Author Topic: Hacking the Agilent 4263B LCR Meter! (Read 19354 times)

Hugoneus · « **on:** April 02, 2014, 03:33:14 am »

I have an Agilent 4263B LCR Meter. However, it does not have OPT 001 and OPT 002 installed. After some searches I came across the fact that the option is just a software installation:

http://cp.literature.agilent.com/litweb/pdf/04263-90051.pdf

Of course I don't have the floppy. So no luck there. After further search, I also found that someone had posted a firmware upgrade of the unit as a BIN file which can be downloaded to an EEPROM inside the unit. (Not through GPIB).

I have attached that BIN file here. I think it might be possible to just simply modify the BIN file to enable the OPT upgrades. Although, I could be wrong. I had to rename the BIN file to HEX to be able to post it.

I also have to add that Agilent is actually giving away OPT 001/002 with this unit now. But don't seem to carry the floppy disks anymore. If someone figures this out, I will also do a video of the teardown and upgrade of the unit.

Any ideas?

echen1024 · « **Reply #1 on:** April 02, 2014, 04:06:53 am »

Since this unit is discontinued, you might just ask Agilent to provide you with a spare set of floppies. If I could get a 33120A function generator, I'm sure a set of floppies could be manageable.

Hugoneus · « **Reply #2 on:** April 02, 2014, 04:10:03 am »

Quote from: echen1024 on April 02, 2014, 04:06:53 am

Since this unit is discontinued, you might just ask Agilent to provide you with a spare set of floppies. If I could get a 33120A function generator, I'm sure a set of floppies could be manageable.

I asked, unfortunately they don't seem to have them... Or at least the person that I spoke to couldn't locate one. Someone out there is ought to have those floppies!

echen1024 · « **Reply #3 on:** April 02, 2014, 04:25:09 am »

Quote from: Hugoneus on April 02, 2014, 04:10:03 am

Quote from: echen1024 on April 02, 2014, 04:06:53 am
Since this unit is discontinued, you might just ask Agilent to provide you with a spare set of floppies. If I could get a 33120A function generator, I'm sure a set of floppies could be manageable.

I asked, unfortunately they don't seem to have them... Or at least the person that I spoke to couldn't locate one. Someone out there is ought to have those floppies!

I would try Vincent Himpe (free_electron) on the forum. He seems to be the authority on all things Agilent. I'm just a student starting out, with a relatively small amount of test equipment, so I don't have these large stashes. I do try and keep an eye out on eBay for cheap HP/Agilent stuff, as it lasts forever and is easily repairable.

alex.forencich · « **Reply #4 on:** April 02, 2014, 05:01:02 am »

What processor does that thing run on?

Edit: That's interesting; all of the strings in the ROM are byte-swapped. What ROM is the supposed to be programmed in to? And it is just supposed to be programmed in to one ROM?

Hugoneus · « **Reply #5 on:** April 02, 2014, 05:10:37 am »

Quote from: alex.forencich on April 02, 2014, 05:01:02 am

What processor does that thing run on?

I'd have to open the unit. I'll do that and let you know. The EEPROM itself is an AT27C2048.

casinada · « **Reply #6 on:** April 02, 2014, 05:12:09 am »

Tin has one of those units too. Maybe he knows.

alex.forencich · « **Reply #7 on:** April 02, 2014, 05:18:35 am »

Quote from: Hugoneus on April 02, 2014, 05:10:37 am

Quote from: alex.forencich on April 02, 2014, 05:01:02 am
What processor does that thing run on?

I'd have to open the unit. I'll do that and let you know. The EEPROM itself is an AT27C2048.

Interesing. That's a 16 bit ROM. I think there is a good chance this unit is running on a 68000 like the spectrum analyzers. However, the address offsets in the low part of memory exceed the size of the memory, almost as if they might be byte-swapped. I wonder if the high and low bytes were swapped for routing purposes? Can you also possibly check to see if this is how it is wired?

alex.forencich · « **Reply #8 on:** April 02, 2014, 05:31:26 am »

We have a winner! It seems to be a 68k ROM, with the bytes swapped. Un-swapped version is attached.

TiN · « **Reply #9 on:** April 02, 2014, 05:58:39 am »

Yap, I have unit and want hack it too.

I downloaded both firmware ROM and cal/data EEPROM from my unit, and as well found 1.06 firmware on web.

All I put for downloadhere.

I bet Vincent knows what are magic bits there to modify. Just adding "001,002" ASCII near name did not unlock options, so there must be some extra checksum checks or something like this. $:-\$

Hugoneus · « **Reply #10 on:** April 02, 2014, 05:59:29 am »

Quote from: alex.forencich on April 02, 2014, 05:31:26 am

We have a winner! It seems to be a 68k ROM, with the bytes swapped. Un-swapped version is attached.

Very nice. Now do you suggest that we decompile it and look for OPT?

Hugoneus · « **Reply #11 on:** April 02, 2014, 06:03:04 am »

Quote from: TiN on April 02, 2014, 05:58:39 am

Yap, I have unit and want hack it too.
I downloaded both firmware ROM and cal/data EEPROM from my unit, and as well found 1.06 firmware on web.

All I put for downloadhere.

I bet Vincent knows what are magic bits there to modify. Just adding "001,002" ASCII near name did not unlock options, so there must be some extra checksum checks or something like this. $:-\$

I will buy some spare EEPROMS to experiment. I also have a 4263A that DOES have option 001. Perhaps we can use that somehow.

alex.forencich · « **Reply #12 on:** April 02, 2014, 06:18:23 am »

Memory address FFFFD978 is the flag for option 1 and FFFD97A is the flag for option 2. These are in NVRAM. Now, there has to be a command to set these....

alex.forencich · « **Reply #13 on:** April 02, 2014, 06:33:43 am »

What appears to the the list of SCPI commands, organized in line pairs, first is required prefix, second is optional sufix:

Code: [Select]

