Reverse Engineering the NRF24L01+ Communication

A project log for Open esk8 Remote - v1

Fully open source remote control for common electric skateboards using the NRF24L01+

Timo Birnschein 12/10/2018 at 00:48

Okay, here is where this project gets slightly out of hand.

I was not expecting to build the entire remote but what seemed impossible yesterday became inevitable. In order to do this, I first needed to identify the correct pins and then hook up my BusPirate clone (which doesn't seem to work under my Windows for some reason - I hate counterfeits!) and sniff everything that happens between the Chinese controller chip and the NRF24L01+. Apparently, a lot.

Make no mistake, this protocol is simple and completely overloaded with unused 0x00 bytes that make no sense to me yet. Maybe some of you have ideas?

What you see above is ongoing communication. I captured a section of what's going on and marked all the interesting bits using my tablet. There is lots of configuration, buffer flushing, sending, waiting for ack and so on. Really interesting to watch and learn the actual SPI commands, because that makes understanding the chip a lot easier than just looking at the datasheet.

In fact, I never got to results this fast! Every datasheet should have a comprehensive example command trace attached to it. That would help so many people!

My first step was to check if I could take this exact configuration and behavior and replicate it. It took me a couple of hours to establish the base firmware for my Arduino, but it basically worked right out of the box. Receiving the battery status and sending throttle commands was easy once you have the address key to communicate with the board, making the board believe it's still communicating with the original remote.
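To make a sniffed SPI capture like the one described above readable, the bytes clocked while CSN is low can be annotated with the nRF24L01+ command and register names from the datasheet, and the pipe addresses that the controller writes to TX_ADDR/RX_ADDR_P0 can be pulled straight out of the trace, which is the "address key" mentioned above. The following decoder is an added example, not the project's own tooling; the SAMPLE_TRACE it runs on is constructed here (the address bytes and payload are made up), while the opcodes, register addresses and STATUS bit positions are the ones documented for the chip.

```python
"""Annotate a sniffed nRF24L01+ SPI trace with command and register names.

One transaction is everything clocked while CSN is low: the first MOSI byte
is the command, the first MISO byte is always the STATUS register, and the
remaining bytes are register data or payload. Opcode encodings, register
addresses and STATUS bit positions follow the nRF24L01+ datasheet.
"""

SINGLE_BYTE_COMMANDS = {
    0x61: "R_RX_PAYLOAD",
    0xA0: "W_TX_PAYLOAD",
    0xB0: "W_TX_PAYLOAD_NOACK",
    0xE1: "FLUSH_TX",
    0xE2: "FLUSH_RX",
    0xE3: "REUSE_TX_PL",
    0x60: "R_RX_PL_WID",
    0xFF: "NOP",
}

REGISTERS = {
    0x00: "CONFIG", 0x01: "EN_AA", 0x02: "EN_RXADDR", 0x03: "SETUP_AW",
    0x04: "SETUP_RETR", 0x05: "RF_CH", 0x06: "RF_SETUP", 0x07: "STATUS",
    0x08: "OBSERVE_TX", 0x09: "RPD", 0x0A: "RX_ADDR_P0", 0x0B: "RX_ADDR_P1",
    0x0C: "RX_ADDR_P2", 0x0D: "RX_ADDR_P3", 0x0E: "RX_ADDR_P4",
    0x0F: "RX_ADDR_P5", 0x10: "TX_ADDR", 0x11: "RX_PW_P0", 0x12: "RX_PW_P1",
    0x13: "RX_PW_P2", 0x14: "RX_PW_P3", 0x15: "RX_PW_P4", 0x16: "RX_PW_P5",
    0x17: "FIFO_STATUS", 0x1C: "DYNPD", 0x1D: "FEATURE",
}


def reg_name(addr):
    return REGISTERS.get(addr, f"REG_0x{addr:02X}")


def decode_status(status):
    """Split the STATUS byte the chip shifts out while the command byte goes in."""
    return {
        "RX_DR": bool(status & 0x40),      # payload waiting in RX FIFO
        "TX_DS": bool(status & 0x20),      # packet sent (and acked if auto-ack is on)
        "MAX_RT": bool(status & 0x10),     # retransmit limit hit, no ack received
        "RX_P_NO": (status >> 1) & 0x07,   # pipe of the waiting payload, 7 = none
        "TX_FULL": bool(status & 0x01),
    }


def decode_transaction(mosi, miso):
    """Return (command name, data bytes, status dict) for one CSN-low burst."""
    op = mosi[0]
    status = decode_status(miso[0])
    if op in SINGLE_BYTE_COMMANDS:
        return SINGLE_BYTE_COMMANDS[op], bytes(mosi[1:]), status
    if op & 0xE0 == 0x00:      # 000A AAAA: R_REGISTER, register data comes back on MISO
        return f"R_REGISTER {reg_name(op & 0x1F)}", bytes(miso[1:]), status
    if op & 0xE0 == 0x20:      # 001A AAAA: W_REGISTER, register data goes out on MOSI
        return f"W_REGISTER {reg_name(op & 0x1F)}", bytes(mosi[1:]), status
    if op & 0xF8 == 0xA8:      # 1010 1PPP: W_ACK_PAYLOAD for pipe PPP
        return f"W_ACK_PAYLOAD pipe {op & 0x07}", bytes(mosi[1:]), status
    return f"UNKNOWN 0x{op:02X}", bytes(mosi[1:]), status


def decode_trace(trace):
    """Render every (mosi, miso) transaction as one readable line."""
    lines = []
    for mosi, miso in trace:
        name, data, status = decode_transaction(mosi, miso)
        flags = [k for k in ("RX_DR", "TX_DS", "MAX_RT", "TX_FULL") if status[k]]
        lines.append(f"{name:<28} {data.hex():<12} status={'|'.join(flags) or '-'}")
    return lines


def extract_addresses(trace):
    """Collect the TX and RX pipe addresses written to the chip.

    They cross the SPI bus in the clear, so anyone with a logic probe on the
    board recovers them; there is no secret in the bus traffic itself.
    """
    found = {}
    for mosi, miso in trace:
        name, data, _ = decode_transaction(mosi, miso)
        reg = name.split()[1] if name.startswith("W_REGISTER") else ""
        if reg == "TX_ADDR" or reg.startswith("RX_ADDR_P"):
            found[reg] = data
    return found


# Constructed sample trace: PTX-side setup, one 4-byte payload, then polling STATUS
# with NOP until TX_DS appears, and clearing the flag afterwards.
SAMPLE_TRACE = [
    ([0x20, 0x0E], [0x0E, 0x00]),                                  # CONFIG: PWR_UP|EN_CRC|CRCO, PTX
    ([0x25, 0x02], [0x0E, 0x00]),                                  # RF_CH = 2
    ([0x30, 0x11, 0x22, 0x33, 0x44, 0x55], [0x0E] + [0x00] * 5),   # TX_ADDR (made-up value)
    ([0x2A, 0x11, 0x22, 0x33, 0x44, 0x55], [0x0E] + [0x00] * 5),   # RX_ADDR_P0 = TX_ADDR for auto-ack
    ([0xE1], [0x0E]),                                              # FLUSH_TX
    ([0xA0, 0x00, 0x80, 0x00, 0x00], [0x0E] + [0x00] * 4),         # W_TX_PAYLOAD (made-up value)
    ([0xFF], [0x0E]),                                              # NOP: nothing happened yet
    ([0xFF], [0x2E]),                                              # NOP: TX_DS set, ack received
    ([0x27, 0x20], [0x2E, 0x00]),                                  # W_REGISTER STATUS: clear TX_DS
]

if __name__ == "__main__":
    for line in decode_trace(SAMPLE_TRACE):
        print(line)
    print(extract_addresses(SAMPLE_TRACE))
```

Feed it the (MOSI, MISO) byte lists your logic analyzer exports per CSN-low window and the repeated 0x00 bytes become easy to classify: a 0x00 following a write command is register data, a 0x00 on MOSI during R_REGISTER is just a dummy byte to clock the answer out, and a NOP returning a STATUS with TX_DS or MAX_RT set is the "waiting for ack" loop.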

It gets quite a lot more involved the moment you decide to implement the actual pairing procedure.