new cat toy!

it's alive and talking to me!

as usual, the SPI peripheral implementation in it is kinda finicky, and it actually doesn't work with the default #GlasgowInterfaceExplorer SPI controller (because it's not fully compliant with SPI, oops)

i'll fix the SPI controller in a bit

this is definitely not an ADIS16488 and if it's a clone of it, then they have taken some remarkable liberties with the idea of a "functionally identical" replacement
the delta-angle and delta-velocity functionality appears to simply not exist, which excludes this being a faithful clone of either adis16488 or adis16375
oh, i just realized that it has a "product ID" register that clearly says 0x4068 (16488). so it's supposed to be a clone of ADIS16488 then. it's just a very bad one

this thing doesn't seem to have a magnetometer or a barometer, it's just an accelerometer and a gyroscope. not even very good ones, they're probably on par with what your cellphone has, if not worse

i think some enterprising company (possibly Shenzhen Firepower Control Co. Ltd. based on @poppyhaze's research) has realized they can make a lot of money selling ADIS16488-style devices that only barely work at a half of their sticker price from AD

oh... it has a GD32F103 inside. there are even, conveniently, pads with SWD routed to them

firmware dumping time? firmware dumping time.

we have SWD!
the source code is not protected (i am reading out valid values), but for some reason my dump memory command is encountering errors; most likely a misunderstanding of ADIv5.2

it looks like sometimes it works and sometimes it doesn't

very bold of a vendor to call it a "good device" when in fact it seems to be bad

nevermind, it works fully once i attach a logic analyzer. for one reason or the other, adding a few pF of capacitance to the pins is what it needed
here's a firmware name: WM_KT-EX9-10_2.12_GD103.bin

did someone build the firmware with -funroll-loops or what

this is a part of the code that copies static mutable data into RAM from Flash. it goes on for kilobytes

there's actually a few loops in the middle doing the same memcopy operation. i think the compiler smokes crack
although, a horrifying thought is that this is just what the original code looked like

OH I GOT IT

i finally tracked down the source of this device, and also the gyroscope vendor

the WM_KT-EX9-10_2.12_GD103.bin in the firmware name most likely refers to the gyro:
https://en.ktjmyq.com/html/2024/MEMS_0526/141.html


i'm wrong. the KT-EX9-1 device has a public datasheet and some key values don't match

this could be a custom one-off or something?

@whitequark.. Or just a shady copy of a copy, due to usage? Returns probably happen rarely, and the buyer might be a bit desperate.
@SDRHoernchen it's possible, but I think it's somewhat unlikely
@whitequark One off'ish feels kinda likely. I've seen that a few times in the med space despite doing that only briefly. Some sub-assembly was unobtainable so a shoddy "drop-in" that only replicates the features the specific device was using was made as it was easier/cheaper than redesigning the device itself.
Prob. not too different in the defense space?
@timonsku yep, that's my guess; no reason to try and name the firmware to impersonate some other vendor
@whitequark I’m fine with compilers NOT being responsible for all the final code sins of the world
@whitequark going full time freelance has truly opened my eyes when it comes to the state of software in the embedded space. I always assumed that I write mediocre code at best but the bar for "ready to ship" is in fact so much lower than I could have ever imagined
@whitequark * Keil has entered the chat
@whitequark a frequent problem with compilers, actually. Sometimes it doesn’t even involve UB 😂
@whitequark lolololol amazing, I guess they’re not using assembly for their init handler
@whitequark putting the fun back in -funroll-loops
@whitequark I would definitely want my loops to be fun rolled, tbh
@whitequark cat works fine when attached to logic analyzer. let me "make nconfig" for reasons. (it's been a day, not necessarily bad)
@whitequark so you're saying that the analyzer knows when it's attached because it knows when it isn't? 😛
@whitequark next version of Glasgow with DAC-controlled varactors on all pins for programmatic application of capacitive fiddle factors
@jaseg i considered stuff like that
@whitequark oh wait, I vaguely recall that the GD32F103 fixed some silicon errata from the STM32F103 around debug handling.
@jpm are you sure they haven't added any

@whitequark no, my mistake, apparently it was the CKS clone STM32F103 that fixed ST’s silicon errata.

And yes, CKS added their own bugs: https://nvd.nist.gov/vuln/detail/CVE-2020-13464

@whitequark what exactly is that, what are you doing, i'm curious. looks very fancy awawa

@alina the device in the image is a PCB i extracted from an inertial measurement unit from a loitering munition

you know that "the missile knows where it is because it knows where it isn't" meme? well, this PCB is _how_ the missile knows where it isn't

on the right i have a debugger connected to it, so that i can dump and analyze the firmware within and learn what makes it tick

@whitequark aha, gold plated CLCC gyros?
@f4grx the gyros apparently have vacuum inside of them (according to the vendor) which apparently makes them less sensitive to vibration!
@f4grx I kinda want to open one up, I even have my trinocular here...
@whitequark oh, did you try to make one run before teardown? They look quite nice. they're probably better than your average MPU6050.

@f4grx it's still functioning, I have a script that makes it run

I could measure it properly, Allan deviation and the like, but purely from mouthfeel they don't feel like they're all that better. I don't have a good intuition though and I think numbers are the real way to tell

if you want me to collect some data and know how to analyze it I can easily do that

@whitequark no, it's quite complex and painful to characterize, there's a lot of noise measurements to be made, but these are statistical and I am unable to wrap my head around an actual meaning. it's just frustrating.

All I know is that when you use a gyro for dead reckoning, you integrate the rate over time twice and if the measurement has any bias, the integrated result will drift quadratically. Moreover, this "zero rate bias" varies with temperature and also if you look at the box sideways.

@f4grx so, adis16488 is supposed to have an integrator for the angle

this box does not. it just reads as zeroes

i wonder if this means that it's not very good

@whitequark looks like they did the vital minimum for the customer that wanted a cheaper adis16488. it just outputs the rates, and integration is made outside. probably the gd103 just translates spi protocols.

@f4grx that is my conclusion as well

i have the gd103 firmware. i can share it but it's horrifying spaghetti

@f4grx it would be mildly interesting to find out what the gyro protocol is. it's something low pin count as the flex cable just about has enough pins for SPI
@whitequark can you post a relatively better res pic of one gyro? ideally one with a visible part number? :)
@f4grx of course

@whitequark startpage gave this with the 1001-011 search request https://geo-matching.com/products/high-performance-tactical-grade-mems-gyroscope

(I considered the second line a date code and the third line a lot code)

High Performance Tactical Grade MEMS Gyroscope

Features Proven and robust silicon MEMS gyro Up to ±400°/s measurement range 0.1°/hr bias instability 0.05°/√hr angular random walk Digital output (SPI slave) 5V operation (4.75~5.25V supply) Low power consumption (35 mA) High shock and vibration rej...

@f4grx huh, what was the query?

also, wtf is that website? ubo lite doesn't let me follow any links that lead to "syndicatedsearch.goog"

@whitequark ah here is the query I made previously.
[Hot Item] Inertial Navigation System High Performance North Seeking Mems Gyroscope MGZ330HC-A1

Model NO.: MGZ330HC-A1 Type: Servo Output Signal Type: Digital Output Measuring Shaft Quantities: Single Accuracy Grade: 0.02deg IP Rating: IP67

Made-in-China.com
@whitequark Also, what about this little dude? if the golden ones are 1 axis acceleros (so there are 3) then this little one should be the 3-axis gyro.
@whitequark that explains the SPI controller weirdness…