Author Topic: EEVblog #1207 - ARM Dev Boards Falling From The Sky!  (Read 1630 times)

0 Members and 1 Guest are viewing this topic.

Online EEVblog

  • Administrator
  • *****
  • Posts: 30541
  • Country: au
    • EEVblog
EEVblog #1207 - ARM Dev Boards Falling From The Sky!
« on: May 01, 2019, 09:31:04 pm »
Hackable STM32 based ARM RF dev boards are literally falling from the sky!
A teardown of two weather balloon Vaisala radiosondes, the RS41 and RS92.

Repurposing tre RS41: http://www.om3bc.com/docs/rs41/rs41_en.html

Paper on capacitive humidity sensors: https://pdfs.semanticscholar.org/0728/24b548d91516d765c4b7facdceb350d61cdd.pdf

« Last Edit: May 01, 2019, 09:33:40 pm by EEVblog »
 

Offline Cnoob

  • Regular Contributor
  • *
  • Posts: 122
  • Country: gb
Re: EEVblog #1207 - ARM Dev Boards Falling From The Sky!
« Reply #1 on: May 02, 2019, 03:55:14 am »
You don't have any old Japanese ones Dave?  :)
 

Offline thieringpeti

  • Contributor
  • Posts: 18
  • Country: hu
Re: EEVblog #1207 - ARM Dev Boards Falling From The Sky!
« Reply #2 on: May 02, 2019, 06:28:40 am »
Hi, and welcome from Hungary!

I've collected a huge lot of those, and extracted CPU's. The Hungarian weather service in Budapest now using RS41-SGP, with the piggy board attached to the main PCB, so one sonde = two STM32's, winner-winner chicken dinner.
Our weather service has an other station, which uses the GRAW DFM-09. Until 2017, these sondes are also relased from Budapest, mixed with RS92's. Then the RS92 sounding station failed, the weather service has bought a new MW41 sounding system, and the GRAW launching is permamently moved to our south, Szeged station, but until that move, I've collected a big lot of those GRAW sondes, and I made a teardown document of it. The DFM-09 has an NTC temperature sensor, a stock humidity chip, a Telit JN3 or SL869 GPS module, an STM32F100C8T6 MCU, and an analogue radio transmitter with a synthesiser chip, modulated by the DAC output of the STM32! This radio circuit is built of RF transistors, and the analogue oscillator's range is only 399~406 MHz. On the board, there's also a place for a simple I2C/SPI pressure sensor module.  https://picclick.de/Radiosonde-Graw-Dfm-09-Wettersonde-Dwd-Ohne-Temperatur-Luftdruck-292820320148.html#&gid=1&pid=10

The temperature sensor of the RS92 family sondes is a special THERMOCAP sensor, two wires and a special epoxy glue. This sensor is capacitive. The RS41 has a platinum resistor, absolutely different design.

For the RS41 PCB loop, seen around the QR code of the PCB is a special RFID communication interface, with a 13.56 MHz communication. The carrier detect, and the modulation circuit is directly connected to the MCU. That's the way how the MW41 station communicates with the sonde, exchanging calibration data, transmitter frequency, etc... see manual: https://www.vaisala.com/sites/default/files/documents/Vaisala%20Radiosonde%20RS41-SG%20and%20RS41-SGP%20User%20Guide%20M211667EN.pdf

In France, another brand of radiosondes exist, the Meteomodem M10. https://www.flickr.com/photos/szgydezign/albums/72157661240623875 (photos of my friend). The Austrian weather service evaluated those sondes, and we've caught a few of them with my friend, George.
« Last Edit: May 02, 2019, 07:02:54 am by thieringpeti »
 
The following users thanked this post: thm_w

Offline thieringpeti

  • Contributor
  • Posts: 18
  • Country: hu
Re: EEVblog #1207 - ARM Dev Boards Falling From The Sky!
« Reply #3 on: May 02, 2019, 06:46:40 am »
OM3BC's page of RS41's: http://www.om3bc.com/docs/rs41/rs41_en.html
Github of a polish firmware: https://github.com/Qyon/STM32_RTTY
Australian fork of those: https://github.com/darksidelemm/RS41HUP
Other interesting project: https://github.com/darksidelemm/RS41FOX (search RS41 at github!)
Open source receivers: https://github.com/rs1729/RS/tree/master/rs41
Hardware analysis with schematics by Bazjo: https://github.com/bazjo/RS41_Hardware
Bazjo's radiosonde page: https://sondehunt.de/language/en/vaisala-rs41


