38
edits
Changes
Jump to navigation
Jump to search
|!'''Manufacturer Part Number'''|!'''Manufacturer'''|!'''Digi-Key Part Number'''|!'''Customer Reference'''|!'''Reference Designator'''|!'''Packaging'''|!'''Part Status'''|!'''Quantity'''|!'''Unit Price'''|!'''Extended Price'''|!'''Quantity Available'''|!'''Mfg Std Lead Time'''|!'''Description'''|!'''RoHS Status'''|!'''Lead Free Status'''|!'''REACH Status'''
Reverse engineer more firmware locations
[[File:LMS6 bottom.jpg|left|thumb|Photo of the lower panel of the 403 MHz version of the LMS-6 Radiosode. Of particular note are the DIP Switch configurations for setting the transmit frequency.]]
[[File:RH Circuit.jpg|none|thumb|Relative Humidity Circuit section]]
[[File:Sonde_label.png|none|thumb|LMS6 Label possibly showing calibration factors.]]
<br />
==Disassembly==
This is a minimally-destructive disassembly method that will allow the payload to be held back together if you wish to reuse the payload for another weather balloon flight.
Original firmware is not locked and can be dumped with Rlink-STD Debugger with RFlasher7.
Vector table and other interesting addresses: * 0xE003 - Serial number, at least 3 bytes. Ex: 0x7C6A34 is located at 8153652 big-endian.* 0xE100 to 0xE136 - something that changes between units. Maybe calibration factors? Checksums?* 0xFF00 - software string. Ex: "May 17, 2017 - V1.45"* 0xFFE4- AVD vector* 0xFFE6 - SCI / UART vector* 0xFFE8 - Timer B vector* 0xFFEA - Timer A vector* 0xFFEC - SPI vector* 0xFFEE - vector unused on this chip* 0xFFF0 - EI3 vector* 0xFFF2 - EI2 vector* 0xFFF4 - EI1 vector* 0xFFF6 - EI0 vector* 0xFFF8 - MCC/RTC vector* 0xFFFA - vector unused on this chip* 0xFFFC - Trap vector* 0xFFFE - Reset vector
IDA Pro uses CPU type ST7->ST72324J6 during loading, and can load the Intel Hex file produced by the programmer directly for analysis.
!Original Setting
|-
|Watchdog Reset on Halt(Reset On Entering Halt)
|Reset generation when entering HALT mode
|-
|Software (watchdog to be enabled by software)
|-
|Low Voltage Detection Selection(LVD Config)
|Highest Voltage Threshold
|-
The ST7 can be programmed using the RLINK-STD programmer. This programmer is available from Digi-Key https://www.digikey.com/en/products/detail/iotize/RLINK-STD/9923059
=== FlashBash Programmer ===
The FlashBash ST7 programmer claims to be able to program the ST7 on the LMS-6. This has not been evaluated yet. http://www.spen-soft.co.uk/
FlashBash V3 PCB can be ordered from DirtyPCBs.com: https://dirtypcbs.com/store/designer/details/1826/6489/flashbash-v3-st7-programmer
=== LMS-6 Card Edge Interface ===
LMS-6 Card edge interface board KiCad schematic and board layout: https://github.com/Reid-n0rc/LMS-6_Interface_Board
{| class="wikitable sortable mw-collapsible mw-collapsed"
|+LMS-6 Card Edge Connector Digi-Key BOM
|-
|885012207095
|}
====Interface Description and Theory of Operation====
The LMS-6 interface PCB allows the LMS-6 to be powered, connect to USB to UART, and connect to an in circuit programmer through the card edge connector.
{| class="wikitable"
|+Power Jumper Settings
! rowspan="2" |Jumper Ref Des
! colspan="4" |Jumpered Pins
|-
!Battery
!USB 5V
!Banana Jacks Regulated (J1&J3)
!Direct Power (J11&J12)
|-
|J2
|X
|2,3
|1,2
|X
|-
|J6
|1,2
|2,3
|2,3
|2,3
|-
|J10
|X
|2,3
|2,3
|1,2
|}
[https://github.com/Reid-n0rc/LMS-6_Interface_Board/blob/main/LMS-6_Interface_Board_Rev_10.pdf LMS-6 Interface Board Schematic Rev 10]
=====Circuit Power Options=====
The LMS-6 Inteface board offers four power options to power LMS-6. Components for any of the power options can be omitted if they will be unused to reduce the build the build cost.
======Battery Power======
The LMS-6 can be powered using three CR123 lithium batteries connected to the LMS-6 onboard battery holders. Batter power is enabled by jumpering Pin 1 and Pin to of J6 together.
======USB 5V Power======
The LMS-6 can be powered from the J4 Micro USB B connection. This is enabled by jumpering Pin 2 and Pin 3 of J2; Pin 2 and Pin 3 of J6.
USB power is indicated by D2 Green LED
=====USB to UART=====
The LMS-6 interface includes a FT-2232 USB to UART. UART1 is connected to GPS. The default baud rate for the GPS is 38400 bps. UART 2 TX is connected to U3 pin 19 on the LMS-6.
If the connections are wrong, they can swapped using JP1,JP2 and JP4, JP5.
=====In Circuit Programming=====
=====eFuse=====
<br />
==Reference==
Here are some reference materials. This is an initial population of material, and this section will need significant cleanup - putting links up for now.
