DSMX Hacking - Page 9 - RC Groups
Dec 13, 2012, 09:29 AM
Registered User
Quote:
 Originally Posted by RW9UAO
at now, i think, dsmX frequency hopping question is finish.
Code:
```
#include <stdio.h>

/*
  DSMX channels list for Frequency Shift Hopping
  math by Alexandr Alexandrov
  code by Sergey Gimaev
  some function (like RadioSetFrequency) from Cypress old assembler lib for CYRF transceivers
  they used in OrangeRX DSM2 6 channel and AR6110 clone receiver
*/
int main(void){
    unsigned int manufacturerID = 0x92C65809; //inverted 0x6D39A7F6; //manufacturer ID - this is what we see in the first 4 bytes of BIND package
    unsigned int calc;
    unsigned int channel;
    int c = 0, k, part1 = 8, part2 = 7, part3 = 8, flag = 0;
    unsigned char channel_list[23];

    for(k = 0; k < 23; k++){
        channel_list[k] = 0xFF; //init channel list
    }
    calc = manufacturerID; //init randomize function
    do{
        calc *= 0x0019660D; //randomize function
        calc += 0x3C6EF35F; //from wiki, linux, gcc, etc
        channel = calc >> 8;
        channel = channel % 0x49;
        /*1.If the 4-byte ManID - even ("0" in the low-bit), then the channel should be the same even
          (or odd for odd 4th byte ManID). If he's not - continue (calc generate in the next number.)*/
        //i need to compare last bit in manufacturerID and last bit in channel for both even/odd
        if((unsigned char)(channel & 1) == (unsigned char)(manufacturerID & 1)){
            /*2. If the channel coincides with any of the already obtained earlier numbers
              channels in the array, then continue */
            for(k = 0; k < 23; k++){
                if(channel_list[k] == (channel + 3)){flag = 1; k = 0xFF;}
                else flag = 0;
            }
            if(flag == 0){
                flag = 1;
                /*3. Check to which subband channel is ( 0..24, 25..48 or 49..72 ).
                  At the beginning of the work - to get 3 counters (for each sub-band) and set them
                  in 8, 7 and 8 (7 - a counter for subband 25 .. 48). In which sub-band channel -
                  check to see if 0 already in the appropriate counter. If 0 - continue*/
                if(channel < 25){
                    if(part1){ part1--; flag = 0; }
                }else{
                    if(channel < 49){
                        if(part2){ part2--; flag = 0; }
                    }else{
                        if(part3){ part3--; flag = 0; }
                    }
                }
                if(flag == 0){
                    /*Procedure returns, then we add to that 4 (as opposed to 2 for DSM2), and this will
                      RadioSetFrequency, which takes another one and write to the transceiver.*/
                    //i don`t use Cypress lib, write my self to CYRF. coz i need +3
                    channel_list[c] = channel + 3; //that is why +3
                    printf("0x%.2x ", channel + 3);
                    c++;
                }
            }
        }
    }while(c < 23);
    return 7;
}
```
sorry, comments in code in russian
Don't be offended, save little time for them that understand it
Dec 13, 2012, 09:39 AM
Registered User
some check. i wrote channel scanner, bind my dsmX receiver and scan.
first i calc channels on PC program:
0x0f 0x13 0x09 0x4b 0x29 0x23 0x3b 0x2d 0x25 0x33 0x3d 0x17 0x31 0x35 0x07 0x43 0x19 0x37 0x21 0x03 0x45 0x41 0x05
and scan (i broken my AR8000 and can not connect SPI grabber to him)
bind my rx to DX8:
Code:
```
CYRF bind
Bind RX ok 0x92C6580A
21 7A [92C6-580A-92C6-580A-04E4-0108-B200-0687]
tx bind normal
```
scan:
Code:
```
0F 7B [A7F5-A6AA-0156-3C00-FFFF-FFFF-FFFF-FFFF]
17 7B [A7F5-A6AA-0156-3C00-FFFF-FFFF-FFFF-FFFF]
21 7A [A7F5-0B2A-2C00-13EE-1C02-3400-FFFF-FFFF]
29 7A [A7F5-A6AA-0156-3C00-FFFF-FFFF-FFFF-FFFF]
31 7B [A7F5-0B2A-2C00-13EE-1C02-3400-FFFF-FFFF]
33 7B [A7F5-0B2B-2C00-13EE-1C02-3400-FFFF-FFFF]
35 7A [A7F5-A6AA-0156-3C00-FFFF-FFFF-FFFF-FFFF]
37 7B [A7F5-A6AA-0156-3C00-FFFF-FFFF-FFFF-FFFF]
3D 7B [A7F5-0B2A-2C00-13EE-1C02-3400-FFFF-FFFF]
45 7A [A7F5-A6AA-0156-3C00-FFFF-FFFF-FFFF-FFFF]
03 7B [A7F5-A6AA-0156-3C00-FFFF-FFFF-FFFF-FFFF]
05 7B [A7F5-0B2A-2C00-13EE-1C03-3400-FFFF-FFFF]
0F 7A [A7F5-0B2A-2C00-13EE-1C02-3400-FFFF-FFFF]
17 7A [A7F5-0B2A-2C00-13EE-1C02-3400-FFFF-FFFF]
21 7B [A7F5-0B2A-2C00-13EE-1C02-3400-FFFF-FFFF]
29 7B [A7F5-A6AA-0156-3C00-FFFF-FFFF-FFFF-FFFF]
31 7A [A7F5-A6AA-0156-3C00-FFFF-FFFF-FFFF-FFFF]
33 7A [A7F5-A6AA-0156-3C00-FFFF-FFFF-FFFF-FFFF]
```
channel num, rx_irq_status(at now i ignore CRC_SEED and have a CRC error bit) and packet body.
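An added example, not part of the original posts: a C check that the channel list and scan posted above obey the rules the quoted generator enforces (low bit matching the ID, no repeats, 8/7/8 sub-band quotas), and that every scanned channel is in the list. The function names are made up for this example, and the ID 0x92C6580A is taken from the posted bind output on the assumption that the list was computed for it.

```c
#include <stdint.h>
#include <stdio.h>

#define DSMX_HOPS 23

/* Channel list copied from the post above (values include the +3 offset). */
static const uint8_t posted_list[DSMX_HOPS] = {
    0x0f, 0x13, 0x09, 0x4b, 0x29, 0x23, 0x3b, 0x2d, 0x25, 0x33, 0x3d, 0x17,
    0x31, 0x35, 0x07, 0x43, 0x19, 0x37, 0x21, 0x03, 0x45, 0x41, 0x05};

/* First column of the posted scan, repeats dropped. */
static const uint8_t scanned[] = {0x0f, 0x17, 0x21, 0x29, 0x31, 0x33,
                                  0x35, 0x37, 0x3d, 0x45, 0x03, 0x05};

/* 0 = list obeys every rule the posted generator enforces; otherwise the
 * first rule broken (1 range, 2 parity, 3 duplicate, 4 sub-band quota). */
int check_hop_list(const uint8_t *list, uint32_t id)
{
    int band[3] = {0, 0, 0};
    for (int i = 0; i < DSMX_HOPS; i++) {
        if (list[i] < 3 || list[i] > 75) return 1; /* (x % 0x49) + 3 is 3..75 */
        unsigned ch = list[i] - 3u;                /* value before the +3 offset */
        if ((ch & 1u) != (id & 1u)) return 2;      /* low bit must match the ID */
        for (int j = 0; j < i; j++)
            if (list[j] == list[i]) return 3;      /* each channel appears once */
        band[ch < 25 ? 0 : ch < 49 ? 1 : 2]++;     /* 0..24, 25..48, 49..72 */
    }
    return (band[0] == 8 && band[1] == 7 && band[2] == 8) ? 0 : 4;
}

/* Number of observed channels that are not in the hop list. */
int count_outside(const uint8_t *list, const uint8_t *seen, size_t n)
{
    int missing = 0;
    for (size_t i = 0; i < n; i++) {
        int found = 0;
        for (int j = 0; j < DSMX_HOPS; j++)
            found |= (list[j] == seen[i]);
        missing += !found;
    }
    return missing;
}

int main(void)
{
    printf("rule check: %d, scanned channels outside list: %d\n",
           check_hop_list(posted_list, 0x92C6580Au),
           count_outside(posted_list, scanned, sizeof scanned));
    return 0;
}
```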
Dec 13, 2012, 10:10 AM
Registered User
You guys are truly incredible. That code seems to work well on everything I've thrown at it.
Dec 13, 2012, 02:01 PM
Registered User
Does it mean, that deviation will support DSMX soon?
Dec 13, 2012, 09:32 PM
Registered User
Quote:
 Originally Posted by FDR_ Does it mean, that deviation will support DSMX soon?
This has nothing to do with Deviation (though I'll likely implement it). I already had sufficient knowledge to implement a DSM-X transmitter. This is sufficient to implement a receiver though.
Dec 13, 2012, 09:47 PM
Registered User
FYI, here is the pseudo-code representing the function of the posted code:
Code:
```
foreach idx in (0 .. 22):
    ok = 0
    while(ok is 0):
        id_tmp = id_tmp * 0x0019660D + 0x3C6EF35F  ## Randomization
        next_ch = ((id_tmp >> 8) MODULO 49) + 3  ## Use least-significant byte and must be larger than 3
        if (next_ch is odd and ID is even OR next_ch is even and ID is odd) AND
           none of the values in the 'ch' array are equal to next_ch:
            if 3 <= tmp < 28 and the number of channels in ch that are between 3 and 28 is < 8 OR
               28 <= tmp < 52 and the number of channels in ch that are between 28 and 52 is < 7 OR
               53 <= tmp and the number of channels in ch that are greater than 53 is < 8:
                ok = 1
                ch[idx] = next_ch
```
Last edited by PhracturedBlue; Dec 13, 2012 at 10:58 PM.
Dec 13, 2012, 10:03 PM
Registered User
Quote:
 You guys are truly incredible. That code seems to work well on everything I've thrown at it.
it`s Polishinel`s secret
Quote:
 next_ch = ((id_tmp >> 8) MODULO 49) + 3
mistake. next_ch calculating, checking and put in to list. 3 added before write to CYRF. you moved borders, you checked code?
Dec 13, 2012, 10:14 PM
Registered User
at now i have worked code for: dsm2/dsmX 10/11 bit 11/22 ms receiver/transmitter and all telemetry, like GPS, S-sensor, current, powerbox, etc... i have one question: why Orange not release cheap dsm2 telemetry and cheap dsmX rx/tx (not for last bugged odd job with 10 fixed IDs)? HorizonHobby promised to kill oranges?
Dec 13, 2012, 10:58 PM
Registered User
Quote:
 Originally Posted by RW9UAO it`s Polishinel`s secret mistake. next_ch calculating, checking and put in to list. 3 added before write to CYRF. you moved borders, you checked code?
Pretty sure it is right. I moved all bounds checks by 3.
Edit: I guess I missed one, but should be ok now
Dec 13, 2012, 11:25 PM
Quote:
 Originally Posted by RW9UAO at now i have worked code for: dsm2/dsmX 10/11 bit 11/22 ms receiver/transmitter and all telemetry, like GPS, S-sensor, current, powerbox, etc... i have one question: why Orange not release cheap dsm2 telemetry and cheap dsmX rx/tx (not for last bugged odd job with 10 fixed IDs)? HorizonHobby promised to kill oranges?
Orange have a DSMX receiver. Not for sale yet though.
Dec 13, 2012, 11:26 PM
Registered User
it`s old picture. where in shop?
Dec 13, 2012, 11:30 PM
Registered Adict
You are correct it is not in the shop yet
Dec 14, 2012, 02:49 AM
I don't want to "Switch Now"
Now that it seems like the DSMX hopping scheme has been cracked, receivers should follow. And perhaps they will be able to do a proper job on their tx module
Dec 14, 2012, 02:53 AM
Registered User
Quote:
where our medals?
Dec 14, 2012, 02:58 AM
Registered User
Order-of-Glory