Duane Degn
When I first saw the I2C exchange between the Motion Controller and the Intelligent Battery, I was optimistic I'd be able to replicate the replies from the Intelligent Battery using a microcontroller. I'm no longer as optimistic as I had been.
The Motion Controller not only reads data from the Intelligent Battery but it also writes data to the Intelligent Battery.
If I remember how I2C communication works, I think the Motion Controller writes three bytes of data to register zero and then reads six or seven bytes from register 35 (0x23).
I've replaced the I2C read setup with a simple "Read from".
For example, rather than writing:
Setup Write to ['22' (0x16)] + ACK
#(0x23) + ACK
Setup Read to ['23' (0x17)] + ACK
'4'(0x04) + ACK
'0'(0x00) + ACK
'0'(0x00) + ACK
'0'(0x00) + ACK
'0'(0x00) + ACK
T(0x54) + NAK
I'll instead use:
Read from 0x23,0x04,0x00,0x00,0x00,0x00,0x54
Most writes are single byte writes to indicate which register to read. Some writes are longer. I think these longer writes start with the register being written followed by the data being written. Again, I'll use a shorthand to condense the data.
Instead of:
Setup Write to ['22' (0x16)] + ACK
0' (0x00) + ACK
Q (0x51) + ACK
0' (0x00) + ACK
\n (0x0A) + ACK
I'll use:
Setup Write,0x00,0x51,0x00,0x0A
Using these rules, here's the first part of the communication captured as the S1 is turned on.
Read from 0xD5,0x00,0x00,0x4E
Read from 0x18,0x60,0x09,0xD0
Read from 0x17,0x0A,0x00,0x4A
Read from 0x19,0x30,0x2A,0x23
Read from 0x1B,0xD8,0x4E,0xDF
Read from 0x1C,0x5C,0x00,0xB2
Read from 0x20,0x05,0x44,0x45,0x53,0x41,0x59,0x7A,0x7A,0x7A,0x7A,0x7A,0x7A,0x7A,0x7A,0x7A,0x7A,0x7A,0x7A,0x7A,0x7A,0x7A,0x7A
Read from 0x21,0x0D,0x58,0x57,0x30,0x36,0x30,0x37,0x42,0x41,0x54,0x54,0x45,0x52,0x59,0x08,0x08,0x08,0x08,0x08,0x08,0x08,0x08
Read from 0xC2,0x08,0x01,0x00,0x00,0x00,0x07,0x05,0xA4,0x03,0x69
Read from 0xD8,0x0E,0x30,0x52,0x54,0x44,0x47,0x35,0x35,0x35,0x35,0x31,0x30,0x30,0x58,0x32,0x9E
Setup Write,0x00,0x51,0x00,0x0A
Read from 0x23,0x04,0x00,0x00,0x00,0x00,0x54
Setup Write,0x00,0x53,0x00,0x20
Read from 0x23,0x04,0x00,0x00,0x00,0x00,0x00,0x54
Setup Write,0x00,0x54,0x00,0x4B
Read from 0x23,0x04,0x06,0x03,0x06,0x00,0xE3
Setup Write,0x00,0x55,0x00,0x5E
Read from 0x23,0x02,0x04,0x04,0x31,0x31,0x31
Read from 0x09,0x91,0x2D,0x5C
Read from 0x0A,0x00,0x00,0x51
Read from 0x10,0x97,0x09,0x1F
Read from 0x0F,0x1A,0x07,0xDF
Read from 0x08,0x78,0x0B,0x46
Read from 0x0D,0x4B,0x00,0xFF
Read from 0x51,0x04,0x00,0x00,0x00,0x00,0xDA
Read from 0xD2,0x00,0x00,0x2C
Read from 0x7B,0x97,0x09,0xC0
The part which concerns me is this:
Setup Write,0x00,0x51,0x00,0x0A
Read from 0x23,0x04,0x00,0x00,0x00,0x00,0x54
Setup Write,0x00,0x53,0x00,0x20
Read from 0x23,0x04,0x00,0x00,0x00,0x00,0x00,0x54
Setup Write,0x00,0x54,0x00,0x4B
Read from 0x23,0x04,0x06,0x03,0x06,0x00,0xE3
Setup Write,0x00,0x55,0x00,0x5E
Read from 0x23,0x02,0x04,0x04,0x31,0x31,0x31
If I understand the above exchange correctly, the Motion Controller is writing three bytes of data to register zero and then reads register 0x23 after writing register zero. Data read from 0x23 is different each time and even the number of bytes read changes. I don't know the significance of this exchange but I'm concerned there's some sort of check being performed to make sure the intelligent battery is legitimate.
I'm wondering if trying to spoof the I2C exchange will be more work than it's worth.
I'll likely attempt to add a battery in parallel with Intelligent Battery rather than trying to spoof the I2C communication.
As I mentioned in an early post, I have previously used a large LiPo in parallel with the Intelligent Battery. It's a pain to do so since I have to be careful to match the battery voltages but this will likely be an easier task than figuring out the I2C verification system.
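The condensing rules described in the post, worked through as an added example (this is not Duane's code or anything from DJI): a small Python script that turns the analyzer's one-byte-per-line export into the "Read from" / "Setup Write" shorthand, and a helper that pairs each register-zero write with the 0x23 read that follows it so the varying reply lengths can be tabulated. The two sample inputs are the lines quoted in the post, re-typed; the script assumes the analyzer export always has the exact line shapes shown there (a `Setup Write/Read to [...]` line per START, one `(0xNN) + ACK/NAK` line per data byte).

```python
import re

# Constructed sample input: the verbose analyzer lines quoted in the post,
# re-typed here so the condenser can run offline.
VERBOSE_SAMPLE = r"""Setup Write to ['22' (0x16)] + ACK
#(0x23) + ACK
Setup Read to ['23' (0x17)] + ACK
'4'(0x04) + ACK
'0'(0x00) + ACK
'0'(0x00) + ACK
'0'(0x00) + ACK
'0'(0x00) + ACK
T(0x54) + NAK
Setup Write to ['22' (0x16)] + ACK
0' (0x00) + ACK
Q (0x51) + ACK
0' (0x00) + ACK
\n (0x0A) + ACK
"""

# Constructed sample: the eight shorthand lines of the exchange the post
# singles out, copied from the post for the pairing helper below.
EXCHANGE_SAMPLE = """Setup Write,0x00,0x51,0x00,0x0A
Read from 0x23,0x04,0x00,0x00,0x00,0x00,0x54
Setup Write,0x00,0x53,0x00,0x20
Read from 0x23,0x04,0x00,0x00,0x00,0x00,0x00,0x54
Setup Write,0x00,0x54,0x00,0x4B
Read from 0x23,0x04,0x06,0x03,0x06,0x00,0xE3
Setup Write,0x00,0x55,0x00,0x5E
Read from 0x23,0x02,0x04,0x04,0x31,0x31,0x31
"""

# 0x16 (write) and 0x17 (read) differ only in the R/W bit, so both name the
# same 7-bit slave address; the parser keys on Write/Read and ignores the value.
SETUP_RE = re.compile(r"^Setup (Write|Read) to \[.*\(0x([0-9A-Fa-f]{2})\)\]")
BYTE_RE = re.compile(r"\(0x([0-9A-Fa-f]{2})\)\s*\+\s*(ACK|NAK)\s*$")


def _hexlist(values):
    return ",".join(f"0x{v:02X}" for v in values)


def condense(verbose_text):
    """Collapse the analyzer export into one shorthand line per transaction:
    a one-byte write followed by a repeated-START read becomes
    'Read from <reg>,<bytes...>'; any longer write becomes 'Setup Write,<bytes...>'."""
    out = []
    write_bytes = None   # bytes seen since the last 'Setup Write'
    read = None          # [register, [bytes]] while inside a read

    def flush():
        nonlocal write_bytes, read
        if read is not None:
            reg, data = read
            out.append("Read from " + _hexlist([reg] + data) if reg is not None
                       else "Read," + _hexlist(data))
            read = None
        if write_bytes is not None:
            out.append("Setup Write," + _hexlist(write_bytes))
            write_bytes = None

    for raw in verbose_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SETUP_RE.match(line)
        if m:
            if m.group(1) == "Write":
                flush()
                write_bytes = []
            else:
                reg = None
                if write_bytes is not None and len(write_bytes) == 1:
                    reg = write_bytes[0]   # single written byte = register pointer
                    write_bytes = None
                else:
                    flush()
                read = [reg, []]
            continue
        m = BYTE_RE.search(line)
        if not m:
            raise ValueError(f"unrecognised analyzer line: {line!r}")
        value = int(m.group(1), 16)
        if read is not None:
            read[1].append(value)
            if m.group(2) == "NAK":   # the master NAKs the final byte of a read
                flush()
        elif write_bytes is not None:
            write_bytes.append(value)
        else:
            raise ValueError(f"data byte outside any transaction: {line!r}")
    flush()
    return out


def parse_shorthand(line):
    """Split one shorthand line into (kind, register, data_bytes), following the
    post's reading: the first byte of a write or read is the register."""
    line = line.strip()
    if line.startswith("Read from "):
        kind, rest = "read", line[len("Read from "):]
    elif line.startswith("Setup Write,"):
        kind, rest = "write", line[len("Setup Write,"):]
    else:
        raise ValueError(f"not a shorthand line: {line!r}")
    values = [int(tok, 16) for tok in rest.split(",")]
    return kind, values[0], values[1:]


def pair_exchanges(shorthand_text):
    """Pair each register write with the read that immediately follows it,
    returning (written_register, written_bytes, read_register, read_bytes)."""
    pairs, last_write = [], None
    for line in shorthand_text.splitlines():
        if not line.strip():
            continue
        kind, reg, data = parse_shorthand(line)
        if kind == "write":
            last_write = (reg, data)
        elif last_write is not None:
            pairs.append((last_write[0], last_write[1], reg, data))
            last_write = None
    return pairs


if __name__ == "__main__":
    for line in condense(VERBOSE_SAMPLE):
        print(line)
    for w_reg, w_data, r_reg, r_data in pair_exchanges(EXCHANGE_SAMPLE):
        print(f"wrote {_hexlist(w_data)} to 0x{w_reg:02X} -> "
              f"{len(r_data)} bytes from 0x{r_reg:02X}: {_hexlist(r_data)}")
```

Run on the post's own excerpt, `pair_exchanges` shows the reply lengths as 6, 7, 6 and 6 bytes, which is the variation the post points to; the script only tabulates what the analyzer recorded and does not interpret the bytes.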