My analysis of the RS41, written by a year ago for a radiosonde related, closed group:


Most important parts:

STM32F100C8T6B CPU (same as DFM-09) with a 24MHz XTAL. (important to turn off the PLL clock and connect SYSCLK directly to HSE in the init script!)
Silicon Labs Si4032 radio NOTE! 26MHz clock from GPS, instead of 30 MHz! Frequency calculations differ from datasheet!
U-blox UBX-G6010-ST GPS chipset
TPS61202 Boost-converter, set to 3.6V
3V LDO's for each main unit (radio, GPS, CPU, sensors) marked "A811" (unknown type, ~LP2985). Later versions: mark ODM, TLV70030DDCR


Power distribution: 2xAA batteries (Energizer L91), with a FET power switch to the main boost converter. Then, the power is distributed to the main 3.6V rail, feeding the LDO's. Power ON FET can be turned off by CPU by PA12. Power is also enabled by hardware on NFC reception or pressing the ON button.
Battery voltage can be monitored by ADC value on PA5. The different sections have separate LDO's from the rail.


User interface: a pushbutton (hardwired to PWR_ON FET. Button press can be read by the ADC value of PA6), two LED's (red - PB8, green - PB7).

Peripherials:

GPS: connected to UART1
Radio: Connected to SPI2, Chip select:software NSS, MCU PIN2 / PC13
UART3 is available directly on the 10-pin connector. USART2 is not available, its pins are used for the sensor circuit.

NFC interface: operated by software, only a few parts (fast diodes & transistors) are used to interface with the NFC loop. A similar solution can be seen HERE or HERE

Analog section:

DG9411 (code 4DVA, SC-70 package) and TS3A4751PWR (YC751) CMOS switches used for switching the measured signals.
For buffering/inverting the CMOS signals, a 74LVC3G34DC (TSSOP-08 code Y34) and a 74hcu04 is used.

There is also an unknown part coded Z27B, 6-pin SC-70 package. UPDATE: it may be an NC7SZ27 3-input OR gate, but it has triangle waves on it, so it may be an analogue switch or op. amplifier.

Sensors: the RS41 has the most advanced sensors compared to its competitiors. The old "thermocap" temperature measurement capacitor used on RS92 family is replaced by a platinum thermistor. The glass-based humidity sensor is also improved, it has 3 main parts: capacitive humidity sensor, a temperature compensation resistor, and a heating resistor. The humidity sensor can be heated periodically, removing the moisture from the sensor. The RS41 has only one humidity sensor, while the older RS92 has two of them, one in pre-heating, and one in measurement stage. This method, when the sensor heating can be enabled / disabled by software, power usage can be minimized. DFM09 and M10 don't have a heated humidity sensor, so crossing and leaving clouds can cause invalid humidity data. Heating can be turned on/off by MCU PIN 46 (PB9).

The sensor data is encoded as pulses. When the selector pins are altered by the MCU, the analog part sends back pulses to the MCU port PA1. The temperature readout is doubled in every measurement cycle. Humidity sensor has two reference capacitors.

Optional pressure sensor module (RPM411):
This module is installed in the RS41-SGP model. The module has an additional STM32F100C8T6 MCU, which is connected to the sonde MCU by an SPI connection, with a separate chip select line. Parameters are read in every second.
The pressure is sensed by a Barocap(tm), with a 15pF reference capacitor. The module has also an NTC temperature sensor.
IC's on the board are almost the same models used on sonde PCB, CMOS switches, 3V LDO, and precision op amps.
RPM411 and external dataflash (RS41-SGM) cannot be used together, because both peripherials are using same Chip Select. (PB2 of main MCU).

Optional 8mbit (1MByte) M25PE80VP flash memory used on military models for delayed transmission. This SO-08 packaged memory chip is also connected to SPI2, and using PB2 for chip select.

Sonde connector UART works on 9600bps / 8 / N / 1

it gives a simple response during poweron, but no terminal is available, it doesn't react on keystrokes.
It may react on NFC commands. The NFC coil is connected to PA11 / PB0 pins of the MCU. I think, coil energization triggers an interrupt on PA11 (EXTERNAL INTERRUPT #11), and the sonde MCU can pull down the coil load by raising PB0 (as GPIO or as a timer output compare).
So a simple NFC protocol may be implemented by software.
The coil is also connected to the power on circuit by a simple switching diode, to turn the sonde on if the launch station wants to communicate.

