Apr 09, 2009, 12:56 AM
walkera wk2601 transmitter hacking?

I have a Walkera 4G3 micro helicopter. I wonder if
I can hack the RF section out of the 2.4GHz transmitter, put it into
a module, and drive it with the PPM signal from a Hitec Optic 6.

Doing so will allow me to fly the micro-heli with the Hitec Optic 6
transmitter, which is much more programmable than the non-computer
Walkera transmitter.

Observing the waveforms on the trainer ports, both the Walkera and Optic 6
output a negative-shift signal. On the Optic 6 the aileron is on channel 1 and
the elevator on channel 2, while the Walkera transmitter is reversed, but
that can be overcome by swapping the two channels in the receiver.

I wonder if the Walkera's 2.4GHz RF module takes a PPM signal as input,
or takes a digital value for each channel. If it takes a PPM signal, the
hacking should be simple. If it takes a digital signal, then I'll have to
add a microcontroller to read the Optic 6's PPM signal and convert it
into digital values to feed the RF module.

Has anyone tried this type of hacking? I use a Spektrum 2.4GHz
module in my Optic 6 to fly my larger helis, so I wonder if I can do essentially
the same for Walkera.

Thanks for any suggestion on how to proceed.
-- mayday1
Apr 09, 2009, 10:02 AM
I doubt you will be able to do it without reverse engineering their protocol. Unless they have a buddy port that accepts PPM input, there is probably nothing in the transmitter that will go from PPM to their digital protocol. Their instruction book doesn't even call it a trainer port, they call it a simulator output or something like that.
-- jeffs555
Feb 14, 2012, 07:08 PM
Did you achieve any success with this project?
-- pouakai
Feb 14, 2012, 08:56 PM
no ppm input ;(

rch4x0r has done a lot of digging into the protocol HERE
but not much interest, and I'm just not bright enough, as much as I would love this module...
-- SadSack
Mar 05, 2012, 03:55 PM
I'm quite sure this could be done, I am only missing a little info on the protocol & a Tx module could be created.

Now that the "project from hell" is complete I can maybe look at this a bit more...

Edit: Having taken a quick look at the Devo8 FW updates I think this might be a better target, the older Wk stuff is going EOL (I guess). Reversing this stuff may give us an insight into how the previous generation gear worked (no need to decap an ATMega when we just download Devo8 updates from Walkera) and Devo-X will be around for a few years yet

A quick rummage around:
-Update files are in DfuSe format, an ST specific version of DFU? http://openliveview.com/wp-content/u.../01/UM0391.pdf
-There are 2 files in the update
-DEVO-8 lib XXX.dfu file is full of images and strings (it should be trivially simple to extract/patch the resources)
-DEVO-8 FWDT XXX.dfu file is probably the firmware, haven't managed to find any meaningful ARM code though

<sigh> Now I want to buy a Devo-8 ....
-- rcH4x0r
Mar 06, 2012, 01:00 AM
Quote:
Originally Posted by rcH4x0r
I'm quite sure this could be done, I am only missing a little info on the protocol & a Tx module could be created.
Fingers crossed


Quote:
Originally Posted by rcH4x0r
and Devo-X will be around for a few years yet
Don't kid yourself... have you seen how many "NEW", even better than our last pile of crap, and with help from you guys beta testing >WE< think we got it right this time (fingers crossed, but we can always make another >NEW< model $$$$)
And why drop old protocols, not enough room?? Yeah right...

Perhaps it doesn't use the Cypress RF chip anymore. I'll be honest, I don't know.


Quote:
Originally Posted by rcH4x0r
<sigh> Now I want to buy a Devo-8 ....
Maybe I would have got a Devo-XX second hand, if only to understand another member's problem on setup, but here on RCG you'd have to be fast to reply.
Hell, I would buy one if I thought it would get it done!! Really<<

Can I offer a name for the module: the "Fook Me! No...Fook Yuo". Just a thought.


Phil

PS to anyone reading this: I love my Walkeras, 4#3B, 4G3 (not so much), Genius CP wonderful, got issues but all round perfect, and the only reason I'm still hopeful for a TX module.
-- SadSack
Mar 06, 2012, 04:16 PM
Hehehe, so cynical

Some good news tho, digging around in the Walkera Devo update files, they aren't encrypted and can be disassembled with IDA Pro....
-- rcH4x0r
Mar 06, 2012, 08:06 PM
Quote:
Originally Posted by rcH4x0r
Hehehe, so cynical
yeah but not far from truth

Quote:
Originally Posted by rcH4x0r
Some good news tho, digging around in the Walkera Devo update files, they aren't encrypted and can be disassembled with IDA Pro....
Nice! Maybe there's hope for a micro Genuis in my future
-- SadSack
Mar 08, 2012, 10:23 AM
Hi!

I'm glad I've just found this thread!
I am looking into DEVO's firmware and libraries too, and am thinking about cracking it, but I don't have enough time, expertise and resources to do it alone!

The system is quite capable and seems easily programmable.
I have a DEVO 8. It could be a decent transmitter, but I hate two things about the overly "consumer-like" UI.
First, the on/off beeps/tunes are quite annoying.
Second, the settings values are almost invisible because of the wrong design: they are written on 3D-style light grey background boxes. Furthermore, when one becomes active, the background changes to darker grey and the text colour turns red, so it is barely visible at all!

I wrote a little program to create or edit the DFU files. The goal: I want to change (dismiss) the on/off tunes, and replace the background of the edited values to increase the visibility.
It would only need editing of the library, without disassembling the firmware!

But a whole new custom firmware would be even greater!

There was some discussion about it, with a lot of useful resources:
http://9xforums.com/forum/viewtopic.php?f=5&t=362

It could be reprogrammed to handle other protocols too!!!
-- FDR_
Mar 08, 2012, 02:31 PM
I spent a couple of hours looking at the update files from Walkera:

-Uses ST DfuSe format (spec is publicly available)
-LIB file is full of images & strings (boring)
-FWDT file is the FW, d'oh, and peeling away the wrappers the code proper starts at 129h (the exception vector table)

Walkera are (ab)using the ST DfuSe standard in the FWDT, there is a blob of binary data at the front of the file but it doesn't look like a digital signature (not quite the right size) and diff versions have very similar blobs. The code itself is not encrypted. There's nothing obvious to stop a custom firmware.

Digging in the 8S firmware and I think both SPI ports are in use, maybe one for telemetry (they use CYRF6936) and one for main Tx?

Edit: If you have a Devo set, could you take a look and see if there is an FCC ID, and maybe post it here, then we can search their database. Maybe we get lucky and find a schematic...
-- rcH4x0r
Mar 08, 2012, 02:54 PM
The FCC ID is "S29DEVO-8", but there are no schematics nowadays, only pictures and the manual...
(otherwise Walkera is "S29"; search for "DEVO")
Mine is the original DEVO-8, not the new 8S. I've got the upgrade module, but don't want to open up the TX, because I would like to sell it.
Plenty of people have opened it to install the upgrade module, but so far nobody has answered my questions about the exact type of the microcontroller...

"...Digging in the 8S firmware and I think both SPI ports are in use..."
Have you already disassembled it?
-- FDR_
Mar 08, 2012, 03:12 PM
Quote:
Originally Posted by rcH4x0r
-Uses ST DfuSe format (spec is publicly available)
Yes, I wrote a little utility to read and edit the DFU files, with recalculating the CRC...

Quote:
Originally Posted by rcH4x0r
-LIB file is full of images & strings (boring)
I can edit the string table, but can only correct the entries (for example, instead of "Saving, Please Waiting" something like "Saving, please wait!").
But I don't know the image and sound formats, and where their boundaries are, so for me it is not boring at all!
I would really like to know where the on/off sounds are, to clear them all!

Quote:
Originally Posted by rcH4x0r
-FWDT file is the FW, d'oh, and peeling away the wrappers the code proper starts at 129h (the exception vector table)

Walkera are (ab)using the ST DfuSe standard in the FWDT, there is a blob of binary data at the front of the file but it doesn't look like a digital signature (not quite the right size) and diff versions have very similar blobs. The code itself is not encrypted. There's nothing obvious to stop a custom firmware.
I think it starts at 125h (11 prefix + 274 target prefix + 8 element prefix = 293, i.e. 125h) to the end -16.
I see nothing extraordinary here...
Wish I could disassemble and understand it!

I don't see any encryption, CRC, or other protection either!
I guess the ST DfuSe simply overwrites the flash with this contents!

The bad news is that Walkera compiled different firmware and library for all DEVO models, not a single universal one...


Edit: ...and the fw's destination address is 0x08004000 (by the dfu target prefix)
-- FDR_
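An added example, not FDR_'s utility or any Walkera code: a parser for the ST DfuSe (UM0391) layout the two posts above walk through, 11-byte prefix, 274-byte target prefix, 8-byte element header and 16-byte suffix carrying the CRC, so the first element's data starts at byte 293 (125h). The sample file is constructed inline; the target name and the 0x08004000 destination come from the thread, the VID:PID are the standard ST DFU bootloader IDs, and filling DFUImageSize with prefix plus target bytes is an assumption.

```python
# Added example (not FDR_'s utility or Walkera code): parse an ST DfuSe (UM0391)
# file along the 11 + 274 + 8 byte layout discussed above and check its CRC.
# Field order follows UM0391; DFUImageSize = prefix + target bytes is assumed.
import struct
import zlib

PREFIX_LEN, TARGET_LEN, ELEMENT_HDR_LEN, SUFFIX_LEN = 11, 274, 8, 16


def dfu_crc(data):
    """DFU suffix CRC: standard CRC-32 without the final bit inversion."""
    return (zlib.crc32(data) & 0xFFFFFFFF) ^ 0xFFFFFFFF


def parse_dfuse(blob):
    """Return (targets, suffix); each target is (name, alt, [(address, data), ...])."""
    # Suffix: bcdDevice, idProduct, idVendor, bcdDFU, "UFD", bLength, dwCRC (all LE).
    dev, pid, vid, bcd_dfu, sig, length, crc = struct.unpack("<HHHH3sBI", blob[-SUFFIX_LEN:])
    if sig != b"UFD" or length != SUFFIX_LEN:
        raise ValueError("missing DFU suffix")
    if crc != dfu_crc(blob[:-4]):
        raise ValueError("suffix CRC mismatch")  # truncated or patched file
    magic, _ver, _image_size, n_targets = struct.unpack("<5sBIB", blob[:PREFIX_LEN])
    if magic != b"DfuSe":
        raise ValueError("not a DfuSe file")
    pos, targets = PREFIX_LEN, []
    for _ in range(n_targets):
        # Target prefix: "Target", alt setting, named flag, 255-byte name, size, element count.
        tsig, alt, _named, name, _size, n_elem = struct.unpack(
            "<6sBI255sII", blob[pos:pos + TARGET_LEN])
        if tsig != b"Target":
            raise ValueError("bad target prefix")
        pos, elements = pos + TARGET_LEN, []
        for _ in range(n_elem):
            # Element header: dwElementAddress (flash destination), dwElementSize.
            addr, size = struct.unpack("<II", blob[pos:pos + ELEMENT_HDR_LEN])
            pos += ELEMENT_HDR_LEN
            elements.append((addr, blob[pos:pos + size]))
            pos += size
        targets.append((name.rstrip(b"\0").decode(), alt, elements))
    return targets, {"vid": vid, "pid": pid, "device": dev, "bcd_dfu": bcd_dfu}


def build_dfuse(name, alt, address, payload):
    """Constructed one-target, one-element sample file (test input only)."""
    element = struct.pack("<II", address, len(payload)) + payload
    target = struct.pack("<6sBI255sII", b"Target", alt, 1,
                         name.encode().ljust(255, b"\0"), len(element), 1) + element
    body = struct.pack("<5sBIB", b"DfuSe", 1, PREFIX_LEN + len(target), 1) + target
    # Suffix before the CRC; 0x0483:0xDF11 are the ST DFU bootloader VID:PID.
    body += struct.pack("<HHHH3sB", 0, 0xDF11, 0x0483, 0x011A, b"UFD", SUFFIX_LEN)
    return body + struct.pack("<I", dfu_crc(body))
```

Flipping any byte of the element data makes parse_dfuse raise on the CRC check, which is the only integrity mechanism the format provides; it detects corruption, not a deliberate patch followed by a recomputed CRC.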
Mar 08, 2012, 05:02 PM
125h for the LIB and 129h for the exception vector table in FWDT (we're both right)

There's a table in the LIB file giving the offset into the image for each "resource", the first 8 bytes of the resource may give a clue about type etc


./a.out -L -i "10mwDEVO-8S-0.6/DEVO-8 Lib v0.0.4.dfu"
Num Targets 1
-------------
Target 0 : 'DEVO-8 Lib v0.0.4' 00191908 1
Element 0 : 00010000 00191900
Name : 'Walkera DEVO-8 Library Binary Code Ver. 0.0.4'
00 : 00000100 00025808 00 10 40 01 F0 00 01 1B
01 : 00025908 00070818 00 10 40 01 F0 00 01 1B
02 : 00096120 00009010 00 10 60 00 60 00 01 1B
03 : 0009F130 00004808 00 10 60 00 60 00 01 1B
04 : 000A3938 00016828 00 10 60 00 60 00 01 1B
05 : 000BA160 0001B030 00 10 60 00 60 00 01 1B
06 : 000D5190 0001C9C8 00 10 20 00 20 00 01 1B
07 : 000F1B58 00011468 00 10 18 00 18 00 01 1B
08 : 00102FC0 00001230 00 10 10 00 18 00 01 1B
09 : 001041F0 00001B18 00 10 30 00 18 00 01 1B
10 : 00105D08 00003630 00 10 30 00 18 00 01 1B
11 : 00109338 00000110 00 10 0C 00 0B 00 01 1B
12 : 00109448 000000B0 00 10 08 00 05 00 01 1B
13 : 001094F8 0000930E 00 10 7B 00 99 00 01 1B
14 : 00112806 000082B8 00 10 7B 00 88 00 01 1B
15 : 0011AABE 0000D140 00 10 CE 00 82 00 01 1B
16 : 00127BFE 00000908 00 10 30 00 18 00 01 1B
17 : 00128506 00000C88 00 10 28 00 28 00 01 1B
18 : 0012918E 00003008 00 10 60 00 40 00 01 1B
19 : 0012C196 00005488 00 10 68 00 68 00 01 1B
20 : 0013161E 00007810 00 10 40 01 18 00 01 1B
21 : 00138E2E 00000650 00 10 14 00 14 00 01 1B
22 : 0013947E 00001908 00 10 10 00 C8 00 01 1B
23 : 0013AD86 00001968 00 10 CB 00 10 00 01 1B
24 : 0013C6EE 0000005C 00 10 07 00 06 00 01 1B
25 : 0013C74A 000000B6 00 00 00 00 00 00 00 00
26 : 0013C800 00001200 00 00 00 00 00 00 00 00
27 : 0013DA00 00002000 00 00 00 00 01 00 03 00
28 : 0013FA00 00000100 10 10 10 10 10 10 10 10
29 : 0013FB00 00045080 00 00 00 00 00 00 00 00
30 : 00184B80 00000080 00 00 00 00 00 00 00 00
31 : 00184C00 0000CD00 57 61 72 6E 69 6E 67 00
-- rcH4x0r
Mar 09, 2012, 01:43 AM
Thank you!

What produced this output for you? Is it IDA Pro? I looked, but only the professional version is capable of handling ST processors, and it is way too expensive for me.
Is there some free (or at least cheap) alternative to it?

I have to study the table, so far it's not clear...

I think this project would deserve its own thread!
-- FDR_
Mar 09, 2012, 04:52 AM
That's the output from some code I wrote that analyses the LIB file

00 : 00000100 00025808 00 10 40 01 F0 00 01 1B

Offset : 00000100
Length : 00025808 (Offset (N+1) - Offset (N))
First 8 bytes at offset : 00 10 40 01 F0 00 01 1B

Edit : Looks like the image size is in the 8 byte header (40 01 F0 00 => 0140h * 00F0h or 320 * 240). That gives us

(length - 8 byte header) / (w * h) =>
(0x25808 - 8) / (0x140 * 0xF0) = 2 bytes per pixel ie 16 bit colour maybe (or possibly two images at 8bpp)
-- rcH4x0r
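An added example, not rcH4x0r's analyser: it applies the reading given in this post (length as the gap to the next resource's offset, width and height as the little-endian 16-bit values at bytes 2..5 of the 8-byte header, bytes per pixel from whatever remains) to rows 00 and 01 of the table posted earlier. Treating bytes 2..5 as width and height is the post's guess and is assumed here; row 01 shows the failure mode, its payload does not divide evenly by 320 * 240, so no bpp is reported for it.

```python
# Added example (not rcH4x0r's tool): the length/header reading given in the post
# above, applied to rows 00 and 01 of the table posted earlier. Width and height
# are assumed to be the little-endian u16 values at header bytes 2..5.
import struct

# Constructed from the listing: (offset, first 8 bytes) for rows 00 and 01;
# row 02's offset bounds the length of row 01.
TABLE = [
    (0x00000100, bytes.fromhex("00104001F000011B")),
    (0x00025908, bytes.fromhex("00104001F000011B")),
]
NEXT_OFFSET = 0x00096120


def resource_lengths(offsets, end):
    """Length of each resource = next offset - this offset (last bounded by `end`)."""
    return [nxt - cur for cur, nxt in zip(offsets, list(offsets[1:]) + [end])]


def describe_resource(length, header):
    """Decode w/h from the 8-byte header; bpp only when the payload divides evenly."""
    width, height = struct.unpack_from("<HH", header, 2)
    payload = length - 8  # strip the 8-byte header
    pixels = width * height
    bpp = payload // pixels if pixels and payload % pixels == 0 else None
    return {"width": width, "height": height, "payload": payload, "bpp": bpp}


def analyse(table, end):
    """Run the two steps over a whole table of (offset, header) rows."""
    offsets = [off for off, _ in table]
    return [describe_resource(length, hdr)
            for length, (_, hdr) in zip(resource_lengths(offsets, end), table)]
```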