Add support for GA-4H generic Ebay controller

[davidrattvik]

Hi and thank you for the work that you guys have done!

I have a bunch of common receivers that i believe would be nice to add to the protocol list. I have captured a data stream from each of the pins on the transmitter chip (XN297L) ( it is connected to the common nRF24L01. The controller does not seem to be smart in any way as you can connect multiple receivers to the same controller. you can also bind a receiver long after you started the controller. i tested this by running a couple receivers at the same time. during this time i connected another receiver and pressed the bind button on the reciever which connected directly and started to copy whart the other receivers where doing. therefore i don´t believe that there is any 2 way communication and that the controller sends its adress out at every data burst. the first adress that the reciever sees will be the one that it takes its commands from. also there is no bind button on the transmitter.

each stream was captured with the controller in a different position. Start no bind Start bind Full left Full right full throttle full break ch3 toggle ch4 toggle. I hope that i have collected enough data for you to be able to make a protocol from this.

captured with logic2

GA-4H.zip

[davidrattvik]

[davidrattvik]

attached below is a protocol dump made via visual studio code. it should simplify the process i hope. i also sniffed the receiver in an attempt to see if there was anything coming from it. nothing was detected from the receiver during its startup, search or pairing.

rf signal dump.txt

[pascallanger]

Thanks, I'll have a look soon and let you know

[pascallanger]

There are multiple issues:

• Your sampling rate is a bit too low so some clocks are not seen => Could you redo the dumps at a higher sampling rate?
• You do not let it run long enough on the files "start" and "start and bind" => Could you redo the start dump and let it run for a minute or so?
  • When you say "start and bind", I assume the difference is that you placed the RX in bind mode?
• For the XN297dump text file, you need to set the address to 4 bytes instead of 5 like you've done (RX number=4) => Could you redo the dump using the same TX as the one you are dumping from?
• Also the address on the SPI dump is different from over the air. Are you using 2 different TXs? => I assume yes, could you use the same for both?

Right now, I'm just unsure how it all works. I have the impression it is like the Turbo Racing with RF frequencies going all over the place without any specific pattern. But I can't see if the RF frequencies loop since the dumps are not long enough.

[pascallanger]

Also if you could use logic v1 instead since they've never fixed the export bug in the SPI analyzer of the V2 despite many requests...

[pascallanger]

More I look at it, more it looks like the Turbo racing protocol that I haven't been able to reverse on a different RF chip... I'm saying that from memory, I'll check my old dumps.

[pascallanger]

Chip: XN297L Bitrate: 250K Scramble: Yes

Address from dumps: 45 8B 5A 00 Address from over the air: 45 1A 5A 3D (the over the air dump as been done with a 5 bytes address instead of 4 on another TX)

The dumps look to have been done from 2 different TXs. I would need a good over the air dump from the 2 TXs over a long period of time using a bitrate of 250K using a 4 bytes TX address on channels 0x0F=15d, 0x23=35d, 0x4E=78d and any other channels with a good flow of packets starting by 0xF4. This might give some clues to figure out F3 and FC types.

Packets:

F4	96	96	64	C8	00
Type	P1	P2	P3	P4	P5
Type F4 = channels

P1=STR,P2=THR,P3=CH3,P4=CH4: 0x64..0x96..0xC8 100..150..200 ->small amplitude... P5 = 0x00

F3	01	83	0B	E4	00
Type	P1	P2	P3	P4	P5

Type F3 = ?? P1 = 0x01 P2,P3,P4 = ?? P5 = 0x00 or 0x14 at least in the small dumps

Address: 55 45 05 08

FC	4D	76	E0	8B	00
Type	P1	P2	P3	P4	P5

Type FC = bind P1,P2,P3 = ?? P4= 0x8B at least in the small dumps P5 = 0x00 at least in the small dumps

[pascallanger]

At this stage I need an extra long SPI dump from power on, over the air from the TXs you have like indicated previously and an extra dose of luck.