Code: [Select]
Vaisala RS41 Radiosonde SW V2.02.14
Copyright (c) Vaisala Oyj 2016. All rights reserved.
Serial number: P231xxxx
Pressure module serial number: P222xxxx SW V2.01
Transmitter frequency: 403.00 MHz
Transmitter power: 3/7

Enabled TX


STM32Cube project file (save as .ioc)
Code: [Select]
#MicroXplorer Configuration settings - do not modify
ADC1.Channel-0\#ChannelRegularConversion=ADC_CHANNEL_TEMPSENSOR
ADC1.IPParameters=Rank-0\#ChannelRegularConversion,Channel-0\#ChannelRegularConversion,SamplingTime-0\#ChannelRegularConversion,NbrOfConversionFlag,master
ADC1.NbrOfConversionFlag=1
ADC1.Rank-0\#ChannelRegularConversion=1
ADC1.SamplingTime-0\#ChannelRegularConversion=ADC_SAMPLETIME_1CYCLE_5
ADC1.master=1
File.Version=6
KeepUserPlacement=false
Mcu.Family=STM32F1
Mcu.IP0=ADC1
Mcu.IP1=NVIC
Mcu.IP2=RCC
Mcu.IP3=SPI2
Mcu.IP4=SYS
Mcu.IP5=USART1
Mcu.IP6=USART3
Mcu.IPNb=7
Mcu.Name=STM32F100C(8-B)Tx
Mcu.Package=LQFP48
Mcu.Pin0=PC13-TAMPER-RTC
Mcu.Pin1=PC14-OSC32_IN
Mcu.Pin10=PA5
Mcu.Pin11=PA6
Mcu.Pin12=PA7
Mcu.Pin13=PB0
Mcu.Pin14=PB1
Mcu.Pin15=PB2
Mcu.Pin16=PB10
Mcu.Pin17=PB11
Mcu.Pin18=PB12
Mcu.Pin19=PB13
Mcu.Pin2=PC15-OSC32_OUT
Mcu.Pin20=PB14
Mcu.Pin21=PB15
Mcu.Pin22=PA8
Mcu.Pin23=PA9
Mcu.Pin24=PA10
Mcu.Pin25=PA11
Mcu.Pin26=PA12
Mcu.Pin27=PA13
Mcu.Pin28=PA14
Mcu.Pin29=PA15
Mcu.Pin3=PD0-OSC_IN
Mcu.Pin30=PB3
Mcu.Pin31=PB4
Mcu.Pin32=PB5
Mcu.Pin33=PB6
Mcu.Pin34=PB7
Mcu.Pin35=PB8
Mcu.Pin36=PB9
Mcu.Pin37=VP_ADC1_TempSens_Input
Mcu.Pin38=VP_SYS_VS_ND
Mcu.Pin39=VP_SYS_VS_Systick
Mcu.Pin4=PD1-OSC_OUT
Mcu.Pin5=PA0-WKUP
Mcu.Pin6=PA1
Mcu.Pin7=PA2
Mcu.Pin8=PA3
Mcu.Pin9=PA4
Mcu.PinsNb=40
Mcu.UserConstants=
Mcu.UserName=STM32F100C8Tx
MxCube.Version=4.22.0
MxDb.Version=DB.4.0.220
NVIC.BusFault_IRQn=true\:0\:0\:false\:false\:true
NVIC.DebugMonitor_IRQn=true\:0\:0\:false\:false\:true
NVIC.HardFault_IRQn=true\:0\:0\:false\:false\:true
NVIC.MemoryManagement_IRQn=true\:0\:0\:false\:false\:true
NVIC.NonMaskableInt_IRQn=true\:0\:0\:false\:false\:true
NVIC.PendSV_IRQn=true\:0\:0\:false\:false\:true
NVIC.PriorityGroup=NVIC_PRIORITYGROUP_4
NVIC.SVCall_IRQn=true\:0\:0\:false\:false\:true
NVIC.SysTick_IRQn=true\:0\:0\:false\:false\:true
NVIC.UsageFault_IRQn=true\:0\:0\:false\:false\:true
PA0-WKUP.GPIOParameters=GPIO_Label
PA0-WKUP.GPIO_Label=NFC_FIELD
PA0-WKUP.Locked=true
PA0-WKUP.Signal=S_TIM2_CH1_ETR
PA1.GPIOParameters=GPIO_Label
PA1.GPIO_Label=INPUT_MEASURED_VALUE_COUNT
PA1.Locked=true
PA1.Signal=GPXTI1
PA10.GPIOParameters=GPIO_Label
PA10.GPIO_Label=GPS_RX
PA10.Mode=Asynchronous
PA10.Signal=USART1_RX
