Tuesday, April 9, 2013

Spektrum DX3S Hack (update: 16 April 2013)

Not long ago, I bought my second RC model (HPI Trophy Truggy 4.6 was the first): a Team Associated RC18R. Smaller, electric, perfect for indoor use. The problem is I only have a receiver for my DX3S.
Looking on the web, the cheapest receiver is about 150 RON (40-50$), which is almost the amount of money I gave for the small RC car. Also, the cheapest receiver has only 2 channels and no telemetry (RPM and battery voltage would be useful).

I was thinking of removing all the electronics inside the DX3S and replacing them with my own. This way I could build my own receivers but have a good-looking radio system.
The big downside is that this involves a lot of work. Not only writing the RF protocol, but also coding all the functions (expo, limits, trimming, corrections), UI, telemetry, timers, etc.
I took apart the DX3S and I noticed a small module between the antenna and the main board. It was obvious this was the RF module. It also had its power written on it (@20 dBm).
After searching the internet for information about the module I decided to do a bit of reverse engineering. 
Armed with a multimeter and a logic analyzer, I determined the used pins (which were power and which were input/output data). There are 4 data pins (3 output and 1 input) and 2 power pins (3.3V and GND). The logic analyzer immediately revealed the used protocol: SPI (350 kHz clock, 8 byte packets sent at about 5.3 ms).

Here are some pics with the inside of the DX3S, the pinout and a captured sample of the protocol:


The main PCB with the RF module attached and my pinout

Each pin function. The rest are not connected.

A packet sample captured with Open Logic Sniffer

After analyzing the packets sent in different states (throttle at max/min/neutral, steering at max/min/neutral, CH3 on/off, RS port on/off, bind), here is the format of a packet:

byte   description
0      0x01 - normal packet
       0x41 - bind packet
1      model number (0 for model 1, 1 for model 2, etc.)
2      steering high byte
3      steering low byte
4      throttle high byte
5      throttle low byte
6      CH3 high byte
7      CH3 low byte (except bit 0)

Bit 0 of byte 7 is 1 when the RS button (next to the scroll wheel) is pressed, else 0.

When bind is pressed, steering and throttle values are not sent. Example of bind packet: 0x41 0x00 0x53 0x53 0x35 0x35 0x2D 0x94.

With this protocol determined, I made a quick SPI to USB bridge from a dev board and a small program and here are the results:

The next step is to determine the format of the telemetry data (what the RF module responds to these packets).

After this, the RX/TX modules will be built around RFM22B modules (I already have all the needed parts).

If you have any questions or comments, feel free to put them below.

Update (16 April 2013): 
I think the channel values are 12 bit wide and the first 4 bits sent for each channel contain a channel ID.
So throttle has the first 4 bits: 0000, steering has 0001 and AUX has 0010. 
This is why the steering has different limit values than the throttle but similar values with AUX channel (AUX channel has the LSB removed because I thought it's only for RS port).
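
An added example (not the author's code): a C decoder for the 8-byte frame in the table above, applying the 16 April hypothesis that each 16-bit channel word is a 4-bit channel ID followed by a 12-bit value. The names dx3s_frame and dx3s_parse and the normal packet are constructed for illustration; the bind packet is the one quoted in the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DX3S_FRAME_LEN 8
#define DX3S_NORMAL    0x01   /* byte 0 values from the packet table */
#define DX3S_BIND      0x41

typedef struct {
    uint8_t  type, model, rs_pressed;
    uint8_t  id[3];     /* upper 4 bits of each word (channel ID, per the update) */
    uint16_t value[3];  /* lower 12 bits; order: steering, throttle, CH3 */
} dx3s_frame;

/* Returns 0 on success, -1 on bad length or type, -2 when a normal frame's
 * IDs are not steering=1, throttle=0, AUX=2 (e.g. a misaligned SPI capture). */
int dx3s_parse(const uint8_t *buf, size_t len, dx3s_frame *out)
{
    static const uint8_t expected_id[3] = { 1, 0, 2 };
    if (buf == NULL || out == NULL || len != DX3S_FRAME_LEN) return -1;
    if (buf[0] != DX3S_NORMAL && buf[0] != DX3S_BIND) return -1;

    out->type = buf[0];
    out->model = buf[1];
    out->rs_pressed = buf[7] & 0x01;            /* bit 0 of byte 7 */
    for (int ch = 0; ch < 3; ch++) {
        uint16_t word = (uint16_t)((buf[2 + 2 * ch] << 8) | buf[3 + 2 * ch]);
        if (ch == 2) word &= 0xFFFE;            /* CH3 low byte excludes bit 0 */
        out->id[ch] = (uint8_t)(word >> 12);
        out->value[ch] = word & 0x0FFF;
    }
    if (out->type == DX3S_NORMAL)               /* bind frames carry no stick values */
        for (int ch = 0; ch < 3; ch++)
            if (out->id[ch] != expected_id[ch]) return -2;
    return 0;
}

/* Bind packet quoted in the post. */
static const uint8_t BIND_SAMPLE[8] = {0x41, 0x00, 0x53, 0x53, 0x35, 0x35, 0x2D, 0x94};
/* Constructed normal packet (not a capture): all channels at 0x800, RS pressed. */
static const uint8_t NORMAL_SAMPLE[8] = {0x01, 0x00, 0x18, 0x00, 0x08, 0x00, 0x28, 0x01};

int main(void)
{
    dx3s_frame f;
    int rc = dx3s_parse(BIND_SAMPLE, sizeof BIND_SAMPLE, &f);
    printf("bind: rc=%d ch3 id=%u value=0x%03X rs=%u\n", rc, f.id[2], f.value[2], f.rs_pressed);
    return rc;
}
```

In the quoted bind packet the last word, 0x2D94, splits into ID 2 and value 0xD94, which agrees with the AUX ID of 0010 given in the update.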

12 comments:

  1. Hello, I've been working on a kinda similar project to yours, however, I want to use the Spektrum module and swap out the microcontroller for an Arduino loaded with my own code. The radio I have is the DX3C but it has the same 2.4 GHz module in it as the DX3S, DX3E, and DX2S. I came to the same conclusion about the packet structure as you did (header, model, steering, throttle, aux) but there are a few differences. The header is always 0x02 even when in bind mode and breaking down the packet into 4-bit sections I didn't see the channel IDs you mentioned. Any ideas?

    Replies
    1. Maybe it has different firmware version. So there is no difference between a normal packet and a bind packet? This is kind of strange...

    2. This comment has been removed by the author.

    3. I don't think you can reprogram the controller by SD card. As far as I know it's there for loading/saving model settings. I'm not sure what you are trying to achieve. Are you trying to use the xbox remote to control your RC car? Or use the DX3C to control your xbox game?

    4. This comment has been removed by the author.

  2. Hello, may I ask?
    I would need to pull only ppm signal ..
    Can you please help me

    Replies
    1. I'm not sure it is available. But based on the information presented in this page, you could generate it using a microcontroller.

  4. Aha, so it does not help me ... I need to use two systems on a single radio :(

  5. Hello, may I know where the PPM pinout is? I have a DX3S with a poor signal problem, and I will try to use the PPM signal to change the module with Orange LRS. Thanks

    Replies
    1. There is no ppm output. You need a microcontroller to generate ppm from the data.
