The last couple of days I have done some more work on the small toy quadcopters (now dubbed HCD for Hamster Cage Drone). The goal was to hack the communication so that they could be controlled using computer vision software. Basically the poor mans version of this (don’t bother you have already seen it).
UPDATE: Use this modified code to be compatoble with SparkFuns NRF24L01 radio.
UPDATE: I have made a Arduino library for controlling this particular Quadrotor (may work with similar products). You will need to build this simple hardware (discribed on this page) to use the library. All parts (apart from Arduino) may be found inside the remote controller that comes with the quadcopter.
The first thing I did was to take the remote control handset apart to see what kind of radio system was used.
Inside was pretty much what you’d expect. A couple of cheap paper PCB’s with not a lot on them.
The radio communication is handled by a small discrete radio module. After a lot of internet digging it turned out that the module was based on the BK2421 2.4GHz tranceiver IC. This also seem to be the choice for a lot of cheap RC toys coming out now.
With a datasheet for this chip and an oscilloscope it was simple enough to figure out the pin configuration for the SPI communication between the radio module and the handset.
Using an ArduinoUNO to eavesdrop on this comunication I was able to figure out the initialization and thereby the mode of communication. Here is a annotated list of the initialization sequence.
Without going into detail about the low level communication the following happen when the handset and
Quadcopter are turned on:
1) Handset broadcast it’s unique network address or ID.
2) Quadcopter receives the broadcast it acknowledges this and start listening to data from that ID.
3) Upon acknowledge the handset then start transmitting flying data packet every 20 mS.
Multible Quadcopters can be controlled simultaneously by assigning them different addresses.
The passing of ID is done on one fixed radio channel and flying data is sent on one of about 12 random radio channels. The quadrotors seem to auto scan the radio channels until they find data.
Flying data is transmitted as 8 byte packets in following format:
Byte 0 = throttle 0-255
Byte 1 =Yaw 0-255
Byte 2 =Yaw_trim 0-128
Byte 3 = Pitch 0-255
Byte 4 = Roll 0-255
Byte 5 = Pitch_trim 0-128
Byte 6 = Roll_trim 0-128
Byte 7 = Fly/run 0=fly, 16=run (toggle button on handset)
Next I created a base station that would connect to the quadrotors. I happened to have some RFM-70 modules that contain the same BK2421 chip. Not reading the datasheet properly I initially thought that this module required 3.3V logic and hence all the resistors. They are not needed since the BK2421 has 5V tolerant data pins.
NOTE: CE goes to pin 8 (missing on drawing)
I eventually ended up with a much simpler set-up using just the module salvaged from the handset and an Arduino.
To enable future experimentation I have written a Arduino library for connecting to one or more of these quadcopters.
The library should work on any ATMEGA88 to ATMEGA328P based Arduino boards.
If you want to have a go yourself you may get the HCD’s here or here among other places. These are just random hits on google, you may get them elsewhere.
Less crappy video here.
Please share if you find other toys that may be hacked using similar methods.
Happy hacking.
THANKS A TON! What a usefull INSTRUCTABLE! Man you have to post it there for votes & Rewards! THANKS A LOT!
Always wanted to try something like this :D.. In another note.. What laptop is that?
Such a cool project. Nice work on keeping it incredibly budget-friendly too! I would be curious to hear more about the results! What are the benefits of adding the Arduino? Is this enough to program the quadcopter for an autonomous flight? (These may be silly questions… I'm new to this.)
The arduino lets you fly the Quadcopter from a computer. I am currently using a kinect to make the Quads hover at a fixed point in space. I plan to release the code to do this later.
Hi, I've just attempted this hack and while trying to remove the module from the remote ive taken the tips off the end and cannot seem to get the solder to stick to the pins. Do you know what i need as a replacement as i don't want to have to buy another drone just for the transmitter. Any help would be much appreciated. Regards Richard
You can use any board with the BK2421 chip on it. I have used the RFM-70 breakout board available from e.g. farnell.
Here is a couple of links:
http://www.ebay.com/itm/2-4G-2400-2483-5MHz-RF-transceiver-Modulation-FSK-FM-GFSK-RFM70-83-Chanels-/280931874509?pt=LH_DefaultDomain_0&hash=item4168d836cd
http://www.hoperf.com/rf_fsk/24g/rfm70.htm
http://www.futurlec.com/RFM70.shtml
http://dk.farnell.com/jsp/search/browse.jsp;jsessionid=E15AYZJMJBRISCQLCIPJKBQ?N=0&Ntk=gensearch&Ntt=RFM70&Ntx=mode+matchallpartial&exposeLevel2Refinement=true&suggestions=false&ref=globalsearch&_requestid=1924
Thanks.
Im in the UK and for some reason i cant seem to find an RFM-70. At farnell it says discontinued.
Will this component work the same?
http://www.ebay.co.uk/itm/nRF24L01-2-4GHz-Wireless-Radio-Transceiver-Module-/131033562912?pt=UK_BOI_Electrical_Components_Supplies_ET&hash=item1e82357f20
It looks like it would be compatible. Nordic does not say which chip it is based on but registers and functionality seems to be the same.
