Author Topic: EEVBlog 121GW Multimeter Firmware Details  (Read 340989 times)

0 Members and 1 Guest are viewing this topic.

Offline tpw_rules

  • Regular Contributor
  • *
  • Posts: 50
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #25 on: January 25, 2018, 11:27:31 pm »
I also tried to read out the option bytes from the cpu.

I'm not sure about these if I did it right. I'll look into them tomorrow with the datasheet to see if they make sense.

This is my first encounter with STM32, I just used AVRs up to now. I'll have to do a lot of reading.

As far as I can tell, you did. Most of the memory should be 0s as it's not actually mapped to anything. The rest of them are two-byte complement pairs. I didn't actually decode them to see what they mean. Page 73 of the reference manual has all the details.

And welcome to ARM! I made that transition a year or so ago and it's great. Everything is more complicated and there's more reading to do, but you get a heck of a lot of cool stuff and power in return.

And also a lot of thanks to Dave and UEi for not setting the readout protection on the STM32! I sincerely hope they don't regret it.

Me too. Thanks also to UEi for not encrypting the firmware and for not using compiler optimizations. That's being extremely nice to hackers :)
 
The following users thanked this post: dcac, Sehsuan

Offline bicycleguy

  • Frequent Contributor
  • **
  • Posts: 265
  • Country: us
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #26 on: January 28, 2018, 02:43:46 am »
I've set up a GitHub repository for future development and information, located here. The wiki on it is free to edit for anyone with a GitHub account. I plan to upload my IDA database tomorrow or so and work on documenting what I've found on the wiki. If you would like to help, please check out the Questions page. I haven't got my meter yet so I can't answer them.

I've got pretty much the entire thing documented in terms of variables and functions. Some algorithms I don't know yet and would like help with. But there's a hell of a lot of information we can use to start our own firmware, which I also hope to do on perhaps a bit of a longer timescale.

And as I mentioned previously, I have some firmwares edited with bugfixes, if anyone would like to test them out?
Looked at your github and am really amazed at all you have figured out and documented.  Looks better documented than most new code!

I have a few questions if you don't mind.  Most are not about the 121GW but about the process.  I've done a lot of micro coding but never decompiling.

1.  Looks like C++ because I see the word 'class' around a lot.  Is this why you commented 'everything is global' ie. the decompiler put all the class object data in one big pile?
2.  Since you have modified firmware already (and tested by Dave somewhere) does that mean you were able to recompile the code.  I don't see how that could happen without all the object definitions, headers ect.  Could you illuminate further.  Is the binary just patched ?  I didn't see any C++ code.

thanks
 

Offline amspire

  • Super Contributor
  • ***
  • Posts: 3802
  • Country: au
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #27 on: January 28, 2018, 03:05:10 am »
Fantastic, I have just cloned your repository.

Ages since I have used a decompiler. Did you rebuild the C++ code from the assembler? That seems to be pretty amazing.
 

Offline tpw_rules

  • Regular Contributor
  • *
  • Posts: 50
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #28 on: January 28, 2018, 03:09:52 am »
Looked at your github and am really amazed at all you have figured out and documented.  Looks better documented than most new code!

Thank you :) I made great use of IDA 6.6 and the Hex-Rays decompiler. It automated all the disassembly and decompilation; my job was going and figuring out what e.g. the function sub_801C504 and variable dword_20003908 did.

1.  Looks like C++ because I see the word 'class' around a lot.  Is this why you commented 'everything is global' ie. the decompiler put all the class object data in one big pile?

Um I'm not sure where you've seen the word 'class'. I did a search of the repo and could not find that word anywhere. What I mean by 'everything is global' is that there are several functions (e.g. meas_ohms_calc_50M_offset(digits, factor)) where all the intermediate variables are stored as globals and only read/written in that function. This makes no sense and I'm pretty sure it can't be caused by the compiler.

2.  Since you have modified firmware already (and tested by Dave somewhere) does that mean you were able to recompile the code.  I don't see how that could happen without all the object definitions, headers ect.  Could you illuminate further.  Is the binary just patched ?  I didn't see any C++ code.

