Over the last couple of days I have done some more work on the small toy quadcopters (now dubbed HCD for Hamster Cage Drone). The goal was to hack the communication so that they could be controlled using computer vision software. Basically the poor man's version of this (don't bother, you have already seen it).
UPDATE: Use this modified code to be compatible with SparkFun's NRF24L01 radio.
UPDATE: I have made an Arduino library for controlling this particular quadrotor (it may work with similar products). You will need to build this simple hardware (described on this page) to use the library. All parts (apart from the Arduino) may be found inside the remote controller that comes with the quadcopter.
The first thing I did was to take the remote control handset apart to see what kind of radio system was used.
Inside was pretty much what you'd expect: a couple of cheap paper PCBs with not a lot on them.
The radio communication is handled by a small discrete radio module. After a lot of internet digging it turned out that the module was based on the BK2421 2.4GHz transceiver IC. This also seems to be the choice for a lot of cheap RC toys coming out now.
With a datasheet for this chip and an oscilloscope it was simple enough to figure out the pin configuration for the SPI communication between the radio module and the handset.
Using an Arduino UNO to eavesdrop on this communication I was able to figure out the initialization and thereby the mode of communication. Here is an annotated list of the initialization sequence.
Without going into detail about the low-level communication, the following happens when the handset and quadcopter are turned on:
1) The handset broadcasts its unique network address or ID.
2) The quadcopter receives the broadcast, acknowledges it, and starts listening for data from that ID.
3) Upon acknowledgement, the handset starts transmitting a flying data packet every 20 ms.
Multiple quadcopters can be controlled simultaneously by assigning them different addresses.
The passing of the ID is done on one fixed radio channel, and flying data is sent on one of about 12 random radio channels. The quadrotors seem to auto scan the radio channels until they find data.
Flying data is transmitted as 8 byte packets in the following format:
Byte 0 = Throttle 0-255
Byte 1 = Yaw 0-255
Byte 2 = Yaw_trim 0-128
Byte 3 = Pitch 0-255
Byte 4 = Roll 0-255
Byte 5 = Pitch_trim 0-128
Byte 6 = Roll_trim 0-128
Byte 7 = Fly/run 0=fly, 16=run (toggle button on handset)
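A decoder and encoder for the 8-byte flying data packet listed above, added here as an illustration and not taken from the Arduino library mentioned on this page. The struct, function names and return codes are this example's own, and treating the listed ranges as hard limits is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HCD_PACKET_LEN 8
#define HCD_TRIM_MAX   128   /* trims are listed as 0-128 */
enum { HCD_MODE_FLY = 0, HCD_MODE_RUN = 16 };   /* byte 7 values */

/* Field order mirrors bytes 0..7 of the table; the names are this example's. */
typedef struct {
    uint8_t throttle, yaw, yaw_trim, pitch, roll, pitch_trim, roll_trim, mode;
} hcd_packet;
_Static_assert(sizeof(hcd_packet) == HCD_PACKET_LEN, "struct must be 8 bytes");

/* 0 if all fields are in range, else index (2, 5, 6, 7) of the first bad byte. */
int hcd_check(const hcd_packet *p)
{
    if (p->yaw_trim   > HCD_TRIM_MAX) return 2;
    if (p->pitch_trim > HCD_TRIM_MAX) return 5;
    if (p->roll_trim  > HCD_TRIM_MAX) return 6;
    if (p->mode != HCD_MODE_FLY && p->mode != HCD_MODE_RUN) return 7;
    return 0;
}

/* Decode a captured payload; -1 means NULL argument or wrong length.
   out is filled even when a range check fails, so it can be inspected. */
int hcd_parse(const uint8_t *buf, size_t len, hcd_packet *out)
{
    if (!buf || !out || len != HCD_PACKET_LEN) return -1;
    memcpy(out, buf, HCD_PACKET_LEN);
    return hcd_check(out);
}

/* Encode a packet; leaves buf untouched if a field is out of range. */
int hcd_pack(const hcd_packet *p, uint8_t buf[HCD_PACKET_LEN])
{
    int rc = (p && buf) ? hcd_check(p) : -1;
    if (rc == 0) memcpy(buf, p, HCD_PACKET_LEN);
    return rc;
}

int main(void)
{
    /* Constructed sample payload, not a capture from the original post. */
    const uint8_t sample[HCD_PACKET_LEN] = {120, 128, 64, 128, 128, 64, 64, 16};
    hcd_packet p = {0};
    int rc = hcd_parse(sample, sizeof sample, &p);
    printf("rc=%d throttle=%u yaw_trim=%u mode=%u\n", rc, p.throttle, p.yaw_trim, p.mode);
    return rc;
}
```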
Next I created a base station that would connect to the quadrotors. I happened to have some RFM-70 modules that contain the same BK2421 chip. Not reading the datasheet properly, I initially thought that this module required 3.3V logic, hence all the resistors. They are not needed since the BK2421 has 5V tolerant data pins.
NOTE: CE goes to pin 8 (missing on drawing)
I eventually ended up with a much simpler set-up using just the module salvaged from the handset and an Arduino.
To enable future experimentation I have written an Arduino library for connecting to one or more of these quadcopters.
The library should work on any ATMEGA88 to ATMEGA328P based Arduino board.
If you want to have a go yourself, you may get the HCDs here or here among other places. These are just random hits on Google; you may get them elsewhere.
Less crappy video here.
Please share if you find other toys that may be hacked using similar methods.