Friday, September 11, 2015

10GHz Station Upgrades

With the 2015 September 10GHz and up contest approaching fast, I am in process of making some performance improvements to my 10GHz station. I had already missed the first round of the August 10GHz and up, so I wanted to make sure to complete a few necessary items before the 2nd round is here.

First on the agenda is to upgrade my PLL frequency synth that runs my LO to use low-noise regulators. This was a design error on my part, when I originally designed these freq synths, they had less than ideal phase noise as a result. The noise itself was determined to be coming from the 78nn series of linear regulators I had originally spec'd out for the design for the 5v vco, and dual 3.3v analog and digital supplies. A test of an unused synth I had built (for a beacon project) proved to show quite an impressive improvement once I replaced the regulators:

ADF4107 Phase Noise
Phase noise is shown here on the left with the original noise regulators, and a much cleaner output is shown on the right after the low-noise regulator replacement.

Next item on my list was to add some additional attenuation into the LO path that drives the mixers. Originally when I had a phased lock PLL brick, LO drive power through both outputs was approximately 12dBm. This was ideal for the two Magnum Microwave mixers I was using. After switching to the PLL synth and x4 multiplier, my output to the LO's through a splitter was a little hot at 15dBm. This was the upper max limit of power in the datasheet. This as a result was causing some additional spurs on the RF side, which while immediately filtered was still resulting in some spur leakage. A 3dB pad in line with the output of the x4 multiplier cleaned the excessive spurs up nicely.

The final improvement is in regards to the actual frequency reference itself for the LO PLL freq synth. I had designed my synth to use an on board TCXO protected by a shielded enclosure for both rf shielding and hopefully help stabilize the temperature. Temperature drift is critical in any design, this one was particularly touchy to temperature. When the synth was running and locked to my 2556GHz output frequency, simply blowing air across the TCXO caused the output frequency to start drifting. The specs for the particular crystal I had chosen were not that great at ±2.5ppm over the specified temperature range, I would definitely need to do better for good stability.

I have a rubidium 10MHz reference I use at my bench. I didn't want to devote this just for my mobile station as I use the reference for all of my test equipment. I would also need to frequency double it to work with my ADF4107 PLL as it requires a minimum 20MHz reference. As a compromise, I decided to go with a crystal oven oscillator (OCXO). I had a 20MHz version available that runs off of 12V which will be perfect for this mobile 10GHz station. Details of this will probably be in a separate post due to the difference being pretty interesting.

Tuesday, June 16, 2015

Anritsu MF76A Repair - Part I


I recently acquired a nice Anritsu MF76A 18GHz frequency counter in a non-working state off of eBay. While older, this is still a very usable counter that goes for quite a bit of money when working. This one sold for cheap so I figured why not, I'm sure I'll be able to get it working. I didn't really need it as I have a good EIP 545A 18GHz counter, but this one looked fun to fix. The images of it indicated that it was powering up and had the cpu portions functional as the display went through its power up cycle and displayed all zeros on the display. Typically with frequency counters in this state and not counting, you either have a failed 10MHz reference or a damaged front end from over-driving the input. I was hoping for the former as I already have a stable rubidium reference I use with all of my gear.

Anritsu equipment is notoriously difficult to repair due to the lack of service manual availability. I ran into the same issue with my second MT8801C communication analyzer / spectrum analyzer that I had purchased in a non-booting state. I was ultimately able to acquire a service manual for it but it took some serious searching and asking around. Once I obtained it, it was nothing like the older HP and Tektronix manuals I was used to. This manual went through a basic troubleshooting process to identify the issue to a board level, no further schematics or information was available (in the manual I had anyway).

Upon arriving, I powered this MF76A up on the bench, it was in good overall condition and did power up as it was supposed to. Upon applying a RF source to either the 200MHz or 18GHz inputs resulted in no counting. In a way this was good, it could indicate an issue further down then the first converter stages. The back of the unit has a switch to either output the internal 10MHz reference or accept an external one. Checking this with a counter, the internal reference is working as expected. Damn. Time to open it up.

