EEVblog #912 - BM235 Multimeter Reverse Engineering

[EEVblog]

What is the main chipset used in the EEVblog BM235 Multimeter?
Dave finds out.

http://www.ic-fortune.com/
http://www.cyrustek.com.tw/
http://www.hycontek.com/
http://www.hycontek.com/attachments/DMM/DS-HY12P65_EN.pdf

[Brumby]

Nice bit of detective work.  Not that you'll be running out to grab the bits to make your own clone - but interesting enough.

I did skip over to check out the possible serial hack video ... and didn't find the LCD segment data protocol too much of a head scratcher.  That was because I had done something similar....

What I put together was a digital scale, a barcode reader and an Arduino clone, so I could weigh a product, scan its barcode and capture the data.  My approach was to monitor the signals driving the LCD segments of the scales and derive the display data from that which gave a weight (including units).  Then, while the item was still on the scales, scan the barcode which triggered the data capture.  The Arduino did all the work - after I had mapped out all the LCD segment signals.  I used the Aurduino as a scope for this.  (One day I might check out the scales to see if there is a less convoluted way to achieve the result ... but, hey, it works as it is...)

Makes me wonder if something similar might be worth a shot here.


I also checked the location of the LED position between the two meters - and (from a still image of the close-up) concur that the centre of the LED position is in the same spot.

[piranha32]

Dave,

nice job tracing the circuit, but I'm not sure if you got the crystal pins right. The datasheet says the pins 15 and 16 are used for the crystal, while on the board the pins 14 and 15 seem to go to the pins of the crystal, and pin 16 goes to a via. Unless the crystal works as a self-running oscillator, this does not make much sense.
So, if this this the Hycon chip, they most likely ordered chip with custom pinout, what would explain the use of the mysterious COM pin.
BTW. OTP Eprom can be erased with an X-ray source

[EEVblog]

nice job tracing the circuit, but I'm not sure if you got the crystal pins right. The datasheet says the pins 15 and 16 are used for the crystal, while on the board the pins 14 and 15 seem to go to the pins of the crystal, and pin 16 goes to a via. Unless the crystal works as a self-running oscillator, this does not make much sense.
So, if this this the Hycon chip, they most likely ordered chip with custom pinout, what would explain the use of the mysterious COM pin.

Yes, I goofed that. It's obviously some close variant, maybe a custom variant for Brymen?

[nomis]

It might be a new chip from hycon that has not yet been released on their website.

Regarding the EEPROMs: typically you need to erase larger chunks of memory to change a single byte (and thus need to rewrite the surrounding content as well). So depending on that specific chips memory layout this might be a huge risk for calibration data.

For the state I'd expect that they don't reuse the same byte every time, but have a rolling scheme: i.e. on first mode change you write to the first byte, then to the 2nd byte, 3rd byte etc. For reading you then use the last "valid" byte (or how many bytes they actually need for their state). Only when your 2k are filled you erase the complete chip and start at the beginning again.

That way you'll get way more than 1000000 write cycles for the state.

Bye,
        Simon

[Fungus]

For the state I'd expect that they don't reuse the same byte every time, but have a rolling scheme: i.e. on first mode change you write to the first byte, then to the 2nd byte, 3rd byte etc. For reading you then use the last "valid" byte (or how many bytes they actually need for their state). Only when your 2k are filled you erase the complete chip and start at the beginning again.

That way you'll get way more than 1000000 write cycles for the state.

"Expect"?

It's a well known technique but there's no reason to think either they did or they didn't.

We know that program memory is tight and adding code to do that might mean they had to drop a feature. Would you rather have a meter with more features or one where you can change the range 10,000,000 times instead of only 1,000,000?

(1,000,000 is probably a very conservative number - lots of people have destructively tested the EEPROM in Arduinos and found it lasts far longer than the datasheet says - maybe 10x longer!)

The proof would be in attaching a 'scope to the chip and looking at the signals.

[EEVblog]

It might be a new chip from hycon that has not yet been released on their website.

Possible. Although they started this design more than 2 years ago.

That way you'll get way more than 1000000 write cycles for the state.

To use up a million writes it would take 274 button pushes per day, every day, for 10 years. Realistically not worth worrying about.

[Dr. Frank]

I scanned through the HYCON manual for the 12P65, and there is no clear explanation, how the digital representation of the A/D is calculated.. anyhow, the output seems to be much more than +/- 5000d, as the polarity, gain selection, Chopper (i.e. Offset) and filter parameters also influence that output data..

As far as I understood, it's up to 3FFFF, this way.
So it's well possible, to have any random resolution in the range of 5000d, which should be the useful magnitude of resolution, and is also related to the usual 5xxx ranges of such DMMs.. all examples are done on that full scale value.   


Concerning the special Bryman marking, that might simply be related to the firmware, as it's most cost effective, that the chip manufacturer already flashes the software during final IC test.

