
Saturday, February 28, 2015

Swann RC Helicopter tear-down & reverse engineering - Part 1

I picked up a $30 Swann RC Helicopter from Fry's one day for the hell of it, and once I was done tormenting the cat with it I decided to do what I do with all my electronics: take it apart.


Pulling it apart, we find nothing much out of the ordinary on the top side of the board except the mounted daughter board. Note the markings SYMA-218-8900T V3 on the board.


An extremely simple design: an MCU, some push buttons and two joysticks. The push buttons are all read through a single MCU pin via a resistor ladder, so the voltage on that pin tells the MCU which button is pressed, and the joysticks are simply read as analog inputs. Unfortunately the markings on the MCU and the RF chip have been scrubbed off.

If we are going to reverse this, it would be best to have a stable, reusable setup: something I can plug a logic analyzer or an MCU into quickly without worrying about probes falling off. The RF daughter board has 0.075" pitch pins; to make it easier to drop onto a breadboard I attached it to a 0.1" header. The reverse side of the RF board is marked SYMA-8900T V2, so at least we have something to go on.


I didn't have any magnet wire handy, so this will do for now.
It's easy enough to connect an external MCU or logic analyzer now. We have four unknown bus pins plus V+/GND. Given the pin count and the kind of device, this is most likely SPI (CS, CLK, MOSI, MISO); I2C needs only two bus lines, so it would only fit if the extra pins were something like an interrupt or enable line.


Here is the board from the copter itself; it appears to be the exact same chips on a single compact board.


Some quick digging around on Octopart, DigiKey and Mouser didn't get me any closer to identifying the MCU. I assumed it was some low-power part along the lines of a Cypress CY8 or a Freescale MCU, but the pinouts don't match. There aren't a lot of 16-pin SOIC MCUs out there, so maybe it's just some Chinese knock-off? Not sure, but it's not what I'm really interested in anyway; we just want to sniff the bus to the RF chip.

So I hooked up my Saleae Logic Pro 8 logic analyzer and took a look. A quick glance shows what appear to be the CS and CLK lines, so my assumption of SPI was probably right. Logging the data, we see some obvious 'init' sequences that are sent in the different states.

Let's first hook up a Teensy 3.1 and see if we can replay this data over SPI to the RF chip and get the copter to "sync" with our new MCU. When the copter detects the original broadcast signal, its LED starts flashing at a different rate. Pushing the throttle on the original controller to the max and back down then causes it to pair. After programming the Teensy to spam the init sequence and connecting it to the RF board, lo and behold, we have the copter synced.

It would seem the device uses 16-bit SPI registers. With a little analysis we can assume that 0x32 is the register used for writing data over the air, prefixed with a 16-bit length value and followed by the data. This is somewhat similar to how the nRF24L01 works. Just before this it always sets register 0x34 to 0x8080 first, possibly setting up the radio for write mode?
(0x34) (0x8080)
(0x32) (0x16) (D8 07 40 4C 4C AA AA AA D8 07 40 4C 4C AA AA AA)
When the change from the initial sync state to the pairing state occurs, I notice that after setting (0x34 0x8080) two more registers are set before the write: (0x24 0xD807) and (0x27 0x404C). These are the same bytes that led the 0x32 payload earlier (D8 07 40 4C). This data never changes, so these could be two sync words for radio pairing. After this we have new OTA data...
(0x34) (0x8080)
(0x24) (0xD807)
(0x27) (0x404C)
(0x32) (0x16) (00 3F 3F 7F 40 00 00 00) (00 3F 3F 7F 40 00 00 00)
Moving the controls around, we can see these values are clearly the throttle, yaw, roll and what appears to be the trim value; note that the 8-byte block is repeated twice. The rest of the zeroed data appears to be unused; I assume those fields are used in their other products.

Adding what we learned above and mimicking our logged data on the Teensy, with a push button wired in to bump the throttle value... reset, wait for pairing, tap the button a few times and we have success! We have a wildly flying RC copter that crashed into the ceiling!
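The capture analysis above (grouping the 0x34 / 0x24 / 0x27 / 0x32 register writes into frames and reading the channel bytes out of the 0x32 payload) and the Teensy replay are two sides of the same frame format, so here is one worked example covering both. This is added example code, not the post's Teensy sketch or any library code, written in Python so it runs offline against a constructed byte log. Its framing assumptions are its own: one SPI transaction per register access, byte 0 being the register number and the remaining bytes big-endian data, and a 0x32 write being a 16-bit length followed by that many bytes. The post prints the length as 0x16 while showing 16 data bytes, so the example carries the real byte count in the length field and rejects a frame where the two disagree. The throttle/yaw/roll byte positions are the post's mapping; bytes 3 and 4 are left as unknowns rather than guessed.

```python
"""Decode and re-encode the controller -> RF board SPI register sequences.

ASSUMPTIONS (the post only reports register numbers and values):
  * one SPI transaction per register access; byte 0 is the register number,
    the remaining bytes are data, big-endian;
  * a 0x32 (FIFO) write is a 16-bit length followed by that many bytes.
"""
from dataclasses import dataclass, field

REG_SYNC_LO = 0x24    # 0xD807 in the pairing sequence (post)
REG_SYNC_HI = 0x27    # 0x404C in the pairing sequence (post)
REG_FIFO = 0x32       # over-the-air payload (post)
REG_FIFO_CTRL = 0x34  # always written with 0x8080 right before 0x32 (post)

@dataclass
class Write:
    reg: int
    data: bytes            # bytes clocked out after the register byte

@dataclass
class Frame:
    kind: str              # "sync" (no syncword writes) or "pairing"
    syncwords: dict = field(default_factory=dict)
    payload: bytes = b""

def parse_log(raw):
    """Turn a list of per-transaction byte strings into Write records."""
    writes = []
    for txn in raw:
        if len(txn) < 3:
            raise ValueError(f"transaction too short: {txn.hex()}")
        writes.append(Write(txn[0], txn[1:]))
    return writes

def group_frames(writes):
    """A frame is 0x34<-0x8080, optional syncword writes, then the 0x32 write."""
    frames, cur = [], None
    for w in writes:
        if w.reg == REG_FIFO_CTRL:
            if w.data != b"\x80\x80":
                raise ValueError(f"unexpected 0x34 value {w.data.hex()}")
            cur = Frame("sync")
        elif cur is None:
            continue                       # writes outside a frame are ignored
        elif w.reg in (REG_SYNC_LO, REG_SYNC_HI):
            cur.syncwords[w.reg] = int.from_bytes(w.data, "big")
            cur.kind = "pairing"
        elif w.reg == REG_FIFO:
            length, body = int.from_bytes(w.data[:2], "big"), w.data[2:]
            if length != len(body):        # length field must match the bytes
                raise ValueError(f"FIFO length {length} != {len(body)} bytes")
            cur.payload = body
            frames.append(cur)
            cur = None
    return frames

def decode_controls(payload):
    """Post's mapping: byte0 throttle, byte1 yaw, byte2 roll. The 8-byte block
    is sent twice, so the halves must match; bytes 3 and 4 (0x7F, 0x40 at
    rest) are returned raw rather than guessed."""
    if len(payload) != 16 or payload[:8] != payload[8:]:
        raise ValueError("payload is not one 8-byte block repeated twice")
    b = payload[:8]
    return {"throttle": b[0], "yaw": b[1], "roll": b[2],
            "unknown3": b[3], "unknown4": b[4]}

def syncwords_seen_in_broadcast(sync_frame, pairing_frame):
    """The values programmed into 0x24/0x27 should be the bytes the sync
    frame was broadcasting in its payload (the post's observation)."""
    return all(v.to_bytes(2, "big") in sync_frame.payload
               for v in pairing_frame.syncwords.values())

def encode_frame(block8, syncwords=None):
    """Replay side (what an MCU would clock out): rebuild the same sequence."""
    txns = [bytes([REG_FIFO_CTRL, 0x80, 0x80])]
    for reg, val in (syncwords or {}).items():
        txns.append(bytes([reg]) + val.to_bytes(2, "big"))
    body = block8 * 2
    txns.append(bytes([REG_FIFO]) + len(body).to_bytes(2, "big") + body)
    return txns

def control_block(throttle, yaw, roll):
    """Fields we have not decoded keep the idle values seen in the post."""
    return bytes([throttle, yaw, roll, 0x7F, 0x40, 0x00, 0x00, 0x00])

# Constructed capture reproducing the two sequences printed in the post.
SYNCWORDS = {REG_SYNC_LO: 0xD807, REG_SYNC_HI: 0x404C}
CAPTURE = (encode_frame(bytes.fromhex("D807404C4CAAAAAA"))
           + encode_frame(control_block(0x00, 0x3F, 0x3F), SYNCWORDS))

def analyse(raw=CAPTURE):
    frames = group_frames(parse_log(raw))
    sync = next(f for f in frames if f.kind == "sync")
    pair = next(f for f in frames if f.kind == "pairing")
    return {"frames": [f.kind for f in frames],
            "syncwords": pair.syncwords,
            "syncwords_seen_in_broadcast": syncwords_seen_in_broadcast(sync, pair),
            "controls": decode_controls(pair.payload)}

if __name__ == "__main__":
    print(analyse())
```

Feeding a real Saleae export in means splitting it into one byte string per CS-low window and handing that list to `analyse()`; the repeated-block and length checks will then flag captures where the analyzer dropped or misaligned bytes, which is worth knowing before blaming the protocol.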

Alright, so we have some very basic functionality but not much understanding of the other registers being written and read. So I decided it would be a good idea to take another run at finding a datasheet for this unlabeled RF chip. A few hours and some vague Google searches of random variations of the markings found on the boards later, I finally found the datasheet! Even more amazingly, it's in English. It turns out to be an nRF24L01 clone of sorts, called the LT8900. No manufacturer is mentioned anywhere, but we have timing specs, radio specs and nearly full info on the registers and their values. Looks like it's time to write a library for this little radio and for the copter control protocol, which I'll blindly dub SYMA! Covered in Part 2, complete with links to source.