LMS-6 Radiosonde

The LMS-6 Radiosonde is a radiosonde manufactured by Lockheed-Martin Sippican, and used for meteorological sounding.

Overview

There are two models of the LMS-6, a 403MHz model and a 1680MHz model. This article will cover the 403MHz model unless specified.

Specs

16 Fixed transmit carrier frequencies (MHz): 400.250, 400.625, 401.000, 401.375, 401.750, 402.125, 402.500, 402.875, 403.250, 403.625, 404.000, 404.375, 404.750, 405.125, 405.500, 405.875
Frequency tolerance +/-30ppm
Mean TX Power 70.8mW (18.5dBm)
Emission Designator 16K8F1D
FSK with a maximum modulating frequency of 4.8 kHz
Emission 3dB BW +/-5.0 kHz
Emission 20dB BW +/-12.7 kHz
Omnidirectional antenna
Main beam gain 2dBi
Horizontal Beamwidth 360 degrees
Vertical Beamwidth +84 degrees

Source: https://apps.fcc.gov/els/GetAtt.html?id=121623&x=.

Photos

Photo of the lower panel of the 403 MHz version of the LMS-6 Radiosode. Of particular note are the DIP Switch configurations for setting the transmit frequency.

Relative Humidity Circuit section

Disassembly

This is a minimally-destructive disassembly method that will allow the payload to be held back together if you wish to reuse the payload for another weather balloon flight.

Partially-disassembled LMS-6 Radiosonde, with upper styrofoam shell removed. Some RF shielding removed. Rechargeable cells in use for testing purposes.

Cut the zip tie holding the plastic strap to the balloon/parachute tether rope.
Examine rope, parachute and parachute rigging lines for viability. Neatly organize the flight rigging if usable. Discard if not viable for reuse.
Peel open the battery/power cover from the bottom of the radiosonde and ensure that all 3 connectors are loose and not connected to one another.
Remove the plastic pins from either side of the radiosonde.
Peel away the paper wrapper starting with the corner near the external sensors
Tear the plastic strap off. It's held on mostly with a few staples into the styrofoam
Using a sharp utility razor, cut the bottom half of the shell off, carefully. The styrofoam is about 0.6 inch (15mm) thick on both the sides and bottom, so making a long cut all the way around the sides of the radiosonde, about 0.75" from the bottom edge, and not much deeper than 0.6" is recommended. You can use the exit of the weather sensors as a guide. DO NOT fully separate the radiosonde styrofoam shell yet.
Cut the tape holding the antenna into its dipole shape. Completely remove the tape and straighten the antenna wires.
Peel open the battery terminal access panel on the bottom again. Using a pair of tweezers, remove the small styrofoam block keeping the power wires restrained.
Push the battery wires through the hole as you peel apart the styrofoam shell.
The shell is glued together from the factory. Some of this glue will hold wires to the styrofoam shell. Carefully peel the sensor wires away from the foam and carefully pull the antenna wire (straightened in step 8) through the hole in the bottom of the shell.
The board should be completely separated from the two styrofoam shell halves. Set aside shell, plastic strap, plastic pins and paper wrap for possible re-use later.
Remove (3) Lithium CR-123A cells from the battery holders and discard of them safely.