The back of the unit had the calibration stickers broken which was expected, this came from a calibration house / test equipment reseller and I'm sure someone mucked around inside with some attempt to repair it. With covers off, everything looked at least complete, this unit was constructed very nicely.

The power supply is tucked into the back of the unit, not the easiest to reach to check voltages, but the power comes off of it and is transferred to the backplane which has wider traces for increased current making it easy to identify. There are no voltage markings or test points on the boards but it was pretty easy to determine which were power. Probing voltages, everything looked fine except for one strange voltage reading which was around +6.8 volts. Also noticing that a -12V rail was present but no +12, I was betting that something simple like a bad cap was holding the +12V rail down to +6.8 volts, very similar to my EIP 545A repair.

Pulling all the boards and reinserting them to locate the source of the issue resulted in the +12V voltage drop being caused by the input IF brick at the front of the unit. This was fed directly from the 18GHz input, the 200MHz input bypassed it and went right to one of the digital boards. As a test I left the 18GHz section unplugged and ran a 50MHz source into the other input. At first there was no response but I realized that one of the coax connectors coming off of the 200MHz input was not connected in the correct location. Whomever had been in this unit messing around didn't put it back together correctly. Once it was where it was supposed to be, success. 50MHz displaying correctly.



So the counter itself is working fine, just the 18GHz converter is causing problems. This was always a concern, you see this often from someone providing too much input and damaging the input section. So while 200MHz is great, 18GHz is why I wanted this counter. At this point I pulled the input brick out and started taking the covers off of it. The cables for this are long enough to allow you to work on it outside of the unit, I so love designs that allow for repairs.

Each side of this brick was made up of multiple boards all of which actually had labeled power input pins. This made locating the problem board very easy. Measuring +12V to ground I was reading roughly 1.2K ohms through all boards. Through process of elimination I was able to isolate the boards that were sinking the +12V down to two boards, both exactly the same. Pulling the +12V cable off of each board returned the rail to normal levels. Both boards were labeled '342U7363', each containing a handful of passives, some transistors and MMICs, along with what looked like a large thick-film precision resistor.



By following the traces on the board and divide and conquering by cutting some traces, I discovered the +12V sinking was actually coming from this large mystery device package. Looking it up, it is an NEC MC-5156 broadband amplifier in a sip package and was nearly shorted from vcc to ground.

Removing these two amplifiers from each board returned the +12V rail to normal, so these two parts were at least indicating to be bad. Was anything else bad? Maybe, it is hard to tell for sure and without a full schematic it is really difficult to trace the signal paths between these boards to guess what else may be blown. Luckily these old amplifiers are still available as NOS from some suppliers, so with two ordered we shall see. Right now with these two amplifiers removed, the unit powers up and counts correctly on the 200MHz input. I am also able to see some RF on the input to each now missing amplifier, so RF is at least getting that far. Is this the only problem? Maybe, maybe not as this would be too easy. I'm betting there are more issues than just this but I can't do any more at the moment until the replacement parts arrive.

Monday, June 15, 2015

Decreasing Phase Noise with Low Noise Regulators

I have posted several times in the past on the PLL frequency synthesizer I designed and built based on the Analog Devices ADF4107. The overall design is a platform for a fractional PLL frequency synthesizer for any frequency range up to about 5GHz.  A single frequency or range could be generated simply by changing out the VCO and loop filter and reprogramming the ADF4107s registers. The design overall has worked very well, I have used it as a LO for a 1.42GHz hydrogen line radio telescope, a 2556GHz LO for my 10GHz ham station, and a 5.4GHz LO for some specific satellite downlinks.


