Swann RC Helicopter tear-down & reverse engineering - Part 1

I picked up a 30$ Swann RC Helicopter from Fry's one day for hell of it and once I was done tormenting the cat with it, I decided to do what I do with all my electronics. Take it apart.

Pulling it apart we find nothing much out of the ordinary on the top side of our board except the mounted daughter board. Noting the markings SYMA-218-8900T V3 on the board.

An extremely simple design, MCU, some push buttons and joysticks. The push buttons are all handled by a single pin on the MCU by using a circuit that changes the resistance based on the button pushed and the joysticks are just read as analog inputs. Unfortunately it seems the markings on the MCU and RF chip are gone.

If we are going to reverse this it would be best to have a stable reusable setup, something I can plug/unplug a logic analyzer and MCU into quickly without worrying about probes falling off. The RF daughter board had 0.075" pitch pins, to make it easier to drop on a breadboard I attached it to a 0.1" header. On the reverse side of the RF board it's marked SYMA-8900T V2, at least we have something to go off of.

I didn't have any magnet wire handy so this will do for now.

Easy enough to connect an external MCU or logic analyzer now. We have 4 unknown bus pins and V+/GND. This is likely SPI given the pin count and device, possibly IC2.

Here is the board from the copter itself, it appears to be the exact same chips on a single compact board.

Some quick digging around on Octopart, DigiKey and Mouser didn't get me any closer to determining what MCU it was. I assumed it was some low power freescale MCU like a CY8 but the pins don't match up. There aren't a lot of 16 pin SOIC MCU chips out there so maybe it's just some chinese knock off? Not sure but it's not what I'm really interested in anyways, we just want to sniff the bus to the RF chip.

So I hooked up my Saleae Logic Pro 8 logic analyzer and took a look. A quick glimpse shows what appears to be the CS and CLK line so my assumption of SPI was probably right. Logging the data we have some obvious 'init' sequences that are broadcast at different states.

Let's first hook up to a TEENSY 3.1 and see if we can replay this data over SPI to the RF chip and get the copter to "sync" with our new MCU. When the copter detects this original broadcast signal the LED starts flashing at a different frequency. By pushing the throttle on the original controller to the max and back down causes it to pair with it. After programming the MCU to spam the init sequence and connecting it to the RF board, low and behold we have the copter synced.

It would seem the device uses 16bit SPI registers. With a little analyzing we can assume that 0x32 is the register that is used for writing data over the air prefixed with a 16bit length value, followed by the data. This is somewhat similar to how the NRF24l01 works. It seems just before this it always sets register 0x34 to 0x8080 first, possibly setting up the radio for write mode?

(0x34) (0x8080)
(0x32) (0x16) (D8 07 40 4C 4C AA AA AA D8 07 40 4C 4C AA AA AA)

When the change from the initial sync to pairing state occurs I notice that after setting  (0x34 0x8080) 2 registers are set before the write, they are (0x24 0xd807) and (0x27 0x404c). This looks like the same data being written to the 0x34 register earlier. This data never changes, this could be 2 syncwords for radio pairing. After this we have new OTA data...

(0x34) (0x8080)
(0x24) (0xD807)
(0x27) (0x404C)
(0x32) (0x16) (00 3F 3F 7F 40 00 00 00) (00 3F 3F 7F 40 00 00 00)

Moving the controls around we can see these values are clearly the throttle, yaw, roll and what appears to be the trim value, note that the data is repeated twice. The rest of the zeroed data appears to be unused, I assume they are probably used in their other products.

Adding what we learned from above and mimicking our log data on the TEENSY, adding a push button to add to the throttle value... reset wait for pairing and tap the button a few times and we have success! We have a wildly flying RC copter that crashed into the ceiling!

Alright, so we have some very basic functionality and not much understanding of the other registers being written and read. So I decided it would be a good idea to try to see if I could find a datasheet for this unlabeled RF chip again. A few hours and some vague Google searches of random variations of the markings found on the boards and I finally found the datasheet! And even more amazing it's in English. It turns out it is a NRF24l01 clone, called the LT8900. No manufacture is mentioned anywhere but we have timing specs, radio specs and nearly full info for registers and their values. Look's like it's time to write a library for this new little radio and the copter control protocol I'll blindly dub SYMA! Covered in Part 2, complete with links to source.

Great news! After a minor technical issue, Spoticast is now listed on the Google Cast Ready Apps page!

Sepakura

It was a cold, wet weekend and we found ourselves down the internet rabbit hole of paper-craft after looking for something completely irrelevant. Coming across a guy who cleaned up all the weapon / armor models from Skyrim, we found our choice, the Daedric dagger - complex enough to be challenging but finishing it casually over the weekend wouldn't be a problem.

