Walkera DEVO Tx Hacking - Page 10 - RC Groups
Mar 21, 2012, 03:38 AM
FPV Electronics For Life!
NorCalMatCat
Quote:
Originally Posted by Mike43110
So, how would you start a firmware. Base OS required?
As it will be built from the ground up, any UI suggestions?
At the moment it looks like the UI was built using the parts from an IDE.

This looks to be quite interesting, unfortunately nobody can do anything without the protocols.
Will the DSM2 stuff already done be enough?
It's ARM machine code, no OS, all the UI would have to be done, there are development kits for this processor, it's just a matter of building a firmware from the ground up!
Mar 21, 2012, 01:13 PM
Registered User
Quote:
Originally Posted by Mike43110
This looks to be quite interesting, unfortunately nobody can do anything without the protocols.
Will the DSM2 stuff already done be enough?
To my knowledge, the only thing done was to implement the capability to interface with a DSM2 module scavenged from an old Transmitter (or the rare plugin module). You could do the same to a Devo if you wanted to use that module, but if you wanted to support DSM2 without any hardware modifications, the DSM protocol needs to be understood, and I don't think much work has happened on that front. This is the holy-grail of a Tx: a firmware only upgrade to support all 2.4GHz protocols. It is probably quite far away though.
Mar 21, 2012, 02:54 PM
FPV Electronics For Life!
NorCalMatCat
Quote:
Originally Posted by PhracturedBlue
To my knowledge, the only thing done was to implement the capability to interface with a DSM2 module scavenged from an old Transmitter (or the rare plugin module). You could do the same to a Devo if you wanted to use that module, but if you wanted to support DSM2 without any hardware modifications, the DSM protocol needs to be understood, and I don't think much work has happened on that front. This is the holy-grail of a Tx: a firmware only upgrade to support all 2.4GHz protocols. It is probably quite far away though.
With the current hardware it's not going to happen, I think FHSS and DSSS require different hardware to work.
Mar 21, 2012, 03:29 PM
Registered User
The CPU is based on an ARM Cortex M3 processor, IDA Pro disassembles the binaries just fine. While it's not trivial to reverse ARM binaries it's not impossible especially if you have a HW debugger available

I'm _still_ waiting for my Devo8S to arrive so I can get stuck in, all that's really needed is the transmitter protocol (and the telemetry stuff of course) and we can begin developing a replacement firmware - no real hacking required coz there's nothing to prevent our own code running. Logging the SPI bus between CPU and CYRF chip is high on the "todo" list. It will be really interesting to compare the way the old Walkera stuff works with the Devo Tx's

Does anyone use the Walkera telemetry? Would a PC based telemetry logger be interesting?

Edit: The cheap and cheesy DSM2 module I ripped out of the nasty Tx I got with my HZ Champ is based on the CYRF6936 (looks a _lot_ like the satellite module from my AR6210).

Edit, not SiLabs but CY8C214
Last edited by rcH4x0r; Mar 21, 2012 at 03:53 PM.
Mar 21, 2012, 03:31 PM
FPV Electronics For Life!
NorCalMatCat
Quote:
Originally Posted by rcH4x0r
The CPU is based on an ARM Cortex M3 processor, IDA Pro disassembles the binaries just fine. While it's not trivial to reverse ARM binaries it's not impossible especially if you have a HW debugger available

I'm _still_ waiting for my Devo8S to arrive so I can get stuck in, all that's really needed is the transmitter protocol (and the telemetry stuff of course) and we can begin developing a replacement firmware - no real hacking required coz there's nothing to prevent our own code running. Logging the SPI bus between CPU and CYRF chip is high on the "todo" list. It will be really interesting to compare the way the old Walkera stuff works with the Devo Tx's

Does anyone use the Walkera telemetry? Would a PC based telemetry logger be interesting?
Do you have the equipment to reverse engineer the protocols? (I am assuming an oscilloscope is pretty much all that is required?)
Mar 21, 2012, 03:48 PM
Registered User
I sure do

-IDA Pro to reverse the firmware
-Logic Analyser to log the SPI bus and see how the CPU is driving the CYRF chip (see my site, rcH4x0r.com, for examples)
-ST-LINK to control the CPU via debug interface (SWD in this case)

If/when we understand the transmitter protocol we are free to do our own thing.

The DSM2 stuff is quite do-able too (same CYRF chip), even if they do something sneaky like encrypt the data we can get the chip cracked & dumped for a couple of hundred dollars in China
Last edited by rcH4x0r; Mar 21, 2012 at 03:55 PM.
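An added example, not part of the original posts: a minimal decoder for a logic-analyser capture of the SPI traffic between the CPU and the CYRF6936 mentioned above. It assumes the command-byte layout from the CYRF6936 datasheet (bit 7 = write, bit 6 = auto-increment, bits 5..0 = register address); the capture bytes, helper names and register subset are constructed for illustration.

```python
# Added example: decode CYRF6936 SPI transfers from a logic-analyser export.
# Assumed command byte layout (CYRF6936 datasheet):
#   bit 7 DIR (1 = write), bit 6 INC (auto-increment), bits 5..0 register address.
REG_NAMES = {  # subset of the register map, enough for this illustration
    0x00: "CHANNEL", 0x01: "TX_LENGTH", 0x02: "TX_CTRL", 0x03: "TX_CFG",
    0x0F: "XACT_CFG", 0x20: "TX_BUFFER", 0x21: "RX_BUFFER", 0x22: "SOP_CODE",
}

def decode_transaction(mosi, miso):
    """Decode one chip-select-framed transfer into (op, name, addr, value) tuples."""
    if len(mosi) != len(miso):
        raise ValueError("MOSI and MISO captures must be the same length")
    if len(mosi) < 2:
        return []  # a command byte with no data carries no register access
    cmd = mosi[0]
    write, inc, addr = bool(cmd & 0x80), bool(cmd & 0x40), cmd & 0x3F
    data = mosi[1:] if write else miso[1:]  # read data comes back on MISO
    ops = []
    for value in data:
        ops.append(("W" if write else "R", REG_NAMES.get(addr, f"REG_{addr:02X}"), addr, value))
        if inc:  # without INC, burst bytes hit the same register (e.g. a FIFO)
            addr = (addr + 1) & 0x3F
    return ops

def channel_sequence(capture):
    """Return, in order, every value the CPU writes to CHANNEL (0x00)."""
    return [value
            for mosi, miso in capture
            for op, _name, addr, value in decode_transaction(mosi, miso)
            if op == "W" and addr == 0x00]

# Constructed sample capture: one (MOSI, MISO) pair per chip-select assertion.
SAMPLE_CAPTURE = [
    (bytes([0x80, 0x12]), bytes(2)),              # write CHANNEL = 0x12
    (bytes([0x01, 0x00]), bytes([0x00, 0x10])),   # read TX_LENGTH -> 0x10
    (bytes([0xC2, 0x40, 0x08]), bytes(3)),        # INC burst: TX_CTRL, TX_CFG
    (bytes([0xA0, 0xDE, 0xAD]), bytes(3)),        # two bytes into TX_BUFFER
    (bytes([0x80, 0x3A]), bytes(2)),              # write CHANNEL = 0x3A
]

if __name__ == "__main__":
    for mosi, miso in SAMPLE_CAPTURE:
        for op, name, addr, value in decode_transaction(mosi, miso):
            print(f"{op} {name:<10} (0x{addr:02X}) = 0x{value:02X}")
    print("channels:", [hex(c) for c in channel_sequence(SAMPLE_CAPTURE)])
```

Listing the CHANNEL writes in capture order shows which RF channels the firmware selects and in what sequence, which is the first thing to line up against the disassembly.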
Mar 21, 2012, 04:29 PM
Registered User
FDR_
Quote:
Originally Posted by rcH4x0r
I sure do

-IDA Pro to reverse the firmware
-Logic Analyser to log the SPI bus and see how the CPU is driving the CYRF chip (see my site, rcH4x0r.com, for examples)
-ST-LINK to control the CPU via debug interface (SWD in this case)

If/when we understand the transmitter protocol we are free to do our own thing.

The DSM2 stuff is quite do-able too (same CYRF chip), even if they do something sneaky like encrypt the data we can get the chip cracked & dumped for a couple of hundred dollars in China
Welcome back!
It's a pity that you still don't have your tx! Where did you order from?

Could you send me the disassembled code? I would try to help to figure it out...
The question is: which fw to begin with? Most known hardware is the DEVO 8/8S, but it might be easier to look for the protocol in a simpler fw, like the DEVO 10...

Edit:
There are a few protocols to determine: auto-binding vs fixed id sending, normal flight control, receiving telemetry data, sending and receiving wireless model data transfer... etc
Mar 21, 2012, 04:32 PM
FPV Electronics For Life!
NorCalMatCat
Quote:
Originally Posted by FDR_
Welcome back!
It's a pity that you still don't have your tx! Where did you order from?

Could you send me the disassembled code? I would try to help to figure it out...
The question is: which fw to begin with? Most known hardware is the DEVO 8/8S, but it might be easier to look for the protocol in a simpler fw, like the DEVO 10...
I second the decompiled code, I would like to start going through it and seeing what I can figure out.
Mar 21, 2012, 07:23 PM
Registered User
Another disassembled code request.
Mar 21, 2012, 07:44 PM
Registered User

SPI bus between CPU and CYRF6936 is done.


Quote:
Originally Posted by rcH4x0r
The CPU is based on an ARM Cortex M3 processor, IDA Pro disassembles the binaries just fine. While it's not trivial to reverse ARM binaries it's not impossible especially if you have a HW debugger available

I'm _still_ waiting for my Devo8S to arrive so I can get stuck in, all that's really needed is the transmitter protocol (and the telemetry stuff of course) and we can begin developing a replacement firmware - no real hacking required coz there's nothing to prevent our own code running. Logging the SPI bus between CPU and CYRF chip is high on the "todo" list. It will be really interesting to compare the way the old Walkera stuff works with the Devo Tx's

Does anyone use the Walkera telemetry? Would a PC based telemetry logger be interesting?

Edit: The cheap and cheesy DSM2 module I ripped out of the nasty Tx I got with my HZ Champ is based on the CYRF6936 (looks a _lot_ like the satellite module from my AR6210).

Edit, not SiLabs but CY8C214
MISO, MOSI and not-SS are tied to the processor. I also found data transmission mode is 8DR.
Last edited by derek4610; Mar 21, 2012 at 07:46 PM. Reason: none
Mar 21, 2012, 07:52 PM
Registered User
In the pics already posted you can see both SPI interfaces are in use. One to the CYRF radio chip, the other to a 4MB SPI flash chip. Open questions are the ADCs for the joysticks and the LCD interface
Mar 21, 2012, 07:57 PM
FPV Electronics For Life!
NorCalMatCat
Quote:
Originally Posted by rcH4x0r
In the pics already posted you can see both SPI interfaces are in use. One to the CYRF radio chip, the other to a 4MB SPI flash chip. Open questions are the ADCs for the joysticks and the LCD interface
Yeah, getting the screen working and all control inputs working would be a very high priority well before protocols had to be tackled.
Mar 21, 2012, 08:02 PM
Registered User
Quote:
Originally Posted by Mike43110
Another disassembled code request.
It doesn't quite work like that. You need IDA Pro 6 and then I can give you a dbase file that combined with the correct dfu file will let you examine the disassembly plus my comments so far
Mar 21, 2012, 08:07 PM
Registered User
Quote:
Originally Posted by rcH4x0r
It doesn't quite work like that. You need IDA Pro 6 and then I can give you a dbase file that combined with the correct dfu file will let you examine the disassembly plus my comments so far
Got IDA 6 Pro from uni already. Just need the dbase file. I assume the dfu file is the standard devo firmware file?

Just being able to see the output of the disassembler will be enough to start me off.
Mar 22, 2012, 12:35 AM
Registered User
Atomic Skull
Quote:
Originally Posted by NorCalMatCat
With the current hardware it's not going to happen, I think FHSS and DSSS require different hardware to work.
DSM2 is also a DSSS system (and a less robust one at that). But according to the hackers on the 9x forum that chip could also do FHSS. Walkera chose to use DSSS instead of FHSS because apparently they think their implementation of DSSS is better.