ROM:00020520 aCal:           dc.b 'CAL',0
ROM:00020524                 dc.b   0
ROM:00020525 aCalibration:   dc.b 'CALIBRATION',0
ROM:00020531                 dc.b   0
ROM:00020532 a_trg:          dc.b '_TRG',0           ; DATA XREF: ROM:off_215EAo
ROM:00020537                 dc.b   0
ROM:00020538 aWai:           dc.b 'WAI',0            ; DATA XREF: ROM:off_2161Co
ROM:0002053C                 dc.b   0
ROM:0002053D aTst:           dc.b 'TST',0            ; DATA XREF: ROM:off_21662o
ROM:00020541                 dc.b   0
ROM:00020542 aTrg:           dc.b 'TRG',0            ; DATA XREF: ROM:off_21694o
ROM:00020546                 dc.b   0
ROM:00020547 aStb:           dc.b 'STB',0            ; DATA XREF: ROM:off_216DAo
ROM:0002054B                 dc.b   0
ROM:0002054C aSre:           dc.b 'SRE',0            ; DATA XREF: ROM:off_21720o
ROM:00020550                 dc.b   0
ROM:00020551 aSav:           dc.b 'SAV',0            ; DATA XREF: ROM:off_21752o
ROM:00020555                 dc.b   0
ROM:00020556 aRst:           dc.b 'RST',0            ; DATA XREF: ROM:off_21784o
ROM:0002055A                 dc.b   0
ROM:0002055B aRcl:           dc.b 'RCL',0            ; DATA XREF: ROM:off_217B6o
ROM:0002055F                 dc.b   0
ROM:00020560 aOpt:           dc.b 'OPT',0            ; DATA XREF: ROM:off_217FCo
ROM:00020564                 dc.b   0
ROM:00020565 aOpc:           dc.b 'OPC',0            ; DATA XREF: ROM:off_21842o
ROM:00020569                 dc.b   0
ROM:0002056A aLrn:           dc.b 'LRN',0            ; DATA XREF: ROM:off_21888o
ROM:0002056E                 dc.b   0
ROM:0002056F aIdn:           dc.b 'IDN',0            ; DATA XREF: ROM:off_218CEo
ROM:00020573                 dc.b   0
ROM:00020574 aEsr:           dc.b 'ESR',0            ; DATA XREF: ROM:off_21914o
ROM:00020578                 dc.b   0
ROM:00020579 aEse:           dc.b 'ESE',0            ; DATA XREF: ROM:off_2195Ao
ROM:0002057D                 dc.b   0
ROM:0002057E aCls:           dc.b 'CLS',0            ; DATA XREF: ROM:off_2198Co
ROM:00020582                 dc.b   0
ROM:00020583 aDel:           dc.b 'DEL',0
ROM:00020587 aAy:            dc.b 'AY',0
ROM:0002058A aTrig:          dc.b 'TRIG',0           ; DATA XREF: ROM:off_21A7Co
ROM:0002058F aGer:           dc.b 'GER',0
ROM:00020593 aCont:          dc.b 'CONT',0           ; DATA XREF: ROM:off_21B08o
ROM:00020598 aRol:           dc.b 'ROL',0
ROM:0002059C aFeed:          dc.b 'FEED',0           ; DATA XREF: ROM:off_21B4Eo
ROM:000205A1                 dc.b   0
ROM:000205A2 aPoin:          dc.b 'POIN',0           ; DATA XREF: ROM:off_21B94o
ROM:000205A7 aTs:            dc.b 'TS',0
ROM:000205AA aPath:          dc.b 'PATH',0           ; DATA XREF: ROM:off_21C0Co
ROM:000205AF                 dc.b   0
ROM:000205B0 aName:          dc.b 'NAME',0           ; DATA XREF: ROM:off_21C98o
ROM:000205B5                 dc.b   0
ROM:000205B6 aCat:           dc.b 'CAT',0            ; DATA XREF: ROM:off_21CE8o
ROM:000205BA aAlog:          dc.b 'ALOG',0
ROM:000205BF aExpr:          dc.b 'EXPR',0           ; DATA XREF: ROM:off_21D1Ao
ROM:000205C4 aEssion:        dc.b 'ESSION',0
ROM:000205CB aMath:          dc.b 'MATH',0           ; DATA XREF: ROM:off_21D4Co
ROM:000205D0                 dc.b   0
ROM:000205D1 aCle:           dc.b 'CLE',0            ; DATA XREF: ROM:off_21D7Eo
ROM:000205D5 aAr:            dc.b 'AR',0
ROM:000205D8 aLow:           dc.b 'LOW',0            ; DATA XREF: ROM:off_21F40o
ROM:000205DC aEr:            dc.b 'ER',0
ROM:000205DF aLim:           dc.b 'LIM',0            ; DATA XREF: ROM:off_22076o
ROM:000205E3 aIt:            dc.b 'IT',0
ROM:000205E6 aCalculate4:    dc.b 'CALCULATE4',0
ROM:000205F1                 dc.b   0
ROM:000205F2 aCalc4:         dc.b 'CALC4',0
ROM:000205F8                 dc.b   0
ROM:000205F9 aCalculate3:    dc.b 'CALCULATE3',0
ROM:00020604                 dc.b   0
ROM:00020605 aCalc3:         dc.b 'CALC3',0
ROM:0002060B                 dc.b   0
ROM:0002060C aCalculate2_0:  dc.b 'CALCULATE2',0
ROM:00020617                 dc.b   0
ROM:00020618 aCalc2_0:       dc.b 'CALC2',0
ROM:0002061E                 dc.b   0
ROM:0002061F aCalculate1_0:  dc.b 'CALCULATE1',0
ROM:0002062A                 dc.b   0
ROM:0002062B aCalc1_0:       dc.b 'CALC1',0
ROM:00020631                 dc.b   0
ROM:00020632 aCalculate:     dc.b 'CALCULATE',0
ROM:0002063C                 dc.b   0
ROM:0002063D aCalc:          dc.b 'CALC',0
ROM:00020642                 dc.b   0
ROM:00020643 aFetc:          dc.b 'FETC',0
ROM:00020648 aH:             dc.b 'H',0
ROM:0002064A aDig:           dc.b 'DIG',0            ; DATA XREF: ROM:off_2233Co
ROM:0002064E aIt_0:          dc.b 'IT',0
ROM:00020651 aPage:          dc.b 'PAGE',0           ; DATA XREF: ROM:off_223B4o
ROM:00020656                 dc.b   0
ROM:00020657 aText2:         dc.b 'TEXT2',0          ; DATA XREF: ROM:off_223E6o
ROM:0002065D                 dc.b   0
ROM:0002065E aText1:         dc.b 'TEXT1',0          ; DATA XREF: ROM:off_22418o
ROM:00020664                 dc.b   0
ROM:00020665 aText:          dc.b 'TEXT',0           ; DATA XREF: ROM:off_2244Ao
ROM:0002066A                 dc.b   0
ROM:0002066B aWind:          dc.b 'WIND',0           ; DATA XREF: ROM:off_224C2o
ROM:00020670 aOw:            dc.b 'OW',0
ROM:00020673 aDisp:          dc.b 'DISP',0
ROM:00020678 aLay:           dc.b 'LAY',0
ROM:0002067C aCabl:          dc.b 'CABL',0           ; DATA XREF: ROM:off_22580o
ROM:00020681 aE_0:           dc.b 'E',0
ROM:00020683 aCkit:          dc.b 'CKIT',0           ; DATA XREF: ROM:off_22684o
ROM:00020688                 dc.b   0
ROM:00020689 aMeth:          dc.b 'METH',0           ; DATA XREF: ROM:off_226CAo
ROM:0002068E aOd:            dc.b 'OD',0
ROM:00020691 aAcq:           dc.b 'ACQ',0            ; DATA XREF: ROM:off_226FCo
ROM:00020695 aUire:          dc.b 'UIRE',0
ROM:0002069A aColl:          dc.b 'COLL',0           ; DATA XREF: ROM:off_2272Eo