I may order a couple of these to see if they work.
Actually the datasheet for this module is way better than the one I use and has much better discription of how to program it…
If this module is compatible with my library then these will be too:
https://www.sparkfun.com/search/results?term=nRF24L01&what=products
And that would be really interesting…
I've ordered some too, so if you could keep me posted on your progress that would be great.
I'm very new to electronics and programming, I'm actually an Architecture student and my aim is to try and control the drone through a program called Rhino using firefly for grasshopper (http://fireflyexperiments.com/).
From what i've read to control the drone I think i'm going to have to write to the arduino using a serial write command in firefly does that sound right?
I want to do something similar to this http://www.youtube.com/watch?v=vaO3LBTyoAs
That vision control software looks pretty awesome. You will propably need to write a little Arduino code that connects the serial comands from Firefly to pitch,roll,yaw and throttle on the Quadcopter. I suggest modifying the "flying" example from the HCD library.
If you are completely new to this I suggest you team up with someone with a little Arduino experience.
Happy hacking.
Hi, the above components came and ive connected them up but it doesnt seem to be binding with the drone. Have you had any luck yourself?
Any help would be great.
Have you send a "0" (zero) followed by a return to the Arduino? It need this before it attempts to bind.
The drone needs to be powered for some seconds while sitting completely still before it will bind. You may remove the black cap to reveal the drone circuit board. On the board there is a red and green LED. When un-bound these LED's flicker forth and back with about 5Hz when the binding starts the LED's flicker much faster around 25Hz. When binding is complete the green LED goes solid.
Can you send me a schematic/picture of your set-up?
I have not yet received my radios. Things are much slower here 🙂
I have got HCD to bind but I can't seem to get the controllers to work… I took them out of the controller, and I believe hooked them up to the correct ports. They just don't respond to anything. Thanks for the help
Check the analog inputs. Make sure the quad is not moving while binding.
You did a great job in this post. it ia really helpful information to build a toy copter. I know one of the best copter that is flash copter. visit to be a vandor of flashcopter at http://www.flashcopter.com
hi there i wanna to ask if there any possible to get a code for the quadcopter
i am fresh in this field thanks 🙂
I already posted the code here on this blog.
Enjoy 🙂
Hi
I was wondering if you know if this will work on a http://www.banggood.com/Wholesale-WLtoys-V959-V949-V929-RC-Quadcopter-Spare-Parts-Receiver-Board-V959-06-p-61089.html
And controlled in the same manner as you did with an arduino?
Sorry i don't think so. The radio may be the same but the protocol is propably different.
Is there a way for me to read the protocol frome the drone? How did you do it?
Could you go into more detail about how you got the unique identifier of the handset (RX Address and TX address)? We're Comp sci students and this is an Electrical Engineering problem. ANY assistance would be GREATLY appreciated.
I wrote a piece of Arduino code that eavesdtopped the SPI communication between the radio module and handset processor. I used the radio datasheet to decode the data It is here as-is, you may find it useful:
#define SET(x,y) (x |=(1<<y)) //-Bit set/clear macros
#define CLR(x,y) (x &= (~(1<<y))) // |
#define CHK(x,y) (x & (1<<y)) // |
#define TOG(x,y) (x^=(1<<y)) //-+
volatile unsigned char inptr=0;
volatile unsigned char ipr=0;
volatile unsigned char outptr=0;
volatile unsigned char data[256];
volatile unsigned char line[256];
volatile unsigned char frame[256];
volatile unsigned char buffer[256];
volatile unsigned char linebuf[256];
SIGNAL(INT0_vect)
{
TOG(PORTD,7);
inptr=ipr;
frame[(ipr-1)]=1;
}
SIGNAL(SPI_STC_vect)
{
TOG(PORTD,7);
data[ipr]=SPDR;
line[ipr]=PIND;
frame[ipr]=0;
ipr++;
// inptr=ipr;
}
void setup()
{
Serial.begin(115200);
SPCR= 0b11000000;
EICRA=0b00000011;
SET(EIMSK,INT0);
SET(DDRD,7);
TIMSK1=0;
TIMSK0=0;
TIMSK2=0;
sei();
Serial.println("Log:");
Serial.println("'.'=read status");
Serial.println("'N'=NOP");
Serial.println("'Z'=Clear flags ");
}
unsigned char ls=0;
unsigned char dptr=0;
void loop()
{
while(inptr!=outptr)
{
outptr++;
buffer[dptr]=data[outptr];
linebuf[dptr++]=line[outptr];
if(frame[outptr]==1) //-Frame
{
//***************************************************
// Handle frame
//***************************************************
/* for(unsigned char i=0;i<dptr;i++)
{
Serial.print("0X");
if(buffer[i]<0x10)
Serial.print("0");
Serial.print(buffer[i],HEX);
Serial.print(",");
}
Serial.println();
*/
switch(buffer[0])
{
// case 0x20:
// case 0x61:
case 0xa0:
// case 0x2A:
// case 0x30:
Serial.print(" ");
case 0x25:
// case 0xA0:
for(unsigned char i=0;i<dptr;i++)
{
Serial.print("0X");
if(buffer[i]<0x10)
Serial.print("0");
Serial.print(buffer[i],HEX);
Serial.print(",");
}
Serial.println();
break;
/*
case 0x20:
if(buffer[1]&&0x01)
Serial.println("TX");
else
Serial.println("RX");
break;
*/
default:
break;
}
for(unsigned int i=0;i<300;i++)
asm("nop");
//***************************************************
dptr=0;
}
}
}
what exactly are the connection from the controller to the arduino to eavesdrop on the communication
Please Guide me I want to do the same thing using STM32F407 Discovery. This is the best solution I had ever got. Please provide me C Code of HCD Library (if available). Is there any example if STM32F4 which i can use. Please help me.
