SMALL - espritmodel.com SMALL - Telemetry SMALL - Radio
Reply
Thread Tools
Old Oct 18, 2011, 11:47 PM
Registered User
Joined Sep 2011
26 Posts
Discussion
Spektrum DX4e 4-Channel 2.4GHz DSMX

Hi,

Does anybody know the protocol which this transmitter transmits? I would imagine it would be fairly easily to reverse engineer, but if the work has already been done, it will save me a lot of time. I'm interested in the data stream available on the SPI from the Cypress receiver more so than the modulated signal.
SubZer0 is offline Find More Posts by SubZer0
Reply With Quote
Sign up now
to remove ads between posts
Old Oct 19, 2011, 10:28 AM
Registered User
United States, NH, Exeter
Joined Oct 2010
99 Posts
The DSM2 protocol has been reverse engineered by a few people, including myself. I don't know if DSMX has been attacked yet, or if so, no one has admitted to it. Part of the problem is that Spektrum is now using RF modules (X1TXO) that incorporate the microprocessor into the module under the metal shielding. This makes monitoring the SPI communications much more difficult as the signal traces and chip pins are very small. Knowing what I do about DSM2, I can surmise that DSMX is probably very similar to DSM2 at the transmitted packet level. But DSMX hops among a predetermined set of 23 (I think) channels whereas DSM2 uses only 2 channels. Figuring out how DSMX determines the set of channels is going to be the hard part, IMHO.

But anyways, the SPI communications between the microprocessor and the CYRF6936 transceiver chip are pretty complex. The CYRF6936 doesn't just output a data stream of received data from the TX. It is full of registers that need to be written to and read from to setup the chip and initiate reception or transmission of data. In a receiver, the 6936 must be placed into RX mode by setting a bit in a register using a write command over the SPI bus. When the chip receives a data packet, it signals the CPU with an interrupt and then the CPU must burst read a certain register to get the received data.

The first place you should go to learn more is to get the CYRF6936 datasheet and other documents from the Cypress website. Also get the datasheet for the Unigen Leto-LPA module. The reason you want both is that Cypress removed the register listing from their datasheet but Unigen put it in theirs.

I also posted a lot of useful information quite a while ago in the Radios forum and there is a thread in this forum I started.
hammer22 is offline Find More Posts by hammer22
Reply With Quote
Old Oct 19, 2011, 12:49 PM
Registered User
Joined Sep 2011
26 Posts
Hi Hammer22,

Thanks for the reply. Basically what I want to do is have a microcontroller effectively in control of the plane, and give up control when data is received from the TX via the Cypress. The only way that I can think of is to allow the onboard RX module to control the servos, etc, directly, but gated via transistors, or to actually decode data coming from the Cypress RX via SPI and process it from there.

Effectively what I want to achieve is a basic flight computer which can be overriden via the TX in case of spurious computer problems which send the plane into powerpoles.

Do you have the datasheet handy for the LETO module with the register sets at all? Have you had much experience register-bashing the Cypress?
SubZer0 is offline Find More Posts by SubZer0
Reply With Quote
Old Oct 19, 2011, 05:42 PM
Registered User
United States, NH, Exeter
Joined Oct 2010
99 Posts
From what you are describing, it sounds like you want to feed the microprocessor in the Spektrum RX with servo position data generated by your flight control computer while in autonomous flight but switch it back to the cypress chip under command from the ground. On its face it is going to be a very complicated task. Much easier to generate a servo pulse in your flight control computer and use that to directly control the servo on the aircraft. You can use a a simple switch box to switch the servos between your autopilot and the Spektrum RX.