Reassembly

Place fresh lithium CR-123A cells into the battery holders. Use of rechargeable cells is not recommended for high-altitude flight.
Pass antenna wire through bottom part of shell.
Pass all 3 power wires through the bottom part of shell and into the power lead compartment.
Make sure radiosonde circuit board is properly aligned and seated into the bottom half of the shell.
Replace small styrofoam brick to hold power wires into the compartment. Do not connect any power wires together yet.
Route the antenna flat against the bottom of the shell.
Place upper half of shell onto lower half of shell, ensuring that the weather sensors are able to exit the side of the shell where they originally did.
Affix the two halves of the radiosonde shell together. Long, sturdy zip-ties (one around where the plastic strap goes, another one or two perpendicular to it over the top and bottom) would likely work well and remain intact while exposed to the potentially harsh and cold elements at high altitudes. Alternative closures could be twine (if properly tied) or hot glue, which seems to be what is used to seal the radiosonde at the factory. Glues and cements may make further re-use problematic if you intend to recover and fly the radiosonde multiple times.
Place the plastic strap around the radiosonde as originally equipped. You can likely push the staples back into the styrofoam if they're left intact.
Optionally, re-attach the paper wrapper to the payload, or feel free to attach your own wrapper or identification.
Replace the plastic pins that hold the plastic strap to the radiosonde payload.
Ensure all sensors and antenna are extended and oriented properly. Be sure to bend the antenna into a dipole orientation similar to how it shipped (about 5.75" of the shorter lead folded back and held about 0.5" away from the twin-lead coming from the radiosonde)
Optionally, use a loop of tape to ensure the dipole antenna remains positioned appropriately, similar to how the antenna was originally rigged.
Attach radiosonde strap to flight rigging (rope/parachute/balloon or your choice of drone, kite, etc)
Remember to connect the red and white wires, and do a pre-flight telemetry verification immediately before launch.

Powering the radiosonde in the lab

The OEM battery bank consists of three (3) CR-123A cells in series at 3.0VDC each, for a total of 9VDC. These cells are relatively expensive and only power the unit for 6-7 hours at a time. Internal battery power is enabled by connecting the white and red power wires together inside the compartment on the bottom of the radiosonde.

The unit can be powered on the bench by providing 9VDC to the red power wire and connecting the black wire to power supply ground. Do not exceed 10VDC. Lithium-Ion rechargeable RCR-123A cells can also be used for testing. These cells will not likely last the duration of a high-altitude balloon flight due to both limited power capacity and cold temperatures at altitude.

Connectors

There are four sensor connectors (SENSN) used for sensor input by the radiosonde. SENS1 is not populated on the 403MHz units. SENS2-4 have leads connected to them, and the sensors are connected to the other end of the leads, outside of the radiosonde housing. Only SENS1 appears to have spacing for a connector; the others have arbitrary lead spacing.

SENS1 - 7-pin, 0.1" header spacing
Pin	Characteristics
1	+5V (5.47 measured) - From U25
2	GND
3	U3 Pin 37 (PA7, High Sink/20mA)
4	1 Hz - U14 Pin 9 (S2)
5	1 Hz - U14 Pin 11 (S1)
6	1 Hz - U14 Pin 11 (S0)
7	Pulldown via R41 (47k) to GND

Public information shows this header may be used for adding additional analog sensors to the radiosonde.

SENS2 - Humidity
Pin	Connection
1	Sensor pin 1
2	Sensor pin 2

0.3" spacing. Both lead wires have ferrite beads immediately before connecting to the board.

SENS3 - Temp. Sensor (standalone)
Pin	Connection
1	Sensor pin 1
2	Sensor pin 2

0.5" spacing.

SENS4 - Temp. Sensor (humidistat)
Pin	Connection
1	Sensor pin 1
2	Sensor pin 2

0.3" spacing. Fine gauge insulated wire run along SENS3 wire and loomed in white heat-shrink tubing.

