Hackaday Forums

[tamarok]

Radio controlled helicopters seems to be the latest gadget being pushed in local stores. The one that caught my eye was the Wi-Spi (video on YouTube: http://www.youtube.com/watch?v=qgxD486SQm0), because it uses wi-fi to control it and it has a built in camera. As sold it only works with iPhone and iPads, and possibly Android devices. I bought it in the hopes of being able to getting it working with a Linux based controller and eventually getting the computer to be able to automatically fly it on a predetermined course, with some hardware addition for locating the helicopter.

The helicopter advertises itself as a password-free wi-fi access point, to which you get your phone to connect to. Mine uses SSID of the form wispi0004849. The helicopter also has a mini-DHCP server to give you computer all the necessary connection info. At that point you can use the phone to control the helicopter.

A port scan reveals three open ports: 23, 2000 and 8080.

Port 23 is telnet, but I haven't worked out the username/password. The prompt displays "huahong login:". Port 8080 is http, using MJPEG HTTP Push for the video stream. I am guessing port 2000 is the port used to send the control signals.

A few things I am looking at the moment:

- how the software knows the address to use to connect to the server. I had assumed maybe the DNS addresses it provided, but those seem dud. At this point I am assuming it is just the address of the router it looks for.
- Trying to find out the telnet access info
- Working out how to decipher the protocol on port 2000.
- See what nmap and wireshark can give me.

If anyone has any ideas of how I can approach trying to get to the necessary information needed to make this useful for other project, then it would be appreciated. Maybe someone has already done the work?

[tamarok]

A bit of search shows there had been some investigation into the WiFli helicopter (same company) here, last year:

viewtopic.php?f=8&t=1743&p=8872&hilit=wifli#p8872

There is also this project in Python that may prove helpful:

http://code.google.com/p/wifli-control/

I'll see if anything there will help with this version of the helicopter, in the meantime I am just sharing what I find along the way.

[tamarok]

Turns out the control protocol isn't exactly the same as the wifli helicopter. My initial finding show:

TX: 9 byte message, of the form 0xaa, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xbb. The third byte represents the thrust, with minimum thrust being 0x0e. WIll see for the next ones.

RX: 9 byte message, of the form 0xee, 0x64, 0x64, 0x32, 0x39, 0x00, 0x07, 0x00, 0xdd. I observed both bytes 6 and 7 changing value. One is certainly going to be the battery charge, but not sure about the other one (gyro value?).

I also noticed that the iPhone app wasn't happy if it lost video, but could happily tolerate a lack of control connection.

I'll look some more when I have a bit of time.

The way I analyzed the protocol:

I took two wi-fi equipped computers and connected them via ethernet. First I ensured both computers could talk to each other, via the ethernet cable. Then the first computer I configured to be an ad-hoc network and set the wireless IP address to be 192.168.11.123. The second computer I configured the wireless to connect to the helicopter, and left the interface using DHCP. On each computer I ran a TCPProxy, that I wrote in Java. On the first computer this would listen on both ports 2000 and 8080 and this directs the data to the second computer. On the second computer, I used the same software but this time a connection is established to the IP address of the helicopter. The software writes all the data that it receives to a file, so I could analyse the data afterwards. At this point I connected the iPhone to the adhoc network of the first computer and then attempted to control the helicopter.