Reverse engineering the BLE protocol of the Zhiyun Crane 2s
This gimbal has two main characteristics which I found through the nRF Connect app.
Write No Response: d44bc439-abfd-45a2-b575-925416129600
Notify: d44bc439-abfd-45a2-b575-925416129601
All messages sent to the gimbal are sent to the write-no-response characteristic.
Offset | Size | Field | Description |
---|---|---|---|
0 | 1 | Magic Byte 1 | 0x24 |
1 | 1 | Magic Byte 2 | 0x3C |
2–3 | 2 | Length (LE) | Always 0x0008 for motion packets |
4–5 | 2 | Format ID | Always 0x1812 (little-endian) for app→gimbal |
6 | 1 | Sequence ID | Increments by 1 for each command |
7 | 1 | Direction | Always 0x01 (app → gimbal) |
8 | 1 | Command ID | Command ID |
9–11 | 2 | Payload | Data (see payload layout below) |
12–13 | 2 | CRC-16/XMODEM | CRC over bytes 4 to 11, little-endian |
Example command (Pan right):
24 3C 08 00 18 12 01 01 02 10 00 08 A4 F1
Header: 24 3C 08 00 | Fmt: 18 12 | Seq: 01 | Dir: 01 | Cmd: 02 | Data: 10 00 08 | CRC: A4 F1
The format ID seems to be 0x1812 for data sent to the gimbal and 0x1815 for heartbeat messages sent from the gimbal.
Pan, Tilt and Roll have the command ids 0x01, 0x02 and 0x03 respectively.
Offset | Field | Description |
---|---|---|
0–1 | Value (LE) | 0–4095; 2048 = stop, <2048 = one direction, >2048 = opposite direction |
2 | Motor Speed | 1–255; higher = faster |
Payload from the example above: 10 00 08
Value: 10 00 | Speed: 08
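As an added example (not code from this write-up), a Python framer and validating parser for the motion packet described above. It assumes the format-ID bytes go on the wire as 18 12 (as in the example packet), a 3-byte payload matching the value/speed layout, and the CRC range and byte order given in the table; the parser rejects bad magic, a length that disagrees with the packet, a CRC mismatch and out-of-range fields, which is the check a receiver should do before acting on a command.

```python
import struct

# Constants from the write-up; FMT_BYTES is the format ID exactly as it appears
# on the wire in the example packet (18 12). Assumed, not taken from any SDK.
MAGIC = b"\x24\x3C"
FMT_BYTES = b"\x18\x12"
DIR_APP_TO_GIMBAL = 0x01
CMD_ID = {"pan": 0x01, "tilt": 0x02, "roll": 0x03}
MOTION_BODY_LEN = 8  # bytes 4..11: fmt(2) seq(1) dir(1) cmd(1) payload(3)


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: poly 0x1021, init 0x0000, no reflection, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_motion(seq: int, axis: str, value: int, speed: int) -> bytes:
    """Frame one motion command; refuse out-of-range values before they hit the wire."""
    if not 0 <= value <= 4095:
        raise ValueError("value must be 0-4095 (2048 = stop)")
    if not 1 <= speed <= 255:
        raise ValueError("speed must be 1-255")
    body = FMT_BYTES + bytes([seq & 0xFF, DIR_APP_TO_GIMBAL, CMD_ID[axis]])
    body += struct.pack("<HB", value, speed)       # payload: value LE, then speed
    crc = struct.pack("<H", crc16_xmodem(body))   # CRC over bytes 4..11, stored LE
    return MAGIC + struct.pack("<H", len(body)) + body + crc


def parse_motion(pkt: bytes) -> dict:
    """Check magic, length, CRC and field ranges; raise ValueError if malformed."""
    if len(pkt) < 6 or pkt[:2] != MAGIC:
        raise ValueError("bad magic")
    length = struct.unpack_from("<H", pkt, 2)[0]
    if len(pkt) != 4 + length + 2:
        raise ValueError("length field disagrees with packet size")
    body = pkt[4:4 + length]
    if crc16_xmodem(body) != struct.unpack_from("<H", pkt, 4 + length)[0]:
        raise ValueError("CRC mismatch")
    if length != MOTION_BODY_LEN or body[:2] != FMT_BYTES:
        raise ValueError("not an app->gimbal motion packet")
    value, speed = struct.unpack("<HB", body[5:8])
    axis = {v: k for k, v in CMD_ID.items()}.get(body[4])
    if axis is None or speed == 0 or value > 4095:
        raise ValueError("field out of range")
    motion = "stop" if value == 2048 else ("one direction" if value < 2048 else "opposite direction")
    return {"seq": body[2], "axis": axis, "value": value, "speed": speed, "motion": motion}
```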
This project was inspired by Peter Maguire and his work on the Weebill-S gimbal. His work was the base for this project and taught me where to begin.