Frank

[jesuscf]

Same chip as in the Master Craft 052-0052-2:

https://www.eevblog.com/forum/testgear/canadian-tire-mastercraft-dmm-new-and-old-revision-teardown/msg653857/#msg653857

In the Master Craft multimeter the chip is branded DTM0660L.  The configuration/calibration EEPROM can be modified to enable all kind of things, like temperature measurements and 8000 counts for example.  In some versions of the firmware the RS232 output can be enabled by just setting a bit in the configuration/calibration EEPROM.  Unfortunately that didn't work with my 052-0052-2.  I wonder if the same can be done to the BM235.  Anybody whiling to post a dump of the U5 IC in the BM235?

[Chipguy]

All the die pictures I have ever seen had additional pads on them that were unused.
I bet it is exactly one of those 2 ICs Dave pointed out but with different pads bonded out.
So they had an additional pin somewhere counterclockwise from the crystal pins and then got these 2 one offset by one pin clockwise.

Someone could decap that Brymen chip and a Hycon chip for comparison

Edit: corrected a typo

[matkar]

(1,000,000 is probably a very conservative number - lots of people have destructively tested the EEPROM in Arduinos and found it lasts far longer than the datasheet says - maybe 10x longer!)

I once tested EEPROM in PIC microcontrollers. It took 13000000 writes for the first error to appear. It needed about 20000000 writes to not be able to write the correct data anymore.

[b_force]

All the die pictures I have ever seen had additional bads on them that were unused.
I bet it is exactly one of those 2 ICs Dave pointed out but with different pads bonded out.
So they had an additional pin somewhere counterclockwise from the crystal pins and then got these 2 one offset by one pin clockwise.

Someone could decap that Brymen chip and a Hycon chip for comparison

I think an X-ray could also do the job?

[Chipguy]

All the die pictures I have ever seen had additional bads on them that were unused.
I bet it is exactly one of those 2 ICs Dave pointed out but with different pads bonded out.
So they had an additional pin somewhere counterclockwise from the crystal pins and then got these 2 one offset by one pin clockwise.

Someone could decap that Brymen chip and a Hycon chip for comparison

I think an X-ray could also do the job?

Yeah I thought the same. X-ray shows the bondwires very good, but not the pads on the chip itself.
But much better than nothing.

Did Mikeelectricstuff get a BM235? He could just X-ray it as it is.

[MBY]

Nice one!

But, as EEVblog homepage is rebuilt, the search doesn't work anymore. You mentioned that you have made a video on the BM235 calibration, but where? In the video list, only two videos of BM235 turns up in the search. And the search on the main page doesn't come up with anything ever. What happened to the verbose in-order list of all videos?

[EEVblog]

What happened to the verbose in-order list of all videos?

https://www.eevblog.com/episodes/

[MBY]

What happened to the verbose in-order list of all videos?

https://www.eevblog.com/episodes/

Thank you! This was lot better than the "FTP style" list in alphabetical order (so 1, 11, 100, etc, is before 2...) I somehow clicked to, rather than this much sensible numerical order.

But I still don't find the calibration of BM234 you mentioned in your last video. The search function does nothing as I can tell. Either a 404 or a "The EEVblog Search Engine (Like Google, but with extra Dave...)" that doesn't yield results on anything... I figure this must be included in another video, but the only other video featuring BM235 I could find is the repair video.

[jaromir]

The video peeking at the Hycon part instruction set rang my bell, so I had to download it and it confirmed my suspicion.

H08A instruction set http://www.hycontek.com/attachments/MSP/APD-CORE002_EN.pdf totally looks like PIC18 instruction set - see overview here http://www.people.okanagan.bc.ca/nkhessal/courses/elen216/PIC18instudtionset.pdf or details in every PIC18F datasheet. The mnemonics are somehow different, but the instructions itself are IMHO the same. Compared to PIC18, there are differences around program memory read operations.
Interesting enough, they have also H08B core http://www.hycontek.com/attachments/MSP/APD-CORE003_EN.pdf looking very similar, though with reduced number of branch instructions - something more like PIC16. http://www.hycontek.com/attachments/MSP/APD-CORE001_EN.pdf

[EEVblog]

https://www.eevblog.com/episodes/

Thank you! This was lot better than the "FTP style" list in alphabetical order (so 1, 11, 100, etc, is before 2...) I somehow clicked to, rather than this much sensible numerical order.

That was a mistake, not sure how it got like that. Menu option now works properly.

But I still don't find the calibration of BM234 you mentioned in your last video. The search function does nothing as I can tell. Either a 404 or a "The EEVblog Search Engine (Like Google, but with extra Dave...)" that doesn't yield results on anything... I figure this must be included in another video, but the only other video featuring BM235 I could find is the repair video.

It's a confusing title: