38
edits
Changes
Jump to navigation
Jump to search
Reverse engineer more firmware locations
[[File:LMS-6 Radiosonde.jpg|thumb|LMS-6 Radiosonde found on railroad tracks, circled in red.]]
The LMS-6 Radiosonde is a balloon-launched radiosonde manufactured by Lockheed-Martin Sippican, and used for meteorological sounding.
[[File:LMS6 bottom.jpg|left|thumb|Photo of the lower panel of the 403 MHz version of the LMS-6 Radiosode. Of particular note are the DIP Switch configurations for setting the transmit frequency.]]
[[File:RH Circuit.jpg|none|thumb|Relative Humidity Circuit section]]
[[File:Sonde_label.png|none|thumb|LMS6 Label possibly showing calibration factors.]]
<br />
==Disassembly==
This is a minimally-destructive disassembly method that will allow the payload to be held back together if you wish to reuse the payload for another weather balloon flight.
|-
|23
|GPS TX Data (38400 BPS)
U3 - Pin1/RDI
|Data bursts
|
|26
|GPS RX Data (38400 BPS)
Maybe not connected to U3?
|Data bursts
|U22.3
|U22 Pin 3 3V3 Enable (Active Low)
Connected to R38 pull-down
Connected to JP27
|-
|31
|19
|PPS
|C9 bypass to GND, Via to back to trace to via to small via connected to R3, then trace to 47k to ground, then some pins on U2 - looks like a level translator - through that then to a hidden via, pops back up at TP36 which is connected to PB4 on the ST7, which appears to be unread triggers ei3(external interrupt 3) in the firmware.
|
|-
|}
[https://github.com/rsaxvc/LMS6APRS/blob/master/docs/cc1050%20frequency%20calculator.ods?raw=true CC1050 Frequency Register Calculator based on 14.7456MHz crystal]
[https://e2e.ti.com/support/wireless-connectivity/zigbee-and-thread/f/158/t/158428?Where-can-one-find-SmartRF-Studio-6- Link to SmartRF Studio6 ( 7 doesn't have the CC1050)]
==Test Points==
Original firmware is not locked and can be dumped with Rlink-STD Debugger with RFlasher7.
Vector table and other interesting addresses: * 0xE003 - Serial number, at least 3 bytes. Ex: 0x7C6A34 is located at 8153652 big-endian.* 0xE100 to 0xE136 - something that changes between units. Maybe calibration factors? Checksums?* 0xFF00 - software string. Ex: "May 17, 2017 - V1.45"* 0xFFE4- AVD vector* 0xFFE6 - SCI / UART vector* 0xFFE8 - Timer B vector* 0xFFEA - Timer A vector* 0xFFEC - SPI vector* 0xFFEE - vector unused on this chip* 0xFFF0 - EI3 vector* 0xFFF2 - EI2 vector* 0xFFF4 - EI1 vector* 0xFFF6 - EI0 vector* 0xFFF8 - MCC/RTC vector* 0xFFFA - vector unused on this chip* 0xFFFC - Trap vector* 0xFFFE - Reset vector
IDA Pro uses CPU type ST7->ST72324J6 during loading, and can load the Intel Hex file produced by the programmer directly for analysis.
!Original Setting
|-
|Watchdog Reset on Halt(Reset On Entering Halt)
|Reset generation when entering HALT mode
|-
|Software (watchdog to be enabled by software)
|-
|Low Voltage Detection Selection(LVD Config)
|Highest Voltage Threshold
|-
**Triggered by PortA.3
**uses location 0xB2 as a shift register to output LSB first to CC1050's Data Input on PortF.4
*ei3_int
**Triggered by PortB.4
**Sets a variable when GPS PPS occurs
===GPS Initialization===
==Instruction Timing Tables==
These are based on the ST Visual Develop 4.3.12 Simulator. Hopefully it is accurate. I've only done the instructions needed for writing a software UART, since the hardware UART doesn't seem to be brought out on the edge-connectoris tied up doing GPS work.
{| class="wikitable"
|+
|}
==Ideas for doing AFSK modulation on 70CM with CC1050 and ST7==
The goal is to draw an approximation of a sine-wave over time in the frequency domain. This is usually done by drawing a sine-wave with a DAC, low-pass filtering it, and feeding it into an FM modulator, but we don't have those parts.
===FeatherHAB Approach using a similar FSK chip===
The FeatherHAB approach involves using a transmitter with an asynchronous digital modulation input(CC1050 can do this), and oversamping it like a 1-bit DAC. I think this works as long as the input signal is much faster than the charge pump bandwidth, and if so, it should act like a low-pass filter. FeatherHAB uses a hardware timer to drive their digital modulation input, but they do so by sending a variable-length pulse every 19200 Hz.
