HP / Agilent 34401A hidden menu

[robert.rozee]

we really need someone with a scrap 34401A that they can experiment with. blown up front-end or ADC for instance, but that can still accept "DIAG:POKE ..." commands from the serial port and write to the EEPROM.

next, unsolder and remote the EEPROM, with a simple mechanism to switch over to reading the contents directly in an automated fashion after sending a POKE command. perhaps TiN (of xdevs.com) has such a parts unit available?

alas, i don't feel too inclined to mess too much with my own 34401A as it is the only one i have, and i do depend on it working and remaining in calibration!


cheers,
rob   :-)

[Hydron]

next, unsolder and remote the EEPROM, with a simple mechanism to switch over to reading the contents directly in an automated fashion after sending a POKE command.

No real need for this TBH, you can read it (probably a bit slowly) with the PEEK -1 command, and if you hold the processor in reset (ground pin 16) then you can read or write the EEPROM with an external programmer without any issues. Alternatively, if you have a logic analyser setup you could simply look for write accesses after sending a POKE command (it only writes to addresses it needs to update, and always reads immediately beforehand too, so you know exactly what gets changed).

If your programmer puts it's pins into high-Z mode when it's not actively working (as the AsProgrammer + FT232H setup I'm using seems to do) then you can actually just leave it connected, and only ground the reset pin when you need to flash the EEPROM.

[Hydron]

If I understand correctly what you tested, these are the option bits:

Offsets: 0x11+0x12

Code: [Select]

00 00 98 06 - Default
00 90 9C 06 - Store State + Temp + 10mA AC
00 10 98 06 - 10 mA AC
   |   |
   |   0001 - SCALE options in math menu
   |   0010 - ???
   |   0100 - Store State
   |   1000 - Default (?)
   |
   0001 - 10 mA AC
   0010 - Recall saved settings on power-up (set via SAVE menu item)
   0100 - ???
   1000 - Temp

No luck with trying more POKE commands (other than POKE 27 can turn the TEMP option off, but seemingly not on), but I did try and set the other bits in the byte that turns on the SAVE menu, and one of them enables the scale option seen in the quick-start guide here (math menu): https://www.keysight.com/gb/en/assets/9018-04874/quick-start-guides/9018-04874.pdf

Had a quick test and scale factor seems to work (and even gives you up to 7 digits of output!)

Will update once I figure out which of the two bits it was. It's the LSB

[tv84]

What about the 06 and the 9 in

Code: [Select]

00 10 98 06 - Default
Have you tried the bits in that byte and nibble?

I guess it could be part of the options map as (for example) an int32: 0x06981000

[robert.rozee]

just a silly idea: perhaps the calibration lock needs to be turned off first to enable changing some of the option bits?


cheers,
rob   :-)

[Hydron]

No further luck or info from either of the last couple of suggestions (I'd already tried the other bits in the settings bytes, and my unit was already unlocked, though I also tried with the lock enabled).

At this point I need my desk space back so the DMM is going back together again, but now with a few bonus features thanks to everyone's efforts (particularly dimmog for starting the thread and providing the EEPROM dump). 

[dimmog]

Some more poke from old IntuiLink software examples.

DIAG:POKE -2,4281,0  - Close front end relay
DIAG:POKE -2,4281,4  - Open front end relay
DIAG:POKE -2,3512,0  - Force front end conf to change
DIAG:POKE 1,0,0 - Force front end conf to be sent

thanks alex.forencich for finding this

[Hydron]

Yeah that set of POKE commands is what inspired me to try the PEEK? -1 which returns the eeprom contents. POKE -1 didn't seem to do anything though (and -2 seems to be for ram or something).

One thing it does make me realise is that I never tried a poke 1 after other commands - maybe that would trigger a write cycle? Very long shot though.

[tv84]

One thing it does make me realise is that I never tried a poke 1 after other commands - maybe that would trigger a write cycle? Very long shot though.

You mean changing the RAM contents with POKE -2 commands and then issue a POKE 1,0,0 to submit the info to EEPROM?

