--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/content/eip545b_firmware.rst Thu Oct 17 00:13:50 2019 +0200 
@@ -0,0 +1,75 @@ +========================================== + EIP 545B RF Frequency Counter - Firmware +========================================== + +:author: David Douard +:Category: Electronics +:Tags: test equipment, RF, EIP, 545, 545A, 545B, 575A, 578A, counter +:series: EIP545B Frequency Counter +:series_index: 7 + + +This part will focus on the analyze of the firmware I made so far, in order to +fix a few issues I have encountered in my unit, as related in previous +`previous part <(unknown)/eip545b.rst>`_. + +**It will be updated** as long as I make progress on disassembling and +understanding the firmware. + + +Original Firmware +================= + +The original firmware I have in my unit if the version "2060048 SPECIAL WB68". + +Here are the 3 EPROM images dumped form there: + +- U11 `EIP545B-2060048-02B <{static}/data/eip545b/EIP545B-2060048-02B_SPECIAL-WB68.bin>`_ +- U12 `EIP545B-2060048-03B <{static}/data/eip545b/EIP545B-2060048-03B_SPECIAL-WB68.bin>`_ +- U13 `EIP545B-2060048-04B <{static}/data/eip545b/EIP545B-2060048-04B_SPECIAL-WB68.bin>`_ + + + +Modified Firmware +================= + +The current version of the firmware I run on my device is the following: + +- U11 `EIP545B-2060048-02B-mod <{static}/data/eip545b/EIP545B-2060048-02B_SPECIAL-WB68-modified.bin>`_ +- U12 `EIP545B-2060048-03B-mod <{static}/data/eip545b/EIP545B-2060048-03B_SPECIAL-WB68-modified.bin>`_ +- U13 `EIP545B-2060048-04B-mod <{static}/data/eip545b/EIP545B-2060048-04B_SPECIAL-WB68-modified.bin>`_ + +I have fixed a few issues of the original firmware, but not all of them: + +- the power meter works (with a very quick calibration for now), +- there is no more a 160MHz Offset on startup, but the Offset lights remains on + (until I manually clear the frenauency offset values), +- the 5 digits displayed on startup is not fixed either. 
+ + +Disassembling the firmware +========================== + +f9dasm +------ + +At first, I used to use `f9dasm <https://github.com/Arakula/f9dasm>`_ to +disassemble the firmware. It does the job but seriously lacks power. + +Nonetheless, here is the result of this first attempt: + +`EIP545B-2060048.f9dasm <{static}/data/eip545b/EIP545B-2060048.f9dasm>`_ + +In this file, I only identified a bunch of routines. The interesting part +starts at address 0x5F19, which is the address where the CPU jumps after a +RESET (as configured in the interrupt vector table at the very end of the +address space, namely addresses [0xFFF2:0xFFFF]. + +radare2 +------- + +Then I discovered `radare2 <https://www.radare.org>`_, which is an awesome tool. +When I started to try to use it, it had no complete and proper support for the +MC6809 back then, so I had to write my own version of the architecture support, +including ESIL support (unfortunately I never took the time to finish the work +and submit my work upstream. I may try to finish this in the next few month).
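Review bot: the intro paragraph links to `previous part <(unknown)/eip545b.rst>`_, which reads as an unresolved placeholder rather than a real page path, and the word "previous" is doubled ("as related in previous `previous part ...`_"); please point the link at the actual previous article in the series and drop the duplicate word. The same paragraph has "the analyze of the firmware" (should be "the analysis"). A few more wording slips in the new text are worth fixing before merge: "The original firmware I have in my unit if the version" (is), "Here are the 3 EPROM images dumped form there" (from), "until I manually clear the frenauency offset values" (frequency), "there is no more a 160MHz Offset on startup, but the Offset lights remains on" (there is no longer / remain), "the 5 digits displayed on startup is not fixed either" (are), "At first, I used to use" (I first used), and "in the next few month" (months). In the f9dasm section the parenthesis opened at "(as configured in the interrupt vector table ... namely addresses [0xFFF2:0xFFFF]." is never closed. Finally, since the page publishes both the original and the modified EPROM images as downloadable .bin files that a reader may flash into their own unit, it would help to list a checksum (for example a SHA-256) next to each link so readers can verify the file they downloaded matches the one you dumped or modified.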