Turning an £8 childs toy into a spectrum analyser
This posts looks at how a child's toy can be reprogrammed to provide a simple spectrum analyser that may be useful when working with licence-free wireless technologies.
Like so many great open source hacks this is a story of engineers building on the work of others, incrementally adding value and making it possible to build ever more complex applications. And whilst it's dangerous to suggest where these things start, a post over at Dave's Hacks documents a key breakthrough in hacking the wireless-enabled “IM-me” toy covered here.
My own IM-me cost £8 from eBay although they can occasionally be found for even less. At the heart of the toy is a TI CC1110F32 SoC that combines a microcontroller, flash and sub-1GHz RF transceiver. In order to erase and reprogram the flash a JTAG programmer is required and support for the CC1110 is provided by the open source JTAG programmer (and much more), GoodFET.
Creator of the GoodFET, Travis Goodspeed, very kindly sent me a bare PCB and with the addition of an FT232 USB interface, an MSP430 microcontroller and a few other SMD parts I had the hardware required to reprogram the IM-me. With this assembled it was then necessary to load the GoodFET firmware into the MSP430 flash, and this along with the hardware design and software tools to support a variety of uses are provided under an open source licence.
Connecting the GoodFET to the IM-me requires cutting away just a little of the plastic that surrounds the test points inside the battery compartment.
With soldering iron access the next step is to solder wires onto these pads, and Travis provides a tutorial that clearly explains how to wire up the IM-me to a GoodFET.
If all 5 points have been connected the IM-me should power up when the GoodFET is plugged into a USB port. At this stage it's advisable to run “goodfet.cc status” just to check that everything is as it should be, and following which the CC1110 flash can be erased prior to being reprogrammed.
A variety of application software for the IM-me has been developed by Travis and others, including even a minimal operating system, the aptly named PinkOS. But for me the most useful application for this hardware comes from Michael Ossmann and turns it into a handy pocket spectrum analyser.
The bands covered by the spectrum analyser are:
281 – 361 MHz
378 – 481 MHz
749 – 962 MHz
So this obviously works well for covering the 433MHz, 868MHz and 915MHz licence-free bands that are used by so many wireless technologies. And it also covers the GSM 900 band and much activity can be seen in this part of the spectrum, although it won't tell you the network name and cell details etc.
When an engineer sees a toy like the IM-me they see more than what it currently is and was intended to be, and instead see a microcontroller that is attached to an LCD display, keypad and RF transceiver, that is crying out to be modified and perhaps made to function as something that would typically cost an order or magnitude more. And often all it takes is for a small initial discovery to be made with such interesting hardware, e.g. that it uses a SoC for which tools are available, in order to spark interest and provide motivation.
Whilst a spectrum analyser solution like this clearly cannot compete with professional test equipment it does provide an option for those with simple requirements and a limited budget. Given the low cost, handy form factor, flexible capabilities and easily programmable nature of the device, it may also make an excellent platform for developing specialist test equipment for proprietary wireless protocols. And aside from anything else it makes for a fun project!
Top image: detail from the IM-me spectrum analyser application.