Help, can I find the calibration method by reading the firmware in reverse?

[daisizhou]

My test analyzer,The manufacturer has stopped providing after-sales support and calibration services,So I can only rely on myself or enthusiastic friends.

I disassembled the motherboard,The main MCU is a NEC D70320L,The main program is stored in M27C1001, and the calibration data is stored in AT28C64B
At present, it is normally used when starting up, but it has not been calibrated for a long time,I only found the video to test it, but didn't find out how to adjust it.
I successfully obtained the internal firmware of M27C1001 and AT28C64B chips, but I don't know how to read it
How do you know how to read firmware? Please tell me, thank you for your help

[pcprogrammer]

Maybe give Ghidra a try. Not sure if it supports the D70320L and if it does it won't be easy and a lot of work to figure it all out.

There are several videos on youtube on how to use Ghidra.

[abyrvalg]

D70320L has Intel 8088 instruction set, there are many disassemblers supporting it (Ghidra mentioned already, IDA Free etc).

[daisizhou]

It's difficult for me.Could you help me? I have learned a little programming knowledge

[alm]

Do you need to adjust it? Just because it has not been adjusted for a long time does not mean it needs adjustment. Even in a commercial setting, just verifying that it's still performing within specifications could be enough to slap a calibration sticker on it. Of course if it needs adjustment, then you'll need to figure out how.

What kind of I/O does this have? Does it have its own front panel? Does it interface with a computer? If it has a computer interface with human-readable commands, and you have software that works with it, then I would start my sniffing the communication using software on the computer side (how depends on the hardware interface). If it looks like human-readable commands, then I would look for commands in the firmware you already dumped using a tool like the strings command.

Reverse engineering the firmware would require quite a lot of effort and would be my last resort. It would probably require at least some hours of work, so I don't think it's fair to ask someone to do it who does not own the equipment and hence would not benefit from it, unless you hire someone to do it.

[pcprogrammer]

alm raised and excellent point with the question if it really is needed.

To do a reverse engineering of the firmware it is also beneficial and sometimes also necessary to do the hardware first. Makeup the schematic of the device to know that the MCU is connected to and how it needs to be controlled.

Only if it is a very small piece of firmware it could be done in maybe a couple of hours, but I suspect it to be way longer. Reverse engineering code is not a simple thing and requires a lot of knowledge and effort to end up with something usable.

[eutectique]

My test analyzer,The manufacturer has stopped providing after-sales support and calibration services,So I can only rely on myself or enthusiastic friends.

I disassembled the motherboard,The main MCU is a NEC D70320L,The main program is stored in M27C1001, and the calibration data is stored in AT28C64B
At present, it is normally used when starting up, but it has not been calibrated for a long time,I only found the video to test it, but didn't find out how to adjust it.
I successfully obtained the internal firmware of M27C1001 and AT28C64B chips, but I don't know how to read it
How do you know how to read firmware? Please tell me, thank you for your help

Gazing into the crystal ball, I see DNI Nevada 454A Electro-Surgical Analyser.

Are you going to use this device to validate real electro-surgical units in a real hospital? Just curious.

[eutectique]

To put this into context, the analyser function is shown at 28:16 mark:

https://youtu.be/qo69ccPkuuY

[daisizhou]

At present, it seems that it works normally and is accurate.I want to know how to adjust it, and also to prepare for future adjustment.
It has a front panel. I found a user manual,It has a 15-pin print interface and a 15-pin serial interface,The old machine does not use the 9-pin serial interface now,In the system menu, I see the information about setting serial baud rate. Of course, you can see it in the user manual.
I haven't found any new clues

https://www.medwrench.com/documents/view/5647/fluke-biomedical-454a-dni-nevada-operators-manual

[daisizhou]

No, maybe it was originally designed for electrosurgery, but now it is a load resistor here.
The power value and current can be displayed internally, and the resistance value can be adjusted arbitrarily

[daisizhou]

Yes, the function is normal. There are still many engineers using it. Maybe they may need to adjust it in the near future

[abyrvalg]

Looks like there is some pretty user-friendly calibration UI saying what signals to apply, what to adjust etc. The hw self-test procedure looks very informative too: for each kind of error it tells IC/pin/voltage to check, i.e.:

Code: [Select]

TC error.    Press ENT key to continue.
DAC1 U30 pin 7 output of -4.8 volts.
2.4 volts on these points: U3 p7, TH4,
         U4 p9 (TC output), and U5 p7.


[daisizhou]

Yes, I also saw such information.But I don't know how to open it,in other words,I didn't find "hotkey" or "prompt connection method". Open the way to read it

[DavidAlfa]

There's no service manual for it?

[daisizhou]

Yes i did not find the service manual,I just found a picture of it,It may be the reason for the paper version, which is not conducive to dissemination

[abyrvalg]

From disassembly it looks like there is some multilevel menu starting with "MAIN MENU" and calibration is one level deeper. Try entering various menus on the instrument (btw, that should be much easier than disassembling the firmware).

Update: indeed, the calibration menu is not accessible from "main menu". To activate it, you need to press ENTER and (or then?) F1 quickly when the instrument says "...SYSTEM INITIALIZING..." during start. Have fun

[daisizhou]

I try to press and hold "ENT" to turn on the power, or press and hold "F1+ENT" to turn on the power, or press "F1" to turn on the power, and after seeing "... SYSTEM INITIALIZING...", I still enter the normal use interface, and there is no calibration interface

[abyrvalg]

Wrong. You need to press them (one by one, I think, press ENT, then press F1) when it already shows “…SYSTEM INITIALIZING…”. The time this message being shown is the key press waiting time.

[daisizhou]

https://youtu.be/pkIlojDQjMA
Is this how I operate when I shoot a video?

[pcprogrammer]

You did not try:

1) power on and wait for message "system initializing" (which seems to be shown immediate")
2) press "ENT".
3) press "F1"

But you have to be quick, because the initialization state does not last long, by the looks of it.

[daisizhou]

"F1" and "ENT" are real physical keys,Press to turn on and leave to turn off

[pcprogrammer]

Yes I know that. Watched your video. By the looks of it "power on" is done with a switch on the back. So what do you not understand from the listed order of events.

Maybe I should have written press and release, because that is what I meant, and probably to most also implied.

[daisizhou]

You mean after the power is turned on,See the screen display "system initialization"，Press "ENT" or "F1" or "ENT+F1" at the fastest speed to observe the response of the system. Is that right?

[pcprogrammer]

No what I mean is, turn it on, then press/release the "ENT" key and then press/release the "F1" key. So in following order, 1, 2, 3. At least that is what I get from what abyrvalg wrote.

[daisizhou]

Very good. I entered the calibration mode smoothly according to your suggestion.I see the "Calibration" menu on the menu,When I press to enter "Calibration", it appears to let me set the time. I also set it, but finally I return.
I will present some other new menus in the video
https://youtu.be/Q-rE7eNqoPc

[daisizhou]

https://youtu.be/Q-rE7eNqoPc
Finally, I entered the calibration mode, but I still don't know how to calibrate.
Some new items appear on the menu. I don't know what they are for

[pcprogrammer]

Since the clock is set, you should use another key to continue with calibration. "ESC" which means escape, brings you back to the previous or main menu. Try the "ENT" key and see what happens.

[abyrvalg]

There should be 5 calibration steps:
- 454a SYSTEM OFFSET CALIBRATION
- 454a THERMAL CONVERTER NULL
- AMP CALIBRATION: GAIN=A
- AMP CALIBRATION: GAIN=C
- AMP CALIBRATION: GAIN=D

For first two it just asks "Make sure amp input voltage is zero. Press any key" and does the rest on it's own.
For AMPs it displays some TARGET and ACTUAL voltages and allows to adjust an offset. The goal is to make ACTUAL matching the TARGET I guess. Perhaps you need to apply real precise voltage matching the TARGET to some input during that.

[daisizhou]

Do I need to buy new AT28C64B and M27C1001 chips? Because I'm worried that I will modify the data incorrectly without knowing it.
Although I have backed up AT28C64B and M27C1001, the initial firmware.
I'm worried about the calibration data being modified incorrectly.
The following video shows me entering the "Hardware" option
https://youtu.be/AydYXA4zk-M

This is a video for further testing--->https://youtu.be/W8a2OTjN2-g

[daisizhou]

Do I need to buy new AT28C64B and M27C1001 chips? Because I'm worried that I will modify the data incorrectly without knowing it.
Because I am not sure whether the calibration data will be modified after pressing "ENT" to enter

[abyrvalg]

You don’t need new chips. M27C1001 content never changes in the system (it requires UV erase and high voltage to reprogram). The calibration will be saved into AT28C64B, but you have a backup already (and a prommer used to read it), so it can be restored at any time.

[daisizhou]

OK, I will try to enter the "Calibration" menu to view, please wait for my video

[daisizhou]

Thanks for your help, I have completed the calibration of the host.
I took a video and hope it can be used as a reference for friends who are still using it.
https://youtu.be/abGKWQjHHTk?si=A_2VoX92oenl3gwu

I want to know how these modules work.
In the system menu "auxiliary",It seems that these modules communicate with the host through a DB15 interface.
If you can find a clue in the firmware please let me know, thanks for your help

manual------>http://frankshospitalworkshop.com/equipment/documents/workshop_equipment/manuals/DNI%20Nevada%20402A%20ESU%20Tester%20-%20User%20manual.pdf