This is my first post so... hello 
I know this is pretty old topic but... I have generic solution. Maybe it'll help someone (even if an author totally gave up on this ;))
So... I have transmitter (from MALi Racing RC car) with similar PCB. As you probably know you need at least 4 things to get any packet from this device:
- RX address
- air data rate (1M, 2M or 250K)
- channel (0-127)
- CRC bytes count
Getting RX address is the hardest part because there are 240 addresses (more than IPv4). You have the following options to find this address:
- brutal force search (takes too long)
- listening for packets in promisc mode - there is no such mode in nrf24l01 compatible chips but we can fake this (Promiscuity is the nRF24L01+'s Duty)
- read address (and other parameters) from RF initialized by original PCB
I tried all of this but finally found right address using the last one This one is simple but you probably should unsolder RF. And before you start you need to write some code (for Arduino) to read and display on PC screen the RF registers. Then connect RF to external power supply and SPI lines to transmitters PCB, power up and (after a few secods) power down the transmitter. Now connect SPI lines to Arduino and just read registers
I've done this using RPi and BK2423 RF chip so can't give code for Arduino but it's rather simple to write yourself if you look at RF chip datasheet In my case the transmitter uses address 0x66 0x88 0x68 0x68 0x68 (LSByte first), 1Mbit, channels around 20-50 and 2B CRC. Maybe yours uses the same but if not... you know how to get this Last thing you'll have to do is packet structure analysis but in my opinion it is the easiest part