Could the difficulty in finding the DSMX jumping sequence be what caused Orange to issue a DSMX capable TX module that needed the ability to change its GUID.

A.

Quote:

Originally Posted by AndyOne

Could the difficulty in finding the DSMX jumping sequence be what caused Orange to issue a DSMX capable TX module that needed the ability to change its GUID.

A.

I don't know anything about the Tx module, but it is very likely the same issue (and why they don't sell an Rx). Can you point me at the GUID change procedure? How many different options do you have?

It's unknown. Press the Change ID button a few seconds, then you hear a beep, means this module's ID changed, release the button.

https://www.hobbyking.com/hobbyking/s...2X39217X54.pdf

I guess what happen to Orange TX module is that, they have a limited pool of preset
GUID and matching jumping sequence. You press the key it will rotate to the next one.
I am curious to find out how many different GUID are there in the Orange TX module.

It is a bit tricky to ready back the TX GUID though. Currently I use the receiver to trace
the SPI. I don't know there is other ways to show the GUID of TX without taping the
SPI.

I have an idea to capture other TX's GUID in deviation firmware. We just need to
make the devo TX module listen to the bind packet and display the GUID on the LCD
screen.

Quote:

Originally Posted by printk

I guess what happen to Orange TX module is that, they have a limited pool of preset
GUID and matching jumping sequence. You press the key it will rotate to the next one.
I am curious to find out how many different GUID are there in the Orange TX module.

Yet another reason not to buy one!

I wonder if they even bothered to make sure their GUIDs are unique from real Spektrum ones, or could I get shot down by someone with an Orange module

Pat MacKenzie

I was going to say what printk did about the Orange module probably having a set of pre-programmed known good GUIDs and corresponding hopping patterns to select from when you press the ID change button. I too wonder how many they decided to code into the module. I'd definitely be worried about one Orange module user shooting another Orange module user down!

printk, you've done some really nice work so far in analyzing the DSMX hopping patterns and I was sorry to hear that your Walkera TX module is semi-toasted. I have a bunch of brand new Walkera modules and I would be happy to give one to you. PM me with your address and I'll mail it to you.

Hammer22, thanks for the offer of the walkera TX. I have 2 TX module just
for experimenting. So I am fine with the TX module. Plus that one I open is
actually in the working order for experiment, just not install into the Devo TX.
I call that a feature without the amplify. I really appreciate the offer though.

It seems hammer22 and I are often think alike :-)

I haven't able to make much new progress on the DSMX though. I want to
come up with a theory to explain why the channel are more likely to jump to
its own zone then then other zone. I come up with a few theory like own zone
has one less channel to chose from (can't jump to the same channel).
But it does not match the number I found.

Also the chance of the channel stay within the middle zone is slightly higher
than channel stay within the high or low zone. I don't have a theory can match
that number either.

I attach the first 64k jumping sequence I capture with my MCPX receiver.
Open the zipfile there is one binary file and one python file.

Just run the following command should give you a full list of
the guid. I store the guid in binary to save some space.

Code:

python read-guid.py guid-00000000-1.bin

I hope some one else can come up with some new idea why
why the DSMX slight favour to stay within the same zone.

DSMX use not only different sets of channels. DSMX use different hopp time and alternating spreading codes.
http://www.flyelectric.ukgateway.net/24scanner.htm

I have upload receiver side spi trace of the cyrf chip. That should show the usage of channel very well. It is repeating every 22ms. The receiver can send back telemetry data, that happen every other channel which might explain the different timing you saw on the air.

Quote:

Originally Posted by Kambalunga

DSMX use not only different sets of channels. DSMX use different hopp time and alternating spreading codes.
http://www.flyelectric.ukgateway.net/24scanner.htm

Hi. That page is mine. I know more now than I did when I put that up. I don't think the different hop timing is correct. I will fix the page. DSMX does use different spreading codes but that has already been explained.
Regards, David.

Quick questions- Does the model match number combine with the GUID produce a new hopping sequence?
If not, does the mismatch in the model number prevent the receiver from locking on to a transmitter with the same GUID but a different model number?

Some of the info on this thread and the DSM2 protocol suggests that the GUID is offset by the model match number.

