Sat, 09 Oct 2021 16:52:19 +0200
HP34970A - part 6
117
6d0820cef446
new post on the eip545b fw
David Douard <david.douard@sdfa3.org>
parents:
diff
changeset
|
1 | ========================================== |
2 | EIP 545B RF Frequency Counter - Firmware |
3 | ========================================== |
4 | |
5 | :author: David Douard |
6 | :Category: Electronics |
7 | :Tags: test equipment, RF, EIP, 545, 545A, 545B, 575A, 578A, counter |
8 | :series: EIP545B Frequency Counter |
9 | :series_index: 7 |
10 | |
11 | |
12 | This part will focus on the analysis of the firmware I have made so far, in order to |
13 | fix a few issues I have encountered in my unit, as related in the |
14 | `previous part <{filename}/eip545b.rst>`_. |
15 | |
118
fb878b773377
new post: fixing the Dell 2407
David Douard <david.douard@sdfa3.org>
parents:
117
diff
changeset
|
16 | **It will be updated** as I make progress on disassembling and understanding |
17 | the firmware. |
18 | |
19 | |
20 | Original Firmware |
21 | ================= |
22 | |
23 | The original firmware I have in my unit is the version "2060048 SPECIAL WB68". |
24 | |
25 | Here are the 3 EPROM images dumped from there: |
26 | |
27 | - U11 `EIP545B-2060048-02B <{static}/data/eip545b/EIP545B-2060048-02B_SPECIAL-WB68.bin>`_ |
28 | - U12 `EIP545B-2060048-03B <{static}/data/eip545b/EIP545B-2060048-03B_SPECIAL-WB68.bin>`_ |
29 | - U13 `EIP545B-2060048-04B <{static}/data/eip545b/EIP545B-2060048-04B_SPECIAL-WB68.bin>`_ |
30 | |
31 | |
32 | |
33 | Modified Firmware |
34 | ================= |
35 | |
36 | The current version of the firmware I run on my device is the following: |
37 | |
38 | - U11 `EIP545B-2060048-02B-mod <{static}/data/eip545b/EIP545B-2060048-02B_SPECIAL-WB68-modified.bin>`_ |
39 | - U12 `EIP545B-2060048-03B-mod <{static}/data/eip545b/EIP545B-2060048-03B_SPECIAL-WB68-modified.bin>`_ |
40 | - U13 `EIP545B-2060048-04B-mod <{static}/data/eip545b/EIP545B-2060048-04B_SPECIAL-WB68-modified.bin>`_ |
41 | |
42 | I have fixed a few issues of the original firmware, but not all of them: |
43 | |
44 | - the power meter works (with a very quick calibration for now), |
45 | - there is no longer a 160MHz Offset on startup, but the Offset light remains on |
46 | (until I manually clear the frequency offset values), |
47 | - the 5 digits displayed on startup is not fixed either. |
48 | |
49 | |
50 | Disassembling the firmware |
51 | ========================== |
52 | |
53 | f9dasm |
54 | ------ |
55 | |
56 | At first, I used `f9dasm <https://github.com/Arakula/f9dasm>`_ to |
57 | disassemble the firmware. It does the job but seriously lacks power. |
58 | |
59 | Nonetheless, here is the result of this first attempt: |
60 | |
61 | `EIP545B-2060048.f9dasm <{static}/data/eip545b/EIP545B-2060048.f9dasm>`_ |
62 | |
63 | In this file, I only identified a bunch of routines. The interesting part |
64 | starts at address 0x5F19, which is the address where the CPU jumps after a |
65 | RESET (as configured in the interrupt vector table at the very end of the |
66 | address space, namely addresses [0xFFF2:0xFFFF]). |
67 | |
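The RESET lookup described above, as an added example (not code from the original post): the MC6809 keeps seven big-endian 16-bit vectors at 0xFFF2-0xFFFF, so the entry point can be read from the last 14 bytes of the EPROM image mapped at the top of the address space, and blank or out-of-ROM vectors point to a bad dump. Only the RESET value 0x5F19 comes from the post; the sample image, the other vector values and the ROM range are constructed assumptions.

```python
import struct

# MC6809 hardware vectors: seven big-endian 16-bit pointers at 0xFFF2..0xFFFF.
VECTOR_NAMES = ["SWI3", "SWI2", "FIRQ", "IRQ", "SWI", "NMI", "RESET"]
TABLE_SIZE = 2 * len(VECTOR_NAMES)  # 14 bytes

# Assumed address range covered by the EPROMs (hypothetical, not from the post).
ROM_RANGES = [(0x4000, 0xFFFF)]


def read_vectors(rom: bytes) -> dict:
    """Parse the vector table from an image whose last byte maps to 0xFFFF."""
    if len(rom) < TABLE_SIZE:
        raise ValueError("image too short to hold the vector table")
    return dict(zip(VECTOR_NAMES, struct.unpack(">7H", rom[-TABLE_SIZE:])))


def suspicious_vectors(vectors: dict, rom_ranges: list) -> list:
    """Names of vectors that look erased (0x0000/0xFFFF) or point outside ROM."""
    bad = []
    for name, addr in vectors.items():
        in_rom = any(lo <= addr <= hi for lo, hi in rom_ranges)
        if addr in (0x0000, 0xFFFF) or not in_rom:
            bad.append(name)
    return bad


def make_sample_image() -> bytes:
    """Constructed 8 KiB image: erased EPROM (0xFF) with a vector table at the end.
    SWI3 is left erased on purpose; RESET is the 0x5F19 quoted in the post."""
    rom = bytearray(b"\xff" * 0x2000)
    rom[-TABLE_SIZE:] = struct.pack(
        ">7H", 0xFFFF, 0x6000, 0x6010, 0x6020, 0x6030, 0x6040, 0x5F19
    )
    return bytes(rom)


if __name__ == "__main__":
    vectors = read_vectors(make_sample_image())
    for name, addr in vectors.items():
        print(f"{name:5s} -> 0x{addr:04X}")
    print("suspicious:", suspicious_vectors(vectors, ROM_RANGES))
```
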
68 | radare2 |
69 | ------- |
70 | |
71 | Then I discovered `radare2 <https://www.radare.org>`_, which is an awesome tool. |
72 | When I started using it, it had no complete and proper support for the |
73 | MC6809, so I had to write my own version of the architecture support, |
74 | including ESIL support (unfortunately, I never took the time to finish the work |
75 | and submit it upstream; I may try to finish this in the next few months). |