HACKING THE YONGNUO WIRELESS CONTROLLER
22ND FEBRUARY 2018 KARL
I wrote this back in May 2017 but it was never finished, I got distracted by other things and I needed the wireless controller for photography. I wrote all this and it would be a shame to delete it, so I am posting it now on the chance there may be of something of interest within.
I use this Yongnuo Wireless Controller in photography to control a number of flash units away from the camera body. It comes in two parts, a transmitter that connects to the hotshoe on the camera and receivers with a hotshoe that connect to the flash, a single transmitter can control any number of flash receivers within the claimed 300 meter range. The transmitter with a couple of receivers can be gotten of eBay for around ?35.
Yongnuo Wireless Controller FSK 2.4GHz
I am looking to:
- See how the flash is connected
- Investigate how the transmitter works – reverse engineer as much as I can
- See if I can control the transmitter directly with an Arduino
- See if other devices using the same radio chip can also be controlled
- Not destroy the transmitter while examining it
On the board inside you will find:
- A power on/off switch
- Bi-colour Red/Green LED
- A dual-press button with two switches for operating the flash manually
- A four way code selector (4 way DIL switch)
- An anonymous (no markings) microcontroller – µC
- A7105 2.4GHz FSK/GFSK ISM band wireless transceiver
Date: 14/04/23 – 23 April 2014
Looking at the datasheet for the A7105 it can work as both a transmitter and receiver and uses an SPI interface for user control, it appears to be popular with the radio controlled RC aeronautical drone community. The receiver looks to be very similar by way of components, using the same radio chip and anonymous microcontroller. I have not examined it in any detail and take care if disassembling as there are three hotshoe connections that need to be desoldered.
On the Canon camera the hotshoe has six connections but we only need to examine three of these. Looking down on the camera with the lens facing away from you, the main plate where the flash slides in is ground, the large central dot is the flash trigger just below this on the left is the camera ready connection. I assume the rest are for the E-TTL functions and I have not looked at these.
Canon Hotshoe Connections
Checking the hotshoe with a multimeter, the flash trigger appears to have a high resistance that decreases when the flash is fired, I suppose this is a legacy of when cameras were more mechanical. The Camera Ready connection goes High – around 5 Volts, to tell the flash to wake up, that you have pressed the shutter halfway, the lens has focused and you are about to take a photo.
To find the duration of the flash signal on the cameras hotshoe I connected an almost flat AA battery between ground and flash to give me 1.2 volts to measure against on the oscilloscope (checking a canon flash itself, the voltage across the flash pin and ground is 4.47 volts). I found that the flash signal is sent by the camera for 352ms, which is quite long considering that a typical shutter speed of 1/125 second for flash photography works out at 8ms, although the amount of time a flash fires for is set on the flash and not by this signal.
Capturing the flash event
I spent a while tracing out most of the transmitter circuit, I have ignored most of the supporting radio circuitry and the crystal timer as I am wanting to investigate the data side. The parts are also rather small and troublesome to investigate with standard multimeter probes.
RF600TX – Partial Schematic
The microcontroller looks to use internal pullup resistors for the input switches, the camera ready signal from the hotshoe switches a transistor to pull pin 16 low on the controller.
Looking at the circuit diagram we see an output to the antenna from pin 8 of the micro controller. This outputs two different square waves when the shutter button is pressed, one for camera ready and another for flash. I think these are being modulated on the transmitter output to produce a radio signal and simplify the transmitter design. Looking at the output from pin eight on the oscilloscope, the two states can be seen quite clearly:
Camera Ready signal
These square wave outputs are always the same, I thought it may change when a different code was chosen through the DIL switches. The transmitter unit does not receive any radio data, and no acknowledgement is made by the flash units.
Using a Logic Analyser
Time to break out the Logic Analyser, this is a cunning device that allows you to see the data being exchanged between the microcontroller and transceiver, I don’t want to get too detailed but think this may help for the following sections.
The data system being used by the A7105 is SPI. The Serial Peripheral Interface bus uses four wires: Chip Select SCS, multiple chips can be on the same SPI bus, but they all have different SCS connections, the master controller chip uses SCS to tell the slave chip it wants to use for data exchange. Serial Clock SCK: This is used to provide time synchronisation for the data exchange with a fixed duration for the highs and lows. Data SDIO: This is the data being sent by the microcontroller and GIO1 is data from the transceiver sent in reply, normally for SPI this is 8 bits, to make a byte.
The naming conventions used here are from the A7105 datasheet, The SPI bus has standard names for data lines; SDIO is MOSI – Master Out/Slave In, GIO1 would be MISO – Master In/Slave Out and SCS is SS – Slave Select. In our case the microcontroller would be the master and the transceiver the slave.
SPI Single slave
The Logic Analyser displays data in a form that allows you to see the logic, here we can see two bytes of data:
Example of SPI data
The microcontroller – µC sends data on the SDIO line and listens for replies on GIO1. When the µC sets Chip Select SCS low this tells the transceiver that the µC wants to talk to it. The µC sends a command byte followed by one or more bytes of data – a packet. During the SCS event, data is only transferred while the clock SCK is running.
SPI data, binary data from the highs and lows
We can see that the logic on the SDIO is read every-time the clock goes low, falling edge, a clock tick on the SCK line represents a bit of data, eight ticks make a byte. We now have our binary data: 00100101 for convenience this is converted into hexadecimal 0x25.
