Monday, July 11, 2016

Reverse engineering 2.4GHz RF chip XN297 using HackRF

In this post I describe the reverse engineering of the Chinese RF chip XN297 and an emulation layer that lets the more standard nRF24L01+ communicate with RC models based on this chip.

Introduction


I participate in the Deviation TX open source project. Deviation is an alternative firmware for Walkera's line of RC transmitters, Devention (or Devo). The firmware provides much wider capabilities than the original; in particular it supports many protocols for other companies' models.

It also supports several different RF chips used in the 2.4GHz RC range. These chips are mostly incompatible with each other, so you need to have them all in your Devo. There are 4 main chips used by the majority of the models - Cypress CYRF6936, Amiccom A7105, Texas Instruments CC2500, and Nordic nRF24L01+.

The last of these is widely cloned by Chinese manufacturers, and as such is also popular in cheap Chinese models, mainly micro quadcopters.

There are several clones which are radio-compatible (and mostly register-compatible) with the original - the Beken line - BK2421, BK2423, BK2425 - and SI24R1.

Recently a new chip appeared in many models - the XN297. Although this chip seems to be a clone of the nRF24L01+ - it has the same pinout, uses the same 16MHz crystal, the datasheet (partially translated to Chinese) looks very similar to the original, and the register set is the same - it is not compatible in radio format. My colleagues from the Deviation forum collected SPI traces, analyzed them, and even built a Deviation module for one of the models - the Cheerson CX-10 - to no avail.

They discovered in the process that there are three extra registers in this chip, and setting them to certain magic values is necessary for the XN297 to function.

Then closedsink on the RCGroups forum made a PPM module out of the original toy TX of the CX-10, and it worked. The protocol is pretty simple and similar to protocols we've already seen in such cheap quadcopters.

Tools and Methods


I had several hypotheses why an XN297 model cannot be controlled with an nRF24L01+, and to verify them I decided to look at the actual radio signal. There is an excellent introduction to using SDR for such purposes in Cyber Explorer's blog post.

While you probably can use an RTL-SDR with the downconverter described in the mentioned post, I used the excellent HackRF by Michael Ossmann. My HackRF is a beta board, the so-called Jawbreaker, generously provided to me by Michael as part of his beta program.

I used GNU Radio to process the signal. It is non-trivial to build from source, so I used a pre-built binary, and as such there was no integrated HackRF driver. I used the HackRF binaries from Michael Ossmann's site.

I also used GNU Radio Companion, a graphical workflow tool which allows you to write complicated processing scripts without detailed knowledge of GNU Radio. An additional benefit of GNU Radio Companion is the ability to generate a Python script which can be tuned and used for bulk processing.

To get an overview of the radio signal I used SDR#, a formerly open source, now closed-source but free SDR tool for Windows.

GNU Radio is a very powerful set of tools, but unfortunately it is very sparsely documented. While I had an overall idea of how a signal is processed in SDR systems, I'm not an SDR expert, so I used all available material on the Web. A long and detailed introduction to using HackRF, SDR#, and GNU Radio on Windows is on the Proxmark forum.

Procedure

The detailed procedure is yet to be described; in the meantime you can browse the Resources.

Resources

I assembled scripts, sources, and pictures illustrating this process at https://github.com/victzh/xn297_reveng
 

Tuesday, October 2, 2012

New life

After a (long) pause in this blog I decided to resume it. I took several online classes (mainly in AI and machine learning), and they take a sizable piece of your free time. Nevertheless I did some stuff which I'd like to share here.

I'm into model helicopters now. I'm still a beginner, but I bought several small helis, broke some and repaired some. I disassembled every heli I got, and their design was very interesting to me, so I plan to share my experience here. So far I have cheap Chinese small helis: the coaxial 3ch Syma S107g, the 4ch S800g, the WL Toys quadcopter V929, the fixed pitch single rotor V911, and the a bit larger single rotor Double Horse 9116. You are going to need a soldering iron to repair some of this stuff.

Another project is a modification of Ladyada's iNecklace - RGB LED, auto turn-off using photosensing. The design is so miniature that it is a big challenge from both the physical and the programmatic points of view. Still work in progress.

Unfortunately, my EKG efforts stalled. After I moved a promising design from a solderless breadboard to a normal one and then to a home-etched PCB, it stopped working. Apparently I need to learn more about instrumentation amplifier design. You could put a stock instrumentation op-amp there, but then there is no challenge ;-) I still plan to debug the cheapest design possible.

My radio efforts moved to 2.4GHz (it's popular for helicopter RC), so I have several small modules based on various chips: nRF24L01+, its full Chinese clone Beken BK2421 (the module company even refers you to nRF's site for the datasheet), Amiccom A7105 (popular in Chinese RC models), and CC2500. They are all pretty similar in abilities on paper but have very different settings, and their register sets are very large - 50 registers is not unusual. So, I am trying to make sense of this zoo.

Sunday, July 3, 2011

Summer clean up.

Good news: my first board ever, a Chipcon CC1111-based USB radio, works fine. I bought TI's official eZ430-Chronos with a 915MHz transmitter, loaded the transmitter firmware onto my board (it was designed to be as compatible as possible with TI's for this purpose), and bingo - it works.

It is not only the very first board I designed, it's also the most complex one. It has many 0402 components - radio reference designs frequently use this thoroughly hobbyist-unfriendly size. And with no network analyzer around, the only hope is to follow someone else's design as closely as possible.

But it works. I did not check the range compared to the official one, but I would not be surprised if it's not spectacular.

Check out my board compared to the official TI one. Mine is the larger, breadboard-friendly board.



Wednesday, May 4, 2011

Conway Life - redesign of Ladyada's board

I first described this project on the Dangerous Prototypes forum at http://dangerousprototypes.com/forum/viewtopic.php?f=56&t=2219 (the DP forum text follows with some edits):

I designed a small 2-layer PCB for a version of Ladyada's Game of Life. The board is two-sided: the front has 16 0603 LEDs on it, the back has an ATtiny861, 4 resistors, 4 FETs, 2 capacitors and one button.

The board was prototyped through Laen's PCB group order.

The side with the TQFP processor was soldered on a hot plate; the 16 LEDs on the other side were soldered manually.

The board's firmware is not ready yet - the processor is quite different from the original ATmega168 - fewer pins, less memory, fewer timers etc.

The LED activation is implemented as a 4 x 4 matrix, with the columns connected through FETs and the rows connected directly to ATtiny pins through limiting resistors. The idea is to activate one column at a time - hence the FETs - and light up to 4 rows for every column, so we can get away with connecting the rows directly to processor pins.

The board is alive - the first test lights the LEDs and senses the button.

The next step is a full port of the original firmware with its communication protocol - the boards can be connected to form a large Game of Life field.

I'd appreciate suggestions on a cheap 4-wire side connector.


--- end of quote ---
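The 4 x 4 matrix drive described in the quoted post, as an added C example that is not the board's firmware: the 16-cell field is packed into 16 bits, one Life generation is computed, and each column's row pattern is derived so that a single column FET is on at a time with at most four rows driven. The port-write hooks, the wrap-around edge rule and the packing order are assumptions for illustration.

```c
#include <stdint.h>
#include <stdbool.h>

/* 4x4 field packed in 16 bits: bit (row*4 + col) is the cell at (row, col). */
typedef uint16_t field_t;

static bool cell(field_t f, int row, int col) {
    return (f >> (row * 4 + col)) & 1u;
}

/* One Life generation. Edges wrap around (an assumption; the post does not
 * say how a single board treats its borders before boards are linked). */
field_t life_step(field_t f) {
    field_t next = 0;
    for (int r = 0; r < 4; r++)
        for (int c = 0; c < 4; c++) {
            int n = 0;
            for (int dr = -1; dr <= 1; dr++)
                for (int dc = -1; dc <= 1; dc++)
                    if (dr || dc)
                        n += cell(f, (r + dr + 4) % 4, (c + dc + 4) % 4);
            bool alive = cell(f, r, c);
            if (n == 3 || (alive && n == 2))   /* birth on 3, survival on 2 or 3 */
                next |= (field_t)1 << (r * 4 + c);
        }
    return next;
}

/* Row pattern for one column: bit i set means row i's pin drives its LED
 * while this column's FET is switched on. At most 4 LEDs are on at once. */
uint8_t column_rows(field_t f, int col) {
    uint8_t rows = 0;
    for (int r = 0; r < 4; r++)
        if (cell(f, r, col)) rows |= (uint8_t)1 << r;
    return rows;
}

/* One multiplex frame. set_col/set_rows are hypothetical stand-ins for the
 * ATtiny861 port writes; blanking the rows before switching avoids ghosting. */
void scan_frame(field_t f, void (*set_col)(int, bool), void (*set_rows)(uint8_t)) {
    for (int c = 0; c < 4; c++) {
        set_rows(0);
        set_col(c, true);
        set_rows(column_rows(f, c));
        /* hold for the column's dwell time, then move on */
        set_col(c, false);
    }
}
```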

Here are further details on the project that seem interesting to me. Recently I learned through Laen's tweet about a nice ISP connector for AVR boards: http://daniel-spilker.com/blog/2011/04/25/isptouch-for-avr-microcontrollers/ . I faced an analogous problem - the main curse of miniaturization is connectors. I have four communication connectors for a proprietary (if you can say so about an open one) protocol, and an ISP connector to program the beast. If you look at the photo,

you'll see that the left side looks more populated with these nice golden strips. The upper three of them are the upper part of the shortened board-side ISP connector I use on some of my boards. The layout is the standard AVR ISP 6-pin layout put on the board's edge. I use a small adapter board with a similar connector and solder bent pins to it, not unlike an SD card breakout with headers. This is the header:
This is how it is connected to the board:


The board is still to be programmed; I am porting Ladyada's software slowly.

Wednesday, April 20, 2011

First post

Hi, I am a professional programmer who recently became fascinated with electronics, especially microcontrollers. That's why the blog's name - I do not have a favorite, I try any chip I can get for a reasonable price.

So far I tried:

  1. TI MSP430 - Launchpad, moved to a breadboard, moved to a soldered breadboard. Controls a LED chain, emulates the Apple LED breathing effect. Done without tables, by calculating exponents without multiplication and division. I have soldered myself a GoodFET.
  2. Chipcon - a so far not very successful attempt to make a radio USB dongle (not unlike the IM-ME, but using a single chip - the cc1111 - instead of an unhealthy mix of Cypress USB and cc1110). Radio without a network analyzer is a hard problem.
  3. Atmel AVR - I have made many boards: a Teensy 1.0 semi-clone, vusbpico - a miniature clone of USBtinyISP, an SMT version of Lady Ada's (Conway's) Life, an attenuation controller for a pre-amp (inspired by http://www.vaneijndhoven.net/jos/switchr/design.html) etc. I do have an Arduino clone; that is how I bootstrapped the process. In the beginning you need a pre-programmed programmer to program your own programmer (vusbpico ;-). I bought an Anarduino and mainly use it as a programmer for other Atmels.
  4. ST32 - I have a Discovery board - it works, but I did not try to program it.
  5. UBW32 - a PIC32, nee MIPS-based, board - same thing.
  6. An SMT clone of an Altera CPLD board - Kemani from G. Eric Rogers (see the Amani64 site).
  7. Parallax Propeller - breadboarded simple blinking LEDs, was amazed by the ease and clarity of multicore code. Apparently, I still did not face my first race condition :-)

I use Laen's excellent PCB group order service - couldn't recommend it more. I encourage you to try it instead of making PCBs at home (unless you love it, definitely). I couldn't imagine myself making all this stuff without this service. The turnaround time - 2 weeks on average, starting the closest Monday - partially explains this multitude of semi-finished boards. I am trying to pipeline the process - while one board is coming, I program another and develop a third.

Given this affordable service, I prefer to design boards myself rather than order ready-made breakouts or soldered boards. Even if you only slightly modified someone else's design, you learned something new.

I plan to publish all my projects in different stages of completion here, and will be glad if you find it useful or entertaining.

I also want to share my experience as an (almost) total novice in this foreign and wonderful world. I still remember how obvious things (what 0603 means - is it imperial or metric?) can be puzzling and frustrating.

So, wish me good luck!