No, I'm not yet able to recompile the code. I do want to have that available so everyone can play with the firmware, but I haven't taken the time to try it, see what's missing, etc. It's definitely possible, but may be a crazy amount of work. And I still would have no way to test it. For now, I just hand-assembled ARM instructions and patched the binary. It's a lot easier because the compiler wasn't very efficient and so space can easily be made for new code.
is the assembly for the bit I patched, and
is it after the patch. You can see I was able to make more efficient use of registers and fit in an extra test, store, and branch that does if (autorange_changed_range) meter_mode_range_change_delay = 0;
 
The following users thanked this post: benst, bicycleguy, Sehsuan

Offline tpw_rules

  • Regular Contributor
  • *
  • Posts: 50
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #29 on: January 28, 2018, 03:11:49 am »
By the way, Dave, if you're reading this, I sent you a PM a couple days ago? I sent an e-mail to dave@eevblog.com as well. It might have got lost in the shuffle.
 
The following users thanked this post: Sehsuan

Offline Brumby

  • Supporter
  • ****
  • Posts: 12281
  • Country: au
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #30 on: January 28, 2018, 11:58:11 am »
For now, I just hand-assembled ARM instructions and patched the binary. It's a lot easier because the compiler wasn't very efficient and so space can easily be made for new code.

It's been a lot of years since I've done that - and it was on a systems module on an IBM mainframe.

Making the change isn't all that difficult - it's knowing that you haven't broken something in doing so that is the challenge.  The decompile would have helped immensely ... I had to do mine from a hex dump.


The big thumbs up comes from doing this without being able to test it on meter.   :-+ Champion stuff.
« Last Edit: January 28, 2018, 12:00:31 pm by Brumby »
 
The following users thanked this post: tpw_rules

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16531
  • Country: 00
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #31 on: January 28, 2018, 03:30:22 pm »
For now, I just hand-assembled ARM instructions and patched the binary. It's a lot easier because the compiler wasn't very efficient and so space can easily be made for new code.

It's been a lot of years since I've done that - and it was on a systems module on an IBM mainframe.

Bonus points for doing it in a EPROM where you can only change 1s to 0s.

(I did that once)
 
The following users thanked this post: tpw_rules

Offline bicycleguy

  • Frequent Contributor
  • **
  • Posts: 265
  • Country: us
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #32 on: January 28, 2018, 06:24:17 pm »
...

1.  Looks like C++ because I see the word 'class' around a lot.  Is this why you commented 'everything is global' ie. the decompiler put all the class object data in one big pile?

Um I'm not sure where you've seen the word 'class'. I did a search of the repo and could not find that word anywhere. What I mean by 'everything is global' is that there are several functions (e.g. meas_ohms_calc_50M_offset(digits, factor)) where all the intermediate variables are stored as globals and only read/written in that function. This makes no sense and I'm pretty sure it can't be caused by the compiler.
|O I'm not sure where I got that from either, probably a brain fart although the vapors are still hanging, sorry.

The top of the 'EEVBlog-102.c':
Code: [Select]
/* This file has been generated by the Hex-Rays decompiler.
   Copyright (c) 2007-2014 Hex-Rays <info@hex-rays.com>
   Detected compiler: GNU C++
*/
I guess this means the GNU C++ compiler was used, not that the code is C++ ?
 

Offline exe

  • Supporter
  • ****
  • Posts: 2557
  • Country: nl
  • self-educated hobbyist
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #33 on: January 30, 2018, 09:16:03 am »
Sorry, I'm a bit late to the party. Is there a version of decompiled sources that could be modified a compiled? Or people directly modify binary code?
 

Offline tpw_rules

  • Regular Contributor
  • *
  • Posts: 50
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #34 on: January 30, 2018, 05:45:59 pm »
Sorry, I'm a bit late to the party. Is there a version of decompiled sources that could be modified a compiled? Or people directly modify binary code?