PA11.GPIOParameters=GPIO_Label
PA11.GPIO_Label=NFC_CARRIER_DETECT_EXT_IRQ11
PA11.Locked=true
PA11.Signal=GPXTI11
PA12.GPIOParameters=GPIO_Label
PA12.GPIO_Label=POWER_OFF
PA12.Locked=true
PA12.Signal=GPIO_Output
PA13.Locked=true
PA13.Signal=SYS_JTMS-SWDIO
PA14.Locked=true
PA14.Signal=SYS_JTCK-SWCLK
PA15.GPIOParameters=GPIO_Label
PA15.GPIO_Label=GPS_RESET
PA15.Locked=true
PA15.Signal=GPIO_Output
PA2.GPIOParameters=GPIO_Label
PA2.GPIO_Label=HUMI_MODE_SELECT_START
PA2.Locked=true
PA2.Signal=GPIO_Output
PA3.GPIOParameters=GPIO_Label
PA3.GPIO_Label=T_MEAS_SEL0
PA3.Locked=true
PA3.Signal=GPIO_Output
PA4.GPIOParameters=GPIO_Label
PA4.GPIO_Label=ADC_IN4_OPTIONAL_INTERNAL_TEMP
PA4.Locked=true
PA4.Signal=ADCx_IN4
PA5.GPIOParameters=GPIO_Label
PA5.GPIO_Label=ADC_IN5_VBAT
PA5.Locked=true
PA5.Signal=ADCx_IN5
PA6.GPIOParameters=GPIO_Label
PA6.GPIO_Label=ADC_IN6_BUTTON
PA6.Locked=true
PA6.Signal=ADCx_IN6
PA7.GPIOParameters=GPIO_Label
PA7.GPIO_Label=ADC1_IN7_HEATING_MONITOR
PA7.Locked=true
PA7.Signal=ADCx_IN7
PA8.GPIOParameters=GPIO_Label
PA8.GPIO_Label=RCC_MCO_TO_PRESSURE_MODULE
PA8.Mode=Clock-out
PA8.Signal=RCC_MCO
PA9.GPIOParameters=GPIO_Label
PA9.GPIO_Label=GPS_TX
PA9.Mode=Asynchronous
PA9.Signal=USART1_TX
PB0.GPIOParameters=GPIO_Label
PB0.GPIO_Label=NFC_LOAD_COIL_BGD_BASE
PB0.Locked=true
PB0.Signal=GPIO_Output
PB1.GPIOParameters=GPIO_Label
PB1.GPIO_Label=EXT_PIN4
PB1.Locked=true
PB1.Signal=GPIO_Input
PB10.GPIOParameters=GPIO_Label
PB10.GPIO_Label=EXT_USART_TX_PIN3
PB10.Mode=Asynchronous
PB10.Signal=USART3_TX
PB11.GPIOParameters=GPIO_Label
PB11.GPIO_Label=EXT_USART_RX_PIN2
PB11.Mode=Asynchronous
PB11.Signal=USART3_RX
PB12.GPIOParameters=GPIO_Label
PB12.GPIO_Label=TEMP_MODE_SELECT_START
PB12.Locked=true
PB12.Signal=GPIO_Output
PB13.Mode=Full_Duplex_Master
PB13.Signal=SPI2_SCK
PB14.Mode=Full_Duplex_Master
PB14.Signal=SPI2_MISO
PB15.Mode=Full_Duplex_Master
PB15.Signal=SPI2_MOSI
PB2.GPIOParameters=GPIO_Label
PB2.GPIO_Label=PRESSURE_DATAFLASH_NSS
PB2.Locked=true
PB2.Signal=GPIO_Output
PB3.GPIOParameters=GPIO_Label
PB3.GPIO_Label=HUMI_SEL0
PB3.Locked=true
PB3.Signal=GPIO_Output
PB4.GPIOParameters=GPIO_Label
PB4.GPIO_Label=HUMI_SEL1
PB4.Locked=true
PB4.Signal=GPIO_Output
PB5.GPIOParameters=GPIO_Label
PB5.GPIO_Label=HUMI_SEL2
PB5.Locked=true
PB5.Signal=GPIO_Output
PB6.GPIOParameters=GPIO_Label
PB6.GPIO_Label=T_MEAS_SEL1
PB6.Locked=true
PB6.Signal=GPIO_Output
PB7.GPIOParameters=GPIO_Label
PB7.GPIO_Label=GREEN_LED
PB7.Locked=true
PB7.Signal=GPIO_Output
PB8.GPIOParameters=GPIO_Label
PB8.GPIO_Label=RED_LED
PB8.Locked=true