Card edge - 40-pin, looks like ISA spacing
Pin Number	Function	Notes / Observations	Pin Number	Function	Notes / Observations
1	Vdd	U3 - Vdd U15 - Pin 4	2	Vdd	U3 - Vdd U15 - Pin 4
3	U3 - Pin29 / PC6 / SCK / ICCCLK TP33 U21 - Pin21 / PCLK		4	U3 - Pin38/Vpp/ICCSEL	Programmer probably has a 5->12v charge pump for this. Do not apply 12v willy-nilly, will blow chip.
5	U3 - Pin39/RESET		6	U3 - Pin27 / PC4 / MISO / ICCDATA
7	Vdd	U3 - Vdd U15 - Pin 4	8	Vdd	U3 - Vdd U15 - Pin 4
9	GND		10	GND
11	J5 - Pin 2		12	U21 - Pin 20 - DCLK	3.3v - 4800Hz square wave, clocks the serial data This is probably not directly connected to ST7 PortF.4 which is 5V.
13	SW1.4	U3 - Pin10/AIN3/PD3 51K resistor to ground	14
15	GND		16	GND
17	SW1.2	U3 - Pin8/AIN1/PD1 51K resistor to ground	18	SW1.1	U3 - Pin7/AIN0/PD0 51K resistor to ground
19	GND		20	GND
21	47k pullup U3 - Pin19	Appears to be some sort of test-mode select, checked before GPIO initialization.	22
23	GPS Data (38400 BPS) U3 - Pin1/RDI	Data bursts	24		+5VDC ?
25			26	GPS Data (38400 BPS) Maybe not connected to U3?	Data bursts
27			28
29			30		+5VDC ?
31	BATT POS		32
33	GND		34	GND
35			36	SW1.3	U3 - Pin9/AIN2/PD2 51K resistor to ground
37			38	U3 - Pin18 / OCMP1_A / AIN10 / PF4	Square wave data bursts, 0.2msec per bit
39	RED WIRE		40	Battery voltage	Around 9VDC measured, 3x3V batteries

J1 - 4-pin, 0.1" header spacing
Pin	Wire Color	Use
1	Black	Ground
2	White	Battery +9
3	Red	+9 VDC In
4	NC	Unknown - goes to unpopulated CR1

J4 - NC - earphone jack? uses SENS3 leads

J5 - 4-pin, 2.0mm spacing
Pin	Use
1	Unknown
2	Unknown
3	Unknown
4	Unknown

These traces go to U3 (ST microcontroller)

SP1 - 2x4-pin, 0.1" spacing
Pin	Use	Notes/Observations
1	+5VDC
2	Unknown	U14 Pin 13 (A0) - 3V rounded square pulses, 2x per second, 2 different periods avg ~75msec?
3	+5VDC
4	Unknown	U14 Pin 14 (A1) - 5V, 0.1msec pulse once per second
5	+5VDC
6	Unknown	U14 Pin 15 (A2) - 5V, 0.1msec pulse once per second
7	+5VDC
8	Unknown	U14 Pin 12 (A3) - 3V, 250msec pulse once per second

SP1 connects to four channels of U14, an 8-channel analog MUX. Pin 2 also connects to R111, non-populated, which would provide a pull-up to +5 at Pin 1.

Internal Busses

TI CC1050 to ST7 Bus

CC1050 Pin	CC1050 Name	ST7 Pin	Notes/Observations
19	DI	Pin18 / OCMP1_A / AIN10 / PF4	U17 appears to be a level translator between CC1050.19 and ST7.18
20	DCLK	Pin30 / PC7 / SS / AIN15	U7 appears to be a level translator between CC1050.20 and ST7.30
21	PCLK	Pin29 / PC6 / SCK / ICCCLK
22	PDATA	Pin28 / PC5 / MOSI / AIN14	Voltage varies between 5 and 3.something volts depending on which side is transmitting.
23	PALE	Pin27 / PC4 / MISO / ICCDATA

GPS Chip to ST7 Bus

GPS Pin	GPS Name	ST7 Pin	ST7 Name	Notes/Observations
33	TX_A	1	RDI	TSIP@38400baud

Components

The following is a catalog of active components. Designators italicized still need positive identification; bold have been positively identified. Markings listed where known to help in identification. List additional markings when they differ.

U1 - GPS - Trimble 63530-50 - 12-channel GPS, 2x serial ports, 2.7-3.3VDC, SBAS, flash almanac/ephemeris/location storage. (The -50 variant is probably a custom variant, and exact capabilities are unknown.) This chip defaults to TSIP on the 38400 baud port, which is a binary protocol, and has been captured on this PCB.

