Old Nov 20, 2012, 08:16 AM
Registered User
Joined Jan 2012
677 Posts
Discussion
Hubsan X4 protocol analysis

I've started work on the Hubsan X4 protocol. Here are my initial findings.

You can find the latest documentation as part of the Deviation project in doc/Hubsan.txt:
https://bitbucket.org/PhracturedBlue/deviation/src

-----
The Hubsan X4 uses the A7105 transceiver chip for communication

Binding:
First the Tx scans the RSSI on the following channels and picks the best one:
14 1e 28 32 3c 46 50 5a 64 6e 78 82

Next it starts transmitting on the chosen frequency every 12 msec, listening
for a response after each transmission. The 1st packet (packet id 0x01) is
continuously broadcast until a response is received which begins the handshake.
Once the handshake starts, packets are transmitted at various rates as shown

There do not seem to be any special rules regarding the session ID or transmitter ID.
Using random values for these (for a given session) seems to work fine.

Stage 1:
Once the 1st packet is received, subsequent packets are transmitted at 8msec intervals
Set the A7105 ID to '55 20 10 41'
---- Ex 1 ---
Tx: 01 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 12
Rx: 02 3c 2c b5 da b3 00 00 00 00 00 00 00 00 00 54
Tx: 03 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 10
Rx: 04 3c 2c b5 da b3 00 00 00 00 00 00 00 00 00 52
---- Ex 2 ---
Tx: 01 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 84
Rx: 02 32 44 a7 0d 0f 00 00 00 00 00 00 00 00 00 c5
Tx: 03 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 82
Rx: 04 32 44 a7 0d 0f 00 00 00 00 00 00 00 00 00 c3
---
aa bb cc dd ee ff gg hh ii jj kk ll mm nn oo pp
aa : current bind state
bb : chosen frequency
ccddeeff : ID to use for this session
gg : always Tx 08
hh-kk : ??
llmmnnoo: Transmitter ID(?)
pp : checksum

Stage 2:
Set the A7105 ID to 'cc dd ee ff'. Packets still transmit at 8msec intervals
---- Ex 1 ---
Tx: 01 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 12
Rx: 02 3c 2c b5 da b3 03 07 20 03 01 00 00 00 00 26
---- Ex 2 ---
Tx: 01 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 84
Rx: 02 32 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 97

Stage 3:
The '09' packet is transmitted every 22msec
---- Ex 1 ---
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Rx: 0a 02 2c b5 da b3 03 07 20 03 01 00 00 00 00 58
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Rx: 0a 03 2c b5 da b3 03 07 20 03 01 00 00 00 00 57
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Rx: 0a 04 2c b5 da b3 03 07 20 03 01 00 00 00 00 56
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Rx: 0a 05 2c b5 da b3 03 07 20 03 01 00 00 00 00 55
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Rx: 0a 06 2c b5 da b3 03 07 20 03 01 00 00 00 00 54
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Rx: 0a 07 2c b5 da b3 03 07 20 03 01 00 00 00 00 53
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Rx: 0a 08 2c b5 da b3 03 07 20 03 01 00 00 00 00 52
Tx: 09 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 0a
Rx: 0a 09 2c b5 da b3 03 07 20 03 01 00 00 00 00 51
---- Ex 2 ---
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Rx: 0a 02 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 bf
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Rx: 0a 03 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 be
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Rx: 0a 04 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 bd
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Rx: 0a 05 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 bc
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Rx: 0a 06 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 bb
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Rx: 0a 07 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 ba
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Rx: 0a 08 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 b9
Tx: 09 32 44 a7 0d 0f 08 e4 ea 9e 50 db 04 26 79 7c
Rx: 0a 09 44 a7 0d 0f 03 07 20 03 01 00 00 00 00 b8
---
aa bb cc dd ee ff gg hh ii jj kk ll mm nn oo pp
aa : current bind state (?)
bb : chosen frequency (Tx), count (Rx)
ccddeeff: chosen ID for this session
gg : always Tx 08
hh-kk : ??
llmmnnoo: Transmitter ID(?)
pp : checksum
Binding is complete once the Received data has 'bb' == '09'


Data transmission:
The Transmitter will transmit 4 data packets on the chosen frequency,
and then a single packet on freq + 0x23.
Packets are transmitted 10msec apart

Ex1: 20 00 00 00 80 00 7d 00 84 02 64 db 04 26 79 7b
Ex2: 20 00 00 00 80 00 7d 00 84 02 64 db 04 26 79 7b
aa bb cc dd ee ff gg hh ii jj kk ll mm nn oo pp
cc : throttle observed range: 0x00 - 0xff (smaller is down)
ee : rudder observed range: 0x34 - 0xcc (smaller is right)
gg : elevator observed range: 0x3e - 0xbc (smaller is up)
ii : aileron observed range: 0x45 - 0xc3 (smaller is right)
llmmnnoo: Transmitter ID(?)
pp : checksum
Checksums:
The checksum is calculated as 256 - ((sum of the 1st 15 bytes) modulo 256)

I will update more as I start experimenting to find the meaning of all the unknown bytes.
Posted by PhracturedBlue
Last edited by PhracturedBlue; Nov 21, 2012 at 10:00 AM.
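
The packet layout and checksum rule from the post above, as an added example that is not part of the original post or the Deviation source: a decoder that validates captured 16-byte packets. Function and field names are hypothetical, and treating a first byte of 0x20 as the data-packet marker is an assumption based on the post's two data examples.

```python
# Added example: offsets follow the post's layout; all names are hypothetical.
CHANNELS = bytes.fromhex("141e28323c46505a646e7882")  # channels scanned at bind

def checksum(first15: bytes) -> int:
    # Post's rule: 256 - (sum mod 256). The mask covers sum mod 256 == 0,
    # where the rule yields 256 and the transmitted byte has to be 0x00.
    return (256 - sum(first15) % 256) & 0xFF

def decode(line: str) -> dict:
    """Decode one 'Tx: ..' / 'Rx: ..' capture line holding 16 hex bytes."""
    direction, _, hexpart = line.partition(":")
    direction = direction.strip()
    raw = bytes.fromhex(hexpart.strip())
    if direction not in ("Tx", "Rx") or len(raw) != 16:
        raise ValueError("expected 'Tx:' or 'Rx:' followed by 16 bytes")
    pkt = {"dir": direction, "type": raw[0],
           "checksum_ok": checksum(raw[:15]) == raw[15]}
    if raw[0] == 0x20:  # assumption: 0x20 marks a data packet, as in Ex1/Ex2
        pkt.update(throttle=raw[2], rudder=raw[4], elevator=raw[6],
                   aileron=raw[8], tx_id=raw[11:15].hex())
    elif direction == "Tx":
        pkt.update(channel=raw[1], channel_known=raw[1] in CHANNELS,
                   session_id=raw[2:6].hex(), tx_id=raw[11:15].hex())
    else:
        # bb echoes the channel in stages 1-2 and counts up in stage 3;
        # the post treats bb == 09 in received data as "binding complete".
        pkt.update(bb=raw[1], session_id=raw[2:6].hex(),
                   bind_complete=raw[1] == 0x09)
    return pkt

# Bytes are captures quoted in the post; the "Tx:" prefix on the data packet
# and the final line (throttle byte altered, checksum kept) are constructed.
SAMPLE = [
    "Tx: 01 3c 2c b5 da b3 08 e5 ea 9e 50 db 04 26 79 12",
    "Rx: 0a 09 2c b5 da b3 03 07 20 03 01 00 00 00 00 51",
    "Tx: 20 00 00 00 80 00 7d 00 84 02 64 db 04 26 79 7b",
    "Tx: 20 00 01 00 80 00 7d 00 84 02 64 db 04 26 79 7b",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", decode(line))
```
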
Old Nov 21, 2012, 09:58 AM
Registered User
Joined Jan 2012
677 Posts
Well, the above information is enough to bind and fly a Hubsan X4.
There are lots of bytes whose value I don't know, but setting random values for the 'session ID' and 'transmitter ID', I have no issue binding or flying. There is a driver in the deviation source code now.

Note that the current code probably won't work with a scavenged V911 module. Inspection of that module shows that it does not have an antenna connected to the LNA input. I will test to be sure. On the other side, the handshake is not symmetrical. It should be possible to complete the binding sequence without receiving any data from the model (though it won't be as reliable). If the V911 module isn't capable of completing the binding, I'll likely add an option for that.

For now, I've tested with an XL7105-SY (no external LNA/PA) and the '500m' module from ebay/aliexpress (has a ~16dBm PA), and both work well.
Posted by PhracturedBlue
Old Nov 21, 2012, 09:59 AM
Registered User
Joined Jan 2012
677 Posts
Also, the antenna on the Hubsan X4 Tx is purely decorative. There is no wire in the antenna. The Hubsan Tx uses an on-board antenna via the A7105 reference design, and has no external PA.
Posted by PhracturedBlue
Old Nov 21, 2012, 10:49 AM
RC beginner
New York
Joined Oct 2008
5,622 Posts
thanks again for an excellent dissection. im tempted to buy a hubsan and a devo just to test out your code. unfortunately both are a bit too pricey for me atm. i wish there was an avr or arduino project for 7105/flysky like kreatures cc2500 thread. guess im still stuck with diy frsky for now.
Posted by dave1993
Old Nov 21, 2012, 12:07 PM
Registered User
Joined Jan 2012
677 Posts
Well, the V911 module works too surprisingly enough. I guess it has enough sensitivity without an antenna (or the antenna is connected and I just can't tell visually)
Posted by PhracturedBlue
Old Nov 21, 2012, 12:11 PM
Registered User
Joined Jan 2012
677 Posts
Quote:
Originally Posted by dave1993 View Post
thanks again for an excellent dissection. im tempted to buy a hubsan and a devo just to test out your code. unfortunately both are a bit too pricey for me atm. i wish there was an avr or arduino project for 7105/flysky like kreatures cc2500 thread. guess im still stuck with diy frsky for now.
The code itself should be easy to port to Arduino. I am currently doing protocol development on my Raspberry Pi using the same code. It isn't 100% reliable due to the non-rt nature of Linux, but it is fine for analysis and development. Of course you need enough knowledge to port the SPI routines, but otherwise it should be nearly plug and play.
Posted by PhracturedBlue
Old Nov 21, 2012, 01:10 PM
Tri-Quad-Hexa-Octo-copters!!
United States, TX, San Antonio
Joined Feb 2007
14,263 Posts
P,
Nice work! Any chance of getting this to work in a Futaba 9c?...
Cheers,
Jim
Quadrocopter and Tricopter Info Mega Link Index
Posted by jesolins
Old Nov 21, 2012, 01:35 PM
Registered User
Joined Jan 2012
677 Posts
Quote:
Originally Posted by jesolins View Post
P,
Nice work! Any chance of getting this to work in a Futaba 9c?...
Cheers,
Jim
Quadrocopter and Tricopter Info Mega Link Index
No, that is completely unrealistic. The only way to do it would be something like the magic cube, or Hammer22's module that plugs into the trainer port. Not something I'm interested in doing.
Posted by PhracturedBlue
Old Nov 21, 2012, 01:43 PM
Tri-Quad-Hexa-Octo-copters!!
United States, TX, San Antonio
Joined Feb 2007
14,263 Posts
P,
OK. The Anylink/MagicCube trainer port or plug in modules would sure make life much easier with all the proprietary protocols in the multicopter micro and mini quads and other models out there. I did modify the Turnigy 9x module to work in the Futaba 9c for the WLToys multicopters. It would be great to have something like that for the Hubsan X4 too.

I have a DEVO 10, but not sure I want to modify the internal hardware to do this, if it will even work on a DEVO 10?

Great work again!
Cheers,
Jim
Quadrocopter and Tricopter Info Mega Link Index


Quote:
Originally Posted by PhracturedBlue View Post
No, that is completely unrealistic. The only way to do it would be something like the magic cube, or Hammer22's module that plugs into the trainer port. Not something I'm interested in doing.
Posted by jesolins
Last edited by jesolins; Nov 27, 2012 at 05:13 AM.
Old Nov 21, 2012, 01:45 PM
Registered User
United Kingdom, England, Ashford
Joined Jun 2007
42 Posts
Will you be releasing an updated version of Deviation software to support Hubsan X4 protocol? I've tried building firmware from latest source but not having much luck...
Posted by RCaDDiCT!
Old Nov 21, 2012, 01:48 PM
Registered User
Joined Jan 2012
677 Posts
Quote:
Originally Posted by RCaDDiCT! View Post
Will you be releasing an updated version of Deviation software to support Hubsan X4 protocol? I've tried building firmware from latest source but not having much luck...
We are in the final stages before the next release. I'm hopeful I'll get it out in the next week or so.
Posted by PhracturedBlue
Old Nov 21, 2012, 02:32 PM
Registered User
United Kingdom, England, Ashford
Joined Jun 2007
42 Posts
Excellent! Thanks again
Posted by RCaDDiCT!
Old Nov 21, 2012, 04:42 PM
Registered User
Joined Jan 2012
1,592 Posts
Any chance to implement it into er9x firmware to use the 9x ?
Posted by mystman
Old Nov 21, 2012, 05:13 PM
Registered User
Joined Jan 2012
677 Posts
Quote:
Originally Posted by mystman View Post
Any chance to implement it into er9x firmware to use the 9x ?
Not without doing the same hardware modification I do for Devo Tx. The 9x hardware does not expose enough control over the A7105 transceiver to support using the same module with multiple protocols.
Posted by PhracturedBlue
Old Nov 26, 2012, 09:49 PM
Registered User
Joined Aug 2012
27 Posts
Quote:
Originally Posted by PhracturedBlue View Post
Not without doing the same hardware modification I do for Devo Tx. The 9x hardware does not expose enough control over the A7105 transceiver to support using the same module with multiple protocols.
Thanks so much for working on this - it's great to see someone bringing light to the mystery box. I fly my Hubsan a lot and notice that it doesn't always bind right away. Now I see some of the variables at play!
Posted by flyhigh42