PB8.Signal=GPIO_Output
PB9.GPIOParameters=GPIO_Label
PB9.GPIO_Label=HUMIDITY_HEATING_ON
PB9.Locked=true
PB9.Signal=GPIO_Output
PC13-TAMPER-RTC.GPIOParameters=GPIO_Label
PC13-TAMPER-RTC.GPIO_Label=RADIO_NSS
PC13-TAMPER-RTC.Locked=true
PC13-TAMPER-RTC.Signal=GPIO_Output
PC14-OSC32_IN.GPIOParameters=GPIO_Label
PC14-OSC32_IN.GPIO_Label=T_MEAS_SEL_HUMITEMP
PC14-OSC32_IN.Locked=true
PC14-OSC32_IN.Signal=GPIO_Output
PC15-OSC32_OUT.GPIOParameters=GPIO_Label
PC15-OSC32_OUT.GPIO_Label=T_MEAS_SEL_MAINTEMP
PC15-OSC32_OUT.Locked=true
PC15-OSC32_OUT.Signal=GPIO_Output
PCC.Checker=false
PCC.Line=STM32F100 Value Line
PCC.MCU=STM32F100C(8-B)Tx
PCC.PartNumber=STM32F100C8Tx
PCC.Seq0=0
PCC.Series=STM32F1
PCC.Temperature=25
PCC.Vdd=3.3
PD0-OSC_IN.Mode=HSE-External-Oscillator
PD0-OSC_IN.Signal=RCC_OSC_IN
PD1-OSC_OUT.Mode=HSE-External-Oscillator
PD1-OSC_OUT.Signal=RCC_OSC_OUT
PinOutPanel.RotationAngle=0
RCC.ADCFreqValue=12000000
RCC.AHBFreq_Value=24000000
RCC.APB1Freq_Value=24000000
RCC.APB1TimFreq_Value=24000000
RCC.APB2Freq_Value=24000000
RCC.APB2TimFreq_Value=24000000
RCC.FCLKCortexFreq_Value=24000000
RCC.FamilyName=M
RCC.HCLKFreq_Value=24000000
RCC.HSE_VALUE=24000000
RCC.IPParameters=ADCFreqValue,AHBFreq_Value,APB1Freq_Value,APB1TimFreq_Value,APB2Freq_Value,APB2TimFreq_Value,FCLKCortexFreq_Value,FamilyName,HCLKFreq_Value,HSE_VALUE,MCOFreq_Value,PLLCLKFreq_Value,PLLMCOFreq_Value,RCC_MCOSource,SYSCLKFreq_VALUE,SYSCLKSource,TimSysFreq_Value
RCC.MCOFreq_Value=24000000
RCC.PLLCLKFreq_Value=8000000
RCC.PLLMCOFreq_Value=4000000
RCC.RCC_MCOSource=RCC_MCO1SOURCE_HSE
RCC.SYSCLKFreq_VALUE=24000000
RCC.SYSCLKSource=RCC_SYSCLKSOURCE_HSE
RCC.TimSysFreq_Value=24000000
SH.ADCx_IN4.0=ADC1_IN4,IN4
SH.ADCx_IN4.ConfNb=1
SH.ADCx_IN5.0=ADC1_IN5,IN5
SH.ADCx_IN5.ConfNb=1
SH.ADCx_IN6.0=ADC1_IN6,IN6
SH.ADCx_IN6.ConfNb=1
SH.ADCx_IN7.0=ADC1_IN7,IN7
SH.ADCx_IN7.ConfNb=1
SH.GPXTI1.0=GPIO_EXTI1
SH.GPXTI1.ConfNb=1
SH.GPXTI11.0=GPIO_EXTI11
SH.GPXTI11.ConfNb=1
SH.S_TIM2_CH1_ETR.0=TIM2_CH1
SH.S_TIM2_CH1_ETR.ConfNb=1
SPI2.CalculateBaudRate=12.0 MBits/s
SPI2.Direction=SPI_DIRECTION_2LINES
SPI2.IPParameters=VirtualType,Mode,Direction,CalculateBaudRate
SPI2.Mode=SPI_MODE_MASTER
SPI2.VirtualType=VM_MASTER
USART1.IPParameters=VirtualMode
USART1.VirtualMode=VM_ASYNC
USART3.IPParameters=VirtualMode
USART3.VirtualMode=VM_ASYNC
VP_ADC1_TempSens_Input.Mode=IN-TempSens
VP_ADC1_TempSens_Input.Signal=ADC1_TempSens_Input
VP_SYS_VS_ND.Mode=No_Debug
VP_SYS_VS_ND.Signal=SYS_VS_ND
VP_SYS_VS_Systick.Mode=SysTick
VP_SYS_VS_Systick.Signal=SYS_VS_Systick


