Reverse Engineering the Hi-Link LD2410S FMCW Radar

 Date: May 11, 2025

The LD2410S is an FMCW radar based on the

I’m not going to include any screenshots from the ICL1112 datasheet in this project, as they have a huge “CONFIDENTIAL” mark over them. Just visit the public website, which is linked from the device name, and access them yourself.

PCBs

PCB Front

PCB front of the Hi-Link LD2410S
Pin Configuration of the Puya F030K28

PCB Back

PCB Back of the Hi-Link LD2410S

Bus Protocols

System diagram of the ICLegend ICL1112. Taken from the public website of ICLegend.

I2C

The I2C runs at 3MHz (sic) and seems to be used for the initial configuration and trigger of the radar scan.

After power-on, 4 rapid bursts can be seen in quick succession. During normal operation, a burst can be seen every 2.05 s.

A sniff with a Saleae can be found here. The power-up sequence and normal operation are visible in the trace.

I guess this is bit-banged I2C, as the hardware engine of the microcontroller only supports rates up to 400 kHz.

SPI

The SPI runs at 10MHz clock rate. The ICL1112 acts as a SPI master.

This one was rather tricky to capture, as my logic analyzer was losing frames because of the high frequency (fmax. 20MHz), so I had to fall back to my DSO.

SPI Communication of the ICL1112
SPI Communication of the ICL1112 - Zoomed Section

According to the datasheet this board is using the “Range FFT data frame”.

Example Frame:

0  10101010 00110000 00000000 00010001
1  10000000 00000000 00101001 11110111
2  01010010 11010111 11101111 11111110
3  11111111 01011111 11111111 10100011
4  00000000 00010001 11111111 11111100
5  00000000 01001010 00000000 00100100
6  00000000 00001010 11111111 11101111
7  00000000 00000010 00000000 00010010
8  00000000 00010010 11111111 11111011
9  00000000 00010101 00000000 00001101
10 00000000 00001101 11111111 11111101
11 00000000 00010010 00000000 00000100
12 00000000 00001110 00000000 00000011
13 00000000 00001101 00000000 00000100
14 00000000 00001101 00000000 00000110
15 00000000 00001010 11111111 11111010
16 00000000 00001100 00000000 00000100
17 11101100 11101110 00010000 01010101

Let's try to interpret them.

Word 0: 
 0 10101010 00110000 00000000 00010001
   10101010 = Preamble
            0011 = Range Data
                0000 0000 0 = FFT Chirp Index
                           00 00010001 = CFG FFT TX MAX

Word 2-16: Range FFT Data


2  10000000 00000000 00101001 11110111
3  01010010 11010111 11101111 11111110
4  11111111 01011111 11111111 10100011
5  00000000 00010001 11111111 11111100
6  00000000 01001010 00000000 00100100
7  00000000 00001010 11111111 11101111
8  00000000 00000010 00000000 00010010
9  00000000 00010010 11111111 11111011
10 00000000 00010101 00000000 00001101
11 00000000 00001101 11111111 11111101
12 00000000 00010010 00000000 00000100
13 00000000 00001110 00000000 00000011
14 00000000 00001101 00000000 00000100
15 00000000 00001101 00000000 00000110
16 00000000 00001010 11111111 11111010
   \               / \               /
       FFT Real        FFT Imaginary

Word 17: 
17 11101100 11101110 00010000 01010101
   11101100 11101110 = Checksum        
                     0001  = Frame Index
                         00 = Not Used
                           00 = CFG Message
                              01010101 = Postamble
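
The field layout worked out above, applied to the example frame as an added Python example (not code from the original post or from ICLegend): it checks the preamble and postamble, then decodes every word between header and trailer as a signed 16-bit real/imaginary pair. Assumptions: words are MSB-first and big-endian as printed, words 1 to 16 of the first listing are all data, and the lower 20 bits of word 0 are returned unsplit; `parse_frame` and its field names are made up for this example.

```python
import struct

# Example frame copied from the listing above: word index, then four bytes in binary.
FRAME_TEXT = """\
0  10101010 00110000 00000000 00010001
1  10000000 00000000 00101001 11110111
2  01010010 11010111 11101111 11111110
3  11111111 01011111 11111111 10100011
4  00000000 00010001 11111111 11111100
5  00000000 01001010 00000000 00100100
6  00000000 00001010 11111111 11101111
7  00000000 00000010 00000000 00010010
8  00000000 00010010 11111111 11111011
9  00000000 00010101 00000000 00001101
10 00000000 00001101 11111111 11111101
11 00000000 00010010 00000000 00000100
12 00000000 00001110 00000000 00000011
13 00000000 00001101 00000000 00000100
14 00000000 00001101 00000000 00000110
15 00000000 00001010 11111111 11111010
16 00000000 00001100 00000000 00000100
17 11101100 11101110 00010000 01010101
"""

def parse_frame(text):
    """Decode one 18-word frame using the field layout from the write-up."""
    raw = bytes(int(b, 2) for line in text.splitlines() if line.strip()
                for b in line.split()[1:])           # [1:] drops the word index
    if len(raw) != 18 * 4:
        raise ValueError(f"expected 72 bytes, got {len(raw)}")
    (head,), (tail,) = struct.unpack(">I", raw[:4]), struct.unpack(">I", raw[-4:])
    if head >> 24 != 0xAA or tail & 0xFF != 0x55:
        raise ValueError("bad preamble/postamble, capture is probably misaligned")
    # Assumption: each data word is one FFT bin, signed 16-bit real in the
    # upper half and signed 16-bit imaginary in the lower half.
    bins = list(struct.iter_unpack(">hh", raw[4:-4]))
    return {
        "type": (head >> 20) & 0xF,       # 0b0011 = Range Data
        "header_low20": head & 0xFFFFF,   # chirp index + CFG FFT TX MAX, left unsplit
        "bins": bins,                     # list of (real, imag) tuples
        "checksum": tail >> 16,           # algorithm unknown, extracted only
        "frame_index": (tail >> 12) & 0xF,
        "cfg_message": (tail >> 8) & 0x3,
    }
```

The framing check is what makes this useful on a scope or logic-analyzer export: a dropped or shifted byte fails the preamble/postamble test instead of silently producing plausible-looking bins.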

Interesting bits

The ICLegend ICL series has a very interesting debug mode: the chips can spit out raw I/Q frames.