ROM:0002069F aEct:           dc.b 'ECT',0
ROM:000206A3 aCorr:          dc.b 'CORR',0           ; DATA XREF: ROM:off_227F6o
ROM:000206A8 aEction:        dc.b 'ECTION',0
ROM:000206AF aAver:          dc.b 'AVER',0           ; DATA XREF: ROM:off_228B4o
ROM:000206B4 aAge:           dc.b 'AGE',0
ROM:000206B8 aVer:           dc.b 'VER',0            ; DATA XREF: ROM:off_228FAo
ROM:000206BC aIfy:           dc.b 'IFY',0
ROM:000206C0 aCont_0:        dc.b 'CONT',0           ; DATA XREF: ROM:off_2292Co
ROM:000206C5 aAct:           dc.b 'ACT',0
ROM:000206C9 aAuto:          dc.b 'AUTO',0           ; DATA XREF: ROM:off_22972o
ROM:000206CE                 dc.b   0
ROM:000206CF aUpp:           dc.b 'UPP',0            ; DATA XREF: ROM:off_21FFEo
ROM:000206CF                                         ; ROM:off_229B8o
ROM:000206D3 aEr_0:          dc.b 'ER',0
ROM:000206D6 aRang:          dc.b 'RANG',0           ; DATA XREF: ROM:off_229EAo
ROM:000206DB aE_1:           dc.b 'E',0
ROM:000206DD aAper:          dc.b 'APER',0           ; DATA XREF: ROM:off_22A30o
ROM:000206E2 aTure:          dc.b 'TURE',0
ROM:000206E7 aFimp_0:        dc.b 'FIMP',0           ; DATA XREF: ROM:off_22A62o
ROM:000206EC aEdance:        dc.b 'EDANCE',0
ROM:000206F3 aCoun:          dc.b 'COUN',0           ; DATA XREF: ROM:off_2283Co
ROM:000206F3                                         ; ROM:off_22AA8o
ROM:000206F8 aT:             dc.b 'T',0
ROM:000206FA aConc:          dc.b 'CONC',0           ; DATA XREF: ROM:off_22AEEo
ROM:000206FF aUrrent:        dc.b 'URRENT',0
ROM:00020706 aOn:            dc.b 'ON',0             ; DATA XREF: ROM:off_22B34o
ROM:00020709                 dc.b   0
ROM:0002070A aFunc:          dc.b 'FUNC',0           ; DATA XREF: ROM:off_22B66o
ROM:0002070F aTion:          dc.b 'TION',0
ROM:00020714 aSens:          dc.b 'SENS',0
ROM:00020719 aE_2:           dc.b 'E',0
ROM:0002071B aOffs:          dc.b 'OFFS',0           ; DATA XREF: ROM:off_22C6Ao
ROM:00020720 aEt:            dc.b 'ET',0
ROM:00020723 aAmpl:          dc.b 'AMPL',0           ; DATA XREF: ROM:off_22CB0o
ROM:00020728 aItude:         dc.b 'ITUDE',0
ROM:0002072E aLev:           dc.b 'LEV',0            ; DATA XREF: ROM:off_22D14o
ROM:00020732 aEl:            dc.b 'EL',0
ROM:00020735 aVolt:          dc.b 'VOLT',0           ; DATA XREF: ROM:off_22D46o
ROM:0002073A aAge_0:         dc.b 'AGE',0
ROM:0002073E aCw:            dc.b 'CW',0             ; DATA XREF: ROM:off_22D8Co
ROM:00020741                 dc.b   0
ROM:00020742 aFreq:          dc.b 'FREQ',0           ; DATA XREF: ROM:off_22DBEo
ROM:00020747 aUency:         dc.b 'UENCY',0
ROM:0002074D aSour:          dc.b 'SOUR',0           ; DATA XREF: ROM:off_21A18o
ROM:0002074D                                         ; ROM:off_22BDEo
ROM:00020752 aCe:            dc.b 'CE',0
ROM:00020755 aData:          dc.b 'DATA',0           ; DATA XREF: ROM:off_21AC2o
ROM:00020755                                         ; ROM:off_21F0Eo ...
ROM:0002075A                 dc.b   0
ROM:0002075B aForm:          dc.b 'FORM',0           ; DATA XREF: ROM:off_220BCo
ROM:00020760 aAt:            dc.b 'AT',0
ROM:00020763 aQues:          dc.b 'QUES',0
ROM:00020768 aTionable:      dc.b 'TIONABLE',0
ROM:00020771 aEnab:          dc.b 'ENAB',0           ; DATA XREF: ROM:off_22EE0o
ROM:00020771                                         ; ROM:off_22FE4o
ROM:00020776 aLe:            dc.b 'LE',0
ROM:00020779 aCond:          dc.b 'COND',0           ; DATA XREF: ROM:off_21E0Ao
ROM:00020779                                         ; ROM:off_22F26o ...
ROM:0002077E aItion:         dc.b 'ITION',0
ROM:00020784 aOper:          dc.b 'OPER',0
ROM:00020789 aAtion:         dc.b 'ATION',0
ROM:0002078F aStat:          dc.b 'STAT',0           ; DATA XREF: ROM:off_230D4o
ROM:00020794 aUs:            dc.b 'US',0
ROM:00020797 aPres:          dc.b 'PRES',0
ROM:0002079C aEt_0:          dc.b 'ET',0
ROM:0002079F aLfr:           dc.b 'LFR',0
ROM:000207A3 aEquency:       dc.b 'EQUENCY',0
ROM:000207AB aKloc:          dc.b 'KLOC',0
ROM:000207B0 aK:             dc.b 'K',0
ROM:000207B2 aVers:          dc.b 'VERS',0
ROM:000207B7 aIon:           dc.b 'ION',0
ROM:000207BB aStat_0:        dc.b 'STAT',0           ; DATA XREF: ROM:off_21C52o
ROM:000207BB                                         ; ROM:off_21E50o ...
ROM:000207C0 aE_3:           dc.b 'E',0
ROM:000207C2 aBeep:          dc.b 'BEEP',0           ; DATA XREF: ROM:off_21E82o
ROM:000207C7 aEr_1:          dc.b 'ER',0
ROM:000207CA aErr:           dc.b 'ERR',0
ROM:000207CE aOr:            dc.b 'OR',0
ROM:000207D1 aSyst:          dc.b 'SYST',0           ; DATA XREF: ROM:off_23304o
ROM:000207D6 aEm:            dc.b 'EM',0
ROM:000207D9 aAbor:          dc.b 'ABOR',0
ROM:000207DE aT_0:           dc.b 'T',0
ROM:000207E0 aCont_1:        dc.b 'CONT',0
ROM:000207E5 aInuous:        dc.b 'INUOUS',0
ROM:000207EC aImm:           dc.b 'IMM',0            ; DATA XREF: ROM:off_21A4Ao
ROM:000207EC                                         ; ROM:off_22CE2o
ROM:000207F0 aEdiate:        dc.b 'EDIATE',0
ROM:000207F7 aReg:           dc.b 'REG',0
ROM:000207FB aIster:         dc.b 'ISTER',0
ROM:00020801 aWord:          dc.b 'WORD',0
ROM:00020806                 dc.b   0
ROM:00020807 aAddr:          dc.b 'ADDR',0
ROM:0002080C aEss:           dc.b 'ESS',0
ROM:00020810 aMem:           dc.b 'MEM',0
ROM:00020814 aOry:           dc.b 'ORY',0
ROM:00020818 aTest:          dc.b 'TEST',0           ; DATA XREF: ROM:off_235A2o
ROM:0002081D                 dc.b   0
ROM:0002081E aVmon:          dc.b 'VMON',0           ; DATA XREF: ROM:0002097Co
ROM:00020823                 dc.b   0
ROM:00020824 aImon:          dc.b 'IMON',0           ; DATA XREF: ROM:00020970o
ROM:00020829                 dc.b   0
ROM:0002082A aRef2:          dc.b 'REF2',0           ; DATA XREF: ROM:00020978o
ROM:0002082F                 dc.b   0
ROM:00020830 aRef1:          dc.b 'REF1',0           ; DATA XREF: ROM:00020974o
