Products > Test Equipment

Possible upgrade - Agilent 34410A to 34411A

<< < (7/9) > >>

zrq:
Now I believe the only reason that the 34411A firmware will refuse to run on 34410A is: the 34410A bootloader at physical address 0x0060230c on the flash (loaded address 0xFFE0230E) is writing a magical word 0x235a to RAM 0x9000000A. This address is then checked by the main firmware (store compressed on the flash too, in two copies) and expecting 0xB643. If it reads 0x235A, the meter will hang with the Load 34410A Firmware message.

One can see the evil instruction (38 60 23 5a     li         r3,0x235a) in the bootloader by querying DIAG:PEEK? 4292879116 and DIAG:PEEK? 4292879118,(4292879118=0xFFE0230E). If someone is willing to remove the flash from the main board and change the 23 5A at offset 0x0060230E to B6 43 with a programmer, then the meter should accept 34411A firmware as well. Someone brave enough can also try DIAG:POKE 0xB643 into 0xFFE0230E. I'm not sure if DIAG:POKE can write to flash, as the implementation is just a memory assignment, so it may not do anything. Alternatively, instead of crafting a firmware update package with the checkModelNumber patched, one can try to craft a file that overwrites the bootloader and modify the 0x235A to 0xB643. I'm not sure how the firmware update works (yet?) but it doesn't sound easy.

I have only a L4411A so have little motivation (and capability) of looking into this deeper, but if anyone interested want a GHIDRA project to play with, I may send it.

Bonus:

--- Code: ---L4411A> DIAG:PEEK:FIRM? 24,0,0
Elapsed Time Hours: 266.822
--- End code ---
This seems to return the total powered on hours of the meter.

OT: I was looking all around in the code to find a backdoor to allow backup of the cal rom, but couldn't. Most accesses are done by a call to iiceeprom and I couldn't find if the memory is mapped somewhere so I can fish out data by DIAG:PEEK?. If someone does find one, please let me know.

coromonadalix:
i'll try any commands later   going out   NOT  loll

but removing the flash for now is a no can't do

i dont have a socket for it and for the programmer i have ....  they sell it  pretty darn high  loll  but i would ...

i'm trying to understand you diag poke commands  loll   in RSVisaTester 5.12....

DIAG:PEEK? 4292879116
gave me this ?   +14432

DIAG:PEEK? 4292879118
gave me            +9050

DIAG:POKE 0xB643       gave a beeep ?  and received an VI Error TMO ???

and your bonus
DIAG:PEEK:FIRM? 24,0,0
gave 
Elapsed Time Hours: 9.77694

zrq:
Ahhh, I'd not recommend trying without a proper backup. Even you have a cal rom backup, recovering from corrupt firmware may need soldering and the flash programmer.

I think DIAG:POKE will only accept decimal input. And I'd suggest first trying out with a few safer addresses (checked by DIAG:PEEK? to be non-essential data), figure out the syntax (likely DIAG:POKE <decimal address>, <decimal number of the two bytes, big endian>) and then try the real thing.

Also:
+14432 = 38 60
+9050   = 23 5A
These are the expected values.

coromonadalix:
DIAG:PEEK?   doesn't work  VI Error IO ?

sorry  noob in this world of commands  loll

and the dangerous command would be  loll   ........  DIAG:POKE   uh oh  endians  ?? 


ok   ill try to find some progammer  loll and or a socket .......


TheSteve:
100% for certain I did change two 34410's to 34411's. This was a number of years ago and I don't have them anymore to compare/verify or repeat the process.

Navigation

[0] Message Index

[#] Next page

[*] Previous page

There was an error while thanking
Thanking...
Go to full version
Powered by SMFPacks Advanced Attachments Uploader Mod