Products > Test Equipment
HP / Agilent 34401A hidden menu
alan.bain:
I can confirm that those pokes do indeed provide "firmware" stable ways to set the flags which also work in 7-5-2 (they work by doing the same as the RAM pokes, but are much cleaner!). Also I checked the addresses in another firmware and for 10-5-2 the ram pokes were different viz:
DIAG:POKE -2,4665,1 ; recall on power up
DIAG:POKE -2,4605,1 ; temp
DIAG:POKE -2,4606,1 ; save/recall state
DIAG:POKE -2,4608,1 ; scale menus
DIAG:POKE 25,0,1
As an example for POKE 30 (temp) the code 7-5-2 is
046E1 CMP E2,#04A7; int(ARG2)==1191?
046E5 JNE 46EA
046E7 LDB E1,#01 ; second arg is 1191 -magic on value?
046EA ...
[Switch dispatch] for POKE 30 to 4B2B
// Case 22 (poke 30)
// E1 =1 iff second arg is magic 1191 value
04B2B STB E1,11FF[0] ; DIAG:POKE -2,4607,1
04B30 LCALL 76C3 ; Switch overlay to 0x2xxx and call 460A (write all "normal" blocks)
04B33 SJMP 4B7
Hydron:
Great work getting this "hack" to work without needing to open the case and read/write the EEPROM. I've tested the POKE 28 and 32 commands (the two I didn't have enabled already) and sure enough they work. I also noted that using a custom aperture seems to let you retain 6.5 digits at <10 NPLC, though that doesn't mean the extra digit (or the 7th digit you can get by enabling the SCALE function) is useful at that setting.
I probably actually managed to enable these during my EEPROM hacking attempts, but just didn't discover the newly activated options due to how buried they are (I only kept the bit flips which did something I noticed). Should really have looked more closely at the strings in the firmware though - they would have revealed a hint that there was an extra option or two hiding away. Not seeing any further hints with another look now though; are all of the secrets finally revealed?
@razvan784 - did you also reverse engineer the firmware like alan.bain, or did the list come from elsewhere?
I'm wondering why they hid these features in the first place, other than maybe the temperature measurement, it's hardly like they were going to cannibalise sales from their 3441x or other meters by adding them. I guess maybe they didn't want owners with earlier firmware revisions demanding the new features?
Edit: forgot to note that mine is running FW 11-5-2, so I suspect that the magic commands work from 7-x-y onwards.
razvan784:
I couldn't find any information apart from what's already been posted here, so I disassembled the v10 firmware, out of curiosity / entertainment.
The code is quite large and "twisted" and I can't say I understood it all, or most of it, but I specifically looked into the POKEs, PEEKs, menus and SCPI commands.
Those seem to be all the hidden functions, and they seem to be production-ready - no idea why hp decided to hide them, management decision perhaps.
There are SCPI commands for temperature measurement that are similar to the 34420A and 34970A.
There is a DIAG:TEMP? command that returns the internal DMM temperature measured from its on-chip sensor.
All peeks follow the format PEEK function,parameter,0.
Functions span from -12 to 3.
-10 reads if a hidden feature is enabled
-6 gets the stack dump
-4 measures the line frequency
-1 reads an eeprom word
0 reads a ram/rom byte
1 reads a ram/rom word
2 reads a ram/rom dword
3 reads a ram/rom float
All pokes follow the format POKE function,param1,param2
Functions span from -4 to 34.
-4 writes a float to ram, aligned, something like *(param1 & 0xFFFE) = param2
-3 writes a word to ram
-2 writes a byte to ram
-1 does nothing
0 increments CAL count
11 seems to mess with the PWM signal that compensates the precharge buffer offset - so yes, these pokes can ruin the performance of your instrument in subtle ways if misused :)
23 resets CAL count
34 resets the CPU.
All other peek and poke function codes do something, but I currently have no idea what. Many write to the EEPROM, so please don't go around calling these just to see what they do without doing a backup and checking that you can restore it.
Enjoy :)
tv84:
--- Quote from: razvan784 on December 04, 2022, 10:57:09 pm ---I couldn't find any information apart from what's already been posted here, so I disassembled the v10 firmware, out of curiosity / entertainment.
The code is quite large and "twisted" and I can't say I understood it all, or most of it, but I specifically looked into the POKEs, PEEKs, menus and SCPI commands.
--- End quote ---
:clap: :clap:
iMo:
Great work guys! While reading about your findings I've been pretty tempted to enable the functions in my meter, but still extremely cautious not to brick it or de-calibrate :)
--- Quote from: alan.bain on December 03, 2022, 04:03:28 pm ---I can confirm that those pokes do indeed provide "firmware" stable ways to set the flags which also work in 7-5-2 (they work by doing the same as the RAM pokes, but are much cleaner!). Also I checked the addresses in another firmware and for 10-5-2 the ram pokes were different viz:
DIAG:POKE -2,4665,1 ; recall on power up
DIAG:POKE -2,4605,1 ; temp
DIAG:POKE -2,4606,1 ; save/recall state
DIAG:POKE -2,4608,1 ; scale menus
DIAG:POKE 25,0,1
--- End quote ---
--- Quote from: razvan784 on December 03, 2022, 12:43:19 pm ---Unfortunately those POKEs probably won't work on other firmware versions, because the RAM layout would be different.
In version 10 (and maybe others) there are dedicated POKEs that enable the hidden functions:
POKE 28,0,1191 math menu -> min-max: enable sdev, pp
POKE 30,0,1191 temp menu, scpi commands
POKE 31,0,1191 menu -> scale, calc:scale
POKE 32,0,1191 resolution menu -> custom aperture
POKE 33,0,1191 system menu -> store state, recall state
To disable, poke with something other than 1191, e.g. 0
To check if a function is enabled, use
PEEK -10,index,0 where index is
1 sdev, pp
2 temp
3 scale
4 custom aperture
5 save recall
--- End quote ---
Could you perhaps consolidate, for example for the 10-05-02 revision (I've got here), the safest way to switch the hidden function on?
Navigation
[0] Message Index
[#] Next page
[*] Previous page
Go to full version