ROM:00020835                 dc.b   0
ROM:00020836 aBuf2:          dc.b 'BUF2',0           ; DATA XREF: ROM:0002096Co
ROM:0002083B                 dc.b   0
ROM:0002083C aBuf1:          dc.b 'BUF1',0           ; DATA XREF: ROM:off_20968o
ROM:00020841                 dc.b   0
ROM:00020842 aPcnt:          dc.b 'PCNT',0           ; DATA XREF: ROM:00020990o
ROM:00020847                 dc.b   0
ROM:00020848 aDev:           dc.b 'DEV',0            ; DATA XREF: ROM:off_2098Co
ROM:0002084C                 dc.b   0
ROM:0002084D aInv:           dc.b 'INV',0            ; DATA XREF: ROM:000209B0o
ROM:00020851                 dc.b   0
ROM:00020852 aRp:            dc.b 'RP',0             ; DATA XREF: ROM:000209CCo
ROM:00020855                 dc.b   0
ROM:00020856 aQ:             dc.b 'Q',0              ; DATA XREF: ROM:000209C4o
ROM:00020858                 dc.b   0
ROM:00020859 aD:             dc.b 'D',0              ; DATA XREF: ROM:000209A8o
ROM:0002085B                 dc.b   0
ROM:0002085C aPhas:          dc.b 'PHAS',0           ; DATA XREF: ROM:000209C0o
ROM:00020861 aE_4:           dc.b 'E',0
ROM:00020863 aImag:          dc.b 'IMAG',0           ; DATA XREF: ROM:000209ACo
ROM:00020868 aInary:         dc.b 'INARY',0
ROM:0002086E aLs:            dc.b 'LS',0             ; DATA XREF: ROM:000209B8o
ROM:00020871                 dc.b   0
ROM:00020872 aLp:            dc.b 'LP',0             ; DATA XREF: ROM:000209B4o
ROM:00020875                 dc.b   0
ROM:00020876 aCs:            dc.b 'CS',0             ; DATA XREF: ROM:000209A4o
ROM:00020879                 dc.b   0
ROM:0002087A aCp:            dc.b 'CP',0             ; DATA XREF: ROM:off_209A0o
ROM:0002087D                 dc.b   0
ROM:0002087E aMlin:          dc.b 'MLIN',0           ; DATA XREF: ROM:000209BCo
ROM:00020883 aEar:           dc.b 'EAR',0
ROM:00020887 aNev:           dc.b 'NEV',0            ; DATA XREF: ROM:000209E0o
ROM:0002088B aEr_2:          dc.b 'ER',0
ROM:0002088E aAlw:           dc.b 'ALW',0            ; DATA XREF: ROM:off_209DCo
ROM:00020892 aAys:           dc.b 'AYS',0
ROM:00020896 aRefl3:         dc.b 'REFL3',0          ; DATA XREF: ROM:000209F4o
ROM:0002089C                 dc.b   0
ROM:0002089D aRefl2:         dc.b 'REFL2',0          ; DATA XREF: ROM:off_209F0o
ROM:000208A3                 dc.b   0
ROM:000208A4 aStandard3:     dc.b 'STANDARD3',0      ; DATA XREF: ROM:00020A18o
ROM:000208A4                                         ; ROM:off_22602o
ROM:000208AE                 dc.b   0
ROM:000208AF aStan3:         dc.b 'STAN3',0          ; DATA XREF: ROM:00020A0Co
ROM:000208AF                                         ; ROM:off_22652o
ROM:000208B5                 dc.b   0
ROM:000208B6 aStandard2:     dc.b 'STANDARD2',0      ; DATA XREF: ROM:00020A14o
ROM:000208C0                 dc.b   0
ROM:000208C1 aStan2:         dc.b 'STAN2',0          ; DATA XREF: ROM:00020A08o
ROM:000208C7                 dc.b   0
ROM:000208C8 aStandard1:     dc.b 'STANDARD1',0      ; DATA XREF: ROM:00020A10o
ROM:000208D2                 dc.b   0
ROM:000208D3 aStan1:         dc.b 'STAN1',0          ; DATA XREF: ROM:off_20A04o
ROM:000208D9                 dc.b   0
ROM:000208DA aSeq:           dc.b 'SEQ',0            ; DATA XREF: ROM:00020A48o
ROM:000208DE aUential:       dc.b 'UENTIAL',0
ROM:000208E6 aEven:          dc.b 'EVEN',0           ; DATA XREF: ROM:off_20A3Co
ROM:000208E6                                         ; ROM:off_22F6Co
ROM:000208EB aT_1:           dc.b 'T',0
ROM:000208ED aInit:          dc.b 'INIT',0           ; DATA XREF: ROM:00020A44o
ROM:000208F2 aIate:          dc.b 'IATE',0
ROM:000208F7 aIdle:          dc.b 'IDLE',0           ; DATA XREF: ROM:00020A40o
ROM:000208FC                 dc.b   0
ROM:000208FD aPass:          dc.b 'PASS',0           ; DATA XREF: ROM:00020A5Co
ROM:00020902                 dc.b   0
ROM:00020903 aFail_0:        dc.b 'FAIL',0           ; DATA XREF: ROM:off_20A58o
ROM:00020903                                         ; ROM:off_21DC4o
ROM:00020908                 dc.b   0
ROM:00020909 aReal:          dc.b 'REAL',0           ; DATA XREF: ROM:000209C8o
ROM:00020909                                         ; ROM:00020A70o
ROM:0002090E                 dc.b   0
ROM:0002090F aAsc_0:         dc.b 'ASC',0            ; DATA XREF: ROM:off_20A6Co
ROM:00020913 aIi:            dc.b 'II',0
ROM:00020916 aDown:          dc.b 'DOWN',0           ; DATA XREF: ROM:off_20A80o
ROM:0002091B                 dc.b   0
ROM:0002091C aUp:            dc.b 'UP',0             ; DATA XREF: ROM:00020A8Co
ROM:0002091F                 dc.b   0
ROM:00020920 aMax:           dc.b 'MAX',0            ; DATA XREF: ROM:00020A84o
ROM:00020920                                         ; ROM:off_20A9Co
ROM:00020924 aImum:          dc.b 'IMUM',0
ROM:00020929 aMin:           dc.b 'MIN',0            ; DATA XREF: ROM:00020A88o
ROM:00020929                                         ; ROM:00020AA0o
ROM:0002092D aImum_0:        dc.b 'IMUM',0
ROM:00020932 aLong:          dc.b 'LONG',0           ; DATA XREF: ROM:off_20AB0o
ROM:00020937                 dc.b   0
ROM:00020938 aMed:           dc.b 'MED',0            ; DATA XREF: ROM:00020AB4o
ROM:0002093C aIum:           dc.b 'IUM',0
ROM:00020940 aShor:          dc.b 'SHOR',0           ; DATA XREF: ROM:00020AB8o
ROM:00020945 aT_2:           dc.b 'T',0
ROM:00020947 aBus:           dc.b 'BUS',0            ; DATA XREF: ROM:off_20AC8o
ROM:0002094B                 dc.b   0
ROM:0002094C aExt:           dc.b 'EXT',0            ; DATA XREF: ROM:off_20A28o
ROM:0002094C                                         ; ROM:00020ACCo
ROM:00020950 aErnal:         dc.b 'ERNAL',0
ROM:00020956 aMan:           dc.b 'MAN',0            ; DATA XREF: ROM:00020AD4o
ROM:0002095A aUal:           dc.b 'UAL',0
ROM:0002095E aInt:           dc.b 'INT',0            ; DATA XREF: ROM:00020A2Co
ROM:0002095E                                         ; ROM:00020AD0o
ROM:00020962 aErnal_0:       dc.b 'ERNAL',0