[davidrattvik]

Thanks for the feedback. Tonight i'll try and get all the information that you require. I thought that a couple of data bursts would be enough since we are talking about 2.4 ghz. So to sum it up, you need more data and a slight tuning of my measuring method. I am learning as I do this so I have a bit of homework cut out for me.

[davidrattvik]

Also yes. You are correct pascallanger. As I remember I used different transmitters.

[pascallanger]

So to sum it up, you need more data and a slight tuning of my measuring method.

Yes, faster sample time on your logic analyzer and let it run for a LONG time

As I remember I used different transmitters.

Please dump all the transmitters you have over the air as indicated previously

[davidrattvik]

i don´t know if i will find the time to do all that you asked of me this weekend but i managed to connect each of my 4 TX´s to the analyzer and make a start and bind. i captured 1 minute of data for each controller at 8 MS/s (whatever MS/s means) whitch for some reason was the highest speed at whitch my analyzer was able to work in logic1. i spent last evening trying to figure out what you meant with the 5 channel to 4 channel change in over the air read. I was not able to figure out exactly what you meant. i tried to change the settings during the debug session but could not see that the feed displaying 5 channels changed. I appreciate the time you take out of your day to support the community and i am sorry that i could not deliver all that you asked for.

i have attached the new dumps made with LOGIC 1 this time.

[davidrattvik]

logic1 analys start and bind.zip

[pascallanger]

I will check if 8 million samples per second are enough but the dumps look ok.

They give us some clues:

TX1 address: 45 45 5A 18 TX2 address: 45 8B 5A 00 TX3 address: 45 1A 5A 3D TX4 address: 45 9F 5A 03

Packets FC = bind sent on the bind address 55 45 05 08 :

FC	4D	76	E0	8B	00
Type	P1	P2	P3	P4	P5

Type FC = bind P1,P2,P3 = values change every packets but they are the same on the 4 TXs: same bytes sequence and no loop over 120 packets. P4= TX_ADDR[1] P5 = TX_ADDR[3]

Packets F3 ?sync?

F3	01	83	0B	E4	00
Type	P1	P2	P3	P4	P5

Type F3 = ?sync RF frequency? P1 = 0x01 P2,P3,P4 = values change every packets but they are the same on the 4 TXs: same bytes sequence and no loop over 120 P5 = flip between 0x00 and 0x14 every other packet

Packets F4 are common to all 4 TXs:

F4	96	96	64	C8	00
Type	P1	P2	P3	P4	P5

Type F4 = channels

P1=STR,P2=THR,P3=CH3,P4=CH4: 0x64..0x96..0xC8 100..150..200 ->small amplitude... P5 = 0x00

======================== F4 are sent on the same RF channels with no loop on the 4 TXs F3 are sent on two RF channels which are different on the 4 TXs. The 2 RF channels alternate every packet. FC are sent on one RF channel 0x4E=78 on the bind address 55 45 05 08

[davidrattvik]

Great! Do you still want me to perform the airdumps as well? If you could guide me towards a site where i can learn to change the 5byte to 4 byte. The problem i am refering to:

"The dumps look to have been done from 2 different TXs. I would need a good over the air dump from the 2 TXs over a long period of time using a bitrate of 250K using a 4 bytes TX address on channels 0x0F=15d, 0x23=35d, 0x4E=78d and any other channels with a good flow of packets starting by 0xF4. This might give some clues to figure out F3 and FC types."

Or did i just circumvent that with the logic analyzer?

[pascallanger]

I think I have enough with the logic analyzer dumps you provided. If you could do one extra on any of the 4 TXs but really long, the longest the software allows you to do from startup.

[davidrattvik]

Ok. I'll give it a go later tonight. I assume that it just needs to stand idle during the sampling. Also something that might be interresting is that button 3 is toggle and Button 4 returns automatically. I assume though that the receivers channels 3 and 4 dont care about that and will modulate a ppm signal either way.

