content/eip545b_firmware.rst

Thu, 10 Nov 2022 20:56:16 +0100

author
David Douard <david.douard@sdf3.org>
date
Thu, 10 Nov 2022 20:56:16 +0100
changeset 148
2f87039dd0b5
parent 118
fb878b773377
permissions
-rw-r--r--

Replace video links with working ones from new peertube instance

==========================================
 EIP 545B RF Frequency Counter - Firmware
==========================================

:author: David Douard
:Category: Electronics
:Tags: test equipment, RF, EIP, 545, 545A, 545B, 575A, 578A, counter
:series: EIP545B Frequency Counter
:series_index: 7


This part will focus on the analyze of the firmware I made so far, in order to
fix a few issues I have encountered in my unit, as related in previous
`previous part <{filename}/eip545b.rst>`_.

**It will be updated** as I make progress on disassembling and understanding
the firmware.


Original Firmware
=================

The original firmware I have in my unit if the version "2060048 SPECIAL WB68".

Here are the 3 EPROM images dumped form there:

- U11 `EIP545B-2060048-02B <{static}/data/eip545b/EIP545B-2060048-02B_SPECIAL-WB68.bin>`_
- U12 `EIP545B-2060048-03B <{static}/data/eip545b/EIP545B-2060048-03B_SPECIAL-WB68.bin>`_
- U13 `EIP545B-2060048-04B <{static}/data/eip545b/EIP545B-2060048-04B_SPECIAL-WB68.bin>`_



Modified Firmware
=================

The current version of the firmware I run on my device is the following:

- U11 `EIP545B-2060048-02B-mod <{static}/data/eip545b/EIP545B-2060048-02B_SPECIAL-WB68-modified.bin>`_
- U12 `EIP545B-2060048-03B-mod <{static}/data/eip545b/EIP545B-2060048-03B_SPECIAL-WB68-modified.bin>`_
- U13 `EIP545B-2060048-04B-mod <{static}/data/eip545b/EIP545B-2060048-04B_SPECIAL-WB68-modified.bin>`_

I have fixed a few issues of the original firmware, but not all of them:

- the power meter works (with a very quick calibration for now),
- there is no more a 160MHz Offset on startup, but the Offset lights remains on
  (until I manually clear the frenauency offset values),
- the 5 digits displayed on startup is not fixed either.


Disassembling the firmware
==========================

f9dasm
------

At first, I used to use `f9dasm <https://github.com/Arakula/f9dasm>`_ to
disassemble the firmware. It does the job but seriously lacks power.

Nonetheless, here is the result of this first attempt:

`EIP545B-2060048.f9dasm <{static}/data/eip545b/EIP545B-2060048.f9dasm>`_

In this file, I only identified a bunch of routines. The interesting part
starts at address 0x5F19, which is the address where the CPU jumps after a
RESET (as configured in the interrupt vector table at the very end of the
address space, namely addresses [0xFFF2:0xFFFF].

radare2
-------

Then I discovered `radare2 <https://www.radare.org>`_, which is an awesome tool.
When I started to try to use it, it had no complete and proper support for the
MC6809 back then, so I had to write my own version of the architecture support,
including ESIL support (unfortunately I never took the time to finish the work
and submit my work upstream. I may try to finish this in the next few month).

mercurial