We might be able to do this using a 19200Hz periodic timer interrupt to set the modulation pin and a one-shot timer to generate another interrupt to clear it. This will use all available timers on the ST7. We cannot use a timer to generate the pulses directly as the ST7 does not wire out any timers on the right pins.
===SFCW-like Frequency Hopping Approach(RSAXVC)===
The CC1050 has a pair of frequency register sets, this allows programming a new frequency then flipping to it using a bit - this takes 4x register writes(16 bits each). We could, like a stepped frequency radar, switch between a series of tones rapidly(perhaps 8x symbol rate). This would look like an unfiltered DAC version of a sine-wave with little stair-steps.
===Why we're not going to do 9600baud 70CM FSK modulation===
For these to be a usable tracker we're going to need ground stations. In the Kansas City metro, there's not many APRS digipeaters on 70cm, and the few there are use 1200 baud AFSK, not 9600 baud FSK.
==ST7 Programming==
The ST7 can be programmed using the RLINK-STD programmer. This programmer is available from Digi-Key https://www.digikey.com/en/products/detail/iotize/RLINK-STD/9923059
===FlashBash Programmer===
The FlashBash ST7 programmer claims to be able to program the ST7 on the LMS-6. This has not been evaluated yet. http://www.spen-soft.co.uk/
FlashBash V3 PCB can be ordered from DirtyPCBs.com: https://dirtypcbs.com/store/designer/details/1826/6489/flashbash-v3-st7-programmer
===LMS-6 Card Edge Interface===
LMS-6 Card edge interface board KiCad schematic and board layout: https://github.com/Reid-n0rc/LMS-6_Interface_Board
LMS-6 Card Edge Interface PCB Rev B can be ordered from DirtyPCBs.com: https://dirtypcbs.com/store/designer/details/1826/6490/lms6-interface-board-rev-b
{| class="wikitable sortable mw-collapsible mw-collapsed"
|+LMS-6 Card Edge Connector Digi-Key BOM
!'''Manufacturer Part Number'''
!'''Manufacturer'''
!'''Digi-Key Part Number'''
!'''Customer Reference'''
!'''Reference Designator'''
!'''Packaging'''
!'''Part Status'''
!'''Quantity'''
!'''Unit Price'''
!'''Extended Price'''
!'''Quantity Available'''
!'''Mfg Std Lead Time'''
!'''Description'''
!'''RoHS Status'''
!'''Lead Free Status'''
!'''REACH Status'''
|-
|885012207095
|Würth Elektronik
|732-8077-1-ND
|C4
|C4
|Cut Tape (CT)
|Active
|2
|0.1
|$0.20
|4457
|12 Weeks
|CAP CER 0.033UF 50V X7R 0805
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|CL21B104KBCNNNC
|Samsung Electro-Mechanics
|1276-1003-1-ND
|C3,C5,C6
|C3,C5,C6
|Cut Tape (CT)
|Active
|4
|0.1
|$0.40
|2366592
|22 Weeks
|CAP CER 0.1UF 50V X7R 0805
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|T491A106K010AT
|KEMET
|399-3684-1-ND
|C7
|C7
|Cut Tape (CT)
|Active
|1
|0.33
|$0.33
|4400267
|7 Weeks
|CAP TANT 10UF 10% 10V 1206
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|CL31A106KAHNNNE
|Samsung Electro-Mechanics
|1276-1075-1-ND
|C8
|C8
|Cut Tape (CT)
|Active
|2
|0.2
|$0.40
|1387438
|22 Weeks
|CAP CER 10UF 25V X5R 1206
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|CL31B475KAHNNNE
|Samsung Electro-Mechanics
|1276-1055-1-ND
|C9
|C9
|Cut Tape (CT)
|Active
|1
|0.2
|$0.20
|124045
|22 Weeks
|CAP CER 4.7UF 25V X7R 1206
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|LH R974-LP-1
|OSRAM Opto Semiconductors Inc.
|475-1415-1-ND
|D1
|D1
|Cut Tape (CT)
|Active
|2
|0.25
|$0.50
|89674
|12 Weeks
|LED RED DIFFUSED 0805 SMD
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|LG R971-KN-1
|OSRAM Opto Semiconductors Inc.