U2 - (Marked G4/905)

U3 - ST72F324J6T6 - 32K Flash, 1K RAM, 5VDC, 10-bit ADC (16 inputs, muxed), 4x Timer, SPI, SCI, 32-bits total I/O

72F324J6T6 - ST72324 - Main Microcontroller, ST7 series Datasheet
ST7 Flash Programming Quick Reference Guide
ST7 Family Flash Programming Reference Manual
ST7 Family ICC Protocol Reference Manual
With a buffered 16MHz clock provided by Y3/U12, possible CPU speeds are 8MHz(/1), 4MHz(/2), 2MHz(/4), 1MHz(/8) depending on MCC configuration.
Instruction timings have yet to be found. The datasheet only says '2-12 cycles per instruction', and a note from Raisonance support says that NOP does indeed take 2 cycles. These will be needed before we can bring up a bit-banged software debug UART as well as the bitstream for the CC1050, and may need to be reverse engineered via GPIO+oscilloscope.

U4 - (Marked Z252)

U5, U6 - LP2985 - LDO - 2.8V?

U7 - (Marked G4/905)

U8 - (Marked G4/905)

U9 - (Marked F50)

U10 - (Did not locate, maybe not placed?)

U11 - (Marked 73RW, SOT-89 or similar) - Pre-amp for GPS ant? In GPS section can.

U12 - (Marked G5/849) - looks like a clock buffer between Y3 and U3

U13 - CD4040BPW - 12-stage Ripple-Carry Binary Counter/Divider ^{[IC Footnotes 1]}

U14 - CD74HC4051PWR - High-Speed CMOS Logic Analog Mux/Demux - 8:1

U15 - TI LMC555CMM Family ^{[IC Footnotes 2]}

U16 - LMV761MF - Low Voltage Precision Comparator w/ Push-Pull Output ^{[IC Footnotes 3]}

U17 - (Marked Z252) - 3v(blue) -> 5v(yellow) level translator *insert picture U17 here*

U18 - (Did not locate, maybe not placed?)

U19 - (Did not locate, maybe not placed?)

U20 - Toshiba TC7WH157FU

U21 - CC1050 (back) - Low Power Transmitter - 300MHz-1000MHz, variable power, FSK

U22 - TPS79133DBUR - 3.3V LDO - for U21

Unot_marked (23/24?) - (Marked W6K/W76) - RF Amp, similar to SKY65013-70LF (No designator; under TX can to bottom-right of U21.)

U25 - TPS7201Q - Adj. 1.2-9.75V LDO - (Designator silkscreen is hard to read; 8-SOIC on bottom-right)

Y3 - 16MHz crystal

U25 and general area

92JK ZC5 chip noted as U15


U15 Pin	Function	Observations/Notes
1	GND
2	5VDC
3	Trigger	Rounded square wave (maybe sawtooth) alternating between 2msec and 4msec, resting at +3VDC between bursts
4	Discharge	Rounded square wave alternating between 3msec and 5msec, short periods of 0v, resting at +3VDC between bursts
5	Output	Data. Square wave. 5V space, 0v mark? Pulses around 250msec per bit. Perhaps this is a capacitance or resistance to frequency converter.
6	Threshold	More rounded square wave bursts
7	Reset
8	Control

Sens 4 - Capacitive Relative humidity sensor ^{[IC Footnotes 4]}

Notes

↑ Package marking shows CM040B. TI Park marking lookup provides CD4040BPW.
↑ IC marked with ZC5. TI Part marking lookup provides LMV761. Pinout, footprint, and measured IC/pin operation matches what is expected from a 555.
↑ Package marking shows C22A. TI Part marking lookup provides LMV761. The SOT-23 footprint appears to match what is on the PCB.
↑ Sens 4 is known to be capacitive since it is listed as such on page 13 of the WMO Common Code Tables Document

GPS Subsystem

Trimble 63530 baud rate is 38400, 5V, connected to ST7 SCI port(Pins 1&2 on ST7, TDO and RDI). Assuming 8N1 framing, this means interrupts must not be disabled for >260 microseconds or else bytes may be lost as the receive shift register overflows.