Trying to figure out how bad the Orange DSMX implementation really is

Thanks,

Pat MacKenzie

My understanding is, model match number will produce a new GUID.
However, this new GUID is still 32 bit, so it might smash into some
other GUID. At least in theory that is possible, unless there is some
thing clever in the GUID selection to avoid that. e.g. Cypress can
leave some room between each GUID so make sure each GUID
offset some range will not become another valid GUID.

Of course, the new GUID will have a different hopping sequence.

Its important to note that the real GUID of the radio is, as printk says, a 32 bit value which the receiver learns at bind time. 16 of those bits are the actual GUID that is transmitted as the first 2 bytes of every data packet sent. It is those 2 bytes that are modified with the model match number. The other 16 bits become a pair of CRC seed values used to build the checksum of each data packet. This also aids in making sure the receiver only receives packets from the correct transmitter because it will reject the packet if the CRCs do not match. The CRC seed values do not change with the model match number.

So a Spektrum radio with 50 model memories actually had 50 different GUIDs; one for each model memory slot.

The way Spektrum handles the model match number is to take the base radio GUID, (model memory 1 actually has a model match number of 0, model memory 2 has model match value 1 etc...) and XOR that with the single byte model match number. The new GUID that is produced is used any time that particular model memory is selected.

The DSMX frequency hopping algorithm appears to use the entire 32 bit GUID to calculate the hopping pattern.

Thanks guys, that is sort of what I understood.


Pat MacKenzie

at now, i think, dsmX frequency hopping question is finish.

Code:

#include <stdio.h>
/*
  DSMX channels list for Frequency Shift Hopping
  math by Alexandr Alexandrov
  code by Sergey Gimaev
  some function (like RadioSetFrequency) from Cypress old assember lib for CYRF transivers
  they used in OrangeRX DSM2 6 channel and AR6110 clone receiver
*/
int main(void){
unsigned int manufacturerID = 0x92C65809;//inverted 0x6D39A7F6;
//manufacturerID - это то, что видим в первых 4-х байтах BIND пакета
unsigned int calc;
unsigned int channel;
int c = 0, k, part1 = 8, part2 = 7, part3 = 8, flag = 0;
unsigned char channel_list[23];

    for(k = 0; k < 23; k++){
        channel_list[k] = 0xFF;//init channel list
    }

    calc = manufacturerID;//init randomize function
    do{
        calc *= 0x0019660D;//randomize function
        calc += 0x3C6EF35F;//from wiki, liniux, gcc, etc

        channel = calc >> 8;
        channel = channel % 0x49;

/*1.Если 4-й байт ManID - чётный ( "0" в младшем бите ), то и channel
должен быть таким же чётным ( или нечётным для нечётного 4-го байта ManID ).
Если он не такой - continue  ( генерируем в calc следующее число ).*/
//i need to compare last bit in manufacturerID and last bit in channel for both even/odd
        if((unsigned char)(channel & 1) == (unsigned char)(manufacturerID & 1)){
/*2. Если channel совпадает с каким-либо из уже полученных ранее номеров
каналов в массиве, то continue */
            for(k = 0; k < 23; k++){
                if(channel_list[k] == (channel + 3)){flag = 1; k = 0xFF;}
                else    flag = 0;
            }
            if(flag == 0){
                flag = 1;
/*3. Проверяем, к какому поддиапазону channel относится ( 0..24, 25..48 или 49..72 ).
В начале работы - завести 3 счётчика ( для каждого поддиапазона ) и задать в них 8, 7 и 8
( 7 - в счётчике для поддиапазона 25..48 ).  В каком поддиапазоне channel - проверяем, не 0 ли
уже в соответствующем счётчике. Если 0 - continue*/
                if(channel < 25){
                    if(part1){
                        part1--;
                        flag = 0;
                    }
                }else{
                    if(channel < 49){
                        if(part2){
                            part2--;
                            flag = 0;
                        }
                    }else {
                        if(part3){
                            part3--;
                            flag = 0;
                        }
                    }
                }
                if(flag == 0){
/*Процедура вернёт, потом к этому ещё прибавится 4 ( в отличие от 2 для DSM2 ),
и с этим вызовет RadioSetFrequency, в которой отнимет ещё 1 и запишет в трансивер.*/
//i don`t use Cypress lib, write my self to CYRF. coz i need +3
                    channel_list[c] = channel + 3;//поэтому +3
                    printf ("0x%.2x ", channel + 3);
                    c++;
                }
            }
        }

    }while(c < 23);
    return 7;
}

sorry, coments in code in russian