One thing we learned relativity quickly was that scoring the folds for both directions on the same side of the cardstock made it difficult to fold together. Making reverse fold cuts on the opposite side of the cardstock the pieces just folded together without issue. This probably should have been obvious...

While we tried normal PVA glue what really seemed to work best in our collection was Gorilla - wood glue. It set quickly when spread thin and created an excellent bond.

Everything finally assembled, we used 67lb card-stock which once everything was all glued together was stronger than I had imagined it would be. Most people use fiberglass resin to harden their models but we didn't have any on and it isn't something I was about to do indoors without a garage. There are a couple of other solutions people use to harden them up, one being a 50/50 mix of PVA and water. I decided to do a sample on another piece to see the result. Applying it thin, applying it thick the results weren't too impressive really the strength added was minimal and water seeping into the card-stock caused warping.

I also tried a piece with just Gorilla wood glue, it added some strength but the finish was almost latex feeling and remained quite flexible, but always popped back in to place. Interesting result none-the-less but acrylic paints didn't stick to it very well so it would need primed for sure.
My girlfriend is an art geek at heart so she has supplies all over. She recommended just using some Gesso which she conveniently already had and I have to say it worked the best, it added some nice strength and left the perfect surface for painting. Looks like we have a winner.

So what do you do when you want to airbrush in a small apartment? Create a make-shift portable paint booth of course!

I decided to try out my hand painting skills for the detail work, I probably should of spent my time creating some stencils and just airbrushing it but it will do. The dagger was never completely finished but good enough for now.

I painted the blade with a light gray and let it dry, then painted over it with a darker gray and roughed over the edges with a wet paper towel to make it look aged.

Photo Gallery

• 
• 
• 
• 
• 
• 
• 
• 

Make-shift portable airbrush paint booth

A 18x18x16 cardboard packing box from Home Depot, salvaged 80mm Thermaltake case fan complete with rheostat, small push button, 12v AC/DC wall wart and a lot of duct/packing tape.

This is pretty straight-forward, I needed a place to airbrush indoors in a small apartment and avoid getting over-spray everywhere and so the portable cardboard airbrush paint booth was born.

A diagonal cardboard slip acts as the intake vent capturing most of the over-spray into the high tech air filter (single ply paper towels held from being sucked through with cheesecloth).

The cardboard sides have packing tape *wings* at the bottom to slip underneath of the bottom to avoid painting my dining room table.

It all folds up nicely into itself so it can be tossed in the closet, with enough room to hold the compressor, brush and paints / supplies.

Logitech K750 wireless solar keyboard mod

I've had a few Logitech K750s now and while they usually work great for about 2-3 months, they're notoriously bad for recharging and keeping a charge. Tired of dealing with this obvious flaw, I decided to "upgrade" mine to be a USB-charged battery-powered keyboard with a heftier battery.

Peeling off the glued front cover. (I salvaged my solar panels for another project since I wasn't going to need them)

Removing all the screws and popping the clips reveal the insides of the K750,
an Atmel ATXMEGA32D4-AU and a Nordic NRF24L01. 

On the reverse side of the PCB Logitech was nice enough to break out power & SPI to pads for us.

Without any disassembling, the original battery holder is removable with a little bit of prying and wiggling.

Taking some measurements with calipers and a little time in SketchUp, I recreated the battery insert with channels for some stripped solid core 22AWG wire to slide through. This provided a nice contact to the battery terminals inside without requiring any disassembly and a case for our new battery. Out with the old 65mAh coin-cell, in with the new 1000mAh LiPo (that should last a little longer and I had one laying around already...)

The 90 degree block was made as a separate piece due to too much friction while inserting the wire.

The first prototype, printed @ 230C/105C HBP. 0.2mm 50 travel/80 feed, 2 shells.

The original ML2032 is a 3v whereas our new LiPo is 3.7v. This shouldn't be a problem since the old solar cells output 4v to charge the coin-cell on the same circuit, so the regulator should be able to handle 4.2v. Testing a few points around the board, it appeared everything was powered by the regulated 2v "V_MAIN".

Plugged in and functional.

There's plenty of room for improvement but it serves it's purpose for now. It could use a bit of work in the aesthetics department and I originally planned on adding a LiPo charger with a microusb connector but it's been 3 months now and the battery voltage has only dropped ~0.05v, I'm probably not going to be needing it anytime soon... Maybe 1000mAh was a little overkill.


Like any wireless keyboard, "secure" or not, encryption on these devices are a joke. But I'm sure I'm not the only one who sits at their PC in a Faraday cage right?