And yes, I have had very good luck register bashing the cypress chip. So much so that I have written my own firmware for a PIC 16F1828 to take a normal PPM signal and transmit a DSM2 signal via a cypress based module like the Unigen Leto-LPA and others. The necessary datasheets are here:

http://www.rcgroups.com/forums/showp...&postcount=101
hammer22 is offline Find More Posts by hammer22
Reply With Quote
Old Oct 19, 2011, 05:55 PM
Registered User
United States, NH, Exeter
Joined Oct 2010
99 Posts
By the way, a Spektrum or any other 2.4Ghz radio is not a good choice if there is the possibility that you will loose visual contact with the aircraft during flight. 2.4Ghz is line of site only. If you need to take back manual control when the aircraft is behind an obstruction and a long distance away, you may never see it again..
hammer22 is offline Find More Posts by hammer22
Reply With Quote
Old Oct 20, 2011, 11:00 PM
Registered User
Joined Sep 2011
26 Posts
Hi Hammer22,

I wasn't going to feed data back into the Spektrum, but directly to the servos on board the aircraft via the flight computer. What I wanted to do with the Cypress was to just receive data via SPI from the transmitter, and, convert the serial data to PWM/PPM on the flight computer and send it to the servos if in manual mode, otherwise allow the flight computer to decide appropriate action for the servos, motor control, etc.

Do you have code to share in regards to controlling the Cypress? I downloaded the datasheets you provided the links for, and it seems the Cypress should be pretty straight forward programming via SPI on a Microchip microcontroller.

I might start with building a circuit consisting of the Cypress transceiver hooked up to a PIC, and try and receive data from the Spektrum TX.
SubZer0 is offline Find More Posts by SubZer0
Reply With Quote
Old Oct 21, 2011, 01:37 AM
"Simplify, then add lightness"
Raleigh,NC
Joined Nov 2000
2,701 Posts
Reverse engineering a protocol like DSMX is a noble cause, but seems like an awful lot of work just to accomplish what you want. It is pretty trivial to connect a micro to the 4 servo outputs from a spektrum receiver, decode them, and then watch for some pattern to decide when to go into manual mode.
jeffs555 is offline Find More Posts by jeffs555
Reply With Quote
Old Oct 21, 2011, 02:10 AM
Registered User
UK
Joined Aug 2000
1,082 Posts
If you do want to experiment with the CY radio, the easiest is to buy a couple of Ar6110 or Ar500 clones from Target that have the CYRF69103 on them. That chip has a simple MCU and CYRF6936 in one component. You will be able to connect to the Rx with a Cypress Miniprog, use the free CY PSoC Designer software (IDE), and the free 'Radio Driver' user module to control the radio. Search the CY site for 69103 example projects and find the LP Radio Technical Reference Manual.

You can also use the Ar6100-based copies with the separate MCU and CYRF6936 but the MCU is much more sophisticated and harder to configure. The MCU in the 69103 is more like a low end Pic.

Just control expectations, as already suggested DSMX is DSM2 using more frequencies. Reverse engineering the protocol and turning that into something useful is a big project. The approach suggested of intercepting the Rx servo outputs is vastly simpler.
Good luck, David.
David T is offline Find More Posts by David T
Reply With Quote
Old Oct 21, 2011, 04:05 AM
Oxford Panic
AndyOne's Avatar
United Kingdom, Oxford
Joined Feb 2003
3,659 Posts
Quote:
Originally Posted by hammer22 View Post
...And yes, I have had very good luck register bashing the cypress chip. So much so that I have written my own firmware for a PIC 16F1828 to take a normal PPM signal and transmit a DSM2 signal via a cypress based module like the Unigen Leto-LPA and others. ...
Hammer,

How does anyone who makes their own DSM2 transmitter choose a GUID for it. Surely Spektrum have the master list and issue them in sequence so for anyone outside the company it must be impossible to be sure it hasn't or won't be used on the genuine product. Or perhaps you copied the one from a Tx you own to be certain of avoiding conflicts.

Just curious.