There's some info in the attached files, too.
« Last Edit: May 02, 2019, 07:27:44 pm by thieringpeti »
 

Offline thieringpeti

  • Contributor
  • Posts: 18
  • Country: hu
Re: EEVblog #1207 - ARM Dev Boards Falling From The Sky!
« Reply #4 on: May 02, 2019, 06:49:48 am »
Some images of the sonde PCB
 

Offline thieringpeti

  • Contributor
  • Posts: 18
  • Country: hu
Re: EEVblog #1207 - ARM Dev Boards Falling From The Sky!
« Reply #5 on: May 02, 2019, 06:52:12 am »
Some images of the pressure sensor. Also there's a protocol discovery on the UART of this piggyboard, which communicates by SPI, but the UART gives response on commands!

Code: [Select]
Vaisala RPM411 Radiosonde Pressure Module SW V2.01
Copyright (c) Vaisala Oyj 2017. All rights reserved.
Module serial number: P222xxxx
Sensor serial number: L23A08
Parameter setup not done

>help

? - Print basic information
HELP - Print command menu
R - Start RUN mode
S - Stop RUN mode and go to STOP mode
INTV - Set interval [s] between results in RUN mode
SEND - Print latest results
SERI - port baudrate - Set baud rate for given port
PASS - password - Give password to access service level
ADDR - address - Set/show device MAC address

>addr
Address              : 0

>send
NK1: 0 NK2: 0 NP: 0 Tntc: 51.81 P: -181.38 Tmcu: 65.02 V: 0.001

>r
NK1: 0 NK2: 0 NP: 0 Tntc: 44.15 P: -181.71 Tmcu: 59.23 V: 0.001
NK1: 0 NK2: 0 NP: 0 Tntc: 44.00 P: -181.72 Tmcu: 59.06 V: 0.001
NK1: 0 NK2: 0 NP: 0 Tntc: 43.77 P: -181.73 Tmcu: 58.71 V: 0.001
NK1: 0 NK2: 0 NP: 0 Tntc: 43.58 P: -181.74 Tmcu: 58.54 V: 0.001
NK1: 0 NK2: 0 NP: 0 Tntc: 43.40 P: -181.75 Tmcu: 58.54 V: 0.001
NK1: 0 NK2: 0 NP: 0 Tntc: 43.21 P: -181.75 Tmcu: 58.20 V: 0.001
Top
 

Offline thieringpeti

  • Contributor
  • Posts: 18
  • Country: hu
Re: EEVblog #1207 - ARM Dev Boards Falling From The Sky!
« Reply #6 on: May 02, 2019, 07:11:14 am »
My GRAW DFM-09 teardown with schematics, and a bit sniffing around the UART protocol of the sonde, made a simple app in MinGW, if one wants to read the sonde by UART.

Most important parts datasheets:

CPU: STM32F100-C8T6B (http://www.st.com/content/ccc/resource/technical/document/datasheet/dd/87/fd/2a/fb/3f/48/5c/CD00251732.pdf/files/CD00251732.pdf/jcr:content/translations/en.CD00251732.pdf)
EEPROM: CAT25010 (http://www.onsemi.com/pub_link/Collateral/CAT25010-D.PDF)
Small 2-way multiplexers: NC7SZ157 (https://www.fairchildsemi.com/datasheets/NC/NC7SZ157.pdf)
Diodes for 1.8V power: BAT54SS3 (dual schottky-diodes) http://ftp01.cystekec.com/BAT54S3.pdf)
Humidity sensor FET's: BFR31 (http://www.nxp.com/documents/data_sheet/BFR30-31.pdf)
PLL: MB15E03SL PLL Synthesizer (http://www.es.co.th/Schemetic/PDF/MB15E03SL-FUJITSU.PDF)
Radio PA transistor: BFP450 (http://www.infineon.com/dgdl/Infineon-BFP450-DS-v01_02-en.pdf?fileId=db3a30431400ef680114275d537d074b)
VFO oscillator: BGA416 (http://www.infineon.com/dgdl/Infineon-BGA416-DS-v02_01-en.pdf?fileId=db3a304314dca389011541880d641635)
Humidity sensor: http://downloads.epluse.com/fileadmin/data/product/hc103m2/datasheet_HC103M2.pdf

