Analysis of the toy helicopter protocol on the IR control
Recently, a friend brought me a simple toy helicopter:
It is controlled not by radio, but by means of infrared signals. On the helicopter itself, there is an ordinary remote control, which means that the carrier frequency of 36-40kHz is used, and it is not difficult to understand the structure of the signals that the remote sends, which I decided to do.
I’ll say right away that this whole idea initially didn’t make any sense, it’s just an article about how IT-fun is having fun :)
After analyzing the signal using the remote control receiver, it became clear that the modified remote control protocol from Sony is used, which looks like this:
In the Sony protocol, a start signal of 2.4ms is first sent, and then data is transmitted that is encoded by a pause between signals: logical zero is 600 microseconds, logical one is 1200 microseconds.
In the protocol of the helicopter, only the duration of the time intervals differs. The start bit is approximately 2 ms, zero is 300 microseconds, the unit is 600 microseconds. Alas, I forgot to take a screenshot of the timeline. Thus, 4 bytes are transmitted. It only remained to find out - for what they are responsible?
This was done stupidly by experience. It turned out that the data is transmitted in high bits forward, and the bytes are:
In this case, in the first three bytes, the low bit is always zero, i.e. values are always even. It seems that this is done in order to distinguish the channels, but our helicopter worked only with this option. There is no checksum.
If you pass the values 128, 128, 254, 128 (0x80, 0x80, 0xFE, 0x80), it rotates at full speed vertically. By smoothly changing the third byte, you can make it hang in the air at the same height. Reduce the first byte - the helicopter turns to the left, we increase - to the right. We increase the second byte - we fly forward, we decrease - back. Everything is quite simple, it remained to reproduce these signals so that the helicopter believed that it is controlled by a real remote control.
I already had a self-made device that imitated the remote controls to control the TV and receiver, it was not difficult to modify its firmware so that it sent signals to the helicopter. And cheers, it worked!
Then it was interesting to use it somehow, for example, to control it with the help of some unusual devices. The choice fell on viimout and nunchuk from Nintendo Wii, especially since there are also accelerometers. If someone does not know, the Wiimote connects to the Wii via a normal bluetooth, so you can connect it to a computer without any problems. True, it seems only as an unknown HID device, not a game controller, but under Windows there is already a utility that can work with it - GlovePIE.
A script for GlovePIE was written in haste, which allowed you to control the mouse cursor using a Wiimote. My program read the current coordinates of the mouse and sent data to the router, which transmitted it to the network of my smart home (I wrote about it in another article ), to which the remote control transmitter was already connected. Oddly enough, the whole system worked quickly and stably.
I must say that in this way it became much easier to control the helicopter, because on the home console, the thrust handle is springy and tends to return to its original position.
Video of this madness:
After analyzing the signal using the remote control receiver, it became clear that the modified remote control protocol from Sony is used, which looks like this:
In the Sony protocol, a start signal of 2.4ms is first sent, and then data is transmitted that is encoded by a pause between signals: logical zero is 600 microseconds, logical one is 1200 microseconds.
In the protocol of the helicopter, only the duration of the time intervals differs. The start bit is approximately 2 ms, zero is 300 microseconds, the unit is 600 microseconds. Alas, I forgot to take a screenshot of the timeline. Thus, 4 bytes are transmitted. It only remained to find out - for what they are responsible?
This was done stupidly by experience. It turned out that the data is transmitted in high bits forward, and the bytes are:
- The first - turn left and right (the difference in the speed of rotation of the main propellers)
- The second - the movement back and forth (control propeller on the tail)
- The third - thrust up (the speed of rotation of the propellers)
- Fourth - the position of the rotation calibration knob, it is not clear why it is transmitted at all
In this case, in the first three bytes, the low bit is always zero, i.e. values are always even. It seems that this is done in order to distinguish the channels, but our helicopter worked only with this option. There is no checksum.
If you pass the values 128, 128, 254, 128 (0x80, 0x80, 0xFE, 0x80), it rotates at full speed vertically. By smoothly changing the third byte, you can make it hang in the air at the same height. Reduce the first byte - the helicopter turns to the left, we increase - to the right. We increase the second byte - we fly forward, we decrease - back. Everything is quite simple, it remained to reproduce these signals so that the helicopter believed that it is controlled by a real remote control.
I already had a self-made device that imitated the remote controls to control the TV and receiver, it was not difficult to modify its firmware so that it sent signals to the helicopter. And cheers, it worked!
Then it was interesting to use it somehow, for example, to control it with the help of some unusual devices. The choice fell on viimout and nunchuk from Nintendo Wii, especially since there are also accelerometers. If someone does not know, the Wiimote connects to the Wii via a normal bluetooth, so you can connect it to a computer without any problems. True, it seems only as an unknown HID device, not a game controller, but under Windows there is already a utility that can work with it - GlovePIE.
A script for GlovePIE was written in haste, which allowed you to control the mouse cursor using a Wiimote. My program read the current coordinates of the mouse and sent data to the router, which transmitted it to the network of my smart home (I wrote about it in another article ), to which the remote control transmitter was already connected. Oddly enough, the whole system worked quickly and stably.
I must say that in this way it became much easier to control the helicopter, because on the home console, the thrust handle is springy and tends to return to its original position.
Video of this madness: