Decoding the FVT/Maytech 120A firmware (it uses BLHeli)

kaspars · August 30, 2017, 8:52am

During the weekend I managed to capture the UART traffic used by the FVT USB Link software to upload the latest firmware revision 170818 to the Favourite 120A 12S ESC (also known as Maytech MTES 120A SBEC) and noticed a #Skywalker20A# string in the byte sequence right at the end of the firmware upload:

With a bit more work I managed to figure out that their HGM firmware files have all bytes XORed with 0x68. And with that I could decode the full firmware and notice multiple references to the BLHeli firmware.

Here is the full write-up on how I did that:

Okami · August 30, 2017, 8:48pm

Nice job, i still got to read your article but would it be possible to access more config options since u have decoded it?

Deckoz · August 31, 2017, 1:54pm

Have you tried connecting to the c2 pin? You should be able to connect it to blheli suite.

kaspars · September 1, 2017, 8:56am

Here is the byte sequence when reading the settings:

Time [s], Analyzer Name, Decoded Protocol Result
0.895004240000000,Async Serial,'225' (0xE1)
0.895564400000000,Async Serial,'225' (0xE1)
0.909020840000000,Async Serial,'227' (0xE3)
0.909556370000000,Async Serial,'3' (0x03)
0.910088380000000,Async Serial,'3' (0x03)
0.910620390000000,Async Serial,'1' (0x01)
0.911152390000000,Async Serial,\t (0x09)
0.911684400000000,Async Serial,'0' (0x00)
0.912216410000000,Async Serial,'2' (0x02)
0.912748420000000,Async Serial,'4' (0x04)
0.913280420000000,Async Serial,'0' (0x00)
0.913812410000000,Async Serial,'1' (0x01)
0.914344420000000,Async Serial,'3' (0x03)
0.914876430000000,Async Serial,'1' (0x01)
0.915408430000000,Async Serial,@ (0x40)
0.915940440000000,Async Serial,'0' (0x00)
1.071019510000000,Async Serial,'225' (0xE1)
1.071550400000000,Async Serial,'225' (0xE1)

I haven’t figured out the protocol, yet. There seem to be 13 settings in the UI which is exactly the number of bytes after the 0xE3 request, I think.

kaspars · September 1, 2017, 8:58am

Have you tried connecting to the c2 pin?

Not yet. I’m still waiting for some parts to build a proper connector for those tiny pads:

Deckoz · September 1, 2017, 10:45am

Ah, I use a pogo pin/needle board setup as its modular and can work across many projects

kaspars · September 1, 2017, 2:49pm

Wow, that looks awesome! Is that an AVRISP “connector” (based on the number of pins)?

Deckoz · September 1, 2017, 2:59pm

yea thats correct. this was before 1 wire bootloaders were prevalent in most drone ESC’s. but it can be adopted for many things. like make shift SWD connectors, or if you only had pads for stlink, testing traces on a pcb…ect

kaspars · September 1, 2017, 3:02pm

Tried reading the 0x0000-0x3DFF memory region (via C2) and got back only zeros – it must be locked. The BLHeliSuite confirmed that.

And BLHeliSuite doesn’t seem to recognise the UART response when reading the setup parameters so it might be a completely modified version of BLHeli.

Deckoz · September 1, 2017, 3:05pm

Try with an older 14xx version of blheli suite, i doubt the ESC is running 16.xx BLHELI_S.

That is interesting that the memory is locked though… You should still be able to pull version information off of the ESC however.

Also normally with BLHELI the memory is stored/flashed as the 13th page on silabs chips… I wonder if FVT switched it around and it is flashed as the first page.

manuel.covas · January 23, 2018, 5:53pm

Hi, This is slightly out of topic but I believe you might be able to give me an answer since you have already been fiddling around with this and probably know more about it then I do. So my question is since fvt’s USB link uses UART to communicate with the esc as stated online, could a standard USB to UART converter from eBay (such as https://rover.ebay.com/rover/0/0/0?mpre=https%3A%2F%2Fwww.ebay.com%2Fulk%2Fitm%2F232634397949) be used to program it instead of the 10$ link? And if so, since the port atleast on the fvt wolf series only has 3 wires, would TX or RX be hooked up to the white wire? How can a two way link ever occour?

kaspars · March 14, 2018, 8:10pm

I tried using a similar “generic” adapter and it didn’t work. I think it’s because the USB Link software uses software libraries specific to the SiLabs chip:

manuel.covas · March 20, 2018, 10:37am

I see, thank you for the info!

PredatorBoards · May 4, 2018, 3:14am

So what’s the progress on this project?

Is it possible to overhaul the firmware and do things like replacing the duty-cycle control mode in favor of @Ackmaniac’s watt/current mode? I’m pondering whether or not we can make the FVT or other car ESCs as programmable as say a VESC.

kaspars · May 4, 2018, 5:20am

I haven’t done any additional work on this after the initial research. It should be possible to just write a custom firmware or configure BLHeli to match the specific layout and pins of the FVT ESC.

PredatorBoards · May 5, 2018, 4:31am

Well the specific ESC I would like to reflash is the Mamba XLX. It’s programmability, as is, is already pretty sophisticated versus the other cars ESCs on the market. Would you be interested in pushing that boundary? If not, would you know who is?