
Further tests

A project log for Controlling a JJRC H37 Elfie quad from a PC

The JJRC Elfie Quadcopter comes with an Android/iOS app to control it from the phone. Can we control it from our own software?

adria.junyent-ferre, 02/02/2017 at 01:42

Today I captured a bit more traffic from the application to the quadcopter and played with the on-screen controllers to see how that would affect the messages. Here's what I got. By moving the controllers, some of the bytes in the message change (these are marked with XX):

roll left-right
66 XX .. .. .. .. XX 99 horizontal position goes from 58 (left) to 80 (centre) and a7 (right)
pitch forward-backwards
66 .. XX .. .. .. XX 99 vertical position goes from 59 (bottom) to 80 (centre) and a8 (top)
yaw left and right
66 .. .. .. XX .. XX 99 rotation goes from 01 (left) to 80 (centre) and fe (right)
throttle high and low
66 .. .. XX .. .. XX 99 throttle goes from 01 (bottom) to 80 (centre) and fe (top)

Apparently, the first byte and the last byte are always constant: one is 0x66, the other is 0x99. Also, the penultimate byte seems to be some sort of error correction byte that depends on all other bytes. Finally, the antepenultimate byte is used to encode different on/off commands such as the headless mode, the "arm" command, the "land" command and the emergency stop:

66 80 80 80 80 00 10 99 headless (the 10 in the antepenultimate byte is continuously sent)

66 80 80 80 80 01 01 99 start to spin (the 01 in the antepenultimate byte is sent for 1 second -20 messages-)

66 80 80 80 80 02 02 99 land (the 02 in the antepenultimate byte is sent for 1 second -20 messages-)

66 80 80 80 80 04 04 99 emergency stop (the 04 in the antepenultimate byte is sent for 1 second -20 messages-)

I suspect the byte that encodes the commands has each bit identified with a different command, and multiple commands might be sent simultaneously if needed (I haven't tested that).

In order to find out how the error correction byte is encoded, I've collected a few messages obtained by moving the controllers in random directions. I did a quick test with a few data points and it looks like the error correction byte is just an XOR of the other meaningful bytes. I haven't validated this hypothesis with all data points, though. Here's the whole lot:

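The frame layout and the XOR hypothesis described in this log, as an added example (not the author's code): a builder and a validator for the 8-byte message, plus a helper that reports which captured lines fail the check. The function names and the bit-flag decoding of the command byte are assumptions; the log lists the command values but does not test combining them.

```python
from functools import reduce

# Frame layout from the log: 66 roll pitch throttle yaw command checksum 99
HEADER, TRAILER = 0x66, 0x99
# Command values listed in the log. Decoding them as OR-able bit flags is the
# author's untested suspicion, so treat it as an assumption.
FLAGS = {0x01: "start", 0x02: "land", 0x04: "emergency_stop", 0x10: "headless"}

def checksum(payload: bytes) -> int:
    """XOR of roll, pitch, throttle, yaw and command (the log's hypothesis)."""
    return reduce(lambda a, b: a ^ b, payload, 0)

def build_frame(roll=0x80, pitch=0x80, throttle=0x80, yaw=0x80, command=0x00) -> bytes:
    payload = bytes([roll, pitch, throttle, yaw, command])  # ValueError if not 0..255
    return bytes([HEADER]) + payload + bytes([checksum(payload), TRAILER])

def parse_frame(frame: bytes) -> dict:
    """Check length, framing bytes and checksum, then decode the fields."""
    if len(frame) != 8:
        raise ValueError(f"expected 8 bytes, got {len(frame)}")
    if frame[0] != HEADER or frame[7] != TRAILER:
        raise ValueError("bad header or trailer byte")
    payload = frame[1:6]
    if checksum(payload) != frame[6]:
        raise ValueError(f"checksum {frame[6]:02x}, expected {checksum(payload):02x}")
    roll, pitch, throttle, yaw, command = payload
    return {"roll": roll, "pitch": pitch, "throttle": throttle, "yaw": yaw,
            "commands": sorted(n for bit, n in FLAGS.items() if command & bit)}

def check_capture(hex_lines):
    """Return (line, reason) for every line that fails the checks above."""
    bad = []
    for line in hex_lines:
        try:
            parse_frame(bytes.fromhex(line))
        except ValueError as exc:  # also raised for malformed hex
            bad.append((line, str(exc)))
    return bad

if __name__ == "__main__":
    # Three command frames quoted in the log plus one constructed corrupt frame.
    sample = ["66 80 80 80 80 01 01 99", "66 80 80 80 80 02 02 99",
              "66 80 80 80 80 04 04 99", "66 80 80 80 80 04 05 99"]
    for line, why in check_capture(sample):
        print(line, "->", why)
```

`bytes.fromhex` skips whitespace, so lines grouped as two-byte words (for example `6680 8080 8000 0099`) can be passed to `check_capture` unchanged.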
