Electronics > Repair

HP 3478A: How to read/write cal SRAM

<< < (5/41) > >>

biot:

--- Quote from: MarkL on April 12, 2017, 09:21:25 pm ---I did look at the ROM image that's available on KO4BB with "strings" and "xxd".  It looks like there's a ROM monitor that can be accessed somehow.  That might provide a path to read/write the NVRAM (U511).

--- End quote ---

Looks like a Forth interpreter in there! Unfortunately I don't have a 3457A either.

However this might be an interesting avenue to figure out the checksum algorithm -- disassemble the 3478A's ROM.

ramon:
Thank you so much to MarkL for this information and to biot for his python script.

I recently bought a cheap 3478a and the first thing I have done is a backup of the calibration RAM using GPIB.

This is the output in case someone is still working on how to find the checksum algorithm and wants to compare (I already tried to compare my calibration data with data from MarkL and Pigrew meters)

0000000: 4f 40 40 40 46 41 41 42 41 4f 4f 40 4d 46 40 40  O@@@FAABAOO@MF@@
0000010: 40 40 45 49 42 41 40 43 45 4e 46 40 40 40 40 40  @@EIBA@CENF@@@@@
0000020: 46 42 41 40 4e 4e 4d 4a 49 49 49 49 49 44 42 41  FBA@NNMJIIIIIDBA
0000030: 4c 4c 40 4b 43 49 49 49 49 49 49 42 40 45 4f 44  LL@KCIIIIIIB@EOD
0000040: 4a 4f 40 40 40 40 40 40 40 40 40 40 40 4f 4f 49  JO@@@@@@@@@@@OOI
0000050: 49 49 45 49 45 42 4d 45 41 4e 4a 4e 49 49 49 49  IIEIEBMEANJNIIII
0000060: 46 48 41 4c 42 4e 42 4a 4e 49 49 49 49 49 46 41  FHALBNBJNIIIIIFA
0000070: 4c 43 4e 45 4a 49 40 40 40 40 40 40 41 4c 42 42  LCNEJI@@@@@@ALBB
0000080: 45 4e 49 40 40 40 40 40 40 41 4c 40 4f 4d 4d 46  ENI@@@@@@AL@OMMF
0000090: 49 49 49 49 49 49 41 4c 41 40 4f 4a 4c 49 49 49  IIIIIIALA@OJLIII
00000a0: 49 49 49 41 4c 40 43 43 4b 46 49 49 49 49 49 49  IIIAL@CCKFIIIIII
00000b0: 40 45 43 45 45 4b 47 40 40 40 44 43 49 43 42 4c  @ECEEKG@@@DCICBL
00000c0: 43 40 4d 4b 40 40 40 40 44 44 43 42 4d 45 4e 4d  C@MK@@@@DDCBMENM
00000d0: 42 40 40 40 40 40 40 40 40 40 40 40 4f 4f 49 49  B@@@@@@@@@@@OOII
00000e0: 49 45 49 45 43 4e 42 4e 44 4a 4c 40 40 40 40 40  IEIECNBNDJL@@@@@
00000f0: 40 40 40 40 40 40 4f 4f 40 40 40 40 40 40 40 40  @@@@@@OO@@@@@@@@


Also python script to convert the code received from GPIB into actual RAM data (each byte substracted by 64 or 40 hex):


--- Code: ---#!/usr/bin/python
from functools import partial
import sys

with open(sys.argv[1], 'r') if len(sys.argv) > 1 else sys.stdin as file:
    for byte in iter(partial(file.read, 1), b''):
        sys.stdout.write(chr(ord(byte)-64))
--- End code ---

Can be used like this:

  $  xxd -r gpibdata |  script.py | xxd -g 1

Note: I have read again the service manual, and now I understand why the did said 'CAUTION: do not send program codes "W" and/or "X" ... these codes can, under certain conditions, uncalibrate the instrument'

MarkL:

--- Quote from: ramon on May 18, 2017, 02:40:57 pm ---Note: I have read again the service manual, and now I understand why the did said 'CAUTION: do not send program codes "W" and/or "X" ... these codes can, under certain conditions, uncalibrate the instrument'

--- End quote ---
Ah, good catch!  I didn't notice that in the manual, but it certainly provided a clue.  In my experimentation I never found any form of the "W" command that would write to memory.  Since they mentioned "W" and "X", it wouldn't have killed them to document those commands and, for that matter, similar cal backup commands for a lot of other equipment.  Tektronix is also quite guilty of hiding such useful commands.

I did the subtraction of 0x40 like this:

  tr '\100-\117' '\000-\017' < caldata | xxd -g1

What I like about Linux... always 100 different ways to do the same thing.

ramon:
Thanks, with 'tr' is much better!

And yes, I also think that they should have provided complete information about those gpib codes. Moreover considering that they didn't put any effort to hide the calibration switch in the front panel.

The calibration procedure needs so many kinds of expensive calibration devices (in AC,DC,ohms, etc...) that it doesn't make any sense to have such easy-to-turn calibration switch in the front panel. How many devices should have been uncalibrated by mistake?. Do they did that on purpose to increase earnings from maintenance services?

Anyway I am very happy with my meter. The schematics are available, and there is a lot of internal information about them.

I downloaded the ROM and tried to simulate the code with one free simulator available at acebus website (8048 version 208). Unfortunately the program only allows to load up to 64KB source code (asm listing) and I cannot fit the whole dissasembled 8K code into the simulator (I removed extra spaces and comments, and I was only able to reduce it to 88K in size).

The 8048 is quite weird: without CMP or SUB instruction, and also with those pages, mb0/mb1 selector, and bit 12 of program counter. I think I will not be able to find how it works. Is there any thread or progress about that? when I use strings on the ROM I cannot get any useful data. I will need to read the schematics more in detail.

MarkL:

--- Quote from: ramon on May 22, 2017, 01:35:55 pm ---...
The 8048 is quite weird: without CMP or SUB instruction, and also with those pages, mb0/mb1 selector, and bit 12 of program counter. I think I will not be able to find how it works. Is there any thread or progress about that? when I use strings on the ROM I cannot get any useful data. I will need to read the schematics more in detail.

--- End quote ---
What are you trying to do?

I think it's going to be difficult to simulate operation of the firmware.  It's very dependent on responses from the hardware.  So, you also have to simulate the hardware, which also means simulating the 8039 in the floating section.

If you're trying to discover the CRC/ECC algorithm, I think you're going to need a logic analyzer attached to a running meter as I described previously.

If you're looking for other hidden commands, the ones that aren't accounted for are: A G I J L O P Q U V Y.  The 3478A is a fairly simple machine, so I wouldn't expect anything else hidden of significance.

Some other discussion of 3478A firmware disassembly is here:

  https://www.eevblog.com/forum/testgear/3478a-cal-ram-readout-idea

And there's also this thread on the 3468A, which is very similar in design:

  https://www.eevblog.com/forum/testgear/hp-3468a-in-continual-resetinit/


Yeah, the 8048 is very limited.  The SUB instruction can be done with the following:

  CPL A
  ADD A, REG
  CPL A

(Courtesy of the MCS-48 Microcomputer User's Manual.)

Navigation

[0] Message Index

[#] Next page

[*] Previous page

There was an error while thanking
Thanking...
Go to full version
Powered by SMFPacks Advanced Attachments Uploader Mod