content/eip545b_firmware.rst

Sat, 09 Oct 2021 16:52:19 +0200

author
David Douard <david.douard@sdfa3.org>
date
Sat, 09 Oct 2021 16:52:19 +0200
changeset 137
f3070bd842cd
parent 118
fb878b773377
permissions
-rw-r--r--

HP34970A - part 6

==========================================
EIP 545B RF Frequency Counter - Firmware
==========================================

:author: David Douard
:Category: Electronics
:Tags: test equipment, RF, EIP, 545, 545A, 545B, 575A, 578A, counter
:series: EIP545B Frequency Counter
:series_index: 7

This part will focus on the analysis of the firmware I made so far, in order to
fix a few issues I have encountered in my unit, as related in the
`previous part <{filename}/eip545b.rst>`_.

**It will be updated** as I make progress on disassembling and understanding
the firmware.

Original Firmware
=================

The original firmware I have in my unit is the version "2060048 SPECIAL WB68".

Here are the 3 EPROM images dumped from there:

- U11 `EIP545B-2060048-02B <{static}/data/eip545b/EIP545B-2060048-02B_SPECIAL-WB68.bin>`_
- U12 `EIP545B-2060048-03B <{static}/data/eip545b/EIP545B-2060048-03B_SPECIAL-WB68.bin>`_
- U13 `EIP545B-2060048-04B <{static}/data/eip545b/EIP545B-2060048-04B_SPECIAL-WB68.bin>`_

Modified Firmware
=================

The current version of the firmware I run on my device is the following:

- U11 `EIP545B-2060048-02B-mod <{static}/data/eip545b/EIP545B-2060048-02B_SPECIAL-WB68-modified.bin>`_
- U12 `EIP545B-2060048-03B-mod <{static}/data/eip545b/EIP545B-2060048-03B_SPECIAL-WB68-modified.bin>`_
- U13 `EIP545B-2060048-04B-mod <{static}/data/eip545b/EIP545B-2060048-04B_SPECIAL-WB68-modified.bin>`_

I have fixed a few issues of the original firmware, but not all of them:

- the power meter works (with a very quick calibration for now),
- there is no longer a 160MHz Offset on startup, but the Offset light remains on
  (until I manually clear the frequency offset values),
- the 5 digits displayed on startup are not fixed either.

Disassembling the firmware
==========================

f9dasm
------

At first, I used `f9dasm <https://github.com/Arakula/f9dasm>`_ to
disassemble the firmware. It does the job but seriously lacks power.

Nonetheless, here is the result of this first attempt:

`EIP545B-2060048.f9dasm <{static}/data/eip545b/EIP545B-2060048.f9dasm>`_

In this file, I only identified a bunch of routines. The interesting part
starts at address 0x5F19, which is the address where the CPU jumps after a
RESET (as configured in the interrupt vector table at the very end of the
address space, namely addresses [0xFFF2:0xFFFF]).

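The vector table mentioned above can be decoded directly from a dump before any disassembly. This is an added example, not part of the original post: it assumes a ROM image whose last byte maps to 0xFFFF, and ``build_sample_tail``, the ``rom_start`` value 0x4000 and every vector target other than RESET (0x5F19) are constructed for illustration.

```python
import struct

# MC6809 hardware vectors: big-endian 16-bit addresses at the top of memory.
# 0xFFF0 is reserved, so the usable table is 0xFFF2..0xFFFF.
VECTORS = [
    (0xFFF2, "SWI3"), (0xFFF4, "SWI2"), (0xFFF6, "FIRQ"), (0xFFF8, "IRQ"),
    (0xFFFA, "SWI"), (0xFFFC, "NMI"), (0xFFFE, "RESET"),
]


def read_vectors(image: bytes, end_addr: int = 0xFFFF) -> dict:
    """Decode the vector table from an image whose last byte sits at end_addr."""
    base = end_addr + 1 - len(image)  # CPU address of image[0]
    if base < 0 or base > VECTORS[0][0]:
        raise ValueError("image does not cover 0xFFF2..0xFFFF")
    table = {}
    for addr, name in VECTORS:
        (target,) = struct.unpack_from(">H", image, addr - base)
        table[name] = target
    return table


def suspicious(table: dict, rom_start: int, rom_end: int = 0xFFFF) -> list:
    """Vectors that look erased (0x0000/0xFFFF) or point outside the ROM range."""
    return [name for name, target in table.items()
            if target in (0x0000, 0xFFFF) or not rom_start <= target <= rom_end]


def build_sample_tail() -> bytes:
    # Constructed 16-byte tail covering 0xFFF0..0xFFFF. Only the RESET target
    # (0x5F19) comes from the post; every other value is made up.
    words = [0xFFFF, 0x6000, 0x6000, 0x6100, 0x6200, 0x6000, 0xFFFF, 0x5F19]
    return struct.pack(">8H", *words)


if __name__ == "__main__":
    vectors = read_vectors(build_sample_tail())
    for name, target in vectors.items():
        print(f"{name:5s} -> 0x{target:04X}")
    # rom_start=0x4000 is an assumption; the post does not give the ROM base.
    print("needs a closer look:", suspicious(vectors, rom_start=0x4000))
```

On a real dump, vectors that read 0xFFFF or fall outside the ROM range usually mean the image is incomplete or mapped at the wrong base.
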
radare2
-------

Then I discovered `radare2 <https://www.radare.org>`_, which is an awesome tool.
When I started trying to use it, it had no complete and proper support for the
MC6809 back then, so I had to write my own version of the architecture support,
including ESIL support (unfortunately I never took the time to finish the work
and submit my work upstream. I may try to finish this in the next few months).
