Possible upgrade - Agilent 34410A to 34411A
plesa:

--- Quote from: HighVoltage on August 29, 2016, 07:18:59 am ---
--- Quote from: bitseeker on August 28, 2016, 11:32:00 pm ---@HighVoltage: That comparison will be very interesting indeed.

(Hmm, were your other DMMs getting lonely -- pining for a new team member? :-DD)

--- End quote ---
I never owned a 34411A and got it for Euro 100 incl. shipping
Symptoms: Does not turn ON
I still don't have it, may be an easy repair, may be beyond repair, I don't know.
The 34411A rarely becomes available at a reasonable price.

Maybe we really can find out the differences between the 34410A and the 34411A

--- End quote ---

The board / hardware is identical. The only difference is in software and probably calibration. If I have a unit for 100 EUR I will invest more into experiments with a programmer. You can easily downgrade a 34411A to a 34410A by changing the model number in the firmware file header (%model=34410A).
bitseeker:

--- Quote from: HighVoltage on August 29, 2016, 07:18:59 am ---I never owned a 34411A and got it for Euro 100 incl. shipping
Symptoms: Does not turn ON
I still don't have it, may be an easy repair, may be beyond repair, I don't know.
The 34411A rarely becomes available at a reasonable price.

Maybe we really can find out the differences between the 34410A and the 34411A

--- End quote ---

Congrats on the "no fix" fix, as you put it. Way to score. We anxiously await your revelations as to the potential of upgrading a 34410A to a 34411A. For curiosity, of course. Most of the time, I'm running my 34410A with integration at 10 or 100 PLC.
zrq:
Sorry to revive this old thread. I'm looking for a 6 1/2 digit DMM for the home lab and got interested in second-hand 34410As, which seem to be available on eBay for a reasonable price (other suggestions welcome). For obvious reasons, the meter will be of better value if it's hackable. I downloaded the firmware (agt34411_instrument_rev243.zip) from the Keysight website and started digging into it.

Basically, the xs file is a Motorola S file for the hex content; with tools like 010Editor, we can easily convert it to the actual bytes in ROM. binwalk indicates there is a zlib-compressed section; use -e to extract it, and we get a VxWorks image. With -a it turns out that in the Agilent ASIC, the firmware runs on a big-endian 32-bit PowerPC core. Googling shows there is a tool, https://github.com/PAGalaxyLab/vxhunter, that can help me load the memory image in Ghidra, and I noticed the image comes with a symbol table  :-+ . Searching for "Please load" quickly led to the _checkModelNumber__5IEIfcF routine


--- Code: ---
                            **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined _checkModelNumber__5IEIfcFv()
             undefined         r3:1           <RETURN>
             undefined4        Stack[0x4]:4   local_res4                              XREF[2]:     004d4adc(W),
                                                                                                   004d4b40(R) 
             undefined4        Stack[-0x10]:4 local_10                                XREF[1]:     004d4acc(W) 
                             _checkModelNumber__5IEIfcFv                     XREF[2]:     initInstrumentEngine__5IEIfcFv:0
                                                                                          00a4d690(*) 
        004d4acc 94 21 ff f0     stwu       r1,local_10(r1)
        004d4ad0 7c 08 02 a6     mfspr      r0,LR
        004d4ad4 3d 80 90 00     lis        r12,-0x7000
        004d4ad8 a0 8c 00 0a     lhz        r4,offset DAT_9000000a(r12)    <- UNKNOWN ADDRESS
        004d4adc 90 01 00 14     stw        r0,local_res4(r1)
        004d4ae0 2c 04 23 5a     cmpwi      r4,0x235a
        004d4ae4 40 82 00 3c     bne        LAB_004d4b20
        004d4ae8 3c 60 00 96     lis        r3,0x96
        004d4aec 38 63 2c fc     addi       r3=>s_34410_FIRMWARE_00962cfc,r3,0x2cfc          = "34410 FIRMWARE"
        004d4af0 3c 80 00 96     lis        r4,0x96
        004d4af4 38 84 2d 0c     addi       r4=>s_PLEASE_LOAD_00962d0c,r4,0x2d0c             = "PLEASE LOAD"
        004d4af8 4b bc f7 29     bl         updateVfdNow__FPCcT1                             undefined updateVfdNow__FPCcT1()
        004d4afc 48 0c 96 89     bl         theMgr__19GandalfStateManagerSFv                 undefined theMgr__19GandalfState
        004d4b00 38 80 00 00     li         r4,0x0
        004d4b04 48 0c 90 e5     bl         enablePorRecall__19GandalfStateManagerFb         undefined enablePorRecall__19Gan
        004d4b08 3c 60 00 1e     lis        r3,0x1e
        004d4b0c 60 63 84 80     ori        r3,r3,0x8480
        004d4b10 4b d6 e2 c9     bl         spin__9SpinTimerSFi                              undefined spin__9SpinTimerSFi()
        004d4b14 38 60 40 00     li         r3,0x4000
        004d4b18 4b ca 96 15     bl         reboot                                           int reboot(int __howto)
        004d4b1c 48 00 00 24     b          LAB_004d4b40
                             LAB_004d4b20                                    XREF[1]:     004d4ae4(j) 
        004d4b20 28 04 b6 43     cmplwi     r4,0xb643
        004d4b24 41 82 00 1c     beq        LAB_004d4b40

--- End code ---

I'm still not sure what the code is checking, as I haven't yet figured out the memory mapping. I guess there is a 0x235a value in the calibration ROM which is checked against, and it's possible the value can be changed in the VxWorks shell by the debug commands. But apparently, as there seems to be no secure boot, a trivial solution is to nop out the only code reference to this function in initInstrumentEngine__5IEIfcFv.


--- Code: ---
                            **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             undefined initInstrumentEngine__5IEIfcFv()
             undefined         r3:1           <RETURN>
             undefined4        Stack[0x4]:4   local_res4                              XREF[2]:     004d4f30(W),
                                                                                                   004d4ff4(R) 
             undefined4        Stack[-0x4]:4  local_4                                 XREF[2]:     004d4f2c(W),
                                                                                                   004d5004(R) 
             undefined4        Stack[-0x8]:4  local_8                                 XREF[2]:     004d4f28(W),
                                                                                                   004d5000(R) 
             undefined4        Stack[-0x10]:4 local_10                                XREF[1]:     004d4f20(W) 
                             initInstrumentEngine__5IEIfcFv                  XREF[2]:     vxmain__FiPPc:0005c034(c),
                                                                                          00a661f0(*) 
        004d4f20 94 21 ff f0     stwu       r1,local_10(r1)
        004d4f24 7c 08 02 a6     mfspr      r0,LR
        004d4f28 93 c1 00 08     stw        r30,local_8(r1)
        004d4f2c 93 e1 00 0c     stw        r31,local_4(r1)
        004d4f30 90 01 00 14     stw        r0,local_res4(r1)
        004d4f34 4b be 34 8d     bl         instance__10SoftRebootSFv                        undefined instance__10SoftReboot
        004d4f38 4b b8 ca 6d     bl         subscribeEventBootHandlers                       undefined subscribeEventBootHand
        004d4f3c 4b ff fb 91     bl         _checkModelNumber__5IEIfcFv                      undefined _checkModelNumber__5IE
        004d4f40 4b ff fb 0d     bl         _checkFlashType__5IEIfcFv                        undefined _checkFlashType__5IEIf  <------------HERE
        004d4f44 3f c0 00 c8     lis        r30,0xc8
        004d4f48 3b de 7c c0     addi       r30,r30,0x7cc0
        004d4f4c 48 08 9e 15     bl         newScanController__Fv                            undefined newScanController__Fv()

--- End code ---

I don't (yet) have the 34410A to verify this is feasible, but it looks promising.

BTW: who is Gandalf?
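
The unpacking steps described in the post above (Motorola S-record to flat image, then locating the zlib-compressed section), as an added example that is not part of the original post. The sample records, the base address 0x100000 and the payload are constructed here, not taken from the Keysight firmware, and the header-check-plus-trial-inflate scan is this example's own approach rather than binwalk's code.

```python
import zlib

def srec_to_image(text, fill=0xFF):
    """Parse S1/S2/S3 data records, verify checksums, return (base, flat image)."""
    addr_len = {"1": 2, "2": 3, "3": 4}      # address bytes per data-record type
    chunks = {}
    for n, line in enumerate(text.split(), 1):
        raw = bytes.fromhex(line[2:])        # count, address, data, checksum
        if line[0] != "S" or not raw or raw[0] != len(raw) - 1:
            raise ValueError(f"record {n}: malformed")
        if sum(raw) & 0xFF != 0xFF:          # checksum is one's complement of the sum
            raise ValueError(f"record {n}: bad checksum")
        if line[1] in addr_len:              # S0/S5/S7-S9 carry no image data
            a = 1 + addr_len[line[1]]
            chunks[int.from_bytes(raw[1:a], "big")] = raw[a:-1]
    base = min(chunks)
    image = bytearray([fill]) * (max(k + len(v) for k, v in chunks.items()) - base)
    for k, v in chunks.items():
        image[k - base:k - base + len(v)] = v
    return base, bytes(image)

def find_zlib_streams(image):
    """Return [(offset, inflated bytes)] for each offset holding a complete zlib stream."""
    found = []
    for off in range(len(image) - 1):
        cmf, flg = image[off], image[off + 1]
        # Header test: deflate method (low nibble 8) and (CMF << 8 | FLG) % 31 == 0
        if cmf & 0x0F != 8 or ((cmf << 8) | flg) % 31:
            continue
        d = zlib.decompressobj()
        try:
            out = d.decompress(image[off:])
        except zlib.error:
            continue
        if d.eof:                            # ignore truncated or partial matches
            found.append((off, out))
    return found

def make_s3(addr, data):
    """Build one S3 record; used only to construct the sample input below."""
    body = addr.to_bytes(4, "big") + data
    count = len(body) + 1
    return "S3" + bytes([count, *body, ~(count + sum(body)) & 0xFF]).hex().upper()

# Constructed sample: 8 bytes of erased flash, then a zlib stream, as S3 records.
PAYLOAD = b"constructed stand-in for the VxWorks image " * 4
BLOB = b"\xff" * 8 + zlib.compress(PAYLOAD)
SAMPLE = "\n".join(make_s3(0x100000 + i, BLOB[i:i + 16]) for i in range(0, len(BLOB), 16))

if __name__ == "__main__":
    base, image = srec_to_image(SAMPLE)
    for off, data in find_zlib_streams(image):
        print(f"zlib stream at 0x{base + off:08x}: {len(data)} bytes inflated")
```

Verifying each record's checksum before flattening catches a corrupted or hand-edited S-record file early, before any analysis is done on a bad image.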
TheSteve:
Going 34410 to 34411 is pretty easy. In the past you just needed to swap the names of the bin files so the upgrade package would install the 34411 firmware into your 34410. When it boots it will be unhappy, so the other thing required is to edit the model # in the EEPROM that is in the back left corner of the unit (8-pin SOIC). You can get an SOIC clip onto it without even removing the PCB. Just edit the instances of 34410 to 34411.
coromonadalix:
I'm playing with an L4411A

poking into the serial debug port ...

In my case I have only one user with the loginUserShow() command

annnnnd it's gandalf    value = 0 = 0x0

Is it possible to find the user password?? I've read they must be encrypted with vxencrypt.exe and be typed encrypted??? Is there a way to get this file?

Tried to create other users with some I've found on the web

Upon reset the added user(s) are cleared, only gandalf remains   loll

