Wednesday, 18 February 2015

Ghetto controller idea

Just a short note today to show my new controller idea. It's a standard 6 channel remote but with integrated Bluetooth telemetry bridge similar to the Event38 telemetry bridge

I'm really pleased with it's simplicity and function and I've even started selling a system on ebay.co.uk

I'm also available now on LiveNinja for technical questions you have regarding Quadcopters, drones, Arduino, setup & programming and general help.

If you like it, I'm happy to make one for you and ship it. just get in touch. 

Update:
I have been using this tx for a few months now and it's great. Yesterday I opened up the transmitter and it looks interesting for programmer connections:




Perhaps it is possible to flash with custom opentx or er9x (er6x???) firmware? Or maybe using just usb cable?

I will look closer for usual VCC-GND-MOSI-MISO-SCK-RST connection points.

Then possibilities for APM Ardupilot telemetry direct from receiver like normal er9x but without frsky module costs :) :) :)



So then no need for 3dr telemetry units perhaps. Just thoughts & possibilities right now but potential super cost saving over 9x/frsky combo.

Hmmm maybe this controller has 6-pin programmer already, when using firmware usb cable? Also debug port?

Update:20 Feb 2015:
Board uses eeprom chip (for storing your programs/vehicle configurations) + 32bit ARM M0 processor @ 48mhz (Raspberrypi is also ARM 32)
Pictures:
eeprom datasheet



So er9x & open tx are currently compiled for the 9x 8-bit processor (Atmel AtMega64 8-bit MCU), so what to do?

My understandings at the moment are that the controller is connected to a PC using a USB UART/SPI/FTDI-programmer like this:
or making your own (which is what I did) like this:

then opening the firmware update file:


This connects to the remote server (there are some verisign handshaking & server commands in the code of the .exe), and replaces the existing controller firmware, so quite secure, making sure you can't easily get a copy of the firmware. Running this exe file with a network monitor program, there does not seem to be any network traffic that is specific to flysky, or at least I can't find any.

So it might seem that the exe contains the firmware.

Options are to get a copy of the firmware and then understand the type of embedded software being used and alter it, or create one from scratch by changing the bootloader, using the various embedded software available that are compatible with this arm 32-bit chip (like Eclipse IDE?? Anyone know of others?). 

The newer firmware 'v1.1 november 2014' allows ppm signal. Didn't see anything else changed. Download link here

Update:
Too difficult for me to try to decompile the firmware updater, or figure out how to flash the chip. Spent far too long thinking about it and almost fried my brain. The furthest I got was to observe the flashing process using a port monitor, and then looking at the HEX code - which makes very little sense but shows some interesting snippets:
That's as far as I am and can go, Maybe some of the guys who worked on the er9x or opentx projects can take over and do something.

Update:
Seems that the 9xrpro & Taranis all use ARM 32-bit chips so this looks good for the prospect of flashing opentx or er9x with this unit, hopefully making half the process of my goal (full telemetry data) possible. There is also a version for the very similar flysky t6 recently done, so I am excited more about this now.

I managed to hack the updater app, modify it so it looks like it a different hacker release, and also extract the firmware binary. I am able to modify text for the transmitter menus, but not to add a menu yet. 

Programmer app updated, small beginnings....

Now to modify the firmware dump I have, then replace the one in this app with my modified one (easily said, very hard to do)...Possibly this is out of my abilities, and might be better for someone who has more experience editing a firmware. 


Update:
Some people asking if possible to modify i6 with lipo/life battery. i6 Spec sheet says "Working Voltage: 1.5v x 4 AA" So this might have to be obeyed (anybody wish to test if it can take 3s lipo????? *be careful*). Safe solution to use lipo/life battery is to also use an adjustable step-down voltage regulator like this:
Then you can install any rechargeable battery you wish to. The Rhino 610mah 3s lipo seems to fit:

(You will also have to cut away the inside as it is designed to fit 4pcs AA-size batteries). Also, you will have to use 3s lipo alarm to protect your lipo from being killed.... Or just use 4x AA Nimh batteries and quit d**king about?????


13 comments:

Michael Roberts said...

As I'm thinking of purchasing one of these radios, good job and thanks for your brain frying. It's nice to see someone haxxing cheaper items to make them more useful. :D

DalyBulge said...

totally brain fried. Had to spend 48hrs in a darkened quiet room ;)

Anonymous said...

Amazing work keep it up would be great to read more about what might be possible with this radio

Kamil said...

Hey :) Nice work, have U find a solution to implement opentx into i6 ?

Anonymous said...

Thx for the hint with the FTDI cable, works just great. However, I had to start the transmitter once everything was already wired & plugged, else it wouldn't work. Why did you actually want to plug a 3s inside? I believe they have a voltage regulator inside for the 3,3V rail. Means, it probably does not matter if you use, let's say 2 LiFe cells. They make it in 14500 format, which just fits a regular AA. I'll have a look at the 6V-path and see what they have there.

DalyBulge said...

How high do you think this voltage regulator will go? Please let me know your research on this, thanks.

Unknown said...

hi
this radio is powerful
if you mount 3 leaf antennas it will go easy 1km ground level
if u press 6 buttons trim lever buttons, ok and up and then turn on the radio it will go in boot mode or something
ca u tell me about your research like flashing part !
my one is stuck at the first screen saying:
WARNING place all switches in their up position and lower the throttle !
i just want to edit or remove the warning screen if possibile by editing the firmware or eeprom.........

Anonymous said...

Can you give us some details about how you extracted the raw firmware?
I bricked my unit as I attempted to flash it with the official updater, hence I'm trying to somehow write the firmware directly onto the eeprom, hoping that the firmware sits there.
Maybe there's a simpler way to restore my radio?

Anonymous said...

Hi,
I did a lot of work on reverse engineering this radio, and I can tell you that the firmware is not in the eeprom.
It's located in the flash memory of the kinetis KL16 arm chip, starting at offset 0x1800. If you want to write directly to it, you need a SWD adapter (a kind of JTAG).
Check out my blog, or this thread: http://www.rcgroups.com/forums/showthread.php?t=2486545
I will soon release a custom firmware with 8 channels support, and the tool to install it with the updater cable.
Thom

DalyBulge said...

Hi, I have extracted the firmware binary from the updater.exe and I am able to change characters in the i6 menus, i'm also able to change the firmware updater.exe layout (logo, text, heading, version numbers etc..) but that is it. I had to take a break and move onto something else as it was too much to become obsessive over and I was really learning as I progressed.

I think it is possible to have full telemetry also, but I think a new menu system needs to be designed and I am no expert on logic analysis and RF analysis.

I am happy to help with what I know, but I think the path for this i6 TX is:
- clever hacking
or
- complete reprogramming of the ARM chip
or
- complete copy/redesign of internal pcb to include more powerful ARM chip (perhaps a Raspberry Pi shield?)

Unknown said...

Have a question about my bricked flysky i6

Unknown said...

Have you try with 1W LoRa radios? I try to connect by arduino Pro a SPI radio to connect the telemetry. I don't know if it is possible.

Maria Brill said...

Maybe you can try replacing the chip with lte iot chipset