June 22, 2020

The DPH153-AT Femtocell - GPS traffic

The following link has nice documentation of the NMEA sentences. The GCON1 header provices access to the serial lines to the GPS chip. I see traffic from the GPS chip, but never anything going to it. Baud rate is 38400. I see (after giving the board plenty of time to get a lock):
������������������������P�$GPGGA,163910.000,3215.7881,N,11102.9078,W,1,04,14.9,744.0,M,-27.7,M,,0000*54
�����C�$GPGSV,3,1,10,02,83,255,,06,54,040,34,12,48,323,19,24,38,241,*7A
�����C�$GPGSV,3,2,10,19,33,055,32,05,19,165,,17,18,067,23,25,17,316,*75
�����)�$GPGSV,3,3,10,28,07,127,,29,04,271,*7A
�����I�$GPRMC,163910.000,A,3215.7881,N,11102.9078,W,3.13,348.14,240720,,,A*7E
R������������������������O�$GPGGA,163915.000,3215.7766,N,11102.9092,W,1,05,2.3,743.8,M,-27.7,M,,0000*60
^����C�$GPGSV,3,1,10,02,83,255,,06,54,040,33,12,48,323,18,24,38,241,*7C
�����C�$GPGSV,3,2,10,19,33,055,32,05,19,165,,17,18,067,23,25,17,316,*75
�����+�$GPGSV,3,3,10,28,07,127,22,29,04,271,*7A
	$����I�$GPRMC,163915.000,A,3215.7766,N,11102.9092,W,2.77,169.75,240720,,,A*7C
d������������������������O�$GPGGA,163920.000,3215.7734,N,11102.9096,W,1,05,2.3,743.7,M,-27.7,M,,0000*6A
i����C�$GPGSV,3,1,10,02,83,255,,06,54,040,33,12,48,323,18,24,38,241,*7C
�����C�$GPGSV,3,2,10,19,33,055,32,05,19,165,,17,18,067,23,25,17,316,*75
�����+�$GPGSV,3,3,10,28,07,127,23,29,04,271,*7B
	&����I�$GPRMC,163920.000,A,3215.7734,N,11102.9096,W,2.18,210.98,240720,,,A*7E
T������������������������P�$GPGGA,163925.000,3215.7729,N,11102.9094,W,1,04,15.0,743.6,M,-27.7,M,,0000*54
�����C�$GPGSV,3,1,10,02,83,255,,06,54,040,33,12,48,323,18,24,38,241,*7C
�����C�$GPGSV,3,2,10,19,33,055,31,05,19,165,,17,18,067,22,25,17,316,*77
�����)�$GPGSV,3,3,10,28,07,127,,29,04,271,*7A
�����I�$GPRMC,163925.000,A,3215.7729,N,11102.9094,W,0.61,201.27,240720,,,A*7D
Using "od" to look at the trash characters in the above, I see nothing particularly interesting:
000003b0 bfbd efbf bdef bfbd efbf bdef bfbd efbf
000003c0 bdef bfbd efbf bdef bfbd efbf bdef bfbd
000003d0 efbf bdef bfbd efbf bdef bfbd efbf bdef
000003e0 bfbd efbf bdef bfbd efbf bdef bfbd efbf
000003f0 bdef bfbd 4fef bfbd 2447 5047 4741 2c31       O   $GPGGA,1
00000400 3633 3932 302e 3030 302c 3332 3135 2e37   63920.000,3215.7
00000410 3733 342c 4e2c 3131 3130 322e 3930 3936   734,N,11102.9096
00000420 2c57 2c31 2c30 352c 322e 332c 3734 332e   ,W,1,05,2.3,743.
00000430 372c 4d2c 2d32 372e 372c 4d2c 2c30 3030   7,M,-27.7,M,,000
00000440 302a 3641 0a69 efbf bdef bfbd efbf bdef   0*6A i
