This is an old revision of the document!

Vaisala RS92-SGPD firmware

Sonde have 32KB EEPROM chip. Chip contains (probably) some firmware binary patches for VLSI DSP chip, configuration (transmitting frequency, name, callibration data, ..) and others.

Dumping EEPROM with Bus Pirate

EEPROM can be dumped trought servicing connector (flat one). Anny SPI can be used in configuration 00. Digital IO use 2.8V logic, but 3.3 V was used succesfully. Inputs might be 5 V tollerant. As power supply can be used anny source in range 4.7-10 V. Voltages bellow cca 7V will result in power-saving mode, but this does not matter for EEPROM reading. Wiring for Bus Pirate is bellow.

Pin RESET must be pulled-down for al least 2 second before anny other operation can start.

Bus Pirate pin Vaisala probe pin
+3V3 NC
+5V 2 - VCC
Vpu NC

Python script for EEPROM dump

TODO: eeprom manipulation scripts and tools


address space description

Address space in EEPROM can be visualy divided into severall subblocks. Each subblock is separeted from others by wide field of 0x00. Start address of block shows nice alignment to multiple of 0x100 +- frew bytes, those bytes might be missalignment, or more probably footer of previous block.

start address end address name description
0x0000 0x0376 blob 1 firmware binary patch?
0x0800 0x4FFF blob 2 (compressed) code? (high entropy)
0x5000 0x6FFF blob 3 (compressed) code? (high entropy)
0x7000 0x71FF blob 4 - configuration and callibration
0x7200 0x79FF blob 5 - may be a event log?
0x7A00 0x7FFF blob 6 - runtime information?

blob 1

  • loks like series of binary patches applied to code with VLSI VSDSP instruction set
// Structure description in pseudocode
unisgned char eeprom[32768]; // EEPROM content
int idx = 0;  
while (eeprom[idx] == 1) {
  int data_len = *((uint16_t*)(eeprom+idx));
  idx += 2;
  int something = *((uint16_t*)(eeprom+idx));
  idx += 2;
  process_data(eeprom+idx, data_len, something);
  idx += data_len;

blob 4 - configuration and calibration

This block (512B long) is repeatedly broadcasted by sonde, in first part of frame.

see Callibration data for details

blob 5 - log

TODO: (verification needed)

  • 4B header
  • 42B superblock
  • 7 * 6B - block

blob 6 - status

address symbol meanign
0x7A02 - 0x7A03 DOWN_CNT have something todo with frame count?
0x7A04 ST4 operation status
  • ST4
    • 0 - ?
    • 1 - ?
    • 2 - sonde is operating
    • 3 - set when battery is low (eg bellow 6 or 7 V, not sure) for some time (eg 100 frames?), sonde stop transmitting


start date (UTC) ID type start location EEPROM dump
2013-02-25 00:00 H2813056 RS92-SGPD CZ, Prague - Libuš
2013-07-03 00:00 H4043220 RS92-SGPD CZ, Prague - Libuš TODO
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki