Skip to content

Reverse Engineering the Hi-Link LD1125H 24GHz FMCW Radar which uses the SGRSemi SGR1101 and GigaDevice GD32F303CET6

Notifications You must be signed in to change notification settings

dm5tt/LD1125H_ReverseEngineering

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

48 Commits
 
 
 
 
 
 
 
 

Repository files navigation

What is the LD1125H?

The LD1125H is a FMCW 24GHz radar manufactured by the Chinese company Hi-Link.

It's main components consists of the

The GD32 creates the VCO ramp using its DAC and receives the down-mixed echo signal back into a ADC channel.

For signal analysis the device does NOT offer full access to I/Q of the echo/bang signal as only one of both is connected to the ADC of the microcontroller.

PCB

PCB Front PCB Back PCB Back without UC

Datasheets for the Radar IC

There aren't much datasheets around for the Radar IC. But it seems to be purely analog with some downmixing and VCO functionality.

These might be close to one we are looking for:

Also ham radio operator IK1ZYW played around with it here. According to his research it's a clone of the Infineon BGT24LTR11N16. Very untypical for Infineon they are giving us a metry ton of very high quality datasheets and application notes on their product website without having us seeling our soul to a NDA.

Signals

VCO Ramp (PA4)

Entire Sequence

Entire Radar Burst

The entire sequence jitters heavily.

Bursts

Ranging Bursts

Bursts Detail

Ranging Bursts Detail

Beat (PA0) + Ramp Signal (PA4)

Echo Signal

Firmware

With a ST-Link adapter OpenOCD and this configuration file the device can be accessed.

Connecting to the chip using OpenOCD

# openocd -f interface/stlink.cfg  -f  ~/gd32f30x.cfg -c "init; reset halt"

openocd -f interface/stlink.cfg -f ~/Downloads/gd32f30x.cfg 
Open On-Chip Debugger 0.12.0
Licensed under GNU GPL v2
For bug reports, read
        http://openocd.org/doc/doxygen/bugs.html
Info : auto-selecting first available session transport "hla_swd". To override use 'transport select <transport>'.
Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD
Info : DEPRECATED target event trace-config; use TPIU events {pre,post}-{enable,disable}
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 1000 kHz
Info : STLINK V2J23S0 (API v2) VID:PID 0483:3748
Info : Target voltage: 2.936993
Info : [gd32f3x.cpu] Cortex-M4 r0p1 processor detected
Info : [gd32f3x.cpu] target has 6 breakpoints, 4 watchpoints
Info : starting gdb server for gd32f3x.cpu on 3333
Info : Listening on port 3333 for gdb connections
Info : accepting 'telnet' connection on tcp/4444

Looks good.

> flash info 0
#0 : stm32f1x at 0x08000000, size 0x00080000, buswidth 0, chipwidth 0
        #  0: 0x00000000 (0x1000 4kB) not protected
        #  1: 0x00001000 (0x1000 4kB) not protected
        #  2: 0x00002000 (0x1000 4kB) not protected
        #  3: 0x00003000 (0x1000 4kB) not protected
        #  4: 0x00004000 (0x1000 4kB) not protected
        #  5: 0x00005000 (0x1000 4kB) not protected
        #  6: 0x00006000 (0x1000 4kB) not protected
        #  7: 0x00007000 (0x1000 4kB) not protected
        #  8: 0x00008000 (0x1000 4kB) not protected
        #  9: 0x00009000 (0x1000 4kB) not protected
        # 10: 0x0000a000 (0x1000 4kB) not protected
        # 11: 0x0000b000 (0x1000 4kB) not protected
(...)
        # 23: 0x00017000 (0x1000 4kB) not protected
        # 24: 0x00018000 (0x1000 4kB) not protected
        # 25: 0x00019000 (0x1000 4kB) not protected
        # 26: 0x0001a000 (0x1000 4kB) not protected
        # 27: 0x0001b000 (0x1000 4kB) not protected
        # 28: 0x0001c000 (0x1000 4kB) not protected
        # 29: 0x0001d000 (0x1000 4kB) not protected
        # 30: 0x0001e000 (0x1000 4kB) not protected
        # 31: 0x0001f000 (0x61000 388kB) not protected
STM32F10x (High Density) - Rev: unknown (0x2104)

Nothing Is protected. Great.

