19
edits
Changes
Add details on changing frequency, Add link to firmware dumps
[[File:LMS6 bottom.jpg|left|thumb|Photo of the lower panel of the 403 MHz version of the LMS-6 Radiosode. Of particular note are the DIP Switch configurations for setting the transmit frequency.]]
[[File:RH Circuit.jpg|none|thumb|Relative Humidity Circuit section]]
[[File:Sonde_label.png|none|thumb|LMS6 Label possibly showing calibration factors.]]
==Audio Samples==
The following samples were taken from both frequency versions at a close distance using a HackRF SDR.
{| class="wikitable"
|+
!Frequency
!Audio file
|-
|400 MHz
|[[File:400MHz LMS-6 Sample.mp3|thumb]]
|-
|1680 MHz
|[[File:1680MHz LMS-6 Sample.mp3|thumb]]
|}
==Disassembly==
This is a minimally-destructive disassembly method that will allow the payload to be held back together if you wish to reuse the payload for another weather balloon flight.
Original firmware is not locked and can be dumped with Rlink-STD Debugger with RFlasher7.
Several dumps are publicly available on https://github.com/MrARM/lms6/tree/master/dumps Vector table and other interesting addresses: *0x9CDB - The start of frequency registers, each dip switch has registers starting from this address.*0xE003 - Serial number, at least 3 bytes. Ex: 0x7C6A34 is located at 8153652 big-endian.*0xE100 to 0xE136 - something that changes between units. Maybe calibration factors? Checksums?*0xFF00 - software string. Ex: "May 17, 2017 - V1.45"*0xFFE4- AVD vector*0xFFE6 - SCI / UART vector*0xFFE8 - Timer B vector*0xFFEA - Timer A vector*0xFFEC - SPI vector*0xFFEE - vector unused on this chip*0xFFF0 - EI3 vector*0xFFF2 - EI2 vector*0xFFF4 - EI1 vector*0xFFF6 - EI0 vector*0xFFF8 - MCC/RTC vector*0xFFFA - vector unused on this chip*0xFFFC - Trap vector*0xFFFE - Reset vector
IDA Pro uses CPU type ST7->ST72324J6 during loading, and can load the Intel Hex file produced by the programmer directly for analysis.
!Original Setting
|-
|Watchdog Reset on Halt(Reset On Entering Halt)
|Reset generation when entering HALT mode
|-
|Software (watchdog to be enabled by software)
|-
|Low Voltage Detection Selection(LVD Config)
|Highest Voltage Threshold
|-
[[File:TX circuit modified.jpg|alt=Picture of circuit board|thumb|Picture of TX circuit, highlighting components to remove to disable amplifier and a replacement jumper.]]
When testing, it's important not to transmit on unlicensed frequencies. Emissions can be eliminated by replacing the RF amplifier with a jumper between pins 1 and 3, and terminating the load at the antenna connection. The amplifier is an SOT-89 device just above the "-" terminal of B3. To access the RF chain, the shield housing may need to be temporarily removed. Also remove the bias feed resistor just below the "L104" marking. Then, remove the transmitter antenna from the "ANT1" connections. Use a 50 ohm resistor across the two terminals to provide a terminating load and eliminate any further transmission. Near-field reception is still possible after making these changes.
<br />
=== Change Frequency<ref>https://github.com/MrARM/lms6#change-the-tx-frequency</ref> ===
It is possible to change the TX frequency by modifying what is sent to the cc1050(radio) registers. Here is an example on how to get 422.5 MHz
# Download this frequency calculator: https://github.com/rsaxvc/LMS6APRS/blob/master/docs/cc1050%20frequency%20calculator.ods
# The easiest way to get started is to edit NWS1111's frequency(row 17), delete column D and J.
# Change column J to your desired frequency(for this example, 422.500000). Try to keep your frequency close to the original if you want to only have to change the frequency register.
# A number in column I will appear, copy this number to column D and round it up.
# Start gradually adjusting column D until the frequency error (col. K) is around ±5
# Convert your number in column D to hexadecimal
# Acquire a dump of your LMS-6 firmware using a programmer
# Go to 0x9D8F in the dump in a hex editor and insert the first two bytes of your hexadecimal number. Insert the next two after the 05 byte and the final two after the 07 byte.
# Save this hex file and flash it to the LMS-6
# Set all dip switches to 1 1 1 1 and turn on your LMS-6, you should be able to see it transmitting in your desired frequency. If you see abnormalities with the waveform, make sure your Freq Err is good, and check your FSEP and REFDIV values.
==Instruction Timing Tables==
|1,2
|}
[https://github.com/Reid-n0rc/LMS-6_Interface_Board/blob/main/LMS-6_Interface_Board_Rev_10.pdf LMS-6 Interface Board Schematic Rev 10]
=====Circuit Power Options=====
The LMS-6 Inteface board offers four power options to power LMS-6. Components for any of the power options can be omitted if they will be unused to reduce the build the build cost.
====== Battery Power ======
The LMS-6 can be powered using three CR123 lithium batteries connected to the LMS-6 onboard battery holders. Batter power is enabled by jumpering Pin 1 and Pin to of J6 together.
====== USB 5V Power ======
The LMS-6 can be powered from the J4 Micro USB B connection. This is enabled by jumpering Pin 2 and Pin 3 of J2; Pin 2 and Pin 3 of J6.
=====USB to UART=====
The LMS-6 interface includes a FT-2232 USB to UART. UART1 is connected to GPS. The default baud rate for the GPS is 38400 bps. UART 2 TX is connected to U3 pin 19 on the LMS-6.
If the connections are wrong, they can swapped using JP1,JP2 and JP4, JP5.
=====In Circuit Programming=====
===== eFuse =====
<br />
==Reference==