Monday, July 11, 2016

Reverse engineering 2.4GHz RF chip XN297 using HackRF

In this post I describe the reverse engineering of Chinese RF chip, XN297 and emulation layer to communicate with RC models based on this chip with more standard nRF24L01+.


I participate in Deviation TX open source project. Deviation is an alternative firmware for Walkera's line of RC transmitters, Devention (or Devo). The firmware provide much wider capabilities than the original, in particular it supports many protocols for other companies' models.

It also supports several different RF chips used in 2.4GHz RC range. These chips mainly incompatible with each other, so you need to have them all in your Devo. There are 4 main chips used by majority of the models - Cypress CYRF6936, Amiccom A7105, Texas Instruments CC2500, and Nordic nRF24L01+.

The latter one is very popular for cloning by Chinese manufacturers, and as such is also popular in cheap Chinese models, mainly micro quadcopters.

There are several clones, which are radio-compatible (and mainly, register-compatible) with the original - Beken line - BK2421, BK2423, BK2425, and SI24R1.

Recently, new chip appeared in many models - XN297. Although this chip seems to be a clone of nRF24L01+ - it has the same pinout, uses the same 16MHz crystal, the datasheet, partially translated to Chinese, looks very similar to the original, the register set is the same - it is not compatible by radio format. My colleagues from Deviation forum collected SPI traces, analyzed them, and even built Deviation module for one of the models - Cheerson CX-10 - to no avail.

They discovered in the process that there are three extra registers in this chip, and setting them with some magic values is necessary for successful functioning of XN297.

Then closedsink on RCGroups forum made a PPM module out of original toy TX of CX-10, and it worked. The protocol is pretty simple and similar to protocols we've already seen in such cheap quadcopters.

Tools and Methods

I had several hypotheses why we can't control XN297 model with nRF24L01+, and to verify them decided to look at the actual radio signal. There is an excellent introduction to using SDR for such purposes at Cyber Explorer's blog post.

While you probably can use RTL-SDR with downconverter described in the mentioned post, I used an excellent HackRF by Michael Ossmann. My HackRF is a beta board, so called Jawbreaker, generously provided to me by Michael as part of his beta program.

I used GNU Radio to process the signal. It is non-trivial to build from source, so I used a pre-built binary, and as such there was no integrated HackRF driver. I used HackRF binaries from Michael Ossmann's site.

I also used GNU Radio Companion - graphical workflow tool which allows you to write complicated processing scripts without detailed knowledge of GNU Radio. An additional benefit of GNU Radio Companion is an ability to generate Python script which can be tuned and used in bulk processing.

To overview the radio signal I used SDR#, formerly open source, now closed but free SDR tool for Windows.

GNU Radio is a very powerful set of tools, but unfortunately it is very sparsely documented. While I had an overall idea of how signal is processed in SDR systems, I'm not an SDR expert, so I used all available material on the Web. Long and detailed introduction of using HackRF, SDR#, and GNU Radio on Windows is on Proxmark forum.


The detailed procedure is yet to be described, for a while you can browse Resources.


I assembled scripts, sources, and pictures illustrating this process at