Test Points

TP58 - MUX in/out (U14 Pin 3)

Circuits

RF Transmitter Circuit

The transmitter RF path contains a filter IC, pi matching network, broadband amplifier, and a few more output filter stages.

Low Pass Filters

Lowpass Filters are included on the output from the PA and CC1050 to filter out spurs and harmonics from the signal. These are required to meet FCC and NTIA emissions requirements. The measurements were taken with a NanoVNA V2 and the plots were aquired using the NanoVNA-QT software. These data should be considered un-calibrated. A S11 calibration OPEN,SHORT was performed on the NanoVNA, but since the coax is cut, I did not perform an S21 calibration. Additionally, the NanoVNA-QT software seemed to blowaway any of the manual settings I had. This software does not seem to support an OPEN/SHORT only calibration. These data can safely be interpreted as realitive measurements, meaning the filter type and cutoff frequency can be determined.

PA LPF

The PA LPF was measured by removing the DC blocking capacitor after the RF amplifier in the schematic above. The removed DC blocking capacitor is Port 1 of the measurement. Port 2 of the measurment is the antenna output with the antenna removed. The 3 dB cutoff of the filter is 500 MHz.

Lowpass filter output from the power amplifier. The blue trace is the S11 plot. The red trace is the S21 plot. This is from 200 MHz to 1.425 GHz. Absolute values are not to be trusted. The relative measurement indicates that the 3 dB cutoff of the filter is around 500 MHz.

FL101 - CC1050 LPF

The FL101 frequency response was measured as shown below. A DC blocking capacitor was removed that was between the output of CC1050 and FL101. Two parallel resistors were removed from the output of FL101. This isolated the filter in the circuit. The cutoff of the filter is 650 MHz.

Lowpass filter FL101, output from the CC1050. The blue trace is the S11 plot. The red trace is the S21 plot. This is from 200 MHz to 1.425 GHz. Absolute values are not to be trusted. The relative measurement indicates that the 3 dB cutoff of the filter is around 650 MHz.

Test setup for the FL101 measurement.

Relative Humidity Circuit

Schematic of RH sensor circuit.

Analog Multiplexer

U14 is an 8-channel mux/demux. Four of the channels (A0-A3) go to SP1. (A4-A7 appear to go to SENS2-4, need to be traced) Pin 3 is the common in/out, and goes to R13 (560k) and R15 (47k). R15 goes to U15 Pin 7 (555 Reset), and R13 goes to U15 Pin 8 (555 Control.)

Original Firmware

Original firmware is not locked and can be dumped with Rlink-STD Debugger with RFlasher7.

Vector table is located at 0xFFE4

IDA Pro uses CPU type ST7->ST72324J6 during loading, and can load the Intel Hex file produced by the programmer directly for analysis.

Option Bytes

Option bytes are set to 0xE7F7

Original Firmware Option Byte Details
Option Description	Original Setting
Watchdog Reset on Halt	Reset generation when entering HALT mode
Hardware of Software Watchdog	Software (watchdog to be enabled by software)
Low Voltage Detection Selection	Highest Voltage Threshold
FLASH read-out protection	Read-out protection disabled
Package slection	(A)R - TQFP64
RESET clock cycle selection	Reset phase with 256 CPU cycles
Oscillator Type	External Source
Oscillator Range	HS 8~16MHz
PLL activation	PLL x2 disabled