Andy.
AndyOne is offline Find More Posts by AndyOne
Reply With Quote
Old Oct 21, 2011, 08:15 AM
Registered User
United States, NH, Exeter
Joined Oct 2010
99 Posts
In Spektrum DSM2 radios, the GUID is not assigned from a master list. Every CYRF6936 chip has a unique (or unique enough) internal serial number called the manufacturing ID (MFG_ID). It can be read from the chip via the SPI bus and it's 6 bytes long. 2 of the bytes are used for the 16 bit GUID after XORing it with 0xFFFF and 2 are used for a pair of 16 bit CRC values used in DSM2 transmissions. It was pretty simple to figure out how DSM2 generated these 2 codes but it took me longer longer to figure out the scheme they used with the SOP and DATA PN codes used in every transmission.
hammer22 is offline Find More Posts by hammer22
Reply With Quote
Old Oct 21, 2011, 04:50 PM
Registered User
Joined Sep 2011
26 Posts
Hi all,

Just to verify, I'm not interested in reverse engineering the DSMX transport protocol itself - I'll leave that up the Cypress chip to decode the RF transmission. I'm just interested in the serial data stream transported over this protocol, ie, the information from the aileron controls, etc, on the RC transmitter. Therefore, basically all that I want to do is to receive a serial data stream transmitted from the RC control, eg, rudder up, full throttle.

That being said, is it possible to receive this data fairly easily via the Cypress, or there are specific data tables which need to be loaded into the Cypress chip itself which is proprietary to the specific controller using it? Ie, is it possible to simply create a module with a Cypress and receive data from the Spektrum transmitter without actually knowing proprietary data tables, etc, which are specific to implementations?

Clearly, as stated by others, the Spektrum undergoes a binding process whereby the RX is bound to a specific GUID. Does this occur each time the controller and aircraft is turned on, or it is bound once and the GUID stored in Flash? Has anybody decoded this protocol?

Effectively what I want to do is to replace the RX module on the aircraft with a custom solution containing the Cypress chip, and simply receive data from the existing Spektrum transmitter. In this sense, I'm uninterested in the DSMX protocol itself, just the data being received by the Cypress RX.

What proprietary configuration stages are actually necessary for the configuration of the Cypress to receive data transmitted via DSMX from the Spektrum? Specific data tables that can be snooped via a logic analyser, or these have already been decoded?
SubZer0 is offline Find More Posts by SubZer0
Reply With Quote
Old Oct 21, 2011, 08:09 PM
Registered User
United States, NH, Exeter
Joined Oct 2010
99 Posts
SubZero,
Sorry for my denseness. I was looking at this strictly from the TX side and totally forgot until now that what you are are looking for can be found in the serial link between Spektrum satellite receivers and their main receivers. They communicate with the main receiver via a 125Kbaud 3.3V TTL serial link. They transmit 16 byte bursts every ~22ms that, if it is an AR6200 or AR7000 contain the first 7 TX channels. If you are using a 8 or more channel TX, then there is another short burst with the additional channels. Do a search here on "spektrum satellite comms" or "spektrum serial format" and you will more more detailed info. Some people are in the habit of referring to the Spektrum serial communications protocol as DSM2 and its not really.
hammer22 is offline Find More Posts by hammer22
Reply With Quote
Old Oct 22, 2011, 06:16 AM
Registered User
UK
Joined Aug 2000
1,082 Posts
SubZer0,
If you want to work with a CY chip registers or SPI traffic between MCU and RF chip then you need to understand enough of 'raw' DSM2/X to know which bytes are useful to you.

As Hammer22 says if you use a Spektrum satellite then the communications between that and the host receiver's MCUs is a simpler RS232 protocol which is more widely documented on the web.
dt.
David T is offline Find More Posts by David T
Reply With Quote
Old Oct 22, 2011, 05:34 PM
Registered User
Joined Sep 2011
26 Posts
Hi all,

I was under the impression that the Cypress RX chip would strip out all of the underlying transport protocol, including SOP, Length fields, etc, and supply you with the serial protocol, consisting of a simple datastream as documented previously by Hammer22 (10 bits for aileron, etc, including 2 byte start of frame). Am I completely underestimating the complexity of this task?

