28-Nov-2012 Update A bunch of really good US based resellers (including the great Aloft Hobbies) now have them listed too. If your in the US, you can now get them much faster! See post #364.

17-Sep-2012 Update: Those who may be interested in this thread and compatible receivers will probably be interested to know that HobbyKing now have Hitec compatible receivers. See post #226 onwards.

17-Apr-2012 Update: See post #56 onwards for the latest information and a commercially (partially) available receiver.

Over the last couple of months, in between other work commitments, I have been reverse engineering the Hitec 2.4GHz protocol. This was done by watching the communications on a Optima receiver and the Spectra transmitter module, between its Radio IC and main microcontroller. From this, I worked out the packet settings and setup, which I used a Packet Sniffer (from Texas Instruments) to watch the data be sent from my Transmitter. After documenting all this in my trusty notepad, I went away and produced a compatible receiver.

Anyway, here is a short video with the result of my work:

My Hitec Compatible Receiver - Demo (2 min 39 sec)

Well, what next?
The most obvious next step is to get it into the Air and test it with a small set of Beta testers. As this development board is relatively expensive, and has no on-board voltage regulation, I'd rather not hack it to fit inside a fuselage. Also its not very light!

The RF radio chipset used in the Hitec 2.4 kit is the CC2500. As many people on here know, this chip is used by a number of other manufacturers including, not least, Futaba (in S-FHSS), FrSky, Grapuner HoTT, Multiplex and others. Originally I had hoped to convert a FrSky V8R4 and/or a D6FR (and implement telemetry). These use a different microcontroller to the one I used, so I would have to have re-written the code - but as its C, its relatively portable across platforms. Unfortunately, FrSky have blown the JTAG program fuses, so its not really possible to hack these receivers without changing the main IC for every new receiver.

An alternative would be to design my own board up and use that. However it would be nice to be able to use an off-the-shelf receiver, especially one of the many cheap Chinese ones out there, as at the price point they come in, I could never compete with an own design in 10 off quantity.

Now FrSky have just recently released the VD5M receiver - a very light weight park-flyer receiver. From the images I have seen, it appears that it uses the CC2510 IC - the exact one that I'm using on the development board - so very little work is needed to move over to it. (The CC2510 is a CC2500 with a 8051 microcontroller in it - I.E. a one chip receiver solution.) Also Hitec don't have any ultra light receivers available on the market yet either. Perfect!!

Unfortunately I am still waiting for good ol' Hobby King to pack it and post it for me.

So what else?
Well the Minima 6 receiver also uses the CC2510. The other interesting thing about the Minima is that for some unknown reason, Hitec haven't locked down the program memory. So you can happily rip the firmware from this device and make a cheap knock off clones. Or maybe this was Hitec's intention?!

I should re-emphasise that I have not seen or reverse-engineered any Hitec code. Purely watched how it operates, make assumptions from what I've seen and test it. This is called black-box reverse-engineering. I did it this way as I wanted to make sure I didn't infringe any copyright, nor cause anything to make my work illegal, unusable and immoral.

So as I know exactly how the protocol work, there is no reason I can't offer new features to, say, the Minima - such as PPM output, RSSI output or even act as a Spektrum Remote Receiver for QuadCopters, FPV, etc. I bet that will get a few people excited

Plans for the future?
A great annoyance I have with the current 2.4GHz market is its incompatibilities. One brands kit will not work with another - even if they are based on the same technology. My real great aim would be to market a receiver based on this work, make enough money to cover the development costs and to buy up other CC2500 based transmitter systems to reverse engineer them too.

Hence from this, I could develop a Generic/Multi-standard receiver that could bind with, say, a Futaba transmitter one day and if you get a Hitec Transmitter, you could re-bind that same receiver to that - without having to replace the receiver! Back like in the good old 35/40/72MHz days.