Are any of these not documented?

casinada · « **Reply #14 on:** April 02, 2014, 07:07:14 am »

Some parts are inexpensive but the eeprom direct from Agilent not much @ $31.39

http://www.home.agilent.com/myagilent/faces/partDetail.jspx?partNumber=1818-4808&imageStatus=YES&_afrLoop=31022653359000&_afrWindowMode=0&_afrWindowId=dm2v73fle_19#%40%3F_afrWindowId%3Ddm2v73fle_19%26_afrLoop%3D31022653359000%26imageStatus%3DYES%26partNumber%3D1818-4808%26_afrWindowMode%3D0%26_adf.ctrl-state%3Ddm2v73fle_40

The Eproms are cheaper around $21 and probably have the newest firmware.

Nermash · « **Reply #15 on:** April 02, 2014, 07:28:08 am »

Quote from: Hugoneus on April 02, 2014, 03:33:14 am

After further search, I also found that someone had posted a firmware upgrade of the unit as a BIN file which can be downloaded to an EEPROM inside the unit. (Not through GPIB).

I have attached that BIN file here.

Hmm, probably speaking out my arse,but have you tried to program this bin file to your unit? Maybe it is already enabled with opt 1 and just needs to be executed?

alex.forencich · « **Reply #16 on:** April 02, 2014, 07:50:39 am »

Here is the code that sets the flags in NVRAM to enable or disable the options. Now, all that is left is to figure out how to call this, and what args it needs to enable both options:

Code: [Select]

ROM:00016710
ROM:00016710 ; =============== S U B R O U T I N E =======================================
ROM:00016710
ROM:00016710 ; Attributes: bp-based frame
ROM:00016710
ROM:00016710 set_opts:                               ; CODE XREF: sub_1886A+Ap
ROM:00016710
ROM:00016710 var_44          = -$44
ROM:00016710 var_38          = -$38
ROM:00016710 var_30          = -$30
ROM:00016710 var_2E          = -$2E
ROM:00016710 var_26          = -$26
ROM:00016710 var_24          = -$24
ROM:00016710 var_20          = -$20
ROM:00016710
ROM:00016710                 link        a6,#-$44
ROM:00016714                 movem.l     d2-d4/a2-a4,-(sp)
ROM:00016718                 movea.l     #$47FA,a2
ROM:0001671E                 movea.l     #$FFD978,a3
ROM:00016724                 movea.l     #$15D2,a4
ROM:0001672A                 jsr         (get_serial_str).l
ROM:00016730                 move.l      d0,-(sp)
ROM:00016732                 pea         var_44(a6)
ROM:00016736                 jsr         (sub_15FA).l
ROM:0001673C                 addq.l      #8,sp
ROM:0001673E                 moveq       #0,d4
ROM:00016740                 moveq       #0,d2
ROM:00016742
ROM:00016742 loc_16742:                              ; CODE XREF: set_opts+40j
ROM:00016742                 move.l      d2,d0
ROM:00016744                 lsl.l       #2,d0
ROM:00016746                 clr.l       var_20(a6,d0.l)
ROM:0001674A                 addq.l      #1,d2
ROM:0001674C                 move.l      d2,d0
ROM:0001674E                 subq.l      #8,d0
ROM:00016750                 blt.s       loc_16742
ROM:00016752                 moveq       #0,d2
ROM:00016754
ROM:00016754 loc_16754:                              ; CODE XREF: set_opts+90j
ROM:00016754                 move.b      var_44(a6,d2.l),d0
ROM:00016758                 ext.w       d0
ROM:0001675A                 ext.l       d0
ROM:0001675C                 move.l      d2,d1
ROM:0001675E                 jsr         sub_344A
ROM:00016762                 lea         (off_28).w,a1
ROM:00016766                 movea.l     d0,a0
ROM:00016768                 jsr         sub_34DC
ROM:0001676C                 move.l      d0,d4
ROM:0001676E                 moveq       #0,d3
ROM:00016770
ROM:00016770 loc_16770:                              ; CODE XREF: set_opts+88j
ROM:00016770                 movea.l     d4,a0
ROM:00016772                 addq.l      #1,d4
ROM:00016774                 lea         (off_28).w,a1
ROM:00016778                 jsr         sub_34DC
ROM:0001677C                 movea.l     #aYhpKobeInstrum,a0 ; "YHP Kobe-Instrument-Division HP4263A.  "...
ROM:00016782                 move.b      (a0,d0.l),d1
ROM:00016786                 ext.w       d1
ROM:00016788                 ext.l       d1
ROM:0001678A                 move.l      d3,d0
ROM:0001678C                 lsl.l       #2,d0
ROM:0001678E                 add.l       d1,var_20(a6,d0.l)
ROM:00016792                 addq.l      #1,d3
ROM:00016794                 move.l      d3,d0
ROM:00016796                 subq.l      #8,d0
ROM:00016798                 blt.s       loc_16770
ROM:0001679A                 addq.l      #1,d2
ROM:0001679C                 moveq       #$A,d0
ROM:0001679E                 cmp.l       d0,d2
ROM:000167A0                 blt.s       loc_16754
ROM:000167A2                 moveq       #0,d2
ROM:000167A4
ROM:000167A4 loc_167A4:                              ; CODE XREF: set_opts+B2j
ROM:000167A4                 move.l      d2,d0
ROM:000167A6                 lsl.l       #2,d0
ROM:000167A8                 movea.l     var_20(a6,d0.l),a0
ROM:000167AC                 lea         ($5F).w,a1
ROM:000167B0                 jsr         sub_34DC
ROM:000167B4                 addi.b      #$20,d0 ; ' '
ROM:000167B8                 move.b      d0,var_38(a6,d2.l)
ROM:000167BC                 addq.l      #1,d2
ROM:000167BE                 move.l      d2,d0
ROM:000167C0                 subq.l      #8,d0
ROM:000167C2                 blt.s       loc_167A4
ROM:000167C4                 clr.b       var_30(a6)
ROM:000167C8                 move.w      #8,-(sp)
ROM:000167CC                 pea         var_2E(a6)
ROM:000167D0                 move.l      #$1E0044,-(sp)
ROM:000167D6                 jsr         (a2)
ROM:000167D8                 clr.b       var_26(a6)
ROM:000167DC                 pea         var_2E(a6)
ROM:000167E0                 pea         var_38(a6)
ROM:000167E4                 jsr         (a4)
ROM:000167E6                 lea         $12(sp),sp
ROM:000167EA                 tst.l       d0
ROM:000167EC                 beq.s       loc_167F2
ROM:000167EE
ROM:000167EE loc_167EE:                              ; CODE XREF: set_opts+104j
ROM:000167EE                 clr.w       (a3)
ROM:000167F0                 bra.s       loc_1681A
ROM:000167F2 ; ---------------------------------------------------------------------------
ROM:000167F2
ROM:000167F2 loc_167F2:                              ; CODE XREF: set_opts+DCj
ROM:000167F2                 move.w      #4,-(sp)
ROM:000167F6                 pea         var_24(a6)
ROM:000167FA                 move.l      #$1E003C,-(sp)
ROM:00016800                 jsr         (a2)
ROM:00016802                 pea         (a001).l    ; "001"
ROM:00016808                 pea         var_24(a6)
ROM:0001680C                 jsr         (a4)
ROM:0001680E                 lea         $12(sp),sp
ROM:00016812                 tst.l       d0
ROM:00016814                 bne.s       loc_167EE
ROM:00016816                 move.w      #1,(a3)
ROM:0001681A
ROM:0001681A loc_1681A:                              ; CODE XREF: set_opts+E0j
ROM:0001681A                 move.w      #4,-(sp)
ROM:0001681E                 pea         var_24(a6)
ROM:00016822                 move.l      #$1E0054,-(sp)
ROM:00016828                 jsr         (a2)
ROM:0001682A                 pea         (a002).l    ; "002"
ROM:00016830                 pea         var_24(a6)
ROM:00016834                 jsr         (a4)
ROM:00016836                 lea         $12(sp),sp
ROM:0001683A                 tst.l       d0
ROM:0001683C                 beq.s       loc_16844
ROM:0001683E                 clr.w       ($FFFFD97A).w
ROM:00016842                 bra.s       loc_1684A
ROM:00016844 ; ---------------------------------------------------------------------------
ROM:00016844
ROM:00016844 loc_16844:                              ; CODE XREF: set_opts+12Cj
ROM:00016844                 move.w      #1,($FFFFD97A).w
ROM:0001684A
ROM:0001684A loc_1684A:                              ; CODE XREF: set_opts+132j
ROM:0001684A                 movem.l     (sp)+,d2-d4/a2-a4
ROM:0001684E                 unlk        a6
ROM:00016850                 rts
ROM:00016850 ; End of function set_opts

free_electron · « **Reply #17 on:** April 02, 2014, 09:18:12 am »

The flags are stored in the 28c64.
The original software for the mod ran on an hp9000 workstation. It needs the serial number of the machine also stored in the 28c64. Hp gives you a 'key'. You need to call them with the serial of your machine. Just having the HP9000 software doesn't do anything. The software reads the serial, you type in the key , and it then sends a magic packet over gpib which gets written in the eeprom.
It sets two markers as ascii text and 6 hex numbers.

I have the 28c64 image for a machine with both enabled. There are two checksums.
Essentially the 28c64 is partitioned in options and calibration data. Each block has its own checksum.
Simply copying the entire 28c64 destroys your calibration data...
Copying the options block from one to another retains the cal data but alters the serial and the options.

The layout of the 28c64 is identical irrespective of firmware option. I have ROM binaries for all firmware of these machines. Standard 68k reverse byte image.