Very long shot indeed but...

(If the frontend relay state is also stored in EEPROM and the previous msg commands change the EEPROM contents then that could be possible.)

[tv84]

Yeah that set of POKE commands is what inspired me to try the PEEK? -1 which returns the eeprom contents.

What are the addresses that you used (could use) to dump the EEPROM via PEEK -1 ?

[Hydron]

What are the addresses that you used (could use) to dump the EEPROM via PEEK -1 ?

DIAG:PEEK? -1,x,0 where x is a decimal number will read the EEPROM word at address x, answer comes back in decimal again. This is a closed-case EEPROM backup enabler

Basically run it 211 times, with x = 0 to 210, record the answers and you have an EEPROM dump once you convert to hex. After 210 you just read the 0xFFFF padding until the end of the EEPROM, then it wraps back around. FW pre 07-xx-yy might give different results I guess?

[manupthehills]

I'm interested in the SCALE option but, reading again and again this thread, I can't figure out if it can be activated with DIAG:POKE command, like the 10mA AC range, or it requires to physically access the EEPROM

[Hydron]

Currently it needs physical access. Use a SO-8 test clip or something, plus a couple of mini grabbers to put the processor into reset (see service manual for pinouts).

If someone wanted to try and get it working without physical access by blindly testing more POKE commands (or better still by reverse engineering the firmware to try and find them) then that would be great though! (Best to backup the existing eeprom contents first though, at least we can now do that using the PEEK command instead of opening the case)

[alan.bain]

I landed upon this thread and thought it might be useful to leave this here from my file of useful(?) information:

With the 7-5-2 firmware in a 34401A

DIAG:POKE -2,4667,1
DIAG:POKE -2,4607,1
DIAG:POKE -2,4610,1
DIAG:POKE -2,4608,1 
DIAG:POKE 25,0,1

(first is recall, second temp, third save state, fourth SCALE menus)

The last instruction is vital even if you already have 10mA current enabled. This should turn on TEMP, SAVE State, RECALL state and 10mA current.

I am not sure how stable over firmware versions it is though but it's easy to check as the EEPROM format is stored in a table at the end of the 02xxxx region in ROM. The format is a bit strange, but is specified in terms of bit groups and the memory address where they are mapped (along with a ROM address for a default). In writing to the EEPROM each new group of bits is added to the left of the stream with LSB on right always. E.g.

[F6.1 F6.0 F5.0 F4.0 F3.2 F3.1 F3.0 F2.4 ] [F2.3 F2.2 F2.1 F2.1 F1.2 F1.1 F1.0 F0.0 ]

Shows fields of length 1,3,5,3,1,1,2 (imaginary example) bits in a field. Here FX.Y is Yth bit of field X. This shows the first two bytes in an example byte1 on left byte0 on right. So basically once you think of always adding on the left it sort of makes sense.

A few useful commands are: (all addr, data are base10). Words in memory are little-endian.
POKE -3,addr,word writes word to RAM
POKE -2,addr,byte writes  byte to RAM
PEEK 0,addr,0 reads a RAM addr (word)
PEEK -1,addr,0 reads a EEPROM addr (the EEPROM is not mapped into main memory)

POKE 25,0,1 turns on 10mA current by setting the RAM byte for the range and then doing a write to the lower part of the EEPROM of any changed data. This also picks up other RAM flag changes and saves them to EEPROM.

Someday I should look at the firmware and see if there were a more stable way to do this which might be stable over firmware versions.

Not sure if this is all the SCALE options - they seem to be in RAMat 4608/9 but the menus appear under MATH with just 4608 set to 1.

Now I need a temperature probe to test it.....

Thankfully 80196 code is much easier to read than Fairchild F8....

If anyone tries this I'd be interested to know how you get on; but see advice earlier about a backup before starting; PEEK -1 is your friend here.

[razvan784]

Unfortunately those POKEs probably won't work on other firmware versions, because the RAM layout would be different.

