Electronics > Projects, Designs, and Technical Stuff

Reverse engineering FNIRSI-5012H

(1/81) > >>

ataradov:
Source code is now available here https://github.com/ataradov/open-5012h

I've recently got FNIRSI-5012H, and it is a very neat device. Once again, I would not use it as a primary scope, but it is a nice addition to the multimeter.
It has a fast boot time and, finally, sane and intuitive controls from the keyboard.

But there are some minor annoyances, which would be nice to fix. For example it does not remember settings for volts/div, time/div, 1x/10x, AC/DC.
Some of the controls could be improved.

So I decided to reverse engineer the board to see if there is any possibility of making open firmware for that thing. It only took a day to completely describe the board. My findings are below.

Note that there are two models of the PCB. The first revision has 4 mechanical relays. The second revision has only one mechanical relay.
The text below only applies to the second revision.

Main components on the board:
GD32F407VET6 - MCU (Cortex-M4, 512 KB Flash, 192 KB SRAM)
AD9288 (probably a clone, no markings) - ADC
TP4056 - Li-lon Battery Charger
TLV70033DDCR - 3.3 V LDO
PC817 - Photocoupler
CPC1002N - Optically coupled solid state relay
SN74HC148 - 8-line to 3-line priority encoder
SS8550 - PNP transistor
HFD4 - Mechanical relay
OPA356 - 200 MHz, CMOS OpAmp
W25Q64JV - 64 Mbit SPI Flash
TFT Display - Based on ST7789S

The MCU is locked (can't even erase), but it does not really matter, since there is zero value to having the original binary.
New MCUs are available for $5 from LCSC. Unfortunately a chip replacement is the only way to go, unless we can find a way to exploit GigaDevice MCUs, which is unlikely.

The ADC is pin-compatible with AD9288, but there are a couple of pins in the original that are marked NC, but bypassed to ground with capacitors in this design.
It also has a hemispherical dimple for first pin marker. The original has a flat bottom dimple. So it is possibly a knock-off, but fully pin-compatible.
But they have a few NC pins on the MCU bypassed to ground as well, so may be they just know more about those devices.

There are two LDOs in the system. One is the main LDO powering all the components. The other one is dedicated to the LCD backlight. The brightness is controlled by PWMing the enable signal.
Note that the LDO inputs are always supplied by the battery. The power switch only controls enable pin of the main LDO.

The display controller type is unknown, but the 20-pin connector pinout matches commonly available LCDs, so it should not be too hard to figure out the type once we get to the ID registers.

The USB connector actually has SWDIO/SWCLK on the data pins, so this connector is used for initial programming during the manufacturing process.
There is no way to get USB working without hardware modification. Although modification would be relatively easy to do. USB FS data pins are located right next to the programming pins.
But I'm not really sure of value of the USB on this device.

CPC1002N is used for shorting the AC/DC capacitor.
SS8550 are used to control PC817s and a mechanical relay.
OPA356 is a buffer right before the ADC.
W25Q64JV is used for waveform storage (and possibly settings, but not the firmware).
SN74HC148 are used to read the keyboard. Each IC handles 8 buttons and two buttons are connected directly to the MCU pins (for a total of 18 buttons).

Allocation of keys to priority encoders (PE):
PE0.0 - STOP
PE0.1 - F1
PE0.2 - EDGE
PE0.3 - AC/DC
PE0.4 - UP
PE0.5 - RIGHT
PE0.6 - MODE
PE0.7 - AUTO

PE1.0 - 50%
PE1.1 - TRIG DOWN
PE1.2 - TRIG UP
PE1.3 - TRIG
PE1.4 - MENU
PE1.5 - SAVE
PE1.6 - LEFT
PE1.7 - DOWN

F2 and 1X10X are connected directly to the MCU pins.

It is an interesting way to reduce the number of pins required for the keyboard, but obviously only one key from the group can be detected at a time, even if multiple keys are pressed.

