pascallanger / DIY-Multiprotocol-TX-Module

Multiprotocol TX Module (or MULTI-Module) is a 2.4GHz transmitter module which controls many different receivers and models.
https://www.rcgroups.com/forums/showthread.php?t=2165676&goto=newpost
GNU General Public License v3.0

4DRC V8 (Tx: RW1608P, Rx: CP298L) #643

Open dasavick opened 2 years ago

dasavick commented 2 years ago

Any hope for this drone? ~I'm currently in no possession of multiprotocol radio, so I was unable to tinker much~. Anyway, here is the data I was able to collect from the drone hardware itself.

Tx

RW1608P T377DSY42036

Same as Eachine e015? https://www.deviationtx.com/forum/protocol-development/8099-eachine-e015-flight-boat-car

remote

remote side 1

remote side 2

remote close-up

Rx

CP298L 2018

It seems that chipsky does not provide full documentation on their website, here is basic info:

http://chipsky.com/view/product/p5.html http://www.chipsky.com/data/upload/files/20170516_800.pdf

Chip Introduction:
CP298L is a single chip 2.4GHz transceiver chip embedded in baseband communication protocol.
The single chip 2.4GHz transceiver chip works in 2.4GHz~2.483GHz ISM band, suitable for ultra-low power wireless applications.
The design of CP298L wireless communication system requires only one MCU and few peripheral devices, and it is a low-cost wireless system solution.
The modulation method adopts GFSK modulation, the maximum transmitting power can reach 4dBm, receiving sensitivity in 1Mbps rate can reach -88dBm.
The integrated on-chip voltage regulator ensures high power source rejection ratio (PSRR) and wide supply voltage range.
The minimum operating voltage is 1.8V and the maximum operating voltage is 3.6V.

Chip Features:
◆Operating frequency band: 2400~2483MHz
◆Low operating voltage: 1.8~3.6V
◆Null port rate: 500Kps, 1 Mbps, 2Mbps
◆SPI interface: 4-wire system, maximum rate is 10Mbps
◆Modulation method: GFSK
◆available low-cost crystal: ±60ppm
◆Ultra low power consumption
◆Hardware auto-answer and auto-retransmission
◆Fast channel switching, can be applied to frequency hopping algorithm

Typical applications:
◆Wireless keyboard and mouse
◆Wireless avionics
◆Wireless industrial control

Translated with www.DeepL.com/Translator (free version)

drone pcb

pascallanger commented 2 years ago

Without having access to the TX and RX there is little I can do... You can either send me the hardware to France or sponsor me so I can buy it.

dasavick commented 2 years ago

Ok, so this is, as I understand, confirmed - these chips are currently not supported. I wasn't really sure about that.

I feel like investing some time into learning a new skill. Furthermore, I actually have a couple of similar cheap drones and would like to contribute so all of them would be supported, including new models I will come by in the future. How would you approach the reverse-engineering of these? I found the multi-module.org note about that quite incomplete.

I will be honest, I haven't done a lot with that type of hardware. The first and last time was tinkering with a proprietary Zigbee gateway UART, so nothing special besides soldering.

I think the software side (being proficient in more high-level languages) will not be much of a problem, besides understanding the protocol and ecosystem a bit more. As you may tell, I'm currently missing the required hardware.

I'm planning on acquiring an Eachine TX16S radio as a first step. Is this enough to test the new protocols, or would this be mainly a final testing platform? Do I actually need an SDR like the HackRF, or can the Eachine radio be used in a similar fashion?

pascallanger commented 2 years ago

This chip is fully emulated by the CYRF6936. The E015 is flying great with Multi. You would need an SDR to find the RF frequencies being used, their order and make a dump of a couple of packets to be decoded.

dasavick commented 2 years ago

What SDR do you use/would recommend for these purposes? Is there anything other than HackRF One that would do the job and is worth considering?

pascallanger commented 2 years ago

I'm using a PlutoSDR.

dasavick commented 2 years ago

I will be able to start working on this sometime next week when the hardware arrives. A couple of questions for now:

> their order

Do you mean the frequency hopping pattern or something else?

> make a dump of a couple of packets

Wouldn't it be required to dump packets for all actions? Like the auto-start/auto-land button or fine-tuning pad.

pascallanger commented 2 years ago

Frequency hopping pattern

A few packets already to see the structure of what's sent. Reversing a protocol takes a lot of time and effort. Just with a few packets we will already know if it's doable or not...

dasavick commented 2 years ago

My HackRF finally arrived. Do you have any software recommendations? I would also appreciate some additional guidance with the recording and decoding process. What format of the samples would you like?

Note: this post has been edited as it contained noisy samples in .complex16s format and my incorrect assumption from some noise. See post below for better data.

dasavick commented 2 years ago

Frequencies

After turning on the remote, there is only one frequency active:

image

After pairing with no receiver (throttle up then down):

image

image

image

2459.9 MHz

The remote before pairing seems to be producing 5 repeating fragments with no real data (?). There is a 1.5 ms delay between 5-fragment segments, 0.38 ms between each fragment, and a fragment length of 0.22 ms. Each segment is 2.64 ms:

image

image

Then the signal changes with no action at the end of the tenth segment:

image


image


Next, the pattern changes at the 14th segment, in the second fragment:

image

image

And continues like that until the 17th segment, changing in the third fragment:

image

image


While sometimes the starting pattern is different, the change points are constant. Signal in the 17th segment, third fragment seems to be pretty similar between two different runs:

image

I cannot really figure out how to get Universal Radio Hacker to produce the same binary output for these two. I noticed the center moved quite a lot in the second signal and in general this sample is a lot more "dirty". Here is the capture of the first one:

HackRF-20211214_223638-2_46GHz-2MSps-2MHz-pairing.zip

And this is the part from the analysis above, the signal drops after pairing:

image
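An added example, not part of the original post or the project's code: a Python script that turns demodulator output into the timing figures discussed above. It assumes one line per fragment in the form `<bits> [Pause: N samples]` and the 2 MSps rate named in the capture file name; the sample lines are constructed (pauses chosen to roughly match the reported 0.38 ms and 1.5 ms gaps, plus two deliberately short ones), and all function names are hypothetical.

```python
import re
from statistics import median

SAMPLE_RATE = 2_000_000  # samples per second; assumption taken from "2MSps" in the capture file name

LINE_RE = re.compile(r"^([01]+) \[Pause: (\d+) samples\]$")

# Constructed sample input: made-up bit strings, one fragment per line.
SAMPLE = """\
1000111000111110 [Pause: 767 samples]
0110000110000011 [Pause: 768 samples]
1100110011001100 [Pause: 767 samples]
1001100110011001 [Pause: 770 samples]
0011001100110011 [Pause: 2935 samples]
1111111111111011 [Pause: 766 samples]
0000000000000100 [Pause: 30 samples]
0 [Pause: 673 samples]
1101010111111110 [Pause: 767 samples]
1111111111111011 [Pause: 2938 samples]
"""


def parse(text):
    """Return [(bits, pause_samples)] for every well-formed line; other lines are skipped."""
    frags = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frags.append((m.group(1), int(m.group(2))))
    return frags


def to_ms(samples, rate=SAMPLE_RATE):
    """Convert a sample count to milliseconds."""
    return samples * 1000.0 / rate


def split_segments(frags, factor=2.0):
    """Group fragments into segments: a pause longer than factor * median closes a segment."""
    med = median(p for _, p in frags)
    segments, current = [], []
    for bits, pause in frags:
        current.append((bits, pause))
        if pause > factor * med:
            segments.append(current)
            current = []
    if current:  # trailing fragments with no closing long pause
        segments.append(current)
    return segments


def suspicious(frags, tol=0.05):
    """Indices of fragments followed by a pause clearly shorter than the typical gap.

    In a noisy capture these usually mean one fragment was split in two by the
    demodulator, so the bits on both sides should not be trusted.
    """
    med = median(p for _, p in frags)
    return [i for i, (_, p) in enumerate(frags) if p < med * (1 - tol)]


def summarize(text):
    """Per-segment summary: fragment count, inter-fragment gaps and closing pause in ms."""
    report = []
    for seg in split_segments(parse(text)):
        pauses = [p for _, p in seg]
        report.append({
            "fragments": len(seg),
            "gap_ms": [round(to_ms(p), 4) for p in pauses[:-1]],
            "end_pause_ms": round(to_ms(pauses[-1]), 4),
        })
    return report


if __name__ == "__main__":
    for n, seg in enumerate(summarize(SAMPLE), 1):
        print(n, seg)
    print("suspicious fragment indices:", suspicious(parse(SAMPLE)))
```

Segments whose fragments are flagged as suspicious are the ones to re-capture or re-demodulate before comparing bits between runs.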

pascallanger commented 2 years ago

Sorry but I'm really busy lately with family issues and will come back to you I hope in not too long.

ergpopler commented 1 year ago

Hello, are there any new updates? I am looking to possibly use a Teensy 4.1 to amplify the signal and extend range and control from my Linux device.