Dumping the Flash

> flash read_bank 0 /home/had/ld1125h_dump.bin
wrote 524288 bytes to file /home/had/ld1125h_dump.bin from flash bank 0 at offset 0x00000000 in 7.822686s (65.451 KiB/
# sha256sum ld1125h_dump.bin 
52a8a3401e2062a228d57d75a1d877d73e81beae9e8473564e7dbb5e94d9f138  ld1125h_dump.bin

Rough analysis of the dump

# strings ld1125h_dump.bin
(sorted out the interesting bits)

mov, dis=%.2f
mov, dis=%.2f, str=%.2f
occ, dis=%.2f
occ, dis=%.2f, str=%.2f
>v is %.2f km/h, mag is %.2f
erase failed
mov, dis=%.2f
mov, dis=%.2f, str=%.2f
occ, dis=%.2f
occ, dis=%.2f, str=%.2f
333@
!XHP0
occ raw data is ********************
%.2f %.2f
occ spectrum is ********************
%.2f
mov raw data is ********************
%.2f %.2f
mov spectrum is ********************
all vars have been initialized and saved
UID(hex) is:%08X-%08X-%08X
rmax=
rmax is %.2f
rcoef=
rcoef is %.4f
mth1_mov=
mth1_mov is %d
mth2_mov=
mth2_mov is %d
mth3_mov=
mth3_mov is %d
mth1_movs=
mth1_movs is %d
mth2_movs=
mth2_movs is %d
mth3_movs=
mth3_movs is %d
mth1_occ=
mth1_occ is %d
mth2_occ=
mth2_occ is %d
mth3_occ=
mth3_occ is %d
eff_th=
Beff_th is %d
accu_num=
accu_num is %d
test_mode=
test_mode is %d
output_mode=
output_mode is %d
ts_on=
ts_on is %d
ts_mov=
ts_mov is %d
ts_occ=
ts_occ is %d
ts_off=
ts_off is %d
pt_10ms=
 pt_10ms is %d
save
all vars have been saved
RKB1125H BW1800M 20230412 V4.1
get_all
sgr_get_all
initial
all vars have been initialized
data_obt=
data_obt is %d
vt is %d
get_uid

Playing around with hidden serial commands

These commands are pretty the same as described in their documentation.. but a few new ones are hidden.

received message: sgr_get_all
rmax is 6.00
rcoef is 0.0520
mth1_mov is 80
mth2_mov is 50
mth3_mov is 20
mth1_movs is 120
mth2_movs is 60
mth3_movs is 25
mth1_occ is 60
mth2_occ is 55
mth3_occ is 20
eff_th is 10
accu_num is 6
ts_mov is 60
ts_occ is 60
ts_off is 15
pt_10ms is 20
output_mode is 0
test_mode is 0
received message: get_uid
UID(hex) is:35300D73-XXX-XXX

Now the cool stuff.

received message: data_obt=1

mov spectrum is ********************
25.37
27.47
31.54
33.15
29.94
23.11
(...)

received message: data_obt=2

data_obt is 2
mov, dis=1.00
occ, dis=1.50
occ raw data is ********************
2048.80 0.00
2200.80 -0.00
2337.20 0.00
2380.20 0.00
2276.00 -0.00
2158.00 0.00
2017.00 0.01
(...)

Feeding it into Ghdira

A fitting SVD for the SVD-Import plugin can be found the gd32-rust website. After setting the base address to 0x08000000 and the CPU type to CORTEX it worked out of the box.

Following memory map seems to work

Gihdra Memory Map

Voila. Almost clean assembler code. Even the Decompiler seems to do its job more (or less).

Gihdra Disassembly

About

Reverse Engineering the Hi-Link LD1125H 24GHz FMCW Radar which uses the SGRSemi SGR1101 and GigaDevice GD32F303CET6

Topics

Resources

Stars

Watchers

Forks