The references you see to YhP is yokogawa. The 4263 is a yokogawa design in partnership with hp.

alex.forencich · « **Reply #18 on:** April 02, 2014, 09:39:16 am »

That's very interesting. It looks like that function I located must be involved in reading out the option string from the 28C64 and setting the option flags in RAM. As far as I can tell, it is only run once on power-up. Well, that function might give some insight into what needs to be written into the 28C64.

TiN · « **Reply #19 on:** April 02, 2014, 09:54:19 am »

Quote

I also have a 4263A that DOES have option 001.

Can read EEPROM from it too?

16-bit checksums are stored:

* locations 0xFFE and 0xFFF for calibration data (from 0x80 to 0xFFD)
* locations 0x1EFE and 0x1EFF for some other data (from 0x1A00 to 0x1EFD)
* locations 0x1F00 to 0x1FEE for some other small data (from 0x1F00 to 0x1FED)

I have UV lamp, so can try to toss two second blocks from 4263A into my ROM and see what happens...

Quote

I also have to add that Agilent is actually giving away OPT 001/002 with this unit now.

Only if you buy new LCR from them.
They don't offer free options if you already have unit, I contacted them before.

free_electron · « **Reply #20 on:** April 02, 2014, 10:10:51 am »

Hold it ! A firmware is incompatible with b firmware !
Do not run b firmware on an a or vice versa ! The display logic is completely different !
The motherboards of an a and b are the same. The processor boards not !

TiN · « **Reply #21 on:** April 02, 2014, 11:40:22 am »

That's obvious, no need to even try to see that..

Segmented LCD on A.

HD44780 40x2 char LCD on B.

Holding would not help topic any good either, we trying to find out data mapping and proper bitfields, not flashing stuff blind on non-compatible gear.
After all maybe someone have bricked 4263A, so data could help someone even disregarding 4263B bridge being discussed here.

Hugoneus · « **Reply #22 on:** April 02, 2014, 02:10:04 pm »

Quote from: free_electron on April 02, 2014, 10:10:51 am

Hold it ! A firmware is incompatible with b firmware !
Do not run b firmware on an a or vice versa ! The display logic is completely different !
The motherboards of an a and b are the same. The processor boards not !

Thank you for your input, I appreciate it.

So what you are saying is that if I program the unit with the new Firmware V1.06, I will lose all calibration data? So I can't even flash it without losing that?

free_electron · « **Reply #23 on:** April 02, 2014, 03:31:57 pm »

Firmware is separate from caldata

the 27C1024 is a standard UV erasable EPROM. that holds the firmware.
the 28C64 is an EEPROM , that holds the cal data , the serial number and the lockbits.

attached the rom and eeprom images
fw 1.02 and 1.06 are in there as well as eeprom images of a machine without options, one with option 001 and one with both 001 and 002.
you figure it out

i mistakingly called the file 4264 but it is for a 4263B

i also uploaded an eeprom image for a 4263A with option oo1

i have both A and B machines. my A has a dead adc. i have the Asahi-Kasei chip , just need to find time installing the damn thing.

the files are standard binary files . these are readable by any device programmer. (i use a Hilo All11 or a dataman 48LV)

it is important that the EEProm is a 28C64 and not a 2864 . the C version has different timing and the machine crashes if that is used. Try to get either an original Xicor or an EXEL. others are unknown … if you can't find the 27c1024 : i have lots of those and can write them with the firmware.

Hugoneus · « **Reply #24 on:** April 02, 2014, 04:46:58 pm »

Quote from: free_electron on April 02, 2014, 03:31:57 pm

...

free_electron, thank you. You are great.

So just to make sure I understand:

The UV EPROM AT27C1024 can be erased and loaded with firmware 1.06. This changes nothing but to get the latest firmware. All the option information and calibration data are not stored in this chip.

The 28C64 which stores the calibration data and option unlock is what we need to focus on. One option would be to replicate ONLY the option portion into another 28C64. But that would mean you would lose your serial number. If one doesn't care about that, is there an issue to do this?

Also, thanks to everyone else for participating!

free_electron · « **Reply #25 on:** April 02, 2014, 06:39:41 pm »

correct.

i can tell you exactly what fields need modifying in the eeprom. i got it written down. just need ot find the damn notebook.

Hugoneus · « **Reply #26 on:** April 02, 2014, 07:34:12 pm »

Quote from: free_electron on April 02, 2014, 06:39:41 pm

correct.
i can tell you exactly what fields need modifying in the eeprom. i got it written down. just need ot find the damn notebook.

That would be even better!

vaualbus · « **Reply #27 on:** April 02, 2014, 10:11:10 pm »

So but for the hack you need to send some gpib command or just to repropgram the nvram?
There have to be a way to enable the option using either the gpib or some internal debug port. Of course than we should know the commands to do that.

TiN · « **Reply #28 on:** April 03, 2014, 04:18:42 am »

Quote from: free_electron on April 02, 2014, 03:31:57 pm

attached the rom and eeprom images
fw 1.02 and 1.06 are in there as well as eeprom images of a machine without options, one with option 001 and one with both 001 and 002.
you figure it out
i also uploaded an eeprom image for a 4263A with option oo1

Thank you a lot.

I played a little with WinHEX, made a template for easier modification, based on mine EEPROM dump and free_electron's

4263B, no option:

another one, no option (this one is corrupted, just a header in there, which is enough):

4263B, option 001:

4263B, option 001 + option 002:

4263A, option 001.

A have some extra data, lookling like presets or profiles, as it's repetitive pieces of data with own checksums.

And WinHEX template files:

TPL-file for 4263A and for 4263B.
Works fine with registered WinHEX 15.6

* Seem like something important stored in 7 bytes at offset 0x23. This block always there with optioned devices, but blank FF's in stock. Maybe some serial number to option tie?
* And second byte on block at offset 0x1F00 is 0x11 on optioned devices, but 0x12 on stock.

Rest seem to be irrelevant.

Also added Firmware changelog history, easily googlable from Agilent.

TiN · « **Reply #29 on:** April 03, 2014, 12:53:10 pm »

Now erasing firmware ROM, to programm 1.06

Thanks Vincent!

EDIT: Firmware updated to 1.06, all works fine.

I'll post details tomorrow, as it's already 1:12am here.

amiq · « **Reply #30 on:** April 07, 2014, 02:53:15 am »

Quote from: free_electron on April 02, 2014, 03:31:57 pm

i have both A and B machines. my A has a dead adc. i have the Asahi-Kasei chip , just need to find time installing the damn thing.

I'll be interested to hear if that fixes your unit. I acquired a supposedly working A unit which displayed the ADC Error message. I swapped out the ADC but that didn't fix it. I've still to get this unit working, but it looks like a fault in the CPU/ADC interface rather than the ADC.

vaualbus · « **Reply #31 on:** April 08, 2014, 06:57:10 pm »

Hey have you successfully enabled the options?

merox · « **Reply #32 on:** April 13, 2014, 05:58:21 pm »

What kind of program was stored on that floppy? Was it coded in HP Basic? I'd love to have a look at the program, even if it is SECUREd...

free_electron · « **Reply #33 on:** April 13, 2014, 06:46:59 pm »

Quote from: merox on April 13, 2014, 05:58:21 pm

What kind of program was stored on that floppy? Was it coded in HP Basic? I'd love to have a look at the program, even if it is SECUREd...

no it's a compiled binary for hp-ux. it asks serial number of the machine and the key provided by agilent. it then does something and sends a packet over gpib. the machine verifies the packet and if matched it sets the appropriate flag in eeprom

so part of the lock is in the program , part in the machine. the 'key' is serial number + a unique magic number related to the serial number. agilent knows the formula to generate a matching magic number for your serial.

the program ran only on 9000/300 series computers.

merox · « **Reply #34 on:** April 13, 2014, 07:02:07 pm »

Quote from: free_electron on April 13, 2014, 06:46:59 pm

no it's a compiled binary for hp-ux

Damn, i guess simple (SECUREd) HP Basic would have been just too easy.

