Looking at the ArduPilot code it sure looks like the ST24 protocol is similar to the ST16. Specifically it looks like the ST16 packet matches what they have defined as a "ChannelData12" packet in the FW. The "ChannelData24" packet looks similar except with 24 RC channels vs 12. So it looks to me like the FW is written to decode either ST16 or ST24 data.
I'm copying the list of what I had figured out about the protocol from earlier in this thread, with some updates based on additional stuff I have figured out and/or assumptions based on the ST24 protocol (updates in Red).
1. The Yuneec ST10, ST16, the Wizard wand, the Typhoon H, Q500, and Blade Chroma all seem to use the same transmitter/receiver module = SR24
2. The SR24 is a CC2530 based Zigbee module.
3. The connection to the SR24 is: Pin 1 - Black wire, GND; Pin 2 - White wire, +3V; Pin 3 - Gray wire, serial data in; Pin 4 - Yellow wire, serial data out.
4. After attaching it to a Typhoon H to bind it, I captured the serial output data using a logic analyzer module.
5. From the logic analyzer data, the serial connection is 115.2Kbps 8N1, LSB first.
6. The data output is one 46 byte data frame followed by two 27 byte data frames.
7. Each data frame starts with the same two bytes: 0x55, 0x55
8. The next byte indicates the length of the rest of the bytes left in the packet (total size of the packet minus 2 header bytes and 1 length byte). Either 0x18 (24 bytes) or 0x2B (43 bytes).
8b. Byte 4 seems to indicate if it is a 46 or 27 byte frame: 46 bytes = 0x03, 27 bytes = 0x00.
9. Bytes 5 and 6 seem to be a counter of the number of packets or a clock, based on the fact that they always go up and that is how these bytes are described in the ST24 protocol.
9b. Byte 7 is probably an RSSI value based on the description in the ST24 protocol.
9c. Byte 8 in the ST24 protocol is described as "Number of UART packets sent since reception of last RF frame (this tells something about age / rate)". In all the data I collected this byte was always 0 but maybe that is because my receiver wasn't hooked to the H and I never "armed" it by trying to start the motors?
10. The last byte of each frame (byte 46 or 27) always varies and is probably a CRC8 of all the bytes in the packet except for the first 2 header bytes and the CRC byte itself, based on the ST24 protocol.
11. I believe all the channel info is encoded in bytes 9-26 with each channel represented by 12 bits. The channel data from analyzing the data captures after manipulating the controls, looking at the exported model file on ST16 and comparing that to the ST16 mixer and HW monitor is in this order:
T, A, E, R, Smart/Angle/Home switch, Smart/Angle/Home switch (duplicated for some reason? Or maybe it changes after the H is armed?), Camera Tilt slider, Pan knob, Tilt Mode switch, Pan Mode switch, Landing Gear switch, Aux button.
12. Bytes 30-27 of the 46 byte packets are the Latitude of the ST16 transmitter to 7 decimal places.
13. Bytes 34-31 of the 46 byte packets are the Longitude of the ST16 transmitter to 7 decimal places.
14. I captured the binding sequence and successfully put a receiver into binding mode by sending the data below repeated 5 times into the receiver over the serial line:
The binding data looks like this: 0x55,0x55,0x8,0x4,0x0,0x0,0x42,0x49,0x4E,0x44,0xB0
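
The frame layout listed in the post above, as an added example that is not part of the original post or of any firmware: a Python splitter that resynchronises on the 0x55 0x55 header, rejects frames with a bad length or checksum, and decodes the channel block. Assumptions: the CRC is a plain CRC-8 (polynomial 0x07, initial value 0, MSB first), under which the binding frame quoted in the post validates; the 12-bit channels are packed two per three bytes with the high bits first; all function and field names are hypothetical.

```python
HEADER = b"\x55\x55"
# Binding frame quoted in the post; used here only as a known-good CRC sample.
BIND_FRAME = bytes([0x55, 0x55, 0x08, 0x04, 0x00, 0x00, 0x42, 0x49, 0x4E, 0x44, 0xB0])

def crc8(data):
    """CRC-8, polynomial 0x07, initial value 0, MSB first (assumed parameters)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def unpack_channels(raw):
    """Unpack 12-bit values, two per three bytes, high bits first (assumed order)."""
    out = []
    for i in range(0, len(raw) - 2, 3):
        out.append((raw[i] << 4) | (raw[i + 1] >> 4))
        out.append(((raw[i + 1] & 0x0F) << 8) | raw[i + 2])
    return out

def parse_stream(buf):
    """Return one dict per CRC-valid frame, resynchronising past anything else."""
    frames, pos = [], 0
    while True:
        pos = buf.find(HEADER, pos)
        if pos == -1 or pos + 3 > len(buf):
            return frames
        length = buf[pos + 2]          # bytes remaining after the length byte
        end = pos + 3 + length
        body = buf[pos + 2:end]        # length byte through CRC byte
        if length < 2 or end > len(buf) or crc8(body[:-1]) != body[-1]:
            pos += 1                   # bad length, truncated or corrupt frame
            continue
        frame = {"type": body[1], "size": end - pos, "payload": body[2:-1]}
        if frame["size"] in (27, 46):  # channel frames listed in the post
            frame["rssi"] = buf[pos + 6]                                # byte 7
            frame["channels"] = unpack_channels(buf[pos + 8:pos + 26])  # bytes 9-26
        frames.append(frame)
        pos = end

if __name__ == "__main__":
    for f in parse_stream(b"\x00\x55" + BIND_FRAME):
        print(hex(f["type"]), f["size"], f["payload"])
```

The length check matters as much as the CRC: a zero-length frame would otherwise pass, because the CRC-8 of no data is 0.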