|475-1410-1-ND
|D2, D3
|D2, D3
|Cut Tape (CT)
|Active
|2
|0.25
|$0.50
|325681
|12 Weeks
|LED GREEN DIFFUSED 0805 SMD
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|MPZ2012S601AT000
|TDK Corporation
|445-2206-1-ND
|FB1, FB2
|FB1, FB2
|Cut Tape (CT)
|Active
|2
|0.11
|$0.22
|228257
|10 Weeks
|FERRITE BEAD 600 OHM 0805 1LN
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|105-1103-001
|Cinch Connectivity Solutions Johnson
|J577-ND
|J1-J12
|J1,J12
|Bulk
|Active
|2
|0.73
|$1.46
|15970
|7 Weeks
|CONN TIP JACK SOLDER BLACK
|RoHS Compliant
|Lead free
|Not Available
|-
|61300311121
|Würth Elektronik
|732-5316-ND
|J2,J6,J10
|J2,J6,J10
|Bag
|Active
|3
|0.13
|$0.39
|73107
|13 Weeks
|CONN HEADER VERT 3POS 2.54MM
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|105-1102-001
|Cinch Connectivity Solutions Johnson
|J576-ND
|J3,J11
|
|Bulk
|Active
|2
|1.05
|$2.10
|0
|7 Weeks
|CONN TIP JACK SOLDER RED
|RoHS Compliant
|Lead free
|Not Available
|-
|UJ2-MIBH-4-SMT-TR
|CUI Devices
|102-4006-1-ND
|J4
|J4
|Cut Tape (CT)
|Active
|1
|0.79
|$0.79
|47066
|11 Weeks
|CONN RCPT USB2.0 MICRO B SMD R/A
|RoHS Compliant
|Lead free
|Not Available
|-
|302-S101
|On Shore Technology Inc.
|ED1543-ND
|J7
|J7
|Bulk
|Active
|1
|0.28
|$0.28
|29961
|9 Weeks
|CONN HEADER VERT 10POS 2.54MM
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|PREC018DAAN-RC
|Sullins Connector Solutions
|S2012EC-18-ND
|J9
|J9
|Bag
|Active
|1
|0.69
|$0.69
|1395
|Not Available
|CONN HEADER VERT 36POS 2.54MM
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|61300211121
|Würth Elektronik
|732-5315-ND
|J13
|J13
|Bag
|Active
|1
|0.13
|$0.13
|127153
|13 Weeks
|CONN HEADER VERT 2POS 2.54MM
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|NPC02SXON-RC
|Sullins Connector Solutions
|S9341-ND
|JUMPER
|
|Bag
|Active
|4
|0.11
|$0.44
|209938
|5 Weeks
|CONN JUMPER SHORTING .100" GOLD
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|RC1206JR-070RL
|Yageo
|311-0.0ERCT-ND
|L1 - Replacement
|L1
|Cut Tape (CT)
|Active
|1
|0.1
|$0.10
|9627917
|24 Weeks
|RES SMD 0 OHM JUMPER 1/4W 1206
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|EBC20DRAS
|Sullins Connector Solutions
|S9672-ND
|J5
|J5
|Tray
|Active
|1
|6.9
|$6.90
|0
|3 Weeks
|CONN EDGE DUAL FMALE 40POS 0.100
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|CRG0805F27R
|TE Connectivity Passive Product
|A126357CT-ND
|
|R1,R2
|Cut Tape (CT)
|Active
|2
|0.1
|$0.20
|30073
|18 Weeks
|RES SMD 27 OHM 1% 1/8W 0805
|RoHS Compliant
|Lead free
|Not Available
|-
|CRGCQ0805F1K5
|TE Connectivity Passive Product
|A129751CT-ND
|
|R3
|Cut Tape (CT)
|Active
|2
|0.1
|$0.20
|46326
|21 Weeks
|CRGCQ 0805 1K5 1%
|RoHS Compliant
|Lead free
|Not Available
|-
|RC1005F103CS
|Samsung Electro-Mechanics
|1276-3431-1-ND
|
|R4
|Cut Tape (CT)
|Discontinued at Digi-Key
|2
|0.1
|$0.20
|8019
|Not Available
|RES SMD 10K OHM 1% 1/16W 0402
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|RC0805JR-07470RL
|Yageo
|311-470ARCT-ND
|
|R5
|Cut Tape (CT)
|Active
|2
|0.1
|$0.20
|823055
|24 Weeks
|RES SMD 470 OHM 5% 1/8W 0805
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|RC0805FR-07470KL
|Yageo
|311-470KCRCT-ND
|
|R6
|Cut Tape (CT)
|Active
|2
|0.1
|$0.20
|665330
|24 Weeks
|RES SMD 470K OHM 1% 1/8W 0805
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|ERJ-6ENF1373V
|Panasonic Electronic Components
|P137KCCT-ND
|
|R7
|Cut Tape (CT)
|Active
|2
|0.1
|$0.20
|95215
|11 Weeks
|RES SMD 137K OHM 1% 1/8W 0805
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|RC0805FR-0754K9L
|Yageo
|311-54.9KCRCT-ND
|
|R8
|Cut Tape (CT)
|Active
|2
|0.1