In version 10 (and maybe others) there are dedicated POKEs that enable the hidden functions:
POKE 28,0,1191 math menu -> min-max: enable sdev, pp
POKE 30,0,1191 temp menu, scpi commands
POKE 31,0,1191 menu -> scale, calc:scale
POKE 32,0,1191 resolution menu -> custom aperture
POKE 33,0,1191 system menu -> store state, recall state
To disable, poke with something other than 1191, e.g. 0

To check if a function is enabled, use
PEEK -10,index,0  where index is
1 sdev, pp
2 temp
3 scale
4 custom aperture
5 save recall

[alan.bain]

I can confirm that those pokes do indeed provide "firmware" stable ways to set the flags which also work in 7-5-2 (they work by doing the same as the RAM pokes, but are much cleaner!).  Also I checked the addresses in another firmware and for 10-5-2 the ram pokes were different viz:

DIAG:POKE -2,4665,1 ; recall on power up
DIAG:POKE -2,4605,1 ; temp
DIAG:POKE -2,4606,1 ; save/recall state
DIAG:POKE -2,4608,1 ; scale menus
DIAG:POKE 25,0,1

As an example for POKE 30 (temp) the code  7-5-2 is
046E1       CMP     E2,#04A7; int(ARG2)==1191?
046E5       JNE     46EA
046E7       LDB     E1,#01 ; second arg is 1191 -magic on value?
046EA ...

[Switch dispatch] for POKE 30 to 4B2B


// Case 22 (poke 30)
// E1 =1 iff second arg is magic 1191 value
04B2B         STB     E1,11FF[0] ; DIAG:POKE -2,4607,1
04B30    LCALL   76C3  ; Switch overlay to 0x2xxx and call 460A (write all "normal" blocks)
04B33         SJMP    4B7

[Hydron]

Great work getting this "hack" to work without needing to open the case and read/write the EEPROM. I've tested the POKE 28 and 32 commands (the two I didn't have enabled already) and sure enough they work. I also noted that using a custom aperture seems to let you retain 6.5 digits at <10 NPLC, though that doesn't mean the extra digit (or the 7th digit you can get by enabling the SCALE function) is useful at that setting.

I probably actually managed to enable these during my EEPROM hacking attempts, but just didn't discover the newly activated options due to how buried they are (I only kept the bit flips which did something I noticed). Should really have looked more closely at the strings in the firmware though - they would have revealed a hint that there was an extra option or two hiding away. Not seeing any further hints with another look now though; are all of the secrets finally revealed?

@razvan784 - did you also reverse engineer the firmware like alan.bain, or did the list come from elsewhere?
I'm wondering why they hid these features in the first place, other than maybe the temperature measurement, it's hardly like they were going to cannibalise sales from their 3441x or other meters by adding them. I guess maybe they didn't want owners with earlier firmware revisions demanding the new features?

Edit: forgot to note that mine is running FW 11-5-2, so I suspect that the magic commands work from 7-x-y onwards.

[razvan784]

I couldn't find any information apart from what's already been posted here, so I disassembled the v10 firmware, out of curiosity / entertainment.
The code is quite large and "twisted" and I can't say I understood it all, or most of it, but I specifically looked into the POKEs, PEEKs, menus and SCPI commands.
Those seem to be all the hidden functions, and they seem to be production-ready - no idea why hp decided to hide them, management decision perhaps.
There are SCPI commands for temperature measurement that are similar to the 34420A and 34970A.
There is a DIAG:TEMP? command that returns the internal DMM temperature measured from its on-chip sensor.
All peeks follow the format PEEK function,parameter,0.
Functions span from -12 to 3.
-10 reads if a hidden feature is enabled
-6 gets the stack dump
-4 measures the line frequency
-1 reads an eeprom word
0 reads a ram/rom byte
1 reads a ram/rom word
2 reads a ram/rom dword
3 reads a ram/rom float
All pokes follow the format POKE function,param1,param2
Functions span from -4 to 34.
-4 writes a float to ram, aligned, something like *(param1 & 0xFFFE) = param2
-3 writes a word to ram
-2 writes a byte to ram
-1 does nothing
0 increments CAL count
11 seems to mess with the PWM signal that compensates the precharge buffer offset - so yes, these pokes can ruin the performance of your instrument in subtle ways if misused
23 resets CAL count
34 resets the CPU.
All other peek and poke function codes do something, but I currently have no idea what. Many write to the EEPROM, so please don't go around calling these just to see what they do without doing a backup and checking that you can restore it.
Enjoy

