Any word on publishing the format of the cal data and firmware files - these would be prerequisites for alternative firmware - probably possible to reverse-engineer, though it would be a bit of a pain.
BTW, is a full end-user recalibration possible (this would make reversing the cal data easier if nothing else)?
So, IDA and I have been having a bit of fun over the past week and I now have a perhaps 80% complete IDA database of the 1.02 firmware. I'm hesitant to release it because a) it's not done and b) I don't know what UEI would think. I also can't test a lot of theories because my own meter is not here yet.
Anyway, regarding the format of the firmware file. The CPU is an STM32L152 family Cortex-M3 ARMv7-M processor. I don't know what exact chip it is. If anyone could send me a photo of the exact chip in the meter, I would be grateful. The EEVBlog.bin file is burned into ROM starting at 0x08006000. It has a standard Cortex-M3 vector table at the start, where the first 32 bits are the initial SP and the second are the reset vector (+ 1 because the processor always operates in Thumb-2 mode). This is enough to get it disassembling correctly in IDA, or to start your own firmware once the exact chip is known.
Regarding calibration data, it actually seems possible to load and save the calibration area of the EEPROM to the SD card. As before, I can't test it because I don't have a meter. There is a non-zero chance you could lose all your cal data or start a fire. If you want to try, here is the procedure:
- Boot holding the MEM key, or maybe boot the meter with no keys and quickly press MEM (I'm not entirely sure). Screen will show SdCAL if you did it.
- Press PEAK to load calibration data from SD card (screen shows SdSEt) or REL to save data to card (screen shows SdSAv).
- Press MODE to do it. If successful, screen shows SAvEd. Else, screen shows -Err-.
- Turn off the meter. The data is now in cal.bin on the SD card.
The cal.bin file is a copy of the first 1200 bytes of EEPROM. The first 48 bytes are used for settings, the rest of the 1200 bytes is calibration factors, and the rest of the EEPROM is involved with logging.
A lot of the ranges share factors and there are some I'm not too sure about. The official manual is pretty light on details, and it seems there are other things such as a bonus 50Mohm range calibration and some frequency calibration factors for the AC ranges which are not mentioned. (And what's with 10% for the AC ranges? Is that 10% of full scale as opposed to a dead short?) Fortunately, for most modes and ranges, it is indeed a simple 0 offset and a full-scale gain and I know which ones use which factors. Sadly, I'm not a metrologist, and these areas are heavy on algorithms I don't understand, so I'm having trouble. But I intend on communicating whatever I learn when I do learn it.
And Dave, could you give me an OK/over my dead body on releasing the work?
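
The layout described in the post above, as an added example (not the poster's or UEI's code): it reads the two leading vector-table words of an image loaded at 0x08006000 and splits a 1200-byte cal.bin into its settings and calibration regions. The function names, the SRAM range check (taken from the ARMv7-M memory map, not from the post) and the sample image are assumptions constructed for illustration.

```python
import struct

FLASH_BASE = 0x08006000      # load address of EEVBlog.bin, from the post
CAL_SIZE = 1200              # cal.bin length, from the post
SETTINGS_SIZE = 48           # leading settings bytes, from the post
SRAM_START, SRAM_END = 0x20000000, 0x40000000   # ARMv7-M SRAM region (assumption)

def parse_vector_table(image, base=FLASH_BASE):
    """Decode the initial SP and reset vector and sanity-check both."""
    if len(image) < 8:
        raise ValueError("image too short for a vector table")
    initial_sp, reset_vector = struct.unpack_from("<II", image, 0)
    if not reset_vector & 1:
        raise ValueError("reset vector lacks the Thumb bit")
    handler = reset_vector & ~1          # real code address, Thumb bit cleared
    if not base <= handler < base + len(image):
        raise ValueError("reset handler lies outside the image")
    if not SRAM_START < initial_sp <= SRAM_END or initial_sp % 4:
        raise ValueError("initial SP is not a word-aligned SRAM address")
    return {"initial_sp": initial_sp,
            "reset_handler": handler,
            "file_offset": handler - base}

def split_cal(blob):
    """Split a cal.bin dump into (settings, calibration factors)."""
    if len(blob) != CAL_SIZE:
        raise ValueError(f"expected {CAL_SIZE} bytes, got {len(blob)}")
    return blob[:SETTINGS_SIZE], blob[SETTINGS_SIZE:]

def build_sample_image():
    """Constructed 512-byte image: SP=0x20004000, reset handler at +0x100."""
    image = bytearray(0x200)
    struct.pack_into("<II", image, 0, 0x20004000, (FLASH_BASE + 0x100) | 1)
    return bytes(image)

if __name__ == "__main__":
    info = parse_vector_table(build_sample_image())
    print({k: hex(v) for k, v in info.items()})
    settings, factors = split_cal(bytes(CAL_SIZE))   # constructed all-zero dump
    print(len(settings), len(factors))
```

Checking the length of a cal.bin dump before loading it back gives an early warning that a save was truncated.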