Old Apr 08, 2012, 12:53 PM
Registered User
Joined May 2011
657 Posts
Quote:
Originally Posted by rcH4x0r
Urgh, Walkera have put crypto on their protocol, I think the "bind" packets (sent at power on) are in clear but the rest are encrypted. Found 4 packet types so far...
Then I think it should send some key or IV in the binding packet. It might be the ID itself...

There should be a few packet types: auto binding, fixed ID sending, normal control packet, received telemetry data, model transmit/receive...
FDR_ is offline Find More Posts by FDR_
Old Apr 08, 2012, 01:12 PM
Registered User
Joined Jan 2012
682 Posts
It looks like the LCD is addressed with FSMC. The memory seems to be accessed at 0x60000000. I see the read, write, and init functions, but I haven't found any datasheets that match the initialization sequence yet.
PhracturedBlue is offline Find More Posts by PhracturedBlue
Old Apr 08, 2012, 01:15 PM
Registered User
Joined Jun 2010
120 Posts
The data is being XOR'ed with something prior to transmission.

Binding: I can see the 3 RF channels it selected being advertised

The SOP sent to the CYRF chip is selected from a table based on the CYRF MFG data, which reduces the chance that Tx's will interfere with each other.
rcH4x0r is offline Find More Posts by rcH4x0r
Old Apr 08, 2012, 02:26 PM
Registered User
Joined Jun 2010
120 Posts
Quote:
Originally Posted by FDR_
Then I think it should send some key or IV in the binding packet. It might be the ID itself...

There should be a few packet types: auto binding, fixed ID sending, normal control packet, received telemetry data, model transmit/receive...
The first four bytes of the CYRF MfgId are sent in the bind packet. The encryption is using that as a key. The exact algorithm is TBD.

Bind packet is:

Code:
    0x8A
    UNK1
    UNK2
    RF CH1
    RF CH2
    RF CH3
    CYRFMfgId[0]
    CYRFMfgId[1]
    CYRFMfgId[2]
    CYRFMfgId[3]
rcH4x0r is offline Find More Posts by rcH4x0r
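Added example, not code from the thread or from any Walkera/Deviation source: a decoder for the ten-byte bind packet layout posted above (0x8A, UNK1, UNK2, RF CH1..3, CYRFMfgId[0..3]), with the sanity checks a receiver-side log parser would want. The sample packet is constructed, and the upper RF channel bound is an assumption about the CYRF6936 channel register, not something the thread states.

```python
"""Decode the Walkera Devo bind packet as laid out in the thread.

Field order comes from the post above; the sample bytes and the channel
range limit are constructed/assumed for this example.
"""
from dataclasses import dataclass

BIND_HEADER = 0x8A      # first byte of every bind packet seen so far
BIND_LEN = 10           # 1 header + 2 unknown + 3 channels + 4 MfgId bytes
MAX_RF_CHANNEL = 0x61   # Assumption: CYRF6936 channel register spans 0..97


@dataclass(frozen=True)
class BindPacket:
    unk1: int
    unk2: int
    rf_channels: tuple   # the three hop channels advertised at bind time
    mfg_id: bytes        # first four bytes of the CYRF MfgId ("the key")


def parse_bind_packet(pkt: bytes) -> BindPacket:
    """Validate and split a raw bind packet into its fields."""
    if len(pkt) != BIND_LEN:
        raise ValueError(f"bind packet must be {BIND_LEN} bytes, got {len(pkt)}")
    if pkt[0] != BIND_HEADER:
        raise ValueError(f"not a bind packet: header 0x{pkt[0]:02X}")
    chans = tuple(pkt[3:6])
    for ch in chans:
        if ch > MAX_RF_CHANNEL:
            raise ValueError(f"RF channel {ch} outside assumed 0..{MAX_RF_CHANNEL}")
    if len(set(chans)) != 3:
        raise ValueError(f"hop channels are not distinct: {chans}")
    return BindPacket(pkt[1], pkt[2], chans, bytes(pkt[6:10]))


def fixed_id_fits_unknown_bytes(fixed_id: int) -> bool:
    """FDR_'s check: could a fixed ID (max 999999 = 0xF423F) fit in UNK1/UNK2?"""
    return 0 <= fixed_id <= 0xFFFF


# Constructed sample, not a capture: channels 11/35/61, MfgId 12 34 56 78
SAMPLE_BIND = bytes([0x8A, 0x00, 0x00, 0x0B, 0x23, 0x3D, 0x12, 0x34, 0x56, 0x78])

if __name__ == "__main__":
    print(parse_bind_packet(SAMPLE_BIND))
    print("999999 fits in UNK1/UNK2:", fixed_id_fits_unknown_bytes(999999))
```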
Old Apr 08, 2012, 03:02 PM
Registered User
Joined May 2011
657 Posts
Quote:
Originally Posted by rcH4x0r
The first four bytes of the CYRF MfgId are sent in the bind packet. The encryption is using that as a key. The exact algorithm is TBD.

Bind packet is:

Code:
    0x8A
    UNK1
    UNK2
    RF CH1
    RF CH2
    RF CH3
    CYRFMfgId[0]
    CYRFMfgId[1]
    CYRFMfgId[2]
    CYRFMfgId[3]
Good!
But where is the binding ID then, whether it is random or fixed?
Is it in the 2 unknown bytes, or does it only determine the 3 channels in use?

Edit: the max value for the ID is 999999 (=0xF423F), so it can't be in those two bytes...
FDR_ is offline Find More Posts by FDR_
Last edited by FDR_; Apr 08, 2012 at 03:11 PM.
Old Apr 08, 2012, 05:29 PM
Registered User
Joined Jan 2012
682 Posts
Well, I was reading up on programming the STM32, and how to get to the system bootloader. It turns out you need to use the USART to do this (specifically USART1). USART1 is connected to the trainer port, and the builtin bootloader should be enabled once the jumper is applied.
Interestingly my DEVO-8 has a 2nd silk-screen mask identifying the values of all resistors and capacitors and names for all connectors, which rcH4x0r's doesn't seem to have. On my board the jumper is silk-screened as 'con2'. In either case it is right above the trainer-port jack on the right side of the main board. Applying a jumper and connecting to the USART should work. Note that I could not communicate with the STLink with the jumper enabled. The reason is simple: the power switch doesn't actually apply power for more than a second if CON2 is in place. This is where the 2nd jumper (next to the large electrolytic caps, also labeled 'CON2') comes into play. Attaching a jumper here powers up the Tx. With both jumpers in place, the STLink will connect (despite complaining of read-only memory), and it should be possible to bulk-erase and reprogram from here.

I am not sure if it is possible to do a bulk-erase through the system bootloader, so I don't know if someone without an STLink could use this method.

As for the trainer port:
Note that the USART pins are directly connected through a 100 ohm resistor, so it is likely you don't want to apply any more than 3.3 V to the trainer port. Note that a USB->Serial converter usually uses +/- 5 V rail-to-rail, so you DO NOT want to wire up a USB->Serial converter to the trainer port!

FYI, this probably indicates how the DEVO-7 is programmed, as it probably has similar connectivity. It also indicates that programming through a trainer->PC adapter may be feasible, but would require a custom serial-port emulator driver.

Again, DO NOT try to wire the trainer port directly to USB without an approved cable! It will very likely fry your controller!
PhracturedBlue is offline Find More Posts by PhracturedBlue
Old Apr 08, 2012, 05:54 PM
Registered User
Joined Jun 2010
120 Posts
Y, the Tx stays on now, which tool are you using?
rcH4x0r is offline Find More Posts by rcH4x0r
Old Apr 08, 2012, 06:01 PM
Registered User
Joined Jan 2012
682 Posts
Quote:
Originally Posted by rcH4x0r
Y, the Tx stays on now, which tool are you using?
I used an ST-Link/v2 to connect via the SWD port (4 wires, no connection to NRESET). Software was the STMicro software for STLink.
PhracturedBlue is offline Find More Posts by PhracturedBlue
Old Apr 08, 2012, 06:30 PM
Registered User
Joined Jun 2010
120 Posts
I'm not having much luck connecting. Just to be clear, how are you connecting the STLINK? I have

STLink Cable pin 7 - PCB TMS
STLink Cable pin 9 - PCB TCK
STLink Cable pin 20 - PCB GND

NVM, STLink Cable pins 1&2 - PCB VDD did the trick
rcH4x0r is offline Find More Posts by rcH4x0r
Last edited by rcH4x0r; Apr 08, 2012 at 06:45 PM.
Old Apr 08, 2012, 06:53 PM
Registered User
Joined Jan 2012
682 Posts
FYI, something in the Devo Bootloader, and possibly Devo firmware seems to reset when the debugger is connected. Maybe the watchdog timer? I don't think that just clearing the read-protect will be enough to debug the firmware.
PhracturedBlue is offline Find More Posts by PhracturedBlue
Old Apr 08, 2012, 07:04 PM
Registered User
Joined Jun 2010
120 Posts
Chip erased & bootloader reprogrammed, I can get into DFU mode, load the app and it runs ok. Yay!

I can also connect with the STLink and halt the MCU, single step & restart the code.

There's certainly a WDG running, but it doesn't seem to be a problem.

Edit: I had to put the power supply jumper on the board in order to be able to debug code
rcH4x0r is offline Find More Posts by rcH4x0r
Last edited by rcH4x0r; Apr 08, 2012 at 07:16 PM.
Old Apr 08, 2012, 07:59 PM
Better then Sliced Bread!
NorCalMatCat's Avatar
United States, CA, Arcata
Joined Oct 2011
2,650 Posts
Wow, I feel this is close to actually starting a firmware then. After looking over the 9x firmware it's all a bit confusing to me because of all of the hardware code... I am not so sure I can be much help with any hardware stuff...
NorCalMatCat is offline Find More Posts by NorCalMatCat
Old Apr 08, 2012, 09:04 PM
Registered User
Joined Jan 2012
682 Posts
I looked at the ersky9x firmware, but while it is cortex-m3 based, the peripheral interface is completely different, and the hardware stuff is embedded within a lot of the code. I think we'd end up rewriting a huge portion of it to support the Devo series. It may be worthwhile as a starting point, but I don't see any way we could share a common code-base unless the code was completely rewritten and all I/O was abstracted.
PhracturedBlue is offline Find More Posts by PhracturedBlue
Old Apr 08, 2012, 11:22 PM
Registered User
Joined Jan 2012
682 Posts
Quote:
Originally Posted by rcH4x0r
Chip erased & bootloader reprogrammed, I can get into DFU mode, load the app and it runs ok. Yay!

I can also connect with the STLink and halt the MCU, single step & restart the code.
Thanks for making sure it worked. I also had no problem flashing and reinstalling the bootloader without read-protection set. I was not able to connect to the SWD if I started the Tx as usual, but I was able to jump to the reset-vector from within the SWLink software and then start/halt/step through it. Is that what you found too?

The STLink software really isn't suitable for doing any debugging, and I don't have access to Keil or IAR. I guess I need to try out openocd, and see if I can get gdb working over the SWD port.
PhracturedBlue is offline Find More Posts by PhracturedBlue
Old Apr 08, 2012, 11:47 PM
Better then Sliced Bread!
NorCalMatCat's Avatar
United States, CA, Arcata
Joined Oct 2011
2,650 Posts
I'm getting excited :P I have a question...

How possible would it be to 'add' channels? I understand this would be a limitation on the receiver's end, but would it be possible for a Devo 8 to do 12-channel output to an RX1201 RX?
NorCalMatCat is offline Find More Posts by NorCalMatCat