View Full Version : Hacking the 14MZ MDL files :)
Finless
05-10-2006, 03:32 PM
OK, I hated the fact that on the 14MZ I could not change the order in which models are listed in the model menu. This annoyance spawned me to start looking at MDL files and figuring out their format.
I have made some progress and have completed my first project, which explains how to edit the file and change the internally saved time and date stamp so you can put your models in any order you want.
Here is the new web site I created to start sharing info about hacking MDL files. My goal is to continue understanding the MDL file, share that info, and make a program to allow PCs to edit the MDL files!!!
Note: I could really use a Windows programmer to help with this project!
Let me know what you think!
Here is the new web site
http://www.wavelandps.com/14mz/
Bob
WillJames
05-10-2006, 05:35 PM
Very interesting. Thank you for sharing!! :glasses2:
Great project finless. In fact I have just started on a similar project as you. To decode the mdl-files. And my progress is a little behind yours, so your site was helpful.
One day it may be possible that Futaba releases software that allows PC editing of the mdl-files (and they probably have such software in use in their lab already), but until then it would be nice if we could get out an unofficial but (hopefully) fully functional mdl-editor. So you can edit your models at your computer.
Add automatic backup-functions of your memory-card, automatic image-resizing and file-transfer to the memory-card and it should become a very useful application!
Even though window-programming is not my strongest field (hardware related programming is), I may be able to help. But as I have limited spare-time I don't know how much I can get into this.
Regards
OAK
RCfan
05-12-2006, 09:54 PM
Hey finless, count me in ... here's some info I gathered some time ago (it's been a while, so can't remember how much is 100% accurate). If you can gather enough hands, suggest each person be assigned chunks of the mdl to decode, otherwise too much to handle. I'm 100% heli, so can help with those-type files.
## 5/28/2006 - 1
#offset
0x00000/0f- T14MZ___ (8? unicode text; padded with unicode spaces)
T12Z____
0x00010/11- pad? (always 0)
0x00012- always 1 (maybe file version)
0x00013- always 0 (ditto- as a short)
0x00014/15 editor build (short)
0x00016- editor version
0x00017- always 0 (maybe part of editor ver)
0x00018- always 1 (maybe part of editor ver)
0x00019- encoder version
0x0001a/1d- pad? (always 0)
0x0001e-5d Model name (32 unicode text; padded with unicode nulls)
0x0005e/5f- pad? (always 0)
0x00060- model type (0=plane, 1=heli)
0x00061- model sub-types (bitfield: 0x00=airplane, 0x80=glider, 0x40=motor glider, 0x00=h-1, 0x03=he3)
0x00062- modulation (0=G3, 1=PCM, 2=PPM)
0x00063- region code? (0=America, 1=?, 2=Europe/UK)
0x00064- frequency code? (2=35MHz, 7=72MHz)
0x00065- Channel index (for 72Mhz, 1=ch11, 2=ch12, ... 0x17=ch33, etc.)
0x00066-a5 Model picture name (33 unicode text; padded with unicode nulls)
0x000a8- year (short)
0x000aa- month (short) - always 1 on 12Z?
0x000ac- weekday (short; 0=sunday) - always 0 on 12z?
0x000ae- day (short) - always 1 on 12Z?
0x000b0- hour (short) - always 0 on 12Z?
0x000b2- minutes (short) - always 0 on 12Z?
0x000b4- seconds (short) - always 0 on 12Z?
0x000b6/7- pad? (always 0)
0x000b8/9- chksum (short?; checksum from offset 0-0xb7 ... it might be 32 bits)
0x000ba/b- pad? (always 0, probably high-order word for checksum above)
0x00b52/18d1- Start of sound-file array (48 items x 72 bytes)
0x00b52- wav filename (32 unicode text; padded with unicode spaces)
0x00b92/93- pad? (always 0, maybe null-terminate filename?)
0x00b94- 0x40=Alt
0x00b95- button (1=J1, 2=J2, 3=J3, ..., 0xff=NULL, +0x80=Symmetrical)
0x00b96/97- Posi. information
0x00b98- 1=merge sounds
0x02019- same as 0x00061?
0x0201a- 0x90 in PPM; 0x50 in PCM, 0x10 in G3
0x0201c- same as 0x00064?
0x0201d- same as 0x00065?
0x02152- G3 Rx id #1 (long-be) - max=67108863 (0x3ffffff)
0x02156- G3 Rx id #2 (long-be) - 0xffffffff if unused
0x021c7- Trainer (byte; bit-field, b7=INH:0/ON:1; b6=switch-ALT; b2=PPM:0/PCM:1; b1=8ch:0/12ch:1; b0=student:0/teacher=1)
0x021c8- Trainer switch (1 bytes)
0x021c9/ca- Trainer switch Posi (2 bytes)
0x021cb/cd- Trainer channel mode (3 bytes; 24-bit 2bits/ch; lowest-two is ch 1; 00=Off/01=Func/10=Norm/11=Mix)
0x021ce/d9- Trainer channel switches (12 bytes)
0x021da/e5- Trainer switch rates (12 bytes, +0/+100; -100:156/-1:255)
# general condition structure offsets ... not final
0x0221c/- Normal (condition structure; size=0x2fbe)
0x051da/- Idle up-1 (IDLEUP1_)
0x08198/- Idle up-2 (IDLEUP2_)
0x0B156/- Idle up-3 (IDLEUP3_)
0x0E114/- Hold (HOLD_)
0x110D2/- Condition 6 (CONDIT6_)
0x14090/- Condition 7 (CONDIT7_)
0x1704E/- Condition 8 (CONDIT8_)
0x1fffc/f- chksum (long; 32-bit checksum from offset 0-0x1fffb)
=================================================================
14mz switch mappings
00 J1
01 J2
02 J4
03 J3
04 SW-C
05 SW-D
06 SW-G
07 SW-H
08 RD
09 RS
0a RST
0b
0c SW-A
0d SW-B
0e SW-E
0f SW-F
10 LD
11 LST
12 LS
13 CD-SW
14 T1
15 T2
16 T4
17 T3
18 T5
19 T6
1a CD
ff NULL
=================================================================
14MZ
J1 T1 SW-A SW-E LST
J2 T2 SW-B SW-F LS
J3 T3 SW-C SW-G LD
J4 T4 SW-D SW-H RD
CD T5 RS
CD-SW T6 RST
FX-40
J1 T1 T7 SW-E L1
J2 T2 T8 SW-F L2
J3 T3 SW-A SW-G L3
J4 T4 SW-B SW-H LD
CD T5 SW-C SS1 RD
CD-SW T6 SW-D SS2
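A read-only decoder for the header fields in the offset table above, as an added example that is not code from any poster in this thread. The table does not give the byte order of the shorts or of the text, so little-endian UTF-16 is an assumption (switchable by parameter); the sample header and its model name are constructed, and the checksum is only read back because the thread does not state its algorithm.

```python
import struct

# Offsets come from the table in the post above. Byte order is NOT stated there
# for the shorts or the text: little-endian / UTF-16LE is an assumption.
MODEL_TYPES = {0: "plane", 1: "heli"}
MODULATIONS = {0: "G3", 1: "PCM", 2: "PPM"}
HEADER_END = 0xBC  # last header field listed in the post ends at 0xbb


def _text(buf, start, nchars, enc):
    """Decode a fixed-width UTF-16 field, dropping null/space padding."""
    raw = bytes(buf[start:start + 2 * nchars])
    return raw.decode(enc, errors="replace").rstrip("\x00 ")


def parse_mdl_header(buf, little_endian=True):
    """Read-only decode of the header fields; raises ValueError on bad input."""
    if len(buf) < HEADER_END:
        raise ValueError("truncated header: %d bytes" % len(buf))
    bo, enc = ("<", "utf-16-le") if little_endian else (">", "utf-16-be")
    ident = _text(buf, 0x00, 8, enc)
    if ident not in ("T14MZ", "T12Z"):
        raise ValueError("unexpected identifier %r" % ident)
    year, month, wday, day, hour, minute, sec = struct.unpack_from(bo + "7H", buf, 0xA8)
    return {
        "radio": ident,
        "model_name": _text(buf, 0x1E, 32, enc),   # 0x1e-0x5d
        "model_type": MODEL_TYPES.get(buf[0x60], "unknown(0x%02x)" % buf[0x60]),
        "modulation": MODULATIONS.get(buf[0x62], "unknown(0x%02x)" % buf[0x62]),
        "picture": _text(buf, 0x66, 32, enc),      # 0x66-0xa5
        "timestamp": (year, month, day, hour, minute, sec),
        "weekday": wday,                           # 0 = Sunday
        "stored_checksum": struct.unpack_from(bo + "H", buf, 0xB8)[0],
    }


def constructed_sample():
    """Constructed test header (not a real radio file), little-endian."""
    buf = bytearray(HEADER_END)
    buf[0x00:0x10] = "T14MZ   ".encode("utf-16-le")
    name = "Raptor 50".encode("utf-16-le")
    buf[0x1E:0x1E + len(name)] = name
    buf[0x60], buf[0x62] = 1, 1                    # heli, PCM
    struct.pack_into("<7H", buf, 0xA8, 2006, 5, 0, 28, 12, 56, 0)
    struct.pack_into("<H", buf, 0xB8, 0x1234)      # arbitrary stored value
    return bytes(buf)


if __name__ == "__main__":
    print(parse_mdl_header(constructed_sample()))
```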
Finless
05-12-2006, 11:32 PM
Here are my notes so far. I see you have some stuff I was wondering about and I also have some additional info!
BTW so we don't flood this forum I started a post about this in my forum.
Notes:
The last word of the file appears to change from 5400 to 5900
depending on if it was copied from memory or used from the CF card.
Offset starting at 186 through 284 appear to change for no reason?
Like it's some kind of additional mod time stamp?
Offset 96 2nd byte appears to be a model type number
0000 basic airplane
0001 airplane with 2 aileron servos
0002 airplane with 2 aileron servos and 1 flap
Frequency:
Heli and plank the same
offset 8220
07XX where XX is frequency number - 10
e.g. decimal 50 is channel 60 (50-10).
PPM, PCM, 2048:
Heli and plank the same
offset 8218
PCM = 4000
PPM = 8000
PPM 12 channel (N1.3) = 8500
PPM 12 channel (N1.5) = 8100
PPM Reversed = 8200
PPM 12 channel (N1.3) reversed = 8700
PPM 12 channel (N1.5) reversed = 8300
2048 = 0700
Trims:
They start at offset 130958
There are 8 blocks of 7 words and they appear to be repeated
Assumption this far is it is some kind of memory to have 8 repeated blocks
First byte of first word is elevator trim
2nd byte of first word is Aileron
so far values don't make sense
Servo Reversing (set in 8 channel PCM mode)
Now this is with channel order
Elevator, rudder, throttle, aileron, gear, Air Brake, aux6, aux5
I am hoping these don't change position if function is changed? Update: it did stay the same when I remapped function. So this value changes based on channel number not what is assigned!
Offset 8376 first byte
00 = nothing reversed. Value changes based on what is reversed
Channel 1 rev = 01
channel 2 rev = 02
channel 3 rev = 04 (note offset 8464 also changed from 063B to 01C5?? when this was throttle)
Channel 4 rev = 08
Channel 5 rev = 10
Channel 6 rev = 20
Channel 7 rev = 40
Channel 8 rev = 80
Offset 8376 2nd byte
channel 9 rev = 01
channel 10 rev = 02
channel 11 rev = 04
channel 12 rev = 08
channel 13 DG1 rev = 10
channel 14 DG2 rev = 20
ATV's
they start at offset 8378 and are 12 channels (words) long
Each word first byte left EP 2nd byte right EP of each channel
just convert the decimal value to hex! e.g. 100% = 64 hex
ATV Limits (max ATV)
They start at offset 8402 (just after ATV) and are 12 words long.
They are just like the ATVs
Subtrims
start at offset 8538 and is 12 words long
0000 = no subtrim
0001 = +1
00F0 = full +240
FFFF = -1
FF10 = full -240
Note: the delta ffff-ff10 = 239 (0-239 or 240 steps)
Bob
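The servo reversing, ATV and subtrim fields from the notes above, decoded in one pass; this is an added example, not code from any poster in this thread. It assumes the hex words in the notes are written in file byte order (so 16-bit values are read big-endian) and that the offsets are decimal; the sample buffer is constructed.

```python
import struct

# Decimal offsets from the notes above. Assumption: the hex words in the notes
# are shown in file byte order, so 16-bit values are read big-endian.
REV_OFF, ATV_OFF, ATV_LIMIT_OFF, SUBTRIM_OFF = 8376, 8378, 8402, 8538
CHANNELS = 12
NAMES = [str(n) for n in range(1, 13)] + ["13 DG1", "14 DG2"]


def reversed_channels(buf):
    """First byte holds channels 1-8 (bit 0 = ch 1), second byte 9-14."""
    bits = buf[REV_OFF] | (buf[REV_OFF + 1] << 8)
    return [NAMES[i] for i in range(len(NAMES)) if bits & (1 << i)]


def end_points(buf, offset=ATV_OFF):
    """Per channel (left %, right %), one byte each; 0x64 = 100%."""
    raw = buf[offset:offset + 2 * CHANNELS]
    if len(raw) != 2 * CHANNELS:
        raise ValueError("file too short for end-point table at %d" % offset)
    return [(raw[i], raw[i + 1]) for i in range(0, len(raw), 2)]


def subtrims(buf):
    """Signed 16-bit steps; the notes give the range as -240..+240."""
    if len(buf) < SUBTRIM_OFF + 2 * CHANNELS:
        raise ValueError("file too short for subtrim table")
    vals = struct.unpack_from(">%dh" % CHANNELS, buf, SUBTRIM_OFF)
    bad = [v for v in vals if not -240 <= v <= 240]
    if bad:
        raise ValueError("subtrim outside -240..+240: %r" % bad)
    return list(vals)


def constructed_settings():
    """Constructed buffer (not a real radio file) with a few fields set."""
    buf = bytearray(SUBTRIM_OFF + 2 * CHANNELS)
    buf[REV_OFF:REV_OFF + 2] = bytes([0x05, 0x10])        # ch 1, 3 and 13 DG1
    buf[ATV_OFF:ATV_OFF + 24] = bytes([0x64, 0x64] * CHANNELS)
    buf[SUBTRIM_OFF:SUBTRIM_OFF + 8] = bytes.fromhex("000100F0FFFFFF10")
    return bytes(buf)


if __name__ == "__main__":
    data = constructed_settings()
    print(reversed_channels(data), end_points(data)[0], subtrims(data)[:4])
```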
RCfan
05-15-2006, 10:46 AM
If you don't mind, let's keep it here. Your section of these forums is already crowded :noteworthy with T-Rex posts. Anyway, this is the right section for 14MZ/12Z discussions. I'll keep updating my previous post and include a timestamp for when it changes.
theo2076
05-15-2006, 11:12 AM
I was working on this a little this weekend. I am now able to import the hex files into Java and edit them. Need to start on a simple UI to edit the settings that have already been identified.
theo2076
05-15-2006, 11:13 AM
I am using Java by the way.
RCfan
05-28-2006, 12:56 PM
Updated my info and made thread sticky
Finless
06-18-2006, 01:10 PM
A little progress guys.... A person sent me a program to allow you to drag and drop MDL files which changes the date and orders them for the menus. Works great. I have shared with him the other stuff we have figured out so far and he is going to work on it. I found one bug in his current program and installer package which he will fix and we will release the program for use.
It's just a start.........
One thing we are concerned about is if the program somehow screws up a MDL file and causes a person to crash or even if not the person blames the program for the cause of a crash even though it may not have been a cause.
Also what will Futaba think of this? Might they consider using this a violation of warranty in some way?
So how do we:
1) protect ourselves?
2) confirm Futaba won't have a problem with warranty? I may go ask that question on the 14MZ site.......
Bob
flyinfool
06-18-2006, 09:22 PM
Maybe both a long and short disclaimer that must each be accepted during the install and any update installs.
As far as warranty, is it even possible for a corrupt .mdl file to damage the radio?
Is there any way for Futaba service center to tell if a file was edited outside of the TX?
RCfan
06-18-2006, 10:12 PM
Hey Bob, cool news. What's there to protect, seriously. "Use software at own risk; may cause radio failure; warranty may be voided; proceed?". ;)
Anything is possible when it comes to software (remember Murphy!); doubt anything bogus in a model file can cause a permanent failure. Don't think there's much Futaba can do about this either; even if they did, they'd have a hard time proving the radio didn't do it (or that the user did it). Heck, I'd blame it on a bad CF card!!! :banana
--Felix
Finless
06-18-2006, 11:59 PM
Yep I agree but I am going to put a disclaimer on the "click wrap EULA"
Bob
WillJames
06-19-2006, 04:17 AM
Cool info, will be nice to have an editor for the models on my PC. :)
RCfan
06-22-2006, 10:10 PM
Sorry, but I've been really "busy" and haven't been able to update anything more on the .mdl file structure ... oh, this is why ;) :::
image 1 (http://www.rcfan.com/files/14MZ/hacking/DSCF0050.JPG)
image 2 (http://www.rcfan.com/files/14MZ/hacking/DSCF0051.JPG)
image 3 (http://www.rcfan.com/files/14MZ/hacking/DSCF0052.JPG)
... and in case the infidel think the above are Photoshop'd ::
Hello World! Movie (AVI, 2MB -- if you can't view it, get FFDSHOW codec) (http://www.rcfan.com/files/14MZ/hacking/14MZ_HelloWorld.avi)
--Felix
Finless
06-23-2006, 01:44 AM
Cool so you made a Windows CE program that gets loaded like the UPDATER program?
Or were you actually able to blow out the Futaba Application and drop into Windows CE? I can't believe Futaba would leave the majority of the Windows CE OS there? Is the Futaba program just an application running on CE or is CE OS hacked up?
More info Dude you got my interest going!
bob
RCfan
06-23-2006, 10:54 AM
Yep, the 1st gen (shown in the pics) was a program that replaced T12mzUpdate.exe. The 2nd gen gave further access. Yes, the Futaba program is just another app run by a loader (another WinCE app) run at boot. Only problem is most screens are in Japanese with no English localization, so having a hard time understanding most of it. And it doesn't help that my Windows hacking is almost 7 years rusty (definitely never hacked at WinCE until now). :-(
Finless
06-23-2006, 04:25 PM
Yea I could tell the Windows based error messages were in Japanese (kanji).
In the latest code I found a bug that crashes the system.
Go to the menu where you can assign sounds to switches and using the menu (not the switches) test a few sounds. Now go use the sound recorder.... BAM when you try to record a sound it crashes.
Bob
dkpodder
11-24-2007, 11:27 AM
Any news on a pc-based editor ?
Ace Dude
11-30-2007, 12:15 AM
Wow, looks like this thread has been dead for almost a year and a half. I'm curious to know also if any progress has been made.
bobog
12-17-2007, 03:06 PM
Trying to keep the thread alive, I too would like to know if there has been any further progress on a PC based editor for my Futaba 12Z
Hi,
I would be interested too, just for the fun of it.
Based on what RCFan had already figured out I'd like to add the following info for the FASST system on the 14MZ.
0x00062- modulation (0=G3, 1=PCM, 2=PPM, 3=FASST?)
0x00063- region code? (0=America, 1=?, 2=Europe/UK)
0x00064- frequency code? (2=35MHz, 7=72MHz, 0x0B=2.4GHz?)
0x00065- Channel index (for 72Mhz, 1=ch11, 2=ch12, ... 0x17=ch33, etc., 0x25=FASST 14Ch ?)
Cheers
Kay
mohanjude
02-06-2008, 02:34 AM
KCT - can you elaborate a bit more. Do you think the TM-14 module has the same 93C46 eeprom? I checked the code and it was all 0's - so I came to the conclusion that the eeprom may be different. I have changed the code on the 35mhz module several times to experiment and it works well. I can now use the 35MHZ module (europe) in a Radio set for America. Now if we can find a way of changing the code on the TM-14 that would be great as I would be able to have the module match the region of the radio. Any further help would be appreciated. Mohan
Skymax
02-07-2008, 05:52 AM
Hello, I have received my module from my local warranty center, and he says that it was impossible to modify like the other module because there is a microcontroller behind the eeprom that blocks the reading and writing.
The only solution is to unsolder the eeprom.
These are pictures of the module.
http://img205.imageshack.us/img205/1729/dsc00625nv6.th.jpg (http://img205.imageshack.us/my.php?image=dsc00625nv6.jpg)
http://img407.imageshack.us/img407/1593/dsc00626my1.th.jpg (http://img407.imageshack.us/my.php?image=dsc00626my1.jpg)
Skymax
02-07-2008, 06:08 AM
After looking at the module, I think the way to access it is by the white flat connector, which is (I think) the connector for Futaba; it's direct on the eeprom.
Just make a cable for it.