comparison: content/eip545b_firmware.rst
content/eip545b_firmware.rst
- changeset 117
- 6d0820cef446
- child 118
- fb878b773377
equal
deleted
inserted
replaced
| 116:dad9b39691de | 117:6d0820cef446 |
|---|---|
| 1 ========================================== | |
| 2 EIP 545B RF Frequency Counter - Firmware | |
| 3 ========================================== | |
| 4 | |
| 5 :author: David Douard | |
| 6 :Category: Electronics | |
| 7 :Tags: test equipment, RF, EIP, 545, 545A, 545B, 575A, 578A, counter | |
| 8 :series: EIP545B Frequency Counter | |
| 9 :series_index: 7 | |
| 10 | |
| 11 | |
| 12 This part will focus on the analyze of the firmware I made so far, in order to | |
| 13 fix a few issues I have encountered in my unit, as related in previous | |
| 14 `previous part <{filename}/eip545b.rst>`_. | |
| 15 | |
| 16 **It will be updated** as long as I make progress on disassembling and | |
| 17 understanding the firmware. | |
| 18 | |
| 19 | |
| 20 Original Firmware | |
| 21 ================= | |
| 22 | |
| 23 The original firmware I have in my unit if the version "2060048 SPECIAL WB68". | |
| 24 | |
| 25 Here are the 3 EPROM images dumped form there: | |
| 26 | |
| 27 - U11 `EIP545B-2060048-02B <{static}/data/eip545b/EIP545B-2060048-02B_SPECIAL-WB68.bin>`_ | |
| 28 - U12 `EIP545B-2060048-03B <{static}/data/eip545b/EIP545B-2060048-03B_SPECIAL-WB68.bin>`_ | |
| 29 - U13 `EIP545B-2060048-04B <{static}/data/eip545b/EIP545B-2060048-04B_SPECIAL-WB68.bin>`_ | |
| 30 | |
| 31 | |
| 32 | |
| 33 Modified Firmware | |
| 34 ================= | |
| 35 | |
| 36 The current version of the firmware I run on my device is the following: | |
| 37 | |
| 38 - U11 `EIP545B-2060048-02B-mod <{static}/data/eip545b/EIP545B-2060048-02B_SPECIAL-WB68-modified.bin>`_ | |
| 39 - U12 `EIP545B-2060048-03B-mod <{static}/data/eip545b/EIP545B-2060048-03B_SPECIAL-WB68-modified.bin>`_ | |
| 40 - U13 `EIP545B-2060048-04B-mod <{static}/data/eip545b/EIP545B-2060048-04B_SPECIAL-WB68-modified.bin>`_ | |
| 41 | |
| 42 I have fixed a few issues of the original firmware, but not all of them: | |
| 43 | |
| 44 - the power meter works (with a very quick calibration for now), | |
| 45 - there is no more a 160MHz Offset on startup, but the Offset lights remains on | |
| 46 (until I manually clear the frenauency offset values), | |
| 47 - the 5 digits displayed on startup is not fixed either. | |
| 48 | |
| 49 | |
| 50 Disassembling the firmware | |
| 51 ========================== | |
| 52 | |
| 53 f9dasm | |
| 54 ------ | |
| 55 | |
| 56 At first, I used to use `f9dasm <https://github.com/Arakula/f9dasm>`_ to | |
| 57 disassemble the firmware. It does the job but seriously lacks power. | |
| 58 | |
| 59 Nonetheless, here is the result of this first attempt: | |
| 60 | |
| 61 `EIP545B-2060048.f9dasm <{static}/data/eip545b/EIP545B-2060048.f9dasm>`_ | |
| 62 | |
| 63 In this file, I only identified a bunch of routines. The interesting part | |
| 64 starts at address 0x5F19, which is the address where the CPU jumps after a | |
| 65 RESET (as configured in the interrupt vector table at the very end of the | |
| 66 address space, namely addresses [0xFFF2:0xFFFF]. | |
| 67 | |
| 68 radare2 | |
| 69 ------- | |
| 70 | |
| 71 Then I discovered `radare2 <https://www.radare.org>`_, which is an awesome tool. | |
| 72 When I started to try to use it, it had no complete and proper support for the | |
| 73 MC6809 back then, so I had to write my own version of the architecture support, | |
| 74 including ESIL support (unfortunately I never took the time to finish the work | |
| 75 and submit my work upstream. I may try to finish this in the next few month). |