UART is 57600-8-N-1

Code: [Select]
Command, cheksum format is always REVERSE BYTE ORDER! (for example, 0x0004 offset is 04 00, 0x0193 is 93 01)

A0 A2 [2-byte CMD] [2-byte OFFSET] [DATA BLOB] [2-byte checksum] B0 B3

CMD list:

0x0399 (99 03): prints 4 bytes of version info. (reverse byte order). Depends on the batch of the sonde. For my ones, 70207 or 70107 or 70301 (?ver 7.2.7, 7.1.7, 7.3.1)
0x0499 (99 04): writes 4 bytes of serial (reverse byte order). Must be followed by 4 bytes of valid data, or fills the first 2 bytes with random data, and after next boot, the sonde serial changes to a random number.
0x04AA (AA 04): changes the serial in the RAM. If you don't want to power cycle the sonde after changing the serial...
0x0599 (99 05): read serial (4 bytes of serial)
0x1199 (99 11): EEPROM query. (Gives 176 or 208 bytes of EEPROM data in HEX format)
0x20AA (AA 20): GPSversion. (Prints the NMEA about string of GPS in ASCII format)
0x0699 / 0x06AA (99 / AA 06): FREQ WRITE. First EEPROM, then RAM. Must be followed by 2 bytes of FREQ data in reverse byte order. The value represents the frequency increment after 400 MHz in 10 KHz steps.
0x0799 (99 07): Frequency readout.

Other commands giving constant results on all of my sondes:

0x9933 / 0xAA33 always gives a single byte of 0x03
0x9939 gives a two-byte answer varying on each sonde.
0xAA19 gives 4 bytes, which is always change (some counter? Some status register?).
0x992B gives always FFFF.
0x50AA gives 28 bytes of 00's.


messages from sonde

CC 02 02 00 [CMD] [OFFSET] - ACK, succesful write command.
CC 03 03 00 00 00 [MSG] - error or sonde powerup, common MSG's are 2C,2D,2F,34,36,38
B4 [CMD] [offset] [BLOB] - queried data from sonde


commands can be sent to sonde. First byte: CMD, second byte: Address.


99 - eeprom (?)
AA - RAM or flash (?)

then offset (for freq, 06), byte count 2-byte (for freq, 02 00), then the data, C9-00 for 402.01 MHz (0x00C9 = 201 x 10KHz, reverse byte order 0xC900)

For changing eeprom values (freq, etc), you have to first set the value in eeprom, then in RAM. (or just set EEPROM then reboot sonde).
« Last Edit: May 02, 2019, 07:18:45 am by thieringpeti »
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 10396
  • Country: 00
Re: EEVblog #1207 - ARM Dev Boards Falling From The Sky!
« Reply #7 on: May 02, 2019, 12:51:45 pm »
RE: "Fitting their cars with special antennas and tracking them down"

It's way cheaper then just ordering a dozen of them on Aliexpress.  :popcorn:
 

Offline VK5QI

  • Newbie
  • Posts: 1
  • Country: au
Re: EEVblog #1207 - ARM Dev Boards Falling From The Sky!
« Reply #8 on: May 02, 2019, 02:27:28 pm »
I guess I'd better jump into this thread and say hi!
I'm one of those people that drive out to recover these things, and my car (VK5QI_chase) was shown in one of Dave's screenshots of the tracking site sondehub.org

It isn't actually that difficult to receive signals from these radiosondes - no direction finding equipment required (usually..), and you don't really need special antennae either!
I've developed the decoder system 'radiosonde_auto_rx' ( https://github.com/projecthorus/radiosonde_auto_rx ) which uses RTLSDRs to automatically scan, decode, and upload radiosonde telemetry to various online/offline services (including sondehub.org and APRS-IS). Michael Wheeler and I presented on this at linux.conf.au the start of the year - a link to our conference talk is in the description of Dave's video. This code is based off the open source 'RS' decoders ( https://github.com/rs1729/RS ), and we have worked with rs1729 to add new features and performance test the codebase.