One element of the design that has been less than ideal was the devices phase noise. My specific PLL was on average about 10dB to 20dB under spec of what the documented phase noise should be for similar designs using the ADF4107 and Z-Comm VCOs. After reading to the application notes some more and a recommendation via twitter from Tony (KC6QHP) who suggested looking into using very low noise regulators for the design, I decided to make the change.

Searching regulator semiconductor manufacturers for very low noise versions is not an easy task, often, the noise levels are not available in any parametric search. So to keep things simple, I just went with the ADP150 which is what Analog Devices recommends for their own designs including the ADF4107. Now this is definitely something I should have considered to begin with in the design, but it was my fault for not reading the docs and assuming the basic ST Micro KFNN regulators which I often use would be suitable for a project like this. Looking at the datasheets, the stated noise levels of each are quite a bit apart:

KF33:

OUTPUT NOISE  10 Hz to 100 KHz 50 µV rms

ADP150:

OUTPUT NOISE  10 Hz to 100 KHz  9µV rms

The issue I now have is I had designed the board for standard DPAK package regulators, the ADP150 used tiny TSOT packages. Because of this I would have to be creative in mounting the devices in the DPAK footprints. This turned out to not be too bad of a task although not the most elegant solution.



The results speak for themselves, after replacing the regulators with the ADP150s, phase noise has considerably decreased. I have already started on a version 2 of this synthesizer and I will be definitely switching to these regulators for all future versions.

Standard KF33 and 7805 regulators on the left, low noise ADP150 regulators on the right.

Monday, May 11, 2015

Tektronix 2246 Repair Part II


In the process of debugging the strange intermittent display issue on my Tektronix 2246 after re-capping the power supply, things are not looking so good. Things have actually gone from bad to worse. First of all, the short (or open connection) somewhere in this unit which I can return the unit to normal operation by twisting the chassis has been more difficult to find that planned. I pulled and went through the entire power supply again and did not find any issues. Same for all of the connectors, all are seated correctly without issue. Every screw was in place and I checked to make sure there were no poor grounding issues throughout the scope. What happened next is the result of my own stupid mistake (again) which is just making things worse.

In the process of removing the power supply, you have to remove the high voltage anode cable to the crt which is generated in the main power supply. This cable runs out of the supply towards the front of the unit and has an insulated high voltage connector that is clipped on the the metal chassis between the power supply and front panel board. When I was pulling the power supply out for the third time, I wasn't careful and unplugged this connector only a minute or two after powering the scope down. At this point I let the cable go and it fell towards the A16 main processor board letting a nice spark jump from the high voltage cable to the main board most likely due to stored capacitance that had not been bled off yet. I didn't see exactly where it hit, but it didn't matter. The stored voltage had hit the board and I knew damage had been done. Upon reassembly and power up it was confirmed.


The display was in bad shape at this point, everything to the left say 2/5ths of the display was not showing up and squashed into a vertical line. Definitely not good. So now my priorities have changed, now I have to debug this issue to make sure I haven't burnt out something serious like the main display DACs or readout processors as these would most likely be difficult parts to locate and replace.

I started right with the schematic, which was my next stop anyway in locating the intermittent display issue. The full service manual including schematics is easily available for this scope which is another reason why I love the older Tektronix gear. I focused right away at the character generator and display readout circuitry.



After some probing around, I noticed that output from the A16 processor pcb was odd, the horizontal output drive for the display was not looking right, the bottom half of the waveform was clipped which would explain the left half of the display being smashed into a vertical line. Further up the signal path, the signal was looking correct from the DAC and the multiplexer. So the final op amp stage was looking to maybe be the culprit which makes sense as these op amps definitely wouldn't survive a direct high voltage hit.

Output of mux on left, output after op amp on right
So only the final output stage from the A16 pcb was looking bad, this is a good sign as the actual logic does not look to be damaged. Only the final outputs through an op amp look to have been hit. The op amp in question is a TI TL074. There still may be more damage but I'm going to focus on this op amp for now. I didn't have any in my parts bins, so I placed an order for a handful with Digikey which I should have in a few days. Stand by for part III.