00000450 bfbd 43ef bfbd 2447 5047 5356 2c33 2c31     C   $GPGSV,3,1
00000460 2c31 302c 3032 2c38 332c 3235 352c 2c30   ,10,02,83,255,,0
00000470 362c 3534 2c30 3430 2c33 332c 3132 2c34   6,54,040,33,12,4
00000480 382c 3332 332c 3138 2c32 342c 3338 2c32   8,323,18,24,38,2
00000490 3431 2c2a 3743 0aef bfbd efbf bdef bfbd   41,*7C
000004a0 efbf bdef bfbd 43ef bfbd 2447 5047 5356         C   $GPGSV
000004b0 2c33 2c32 2c31 302c 3139 2c33 332c 3035   ,3,2,10,19,33,05
000004c0 352c 3332 2c30 352c 3139 2c31 3635 2c2c   5,32,05,19,165,,
000004d0 3137 2c31 382c 3036 372c 3233 2c32 352c   17,18,067,23,25,
000004e0 3137 2c33 3136 2c2a 3735 0aef bfbd efbf   17,316,*75
000004f0 bdef bfbd efbf bdef bfbd 2bef bfbd 2447             +   $G
00000500 5047 5356 2c33 2c33 2c31 302c 3238 2c30   PGSV,3,3,10,28,0
00000510 372c 3132 372c 3233 2c32 392c 3034 2c32   7,127,23,29,04,2
00000520 3731 2c2a 3742 0a09 26ef bfbd efbf bdef   71,*7B  &
00000530 bfbd efbf bd49 efbf bd24 4750 524d 432c        I   $GPRMC,
00000540 3136 3339 3230 2e30 3030 2c41 2c33 3231   163920.000,A,321
00000550 352e 3737 3334 2c4e 2c31 3131 3032 2e39   5.7734,N,11102.9
00000560 3039 362c 572c 322e 3138 2c32 3130 2e39   096,W,2.18,210.9
00000570 382c 3234 3037 3230 2c2c 2c41 2a37 450a   8,240720,,,A*7E
00000580 54ef bfbd efbf bdef bfbd efbf bdef bfbd   T
00000590 efbf bdef bfbd efbf bdef bfbd efbf bdef
I try different baud rates while resetting the board. At 4800 baud I see (after perhaps 30 seconds):
���1����a������*��$x*78
$PSRF100,1,38400,8,1,0*3D
$x*78
����(������ �����O@�
                    �����������OO�O����B����բ�
Using "od" on this shows nothing interesting:
odx zzz
00000000 efbf bdef bfbd efbf bd31 efbf bdef bfbd            1
00000010 efbf bdef bfbd 61ef bfbd efbf bdef bfbd         a
00000020 efbf bdef bfbd efbf bd2a efbf bdef bfbd            *
00000030 2478 2a37 380a 2450 5352 4631 3030 2c31   $x*78 $PSRF100,1
00000040 2c33 3834 3030 2c38 2c31 2c30 2a33 440a   ,38400,8,1,0*3D
00000050 2478 2a37 380a efbf bdef bfbd efbf bdef   $x*78
00000060 bfbd 28ef bfbd efbf bdef bfbd efbf bdef     (
00000070 bfbd efbf bd20 efbf bdef bfbd efbf bdef
00000080 bfbd efbf bd4f 40ef bfbd 0a20 2020 2020        O@
00000090 2020 2020 2020 2020 2020 2020 2020 20ef
000000a0 bfbd efbf bdef bfbd efbf bdef bfbd efbf
000000b0 bdef bfbd efbf bdef bfbd efbf bdef bfbd
000000c0 4f4f efbf bd4f efbf bdef bfbd efbf bdef   OO   O
000000d0 bfbd 42ef bfbd efbf bdef bfbd efbf bdd5     B
000000e0 a2ef bfbd

