Passive telemetry-sniffing receiver based on ExpressLRS 3.5.0.
This project turns a standard ELRS receiver into a "Ghost RX": a second receiver that follows the original TX/RX RF link without intentionally transmitting telemetry back into that link. Its goal is to passively recover telemetry from the real airborne receiver and forward the decoded data to an external host over UART.
ExpressLRS Ghost RX is a modified derivative of ExpressLRS, currently focused on the following workflow:
- bind to the monitored link TX in order to obtain the UID
- rely on the original ELRS TX to follow FHSS hopping
- stay in receive mode during telemetry response timing, with no intentional RF transmission and no interference to the original link
- receive telemetry frames from the real receiver
- decode and forward telemetry over UART for further processing by a PC or MCU
The current implementation is intended for bench development, telemetry capture, protocol analysis, and sidecar integration with external systems.
- passive telemetry monitoring of an existing ELRS link
- no TX firmware changes required
- no aircraft RX firmware changes required
- compatible with original ELRS packet rates, telemetry ratios, and switch modes
- keeps WiFi support available
- UART output of sniffed CRSF telemetry frames
- UART backdoor commands for BOOT, BIND, and WiFi
- disabled automatic "enter WiFi after long disconnect" behavior
The Ghost RX remains associated with the original ELRS transmitter so it can track the active RF mode, timing, and FHSS position. Instead of behaving like a normal receiver during telemetry response timing, it stays in receive mode and listens for telemetry coming from the real receiver on the aircraft.
Recovered telemetry is reassembled into CRSF frames and forwarded through UART. This allows a PC or MCU to consume data such as:
- battery voltage and current
- GPS position and altitude
- barometric altitude and vertical speed
- flight mode text
- link statistics
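A host-side sketch of consuming that UART stream, added here as an example and not taken from this project's code: it reassembles CRSF frames from arbitrary read chunks, rejects corrupted ones by CRC, and decodes two telemetry types. It assumes standard CRSF framing (address, length, type, payload, CRC-8 with polynomial 0xD5), the leading address bytes in `SYNC`, and the public CRSF payload layouts for battery (0x08) and flight mode (0x21); all function names are hypothetical and the sample stream is constructed.

```python
import struct

SYNC = {0xC8, 0xEA, 0xEC}  # assumed leading CRSF address bytes on the Ghost RX UART

def crc8_dvb_s2(data: bytes) -> int:  # CRC-8, poly 0xD5, over type + payload
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0xD5) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def build_frame(ftype: int, payload: bytes, addr: int = 0xC8) -> bytes:  # sample input only
    body = bytes([ftype]) + payload
    return bytes([addr, len(body) + 1]) + body + bytes([crc8_dvb_s2(body)])

def extract_frames(buf: bytearray) -> list:  # pops CRC-valid frames, resyncs on garbage
    frames = []
    while len(buf) >= 4:
        length = buf[1]  # counts type + payload + CRC; a whole frame is <= 64 bytes
        ok = buf[0] in SYNC and 2 <= length <= 62
        if ok and len(buf) < length + 2:
            break  # partial frame: wait for more UART bytes
        if ok and crc8_dvb_s2(bytes(buf[2:length + 1])) == buf[length + 1]:
            frames.append((buf[2], bytes(buf[3:length + 1])))
            del buf[:length + 2]
        else:
            del buf[0]  # noise, false sync or bad CRC: drop one byte and rescan
    return frames

def decode(ftype: int, payload: bytes) -> dict:
    if ftype == 0x08 and len(payload) == 8:  # battery: 0.1 V, 0.1 A, mAh, percent
        volts, amps = struct.unpack(">HH", payload[:4])
        return {"type": "battery", "voltage_v": volts / 10, "current_a": amps / 10,
                "used_mah": int.from_bytes(payload[4:7], "big"), "remaining_pct": payload[7]}
    if ftype == 0x21:  # flight mode: NUL-terminated text
        return {"type": "flight_mode", "mode": payload.split(b"\0")[0].decode("ascii", "replace")}
    return {"type": hex(ftype), "raw": payload.hex()}

def demo() -> list:
    good = build_frame(0x08, struct.pack(">HH", 168, 52) + (1200).to_bytes(3, "big") + bytes([73]))
    bad = bytearray(build_frame(0x21, b"ACRO\0"))
    bad[3] ^= 0xFF  # constructed corruption: payload no longer matches its CRC
    stream = b"\x55" + good + bytes(bad) + build_frame(0x21, b"ANGL\0")
    buf, out = bytearray(), []
    for chunk in (stream[:7], stream[7:]):  # one frame split across two UART reads
        buf += chunk
        out += [decode(t, p) for t, p in extract_frames(buf)]
    return out
```

Treat every decoded value as untrusted input on the host: the frames come from an RF link, and the CRC only detects corruption, it does not authenticate the sender.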
This repository represents a working development stage that has already been bench-tested.
Implemented:
- passive telemetry slot handling
- telemetry reassembly and UART forwarding
- custom link statistics output
- UART binary/text backdoor commands
- WiFi retention with manual UART entry
Not implemented yet:
- polished multi-target support
- broad compatibility validation across many ELRS hardware combinations
- full documentation for all edge cases and timing constraints
Currently tested on:
- ExpressLRS 3.5.0
- BETAFPV Nano 2.4GHz RX
- Unified_ESP8285_2400_RX_via_UART
- board config betafpv.rx_2400.nano
Other targets may work, but they are not yet validated by this project.
This stage uses a dedicated PlatformIO config:
src/platformio_betafpv.ini
Build command:
cd "src"
pio run -e Unified_ESP8285_2400_RX_via_UART -c platformio_betafpv.ini
Firmware output:
src/.pio/build/Unified_ESP8285_2400_RX_via_UART/firmware.bin
Binary commands currently supported:
| Command | Bytes | Function |
|---|---|---|
| BOOT | EC AC 32 56 | reboot into bootloader |
| BIND | EC AC 32 62 | enter bind mode |
| WiFi | EC AC 32 77 | enter WiFi update mode |
Text commands were also used during development, but binary commands are preferred for repeatable bench testing.
Automatic WiFi entry after prolonged TX disconnection has been intentionally disabled in this project.
This behavior is short-circuited in src/lib/WIFI/devWIFI.cpp inside the TARGET_RX auto-WiFi branch by an early return DURATION_NEVER;.
To restore the original ExpressLRS behavior, open src/lib/WIFI/devWIFI.cpp, locate the TARGET_RX auto-WiFi block, and remove or comment out that early return DURATION_NEVER; so the preserved upstream logic below it can execute normally.
This project is not:
- a normal ELRS receiver replacement for flight control output
- a generic CRSF UART decoder attached behind an existing RX
- a modification to the original TX firmware
- a requirement to modify the airborne receiver firmware
- an officially supported ExpressLRS feature
Current limitations:
- experimental project, not production-ready
- currently validated on a narrow hardware and firmware combination
- not yet packaged for Configurator integration
- documentation is still incomplete
This repository is a modified derivative of ExpressLRS 3.5.0.
- upstream project: ExpressLRS/ExpressLRS
- upstream license: GPL-3.0
- this repository retains and follows the upstream license requirements
This is an unofficial project and is not affiliated with, endorsed by, or sponsored by ExpressLRS LLC.
ExpressLRS is a trademark of ExpressLRS LLC and is referenced here only for descriptive compatibility and attribution purposes.
Thanks to the ExpressLRS project and contributors for the original codebase, protocol implementation, hardware support, and tooling that made this derivative work possible.