Saturday, May 9, 2015

Tektronix 2246 Repair


Last year I had talked about how I accidentally destroyed my Tektronix 2246 oscilloscope by removing the cover. There was a small dent in the metal bottom panel that while removing it had snagged a heatsink on a Motorola 151-0846-00 labeled TO-39 transistor, specifically Q702 on the A10 main board. This ended up ripping the pins out of the transistor can leaving me with a unusable scope. Unfortunately this was not a common part and trying to locate one is next to impossible. I had attempted to use a 2N3866A with no success, the scope was definitely not happy with that transistor in it, an original replacement part would be necessary.

I did ultimately find a donor board. Late last year I found a complete used replacement board on eBay for around $40 which contained both of the 151-0846-00 labeled transistors. This option was definitely cheaper than a whole parts scope and I would hate to ruin another 2246 which may be repairable just for this one transistor. Once I replaced this transistor in my 2246 it was good as new.



I want to focus the attention now to a second Tek 2246 scope that I own with its own set of troubles. I purchased another 2246 a few years ago for cheap, I think it was only around $100. This scope had a lot more use than my original one, while it was in good cosmetic shape it had some issues mostly related to old capacitors. The display was not stable, the character generated osd and cursors would jump around and upon probing the supply rails you could see there was some noise present. A re-cap would be necessary and possibly some additional caps on the A-10 main pcb if necessary.

The 2246 main power supply is pretty basic, much more simple to work on than the Tektronix 2445B power supply which I have also done. One interesting observation upon accessing it is that all of the caps look to be large axial electrolytics:

Trktronix 2446 Power Supply

The bottom of the board told a different story, and once removing a capacitor and testing it was indeed a standard radial cap with an interesting third lead out the top that wasn't connected to anything. Maybe it was designed for additional stability? I know this scope was a popular portable model so my guess it was just some additional ruggedness built into the design. Interesting regardless, at least I can replace them with standard radial caps which are much easier to source.


Replacement caps were all Panasonic 105 degree C. units which are always my first choice, then using Nichicon capacitors in cases where the Panasonic's were not available. The final rebuilt version looked like this:

Tek 2446 Power Supply Rebuild
Quite a difference in size. For good measure I also replaced all of the high voltage film capacitors on the board, many looked stressed as they did in the 2445B. I left the large primary switching capacitor alone, they are rarely every a source of trouble. Everything else looked okay.

This is where things started to get interesting. After putting everything together and powering the scope back up, I had strange display issues. The entire display was shifted left. I started looking around to see if I had missed a cable or possibly had a connector loose during the reassembly but didn't see anything obvious. This scope was working just fine before the power supply rebuild so this issue was definitely something that I caused. At this time I went to turn the scope over on its side while powered up that the display snapped back into alignment. After some more poking around I realized that if I put pressure on the chassis, twisting it just lightly I could get the display back in alignment. So it must be a bad ground, loose connector, bad solder joint, or some other mechanical failure where putting pressure on the chassis would complete whatever broken connection was occurring. It will just be a matter of tracing down where the issue is at. More to come in part II.

Friday, May 8, 2015

Large Display for GPS Disciplined Time Server


Since building my own GPS disciplined local time server I have wanted a large display of some sort to display my super accurate clock. The primary purpose of doing this was really just because it would be rally really cool looking. I also have a personal issue with any clock that does not set itself from the WWVB or support NTP, in 2015 we shouldn't have to manually set clocks anymore. A secondary use for doing this would be for ham radio purposes. A nice large clock that is always accurate so I can easily and quickly log contacts in UTC would be very useful. Ultimately I ended up with a very nice solution and here is the result:

ESE ES-166 timecode display used for GPS clock

Searching for someone who makes such a clock was frustrating. It seems either you can have a large format clock for cheap that does not support NTP, or you can have one that does support NTP but costs hundreds of dollars. Designing and building my own was the next option that I had considered for awhile. A simple PIC based device that drives some large 7 segment led displays would be trivial to build, but I couldn't get into the project. It just didn't excite me, It's one of those things that would be so simple and mundane that I just couldn't drive myself to do it. It would be like a software engineer being assigned the task of writing a word processor. It's already been done so many times and is such an unfulfilling project you can just never get excited about it.

