The Memoirs of Jim 'ung

Reverse Engineering a Hubsan X4 Quadcopter – Part 3: The Protocol Definition

Reverse Engineering a Hubsan X4 Quadcopter – Part 3: The Protocol Definition

Reverse Engineering a Hubsan X4 Quadcopter – Part 3: The Protocol Definition

The write up for this project is split up into 4 parts – part 1: hacking the controller, part 2: decoding the protocol, part 3: the protocol definition, and part 4: hacks using the protocol. That way you can just jump to whatever interests you, or follow the whole thing first start to finish. There’s also a bonus post on achieving a similar goal by emulating the controller joysticks using an Arduino Uno.

The Protocol Specification

Here’s the cold, hard, RFC-style documentation of the reversed protocol for anyone who is looking to re-implement the protocol in their own projects or improve their interoperability:

Hubsan X4 Protocol Specification RFC v.1.0

If you spot any errors or mistakes, please let me know and I’ll update the spec.

13 thoughts on “Reverse Engineering a Hubsan X4 Quadcopter – Part 3: The Protocol Definition

  1. Pingback: Reverse Engineering a Hubsan X4 Quadcopter — Part 2: Reversing The Protocol | The Memoirs of Jim 'ung

  2. Christian THOMAS

    Hello Jim what about the part 4 -hacks using the protocol- of your very interesting reverse engineering serie ?
    And thank you, it’s very instructive

  3. Christian THOMAS

    byt the way On my small holydays laptop I didn’t see the check box … Notify me of follow-up comments by email. So halas I didn’t check it

  4. Jon Keller

    Hi, Jim – I just wanted to drop a note to say thank you for this series of articles! I’m looking forward to part 4 when it’s completed!
    I’m hoping to do something involving using a webcam to identify the quadcopter in flight, and then transmit signals to make it perform commands. Perhaps dodging a tossed ball, or something similar.

    Thanks,
    Jon

  5. rakul mahenthiran

    Hi, ur post has been too much help to me. I am computer engineering student and this is what I am doing for my final year project. I was completely lost with my project and reading your post clarified too much of the work for me. Thanks a lot bud.

    And is there a part 4?

  6. Dave X

    I’d be interested in the gyro-calibrate signal (transmitter at zero throttle, full right yaw, then flip roll back and forth a few times until the leds flash) and the copter re-levels itself. Is that in packet J, or in one of the other bytes?

    Also, the H107C appears to write a PHOTO and a VIDEO directory on the SD card. Could some signal possibly remotely control video on/off or snap a photo for th PHOTO directory?

    1. Jim Post author

      Hey Dave X,

      Re: Gyro calibration, that’s a great point – I’ll take a look into that as I suspect you are correct that it’s a special command flag sent in the “J” byte, and I’ll update the spec with what I find (and post here!).

      Re: the camera control, that too could be in the control flags, or it could be in one of the NULL bytes of the command packet. I’m afraid I don’t have a H107C to play with to find out! I’m tempted to get the sexy new model of H107C (http://www.amazon.co.uk/Hubsan-H107C-Quadcopter-Camera-Longer/dp/B0169JYZD8) but I’m not sure if it uses the same protocol. I’ll definitely hack it anyway, so I guess we’ll find out…

    1. Dave X

      Cool. They hook a LED + terminal to the camera’s ‘KEY’ input and by toggling the LED on and off, they tweak the KEY.

      Some of the newer camera modules have several terminals, mostly unconnected: B-, B+, KEY, CVBS, TX, RX, SNAP. Maybe the unconnected SNAP would do the pics, and could be connected to the LED pin as well. I imagine the unconnected TX/RX are communications with the microcontroller of the camera module.

      It looks like the http://www.amazon.com/Hubsan-Camera-Plus-H107C-Quadcopter/dp/B015A48W5K has extra buttons on the controller for “PHOTO” and “CAMERA” Maybe they would twiddle the KEY and SNAP terminals?

  7. Pingback: Reverse Engineering a Hubsan X4 Quadcopter – Part 1: Hacking the Controller – The Memoirs of Jim 'ung

  8. Pingback: Reverse Engineering a Hubsan X4 Quadcopter – Part 4: Putting It To Use – The Memoirs of Jim 'ung

Leave a Reply

Your email address will not be published. Required fields are marked *