It would in theory be possible to recompile the source from the decompiler but I don't know how actually feasible it is. I've just been hand-assembling and patching the binary. I would like to see the sources recompiled at some point though.
 

Offline exe

  • Supporter
  • ****
  • Posts: 2557
  • Country: nl
  • self-educated hobbyist
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #35 on: February 01, 2018, 08:26:30 pm »
chefkoch84, thanks for providing decompiled FW. Do you know how to compile it back? I believe this should be possible. Unfortunately, I don't have much experience with ARM (I do software for web-servers). So, I picked some random gcc flags used by CubeMX from one of my old project, gcc still complains. I don't bother with missing main function (I believe it just has a wrong name), but I'm worried about other functions missing. How come they are not present in the code?

I also tried snowman, another ARM decompiler, but it seems it expects and ELF executable, not raw FW binary :(. Too bad, that tool produced a useful result to me. May be it's time to roll a completely new FW written from scratch? I'll try to start with an empty CubeMX project... when time permits. Since now we have schematics it should be relatively easy to create a proof of concept (I'm not talking about correct measurements or display working).

Code: [Select]
arm-none-eabi-gcc -mthumb -mcpu=cortex-m4 -mfpu=fpv4-sp-d16 -mfloat-abi=hard --specs=nosys.specs  ./EEVBlog.c
(.text+0x44): undefined reference to `main'
/tmp/ccgtjcep.o: In function `function_117dc':
EEVBlog.c:(.text+0x21f0a): undefined reference to `unknown_117bc'
/tmp/ccgtjcep.o: In function `function_158ec':
EEVBlog.c:(.text+0x294c4): undefined reference to `unknown_ff696e8c'
EEVBlog.c:(.text+0x299dc): undefined reference to `unknown_ff696ed4'
EEVBlog.c:(.text+0x299e4): undefined reference to `unknown_ff397cfc'
/tmp/ccgtjcep.o: In function `function_16ac0':
EEVBlog.c:(.text+0x367d6): undefined reference to `unknown_fff9a9c0'
EEVBlog.c:(.text+0x36812): undefined reference to `unknown_fff982e8'
/tmp/ccgtjcep.o: In function `function_1a4e8':
EEVBlog.c:(.text+0x43928): undefined reference to `unknown_fff9b7bc'
/tmp/ccgtjcep.o: In function `function_1b872':
EEVBlog.c:(.text+0x48054): undefined reference to `unknown_110c4c'
EEVBlog.c:(.text+0x48060): undefined reference to `unknown_ffe3ac50'
EEVBlog.c:(.text+0x48068): undefined reference to `unknown_fff71c54'
EEVBlog.c:(.text+0x48074): undefined reference to `unknown_ff6b4c58'
EEVBlog.c:(.text+0x4807c): undefined reference to `unknown_ff801c5c'
EEVBlog.c:(.text+0x4809e): undefined reference to `unknown_fff59c60'
/tmp/ccgtjcep.o: In function `function_1beee':
EEVBlog.c:(.text+0x48934): undefined reference to `unknown_1bf4c'
collect2: error: ld returned 1 exit status
 

Offline exe

  • Supporter
  • ****
  • Posts: 2557
  • Country: nl
  • self-educated hobbyist
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #36 on: February 01, 2018, 09:12:07 pm »
I just sacrificed one meter, the chip is STM32L152ZDT6 . Too bad this is not specified on schematic.

UP: looks like LCD is driven directly. So, no fancy proprietary drivers or something. Damn, wtf UEI does not release their crappy firmware opensource, I don't believe it is too difficult to write a firmware.
« Last Edit: February 01, 2018, 09:14:47 pm by exe »
 

Offline firewalker

  • Super Contributor
  • ***
  • Posts: 2450
  • Country: gr
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #37 on: February 01, 2018, 09:33:24 pm »
Become a realist, stay a dreamer.

 

Offline exe

  • Supporter
  • ****
  • Posts: 2557
  • Country: nl
  • self-educated hobbyist
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #38 on: February 01, 2018, 10:10:07 pm »
That's the problem, information is spread all over three threads :(. Unfortunately, I don't follow all of them, nor I have enough memory to remember who said what and where.

