by krulkip » Sun Mar 06, 2016 12:12 pm
I have modified the openmili software from Henryk to work on the new protocol.
This allows me to read the packets in the same way woodster has done without the need to solder anything.
I used the nRF24L01 wireless transmitter attached to an arduino.
I can confirm that the channels used are indeed 8, 39 and 70 and that 9 bytes are used.
Also the syncword of 0x72361809 worked for me.
The CRC is also calculated in the same way as before with of course the two extra bytes taken into account.
I also found the output bytes to be scrambled and have not managed to resolve this so far.
Looking at a lot of key presses I did discover some patterns.
The LS nibble seems to be the same for bytes 0,1,2,3,4,5 and 7 irrespective of the MS nibble for most key presses.
As only bytes 6 and 8 change when the rest are identical these must contain the indexing and encryption part.
Here is an example.
B0 2B F0 61 76 DD 39 75 31
B0 2B F0 61 76 DD E4 75 F0
By comparing the fixed nibbles when pressing different buttons you also notice that only one nibble changes which must then refer to the key button number.
So when the second nibble is zero the second nibble in the 5th byte is as follows:
on 4, off 1,
group 1 off 2, group 2 off 3, group 3 off C, group 4 off D,
group 1 on 5, group 2 on 6, group 3 on 7, group 4 on 0,
S+ E, S- F.
Not clear how the other buttons work, but the lower nibble of the previous byte 4 is involved.
I also can confirm woodster's findings on the high bit on byte 4 being impacted at long key presses, i.e. clear when active.
I looked to see if there was any logic in bytes 6 and 8 regarding increments but could not find it.
Also could not find logic connecting bytes 6 and 8 and either nibble.
Enclosed is a file with some output.
Hope someone can find a solution.
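The nibble-by-nibble comparison the post describes, written out as an added Python helper (not openmili code and not from the post's author): it loads the two packets quoted above, reports which byte positions and which nibbles vary across the capture, and applies the post's button table to the low nibble of byte 4. Reading "the second nibble in the 5th byte" as the low nibble of byte index 4, and the preceding "second nibble" as the low nibble of byte 0, is an assumption made here.

```python
"""Nibble-level comparison of captured 9-byte packets. Added helper, not
openmili code. PACKETS_HEX holds the two packets quoted in the post; the
button table is the post's, and reading "second nibble of the 5th byte"
as the low nibble of byte index 4 is an assumption."""

PACKETS_HEX = [
    "B0 2B F0 61 76 DD 39 75 31",  # packet quoted in the post
    "B0 2B F0 61 76 DD E4 75 F0",  # packet quoted in the post
]

# Low nibble of byte 4 -> button, per the post's table. The post says it
# applies when the "second nibble" is zero; assumed to mean byte 0's low nibble.
BUTTON_BY_NIBBLE = {
    0x4: "on", 0x1: "off",
    0x2: "group 1 off", 0x3: "group 2 off", 0xC: "group 3 off", 0xD: "group 4 off",
    0x5: "group 1 on", 0x6: "group 2 on", 0x7: "group 3 on", 0x0: "group 4 on",
    0xE: "S+", 0xF: "S-",
}

def parse_packet(line):
    """Turn a space-separated hex line into 9 bytes; reject other lengths."""
    pkt = bytes.fromhex(line.replace(" ", ""))
    if len(pkt) != 9:
        raise ValueError(f"expected 9 bytes, got {len(pkt)}: {line}")
    return pkt

def variability(packets):
    """Return (varying_bytes, varying_low_nibbles, varying_high_nibbles):
    sets of byte positions whose whole value / low nibble / high nibble
    differ across the capture. Fixed header and button bytes stay out of
    these sets; the positions holding the changing part show up in them."""
    varying_bytes, low, high = set(), set(), set()
    for i in range(len(packets[0])):
        col = {p[i] for p in packets}
        if len(col) > 1:
            varying_bytes.add(i)
        if len({b & 0x0F for b in col}) > 1:
            low.add(i)
        if len({b >> 4 for b in col}) > 1:
            high.add(i)
    return varying_bytes, low, high

def button(pkt):
    """Decode the button from byte 4's low nibble, or None when byte 0's low
    nibble is non-zero (the case the post says is not yet understood)."""
    if pkt[0] & 0x0F != 0:
        return None
    return BUTTON_BY_NIBBLE.get(pkt[4] & 0x0F)

if __name__ == "__main__":
    pkts = [parse_packet(line) for line in PACKETS_HEX]
    print("varying byte positions:", sorted(variability(pkts)[0]))
    for p in pkts:
        print(p.hex(" "), "->", button(p))
```

Feeding the full capture file into PACKETS_HEX instead of the two quoted lines gives the per-byte and per-nibble variability for the whole session at once.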