Recently, Joel, Adrian and I acquired a number of Vaisala RS92-SGPW digital radiosondes, with the intention of making them usable on the 70cm amateur radio band. I've talked about these radiosondes and how we obtain them in a previous post.
A (not so) brief look inside...
The RS92-SGPW consists of a GPS receiver, a sensor module (temperature, humidity & pressure), a 400MHz transmitter module, and a micro-controller tying it all together. Many of the ICs are custom-made by Vaisala, making reverse engineering the device difficult.
The micro-controller is an interesting beast, labelled with 'DSP1C'. My suspicions are that it is a dsPIC core on custom silicon, but I haven't been able to confirm this. Further investigation will look at finding the programming pins and interrogating the IC for information. The micro runs at 16MHz, provided by the GPS module, and talks to peripherals using mostly SPI. The code for the micro-controller is stored in a 256Kbit SPI EEPROM, which will be discussed later in this post.
The GPS receiver is a uBlox uN8021 RF front-end, which demodulates the GPS L1 signal, and sends samples to the micro-controller. This module is controlled via SPI on a shared bus, and also provides a 16.3676MHz clock signal to the rest of the board.
This module, which extends outside the main sonde casing, incorporates a temperature sensor, two humidity sensors, and a pressure sensor. At the moment I am unsure how it communicates with the micro-controller, as my focus has been on the radio module.
400MHz Radio Module
This module contains a Vaisala TX1B GMSK modulator, which is programmed via SPI on the shared bus. The output frequency and power are programmed from the micro-controller on boot-up. The module accepts 2400-baud synchronous serial data on pins 2 and 3 of the module, which are transmitted using GMSK modulation.
Code & Configuration Storage - The 95256 EEPROM
On the bottom left of the RS92-SGPW main-board is a small SO-8 EEPROM IC. This EEPROM contains the software for the micro-controller, as well as configuration and calibration parameters for the rest of the sonde. Adremko, from the Sondemonitor Yahoo Group, provided information on what a few of the addresses within the EEPROM mean, allowing manipulation of the output frequency and power.
To allow us to experiment with the EEPROM, Joel and I soldered wires to each pin. These wires were then hooked up to a Bus Pirate, a universal bus interface, which talks SPI along with many other serial protocols.
Using the bus pirate, we were able to see the micro-controller pull program data off the EEPROM during boot-up, and then watch other communications on the SPI bus (mainly the GPS) during sonde operation. I was able to write a number of scripts for the bus-pirates interface to read and write to addresses in the EEPROM, allowing me to read and change the output frequency control bytes. One of the bytes steps the output frequency in units of 2.56MHz, while the other steps it in units of 10KHz. A lot of trial and error later, I was able to find the upper limit of the transmitter was 423MHz. Around this point the PLL within the transmitter module cannot lock, and no output signal is produced.
To make programming the sonde easier, I wrote a Python script which uses the Bus Pirate's binary mode to talk to the EEPROM. Sample output from the script appears below:
darkside-macbook:Python darkside$ python set_frequency.pyEnter new frequency (MHz): 420.050Chosen Frequency = 420.05MHzHex values are 0xd5,0x7Opening serial connection to bus pirate...Entering binmode: OK.Entering raw SPI mode: OK.Configuring SPI.3V3 Power On.SPI Speed set to 125KHz.SPI Configuration Finished.Reading current frequency: 400.800MHzConfirm Programming of new frequency (420.05)? yClearing Status Bits.Status Register: 0x0Writing f1.Writing f2.Confirming Write: OK - Frequency set to 420.050MHz.
I also made a cable to connect the Bus Pirate to the sonde, this time using the un-populated 16-pin header to the right of the EEPROM. All of the EEPROMs connections are present on this header, and by using a IDC connector with a pin-header inserted I can connect to the sonde without any soldering.
Changing the output frequency is only the first step to making full use of these radio-sondes. If we can understand how the micro-controller is programmed, we may be able to use the radiosondes as a full-featured telemetry platform.