Products > Test Equipment
HP / Agilent 34401A hidden menu
<< < (14/36) > >>
tv84:
The attached picture is the map of all the blocks (and their Checksum positions) of the EEPROM dump. This should allow (one day) a more precise understanding of the initial blocks.

I used the 34401a_11-05-02-EEPROM.bin (posted above).

This was done based on the info collected by Hydron yesterday.

In order to verify and calculate the checksums of all the blocks in a dump, I leave here a C# code that does that (should be self-explanatory):


--- Code: ---            byte[] block_sizes = { 0x02, 0x02, 0x2A, 0x1A, 0x18, 0x12, 0x1A, 0x1C, 0x22 };
            if (BitConverter.ToUInt16(buffer, 0x14) != 0)  // to accommodate older FWs (below version 07-05-02)
            {
                block_sizes[2] = 4;
                if (BitConverter.ToUInt16(buffer, 0x06) != 0x16)
                    block_sizes[3] = 0x18;
            }

            for (int j = 0, i = 0; j < block_sizes.Length; j++, i += 2)
            {
                ushort sum = 0;
                for (int end = i + block_sizes[j] * 2; i < end; i += 2)
                    sum += (ushort)(BitConverter.ToUInt16(buffer, i) + 1);               
                Console.Write("Offset: {0:X4}  Checksum_Calc: {1:X4}  ", i, sum);
                if (BitConverter.ToUInt16(buffer, i) - sum == 0)
                    Console.WriteLine("OK");
                else
                    Console.WriteLine("ERROR!");
            }
--- End code ---

(This source code can be used to verify if your EEPROM dump is OK.)

The output for 34401a_11-05-02-EEPROM:

--- Code: ---Offset: 0004  Checksum_Calc: 0002  OK
Offset: 000A  Checksum_Calc: 0018  OK
Offset: 0060  Checksum_Calc: 9147  OK
Offset: 0096  Checksum_Calc: 9B7D  OK
Offset: 00C8  Checksum_Calc: 7336  OK
Offset: 00EE  Checksum_Calc: 1F61  OK
Offset: 0124  Checksum_Calc: 8093  OK
Offset: 015E  Checksum_Calc: 1EB3  OK
Offset: 01A4  Checksum_Calc: 3B72  OK

--- End code ---

The output for 34401a_hydrons_ebay_unit_with_save_temp_menus_enabled_by_bit_changes_EEPROM:

--- Code: ---Offset: 0004  Checksum_Calc: 8663  OK
Offset: 000A  Checksum_Calc: 0018  OK
Offset: 0060  Checksum_Calc: 215C  OK
Offset: 0096  Checksum_Calc: 0101  OK
Offset: 00C8  Checksum_Calc: 99A5  OK
Offset: 00EE  Checksum_Calc: 3ADC  OK
Offset: 0124  Checksum_Calc: CE20  OK
Offset: 015E  Checksum_Calc: DEC0  OK
Offset: 01A4  Checksum_Calc: EFE5  OK

--- End code ---

The output for calrom_orig.bin (floating around in the web). This old dump contains checksum errors (in my opinion):

--- Code: ---Offset: 0004  Checksum_Calc: 8663  OK
Offset: 000A  Checksum_Calc: 000A  OK
Offset: 0014  Checksum_Calc: 1A66  ERROR!
Offset: 0046  Checksum_Calc: 25D4  OK
Offset: 0078  Checksum_Calc: A3A5  ERROR!
Offset: 009E  Checksum_Calc: B3D6  ERROR!
Offset: 00D4  Checksum_Calc: 4359  OK
Offset: 010E  Checksum_Calc: 2C46  ERROR!
Offset: 0154  Checksum_Calc: 2B1B  OK

--- End code ---

The checksum calculation has a little twist: they also sum the number of Words that are used in the calculation.

Edit: The green area contains the additional bytes that were added with the introduction of FW 07-05-02.
The red area is where the option bits reside. As we can see, this area already existed in FW 07-05-02.
Hydron:
Interesting - never found the first couple of checksums as I didn't manage to trigger anything that would mess with that area. I wonder what those first two small blocks do - my unit and dimmog's both came with different info in the first word than the 0000 I've seen from other dumps.

Good insight into the extra twist of the word number being added to the sum - I didn't manage to figure out where the offset came from when I tried (though I was also probably looking at the wrong range of words).

I guess the main questions now are a) are there any more useful hidden features to find and enable and b) can we flip the magic bits via SCPI without an eeprom programmer

On my end I had a bit more of a play this morning, but I think I'll put my unit back together soon - does anyone have further tests they want done while I still have my programmer connected?
tv84:

--- Quote from: Hydron on September 25, 2022, 10:49:59 am ---On my end I had a bit more of a play this morning, but I think I'll put my unit back together soon - does anyone have further tests they want done while I still have my programmer connected?

--- End quote ---

If I understand correctly what you tested, these are the option bits:

Offsets: 0x11+0x12


--- Code: ---00 00 98 06 - Default
00 90 9C 06 - Store State + Temp + 10mA AC
00 10 98 06 - 10 mA AC
   |   |
   |   0001 - SCALE options in math menu
   |   0010 - ???
   |   0100 - Store State
   |   1000 - Default (?)
   |
   0001 - 10 mA AC
   0010 - Recall saved settings on power-up (set via SAVE menu item)
   0100 - ???
   1000 - Temp
--- End code ---

Did you test the other combinations? Can you do it?

BTW, If we look at those 2 bytes as a little-endian word, the middle nibbles become:


--- Code: ---9800
9C90
9810
 |
 +---+
 |   |
 00000001 - 10 mA AC
 00000010 - Recall saved settings on power-up (set via SAVE menu item)
 00000100 - ???
 00001000 - Temp
 00010000 - SCALE options in math menu
 00100000 - ???
 01000000 - Store State
 10000000 - Default (?)
--- End code ---

By crossing this info with the command to enable 10 mA Option:

DIAG:POKE 25,0,1

I could imagine this scenario:   :)

0 is the bit position of the above table (that we want to change)
1 is turning ON that bit position

Can you test POKE 25 with other combinations, with this theory in mind?

(not much hope but worth a try...)
Hydron:
OK so PEEK/POKE do NOT work like that doc. However I have found:

DIAG:PEEK? -1,x,0 where x is a decimal number will read the EEPROM word at address x, answer comes back in decimal again. This is a closed-case EEPROM backup enabler :)

Trying to do the same with POKE (e.g. diag:poke -1,8,45056) doesn't seem to write anything.

As for the option bits, I have tried setting them all on, didn't notice any changes beyond what we've already found with TEMP and SAVE menus, didn't search exhaustively though. I can add a little to the table though:

--- Code: ---   0001 - 10 mA AC
   0010 - Recall saved settings on power-up (set via SAVE menu item)
   0100
   1000 - Temp
--- End code ---
tv84:

--- Quote from: Hydron on September 25, 2022, 11:58:50 am ---OK so PEEK/POKE do NOT work like that doc.

--- End quote ---

Sure, forget the doc.

Can you try to disable the Temp by using the POKE 25 as I hint above:

POKE 25, 3, 0
Navigation
Message Index
Next page
Previous page
There was an error while thanking
Thanking...

Go to full version
Powered by SMFPacks Advanced Attachments Uploader Mod