Posted Apr 07, 2012, 05:20 AM
Originally posted by rcH4x0r:
> Yep, let me wake up properly and drink some tea then I will go for it.
>
> Did you find the code that is actually doing the descrambling? That should be our next target along with nailing the checks when the app is launched. Then we can build our own .dfus from C code.
I am all about helping with that part
-- NorCalMatCat
Posted Apr 07, 2012, 06:52 AM
Originally posted by rcH4x0r:
> Yep, let me wake up properly and drink some tea then I will go for it.
>
> Did you find the code that is actually doing the descrambling? That should be our next target along with nailing the checks when the app is launched. Then we can build our own .dfus from C code.
I didn't go looking, but will start now. I did use the above algorithm on the dfuse and it seems to decrypt fine, so I'm pretty sure about it.
-- PhracturedBlue
Posted Apr 07, 2012, 07:02 AM
I'm nearly done with it, you were close
-- rcH4x0r
Posted Apr 07, 2012, 07:17 AM
Very, very close. I think we have our first "fail"

Code:
ROM:08000D3E loc_8000D3E
ROM:08000D3E                 MOVS    R0, #0
ROM:08000D40                 MOVS    R2, #0x50
ROM:08000D42                 B       loc_8000D66
ROM:08000D44 ; ---------------------------------------------------------------------------
ROM:08000D44
ROM:08000D44 loc_8000D44
ROM:08000D44                 LDRB    R1, [R6,R0]
ROM:08000D46                 SUB.W   R3, R1, #0x80
ROM:08000D4A                 CMP     R3, #0x50
ROM:08000D4C                 BCS     loc_8000D64     ; unsigned compare: if(byte < 0x80 OR byte >= 0xD0) skip byte
ROM:08000D4E                 CMP     R1, #0x88
ROM:08000D50                 BCS     loc_8000D56     ; else if(byte >= 0x88) byte = (byte - 0x88) + 0x80
ROM:08000D52                 SUBS    R1, #0x38
ROM:08000D54                 B       loc_8000D58     ; else byte = (byte - 0x38) + 0x80
ROM:08000D56 ; ---------------------------------------------------------------------------
ROM:08000D56
ROM:08000D56 loc_8000D56
ROM:08000D56                 SUBS    R1, #0x88
ROM:08000D58
ROM:08000D58 loc_8000D58
ROM:08000D58                 SDIV.W  R3, R1, R2      ; Pointless??? R1 is already < 0x50 here
ROM:08000D58                                         ; R3 = R1 / R2
ROM:08000D5C                 MLS.W   R1, R2, R3, R1  ; R1 = R1 - (R2 * R3)
ROM:08000D60                 ADDS    R1, #0x80       ; R1 = R1 + 0x80
ROM:08000D62                 STRB    R1, [R6,R0]
ROM:08000D64
ROM:08000D64 loc_8000D64
ROM:08000D64                 ADDS    R0, R0, #1
ROM:08000D66
ROM:08000D66 loc_8000D66
ROM:08000D66                 CMP     R0, R4
ROM:08000D68                 BCC     loc_8000D44
The division and multiply/subtract seem to be pointless, we end up with:

Code:
if(byte < 0x80 OR byte >= 0xD0) byte = byte                      => byte = byte
else if(byte >= 0x88)           byte = (byte - 0x88) + 0x80      => byte = byte - 0x08
else                            byte = (byte - 0x38) + 0x80      => byte = byte + 0x48
Edit: Fixed expression, removed confusion, byte < 0x80 (ty PB)

I think we need an IDA Pro loader script...
-- rcH4x0r
Last edited by rcH4x0r; Apr 07, 2012 at 08:18 AM.
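The transform rcH4x0r pulled out of the disassembly above, written out in Python as an added example (this is not code from the thread or from any Walkera tool). The first function mirrors the ARM instruction sequence register by register, the second is the three-case form the post reduces it to, and check_all() confirms the two agree for every byte value, which also settles the "pointless" SDIV/MLS question: the dividend is always below 0x50, so the modulo never changes anything. It assumes, as the listing shows, that R6 is the buffer base and R4 its length, so the loop is a plain pass over every byte. Because the transform only rotates the 0x80..0xCF window, it is a bijection, and the inverse (scramble_byte, my own derivation) goes a step beyond the post toward the "build our own .dfus" goal. The sample buffer at the bottom is constructed, not a real firmware image.

```python
# Added example, not code from the thread: the per-byte transform performed by
# loc_8000D44..loc_8000D64, checked exhaustively over all 256 byte values.
# Assumption from the listing: R6 = buffer base, R4 = buffer length.

def descramble_byte(b: int) -> int:
    """Mirror the ARM instruction sequence one step at a time."""
    r1 = b & 0xFF                       # LDRB R1, [R6,R0]
    r3 = (r1 - 0x80) & 0xFFFFFFFF       # SUB.W R3, R1, #0x80 (32-bit wrap)
    if r3 >= 0x50:                      # CMP R3, #0x50 ; BCS = unsigned >=
        return r1                       # byte < 0x80 or byte >= 0xD0: untouched
    if r1 >= 0x88:                      # CMP R1, #0x88 ; BCS
        r1 -= 0x88                      # SUBS R1, #0x88
    else:
        r1 -= 0x38                      # SUBS R1, #0x38
    r2 = 0x50                           # MOVS R2, #0x50
    r3 = r1 // r2                       # SDIV.W R3, R1, R2
    r1 = r1 - r2 * r3                   # MLS.W R1, R2, R3, R1 (r1 % 0x50, a no-op here)
    return (r1 + 0x80) & 0xFF           # ADDS R1, #0x80 ; STRB R1, [R6,R0]


def descramble_byte_simplified(b: int) -> int:
    """The three-case form the post reduces the sequence to."""
    if b < 0x80 or b >= 0xD0:
        return b
    if b >= 0x88:
        return b - 0x08
    return b + 0x48


def scramble_byte(b: int) -> int:
    """Inverse of descramble_byte (own derivation, not from the thread):
    the transform rotates the 0x80..0xCF window, so it is a bijection."""
    if b < 0x80 or b >= 0xD0:
        return b
    if b >= 0xC8:          # descrambled from 0x80..0x87
        return b - 0x48
    return b + 0x08        # descrambled from 0x88..0xCF


def descramble(buf: bytes) -> bytes:
    """The loop at loc_8000D66: apply the transform to every byte, R0 = 0..R4-1."""
    return bytes(descramble_byte(b) for b in buf)


def scramble(buf: bytes) -> bytes:
    """Inverse of descramble over a whole buffer."""
    return bytes(scramble_byte(b) for b in buf)


def check_all() -> bool:
    """True if the instruction-level model equals the simplified form and
    scramble_byte undoes it, for every possible byte value."""
    return all(
        descramble_byte(b) == descramble_byte_simplified(b)
        and scramble_byte(descramble_byte(b)) == b
        for b in range(256)
    )


if __name__ == "__main__":
    # Constructed sample covering each boundary of the transform; not a real image.
    sample = bytes([0x00, 0x7F, 0x80, 0x87, 0x88, 0xCF, 0xD0, 0xFF])
    print(descramble(sample).hex(), check_all())
```

Running it prints the descrambled sample as 007fc8cf80c7d0ff followed by True; the boundary bytes 0x7F and 0xD0 pass through unchanged while 0x80 and 0x88 land at 0xC8 and 0x80 respectively, matching the table in the post.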
Posted Apr 07, 2012, 07:55 AM
...code analysis stuff removed, since you found the bug... It does show my analysis was right-on then

I'd probably do it in the dfu extractor/creator rather than in IDA, but either way would work

Edit again: it is < 0x80, not <= 0x80.
-- PhracturedBlue
Last edited by PhracturedBlue; Apr 07, 2012 at 08:06 AM.
Posted Apr 07, 2012, 08:11 AM
I think it would be useful to figure out how the pins are wired to the MCU. I'm guessing from the code that GPIOE.4 is the 'Ext' pin and GPIOE.3 is the power switch, but it should be easy to test with a voltmeter
-- PhracturedBlue
Posted Apr 07, 2012, 08:30 AM
The center pin of the power switch is connected to the regulator cct on the left hand side. The rest of the buttons we will find when I strip the HW down later - so much to do! Fun
-- rcH4x0r
Posted Apr 07, 2012, 08:40 AM
Originally posted by rcH4x0r:
> The center pin of the power switch is connected to the regulator cct on the left hand side. The rest of the buttons we will find when I strip the HW down later - so much to do! Fun
What about decompiling the walkera protocol?

Knowing that is going to be quite important.

Technically we should be able to use any DSSS protocol correct? That covers a large range of receivers from DSM2 to many others
-- NorCalMatCat
Posted Apr 07, 2012, 09:16 AM
I have my HW in bits at the moment to get some photos and figure out how everything's connected. While I am in there I will add some wires to log the SPI bus between MCU and CYRF chip.

I noticed someone else has reversed DSM2 (not published any info though) and I don't see any reason it can't be added to this Tx (same RF chip).
-- rcH4x0r
Posted Apr 07, 2012, 09:18 AM
Originally posted by rcH4x0r:
> I have my HW in bits at the moment to get some photos and figure out how everything's connected. While I am in there I will add some wires to log the SPI bus between MCU and CYRF chip.
>
> I noticed someone else has reversed DSM2 (not published any info though) and I don't see any reason it can't be added to this Tx (same RF chip).
Yes, I have already invited him to participate...
-- FDR_
Posted Apr 07, 2012, 10:25 AM
Originally posted by rcH4x0r:
> While I am in there I will add some wires to log the SPI bus between MCU and CYRF chip.
This would be awesome, I'm dreaming of using my TH9X to control walkera devention birds, I don't really want another Tx in my collection.

"One transmitter to rule them all and in openness bind them all..."

We already have an open source module available.

http://www.rcgroups.com/forums/showthread.php?t=1564343

Kile is great guy and his modules are really well done.


Originally posted by FDR_:
> Yes, I have already invited him to participate...
The only two guys that I'm aware of here on RCG that did it are one selling compatible modules and the other receivers; I don't think they will help, but I hope I'm wrong.

Sadly I'm not of any help in the programming field, but I sure could contribute with some donation for equipment that's ruined in the process.

Keep the good work guys, it's really appreciated.
-- blackmoon
Posted Apr 07, 2012, 10:52 AM
Originally posted by rcH4x0r:
> I have my HW in bits at the moment to get some photos and figure out how everything's connected. While I am in there I will add some wires to log the SPI bus between MCU and CYRF chip.
>
> I noticed someone else has reversed DSM2 (not published any info though) and I don't see any reason it can't be added to this Tx (same RF chip).
rcH4x0r, I'm quite curious to know if there are any hardware differences between the 100mW version and the 10mW version. I did notice that the main board of my D8 has a version number with E after it, next to the Walkera label. Is yours the same?
If the hardware is the same then I'm thinking that there must just be a version checker in the bootloader which verifies I'm running B code, not A code. Once you guys are done with all the tricky stuff, I'd be curious (and willing to try) reflashing my D8 10mW with code which is A but with the version tags edited to read B.
Thanks, tm
-- thwaitm
Posted Apr 07, 2012, 11:08 AM
LCD is a RDT028C0SP00 but I can't find much data.

Touch screen controller is a TI TSC2008, data sheet here:

http://www.ti.com/lit/ds/symlink/tsc2008.pdf

I found the initialisation code for the CYRF chip now, I will maybe look for the power control stuff later
-- rcH4x0r
Posted Apr 07, 2012, 11:08 AM
I wonder if it would be possible in the code to get it to do more than 100mW considering how it's software switchable...
-- NorCalMatCat
Posted Apr 07, 2012, 11:33 AM
Originally posted by NorCalMatCat:
> I wonder if it would be possible in the code to get it to do more than 100mW considering how it's software switchable...
The question is whether anyone has any good pics of the Tx module with the shield removed. There is a decent one on 9xforums, but it doesn't show which power amplifier is used. The CYRF6936 can drive -35 dBm (<1 uW) to 4 dBm (2.5 mW). I assume the power amplifier isn't actually variable, so specs on the amplifier could probably tell us the limits of the Tx. Apparently they only use one module for all 8S (the upgrade module isn't different between 10mW and 100mW versions as far as I can tell), so at least with the 8S, it should be possible to get the full 100mW on all models.
-- PhracturedBlue