New board for CX-10

[soulman301]

It looks like the manufacturer recently updated the electronics. The transmitter is still 2.4 GHz, but it seems the connection protocol has changed. Any advice?

[samnockels]

I would also like some advice with reverse engineering this new protocol. Here are some pic of the new electronics -> https://imgur.com/a/vCBHihA

[goebish]

That's not a good sign, there's only 1 chip in the Tx ... (MCU+RF in the same package), perhaps it's xn297 compatible, you'd need a nrf24l01 sniffer (set 2 byte address to 0x0f,0x71 to try to detect xn297 packets) or an SDR with 2.4GHz capability to check that. If it's xn297 compatible then it can be emulated with the nrf24-multipro. If it's based off LT8910 or something else there's nothing much we can do for now (same as Furibee F36)...

[soulman301]

There's no guarantee they still have them, but as of mid April Walmart.com was still selling the old version

[samnockels]

I'm from the UK and can't seem to get hold of one, bought 5 from different sources and all are the new one :( @goebish I'm a newbie in rf, how would I make a sniffer using the nrf24lo1?

[goebish]

Send me one if you want (my nickname @gmail.com for address, I'm from France) but I can't promise I'll be able to make it work, if it's using the same kind of transceiver than the F36 there's nothing I can do.

[samnockels]

Just sent an email :)

[goebish]

Ok got it.

[goebish]

@soulman301 does yours also have only 1 IC in the TX ? (and 2 in the quad, [MCU+RF] + MPU).

Also, is it a CX10, CX10D or CX10WD ?

[samnockels]

@goebish What other drones do you know of that still work?

[goebish]

You mean from the compatibility list on the project page ? All of them except a few CX10 ;)

If you're looking for a good machine take a look at the EAchine E011 or Boldclash BWhoop B03 pro (they're basically the same), they're using the Bayang protocol, same as H8 mini and they can be flashed with Silverware custom firmware for acro mode and other awesome stuffs.

[samnockels]

Cool, I'll have a look at them. I won't be able to send you the electronics until next week, how would you go about sniffing out xn297 packets? I might as well have a go at it this weekend before I send you it on Monday.

[goebish]

I would set the nrf24 address width register to 0 (illegal value according to the datasheet, =2 byte length actually :wink:), set RX address to {0x0f,0x71} which is part of xn297 preamble, set it to receive mode with CRC disabled, then listen to every frequencies for one second each with 250kbps and 1Mbps bitrate. If many similar packets are received that's a good sign, then they've to be unscrambled (xored with the byte array that's in xn297_emu.ino) ... At this point, if everything went fine we have almost as much information as if it was possible to connect a logic analyzer between the MCU and the transceiver.

[goebish]

here's a good article if you're interested in sniffing out nrf24 packets: http://travisgoodspeed.blogspot.com/2011/02/promiscuity-is-nrf24l01s-duty.html xn297 packets are easy to detect with a nrf24l01 because they always have the same preamble (0xf7155), you don't have to guess the syncword ...

[kpfaulkner]

Just got myself a CX10... but no luck running this. Guessing I've got a "new one" as well :( Can I do anything to help potentially get this fixed?

[kpfaulkner]

Just took apart the one I recently got. Similar images to the one shown above, but on the FC it has the marking KY-CX10R-6...

[goebish]

If you've an HackRF or any 2.4GHz capable SDR device then send me some captures, or send me one of those new CX10 and its transmitter (without guaranteed results), that's the best I can tell you ;)

[kpfaulkner]

Found out a local shop has a JJRC H36 so might bite the bullet and just switch to that for now :) Hopefully I wont have the same issue where they've changed the internals :/ Whats the HackRF? Any links?

[goebish]

You mean HackRF ? https://greatscottgadgets.com/hackrf/

Take care with the E010 / H36, they require to use a nrf24l01 module with an accurate crystal oscillator, those ones work fine: https://www.banggood.com/2_4G-NRF24L01-PA-LNA-Wireless-Module-1632mm-Without-Antenna-p-922601.html

[goebish]

But honestly, the E010 and H36 (same machine actually) are underpowered, get a Boldclash BWhoop B03 pro (get the pro, you don't want the version with baro, it's not fun and it's more expensive) or an EAchine E011, you won't regret it.

[kpfaulkner]

From a flying point of view my son and I fly 5" racing quads and occasionally tiny whoops. These smaller quads are purely to satisfy my curiosity about starting to code one.

As long as I can arm it, programmatically hover and move about a little (again just to satisfy my curiosity) that would probably be enough (for now).

I'd love to see how far this can go and decide flysky protocols etc. (ever looked at that?)

This is a great GitHub repo for learning!

Cheers

On 12 Jul 2018, at 20:03, goebish notifications@github.com wrote:

But honestly, the E010 and H36 (same machine actually) are underpowered, get a Boldclash B03 pro (get the pro, you don't want the version with baro, it's not fun and it's more expensive) or an EAchine E011, you won't regret it.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

[kpfaulkner]

Hmmm does this mean the one I bought ( https://www.amazon.com/gp/aw/d/B072BLN8SZ/ref=ya_aw_od_pi?ie=UTF8&psc=1 ) isn't any good for the e10/h36?

On 12 Jul 2018, at 19:58, goebish notifications@github.com wrote:

You mean HackRF ? https://greatscottgadgets.com/hackrf/

Take care with the E010 / H36, they require to use a nrf24l01 module with an accurate crystal oscillator, those ones work fine: https://www.banggood.com/2_4G-NRF24L01-PA-LNA-Wireless-Module-1632mm-Without-Antenna-p-922601.html

— You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

[goebish]

YMMV but most of the modules you linked don't have accurate enough oscillator for the E010 protocol (because of the xn297 emulation @ 250kbps bitrate) and they don't have a power amplifier, so even if it works, the range will be very short. At least you can keep the small power supply board, the board I linked is pin compatible ;)

Flysky protocols require an A7105 transceiver, not a nrf24l01, I reverse engineered the AFHDS 2A protocol some time ago: https://www.deviationtx.com/forum/protocol-development/5251-flysky-afhds-2a-protocol-as-used-i10-i6-it4

[kpfaulkner]

Any recommendation for the A7105 transeiver? (sorry for hijacking this issue/thread)

[goebish]

This one is fine: https://www.banggood.com/A7105-Wireless-RF-2_4GHz-Transceiver-Module-3_3V-Power-Supply-Module-p-909404.html but that's only a RF transceiver, it won't do anything if not connected to a MCU with a proper firmware.