Just a dream? Certainly not, and is readily achievable given a bit of development time! Now that I know the CC2500 chip very well, reverse engineering the next protocol should be more straight forward.


Well that's enough jibber-jabber from me. Anyone have any comments, suggestions or even requests?!

I've tried to keep this free from technical jargon and understandable by those who don't understand the inner workings of receivers. However if anything isn't clear, feel free to ask away too!

Cheers,
Si.

Hi I enjoyed the video you have made. I will look forward to any new information you will have here.
Thank you
GFB

Well, I'll be following this thread with baited breath, for sure.

nice work dude, very inventive, good to see!
like you say its the super light weight class that's missing -( tho its not something that i personally use) i'm sure others would benefit in the indoor scene

You are a genius!

My vote goes for RSSI.

Nice... Subscribed.

I have been thinking about reverse engineering AFHSS for some time now but never found the time for it. I am very glad to see someone working on this.

Please get as technical as you want. Which micrcontroller(s) are you planning to use with the CC2500?

Quote:

Originally Posted by bingo17

You are a genius!

My vote goes for RSSI.

Haha I wish. There is nothing that I've done couldn't be replicated by someone with a logic analyzer, some embedded development knowledge and a bit of time!

Thanks everyone for all the encouragement, its nice to know what I'm doing isn't necessarily a waste of time - even though I did this project solely for the enjoyment of it.

Quote:

Originally Posted by aa78

Nice... Subscribed.

I have been thinking about reverse engineering AFHSS for some time now but never found the time for it. I am very glad to see someone working on this.

Please get as technical as you want. Which micrcontroller(s) are you planning to use with the CC2500?

I would like to write a report up about the protocol, however I'm not a great writer, so its not something I particularly enjoy. If others are interested to do it anyway or create their own receivers, I can scan in my log book with all my notes for others to digest. The protocol isn't that complicated, just a few gotcha's.

I've also found that Hitec have made some really shoddy design choices that stink. A good example is the servo position values. For example, I know Spektrum output this as a 10bit number, with 0 (decimal) starting as ~0.9ms and 1024 (decimal) as ~2.1ms. However Hitec have decided to output 0.9ms as 0x1FAE and 2.1ms as 0x36AD. I've seen similar weird formats with the telemetry side of the Hitec receivers - such as the current sensor values being raw ADC values - completely no-linear, with a offset - rather than the current in amps being sent over.

What I reckon is that the servo position values actually correspond to a Timer count value (used to determine the length of the Servo pulse) in the Atmel chip they use in the Optima receivers. This maybe ok if all the receivers use the Atmel chip, but as soon as they use another device (such as CC2510 in the Minima) the value has to be rescaled to suit this weird structure.

I strongly suspect that Hitec R&D department is tiny. Why? Even though people moan about design committees, you don't usually get these weird design decisions. Another example is that the protocol doesn't specify how many channels they are transmitting - only 9 channels every time. So Hitec are going to have to break their existing protocol if they want to make >9 channel system. Again poor design IMO.

The other thing that makes me suspect that their R&D department is small is the time delay between new products, and software updates. Notice how there hasn't been an update to the Aurora/Optima/Spectra for a while? Also notice how there is a lot of talk of a new transmitter out soon? Coincidence? No I think.

However that being said, there stuff does just works. The average punter will not care about how its happening, only if its reliable and good value. Just makes my life harder

Currently I have been developing on the CC2510 - this is a CC2500 with a 8051 core all in one chip. Several reasons. Firstly I like the idea of a single chip receiver. Secondly as there is no external communications between the Radio chip and the micro controller, it can reduce the latency from receiving the data to processing and positioning the servos. As soon as a packet is received, it is DMA straight into the main program RAM to be processed - a lot quicker than reading it through SPI. Thirdly, its the same IC that is used in the Minima receivers - hence there is a off-the-shelf receiver test platform that I can develop with if needs be. Fourthly, they are good value! Not much more expensive than the CC2500 on their own.

