Figured this would be of interest to some, I was expecting to see the firmware that this meter came with to be encrypted with at the very least some very basic xor, but turns out the 'EEVBlog.bin' firmware on the SD card is just the plain firmware, with what looks like a calibration file appended to the end of it (cal.dat)
geoff@sarah-xen:~/Projects/121GW$ arm-none-eabi-objdump -D -b binary -marm -Mforce-thumb EEVBlog.bin | head -n 21
EEVBlog.bin: file format binary
Disassembly of section .data:
00000000 <.data>:
0: 4b78 ldr r3, [pc, #480] ; (0x1e4)
2: 2000 movs r0, #0
4: 2879 cmp r0, #121 ; 0x79
6: 0802 lsrs r2, r0, #32
8: 0e35 lsrs r5, r6, #24
a: 0802 lsrs r2, r0, #32
c: 0e37 lsrs r7, r6, #24
e: 0802 lsrs r2, r0, #32
10: 0e39 lsrs r1, r7, #24
12: 0802 lsrs r2, r0, #32
14: 0e3b lsrs r3, r7, #24
16: 0802 lsrs r2, r0, #32
18: 0e3d lsrs r5, r7, #24
1a: 0802 lsrs r2, r0, #32
...
To explain:
0x20004b78 - The main stack pointer
0x08022879 - The reset vector (this is thumb, so the address is actually -1)
... etc
I am yet to look more into this, but it's good news from the point of view of writing custom firmware for the meter.