[pascallanger]

Yes just let it still during the capture. Ch3 and ch4 are normal channels from a protocol perspective. You have to understand that there is a chance that we won't be able to reverse this protocol...

[davidrattvik]

logic analys 100s to 500s.zip

the program limits me to a maximum of approximately 500 seconds. The analyzer is limited to this at 2MS/s. The program also limits me from lowering the sampling rate lower than 2MS/s. so the largest capture will be 500 seconds at 2MS/s. Yes i understand that it might not be possible to create a protocol from this. At least we, the community might learn something from this.

if i manage to increase the sample time i will post another zip-file.

[davidrattvik]

i managed to sample 1800 seconds. the file is too large to upload to this chat.

[pascallanger]

RF covers all the frequencies from 0x05 to 0x4E at the exception of 0x10, 0x20, 0x30, 0x40, 0x4D 0x4E is only used for FC, so we could assume that all other RFs are between 0x05 to 0x4C at the exception of 0x10, 0x20, 0x30, 0x40. It could be a final calculation like RF=(value % 0x48) + 5 . Types F3 and F4 can use the same RF channels. F4 are being replaced by F3 and FC. By this I mean that the system switch to the next F4 frequency even if it has not been sent since a F3 or FC has been sent instead.

[pascallanger]

F4 frequencies follows a pattern ABCD EFGH ABCD EFGH ABC ???? IJKL MNOP IJKL MNOP IJK ???? ...

[pascallanger]

I confirm that this is nearly the same as the Turbo racing protocol (types F3,F4,FC) which is using a different RF chip but the payload looks the same. For sure the same manufacturer.

[pascallanger]

F3 RF frequencies are calculated based on TX_ADDR[1] TX_ADDR[3]: RF0=( ( ( TX_ADDR[1] + TX_ADDR[3] ) & 7F ) % 48 ) + 5 RF1=RF0 + 13 if RF0==10 or 20 or 30 or 40 then RF0-- if RF1==10 or 20 or 30 or 40 then RF1-- //guess

The calculation of RF0 can't be 100% sure with the data we have, it could be one of these 3 solutions:

1. RF0=( ( ( TX_ADDR[1] + TX_ADDR[3] ) & 7F ) % 48 ) + 5
2. RF0=( ( ( TX_ADDR[1] & 7F ) + ( TX_ADDR[3] ) & 7F ) % 48 ) + 5
3. RF0=( ( ( TX_ADDR[1] & 7F ) + TX_ADDR[3] ) % 48 ) + 5

I'm not sure if 1 and 2 are equivalent or not...

TX1: 45 45 5A 18 , F3:1A,2D -> RF0=1A , RF1=RF0+13=2D TX2: 45 8B 5A 00 , F3:0F,23 -> RF0=10 , RF1=RF0+13=23 => RF0=10 is not allowed RF0=RF0-1=0F TX3: 45 1A 5A 3D , F3:14,27 -> RF0=14 , RF1=RF0+13=27 TX4: 45 9F 5A 03, F3:27,3A -> RF0=27 , RF1=RF0+13=3A

[pascallanger]

At this stage:

• F3 frequencies are known, the 3 unknown bytes could be a sync on how to calculate the next F4 RF frequencies
• FC frequency is known, the 3 unknown bytes could be a sync on how to calculate the next F4 RF frequencies
• F4 frequencies are unknown but follow a "pattern", all bytes are fully known

That's still a lot of unknowns...

[pascallanger]

@davidrattvik Can you see if you can connect your logic analyzer on the RX? If you can that would allow us to send stuff to it and see how it will react.

[davidrattvik]

Absolutely! I will give it a try after work. I guess that we will send known data via the multi protocol module and analyse what the receiver spits out.

[pascallanger]

Yep 👍

[davidrattvik]

Done. i will await further instructions.

[pascallanger]

@davidrattvik Can you launch a dump of this receiver from power on, bind with an "unknown" TX (not the one it was bound to), let it run for a couple of seconds and finally turn off the TX?