Upcoming Rigol DSG815/830
TurboTom:
Since the discussion on Siglent's counterpart to this generator turned into the direction of evaluating in how far an I/Q modulator "hack" could be possible, and the DSG800A series offers much more functionality than Siglent's products (internal baseband generator), I decided to take a closer look at Dave's teardown photos of the DSG815.
It's actually quite amazing how simple the operational principle of this generator is. As always, the difficulty is located in the details. Generally speaking, the DSG800 works in the upper frequency range (probably >300MHz) as a plain PLL VFO with several, switchable frequency dividers and a whole bunch of configurable low pass / band pass filters. The whole unit is full of switching diodes and non-reflective switches (HMC284). The first LO is split into three ranges and is almost a carbon copy of the corresponding section of the DSA815 spectrum analyzer. The reference frequency for the HMC704 PLL is generated by an AD9781 DAC (and not as I initially mistakenly indicated in my scheme, supplied directly from the 10MHz reference oscillator). This way, frequency and phase modulation is possible. The second channel of the DAC is used to generate the LF output signal. The DAC clock is supplied by the highly stable Z-COMM CRO3640B-LF VCO (3.64GHz), controlled by an ADF4106 PLL, divided by eight, hence it's 405MHz 455MHz (already forgot how to properly divide by two... |O).
To generate lower frequencies, a minicircuits ADE-12MH mixer is used to mix the 1LO output with 910MHz from the aforementioned synthesizer.
In my scheme, I used orange for the signal path on the visible side and magenta to approximately show what's going on on the hidden side of the PCB. I may have missed a filter or two on the hidden side, but the working principle should be covered fairly accurately.
It gets obvious that the I/Q add-on board contains more circuitry than just a few ESD protection devices and some interconnections, it's got to contain the complete I/Q modulator, and as it seems also considerable circuitry to generate the I/Q baseband signal. So no easy hack, if possible at all...
But a possibly more interesting conclusion on the circuitry may be that it should be possible to output much higher frequencies than 1.5GHz since it's possible to route the oscillator signal through the instrument without passing any frequency divider. Moreover, all the semiconductors used should be able to handle up to approx. 4GHz (I didn't believe that initially before I did the reverse engineering). So we may actually be up to a surprise if we compare this 1.5GHz version to one of the higher-frequency specimen of that model range... Another amazing detail: The PA is a NPTB00004A, capable of >5W at 4GHz!
So I'd say this unit contains very good hardware and there may actually be a chance for "improvement" of the entry models. What kind of calibration would be necessary afterwards is written on a different page, though... ???
tv84:
--- Quote from: TurboTom on July 09, 2020, 03:48:12 pm ---So I'd say this unit contains very good hardware and there may actually be a chance for "improvement" of the entry models. What kind of calibration would be necessary afterwards is written on a different page, though... ???
--- End quote ---
This usually means ;D for everyone and |O for me! :popcorn:
We definitely need a specimen to do some testing.
TurboTom:
--- Quote from: tv84 on July 09, 2020, 03:56:30 pm ---This usually means ;D for everyone and |O for me! :popcorn:
We definitely need a specimen to do some testing.
--- End quote ---
Yes I know ... Sorry for that ;)
But I cannot get rid of the impression that you consider it as some kind of sport... 8)
chicken:
I dug into the firmware last spring after I bought a DSG815 in a clearance sale. I think 3 GHz (DSG830) is just a software option. There are a lot of inert debug strings in the code that should help with reversing.
A few random snippets from my notes:
Model code name is DORY.
Shortly after boot the firmware checks configuration variables to determine the model. There's also a mystery file (E:\\LqepdclquJ.txt) whose content is checked for certain operations, for example to enter MANAGER and FACTORY modes (IIRC via the :PRIVate:SOFT:MODE SCPI command). I reversed the content of the file by emulating the firmware, but I haven't tried whether putting it on a USB stick does anything.
The SSP SCPI commands may be for communication with the FPGA controlling the RF hardware.
RTOS is MQX 3.7 with MFS 3.0.0 and lwIP of unknown version.
Compile options for MQX likely were:
MQX_CHECK_MEMORY_ALLOCATION_ERRORS
MQX_EXIT_ENABLED
MQX_MONITOR_STACK
MQX_TD_HAS_STACK_LIMIT
MQX_USE_COMPONENTS
MQX_USE_IDLE_TASK
MQX_USE_INTERRUPTS
MQX_USE_MEM
MQX_USE_UNCACHED_MEM
PSP_HAS_DATA_CACHE
PSP_HAS_SUPPORT_STRUCT
PSP_STACK_ALIGNMENT = 0x1f
Attached my notes to extract the firmware binaries from firmware upgrade files.
Attached my notes about the mystery file.
Attached the full list of SCPI commands extracted from the 00.01.06.00.01 firmware image.
chicken:
PS: And here are my notes about loading extracted firmware binaries with Ghidra and radare2:
fw-vectors-0x00000000.bin
ARM vector table, loaded to 0x0
fw-app-0x40000000.bin
ARMv5t 32bit application code, loaded to 0x40000000
Code entry point: 0x4022004c
Loading into Ghidra:
Create new project
Open CodeBrowser
Import file: fw-vectors, architecture ARMv5/T little endian, location 0, name vectors (don't analyze)
Add to program: fw-app, location 0x40000000, name app (ALT-I)
Disassemble at 0 (F11)
Loading into r2:
r2 -a arm -b 32 -m 0x40000000 ./fw-app-0x40000000.bin
e anal.ignbithints=true
o ./fw-vectors-0x00000000.bin 0x0 rwx
PM me if you want a copy of my Ghidra project.
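Added example, not part of any post in this thread: a way to sanity-check the memory map described in the loading notes above before starting analysis, by decoding the eight ARM exception vectors and confirming that every handler address lands inside a loaded segment. The sample table bytes and the app segment size are constructed for illustration, and the table is assumed to use the usual `B` or `LDR PC, [PC, #imm]` entries; only the two load addresses and the 0x4022004c entry point come from the notes.

```python
import struct

NAMES = ["reset", "undef", "swi", "prefetch_abort",
         "data_abort", "reserved", "irq", "fiq"]

def decode_vectors(blob, base=0):
    """Map each ARM exception vector to its handler address (or None)."""
    out = {}
    for i, name in enumerate(NAMES):
        pc = base + 4 * i + 8                     # ARM-state PC reads as insn + 8
        (insn,) = struct.unpack_from("<I", blob, 4 * i)
        target = None
        if (insn & 0x0F000000) == 0x0A000000:     # B <label>, signed 24-bit word offset
            off = insn & 0x00FFFFFF
            off -= (off & 0x800000) << 1          # sign-extend
            target = (pc + 4 * off) & 0xFFFFFFFF
        elif (insn & 0x0F7FF000) == 0x051FF000:   # LDR PC, [PC, #+/-imm12]
            imm = insn & 0xFFF if insn & 0x800000 else -(insn & 0xFFF)
            lit = pc + imm - base                 # offset of the literal in blob
            if 0 <= lit <= len(blob) - 4:
                (target,) = struct.unpack_from("<I", blob, lit)
        out[name] = target
    return out

def locate(vectors, segments):
    """Return {name: (target, containing segment name or None)}."""
    report = {}
    for name, target in vectors.items():
        hit = None
        if target is not None:
            addr = target & ~1                    # bit 0 selects Thumb state on ARMv5T
            hit = next((s for s, lo, size in segments if lo <= addr < lo + size), None)
        report[name] = (target, hit)
    return report

def sample_vectors():
    """Constructed 64-byte table for illustration, not dumped from a device."""
    insns = [0xE59FF018] * 8                      # LDR PC, [PC, #0x18]
    insns[5] = 0xEAFFFFFE                         # reserved slot: branch to self
    pool = [0x4022004C, 0x40220101, 0x40220200, 0x40220300,
            0x40220400, 0, 0x40220500, 0x80000000]
    return struct.pack("<16I", *insns, *pool)

# Load addresses follow the notes above; both sizes are assumed.
SEGMENTS = [("vectors", 0x0, 64), ("app", 0x40000000, 0x300000)]

if __name__ == "__main__":
    for name, (target, seg) in locate(decode_vectors(sample_vectors()), SEGMENTS).items():
        shown = "undecoded" if target is None else f"{target:#010x}"
        print(f"{name:15} {shown:>10}  {seg or 'UNMAPPED'}")
```

A handler reported as UNMAPPED (the constructed fiq entry here) points to a wrong load address or a missing segment, which is worth resolving before trusting any cross-references in the disassembly.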