Changes

731 bytes added, 03:14, 12 February 2021
Reverse engineer more firmware locations
[[File:LMS6 bottom.jpg|left|thumb|Photo of the lower panel of the 403 MHz version of the LMS-6 Radiosonde. Of particular note are the DIP switch configurations for setting the transmit frequency.]]
[[File:RH Circuit.jpg|none|thumb|Relative Humidity Circuit section]]
[[File:Sonde_label.png|none|thumb|LMS6 Label possibly showing calibration factors.]]
<br />
 
==Disassembly==
This is a minimally destructive disassembly method that allows the payload to be put back together if you wish to reuse it for another weather balloon flight.
Original firmware is not locked and can be dumped with Rlink-STD Debugger with RFlasher7.
Vector table and other interesting addresses:
* 0xE003 - Serial number, at least 3 bytes. Ex: 0x7C6A34 is serial number 8153652, stored big-endian.
* 0xE100 to 0xE136 - something that changes between units. Maybe calibration factors? Checksums?
* 0xFF00 - software string. Ex: "May 17, 2017 - V1.45"
* 0xFFE4 - AVD vector
* 0xFFE6 - SCI / UART vector
* 0xFFE8 - Timer B vector
* 0xFFEA - Timer A vector
* 0xFFEC - SPI vector
* 0xFFEE - vector unused on this chip
* 0xFFF0 - EI3 vector
* 0xFFF2 - EI2 vector
* 0xFFF4 - EI1 vector
* 0xFFF6 - EI0 vector
* 0xFFF8 - MCC/RTC vector
* 0xFFFA - vector unused on this chip
* 0xFFFC - Trap vector
* 0xFFFE - Reset vector
IDA Pro uses CPU type ST7->ST72324J6 during loading, and can load the Intel Hex file produced by the programmer directly for analysis.
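To check a dump against the addresses listed above before opening it in a disassembler, the following added example (not part of the original page or any vendor tool) parses an Intel HEX file, verifies each record checksum, and pulls out the serial number, the software string and the interrupt vectors. The function names and the sample handler addresses are assumptions made for illustration; the sample dump is constructed from the example values on this page.

```python
# Landmarks reported on this page for the ST72324J6 dump.
SERIAL_ADDR, STRING_ADDR, VECTOR_BASE = 0xE003, 0xFF00, 0xFFE4
VECTORS = ["AVD", "SCI/UART", "Timer B", "Timer A", "SPI", "unused", "EI3",
           "EI2", "EI1", "EI0", "MCC/RTC", "unused", "Trap", "Reset"]

def load_ihex(text):
    """Parse Intel HEX data records into {address: byte}, verifying checksums."""
    mem = {}
    for n, line in enumerate(text.split(), 1):
        if not line.startswith(":"):
            raise ValueError(f"line {n}: missing ':' start code")
        raw = bytes.fromhex(line[1:])
        if len(raw) < 5 or len(raw) != raw[0] + 5:
            raise ValueError(f"line {n}: length mismatch")
        if sum(raw) & 0xFF:
            raise ValueError(f"line {n}: bad checksum")
        addr, rtype = int.from_bytes(raw[1:3], "big"), raw[3]
        if rtype == 0x01:    # end-of-file record
            break
        if rtype == 0x00:    # data record; 16-bit addresses cover the ST7 map
            mem.update({addr + i: b for i, b in enumerate(raw[4:-1])})
    return mem

def landmarks(mem):
    """Return (serial, version string, {vector address: (name, handler)})."""
    def word(addr, size):    # big-endian read; KeyError if the dump lacks it
        return int.from_bytes(bytes(mem[addr + i] for i in range(size)), "big")
    text, addr = "", STRING_ADDR
    while addr < VECTOR_BASE and 0x20 <= mem.get(addr, 0) < 0x7F:
        text, addr = text + chr(mem[addr]), addr + 1
    vectors = {VECTOR_BASE + 2 * i: (name, word(VECTOR_BASE + 2 * i, 2))
               for i, name in enumerate(VECTORS)}
    return word(SERIAL_ADDR, 3), text, vectors

def record(addr, data, rtype=0):
    """Build one Intel HEX record; used only to construct the sample below."""
    body = bytes([len(data)]) + addr.to_bytes(2, "big") + bytes([rtype]) + data
    return ":" + (body + bytes([-sum(body) & 0xFF])).hex().upper()

# Constructed sample: serial/version are the page's examples, handlers made up.
SAMPLE = "\n".join([
    record(0xE000, bytes.fromhex("0000007C6A34")),
    record(0xFF00, b"May 17, 2017 - V1.45\x00"),
    record(0xFFE4, b"".join((0x8000 + 0x10 * n).to_bytes(2, "big") for n in range(14))),
    record(0x0000, b"", 1),
])

if __name__ == "__main__":
    serial, version, vectors = landmarks(load_ihex(SAMPLE))
    print(f"serial {serial} (0x{serial:06X}), firmware {version!r}, vectors {vectors}")
```

To use it on a real dump, pass the text of the programmer's Intel HEX file to <code>load_ihex</code> in place of <code>SAMPLE</code>.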
!Original Setting
|-
|Watchdog Reset on Halt (Reset On Entering Halt)
|Reset generation when entering HALT mode
|-
|Software (watchdog to be enabled by software)
|-
|Low Voltage Detection Selection (LVD Config)
|Highest Voltage Threshold
|-