Old Nov 04, 2012, 05:10 PM
Quote:
Originally Posted by PhracturedBlue
one frame (16 bytes) per channel. The firmware actually runs a seek algorithm on power up alternating between ascending and descending channels until it locates a signal and locks on. The data format is the same as DSM2 but the SOP codes are different
Is the channel it locks on always the first channel in the channel
jumping sequence, or is the middle possible too? It seems that you
indicate it is trying to find the channel the TX is currently using.

After the 16 bytes of data, it will wait another 11ms or 22ms
to jump to the next channel to receive the next 16 bytes,
right?


Quote:
sure, processing it is easy enough. I'm not sure what you are trying to achieve though. you need something either Tx or Rx to generate the sequence, and you need some way to convince it to use a custom GUI to generate that sequence.

you could attach a uC to the SPI bus on the Rx, and put it in slave mode to snoop the signal, but that is all that a logic analyzer is doing, so I'm not sure what you gain.
You said your logic analyser has a limit of 10 minutes of samples.
I am thinking that using the SPI slave on a microcontroller can get
rid of that 10 minute limit. Of course you can have another
script to restart the logic analyser to achieve the same thing.
That might be easier actually.
printk is offline Find More Posts by printk
Old Nov 04, 2012, 05:51 PM
Towards PhracturedBlue's goal of understanding the algorithm for generating the channel hopping sequence I have written a little code. Assuming that they are using an RNG and they are just looping around the end of the channel set, I wrote some code to compute the gaps or hop distance between channels. It turns out it is always divisible by 2.

The max channel is 75 and the min channel is 3. The smallest jump is 2 and the largest is 72.

I think they must have taken the output of the RNG and constrained it for numbers between 1 and 36 and then multiplied by 2. That way you never get hops to the neighboring channel.

code: http://jsbin.com/apujeq/1/edit
look in the JavaScript and Console tabs and hit run. If you have Chrome or Firefox (with firebug) go look in the console for the output.
racerxky is offline Find More Posts by racerxky
Old Nov 04, 2012, 05:56 PM
Actually I may have a bug... of course!

The last hop in record 56 is actually a jump from 75 to 3:

"00000056: 03 35 2f 15 09 13 21 25 0d 23 43 3b 37 11 41 05 1b 29 1f 2d 45 3f 4b 03"

Every other jump is at least 2 channels wide but not that one.
racerxky is offline Find More Posts by racerxky
Old Nov 04, 2012, 06:02 PM
Quote:
Originally Posted by printk
Is the channel it locks on always the first channel in the channel
jumping sequence, or is the middle possible too? It seems that you
indicate it is trying to find the channel the TX is currently using.
It is just searching for the channel the Tx is on. Once it locates a channel, it knows where it is, and hops every 11/22ms. This probably means that duplicates are never allowed in the sequence.
Quote:
You said your logic analyser has a limit of 10 minutes of samples.
I am thinking that using the SPI slave on a microcontroller can get
rid of that 10 minute limit. Of course you can have another
script to restart the logic analyser to achieve the same thing.
That might be easier actually.
Well, I have a limit of 10 billion samples at 8MHz, so ~20 mins I guess. That is just the software though that is limited. I think using sigrok, I could probably do an infinite sequence. My wireless router is kicking the bucket, which has prevented me from actually being able to do much testing. Also, while the OrangeRx locks fine on the signal from my RPi, the Spektrum Rx doesn't like it. I'm not sure if it is a timing thing or the fact that I don't have an antenna on the module. I may give up and just put a custom firmware in the Devo8, since I had good luck with that setup earlier.
PhracturedBlue is offline Find More Posts by PhracturedBlue
Old Nov 04, 2012, 06:24 PM
Updated to fix the off by 1 bug: http://jsbin.com/apujeq/2/edit

Still not sure about that jump from 4b to 3.
racerxky is offline Find More Posts by racerxky
Old Nov 04, 2012, 06:47 PM
Well, I found an antenna that I could use, and now my RPi seems to be binding to the 6210 reliably, so as soon as I can locate a working router, I should be ready to capture some streams.
PhracturedBlue is offline Find More Posts by PhracturedBlue
Old Nov 04, 2012, 06:58 PM
Ahh, I forgot to add 1 for wrapping around. Now the pretty divisible by 2 pattern is gone.

The distribution of the hop sizes should be flat but it's not. I think this is because the way I'm counting is incorrect. Some of the hops must be much larger than 75. e.g. I think some of the hops I'm counting as 2 are really 77.
racerxky is offline Find More Posts by racerxky
Old Nov 04, 2012, 07:01 PM
Quote:
Originally Posted by racerxky
Ahh, I forgot to add 1 for wrapping around. Now the pretty divisible by 2 pattern is gone.

The distribution of the hop sizes should be flat but it's not. I think this is because the way I'm counting is incorrect. Some of the hops must be much larger than 75. e.g. I think some of the hops I'm counting as 2 are really 77.
FYI, I'm not sure what the upper channel limit is. It is certainly no higher than 80, but could be as high as that.
PhracturedBlue is offline Find More Posts by PhracturedBlue
Old Nov 04, 2012, 08:32 PM
Quote:
Originally Posted by PhracturedBlue
FYI, I'm not sure what the upper channel limit is. It is certainly no higher than 80, but could be as high as that.
This is a plot of the number of occurrences of each channel in your data:

That's a pretty flat distribution. I'd say only channels 3 to 75 are used. If more channels were used they should appear in your published data set.
racerxky is offline Find More Posts by racerxky
Old Nov 04, 2012, 08:33 PM
Ok, the code seems to be working now.
here's guid 100-110:
Code:
00000064: 43 09 41 2f 2d 07 1f 35 15 23 4b 1d 47 21 11 05 27 3b 03 13 45 49 0b 43
00000065: 1e 42 2a 24 34 2c 38 3c 12 0a 18 3a 48 22 28 14 0c 10 26 08 16 46 40 1e
00000066: 29 3b 39 35 41 05 2b 03 1f 21 2f 37 09 07 11 0f 43 2d 3f 1d 45 15 19 29
00000067: 20 2c 10 2a 32 04 38 16 0e 1c 40 44 3e 08 18 28 34 3c 36 14 2e 0c 42 20
00000068: 3d 29 13 35 47 21 0d 23 31 11 43 41 37 1f 3b 2f 07 2d 39 0f 0b 05 03 3d
00000069: 3c 1c 3a 3e 06 20 30 12 0a 2c 44 0e 16 4a 18 26 04 46 08 42 2a 2e 38 3c
0000006a: 3b 31 4b 45 33 1b 0d 21 0b 17 27 49 1d 47 15 05 03 2d 43 23 3d 19 3f 3b
0000006b: 3a 28 1e 48 38 14 20 06 34 04 2a 32 4a 46 2c 42 3c 10 22 0a 0e 08 12 3a
0000006c: 41 39 0f 07 1f 05 17 35 09 2d 47 15 19 37 4b 25 33 45 2f 49 21 0d 23 41
0000006d: 40 42 30 3e 2e 16 06 1c 34 1a 04 08 0c 3a 0e 12 22 24 1e 44 28 36 38 40
I've included the code. You need an RPi, and it needs to have the spi_bcm2708 module loaded to enable SPI. The code uses GPIO17 (which is GP0 on my breakout board) to turn the Rx on/off (the pin will go high when the Rx should be on)
compile as:
Code:
gcc main.c dsm2.c -lrt
It takes 2 arguments startGUID and endGUID
It is designed to control a Walkera CYRF6936 module (it may work with others, but the PA control on the Walkera module is unique)
You must have some mechanism to capture the SPI output of the Rx
It takes 6 seconds per GUID to capture (it may be possible to shave a little time off this, but at some point you run into reliability issues, as it can take a while for the Rx to see the Tx binding codes)
PhracturedBlue is offline Find More Posts by PhracturedBlue
Old Nov 04, 2012, 08:33 PM
I drew a jump distribution graph at post #21 here:

It should not be flat. If you randomly select two channels,
the distance distribution is not flat. There are more groups at distance 2
than at distance 80, because out of the 80x80 matrix (assuming the total
is 80 channels) there is only one group of them at distance 79, but there are
many groups of them at distance 1. It should be a triangle.

If you allow wrap around and measure the absolute distance, then it
should be flat.


Quote:
Originally Posted by racerxky
Ahh, I forgot to add 1 for wrapping around. Now the pretty divisible by 2 pattern is gone.

The distribution of the hop sizes should be flat but it's not. I think this is because the way I'm counting is incorrect. Some of the hops must be much larger than 75. e.g. I think some of the hops I'm counting as 2 are really 77.
printk is offline Find More Posts by printk
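The hop-distance analysis discussed in the posts above, as an added example that is not code from any poster in this thread (JavaScript, like the jsbin analysis). It parses four records from the "guid 100-110" listing, reports the unique channel count and parity of each, computes forward hop distances, and tallies pair distances for the triangle-versus-flat argument. The 73-channel wrap span (channels 3 to 75) and all function names are assumptions.

```javascript
// Four records copied from the "guid 100-110" listing earlier in this thread.
const RECORDS = [
  "00000064: 43 09 41 2f 2d 07 1f 35 15 23 4b 1d 47 21 11 05 27 3b 03 13 45 49 0b 43",
  "00000065: 1e 42 2a 24 34 2c 38 3c 12 0a 18 3a 48 22 28 14 0c 10 26 08 16 46 40 1e",
  "00000066: 29 3b 39 35 41 05 2b 03 1f 21 2f 37 09 07 11 0f 43 2d 3f 1d 45 15 19 29",
  "00000067: 20 2c 10 2a 32 04 38 16 0e 1c 40 44 3e 08 18 28 34 3c 36 14 2e 0c 42 20",
];
// Assumption: hops wrap over channels 3..75, the range observed in the thread.
const MIN_CH = 3, MAX_CH = 75, SPAN = MAX_CH - MIN_CH + 1; // 73

// "GUID: b0 b1 ..." -> { guid, channels }, rejecting malformed or out-of-range bytes.
function parseRecord(line) {
  const [guid, rest] = line.split(":");
  const channels = rest.trim().split(/\s+/)
    .map((h) => (/^[0-9a-f]{2}$/i.test(h) ? parseInt(h, 16) : NaN));
  if (channels.some((c) => Number.isNaN(c) || c < MIN_CH || c > MAX_CH))
    throw new Error("bad channel in record " + guid);
  return { guid: parseInt(guid, 16), channels };
}

// Forward distance from a to b, wrapping past MAX_CH back to MIN_CH.
const forwardHop = (a, b) => (((b - a) % SPAN) + SPAN) % SPAN;

function summarize(line) {
  const { guid, channels } = parseRecord(line);
  const parities = new Set(channels.map((c) => c % 2));
  return {
    guid,
    unique: new Set(channels).size, // the last byte repeats the first in these records
    parity: parities.size > 1 ? "mixed" : parities.has(1) ? "odd" : "even",
    hops: channels.slice(1).map((c, i) => forwardHop(channels[i], c)),
  };
}

// Tally distances over all ordered pairs of n distinct channels.
// wrap=false uses |b-a| (triangle); wrap=true uses forward wrap-around distance (flat).
function pairDistanceCounts(n, wrap) {
  const counts = new Map();
  for (let a = 0; a < n; a++) {
    for (let b = 0; b < n; b++) {
      if (a === b) continue;
      const d = wrap ? (b - a + n) % n : Math.abs(b - a);
      counts.set(d, (counts.get(d) || 0) + 1);
    }
  }
  return counts;
}

for (const r of RECORDS) {
  const s = summarize(r);
  console.log(s.guid, s.unique, s.parity, Math.min(...s.hops), Math.max(...s.hops));
}
```

In these four records each sequence holds 23 distinct channels that are either all odd or all even, so any hop that does not wrap is even, while a hop that wraps over a 73-channel span is odd.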
Old Nov 04, 2012, 08:48 PM
Here is a jump distance distribution chart, X-axis is the jump distance ordered by size and Y is the number of occurrences of that length of jump. Maybe I'm wrong but I would think that both the frequency usage graph and the hop distance graph should be roughly flat. This graph is drawn using the code I posted earlier, assuming that they are always jumping forward and wrapping around the end of the range.



The reason this graph is not flat is that we don't know the right algorithm yet. If we get the right way of generating the pattern this graph should go flat and not be so crazy spiky.

What do we know about the Random Number Generator(s) that are available on the platform?
racerxky is offline Find More Posts by racerxky
Last edited by racerxky; Nov 04, 2012 at 09:07 PM.
Old Nov 04, 2012, 09:56 PM
I've updated the 2nd post with GUIDS 1 - 512.
I'll look into using sigrok that may let me capture more than 200 GUIDS at a time, but this is a lot easier than what I had before.
PhracturedBlue is offline Find More Posts by PhracturedBlue
Old Nov 04, 2012, 10:28 PM
Great. What RX do you use? You mention OrangeRx in your previous post.
I am not aware OrangeRx can do DSMX.
printk is offline Find More Posts by printk
Old Nov 04, 2012, 10:33 PM
I have a (working) OrangeRx (which only does DSM2), but it isn't useful for the DSMX stuff as you noted. I also have a broken Spektrum 6210Rx (main Rx is completely shot), but the satellite works fine (when connected to the broken 6210Rx). I am probing the satellite. It won't actually complete binding (since the main Rx is needed for that) but the Satellite is sufficient to recognize the GUID and do channel scanning.
PhracturedBlue is offline Find More Posts by PhracturedBlue