Watching again at 38400 baud, and waiting a full minute after the reboot, I see:

�Ȭ<��������������������������������������������������������������������������������������������������������$PSRF100,0,38400,8,1,0*3C
�������������1����a������*��$x*78
$PSRF100,1,38400,8,1,0*3D
$x*78
����(������P D �T    ��    �T     ����
                                      �  ��     ���*��TUJQJ��E��J*U���*��)D� ���������$x*78
$PSRF104,0,0,0,0,0,0,12,1*10
$x*78
$PSRF103,00,00,05,01*21
$x*78
$PSRF103,03,00,05,01*22
$x*78
$PSRF103,04,00,05,01*25
$x*78
$PSRF103,02,00,00,00*27
��������p������������$PSRF103,00,00,05,01*21�������$PSRF103,03,00,05,01*50�������$PSRF103,04,00,05,01*50�������$PSRF103,02,00,00,00*50�����p������
0���z�������?�I�����谳�����?�I�����谳�����,>2ȯ���
I don't know what to think about the "$x*78" commands in the above.

The PSRF commands are proprietary additions as follows:

$PSRF100,1,38400,8,1,0*3D
"1" selects NMEA (the chip supports a binary protocol with "extra stuff", which is selected with a "0")
38400,8,1,0 selects 38400 baud, 8 data, 1 stop, no parity
$PSRF104,0,0,0,0,0,0,12,1*10
PSRF104 allows initialization values to be set for lat, long, time, and such. A template would be as follows.
12 sets the channel count (could be 1 to 12).
1 sets the "reset config" to a "hot start".
$PSRF104,lat,long,alt,clock,time_of_week,week,12,1*10
$PSRF103,00,00,05,01*21
$PSRF103,03,00,05,01*22
$PSRF103,04,00,05,01*25
$PSRF103,02,00,00,00*27

$PSRF103,00,00,05,01*21
$PSRF103,03,00,05,01*50
$PSRF103,04,00,05,01*50
$PSRF103,02,00,00,00*50
PSRF103 selects messages and sets the rate. We see 8 of these messages. The "02" messages request (query) GSA "right now" and without a checksum. The rest configure telemetry at a 5 second rate. No telling why this is repeated twice.

00 requests GGA, 03 requests GSV, 04 requests RMC
00 is the mode (0 = set rate, 1 = query)
05 is the rate in seconds
01 enables the checksum.

And that is exactly what we see every 5 seconds, as in the following:

$GPGGA,163910.000,3215.7881,N,11102.9078,W,1,04,14.9,744.0,M,-27.7,M,,0000*54
$GPGSV,3,1,10,02,83,255,,06,54,040,34,12,48,323,19,24,38,241,*7A
$GPGSV,3,2,10,19,33,055,32,05,19,165,,17,18,067,23,25,17,316,*75
$GPGSV,3,3,10,28,07,127,,29,04,271,*7A
$GPRMC,163910.000,A,3215.7881,N,11102.9078,W,3.13,348.14,240720,,,A*7E
GPGGA gives my altitude in meters (744.0 or 2440.94 feet).

On one occasion shortly after initialization, I saw these strings (at 38400 baud).

I2SiRFLocClient3.5.0Cisco-Test2_3.5.00.00-C17P2.00 SiRFLocClient3.5.0
$GPGGA,235950.065,,,,,0,00,,,M,0.0,M,,0000*5D
$GPGSV,1,1,01,00,00,000,*48
$GPRMC,235950.065,V,,,,,,,110409,,,N*4B
$PSRFTXT,TOW:  0*25
$PSRFTXT,WK:   1527*64
$PSRFTXT,POS:  6376201 -111297 -110569*25
$PSRFTXT,CLK:  96250*25
$PSRFTXT,CHNL: 12*73
$PSRFTXT,Baud rate: 4800*65

Who talks to this thing?

I searched all the executables from the RT2150F firmware and do not find the strings PSRF anywhere. I have a growing suspicion that the PicoChip may be what is connected to the GPS on the Femtocell.
Have any comments? Questions? Drop me a line!

Tom's electronics pages / [email protected]