Monday, 5 September 2016

Taranis Allmode considerations

A friend of mine pointed me to a totally different topic a couple of days ago. He said he had heard about a firmware for the popular FrSky Taranis, which I own too by the way, that lets you use Futaba and some other protocol receivers in addition to the standard FrSky ones.
Because this sounds really interesting and also really plausible, I did a quick Google search on the topic. Unfortunately I found nothing but a YouTube video which is clearly a fake. The person in the video made just a small change to the OpenTX firmware and ran it on the simulator. So nothing special there, just a different GUI. I also found some plug-in modules which contain multiple RF modules to be able to talk to other protocol receivers. But this was not what I was aiming for.
I want to be able to use the stock hardware and a modded firmware to talk to other protocol receivers.
After that I took apart my own transmitter in order to see whether that's a plausible thing to do or not. In fact FrSky is using just a plug-in module (the well-known XJT module) as their main transmitter unit. But that's nothing special; they're clearly cutting costs by doing so. All the approvals and the design effort cost an awful amount of money, and this way they can make changes or even build a whole new transmitter without getting everything done again. As expected, they used a small STM32 controller on the XJT module just to deal with all the protocol and telemetry stuff.
In addition, this way they keep their protocol secret and untouched by the OpenTX firmware. This last point is unfortunately the end of any further thoughts about just changing the main processor firmware to be able to use other protocols, because you'll need direct access to the RF IC. (This clearly proves my opinion about the video that I mentioned earlier.)

But as always I just can't stop thinking about possible ways to hack something! So I took a closer look at the board and investigated some parts of it. And yes, there are at least two ways to maybe get it done. Because the built-in XJT module uses just a standard CC2500 (like my MC3D as well) and a power amp to boost it up, all protocols that are transmittable with that hardware are theoretically possible to use. So the first option that came to my mind is to cut the connection between the existing CC2500 and the coprocessor, either in software or in hardware. This way I could inject my own protocol and transmit it via the existing hardware. The other idea I had was to replace the existing XJT with a self-made one. That way I could flash protocols to the module until the flash of the processor is full. Of course, reverse engineering the entire XJT module would also be a possible option to go for, but as far as I can see they have used a 4-layer PCB, which makes reverse engineering a lot less comfortable. As you may have seen in an earlier blog post, I own a CC2500 module with an onboard LNA and PA, so in fact just the same hardware as used in the transmitter.
I thought to myself that if I'm able to talk via that module to at least Futaba and FrSky receivers, I'll go for one of the above-mentioned options and hack the transmitter.

On the same day I started to build up a prototype board with just a small Cortex-M3 and the transceiver module. So all the messy software stuff can now be done without taking my "daily" transmitter out of service. I hope you liked this article, which was really theoretical this time, and stay tuned for more!

