-
To one member here I made a promise to check the internals of the 34410A and 34411A.
After removing the covers there was a small surprise - the boards seem to be identical!!
Both are marked 34410A, and the sticker on the 64 MBit Flash inside the 34411A meter is also marked 34410A :)
In brief the main difference is reading speed - for more check http://literature.cdn.keysight.com/litweb/pdf/5989-4039EN.pdf?id=744074
This automatically triggered the next step - check the firmware, but unfortunately the meters seem to be based on VxWorks.
Schematic is available, no information about 34411A in it, maybe JM1102 and JM1103 position needs to be found.
http://www.keysight.com/owc_discussions/thread.jspa?threadID=36971&tstart=-1
In the attachment is a high resolution picture of the main board from the internet.
Stay tuned.
-
Thanks for sharing this.
I just bought a broken 34410A and this schematic will help a lot.
Do you also have a parts list of all components, as we know it from the 34401A?
-
Very nice looking forward to your further investigation
-
Unfortunately the units which I can afford to brick do not have J1003 and U1101 (75LV4737) populated. So I decided to start with the L4411A, which I can brick.
Debug terminal output (9600 baud rate if someone is going to follow)
Attaching interface lo0...done
Adding 26466 symbols for standalone.
AMDFLASH
-> rhapsodyInit: programInguard
0x13f87b8 (tOxf): FPGA ready
rhapsodyInit: initInstrumentEngine
KOM_gpib_config
KOM_int_cfgn
0x1206bb0 (tUsb): Config EBIU USB Asynchronous Timings
0x1206bb0 (tUsb): Previous USB EBIU_DCR_BR: 10188398
0x1206bb0 (tUsb): NEW USB EBIU_DCR_BR: 10188368
0x1206bb0 (tUsb): Config EBIU USB Synchronous Timings
0x1206bb0 (tUsb): Previous USB EBIU_DCR_BR: 10188368
0x1206bb0 (tUsb): NEW USB EBIU_DCR_BR: 10188162
0x11d4cb8 (tPollVbus): USB connectPullUp = 0
IP address = 192.168.0.5
+------------------------------------------------------------
| GPIB is enabled
| USB is enabled
| Sockets Server is running on port 5025
| Telnet Server is running on port 5024
| VXI-11 Server is running
| WEB Sockets Server is running on port 5042
| AllegroTaskInit successful
| Web Server is running
+------------------------------------------------------------
-> help
help Print this list
ioHelp Print I/O utilities help info
dbgHelp Print debugger help info
nfsHelp Print nfs help info
netHelp Print network help info
spyHelp Print task histogrammer help info
timexHelp Print execution timer help info
h [n] Print (or set) shell history
i [task] Summary of tasks' TCBs
ti task Complete info on TCB for task
sp adr,args... Spawn a task, pri=100, opt=0x19, stk=20000
taskSpawn name,pri,opt,stk,adr,args... Spawn a task
td task Delete a task
ts task Suspend a task
tr task Resume a task
d [adr[,nunits[,width]]] Display memory
m adr[,width] Modify memory
mRegs [reg[,task]] Modify a task's registers interactively
pc [task] Return task's program counter
Type <CR> to continue, Q<CR> to stop:
iam "user"[,"passwd"] Set user name and passwd
whoami Print user name
devs List devices
ld [syms[,noAbort][,"name"]] Load stdin, or file, into memory
(syms = add symbols to table:
-1 = none, 0 = globals, 1 = all)
lkup ["substr"] List symbols in system symbol table
lkAddr address List symbol table entries near address
checkStack [task] List task stack sizes and usage
printErrno value Print the name of a status value
period secs,adr,args... Spawn task to call function periodically
repeat n,adr,args... Spawn task to call function n times (0=forever)
version Print VxWorks version info, and boot line
NOTE: Arguments specifying 'task' can be either task ID or name.
value = 1 = 0x1
-> version
VxWorks (for Agilent KOM PPC405, SA27E rev1) version 5.5.1.
Kernel: WIND version 2.6.
Made on May 22 2015, 14:33:34.
Boot line:
emac(0,0)host:vxWorks h=10.1.1.2 e=169.254.9.80 u=demo pw=demo tn=
value = 78 = 0x4e = 'N'
->
-
Partial success.
The L4411A is now a 34411A; for this change only the header of the file needs to be changed.
In file agt34411_instrument_rev241.xs
change row "%model=34411A" to "%model=L4411A"
The meter boots up correctly and in LXI it is a 34411A now :-+
It is also possible to downgrade the L4411A to a 34410A without any issue.
Only the front panel will be off.
After this upgrade the L4411A is working in BenchVue :-+
Similar attempt with the 34410A:
Firmware upload by the Firmware Update utility finished correctly. But after restart there is a message on the display: "Please load 34410A firmware" :-/O
Further investigation needed, so stay tuned.
-
I have 4x 34410 candidates
-
You are making progress, great.
Are you really sure the hardware is the same between the 34410A and the 34411A instruments?
I would expect at least a small difference.
But then, maybe this was the beginning at Agilent of introducing software downgrading.
-
You are making progress, great.
Are you really sure the hardware is the same between the 34410A and the 34411A instruments?
I would expect at least a small difference.
But then, maybe this was the beginning at Agilent of introducing software downgrading.
Sure, the part number and stickers are the same. According to the test above there is some check of the meter ID. This should be in one of the other firmwares or in the bootloader.
Any other thoughts? I need to install the IDA Pro disassembler to check the VxWorks firmware :)
-
Schematic is available, no information about 34411A in it, maybe JM1102 and JM1103 position needs to be found.
Don't bother with JM1102 and JM1103 as they are for calibration purposes. I have the unpacked firmware somewhere if you need it. The only notable difference seems between 01 and 1x is the check for firmware... for sure there are others ;)
-
Schematic is available, no information about 34411A in it, maybe JM1102 and JM1103 position needs to be found.
Don't bother with JM1102 and JM1103 as they are for calibration purposes. I have the unpacked firmware somewhere if you need it. The only notable difference seems between 01 and 1x is the check for firmware... for sure there are others ;)
Currently I am looking for 34410A unit with populated serial interface. 34411A/L4411A can be downgraded. So it seems to be in the bootloader or boot parameters.
-
Did you make any progress?
I just bought a broken 34411A that is on its way.
Once I have it, I will make a good comparison to one of my 34410A
-
Unfortunately no progress at all. What's wrong with 34411A?
-
@HighVoltage: That comparison will be very interesting indeed.
(Hmm, were your other DMMs getting lonely -- pining for a new team member? :-DD)
-
@HighVoltage: That comparison will be very interesting indeed.
(Hmm, were your other DMMs getting lonely -- pining for a new team member? :-DD)
I never owned a 34411A and got it for Euro 100 incl. shipping
Symptoms: Does not turn ON
I still don't have it, may be an easy repair, may be beyond repair, I don't know.
The 34411A rarely becomes available at a reasonable price.
Maybe we really can find out the differences between the 34410A and the 34411A
-
Woah :o that was a score! Well, I certainly hope it's just the power supply.
My 34410A and I eagerly await your next update. :-+
-
@HighVoltage: That comparison will be very interesting indeed.
(Hmm, were your other DMMs getting lonely -- pining for a new team member? :-DD)
I never owned a 34411A and got it for Euro 100 incl. shipping
Symptoms: Does not turn ON
I still don't have it, may be an easy repair, may be beyond repair, I don't know.
The 34411A rarely becomes available at a reasonable price.
Maybe we really can find out the differences between the 34410A and the 34411A
The board / hardware is identical. The only difference is in software and probably calibration. If I have a unit for 100 EUR I will invest more into experiments with a programmer. You can easily downgrade a 34411A to a 34410A by changing the model number in the firmware file header (%model=34410A).
-
I never owned a 34411A and got it for Euro 100 incl. shipping
Symptoms: Does not turn ON
I still don't have it, may be an easy repair, may be beyond repair, I don't know.
The 34411A rarely becomes available at a reasonable price.
Maybe we really can find out the differences between the 34410A and the 34411A
Congrats on the "no fix" fix, as you put it. Way to score. We anxiously await your revelations as to the potential of upgrading a 34410A to a 34411A. For curiosity, of course. Most of the time, I'm running my 34410A with integration at 10 or 100 PLC.
-
Sorry to revive this old thread. I'm looking for a 6 1/2 digit DMM for the home lab and got interested in second hand 34410As, which seem to be available on ebay for a reasonable price (other suggestions welcome). For obvious reasons, the meter will be of better value if it's hackable. I downloaded the firmware (agt34411_instrument_rev243.zip) from the Keysight website and started digging into it.
Basically, the xs file is a Motorola S file for the hex content; with tools like 010Editor, we can easily convert it to the actual bytes in ROM. binwalk indicates there is a Zlib compressed section; use -e to extract it, and we get a VxWorks image. With -a it turns out that in the Agilent ASIC, the firmware runs on a big-endian 32-bit PowerPC core. Googling shows there is a tool, https://github.com/PAGalaxyLab/vxhunter, that can help me load the memory image in GHIDRA, and I noticed the image comes with a symbol table :-+ . Searching for "Please load" quickly led to the _checkModelNumber__5IEIfcF routine:
**************************************************************
* FUNCTION *
**************************************************************
undefined _checkModelNumber__5IEIfcFv()
undefined r3:1 <RETURN>
undefined4 Stack[0x4]:4 local_res4 XREF[2]: 004d4adc(W),
004d4b40(R)
undefined4 Stack[-0x10]:4 local_10 XREF[1]: 004d4acc(W)
_checkModelNumber__5IEIfcFv XREF[2]: initInstrumentEngine__5IEIfcFv:0
00a4d690(*)
004d4acc 94 21 ff f0 stwu r1,local_10(r1)
004d4ad0 7c 08 02 a6 mfspr r0,LR
004d4ad4 3d 80 90 00 lis r12,-0x7000
004d4ad8 a0 8c 00 0a lhz r4,offset DAT_9000000a(r12) <- UNKNOWN ADDRESS
004d4adc 90 01 00 14 stw r0,local_res4(r1)
004d4ae0 2c 04 23 5a cmpwi r4,0x235a
004d4ae4 40 82 00 3c bne LAB_004d4b20
004d4ae8 3c 60 00 96 lis r3,0x96
004d4aec 38 63 2c fc addi r3=>s_34410_FIRMWARE_00962cfc,r3,0x2cfc = "34410 FIRMWARE"
004d4af0 3c 80 00 96 lis r4,0x96
004d4af4 38 84 2d 0c addi r4=>s_PLEASE_LOAD_00962d0c,r4,0x2d0c = "PLEASE LOAD"
004d4af8 4b bc f7 29 bl updateVfdNow__FPCcT1 undefined updateVfdNow__FPCcT1()
004d4afc 48 0c 96 89 bl theMgr__19GandalfStateManagerSFv undefined theMgr__19GandalfState
004d4b00 38 80 00 00 li r4,0x0
004d4b04 48 0c 90 e5 bl enablePorRecall__19GandalfStateManagerFb undefined enablePorRecall__19Gan
004d4b08 3c 60 00 1e lis r3,0x1e
004d4b0c 60 63 84 80 ori r3,r3,0x8480
004d4b10 4b d6 e2 c9 bl spin__9SpinTimerSFi undefined spin__9SpinTimerSFi()
004d4b14 38 60 40 00 li r3,0x4000
004d4b18 4b ca 96 15 bl reboot int reboot(int __howto)
004d4b1c 48 00 00 24 b LAB_004d4b40
LAB_004d4b20 XREF[1]: 004d4ae4(j)
004d4b20 28 04 b6 43 cmplwi r4,0xb643
004d4b24 41 82 00 1c beq LAB_004d4b40
I'm still not sure what the code is checking, as I hadn't got to figure out the memory mapping. I guess there is a 0x235a value in the calibration rom which is checked against, and it's possible the value can be changed in the vxWorks shell by the debug commands. But apparently, as there seems to be no secure booting, a trivial solution is to nop out the only code reference to this function in initInstrumentEngine__5IEIfcFv.
**************************************************************
* FUNCTION *
**************************************************************
undefined initInstrumentEngine__5IEIfcFv()
undefined r3:1 <RETURN>
undefined4 Stack[0x4]:4 local_res4 XREF[2]: 004d4f30(W),
004d4ff4(R)
undefined4 Stack[-0x4]:4 local_4 XREF[2]: 004d4f2c(W),
004d5004(R)
undefined4 Stack[-0x8]:4 local_8 XREF[2]: 004d4f28(W),
004d5000(R)
undefined4 Stack[-0x10]:4 local_10 XREF[1]: 004d4f20(W)
initInstrumentEngine__5IEIfcFv XREF[2]: vxmain__FiPPc:0005c034(c),
00a661f0(*)
004d4f20 94 21 ff f0 stwu r1,local_10(r1)
004d4f24 7c 08 02 a6 mfspr r0,LR
004d4f28 93 c1 00 08 stw r30,local_8(r1)
004d4f2c 93 e1 00 0c stw r31,local_4(r1)
004d4f30 90 01 00 14 stw r0,local_res4(r1)
004d4f34 4b be 34 8d bl instance__10SoftRebootSFv undefined instance__10SoftReboot
004d4f38 4b b8 ca 6d bl subscribeEventBootHandlers undefined subscribeEventBootHand
004d4f3c 4b ff fb 91 bl _checkModelNumber__5IEIfcFv undefined _checkModelNumber__5IE
004d4f40 4b ff fb 0d bl _checkFlashType__5IEIfcFv undefined _checkFlashType__5IEIf <------------HERE
004d4f44 3f c0 00 c8 lis r30,0xc8
004d4f48 3b de 7c c0 addi r30,r30,0x7cc0
004d4f4c 48 08 9e 15 bl newScanController__Fv undefined newScanController__Fv()
I don't (yet) have the 34410A to verify this is feasible, but it looks promising.
BTW: who is Gandalf?
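The unpacking steps described in the post above, as an added Python example that is not part of the original post and not Keysight's or binwalk's code: it parses `%key=value` header rows followed by Motorola S-records, verifies every record checksum, flattens the data into one image and scans it for a zlib stream. The sample file is constructed; only the `%model=34411A` row comes from the thread, and the assumption that the header is made of such `%` rows before the records is taken from that one quoted row.

```python
import zlib

ADDR_BYTES = {"0": 2, "1": 2, "2": 3, "3": 4, "5": 2, "7": 4, "8": 3, "9": 2}
PAYLOAD = b"constructed stand-in for the VxWorks image " * 8


def checksum(body: bytes) -> int:
    """One's complement of the low byte of the sum of count + address + data."""
    return ~sum(body) & 0xFF


def make_record(rtype: str, address: int, data: bytes = b"") -> str:
    """Build one S-record line; used only to construct the sample input."""
    alen = ADDR_BYTES[rtype]
    body = bytes([alen + len(data) + 1]) + address.to_bytes(alen, "big") + data
    return f"S{rtype}{body.hex().upper()}{checksum(body):02X}"


def parse_xs(text: str):
    """Return (header dict, base address, flat image); ValueError on a bad record."""
    header, chunks = {}, {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("%"):                  # header row, e.g. %model=34411A
            key, _, value = line[1:].partition("=")
            header[key] = value
        elif line:
            alen = ADDR_BYTES.get(line[1:2]) if line[0] == "S" else None
            try:
                raw = bytes.fromhex(line[2:])
            except ValueError:
                raw = b""
            if alen is None or len(raw) < alen + 2 or raw[0] != len(raw) - 1:
                raise ValueError(f"line {n}: malformed S-record")
            if checksum(raw[:-1]) != raw[-1]:
                raise ValueError(f"line {n}: bad checksum")
            if line[1] in "123":                  # S0/S5/S7-S9 carry no image bytes
                chunks[int.from_bytes(raw[1:1 + alen], "big")] = raw[1 + alen:-1]
    base = min(chunks)                            # ValueError if no data records
    image = bytearray(b"\xff") * (max(a + len(d) for a, d in chunks.items()) - base)
    for addr, data in chunks.items():             # gaps keep the erased-flash value
        image[addr - base:addr - base + len(data)] = data
    return header, base, bytes(image)


def find_zlib(image: bytes):
    """Yield (offset, decompressed bytes) for each complete zlib stream found."""
    for off in range(len(image) - 1):
        # zlib header: CMF 0x78 plus a FLG byte making the 16-bit value % 31 == 0
        if image[off] == 0x78 and (image[off] << 8 | image[off + 1]) % 31 == 0:
            stream = zlib.decompressobj()
            try:
                out = stream.decompress(image[off:])
            except zlib.error:
                continue                          # header-like bytes, not a stream
            if stream.eof:
                yield off, out


def build_sample() -> str:
    """Constructed input: the header row quoted in the thread plus made-up records."""
    blob = zlib.compress(PAYLOAD)
    lines = ["%model=34411A", make_record("0", 0, b"demo"),
             make_record("3", 0x00100000, b"BOOT")]
    lines += [make_record("3", 0x00100010 + i, blob[i:i + 16])
              for i in range(0, len(blob), 16)]
    return "\n".join(lines + [make_record("7", 0x00100000)])
```

The record checksum only detects accidental corruption; the `%` header rows sit outside every record, so nothing in this format authenticates the file.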
-
Going 34410 to 34411 is pretty easy. In the past you just needed to swap the names of the bin files so the upgrade package would install the 34411 firmware into your 34410. When it boots it will be unhappy, so the other thing required is to edit the model # in the eeprom that is in the back left corner of the unit (8 pin SOIC). You can get an SOIC clip onto it without even removing the PCB. Just edit the instances of 34410 to 34411.
-
I'm playing with an L4411A
poking into the serial debug port ...
in my case I have only one user with the loginUserShow() command
annnnnd it's gandalf value = 0 = 0x0
Is it possible to find the user password ??, I've read they must be encrypted with vxencrypt.exe and be typed encrypted ??? is there a way to get this file ?
Tried to create other users with some I've found on the web
Upon reset the added user(s) are cleared, only gandalf remains loll
-
Edit: sold the L4411A and got a 34410A with the populated debug port (ic+ plug), old fw 2.21 .... gonna do a normal upgrade and see the plug pinouts with the known schematic
-
It was hard to find a way to solder a thin wire on the jtag connector to hold the cpu in reset while reading the eeprom in SPI
Changed the 34410 occurrences to 34411 and it still complained about the model version
attached is the original non modded AT24C16 eeprom
if someone has ideas loll
The wp pin is tied to ground, maybe it's a problem, my programmer seems able to bypass this ?? I've tried some reads and writes ... and it seems to work ?
Or does someone have a defective 34411a board ?
-
You have to mod the eeprom and program the 34411A firmware.
-
While I have PMed TheSteve
Still no luck with the info given here or TheSteve's info
The Firmware updater seems to check something that is not related to the eeprom model found in it ??
Tried many combinations of eeprom vs the fw files, to no avail, the meter will request to have proper 34410 fw .....
TheSteve did apparently manage to convert 2 meters, no success for me
On the Keysight Connection Manager, even with the 34411 model put in the eeprom, it will still identify as a 34410A
The populated debug port on my meter doesn't seem to react at all, checked many times against the schematic
I was maybe or surely too fast to upgrade my version 2.21 ??? :palm: |O
-
the cpu reset is located on these pads (pictures attached), I was not connected properly, I was on the jtag reset pin ...
One side is DCOM digital ground / metal casing of the meter
I connected pin 14 of the lm339 u902 to ground via a 100 ohm resistor
Still no success, the info is elsewhere ... not in the eeprom it seems
-
An eevblog member tried a few hacks on the 34411a firmware
the XS file with a + at the end is patched and the FW updater too
Never worked for me and did not brick the meter
Try at your own risk and not liable for any problems
The XS file was compressed again, but the compression ratio is not the same, they are less bigger, my meter failed in the last FW portion, and if one worked fine it would ask for the 34410a fw on the screen
If you flashback the original keysight software it will function correctly again
https://www.sendspace.com/file/f5qj0d
added the 34410a eeprom dump
-
Going 34410 to 34411 is pretty easy. In the past you just needed to swap the names of the bin files so the upgrade package would install the 34411 firmware into your 34410. When it boots it will be unhappy, so the other thing required is to edit the model # in the eeprom that is in the back left corner of the unit (8 pin SOIC). You can get an SOIC clip onto it without even removing the PCB. Just edit the instances of 34410 to 34411.
Have you tried this or seen evidence that this worked? I had another look into the 34410A flash dump on another post (https://www.eevblog.com/forum/repair/agilent-34410a-u1001-flash-dump/msg3786704/#msg3786704), and it appears to me that the magic number being checked is just in the flash rather than the eeprom. The value checked against in _checkModelNumber() is hardcoded in the boot rom.
006022cc 3c 20 01 c0 lis r1,0x1c0
006022d0 38 21 00 00 addi r1,r1,0x0
006022d4 28 08 40 00 cmplwi r8,0x4000
006022d8 40 82 00 10 bne LAB_006022e8
006022dc 39 00 00 00 li r8,0x0
006022e0 38 60 00 02 li r3,0x2
006022e4 48 00 00 0c b LAB_006022f0
LAB_006022e8 XREF[1]: 006022d8(j)
006022e8 38 60 00 01 li r3,0x1
006022ec 48 00 08 95 bl FUN_00602b80 undefined FUN_00602b80()
LAB_006022f0 XREF[1]: 006022e4(j)
006022f0 3c 80 90 00 lis r4,-0x7000
006022f4 38 84 00 08 addi r4,r4,0x8
006022f8 98 64 00 00 stb r3,0x0(r4)=>DAT_90000008
006022fc 38 60 01 00 li r3,0x100
00602300 3c 80 00 1f lis r4,0x1f
00602304 38 84 84 80 subi r4=>DAT_001e8480,r4,0x7b80 = E5h
00602308 48 00 09 15 bl FUN_00602c1c undefined FUN_00602c1c()
0060230c 38 60 23 5a li r3,0x235a <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<BINGO
00602310 3c 80 90 00 lis r4,-0x7000
00602314 38 84 00 0a addi r4,r4,0xa
00602318 b0 64 00 00 sth r3,0x0(r4)=>DAT_9000000a
0060231c 3c 80 ff e0 lis r4,-0x20
00602320 38 84 2d e4 addi r4,r4,0x2de4
-
In my case nothing worked, some patched xs files, patched firmware updaters ... a mix of them, nada niet
the only thing is : the meter will spit a FW warning saying it needs the 34410a FW
And I was not able to receive any data from the internal serial console, all parts and the connector are there ?? maybe I have not wired it correctly ?
-
This hack also did not work for me.
Once I got a real 34411A, I did not try anymore.
-
:-+ :-+
but it seems "easy" since the only notable difference is the sampling rate from the L4411a, 34410a to the 34411a ??? or not loll
-
Now I believe the only reason that the 34411A firmware will refuse to run on the 34410A is: the 34410A bootloader at physical address 0x0060230c on the flash (loaded address 0xFFE0230E) is writing a magical word 0x235a to RAM 0x9000000A. This address is then checked by the main firmware (stored compressed on the flash too, in two copies), which is expecting 0xB643. If it reads 0x235A, the meter will hang with the Load 34410A Firmware message.
One can see the evil instruction (38 60 23 5a li r3,0x235a) in the bootloader by querying DIAG:PEEK? 4292879116 and DIAG:PEEK? 4292879118,(4292879118=0xFFE0230E). If someone is willing to remove the flash from the main board and change the 23 5A at offset 0x0060230E to B6 43 with a programmer, then the meter should accept 34411A firmware as well. Someone brave enough can also try DIAG:POKE 0xB643 into 0xFFE0230E. I'm not sure if DIAG:POKE can write to flash, as the implementation is just a memory assignment, so it may not do anything. Alternatively, instead of crafting a firmware update package with the checkModelNumber patched, one can try to craft a file that overwrites the bootloader and modify the 0x235A to 0xB643. I'm not sure how the firmware update works (yet?) but it doesn't sound easy.
I have only an L4411A so have little motivation (and capability) for looking into this deeper, but if anyone interested wants a GHIDRA project to play with, I may send it.
Bonus:
L4411A> DIAG:PEEK:FIRM? 24,0,0
Elapsed Time Hours: 266.822
This seems to return the total powered on hours of the meter.
OT: I was looking all around in the code to find a backdoor to allow backup of the cal rom, but couldn't. Most accesses are done by a call to iiceeprom and I couldn't find if the memory is mapped somewhere so I can fish out data by DIAG:PEEK?. If someone does find one, please let me know.
-
i'll try any commands later
going out NOT loll
but removing the flash for now is a no can't do
i dont have a socket for it and for the programmer i have .... they sell it pretty darn high loll but i would ...
I'm trying to understand your diag poke commands loll in RSVisaTester 5.12....
DIAG:PEEK? 4292879116
gave me this ? +14432
DIAG:PEEK? 4292879118
gave me +9050
DIAG:POKE 0xB643 gave a beeep ? and received an VI Error TMO ???
and your bonus
DIAG:PEEK:FIRM? 24,0,0
gave
Elapsed Time Hours: 9.77694
-
Ahhh, I'd not recommend trying without a proper backup. Even if you have a cal rom backup, recovering from corrupt firmware may need soldering and the flash programmer.
I think DIAG:POKE will only accept decimal input. And I'd suggest first trying out with a few safer addresses (checked by DIAG:PEEK? to be non-essential data), figure out the syntax (likely DIAG:POKE <decimal address>, <decimal number of the two bytes, big endian>) and then try the real thing.
Also:
+14432 = 38 60
+9050 = 23 5A
These are the expected values.
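The arithmetic in the reply above, carried through as an added Python example (not code from the thread): it joins the two 16-bit DIAG:PEEK? replies into one big-endian instruction word, decodes it as a PowerPC D-form instruction, and traces the instruction bytes quoted in the two Ghidra listings to show that the bootloader's store and the main firmware's load hit the same address. The function names and the selection of words from the listings are this example's own; it handles only the opcodes that appear in those listings.

```python
# Primary opcodes (top 6 bits) of the D-form instructions seen in the listings.
D_FORM = {10: "cmplwi", 11: "cmpwi", 14: "addi", 15: "addis", 24: "ori",
          36: "stw", 37: "stwu", 38: "stb", 40: "lhz", 44: "sth"}

PEEK_REPLIES = {4292879116: 14432, 4292879118: 9050}    # values posted in the thread
# Bootloader words at 0060230c..00602318, copied from the listing in the thread.
BOOT_WORDS = [0x3860235A, 0x3C809000, 0x3884000A, 0xB0640000]
# Selected words from _checkModelNumber (004d4ad4, 004d4ad8, 004d4ae0, 004d4b20).
MAIN_WORDS = [0x3D809000, 0xA08C000A, 0x2C04235A, 0x2804B643]


def sign16(value: int) -> int:
    """Interpret a 16-bit immediate as signed."""
    return value - 0x10000 if value & 0x8000 else value


def decode(word: int):
    """Split a 32-bit D-form word into (mnemonic, rD/rS field, rA field, imm16)."""
    opcode = word >> 26
    if opcode not in D_FORM:
        raise ValueError(f"primary opcode {opcode} is not handled here")
    return D_FORM[opcode], (word >> 21) & 31, (word >> 16) & 31, word & 0xFFFF


def word_at(replies: dict, address: int) -> int:
    """Join the 16-bit replies for address and address+2 (big endian) into a word."""
    return (replies[address] & 0xFFFF) << 16 | (replies[address + 2] & 0xFFFF)


def trace(words):
    """Track registers set by addi/addis and list half-word memory accesses and
    immediate compares as (kind, address, value) tuples."""
    regs, events = {}, []
    for word in words:
        name, rd, ra, imm = decode(word)
        base = 0 if ra == 0 else regs.get(ra)       # rA field 0 reads as literal 0
        if name == "addi" and base is not None:     # li is addi with rA = 0
            regs[rd] = (base + sign16(imm)) & 0xFFFFFFFF
        elif name == "addis" and base is not None:  # lis is addis with rA = 0
            regs[rd] = (base + (imm << 16)) & 0xFFFFFFFF
        elif name in ("sth", "lhz") and base is not None:
            addr = (base + sign16(imm)) & 0xFFFFFFFF
            if name == "sth":
                value = regs.get(rd)
                events.append(("store", addr, None if value is None else value & 0xFFFF))
            else:
                regs.pop(rd, None)                  # loaded value is unknown here
                events.append(("load", addr, None))
        elif name in ("cmpwi", "cmplwi"):
            events.append(("compare", None, imm))
    return events


if __name__ == "__main__":
    print(hex(word_at(PEEK_REPLIES, 4292879116)), decode(BOOT_WORDS[0]))
    print(trace(BOOT_WORDS), trace(MAIN_WORDS))
```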
-
DIAG:PEEK? doesn't work VI Error IO ?
sorry noob in this world of commands loll
and the dangerous command would be loll ........ DIAG:POKE uh oh endians ??
ok I'll try to find some programmer loll and or a socket .......
-
100% for certain I did change two 34410's to 34411's. This was a number of years ago and I don't have them anymore to compare/verify or repeat the process.
-
Hmm, then that's weird. Maybe I missed something?
-
Maybe on the older FW ??? I was too speedy to upgrade my meter damn it was very old |O
-
I know the only thing I did was trick the firmware update util to program the 34411 firmware into the 34410, I then made changes to the eeprom.
-
oh found out some solderless clip test for tsop 56 ... 68$ cad
i hope my programmer will take it, if not a new one will come too
-
oh found out some solderless clip test for tsop 56 ... 68$ cad
i hope my programmer will take it, if not a new one will come too
Where is it sold?
-
aliexpress searched for this and they appeared
Uni-clip 56pin Universal CLIP ...........
Example
https://vi.aliexpress.com/item/32814634915.html?