So on to Plan C. Let's see what's already available and either modify or make it work for my intended use. Basically I would be looking for a large LED, backlit LCD, or big VFD display of some sort that would be able to easily display time. Input can be via various means, ethernet or serial would be first choices, some other parallel type interfaces would be not ideal although I could still make it work if needed. Luckily having some experience is professional video editing when I was in college, I looked towards something I felt might me the perfect solution: Timecode displays.

Upon scrounging around I found a perfect device on eBay, an ESE-166 remote timecode display. These can be found for less than $50 at times are are beautiful pieces of gear. It is a big 2U rack mount enclosure with a nice large format LED display on the front panel. This display is designed for displaying accurate time code for video editing systems. The particular display I purchased had hour, minute, and second digits which would be perfect. Many time code displays also include a 4th digit section for frames which this one did not as I did not need it for my purpose. The inputs on these devices are typically a single 75ohm timecode serial input for SMPTE timecode. I was fine with this as designing some hardware to convert an rs232 serial stream to SMPTE timecode actually sounded pretty fun, but I ended up not needing to. This specific display also included an rs232 serial input that supports a few ASCII time formats. This would be a perfect solution, just have a script that takes my local time directly off of the time server itself and dump it out the serial port to this display. There would be some very minimal latency with this obviously, but regardless this solution would be perfect! The ASCII format I chose to use is as follows:

Format #0: (CR)(LF)I(^)(^)DDD(^)HH:MM:SS(^)DTZ=XX(CR)(LF)

As for getting the time data into the ESE, it has two runtime options set by some dip switches inside. The first is a free running clock that when the serial port receives a time string, it updates the internal clock to the time received. The second option does not free run, you simply continuously provide the time signals to update at the interval you specify. In this option, you would need to provide the time signal at least once a second to keep the display real time. For now, I went with the first option. I have the ESE free running with a cron dumping data from my NTP server sending an rs232 time string via cron every five minutes. The noticeable time drift of this clock over a five minute period is not noticeable at all and this solution keeps the clock up to date on five minute intervals without having to constantly send it serial data.

For those that are curious what is inside the ESE ES-166, it is pretty basic:


There is a whole lot of room in that chassis with not very much there. Just a mains transformer and simple analog rectified power supply with a handful of logic to decode the SMPTE / serial port data and drive the display. I'm planning on moving my Trimble GPS receiver inside of this case as there would be plenty of room for it. This would consolidate some of the hardware laying in the back of my server rack.

Additionally the manual for the ES-166 includes a schematic which is also nice to see. There was one part of the design that I really loved, the rs232 to TTL translation:


There is no serial driver there, MAX232 or equivalent. Just a simple level converter based on a 2n2222 with a diode and resistor. I love it! You see MAX232s in everything these days when they are often just not needed for serial RX conversion.

Further plans include racking this unit in my server rack and possibly getting a second unit so I can display both local time and UTC.

Wednesday, April 1, 2015

IoT Security Fail


So I am not a huge fan of the whole Internet of Things movement that is going on right now, mostly due to the recent lack of any real security or thought of security being placed into these IoT devices. A more accurate name for the IoT would be the Internet of Insecure Things (IoIT). Recent (or not so recent) news of consumer home wireless access points and routers being compromised and used for various botnets are one example of this concern, and this is just one small example. Home routers, thermostats, IP cameras, VOIP phones, DVRs, smart TVs, etc, all things that can contain embedded firmware of now outdated or obsolete libraries that are exploitable. And if they are not exploitable, great, there is probably just some hard coded admin user and password in the device or another debugging backdoor that was forgotten to be disabled.

'Junk Hacking' is a term I like that is used to describe people finding exploits in these devices, it seems every week there is some new little embedded device that has a vulnerability. Stop. When these stories break, everyone always seems to be surprised that there is a backdoor or other exploit on IoT device N. Really?! Of course there was a vulnerability on it! I would have only been surprised if there wasn't! I go by the opinion that every device is vulnerable. Proving me correct is not difficult, proving me wrong on the other hand would actually be impressive.

Now sure, most of these devices (with exception to the router itself) will live on a home private network and all have private ip's assigned by the routers DHCP server, so risk to them should be very minimal even if they are vulnerable in some way or another, although wireless devices are an exception. Some vulnerabilities require physical access to the device as well, which imo is not really a vulnerability (anyone can re-flash devices if it's physically in your hands ). That said, it is amazing how many of these devices end up being publicly accessible on the internet, either on public ips themselves or port forwarded to private ips. Not excluding commercial and industrial devices as well, they are also exposed everywhere. Everything is just hanging out waiting to be poked at. Having convenience over security seems to be the norm.

Favoring backwards compatibility is another issue that needs to be overcome. 'Well, it needs to work on IE6!' No, actually it doesn't, and it definitely shouldn't. This mentality needs to go away. Software goes obsolete for a reason, and that is because it's usually broken. This rule needs to be enforced by all.

The wireless side of things is the same story. Wireless ISM band mesh devices are the new hotness with everything communicating over ZigBee, Z-Wave, or other protocols. You don't need to look hard or far to find known vulnerabilities in these protocols or tools to sniff these networks. While sure, newer devices will have updated firmware with possibly better encryption and security, what about all of the existing devices in the wild?

While manufacturer of devices intentions may be good to keep devices secure and up to date, the real result of these devices is that none of them actually are. The OpenSSL vulnerabilities that occurred last year and recently are an example of these concerns. How many of these devices are still running an old version of OpenSSL? Probably most, unless of course you have updated your firmware, which I know usually never actually happens. This is assuming new firmware is even available.

This issue of updating these home devices to keep them up to date ends up being your (the consumers) responsibility. Manufactures are more than capable of having their devices auto update when new firmware comes available, but the risk and cost would be too high in doing so. The day that the device auto updates and becomes a brick because of a mistake is just too high, especially if it happens to thousands of devices. Manufacturers could of course design in fail-safes to prevent this, things like dual flash memories for running and updated configs allowing a rollback option, but this would of course increase costs. Plus manufactures don't want to have to support their own devices, that is just additional cost.

So the result is it is your responsibility as the consumer to make sure your device stays up to date. I'm not okay with this, but you have no choice. The alternative is to not use the device, if it isn't on, it is not vulnerable. The real issue falls onto the larger portion of the population that doesn't really know or understand, or care to know or understand security, networking, or recent CVE listed identifiers that come out, not to mention understand the actual details of the vulnerability. It is this group of the population that results in everything being at risk, but I don't believe they should be held responsible. Maybe manufacturers should be responsible for the security and patching of their own devices. Maybe they should not be designed so insecure in the first place.

So what is the solution? Should manufacturers be more security minded and allow automatic updates to all IoT based devices? Sure, that would be a good start. Putting any actual thought and time into security in the first place would be another great idea. Having anyone who actually knows anything about security audit your product before production would probably catch a lot of the really stupid mistakes. Another thought would be to not make every device IoT enabled if it doesn't half to be in the first place. Just because something could be internet enabled doesn't mean it should be. I'm pretty sure I have been hearing news of internet enabled refrigerators for over 10 years now, even seen one or two in some stores. Everyone thinks its neat and cool and somehow it will be useful as it solves a problem that doesn't exist. I just know it will be end up being another vulnerable device.