This repo serves as some research to modify the hex dump of the official firmware of the LMS6.
Most of this information will apply only to the 403 MHz model, you'll know if you have this one as it has an additional wire with no sensors attached to it, that's the antenna
However, any 1680 firmware dumps I obtain I will also post here.
DISCLAIMER: It's not known if hex dumps from other radiosondes will run fine on your radiosonde. I still haven't fully understood all of the differences between the firmware, BUT likely the differences are calibration data and serial number information.
To connect to the LMS6, I recommend using Reid's Interface Board, you only need to add the ST7 Port and the card edge connector. You'll need to use an Rlink programmer with RFlasher7. Select ST72324J6 for the chip. If you encounter error 11 when writing, make sure you're using a power supply and erase the chip before writing.
To convert the hexdump to a binary to use many tools, run the following commands
- Hex->Bin -
objcopy -I ihex -O binary lms6_xxxxxxx.hex lms6_xxxxxxx.bin - Bin->Hex -
objcopy -I binary -O ihex lms6_xxxxxxx.bin lms6_xxxxxxx.hex
dumps/- ROM dumps from LMS6 boards, file names should be namedlms6_<SERIAL>.hex/bin. Firmware is v1.45 unless otherwise noted.mods/- Modified ROMs for example purposes, you might be able to flash it without problems but I'm not sure if calibration data exists and if that would mess your board up.
These are known modifications you can make to the hexdump.
For ease of use with programs like hex editors, all modifications will be written from the perspective of a hex editor. You could just modify the hex file, but it's just easier this way.
You can change the serial number to any 7 digit number
-
First, you'll need to get the 3 hex bytes which we'll change in the dump, I'd recommend using RapidTables' Decimal to Hexidecimal Converter. Type in a 7 digit number and you'll get back a hex number to modify. For example,
1234567is12D687. -
In the file, go to
0xe003, you'll replace the 3 bits, you'll see it surrounded by00, don't replace those.
If done correctly, your radiosonde will now have a different serial number. I would not change this number when you aren't testing, you don't want collisions with other radiosondes.
It is possible to change the TX frequency by modifying what is sent to the cc1050(radio) register.
I'd like to give a huge thanks to rsavxc for providing a Ida db and a reference sheet on the frequency register, here's the respective links for this information.
Here's what I've found so far in reguards to changing the frequency.
-
The dip switches correspond to a frequency register, also shown in the cc1050 calculator linked above.
-
Dip 1 is located at
0x9cdb
03,05, and07seem to separate the 3 values. There also seems to be 6 bytes between each register, which I think are related to the FSEP and REFDIV as mentioned on the calculator. -
Make sure you get these values right, adjust the FSEP and REFDIV to the respective values(I used 10 and 55 to get it working). Try to get your error Hz around the same ones the factory frequencies have.
-
Copy the generated number under "FREQ REG Calc" and paste it into column D, and adjust it until it gives a small error, you'll take that number and convert it into hex.
I made a modified firmware in the mods/ directory using the frequency given in the screenshot if you want to compare or even try and flash it on your own radiosonde. I've noticed some weird issues if you mess up the calculations on this number, such as the bandwidth increasing or other funky business. -
TL;DR if you want a ham band frequency and don't care to try to calculate things yourself, replace
03 44 05 AF 07 FEwith03 47 05 81 07 91on0x9D8Eand flip all the dip switches on.This is what you'll find when you use those numbers, it's hovering around 422.512 MHz