Anyway, following the instructions here I have openocd working:
Code: [Select]
Escape character is '^]'.
Open On-Chip Debugger
> dump_image dump.bin 0x08000000 0x1ffff
dumped 131071 bytes in 6.293624s (20.338 KiB/s)

I'll try to make a hello world over weekend, if time permits. Although, I don't mind if   somebody else will do this ahead of me.
 

Offline cwalex

  • Frequent Contributor
  • **
  • Posts: 299
  • Country: au
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #39 on: February 02, 2018, 03:38:00 am »
Does anyone know if there has been an official firmware update released that fixes the slow auto range we can download and use to update our multimeters?

It would be nice if there was a support web page that we could go to for news and updates on current issues being worked on and official updates, instructions, info, etc. Does a page like this exist yet?
 

Offline exe

  • Supporter
  • ****
  • Posts: 2557
  • Country: nl
  • self-educated hobbyist
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #40 on: February 02, 2018, 08:25:28 am »
To the best of my knowledge, there is no such page. AFAIK, All the news are here: https://www.eevblog.com/forum/testgear/eevblog-121gw-discussion-thread/?topicseen . Short digest: many problems are acknowledge by the manufacturer, but no ETA yet. Dave does not post much, though. Perhaps, because there is nothing to say (and, I guess, to preserve good relationship with the manufacturer).

My biggest concern is that we are not told what UEI is going to do. I don't want to spend a lot of time on FW if there is a new FW release solving all the issues. I also understand that doing software is not easy. There might be very nontrivial things like temperature and age compensation. Or workarounds for HW problems, etc.

Does anyone know if there has been an official firmware update released that fixes the slow auto range we can download and use to update our multimeters?

It would be nice if there was a support web page that we could go to for news and updates on current issues being worked on and official updates, instructions, info, etc. Does a page like this exist yet?
 

Offline exe

  • Supporter
  • ****
  • Posts: 2557
  • Country: nl
  • self-educated hobbyist
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #41 on: February 02, 2018, 10:37:10 pm »
I tried to generate some code with the latest CubeMX, looks like it has a bug: some source files are mentioned twice in generated Makefile. This causes "multiple definition of XXX" problem. But this is easy to fix.

Now I'm trying to enable buzzer or lit some segments on LCD (assuming 1/4 duty cycle), no luck. I followed this instruction to setup openocd: https://sourcegate.wordpress.com/2012/09/18/getting-started-with-an-stm32l-discovery-with-linux-and-gcc/ . According to GDB my program is up and running. Uhm, may be it's time to read some manuals... Concerning LCD, I found this one: "How to use the STM8AL3Lxx, STM8L152xx and STM8L162xx LCD controllers" (http://www.st.com/content/ccc/resource/technical/document/application_note/0d/99/cb/9c/dc/73/42/52/CD00257713.pdf/files/CD00257713.pdf/jcr:content/translations/en.CD00257713.pdf)

I keep trying.

UP: buzzer (PE7) works! I had to disable LCD driver. Cool, now it's time to figure out what's wrong.

« Last Edit: February 02, 2018, 10:43:35 pm by exe »
 

Offline exe

  • Supporter
  • ****
  • Posts: 2557
  • Country: nl
  • self-educated hobbyist
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #42 on: February 02, 2018, 11:02:23 pm »
Alright, now I know what's happening (sort of). HAL_LCD_Init() returns HAL_TIMEOUT. Looking at the code, it seems that more initialization is needed. Perhaps, it's really time to open the manual (or find a working example on stackoverflow).

Catch you next time!
 

Offline tpw_rules

  • Regular Contributor
  • *
  • Posts: 50
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #43 on: February 05, 2018, 04:11:20 am »


Just as a reminder, the 121GW reverse engineering information repository is available. There's a new update with some more juicy hardware bits.

But now, there's also an IDE template already set up for you to write your own firmware. Instructions for setting it up are in the repository README. The best part is that you don't even need a programmer!