Finally I'm currently running a start-up company as my main job and I am developing with another chip in the CC25xx family and hence have a full, licensed, legitimate version of the IAR compiler for the 8051 core that is used. Unfortunately this compiler is not cheap - over $3k per licence. So I should imagine others probably will want to choose another chip!

Do you perhaps know what the receiver sensitivity is or at what baud rate the modem is set?

thanks and keep up the good work!

@SimonChambers: I don't disagree with what you posted above. There is room for improvement in the A9/AFHSS system. It is good but it can be better.

I don't consider latency to be that critical a factor above a certain threshold. IMO, using a separate controller adds flexibility and increases expansion potential.

Please post the protocol details and the gotchas you mention above. Lets see if any of us here can make something of this.

Quote:

Originally Posted by bingo17

Do you perhaps know what the receiver sensitivity is or at what baud rate the modem is set?

thanks and keep up the good work!

The receiver modulation format is set to MSK (this is the setting, set in the registers) - which is interesting, as GFSK is specified in the FCC reports. Maybe a modulation expert could confirm if MSK is similar to GFSK - in the eyes of the FCC?

Baud rate is 250kBaud - according to SmartRF studio, using the default register settings.

Defining the receiver sensitivity is not easy and is affected by what LNA the Optima/Minima receivers are using, plus obviously the LNA in the CC2500 will affect it as well. I haven't checked the part numbers of the LNA's, so can't comment on that.

Quote:

Originally Posted by aa78

@SimonChambers: I don't disagree with what you posted above. There is room for improvement in the A9/AFHSS system. It is good but it can be better.

I don't consider latency to be that critical a factor above a certain threshold. IMO, using a separate controller adds flexibility and increases expansion potential.

Please post the protocol details and the gotchas you mention above. Lets see if any of us here can make something of this.

I'll try and get my notes posted some time. I'll have to find a scanner somewhere to convert it, or type it up properly.

The biggest factor in using the CC2510, IMO, is cost. At Digikey full-reel prices, the CC2500 is $1.862 for 3k off, where as the CC2510-32 (32k flash, the smaller flash parts are even cheaper) is $2.86 for 2.5k off. So its round-about a dollar more for a Radio and Microcontroller. It'll be hard to spec a Microcontroller (plus associated parts - such as an oscillator, etc) even at those quantities for a dollar. Not forgetting the cost savings with a smaller, simpler PCB with less components to pay to be stuffed.

I would have thought the QuadCopter folk would be keen on a library that could be integrated with the main stabilising Microcontroller though. Especially as it would reduce the size, weight and complexity of the complete solution.

Apart from that, I personally don't see what extra flexibility or expansion potential would be by having a separate radio and Microcontroller. After all the cc2510 has an integral ADC, 2 Uarts, and if you go for the CC2511, integrated USB. However I maybe (and often!) wrong. Do you have any ideas in mind?

Perhaps I should say that my current, prime motivation with this project is to firstly produce lower cost receivers. I know the Hitec receivers are cheap anyway, however I'm a tight wad!

Secondly I want to create a multi-brand compatible receiver. This is stage two however, as this requires capital outlay in purchasing all the different systems.

To fund this, I will probably build and sell small numbers of these receivers. Its not going to make me a millionaire, or its even unlikely to make me a living - but hopefully pay for the project to continue.

I guess I should ask, would people be interested in compatible receivers with similar prices, not far off FrSKY kit? Or is Hitec kit cheap enough for people not to want it?

I'm not sure on the above points, hence why my initial aim is to either offer a product that Hitec haven't got in their range yet (an ultralight receiver - which depends on the FrSKY VD5M hackability) - or adding functionality to the Hitec Minima that isn't supported yet - such as PPM, RSSI, etc.

I'm for cheaper and RSSI

Excellent work, Si. A Hitec satellite unit for FBL controllers would be cool.