Reading through the SPIRIT1 datasheet again, and having found fewer patterns in the payload data than I expected, I wondered if they had enabled Data Whitening.

Data Whitening explanation from datasheet

Enabling this would make sense, so I found a small LFSR routine (one simple enough that I could understand it). Thanks to Trevor Bentley for this.

def lfsr(word, count=8):
    """Advance the 9-bit whitening LFSR (x^9 + x^5 + 1) by `count` shifts and return the new state."""
    word &= 0x1FF
    for _ in range(count):
        # Feedback is bit 5 XOR bit 0 of the current state. The original
        # wrote this as (word >> 5) ^ (word >> 0) & 1, which parses as
        # (word >> 5) ^ ((word >> 0) & 1); it only gave the right answer
        # because of the 0x1FF mask on the next line, so make the intent explicit.
        bit = ((word >> 5) ^ word) & 1
        word = ((word >> 1) | (bit << 8)) & 0x1FF  # shift right, feed back into bit 8
    return word
Simple Python LFSR routine
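The routine above only steps the register; it does not say which byte gets XORed with the data or how the register is reset between packets. The following is an added worked example (mine, not code from the original post or from Trevor Bentley) showing how I would apply it to a captured packet. It assumes the PN9 polynomial x^9 + x^5 + 1 with the register seeded to 0x1FF at the start of every packet, that the whitening byte is the low 8 bits of the register state before it is advanced, and that bit 0 of that byte lines up with bit 0 of the captured data byte. The `reverse_bits` switch, the `pn9_sequence` and `dewhiten` helpers and the sample packet are all mine; the 8 sample bytes are the decoded packet 01 from the table below, reused here only as plaintext for a round trip.

```python
# Added example: strip PN9 data whitening from a packet with the LFSR above.
# Assumptions (mine, not from the post): polynomial x^9 + x^5 + 1, register
# seeded with 0x1FF per packet, whitening byte = low 8 bits of the state,
# bit 0 of the whitening byte XORed with bit 0 of the data byte.

PN9_SEED = 0x1FF


def lfsr(word, count=8):
    """Advance the 9-bit whitening LFSR by `count` shifts (same as the routine above)."""
    word &= 0x1FF
    for _ in range(count):
        bit = ((word >> 5) ^ word) & 1             # feedback taps: bit 5 and bit 0
        word = ((word >> 1) | (bit << 8)) & 0x1FF  # shift right, feed back into bit 8
    return word


def bit_reverse(b):
    """Mirror the 8 bits of a byte (0xE1 -> 0x87)."""
    return int(f"{b:08b}"[::-1], 2)


def pn9_sequence(length, seed=PN9_SEED, reverse_bits=False):
    """Return the first `length` whitening bytes for the given seed.

    The whitening byte for each data byte is the low 8 bits of the state
    *before* the register is advanced, so the sequence starts FF E1 1D ...
    `reverse_bits=True` is an assumed alternative mapping (LFSR bit 0 XORed
    with the data byte's MSB); try it if the decode looks like noise.
    """
    out = []
    state = seed
    for _ in range(length):
        byte = state & 0xFF
        out.append(bit_reverse(byte) if reverse_bits else byte)
        state = lfsr(state)  # advance 8 bits for the next byte
    return bytes(out)


def dewhiten(data, seed=PN9_SEED, reverse_bits=False):
    """XOR `data` with the PN9 sequence. XOR is its own inverse, so the same
    call both applies and removes whitening."""
    return bytes(b ^ w for b, w in zip(data, pn9_sequence(len(data), seed, reverse_bits)))


whiten = dewhiten  # identical operation in the other direction


# Constructed sample (not a capture): the decoded bytes of packet 01 from the
# table, used as plaintext so the round trip can be checked offline.
SAMPLE_PLAIN = bytes.fromhex("c008083c43c80a3e")


def round_trip(plain):
    """Whiten then dewhiten; returns (whitened, recovered)."""
    whitened = whiten(plain)
    return whitened, dewhiten(whitened)


if __name__ == "__main__":
    print("PN9 sequence:", pn9_sequence(8).hex(" "))
    whitened, recovered = round_trip(SAMPLE_PLAIN)
    print("plain    :", SAMPLE_PLAIN.hex(" "))
    print("whitened :", whitened.hex(" "))
    print("recovered:", recovered.hex(" "))
    assert recovered == SAMPLE_PLAIN
```

Two checks worth doing before trusting a decode: the generated sequence must start FF E1 1D (anything else means the taps, seed or byte extraction is wrong), and a wrong bit-order or seed assumption does not fail loudly, it just yields a different pseudo-random looking byte stream, so the only evidence that the assumption is right is structure appearing in the output, as it does in the table below.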

After adding this and using it to transform the received data, things did look a little different.

    9             13
    ------------  -----------
00: c2 0f 00 08   43 c8 0a 3e
01: c0 08 08 3c   43 c8 0a 3e
02: c0 08 08 3c   43 c8 0a 3e
03: c0 08 08 3c   43 c8 0a 3e
04: c2 0f 00 08   43 c8 0a 3e
Hex decode after whitening removed

There is still the same basic structure of 4 bytes of data with distinct patterns followed by 4 bytes that don't change at all (header and identifier).

On reviewing the payload, there was room for some optimism that this was the way to go...

    17                                           32
    -----------------------------------------------
01: 04 04 3b 0f 1c 4c 94 7c 72 80 4d 8c 44 30 47 ec
02: 09 0b 33 0f e4 b8 5c 20 07 0c 32 31 44 30 44 ec
03: 03 0c 0f 07 2c 0c d4 fc 81 30 75 d7 44 30 47 ef
Decoded payload bytes following whitening removal for three 16-byte packets

The last 4 bytes all follow a very similar pattern, regardless of the length of the payload.

  • 443044ec appears on 25 packets
  • 443044ef appears on 22 packets
  • 443047ec appears on 14 packets
  • 443047ef appears on 16 packets

Assumption #9 - Data Whitening is enabled

Checking the other controller/receiver pairs, I find the same sequences at the end of all the packets, so this does seem to be related to the data rather than to the specific controller.

I'm still not sure how the variability in packet length is handled, but it is likely as simple as the packet type defining the length. Interestingly, all the shorter packet payloads start with 0x and the longer packets start with 4x. However, it can't be as simple as this, as the 4x payloads are either 52 or 84 bytes. I need to correlate the data a little more.