As to the claim of 500 MHz real time sampling, I could not confirm it in any way.
The fastest sampling rate is with 6 ns/div - 200 ns/div. In this mode both channels of the ADC are used and the clock supplied to the ADCs is 125 MHz. So at best it is a 250 MSPS scope.
With slower settings only one channel is used and the sampling rate drops to 25 MHz, 12 MHz or 5 MHz, and in some cases to 27.8 MHz. In some cases there are also periodic single clock pulses following at a rate of about 30 kHz. Not sure what that is about.
The clock is only supplied when the samples are read, so the ADCs are not clocked significant potion of the time. This can't be good for their performance. I assume they discard the first few samples.

Attenuation is set though the 7 transistors (controlling optocouplers and a relay). I number the transistors Q0-Q6 starting from the one closest to the BNC connector.
Each volts/div setting enables one transistor:
10 V/div - Q4
5 V/div - Q5
2 V/div - Q6
1 V/div - Q1
500 mV/div - Q0
200 mV/div - Q2
100 mV/div and 50 mV/div - Q3

50 and 100 mV/div are not different on the hardware level, so the amplitude is just changed in the software.
This is also the only range that is controlled using a mechanical relay.

And finally, the full pinout of the MCU:
PD0  - ADC B D0
PD1  - ADC B D1
PD2  - ADC B D2
PD3  - ADC B D3
PD4  - ADC B D4
PD5  - ADC B D5
PD6  - ADC B D6
PD7  - ADC B D7
PD8  - ADC A D7
PD9  - ADC A D6
PD10 - ADC A D5
PD11 - ADC A D4
PD12 - ADC A D3
PD13 - ADC A D2
PD14 - ADC A D1
PD15 - ADC A D0
PA8  - ADC A CLK
PA9  - ADC B CLK

PC6  - LCD_RESET
PB0  - LCD_BL_EN
PB3  - LCD_RD
PB4  - LCD_WR
PB5  - LCD_RS
PB6  - LCD_CS
PE0  - LCD_D0
PE1  - LCD_D1
PE2  - LCD_D2
PE3  - LCD_D3
PE4  - LCD_D4
PE5  - LCD_D5
PE6  - LCD_D6
PE7  - LCD_D7

PB9  - Q0
PB8  - Q1
PB7  - Q2
PC12 - Q3
PC11 - Q4
PC10 - Q5
PA15 - Q6
PC15 - AC/DC
PA4  - Offset (DAC output)

PE13 - PE0.A0
PB14 - PE0.A1
PB13 - PE0.A2
PE14 - PE0.GS
PE15 - PE1.A0
PB12 - PE1.A1
PB11 - PE1.A2
PB10 - PE1.GS
PE12 - BTN_1X10X
PE11 - BTN_F2

PA3  - FLASH_CS
PA5  - FLASH_CLK
PA6  - FLASH_MISO
PA7  - FLASH_MOSI

PB15 - CHARGE
PB1  - VBAT_SENSE (Vbat / 2)
PH0 / PH1 - 20 MHz crystal
PA13 - SWDIO
PA14 - SWCLK

ataradov:
I have a few GD32F407VET6 on a way and another scope just in case.

I have not tried to think though the actual data capture, but I assume it is DMA triggered by the same timer that generates the clock signal. Hopefully it will not be a problem.

BravoV:
Subbed and thanks for sharing & your effort.  :-+ :clap:

ataradov:
I've made a breakout board for GD32F407V to make initial project bring up easier - https://github.com/ataradov/breakout-boards/tree/master/gd32f407v PcbWay is currently making them.
The same board may be used to poke around the security locks. ST chips have some issues there, so may be there is a way to unlock the device.

Given the annoying triggering bug (https://www.eevblog.com/forum/testgear/daniu-ads5012h-100mhz-500-mss-portable-scope-for-$80-usd/msg2727270/#msg2727270) and no ability to update the regular firmware, making a new firmware is actually the only way to make this thing usable.

abyrvalg:
Why custom breakout board? Isn’t this GD32 just a clone of STM32F407VET6? There are lots of VET6 boards for sale.

Navigation

[0] Message Index

[#] Next page

There was an error while thanking
Thanking...
Go to full version
Powered by SMFPacks Advanced Attachments Uploader Mod