38
edits
Changes
Jump to navigation
Jump to search
Reverse engineer more firmware locations
[[File:LMS6 bottom.jpg|left|thumb|Photo of the lower panel of the 403 MHz version of the LMS-6 Radiosode. Of particular note are the DIP Switch configurations for setting the transmit frequency.]]
[[File:RH Circuit.jpg|none|thumb|Relative Humidity Circuit section]]
[[File:Sonde_label.png|none|thumb|LMS6 Label possibly showing calibration factors.]]
<br />
==Disassembly==
This is a minimally-destructive disassembly method that will allow the payload to be held back together if you wish to reuse the payload for another weather balloon flight.
Original firmware is not locked and can be dumped with Rlink-STD Debugger with RFlasher7.
Vector table and other interesting addresses: * 0xE003 - Serial number, at least 3 bytes. Ex: 0x7C6A34 is located at 8153652 big-endian.* 0xE100 to 0xE136 - something that changes between units. Maybe calibration factors? Checksums?* 0xFF00 - software string. Ex: "May 17, 2017 - V1.45"* 0xFFE4- AVD vector* 0xFFE6 - SCI / UART vector* 0xFFE8 - Timer B vector* 0xFFEA - Timer A vector* 0xFFEC - SPI vector* 0xFFEE - vector unused on this chip* 0xFFF0 - EI3 vector* 0xFFF2 - EI2 vector* 0xFFF4 - EI1 vector* 0xFFF6 - EI0 vector* 0xFFF8 - MCC/RTC vector* 0xFFFA - vector unused on this chip* 0xFFFC - Trap vector* 0xFFFE - Reset vector
IDA Pro uses CPU type ST7->ST72324J6 during loading, and can load the Intel Hex file produced by the programmer directly for analysis.
!Original Setting
|-
|Watchdog Reset on Halt(Reset On Entering Halt)
|Reset generation when entering HALT mode
|-
|Software (watchdog to be enabled by software)
|-
|Low Voltage Detection Selection(LVD Config)
|Highest Voltage Threshold
|-
|1,2
|}
[https://github.com/Reid-n0rc/LMS-6_Interface_Board/blob/main/LMS-6_Interface_Board_Rev_10.pdf LMS-6 Interface Board Schematic Rev 10]
=====Circuit Power Options=====
The LMS-6 Inteface board offers four power options to power LMS-6. Components for any of the power options can be omitted if they will be unused to reduce the build the build cost.
====== Battery Power ======
The LMS-6 can be powered using three CR123 lithium batteries connected to the LMS-6 onboard battery holders. Batter power is enabled by jumpering Pin 1 and Pin to of J6 together.
====== USB 5V Power ======
The LMS-6 can be powered from the J4 Micro USB B connection. This is enabled by jumpering Pin 2 and Pin 3 of J2; Pin 2 and Pin 3 of J6.
=====USB to UART=====
The LMS-6 interface includes a FT-2232 USB to UART. UART1 is connected to GPS. The default baud rate for the GPS is 38400 bps. UART 2 TX is connected to U3 pin 19 on the LMS-6.
If the connections are wrong, they can swapped using JP1,JP2 and JP4, JP5.
=====In Circuit Programming=====
===== eFuse =====
<br />
==Reference==