[tv84]

I couldn't find any information apart from what's already been posted here, so I disassembled the v10 firmware, out of curiosity / entertainment.
The code is quite large and "twisted" and I can't say I understood it all, or most of it, but I specifically looked into the POKEs, PEEKs, menus and SCPI commands.

 

[iMo]

Great work guys! While reading about your findings I've been pretty tempted to enable the functions in my meter, but still extremely cautious not to brick it or de-calibrate

I can confirm that those pokes do indeed provide "firmware" stable ways to set the flags which also work in 7-5-2 (they work by doing the same as the RAM pokes, but are much cleaner!).  Also I checked the addresses in another firmware and for 10-5-2 the ram pokes were different viz:

DIAG:POKE -2,4665,1 ; recall on power up
DIAG:POKE -2,4605,1 ; temp
DIAG:POKE -2,4606,1 ; save/recall state
DIAG:POKE -2,4608,1 ; scale menus
DIAG:POKE 25,0,1

Unfortunately those POKEs probably won't work on other firmware versions, because the RAM layout would be different.

In version 10 (and maybe others) there are dedicated POKEs that enable the hidden functions:
POKE 28,0,1191 math menu -> min-max: enable sdev, pp
POKE 30,0,1191 temp menu, scpi commands
POKE 31,0,1191 menu -> scale, calc:scale
POKE 32,0,1191 resolution menu -> custom aperture
POKE 33,0,1191 system menu -> store state, recall state
To disable, poke with something other than 1191, e.g. 0

To check if a function is enabled, use
PEEK -10,index,0  where index is
1 sdev, pp
2 temp
3 scale
4 custom aperture
5 save recall

Could you perhaps consolidate, for example for the 10-05-02 revision (I've got here), the safest way to switch the hidden function on?

[Hydron]

Great work guys! While reading about your findings I've been pretty tempted to enable the functions in my meter, but still extremely cautious not to brick it or de-calibrate

The instructions below should work with all firmware after 07-xx-yy (confirmed on 07, 10 and 11):

In version 10 (and maybe others) there are dedicated POKEs that enable the hidden functions:
POKE 28,0,1191 math menu -> min-max: enable sdev, pp
POKE 30,0,1191 temp menu, scpi commands
POKE 31,0,1191 menu -> scale, calc:scale
POKE 32,0,1191 resolution menu -> custom aperture
POKE 33,0,1191 system menu -> store state, recall state
To disable, poke with something other than 1191, e.g. 0

To check if a function is enabled, use
PEEK -10,index,0  where index is
1 sdev, pp
2 temp
3 scale
4 custom aperture
5 save recall

If you are concerned about calibration data, then this can be backed up without opening the unit by using the PEEK -1 command: https://www.eevblog.com/forum/testgear/hp-agilent-34401a-hidden-menu/msg4436983/#msg4436983
Note that if you do corrupt it (should be very unlikely if you stick to the known safe POKE commands) then flashing it back would require opening the unit and flashing the EEPROM.

[J-R]

I just enabled all these on my unit with revision 10-05-02.  No issues.  Being able to set the power-on state is particularly a nice feature to have.

[iMo]

I started small and added the store state/recall state menus only, and it works!
It starts now with my config, except my lovely SYS/DISPLAY OFF setting which starts always on, it seems (I run the meter with display off all the time)..

[dreamcat4]

have been watching with interest. but the problem i have here is....

i have early revision hardware. my firmware version is rev 06-04-01 so maybe that is too old?

[coromonadalix]

have been watching with interest. but the problem i have here is....

i have early revision hardware. my firmware version is rev 06-04-01 so maybe that is too old?

And you may have to old unobtanium vfd display driver ic