Hugoneus · « **Reply #35 on:** April 16, 2014, 02:53:09 pm »

Quote from: merox on April 13, 2014, 07:02:07 pm

Quote from: free_electron on April 13, 2014, 06:46:59 pm
no it's a compiled binary for hp-ux

Damn, i guess simple (SECUREd) HP Basic would have been just too easy.

I just gave up on my serial number and copied the important section over to the EEPROM. That did the trick. Thank for everyone's contribution. I kept the original EEPROM data so I can revert back.

engiadina · « **Reply #36 on:** July 02, 2015, 01:04:14 pm »

I recently scored a 4263B labeled Agilent with no Options.

When looking into the EEPROM contents I found some difference to the shown contents here. This data block named "unknown block 1" seems to be some sort of key, as it is blank (containig FF) in those devices having no options activated. All other instruments have some date in there.

My EEPROM actually had some data in that space but no options installed. So I just edited the ASCII-Strings from 000 to 001 and 002 and tested again ... voila. Option 001 and 002 are activated. Maybe the more recent models had some universal keys set there.

I am posting the contents of my EEPROM here, maybe someone can test if that key activates the options without sacrifying the serial number.

pag · « **Reply #37 on:** July 08, 2015, 03:38:48 am »

Quote from: free_electron on April 02, 2014, 06:39:41 pm

correct.

i can tell you exactly what fields need modifying in the eeprom. i got it written down. just need ot find the damn notebook.

I picked up an A model missing option 1. The serial number is not far from the example A EEPROM dump and I made up an EEPROM with the example's serial number, the 7 special bytes, and checked the 11/12 near the end (mine was already 11).

Unfortunately this hasn't had any effect and still no option 1.

Did I miss something?

Peter

nfmax · « **Reply #38 on:** May 21, 2018, 08:41:23 pm »

Recently I picked up a late-model (Agilent branded) 4263B in immaculate condition, but with no options. This unit had the EEPROM byte at 0x1f01 already set to 0x11, but the bytes between 0x0021 and 0x0029 were all 0x00. I found I could enable option 002 by setting the byte at 0x002c to 0x32 ('2'). However, setting the byte at 0x0020 to 0x31 ('1') did not enable option 001 (though it didn't give any errors). Both these bytes were originally 0x00.

I can now select 20kHz test frequency, but the unit is out of calibration at that frequency (spot on on all the others, as far as I can tell). The date in the EEPROM is 15th July 2005; the date of last calibration was 4th February 2011.

Miek · « **Reply #39 on:** September 01, 2022, 11:12:26 am »

I did a bit of reverse engineering on the un-swapped firmware posted above and found out what the Unknown Block 1 is for the 4263B.
It is a sort of key/hash based on the serial number, it actually starts at 0x22, and if it's not set correctly then the instrument won't recognise option 001 being enabled.

Here's the function doing the checking:

and here's a python implementation of the "hash" function:

Code: [Select]

$ cat 4263b_hash.py
#!/usr/bin/env python
import sys

if len(sys.argv) < 2:
	print(f"Usage: {sys.argv[0]} <serial_number>")
	sys.exit(1)

sn = bytes(sys.argv[1], "ascii")
yhp = b"YHP Kobe-Instrument-Division HP4263A.   "

result = [0] * 8

for i, c in enumerate(sn):
	u1 = (c * i) % 0x28
	for j in range(len(result)):
			u2 = (u1 % 0x28)
			result[j] += yhp[u2]
			u1 += 1

result = " ".join(hex((x % 0x5f) + 0x20) for x in result)
print(f"Hash: {result}")

$ ./4362b_hash.py MY40103309
Hash: 0x6f 0x42 0x29 0x74 0x5f 0x3f 0x6a 0x4c

$ ./4362b_hash.py MY40102817
Hash: 0x4c 0x52 0x24 0x37 0x24 0x40 0x61 0x62

tv84 · « **Reply #40 on:** September 01, 2022, 08:44:24 pm »

Miek,

Nice work!

What about the GPIB command syntax, for those devices that don't have the key already in, did you find anything?

Miek · « **Reply #41 on:** September 02, 2022, 02:47:20 am »

Quote from: tv84 on September 01, 2022, 08:44:24 pm

Miek,

Nice work!

What about the GPIB command syntax, for those devices that don't have the key already in, did you find anything?

Thanks!

Unfortunately, I couldn't see any dedicated command like there was in the E4916A.

However, there are some commands to peek/poke at memory directly. Under "TEST:MEMory" there's "ADDRess", "LONG", "REAL", "REGister", and "WORD".
"TEST:MEM:ADDR" seems to set the address for a subsequent long/real/word read or write, and the address auto-increments after the read/write. REGister seems to be some special case that I'm not sure about yet.

The EEPROM space is mapped starting at 0x1e0000, but the low bit is unused so you have to shift any real EEPROM address left by one. So, the hash block appears at 0x1e0044 for example (not 0x1e0022).
In theory, running the following would read out the hash block (I don't think the scpi parser takes hex):

Code: [Select]

:TEST:MEM:ADDR 1966148
:TEST:MEM:LONG?
:TEST:MEM:LONG?

If there's someone who's up for experimenting a bit and is set up to backup/restore their unit, we could probably figure out how to set the options and write the hash all over GPIB.

gamalot · « **Reply #42 on:** September 02, 2022, 12:38:04 pm »

Quote from: Miek on September 02, 2022, 02:47:20 am

Quote from: tv84 on September 01, 2022, 08:44:24 pm
Miek,

Nice work!

What about the GPIB command syntax, for those devices that don't have the key already in, did you find anything?

Thanks!

Unfortunately, I couldn't see any dedicated command like there was in the E4916A.

However, there are some commands to peek/poke at memory directly. Under "TEST:MEMory" there's "ADDRess", "LONG", "REAL", "REGister", and "WORD".
"TEST:MEM:ADDR" seems to set the address for a subsequent long/real/word read or write, and the address auto-increments after the read/write. REGister seems to be some special case that I'm not sure about yet.

The EEPROM space is mapped starting at 0x1e0000, but the low bit is unused so you have to shift any real EEPROM address left by one. So, the hash block appears at 0x1e0044 for example (not 0x1e0022).
In theory, running the following would read out the hash block (I don't think the scpi parser takes hex):
Code: [Select]
:TEST:MEM:ADDR 1966148 :TEST:MEM:LONG? :TEST:MEM:LONG?
If there's someone who's up for experimenting a bit and is set up to backup/restore their unit, we could probably figure out how to set the options and write the hash all over GPIB.

it's me again!

Unfortunately I don't have a 4263A/B, but I have a 4338B. I can confirm that the SCPI commands you found can indeed read the contents of the EEPROM, and the results they return are the same as what I read with the programmer.

My 4338B thread/

nfmax · « **Reply #43 on:** September 02, 2022, 02:48:07 pm »

I have a 4263B, s/n MY40103486

. As I related above, I was able to activate option 002 by writing the appropriate bytes into the EEPROM, which I removed for the job. I have a full dump I took at the time while the EEPROM was in the programmer, although the instrument has been recalibrated since. So, I proceed with caution...

Using the proposed :TEST:MEM: commands, I am able to dump the EEPROM as described, and the contents mostly match what I see in the dump file, except that the original (factory calibration?) date '15/Jul/2005' at offset 0x12 is now changed to '07/Jan/2019', which is the date on the certificate of calibration I got back from Keysight.

I think I need to write a short script to dump the entire EEPROM, including the calibration data, before going any further. It may be a little while before I can do this, though.

I would expect that if :TEST:MEM:LONG? reads a longword at the current address, :TEST:MEM:LONG 123456 would be the command to write a longword. Is anyone in a position to confirm this?

gamalot · « **Reply #44 on:** September 02, 2022, 02:54:16 pm »

Quote from: nfmax on September 02, 2022, 02:48:07 pm

I have a 4263B, s/n MY40103486 . As I related above, I was able to activate option 002 by writing the appropriate bytes into the EEPROM, which I removed for the job. I have a full dump I took at the time while the EEPROM was in the programmer, although the instrument has been recalibrated since. So, I proceed with caution...