When chasing, I run a radiosonde_auto_rx receiver on a Raspberry Pi in my car, along with a 'chase mapping' system specifically tailored for hunting high-altitude balloons, called (imaginatively enough) chasemapper - https://github.com/projecthorus/chasemapper
This handles things like running live predictions of the balloon flight path based on Global Forecast System weather models, enabling me to predict the (approximate) landing location of the payload, and get there in time to watch it land.
« Last Edit: May 02, 2019, 02:57:30 pm by VK5QI »
 

Offline NF6X

  • Supporter
  • ****
  • Posts: 105
  • Country: us
    • Mark's Green Pages
Re: EEVblog #1207 - ARM Dev Boards Falling From The Sky!
« Reply #9 on: May 02, 2019, 04:15:11 pm »
I worked for u-Nav! I was an applications engineer, and I designed many (most?) of the evaluation, development, and demo boards. Good times. u-Nav was bought by Atheros, then they were bought by Qualcomm. Three employers, same desk. I wasn't aware that anybody was using our front end without its matching baseband processor. But it makes sense that Vaisala would have used them without me ever hearing about it here in the USA, since they naturally would have interacted with our Finland office, where most of our software development was done. Maybe I had heard about it, but just didn't interact directly enough on that project to remember it.

It didn't take Qualcomm long to kill off all of the u-Nav legacy stuff, and it's no surprise seeing uBlox in the later radiosonde.

Now I work in the veterinary RFID field. I thought that 134.2 kHz ought be be easy after working at 1.57542 GHz for so long, and it has been fun learning how wrong I was about that.
 

Offline thieringpeti

  • Contributor
  • Posts: 18
  • Country: hu
Re: EEVblog #1207 - ARM Dev Boards Falling From The Sky!
« Reply #10 on: May 02, 2019, 05:55:42 pm »
Dave!

For the end of the video, the blama. Don't forget, that the output on the opposite side is GND! You've succesfully shorted it out with Your alligator clips. Just solder a coax on the antenna pad, and the shield to the opposite side, then connect it to the scope, analyser, anything You would like. The LED signals can be the following with the original Vaisala firmware: Green blinking - waiting for GPS fix, Green light: OK, Red blinking - error during self-test (battery low, broken sensor, missing peripherial, etc...). The transmitter increases its power if the altitude reaches a few hundreds of meters prior to start, then the green LED turns off. Fallen sondes have a dark LED, but they can be turned off by pressing the button for approx 10 seconds (like turning off a frozen PC).

I've also forgot to paste the pinout of the sensor flex PCB.

RS41 sensors pinout (20-pin FFC connector, 0.5mm pitch).
The sensor boom has four parts, two 1k platinum thermometers (one for the humidity sensor, and one for measuring air temperature), a variable capacitance humidity sensor, and the heating element of the thin-film glass based humidity sensor.

Code: [Select]
1,3,5,7,10,12,14-20 - SHIELD, GND
2 - platinum temperature sensor closer end to the sonde. (to common temp pin 13)
4,6 - chip humidity sensor capacitive part
8,9 - chip humidity sensor heating element (10 ohhms)
11 -  chip humidity sensor resistive part, PT1000 (~1k, to common temp pin 13)
13 -  temperature sensor common (humi and temp sensor common)

How it's working? It has 7 different channels, and 2 measurement modes, ring oscillator realised by the HCU04 chip.
Humidity channels are selected by the 3 CMOS switches marked YC751, temperature channels are selected by the 74LVC3G34DC 4 channel switching IC. Modes are activated by a single transistor marked BGD, switching power to the desired section. Then, the pulses are fed through the 3-input OR gate, passing a 680 ohhm resistor, and delivered back to the MCU for counting.

In each mode, the microcontroller counts approx. 1200 pulses (temperature mode), and 2400 pulses (humidity mode), and determines the length of this burst, then advances to the next channel. First, the channel is selected, then the measurement is started by activating the HUMI or TEMP circuit. (PB12 / PA12) After the succesful measurement, the ports are set back to LOW level.

Pulses are delivered back to MCU on port PA1. A counter can be used, which is available on this pin. Triggering an interrupt can determine the burst length.

MCU pinout for the measurement channels: (logic level HIGH to activate)

Humidity mode:
PB4 - 1st measurement (REF1)
PB3 - 2nd measurement (HUMI value)
PB5 - 3rd measurement (REF2)
PA2 - HUMI mode activation / start measurement

Temperature mode: (the measurement runs twice, once for HUMI TEMP and again for SENSOR TEMP, each measurement containing 3 values)

PA3 - 1st measurement (REF1)
PC14 - 2nd measurement (HUMI TEMP)
PC15 - 2nd measurement (SENSOR TEMP)
PB6 - 3rd measurement (REF2)
PB12 - TEMP mode activation / start measurement

PB1 - connected to a thermistor in the reference section, via a 10k, and pulled up by a 10k also.

Reference heating: controlled by GPIO1 of Si4032 radio.
« Last Edit: May 02, 2019, 08:22:54 pm by thieringpeti »
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf