
Comm protocol between camera and drone controller

A project log for Reverse Engineering a ProMark VR Toy Drone

Notes from hacking around with a $100USD WiFi enabled QuadCopter.

Dan Julio 01/12/2017 at 03:31 (1 comment)

Initially I thought the data stream from the camera board to the quadcopter controller was PPM. This signal is only active when the app is running and the on-screen controls are brought up; the quadcopter has to be power-cycled before the RF remote can control it again. However, a closer look at the signal while the on-screen controls were manipulated hinted that it was a serial stream instead. This makes some sense: the HI3518 has two serial ports, and it is certainly easier to ship a set of bytes out a serial port than to generate a PPM data stream. A complete frame, shown below, takes about 4.06 mSec.

The period between frames is about 25 mSec, although it seemed to vary a bit. The smallest "bit" period in the frame is about 52 uSec, which implies a bit rate of 19,200 baud and an 8-byte packet. Sure enough, connecting the signal to the USB serial converter and opening a 19.2 kBaud 8N1 terminal connection yielded what looked like good data. Even better, the data seemed to be byte aligned and I saw direct changes when I manipulated the on-screen controls. What follows are the notes I took while associating data with control actions. At the end is my guess as to what each byte means. The trim controls simply seem to add a small + or - offset to the actual control value. The start byte and end byte sum to 0xFF, and the remaining bytes are protected by an XOR checksum.

Some bytes were repeated while the control was being touched. I am wondering now if the application just opens a simple telnet-like port connection to the camera board (perhaps on port 8080) and sends these bytes straight through (à la a remote serial connection). Next up will be to try to suss out the network traffic between the application and the camera board.

Upon boot: ???

  FF 69 6E 69 74 20 6F 6B 0A CC 80 80 00 80 00 80 33 66…

Upon app connection: ???

  66 80 80 00 80 00 80 99

Upon app controls:

  CC 80 80 00 80 00 80 33 66 80 80 00 80 00 80 99  (repeated)

Launch:

  CC 80 80 7E 80 40 BE 33 66 80 80 7E 80 40 BE 99  (repeated when takeoff/land displayed)

  CC 80 80 7E 80 42 BC 33 66 80 80 7E 80 42 BC 99  (repeated 6 times when takeoff pressed)

  CC 80 80 7E 80 41 BF 33 66 80 80 7E 80 41 BF 99  (repeated 59 times - maybe while press)

  CC 80 80 7E 80 40 BE 33 66 80 80 7E 80 40 BE 99

Land:

  CC 80 80 7E 80 40 BE 33 66 80 80 7E 80 40 BE 99

  CC 80 80 7E 80 42 BC 33 66 80 80 7E 80 42 BC 99  (repeated 62 times - maybe while press)

  CC 80 80 00 80 00 80 33 66 80 80 00 80 00 80 99  (repeated after controls removed)

Throttle up:

  CC 80 80 00 80 00 80 33 66 80 80 00 80 00 80 99

  CC 80 80 26 80 00 A6 33 66 80 80 2E 80 00 AE 99

  CC 80 80 44 80 00 C4 33 66 80 80 4E 80 00 CE 99

  CC 80 80 64 80 00 E4 33 66 80 80 7E 80 00 FE 99

  CC 80 80 86 80 00 06 33 66 80 80 96 80 00 16 99

  CC 80 80 A0 80 00 20 33 66 80 80 B2 80 00 32 99

  CC 80 80 B8 80 00 38 33 66 80 80 C8 80 00 48 99

  CC 80 80 D0 80 00 50 33 66 80 80 D4 80 00 54 99

  CC 80 80 DC 80 00 5C 33 66 80 80 E0 80 00 60 99

  CC 80 80 EA 80 00 6A 33 66 80 80 EE 80 00 6E 99

  CC 80 80 F6 80 00 76 33 66 80 80 F8 80 00 78 99

  CC 80 80 FC 80 00 7C 33 66 80 80 FC 80 00 7C 99

Throttle left/right:

  CC 80 80 78 80 00 F8 33 66 80 80 78 C0 00 B8 99

  CC 80 80 78 C0 00 B8 33 66 80 80 78 C2 00 BA 99

…

  CC 80 80 86 E6 00 60 33 66 80 80 88 E4 00 6C 99 (max right although real max seems FC)

…

  CC 80 80 74 01 00 75 33 66 80 80 74 01 00 75 99 (min left)

Right Stick up/down:

  CC 8B BD 88 80 00 3E 33 66 8B BB 88 80 00 38 99 (up)

  CC 80 41 88 80 00 C9 33 66 80 41 88 80 00 C9 99 (down)

Right Stick left/right:

  CC AE 74 00 80 00 5A 33 66 B5 74 00 80 00 41 99 (right)

  CC 53 80 00 80 00 53 33 66 53 80 00 80 00 53 99 (left)

Normal/Headless button:

  CC 80 80 00 80 20 A0 33 66 80 80 00 80 20 A0 99

Right Trim Throttle twice (from center):

  CC 80 80 00 82 00 82 33 66 80 80 00 82 00 82 99

Left Trim Throttle once (from center):

  CC 80 80 00 7F 00 7F 33 66 80 80 00 7F 00 7F 99

  CC 80 80 00 75 00 75 33 66 80 80 00 75 00 75 99  (left a bunch)

Right Trim Right Stick:

  CC 83 80 00 80 00 83 33 66 83 80 00 80 00 83 99  (several clicks)

Left Trim Right Stick all the way:

  CC 70 80 00 80 00 70 33 66 70 80 00 80 00 70 99

Up Trim Right Stick:

  CC 80 81 00 80 00 81 33 66 80 81 00 80 00 81 99 (one click)

  CC 80 90 00 80 00 90 33 66 80 90 00 80 00 90 99 (all the way)

Down Trim Right Stick:

  CC 80 7F 00 80 00 7F 33 66 80 7F 00 80 00 7F 99 (one click)

  CC 80 70 00 80 00 70 33 66 80 70 00 80 00 70 99 (all the way)

Emergency Stop:

  CC 80 80 00 80 80 00 33 66 80 80 00 80 80 00 99

Gravity Sense Mode: no change?

Speed Mode: no change?

Photo/Recording: no changes

Byte Order Guess:

  Byte 0: Start of packet: CC (0b11001100) or 66 (0b01100110)

  Byte 1: Right/Left pitch

  Byte 2: Forward/Backward pitch

  Byte 3: Throttle

  Byte 4: Right/Left rotate

  Byte 5: Flags

    bit 7: Emergency Stop

    bit 6: Takeoff/Landing Mode (controls displayed)

    bit 5: Normal/Headless

    bit 4: 

    bit 3:

    bit 2:

    bit 1: Set initially when either takeoff or landing pressed

    bit 0: Set after bit 1 for takeoff

  Byte 6: XOR Checksum of Bytes 1-5

  Byte 7: End of packet: 33 (0b00110011) or 99 (0b10011001)
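As an added example (not code from the project), the parser below applies the byte-order guess above to the raw captures: it scans for a start byte whose matching end byte (0xFF minus the start byte) sits seven bytes later, checks byte 6 against the XOR of bytes 1-5, and decodes the flag bits named above. The field names (roll, pitch, throttle, yaw) and the sample capture, assembled from the boot banner and the two idle frames in the log, are assumptions made here.

```python
from dataclasses import dataclass

FRAME_LEN = 8
START_BYTES = (0xCC, 0x66)  # each pairs with the end byte 0xFF - start (0x33, 0x99)

@dataclass
class Frame:
    start: int
    roll: int      # byte 1: right/left pitch
    pitch: int     # byte 2: forward/backward pitch
    throttle: int  # byte 3
    yaw: int       # byte 4: right/left rotate
    flags: int     # byte 5
    checksum_ok: bool  # byte 6 == XOR of bytes 1-5

    @property
    def emergency_stop(self) -> bool:
        return bool(self.flags & 0x80)

    @property
    def takeoff_land_mode(self) -> bool:
        return bool(self.flags & 0x40)

def xor_checksum(payload: bytes) -> int:
    c = 0
    for b in payload:
        c ^= b
    return c

def parse_frames(data: bytes):
    """Scan for a start byte whose matching end byte sits 7 bytes later; return
    (frames, skipped) where skipped holds every byte that was not part of a frame."""
    frames, skipped, i = [], bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in START_BYTES and i + FRAME_LEN <= len(data) and data[i + 7] == 0xFF - b:
            f = data[i:i + FRAME_LEN]
            frames.append(Frame(f[0], f[1], f[2], f[3], f[4], f[5],
                                xor_checksum(f[1:6]) == f[6]))
            i += FRAME_LEN
        else:
            skipped.append(b)  # e.g. the ASCII "init ok\n" banner sent at boot
            i += 1
    return frames, bytes(skipped)

# Constructed sample: the boot banner from the log followed by the two idle frames.
BOOT_CAPTURE = bytes.fromhex(
    "FF 69 6E 69 74 20 6F 6B 0A CC 80 80 00 80 00 80 33 66 80 80 00 80 00 80 99")
```

Running `parse_frames` over the other captures in the log is a quick way to confirm that every frame satisfies the checksum rule before trusting the byte-order guess.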

Discussions

Chuck F. wrote 08/12/2017 at 10:32 point

I have a question. I have this very quadcopter and love it. I also have a Syma X8 which most parts are shared between both quads. The flight board is different on the Promark and my Promark controller won't sync and bind with the Syma, and vice versa. I'm trying to make a hobby grade controller work with my Promark VR P70 and since you seem to be the only person who has got this far with the Wi-Fi and camera drone controls, would you suppose the communications protocol from the controller itself is the same? Or would it be totally different since the android app communicates thru the camera? 