Using the proposed :TEST:MEM: commands, I am able to dump the EEPROM as described, and the contents mostly match what I see in the dump file, except that the original (factory calibration?) date '15/Jul/2005' at offset 0x12 is now changed to '07/Jan/2019', which is the date on the certificate of calibration I got back from Keysight.

I think I need to write a short script to dump the entire EEPROM, including the calibration data, before going any further. It may be a little while before I can do this, though.

I would expect that if :TEST:MEM:LONG? reads a longword at the current address, :TEST:MEM:LONG 123456 would be the command to write a longword. Is anyone in a position to confirm this?

It's works on my 4338B, both reading and writing.

nfmax · « **Reply #45 on:** September 03, 2022, 03:08:15 pm »

SUCCESS!!!

I used @Miek's Python script to generate the hash for my instrument's serial number:

Code: [Select]

(base) byrd:test max$ ./4263B_hash.py MY40103486
Hash: 0x21 0x44 0x56 0x41 0x28 0x56 0x73 0x67

I then programmed 4 longwords, starting at offset 0x020. This is actual address 0x1e0040 because of the last address bit fiddle described. In decimal, this is 1966144.

The three longwords are made up of:

Code: [Select]

0:  0x31   0x00  hash0  hash1
1: hash2  hash3  hash4  hash5
2: hash6  hash7   0x30   0x30

The first byte in word 0 is the ASCII '1' character that enables the option, the second byte is what I originally read from the EEPROM. The last two bytes in word 2 are the leading zeros in the code for option 2, which I enabled back in 2018.

The actual commands I sent, using Interactive IO from the Keysight IO library suite, were:

Code: [Select]

:TEST:MEM:ADDR 1966144
:TEST:MEM:LONG 822092100
:TEST:MEM:LONG 1447110742
:TEST:MEM:LONG 1936142384

I read the same addresses back, using the commands:

Code: [Select]

:TEST:MEM:ADDR 1966144
:TEST:MEM:LONG?
:TEST:MEM:LONG?
:TEST:MEM:LONG?

and verified the contents had changed as expected. I took a deep breath and power-cycled the instrument - and option 001 was there! The extra measurements appear on the menus as expected. Not having a transformer test fixture, I am not able to verify their function yet.

I have a copy of the original installation note for end-user installation of this option. Importantly, this does NOT say that the unit needs to be recalibrated after enabling the option (it does for option 002, though obviously only at the 20kHz setting. In my case, only the lowest capacitance ranges were out of spec before adjustment. Looking elsewhere in the dump file, I can see there are 'new' calibration factors, which look like doubles, in many places. For example, at offset 0x3f0, 0x3f80000000000000 has become 0x3f800019bc0c8cc3.)

I think @Miek qualifies for the hacker's Golden Pizza award for this - well done!

RolandK · « **Reply #46 on:** September 03, 2022, 10:53:22 pm »

You don't need the special adapter.

The connection scheme is described in the AN1305-3 Effective Transformer LF Coil Testing 5967-5377. Figure 2 is wrong, L2 should be connected to the low side of Lpot/Lcur, too.

The not so simple procedure is described in the user manual in Chapter 3 at the end. The Adapter shorts Lcur and Lpot, what you should do without it, too.

The only other thing the adapter does is to swap the high side of L1 and L2 with a switch between Hcur and Hpot.

Just checked the function with a 12V transfomer. It calculated to be 16V, which seems plausible, as without load the voltage is higher.

Did anybody get the 20 kHz range calibrated without the hp software?

metebalci · « **Reply #47 on:** March 13, 2023, 08:56:44 am »

Something tiny to add. All the EEPROM images I looked (on the repo linked here etc.), the address 0x30 contains:

Code: [Select]

2E 30 30 00 FF FF FF FF
My 4263B (no options, 1.06) contains:

Code: [Select]

2E 30 30 00 00 FF FF FF
There is a 00 instead of FF at 0x34. I was thinking maybe I messed up something but then I realized @engiadina 's firmware posted in this thread is the same.

Hugoneus · « **Reply #48 on:** March 15, 2023, 02:35:20 pm »

Amazing information. I changed the name of the thread so others can find it easier.

TERRA Operative · « **Reply #49 on:** March 06, 2024, 11:01:58 am »

I just bought one of these instruments, and with a bit of help I added to the code posted above by @Miek to provide an output that can be directly cut and paste into the GPIB comms software as detailed by @nfmax.

I'll try it when my unit arrives and report back.

What would be cool is to use PyVISA to automatically communicate with the instrument, grab the serial number (and back up the existing memory contents), then with a click of the button, generate the unlock values and write them back.
Might be a good excuse for me to finally learn a bit of Python.....

Code: [Select]


import sys

serial = sys.stdin.readline().strip()

if not serial:
    print(f"Usage: {sys.argv[0]} <serial_number>")
    sys.exit(1)

sn = bytes(serial, "ascii")
yhp = b"YHP Kobe-Instrument-Division HP4263A.   "

result = [0] * 8

for i, c in enumerate(sn):
    u1 = (c * i) % 0x28
    for j in range(len(result)):
        u2 = (u1 % 0x28)
        result[j] += yhp[u2]
        u1 += 1

result = [(x % 0x5f) + 0x20 for x in result]

# Insert fixed values
result.insert(0, 0x31)  # 1st byte
result.insert(1, 0x00)  # 2nd byte
result.append(0x30)  # Last 2 bytes
result.append(0x30)

# Convert each group of 4 bytes to a long unsigned integer
long_integers = [
    (result[0] << 24) + (result[1] << 16) + (result[2] << 8) + result[3],
    (result[4] << 24) + (result[5] << 16) + (result[6] << 8) + result[7],
    (result[8] << 24) + (result[9] << 16) + (result[10] << 8) + result[11],
]

print (':TEST:MEM:ADDR 1966144')

for i, value in enumerate(long_integers):
    print(':TEST:MEM:LONG 'f"{value}")

TERRA Operative · « **Reply #50 on:** March 10, 2024, 01:42:50 pm »

Alrighty, I've written my first real Python script.

Install Python and PyVISA, then your choice of Keysight IO Libraries Suite (if using a HPAK USP-GPIB adapter) or National Instruments NI-488.2 software if using an NI GPIB-USB-HS, or whatever respective drivers you need for your GPIB adapter.

It will automatically find and communicate with your 4263B to read the serial number, firmware number, and check if the options are already enabled. (for good measure it'll also tell you if your firmware is out of date).
If you don't have both options enabled, it'll reset the unit and then run self tests to make sure it is all ok (and tell you what errors it finds, if any).
Then it'll generate the option codes, write them into the instrument and finally it will verify the written data.

Once you reboot your instrument, it's all good to go. It's as easy as it could possibly be. It's literally as simple as running the script and letting it do all the work.

I have tested it under Windows 10 using an Agilent 83257B USB-GPIB adapter with the Keysight IO Libraries Suite installed, and also a National Instruments GPIB-USB-HS adapter with the NI libraries installed and it works perfectly on both. It should work on any GPIB interfaces that PyVISA supports, let me know how you go with your setup.
(I found the Keysight software 'just works' a bit better with it's auto discovery of connected devices, but once the NI software can see the instrument, it's smooth sailing).

Special thanks to Miek for reverse engineering the checksum magic, and nfmax for providing the commands to read and write to memory!

Let me know what you think and suggestions for improvements and bugfixes etc.


EEVblog Main Site	EEVblog on Youtube	EEVblog on Twitter	EEVblog on Facebook	EEVblog on Odysee

Author Topic: Hacking the Agilent 4263B LCR Meter! (Read 19354 times)

Share me