ATT DPH153-AT Femtocell

June 29, 2017

Talking to the GPS inside a DPH153-AT Femtocell

More properly, listening to it -- at least to start. We are listening to the messages being generated by the SiRF GSC3f/LPx chip.

NMEA sentence descriptions

In the photo above, note the 4 pins labelled "GCON1" -- these are on 0.1 inch centers, so I soldered the usual 4 pin header into this spot on the PCB. If we call the pin next to the white corner on the silkscreen pin 1, the pins are:

1 - 3.3 volts
2 - Tx
3 - Rx
4 - Ground

What I do is to connect ground and Tx to a handy CP2102 USB to serial dongle that is 3.3 volt configured and then use "picocom" to listen to (snoop) on communication. After a bit of experimenting, I discover that the baud rate is 38400 and see the following every 5 seconds (before the GPS status light indicates a proper GPS lock).

Note that between "lines" (prior to the "$") there are various unprintable characters.

$GPGGA,000741.587,,,,,0,00,,,M,0.0,M,,0000*5E
$GPGSV,3,1,11,08,78,087,,02,76,332,,07,56,038,,17,36,195,*73
$GPGSV,3,2,11,28,26,124,,03,23,165,,10,21,070,,13,12,253,*71
$GPGSV,3,3,11,25,12,033,,16,10,210,,09,04,213,*45
$GPRMC,000741.587,V,,,,,,,300617,,,N*46

After power cycling the board, I discover that some interesting things go on before it settles down to the above, including:

SiRFLocClient3.5.0Cisco-Test2_3.5.00.00-C17P2.00 SiRFLocClient3.5.0

And there are a few exchanges like this:

$GPGGA,002044.530,,,,,0,00,,,M,0.0,M,,0000*52
$GPGSV,1,1,01,00,00,000,*48
$GPRMC,002044.530,V,,,,,,,300617,,,N*4A

Then we settle down to what we see above.

Once the GPS status light indicates a lock, the messages continue every 5 seconds and look like this:

$GPGGA,003101.042,3415.7713,N,11102.9081,W,1,04,3.3,747.3,M,-27.7,M,,0000*63
$GPGSV,3,1,12,24,63,326,,29,60,339,37,05,53,051,38,21,49,040,*7A
$GPGSV,3,2,12,18,39,048,,04,35,053,,19,34,315,,02,28,060,32*77
$GPGSV,3,3,12,12,26,178,23,13,17,120,29,15,06,047,,14,05,154,*7F
$GPRMC,003101.042,A,3415.7713,N,11102.9081,W,0.16,36.29,300617,,,A*47

These are swell NMEA "sentences".

The value 003101.042 is the UT time 00:31:01.042 (i.e about 5:31 PM in Tucson).

The elevation is given as 747.3 meters (which is 2451.8 feet), but using only 4 satellites. This updates later to 731.0 meters (2398 feet) with 7 satellites.

The topographic map indicates 2400 feet. The GPS in my cell phone indicates either 2409 or 2310 depending on which application I use (I tend to trust the 2410 number more).

Now watch the Rx line

It is worthy of note that the documentation for the SiRF chip says that it talks at 4800 baud. But the documentation also says that once you send a valid command to reconfigure the communication parameters, they are stored in battery backed static ram and will be used to configure the unit on the next startup (but we have no battery).

Nothing was observed watching at 4800 baud. Watching at 38400 baud, we see a burst of activity, doubtlessly to initialize the GPS chip. We do not see the chip being polled every 5 seconds. Apparently it gets configured to send information on some schedule. And indeed this is done by the PSRF103 commands.

$PSRF100,0,38400,8,1,0*3C $x*78 $PSRF100,1,38400,8,1,0*3D $x*78 $x*78 $PSRF104,0,0,0,0,0,0,12,1*10 $x*78 $PSRF103,00,00,05,01*21 $x*78 $PSRF103,03,00,05,01*22 $x*78 $PSRF103,04,00,05,01*25 $x*78 $PSRF103,02,00,00,00*27 $PSRF103,00,00,05,01*21 $PSRF103,03,00,05,01*50 $PSRF103,04,00,05,01*50 $PSRF103,02,00,00,00*50

Have any comments? Questions? Drop me a line!

Tom's electronics pages / tom@mmto.org