I believed that it would be fairly straightforward to simply interface the Cypress with a PIC, set up the SOP table on the RX to match the table on the TX (as well as configuring the chip for RX, etc), and you would have the serial stream accessible directly from the RX via SPI.

Apparently there wouldn't be the complexity of negotiating channels for transmission, as DSMX can happily communicate with a DSM2 RX, and vice versa. Therefore, I would imagine that DSM2 simply listens for the SOP which it is associated with in the wideband range above 2.4 Ghz, and receives any serial stream with its associated SOP tag.

Am I way off the mark, or I simply need to learn more about this protocol before jumping in? I really want to incorporate the custom RX, as the space and weight requirements for the aircraft are fairly limited, and having a Spektrum RX with its associated ESC on board, is going to eat into my space and weight limits.

I am currently under the assumption that the Cypress RX acts in a "promiscuous mode" similiar to WiFi, whereby you can receive any data on the band, and that the filter is simply the SOP which either matches with the RX expectation and is received, or not, and is rejected. Is this assumption correct, or DSMX initiates protocol handshaking initially to configure itself between a RX and the transmitter?
SubZer0 is offline Find More Posts by SubZer0
Reply With Quote
Old Oct 23, 2011, 03:41 AM
Registered User
UK
Joined Aug 2000
1,082 Posts
Let me explain some terms I used in more detail. The CY RF chip can only be accessed using SPI. SPI usually requires clock, miso, mosi, enable and interrupt connections. I use the term 'serial' to refer to Spektrum's use of RS232 to communicate between its MCU's. This is a one-wire interface.

A DSM2/X MCU uses SPI to configure the CY RF chip to use the CY '8DR' mode. This is what I referred to as 'raw DSM2/X'. Some of the config is done at startup and some is done with every receive operation. SPI activity includes things like SOP/PN configuration which are frequency-specific in the DSM2/X protocol, enabling/aborting receive operations, RSSI measurements, reading payload, etc. Some SPI activity is regular and consistent and some is dynamic when there are errors. You would need to recognise patterns/understand the context to extract just the payload from SPI traffic.

The RF chip takes all the configuration data and manages the RF communications using their 8DR protocol. The RF chip conceals this level of detail. So you don't see 'raw RF' communications which would include all the preamble, SOP, PN, CRC etc handling.

'Serial' between MCU's contains mainly the validated payload which you are seeking. Serial only exists where there are multiple MCU's such as where there is a satellite. Multi-board receivers like the Ar7000/9000 may have serial in them; I've not checked.

8DR mode and checks in the DSM2/X protocol result in several layers of filtering/integrity checking, vastly more than some of your comments assume.

Hope this helps, dt.
David T is offline Find More Posts by David T
Reply With Quote
Reply


Thread Tools

Similar Threads
Category Thread Thread Starter Forum Replies Last Post
For Sale 2 spektrum AR 8000 2.4 dsm2/dsmx 8 channel receivers new! HD Hucker Aircraft - General - Radio Equipment (FS/W) 6 Mar 05, 2012 02:16 AM
For Sale Spektrum DX4e DSMX jlorenz Aircraft - General - Radio Equipment (FS/W) 9 Nov 08, 2011 08:57 PM
Sold SPEKTRUM AR6200 6-CHANNEL ULTRALITE 2.4GHz RECEIVER stretch1100 Aircraft - General - Radio Equipment (FS/W) 0 Sep 13, 2011 11:51 PM
For Sale Price reduced---Tactic TTX404 2.4GHz 4-Channel Radio w/the TR624 6-Channel Receiver kenkey Aircraft - General - Radio Equipment (FS/W) 2 Jul 04, 2011 07:38 AM
Sold DX4e DSMX 4-Channel Full Range Tx only MD2/4 by Spektrum isogloss3d Aircraft - General - Radio Equipment (FS/W) 1 Apr 10, 2011 01:08 PM