I suggest modifying this file for use with STM32:
https://github.com/dzlonline/easycom/blob/master/easycom/easycom.h
It contains all needed to communicate with the Quad and other radios. You only need to modify the actual SPI communication code, the rest is plain C++.
I have a Xinxun UFO quadcopter that makes 360 degrees flip. I used HCD library to connect with the transmitter sing STM32F407 Discovery it did not connected with the receiver board then I configured my STM32F407 as a slave and I observed the SPI commands sent by the Master controller on handset to transceiver ship are totally different from those provided in HCD Library. I took those sequences and tried to send to the chip but still ship did not connected to the receiver. I am working on this project from 4 weeks but I am not being able to connect. I have observed the communication of handset with chip by configuring two slaves and I have observed the pay load that master sends to the ship is sensible e.g. 0-255 for throttle. But other commands are totally different. I might be using some other 2.4 GHz transceiver chip. Please help me in hacking this communication. I have to use this setup in my Final Year Project.
I have the same problem here please help us
Hi
I was wondering if you know if this will work on a
http://www.helicoptere-telecommande.com/platine-electronique-recepteur-rouge-bleue-x30v-ky-x30r-c2x13705027
Can you give me an example of what the modified sketch for the nRF24L01 should spit out when hooked up to the controller? Also, should I have the controller attached to its chip while monitoring what it is trying to say to it?
could you please give me a little guidance with this project i broke down your whole project just need a little further understanding when trying to implement with another quad
I have tried on nrf24l01+ with your library, but it output nothing on the Serial monitor. Can you show the step to get the id from handset, or the drone? Thanks!
P.S. our drones should be same model
Hi! Which drone is used in this experiment? I searched for Hamster Cage Drone but I didn't get any result :S
Thanks!
Hi,
I'm just starting to learn about electronics. I was wondering if a logic analyzer (like this kind here: https://www.adafruit.com/products/2312 ) could be used instead of the oscilloscope to determine the signalling that happens between the controller and the drone. The reason I ask is that oscilloscopes seem to be really expensive.
Second attempt at replying. I have had some success with the http://dangerousprototypes.com/docs/Bus_Pirate which can sniff SPI up to 10MHz. I bought a SparkFun clone from an Australian agent and hopefully SparkFun support the developers as their web site suggest. I have collected the init sequence between the micro and transceiver on an MJX helicopter and have already found that the BK2421 data sheet seems to be wrong about not needing a data byte for some commands such as the FLUSH_RX. This matches with the sample code I found at http://www.hoperf.com/search.asp?sid=4&keyword=RFM70&x=0&y=0. My code for parsing the raw data can be found at https://github.com/pyblendnet-js/parseSPI if this helps anyone.
Hi, thanks for your reply.
Correct me if I’m wrong but I think you’re saying that the Bus Pirate can sniff the user input pulses (steering to the left for example or increasing the throttle) before the transmitter modulates those pulses onto the 2.4 Ghz radio carrier frequency?
In other words, before they are modulated, those input pulses are square wave pulses that move at a much slower frequency (in the MHz range) which the Bus Pirate can detect – is that right?
Dear GeekPhysical,
Can't get it to work with nrf24l01, no response on serial monitor or binding, can you help us out here? Thanks
Here is another deal with all your needs. You should visit the link where you will get special discount.
Quadcopter with HD Camera
Hi,firstly i want to thank you for this post.I have a question.
I am thinking to buy this quadcopter for this project.
http://www.amazon.com/Lian-Sheng-4-Channel-Quadcopter-Aircraft/dp/B00M0E1W38
can i send command to ls 124 quadcopter from arduino by this method.
so i think ls124's remote is similar UDI U816' remote.is this true? do you have an idea?
Thank you for your interest. 🙂
Great article, It's one of the best content in your site. I really impressed the post. Good work keep it up. Thanks for sharing the wonderful post.
Quadcopter in India
Thanks for sharing this nice information here. it's really informative for me.
Aeromodelling