When examining an SPI bus check any available datasheets to see if the clock is set to tick on a falling or rising edge, the bit order is Most Significant Bit – MSB or Least Significant Bit – LSB, and the data length (normally eight).
Looking at the A7105 Transceiver
A7105 Block Diagram (a clearer version can be seen in the datasheet)
From the A7105 datasheet the SPI bus is set for the following:
- To activate SPI, the SCS pin must be set low
- data length: 8 bits
- bit order: Most Significant Bit First (MSB)
Connections to the Logic Analyser
This table shows the Input/Output pins on the transceiver and microcontroller, as well as the colour of wire used for the logic analyser.
A7105 Description In/Out µC Wire Colour 11 SCS 3 Wire Chip Select I 9 yellow 12 SCK 3 Wire Clock I 10 orange 14 SDIO Read / Write I/O 12 brown 16 GIO1 4 Wire SPI Data Output I/O 11 red 17 GIO2 4 Wire SPI Data Output I/O 13 white GND Ground black Trigger Out O 8 grey
How the A7105 organises data
The transceiver has two data modes, Strobe and Control. There are eight strobe commands to control the various modes the chip supports, these are four bits in length and always begin with a 1, where the transceiver is being operated in 8 bit mode the final four bits are ignored. The Control registers are eight bits in length and are used to configure and read settings from the transceiver, they are eight bits in length, the first bit is always 0 and the second is either 1 for write or 0 for read. The table below shows examples of a write, a read (or more accurately a request, the transceiver replies on GIO1) and a strobe command sent by the µC.
Examining the A7105 data
Data is exchanged on the SPI during two events, after the transmitter has been switched on, and when you are pressing the camera shutter or the button on the unit.
Extract of the SPI power on data showing SCS event 48, see the spreadsheet for more details
When you first switch on the unit, the microcontroller initialises the transceiver with a few hundred bytes of data, I have created this spreadsheet from the SPI data, hex data across is the most useful sheet to view:
In summary the initialization sequence consists of the following
- The microcontroller sets the majority of control registers to default
- Internal calibration is started and the microcontroller keeps checking until this is done
- Final cleaning up
- Place the A7105 into standby mode
On the SPI the shutter press action has two distinct stages, the preamble and the transmission. The preamble takes the camera out of standby mode and sets the channel it is going to be transmitting on. The transmission broadcasts the camera ready and flash states.
At the beginning of the data capture I see a preamble packet sent over the SPI:
Logic Analyser Data – first five bytes of the Preamble Packet
This preamble looks to only appear when the flash is first operated after the transmitter unit has been switched on, subsequent use goes straight to transmit. The fifth byte changes depending on the DIL switch setting on the underside of the unit, as you can see in the four examples given in the table below.
Taking the first example, we can break this down to see what each byte is doing
It is difficult to work out what is going on here, according to the datasheet you send a packet of data 0xb5 0xf0 to be transmitted to FIFO Data 0x5 and follow that with the strobe command TX mode 0xd0, but what is transmitted bears no relation to the FIFO packet.
We need to look further back in the initialisation sequence and the datasheet, the A7105 has three modes of transmission; easy, segment and extension. We need to undertake a little bit of detective work to find which this is. Chapter 16.4 of the datasheet shows us the two registers used in the initialisation sequence we need to examine:
The datasheet does not say directly so we need to go through each modes description to see which is the best fit. Segment FIFO looks good: “In Segment FIFO, TX FIFO length is equal to (FEP [7:0] – PSA [5:0] + 1). FPM [1:0] should be zero”. So our settings: (FEP:0b1 – PSA:0b0) + 1 = 2. The number of bytes sent our FIFO Data packet is also 2.
Further reading of the description “This function is very useful for button applications. In such case, each button is used to transmit fixed code (data) every time. During initialisation, each fixed code is written into corresponding segment FIFO once and for all. Then, if button is triggered, MCU just assigns corresponding segment FIFO (PSA [5:0] and FEP [7:0]) and issues TX strobe command.”
Taking an initial look at the data gathered during a shutter press on the Trigger Out (pin 8 of the microcontroller) we can clearly see the transition from Camera Ready and Flash as we saw on the oscilloscope earlier.
Logic Analyser Data
GIO2 shows a mirror of the Trigger Out, but zooming in to the data and I see that it follows the Trigger signal. Looking in the initialisation spreadsheet at SCS event we see that the command 0xc 0x1 was sent for setting the function of the GIO2 pin. Looking at the datasheet this appears to be set as an ‘I am transmitting’ signal, WTR – Wait until TX or RX has finished. If I force GIO2 low by sorting it to ground then the flash does not fire when I press the shutter
Logic Analyser Data
In my data capture the Camera Ready signal was transmitted six times, and the Flash signal thirteen times, I am sure this is dependant on the length of time I had the shutter button pressed on the camera.
Apologies for the inconclusive ending, I ran out of time to pursue this further.
Links and Sources
- A7105 Datasheet and Product information
- Logic Analyser: https://www.ikalogic.com/scanaplus/
- SPI Data tutorial https://learn.sparkfun.com/tutorials/se ... erface-spi
- Arduino A7105 library: https://github.com/nh2/arduino-a7105
- Reverse Engineering a Hubsan X4 Quadcopter: http://www.jimhung.co.uk/?p=1424 with a description of the A7105 data
- SPI data bus and FSK – Frequency Shift Keying on Wikipedia