Go to the profile of Sergio Martinez
Sergio Martinez
Software Engineer at Intel

Toy Helicopter Reverse Engineering

I love tiny things with electronics. Since I read a book about space exploration in which one the characters was building tiny robots to perform Shakespeare plays, one of my dreams has been to be able to just do that.

Build tiny robots which can do stuff, entertain people and do impressive feats for their tiny size.

This is the story of a little helicopter that was the perfect Christmas cheap present last year and my learning on Infrared communication protocols to get it working with an Arduino.

On this tiny article, I am not going in detail about the construction of the controller or how to reverse engineer the entire protocol, which is a bit outside the scope of this Medium. This is just a tiny introduction and you should figure out by yourself for just the challenge and fun of doing it!

Tiger Helicopter

So here i was looking at it and thinking, hey what kind of protocol this thing is using? How do you start capturing an IR message?

I didn’t have an IR receiver but… Maybe i could capture it with a proximity sensor that i have in here?

KeyesIR

You can wire that thing up really quickly to an Arduino so you have a very simple interface to the world of IR.

Infrared distance sensors work with two parts, and IR emitter and an IR receiver. You can disable the emitter by disconnecting the EN switch that is in the picture.

Now it is just about writing a program to capture Datagrams.

sergioamr/helicontrol
helicontrol - Sigma helicopter controllers.github.com

Proof of concept phase. Every time you sense an infrared message from the controller you print something in the Arduino Monitor.

sergioamr/helicontrol
helicontrol - Sigma helicopter controllers.github.com

But … you discover really fast that a full datagram from a helicopter controller is around 32ms… WOW that is fast! How can i capture it with a simple Arduino with the processing power the display of my toaster?

Simple, you just store it in memory and send it back through the serial port when you have time.

You discover fast that this kind of helicopters don’t send much data too often, it is wonderful what you can do with a tiny package every now and then.

So lets start capturing and try to figure out what is going on.

Example from Syma S6 full power datagram

We put the messages in a spreadsheet and display them in something that we can look at for a few hours, it feels like trying to solve some kind of an interesting Sudoku but you don’t really understand the rules of the game.

So the best point to start is to navigate the wikipedia and learn about all the different protocols which are there.

https://en.wikipedia.org/wiki/Consumer_IR

Maybe you can fully implement a Manchester code decoder thinking it looks like what you see, bummer it is not!.

You might want to go technical into the different types of coding and how to represent it:

http://www.vishay.com/docs/80071/dataform.pdf

At the end this tiny helicopter was using the most simple of the protocols!

If the time between the previous state change was 800 µs it is a 1, if it is 400 µs it is a 0!

You can see a single datagram here. I liked to represent the data in text.

Expressing long waiting times with ‘ or .

State changes with / when going from 0 to 1 or \ when going from 1 to 0.

That simple representation makes your life easier while looking at data flying fast in your terminal. Here are a few examples of how the data is represented.

// Full adjustment B POWER 157 A 00 A 00 RL 31 OK

\./ 10111001 [‘\/’\./’\/\./] 00000100 [\/\/\./\/] 00000000 [\/\/\/\/] 01111100 [\./’\./’\./\/] 11011111 [‘\./\./’\./’\./] ‘

// Top left B POWER 185 L 31 U 31 RL 31 OK

\./ 10011101 [‘\/\./’\./\./] 11111101 [‘\./’\./’\./\./] 11111001 [‘\./’\./’\/\./] 01111100 [\./’\./’\./\/] 10101010 [‘\/’\/’\/’ // Posible bits for more channels

Now lets try to figure out all what this thing means.

Here is a description of the decoded message:

// H. PPPPPPPP LLLLLABD UUUUU*RD *AAAAA** CHECKSUM

\./ 10011101 [‘\/\./’\./\./] 00000100 [\/\/\./\/] 00000000 [\/\/\/\/] 00000000 [\/\/\/\/] 10011011 [‘\/\./’\/’\./]

When the helicopter is on full power you can see the bits PPPPPPPP changing, that is nice!

PPPPPPPP = Power

LLLLL = Left or right defined by bit R

ABD = Channels for different helicopters

UUUUU = Up or Down, the bit D will tell you which direction it is going

AAAAA = Rotation adjustments so the helicopter doesn’t rotate.

And a Checksum, which on this case it is the sum of all the different values!

Lets build something that can take off this thing!

Coooooooooooool!

You can check out the code to fly that helicopter fully replicating the controller on my github account

Have fun with reverse engineering!

If by any change you would like me to reverse engineer any other IR controller for you just send me a device :D!!!

Have fun!

I hope my next article is about how to fly those things autonomously :)