Hacking 2.4GHz Radio Control

Many modern radio control (RC) systems use frequency hopping to prevent interference. Unfortunately, hopping all over the 2.4GHz band can interfere with video or WiFi using the same frequency band. [Befinitiv] was trying to solve this problem when he realized that most of the systems used a TI CC2500 chip and a microcontroller. The microcontroller commands the chip via SPI and controls the frequency by writing into a frequency register.

Updating the microcontroller firmware was impractical. The firmware is encrypted, for one thing. In addition, the change would have to be reinserted on any future updates and repeated for every RC vendor. So [Befinitiv] took a different approach. He did a classic man in the middle attack by inserting an CPLD in between the controller and the CC2500.

A CPLD is–in simple terms–a small FPGA. There are usually some internal architectural differences, but you configure them with Verilog or VHDL just like an FPGA. What [Befinitiv] did was monitor the SPI clock line and intercept the data line. For most operations, the CPLD just passes the data through. However, when it sees a channel register write, it changes the data on the fly. This is, as you’d expect timing sensitive, which is why he used a programmable logic device instead of a microcontroller.

Of course, both the transmitter and receiver require modification. The system worked and continues to work regardless of software changes and will even work on other CC2500-based systems.

This is certainly less racy than the last CC2500 hack we covered. But it is a fine piece of work, nevertheless. Even if your current set up doesn’t use the CC2500, you could also mod it (see the video below).

Thanks to [lageos] for the tip.

6 thoughts on “Hacking 2.4GHz Radio Control

  1. The other popular chip is A7105 used in Turnigy 9x/FlySky/HobbyKing as seen here. I’ve read that some radios use nrf24l01 too. What’s interesting all these chips are transceivers and it is “only” a matter of PA in the “receiver” and some firmware changes on both ends to have telemetry data sent back to the ground.

    1. Some of the toolchains are free (gratis not libre) and you can get intro devices on breadboardable prototype boards for $15, e.g. XC9572XL from sparkfun, though you will also need a JTAG dongle to program it. Or pay $100 to get a DE0-nano, which is much more powerful and ready to program over USB I think. See also paplio.

      Getting the hardware is easy, writing a simple thing in VHDL or Verilog is readily doable… but producing a high quality, reliable piece of firmware with serious complexity is quite difficult compared to achieving the same task in software. There are timing traps and an infinite variety of intriguing bugs awaiting the unwary programmer, which is the price you pay for massive concurrency.

Leave a Reply to W Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.