If you'd like to say hello to your meter too:
  • Put the EEVBlog.bin on your meter's SD card in a safe place (or get a copy of v1.02 here)
  • Copy the built EEVBlog.bin from the template onto the SD card (or get a pre-built copy here)
  • Execute the IAP procedure as detailed in the user manual (boot with MEM and HOLD buttons held, then press SETUP)
  • To restore the official firmware, just put it back on the SD card and execute IAP again. Calibration EEPROM data will not be touched
Note that the IAP procedure requires the firmware on the SD card to be named EEVBlog.bin; you might have to rename files.
 

Offline exe

  • Supporter
  • ****
  • Posts: 2557
  • Country: nl
  • self-educated hobbyist
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #44 on: February 05, 2018, 02:01:54 pm »
Thanks a lot! Would it be useful if I try writing a buttons driver?

The way I see it: timer polls button state (polling is for debouncing). Pressed buttons go into a queue (here some de-duplication needed if button remains pressed for several polling periods). If button remains pressed for more than certain time then this is a "long press". The keypress is logged at button release. At the moment only single key press would be supported to make life easier. The "queue" is a simple array with a few pointers and item counter. May be no need for a queue, just remember the last press.

I'm not sure how this fits the overall architecture of the FW though. I mean, menus, etc.
 

Offline TD-Linux

  • Contributor
  • Posts: 16
  • Country: us
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #45 on: February 11, 2018, 12:28:17 pm »
But now, there's also an IDE template already set up for you to write your own firmware. Instructions for setting it up are in the repository README. The best part is that you don't even need a programmer!

Have you decided on a license for your code? FYI, most of the newer ST code is under a 3-clause BSD, but the SD card code in Src/ is not.
 

Offline tpw_rules

  • Regular Contributor
  • *
  • Posts: 50
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #46 on: February 12, 2018, 03:29:24 am »
But now, there's also an IDE template already set up for you to write your own firmware. Instructions for setting it up are in the repository README. The best part is that you don't even need a programmer!

Have you decided on a license for your code? FYI, most of the newer ST code is under a 3-clause BSD, but the SD card code in Src/ is not.

I was thinking about something GPLey, as I'd rather like to avoid UEI just taking it and folding it into their meters.

All the code I can see looks to have the same license? At least it's got the same header as the others. I'm not experienced in such matters. I was just going to drop the GPLv3 in LICENSE in the root but I'm not sure if that is safe.
 

Offline amspire

  • Super Contributor
  • ***
  • Posts: 3802
  • Country: au
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #47 on: February 12, 2018, 04:05:06 am »
It may be not a bad idea to use a permissive license that allows UEi to freely use the open source code in their multimeters.

For one thing, it may have the effect that people such as EEVBLOG forum members start getting better multimeters. With a permissive license, any or every multimeter company could use parts of our 121GW code if they want.

Also, if we implement some new Bluetooth communications protocols for the 121GW and the same protocol starts appearing in many other multimeters, is that a bad thing?

There are aspects of GPL that are impossible for many companies to live with in their products. GPL does do a bit of "You have to do exactly what I tell you to do" and that is not exactly free.

Is the point of the code to allow 121GW owners to reprogram their meters which only needs a permissive license, or are there other goals in mind that require a GPL license?


 
The following users thanked this post: Kean, Diosol

Offline exe

  • Supporter
  • ****
  • Posts: 2557
  • Country: nl
  • self-educated hobbyist
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #48 on: February 13, 2018, 09:16:16 pm »
Shame on me, guys, I don't have free time at the moment to work on this. Hope to get back in a few weeks. Sorry :(. I also have to learn a lot since my experience with MCU is very limited.
 

Offline Yannik

  • Supporter
  • ****
  • Posts: 20
  • Country: de
Re: EEVBlog 121GW Multimeter Firmware Details
« Reply #49 on: February 15, 2018, 10:36:58 am »
With a GPL license, UEI and other companies can still use the code. However, they need to share their improvements to the code, which is just fair. Therefore, I strongly support the use of a GPL license for this.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf