Boxee Box RF Remote comunication details

[bpietroiu]

Hi there, is there any way to get technical details about how nRF24LE1/nRF24LU1 chips are initialized in regarding RF communication?

I want to integrate remote controling boxee box in my iPad media control center and I need some details, maybe you are willing to share them freely:

RF_CHANNEL = ?
TX_ARRD_RX_ADDR = ?
DATA_RATE?
and so on

I am using compatible a breakout bord for nordic semi nRF24L01+ that is RF compatible with nRF24LE1/nRF24LU1 ...

More details on my iPad media control center, it is based on an arduino board integrating WiFi for iPad comm, IR send/receive for learning, replaying IR commands and now I want to add boxee box support to it. It is not a commercial product, just a fun project of mine.

[bpietroiu]

Having no support form anyone on this, I took this to the next level by myself.


So, a little more progress reversing boxee box radio transciver.

So, what I did: I took nordic semi's spec for nRF24LU1(Product_Specification_nRF24LU1_v1_1.pdf) - this is the radio transciver in the box responsible to receiving remote control commands.

This chip is a two in one solution integrating both an intel like 8051 mcu and a nRF24L01.

the way 8051 talks to the internal nRF24L01 is by means of an internal SPI channel, mapped to two special function registers (SFR at address
0xE5 - RFDAT
0xE6 - RFCON


By using what boxee team provided, the nRF24LU1's firmware - nrf6901_100903_00_11.hex you can spy what data is read and written to those two memory locations ... by using an 8051 simulator.
I did and here are some details:

RF_CHANNEL - 0x03
DATA_RATE - 2mbps
CRC - ON
CRC_WIDTH - 2 bytes
DYNAMIC PAYLOAD LENGTH for all rx data pipes
RX_P0Addr[5] = {0x1, 0x3, 0x6, 0x9, 0xc};
RX_P1Addr[5] = {0x2, 0x8, 0x9, 0xa, 0x12};
RX_P2Addr[1] = { 0x3 };
RX_P3Addr[1] = { 0x4 };
RX_P4Addr[1] = { 0x5 };
RX_P5Addr[1] = { 0x6 };
TX_Addr[5] = {0x4, 0x8, 0xa, 0xa, 0x12};

By using these details I was able to receive boxee's remote commands.
The problem is, I get garbage; pushing the same button twice I get completly different data

Code:

Got packet len =11
From pipe = 1
Data = 0x6 0xCC 0x9B 0x6C 0x2C 0x68 0x78 0x42 0x12 0xEF 0x3A 

Got packet len =11
From pipe = 1
Data = 0x6 0xCC 0x9B 0x6C 0x2C 0x68 0x78 0x42 0x12 0xEF 0x3A 

Got packet len =11
From pipe = 1
Data = 0x6 0xCC 0x9B 0x6C 0x2C 0x68 0x78 0x42 0x12 0xEF 0x3A 

Got packet len =14
From pipe = 1
Data = 0x75 0x90 0xF2 0x50 0xAC 0xF7 0xB0 0xCE 0xC5 0xB5 0xBA 0xC9 0x6A 0xA3 

Got packet len =14
From pipe = 1
Data = 0x75 0x90 0xF2 0x50 0xAC 0xF7 0xB0 0xCE 0xC5 0xB5 0xBA 0xC9 0x6A 0xA3 

Got packet len =11
From pipe = 1
Data = 0x51 0xD2 0x77 0x53 0x18 0x97 0x8D 0x10 0xE6 0x89 0x91 

Got packet len =11
From pipe = 1
Data = 0x51 0xD2 0x77 0x53 0x18 0x97 0x8D 0x10 0xE6 0x89 0x91 

Got packet len =11
From pipe = 1
Data = 0x51 0xD2 0x77 0x53 0x18 0x97 0x8D 0x10 0xE6 0x89 0x91 

Got packet len =14
From pipe = 1
Data = 0x1 0x2C 0xB3 0x31 0x8F 0xD8 0x32 0x5A 0xA8 0xEE 0x40 0x6B 0x49 0xB5 

Got packet len =14
From pipe = 1
Data = 0x1 0x2C 0xB3 0x31 0x8F 0xD8 0x32 0x5A 0xA8 0xEE 0x40 0x6B 0x49 0xB5

... something is going on, I think the remote and the box are doing two way communication