|$0.20
|19069
|24 Weeks
|RES SMD 54.9K OHM 1% 1/8W 0805
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|ERJ-6ENF1621V
|Panasonic Electronic Components
|P1.62KCCT-ND
|
|R9
|Cut Tape (CT)
|Active
|1
|0.1
|$0.10
|220523
|11 Weeks
|RES SMD 1.62K OHM 1% 1/8W 0805
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|ERJ-6ENF1433V
|Panasonic Electronic Components
|P143KCCT-ND
|
|R10
|Cut Tape (CT)
|Active
|1
|0.1
|$0.10
|34393
|11 Weeks
|RES SMD 143K OHM 1% 1/8W 0805
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|RC0805FR-07280RL
|Yageo
|311-280CRCT-ND
|
|R11
|Cut Tape (CT)
|Active
|2
|0.1
|$0.20
|180886
|24 Weeks
|RES SMD 280 OHM 1% 1/8W 0805
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|RC0805FR-07909RL
|Yageo
|311-909CRCT-ND
|
|R12
|Cut Tape (CT)
|Active
|2
|0.1
|$0.20
|284632
|24 Weeks
|RES SMD 909 OHM 1% 1/8W 0805
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|RC0805FR-071ML
|Yageo
|311-1.00MCRCT-ND
|
|R13
|Cut Tape (CT)
|Active
|2
|0.1
|$0.20
|2662481
|24 Weeks
|RES SMD 1M OHM 1% 1/8W 0805
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|-
|FT2232D-REEL
|FTDI, Future Technology Devices International Ltd
|768-1010-1-ND
|
|U1
|Cut Tape (CT)
|Active
|1
|6.99
|$6.99
|24630
|11 Weeks
|IC USB FS DUAL UART/FIFO 48-LQFP
|RoHS Compliant
|Lead free
|REACH Unaffected
|-
|TEC 2-1219WI
|Traco Power
|1951-1401-ND
|
|U2
|Tube
|Active
|1
|10.26
|$10.26
|13
|13 Weeks
|DC DC CONVERTER 9V 2W
|ROHS3 Compliant
|Lead free
|Not Available
|-
|CSTNR6M00GH5C000R0
|Murata Electronics
|490-18276-1-ND
|
|Y1
|Cut Tape (CT)
|Active
|1
|0.44
|$0.44
|7201
|11 Weeks
|CERAMIC RES 6.0000MHZ 39PF SMD
|ROHS3 Compliant
|Not Available
|Not Available
|-
|TPS25921ADR
|Texas Instruments
|296-40731-1-ND
|
|U3
|Cut Tape (CT)
|Active
|1
|1.45
|$1.45
|36658
|6 Weeks
|IC PWR MGR EFUSE 18V 8SOIC
|ROHS3 Compliant
|Lead free
|REACH Unaffected
|}
====Interface Description and Theory of Operation====
The LMS-6 interface PCB allows the LMS-6 to be powered, connect to USB to UART, and connect to an in circuit programmer through the card edge connector.
{| class="wikitable"
|+Power Jumper Settings
! rowspan="2" |Jumper Ref Des
! colspan="4" |Jumpered Pins
|-
!Battery
!USB 5V
!Banana Jacks Regulated (J1&J3)
!Direct Power (J11&J12)
|-
|J2
|X
|2,3
|1,2
|X
|-
|J6
|1,2
|2,3
|2,3
|2,3
|-
|J10
|X
|2,3
|2,3
|1,2
|}
[https://github.com/Reid-n0rc/LMS-6_Interface_Board/blob/main/LMS-6_Interface_Board_Rev_10.pdf LMS-6 Interface Board Schematic Rev 10]
=====Circuit Power Options=====
The LMS-6 Inteface board offers four power options to power LMS-6. Components for any of the power options can be omitted if they will be unused to reduce the build the build cost.
======Battery Power======
The LMS-6 can be powered using three CR123 lithium batteries connected to the LMS-6 onboard battery holders. Batter power is enabled by jumpering Pin 1 and Pin to of J6 together.
======USB 5V Power======
The LMS-6 can be powered from the J4 Micro USB B connection. This is enabled by jumpering Pin 2 and Pin 3 of J2; Pin 2 and Pin 3 of J6.
USB power is indicated by D2 Green LED
=====USB to UART=====
The LMS-6 interface includes a FT-2232 USB to UART. UART1 is connected to GPS. The default baud rate for the GPS is 38400 bps. UART 2 TX is connected to U3 pin 19 on the LMS-6.
If the connections are wrong, they can swapped using JP1,JP2 and JP4, JP5.
=====In Circuit Programming=====
=====eFuse=====
<br />
==Reference==
Here are some reference materials. This is an initial population of material, and this section will need significant cleanup - putting links up for now.