GPIO Initialization

PADDR = 0xF0, PAOR = 0x38 or 0x30 depending on address 0xF3
- PA7: Open Drain Output
- PA6: Open Drain Output
- PA5: Push Pull Output
- PA4: Push Pull Output
- PA3: Depends on address 0xF3
PBDDR = 0x0F, PBOR=0x1F
- PB4 - Pullup interrupt input
- PB3 - Push Pull Output
- PB2 - Push Pull Output
- PB1 - Push Pull Output
- PB0 - Push Pull Output
PCDDR = 0x03, PCOR=0x0B
- PC7 - floating input
- PC6 - floating input
- PC5 - floating input
- PC4 - floating input
- PC3 - pullup input
- PC2 - floating input
- PC1 - push pull output
- PC0 - push pull output
PDDDR = 0x20, PDOR=default to 0x0
- PD5 - open drain output
- PD4 - floating input
- PD3 - floating input
- PD2 - floating input
- PD1 - floating input
- PD0 - floating input
PFDDR = 0x20 or 0x80 depending on address 0xF3, PFOR=0x10 or 0x80 depending on address 0xF3
- PF7 - depends on 0xF3
- PF6 - floating input - is checked very early on startup and used to set 0xF3. 47k resistor to 5v, TP8, CardEdge21.
- PF5 - depends on 0xF3
- PF4 - depends on 0xF3
- PF2 - floating input
- PF1 - floating input
- PF0 - floating input

MCC Initialization

Done in the main function, MCCSR is initialized to 0x0E. This means:

Clock Prescaler[CP] is set to /2
SlowModeSelect[SMS] is set to 0, so CP is ignored and Fcpu=Fosc2
TimeBase[TB] is 0b11, selecting 25ms timebase
OscillatorInterruptEnable[OIE] is set, has something to do with low-power mode(s)
OscillatorInterruptFlag[OIF] is clear, indicates main oscillator has reached countdown

MCCBCR does not appear to be initialized, meaning beeper-mode is disabled.

ADC Configuration

ADCDRL does not appear to be used, thus the ADC is operated as an 8-bit ADC instead of 10-bit.

ST7 ADC AIN8 appears to be the only one used.

Interrupts

ei0_int
- Triggered by PortA.3
- uses location 0xB2 as a shift register to output LSB first to CC1050's Data Input on PortF.4

Modifications

Disable amplification

Picture of TX circuit, highlighting components to remove to disable amplifier and a replacement jumper.

When testing, it's important not to transmit on unlicensed frequencies. Emissions can be eliminated by replacing the RF amplifier with a jumper between pins 1 and 3, and terminating the load at the antenna connection. The amplifier is an SOT-89 device just above the "-" terminal of B3. To access the RF chain, the shield housing may need to be temporarily removed. Also remove the bias feed resistor just below the "L104" marking. Then, remove the transmitter antenna from the "ANT1" connections. Use a 50 ohm resistor across the two terminals to provide a terminating load and eliminate any further transmission. Near-field reception is still possible after making these changes.

Reference

Here are some reference materials. This is an initial population of material, and this section will need significant cleanup - putting links up for now.

https://www.weather.gov/media/upperair/Documents/RWS_Build_3.4_User_Manual_%20071818.pdf - Radiosonde Replacement System Workstation User Guide. This manual describes the operational environment of the radiosonde.

https://www.nws.noaa.gov/directives/010/pd01014001b.pdf - Rawinsonde Operations - some more technical data on radiosonde operations.

[U13-1] Package marking shows CM040B. TI Park marking lookup provides CD4040BPW.

[U15-2] IC marked with ZC5. TI Part marking lookup provides LMV761. Pinout, footprint, and measured IC/pin operation matches what is expected from a 555.

[U16-3] Package marking shows C22A. TI Part marking lookup provides LMV761. The SOT-23 footprint appears to match what is on the PCB.

[Sens4-4] Sens 4 is known to be capacitive since it is listed as such on page 13 of the WMO Common Code Tables Document

[IC Footnotes 1]

[IC Footnotes 2]

[IC Footnotes 3]

[IC Footnotes 4]