Author Topic: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)  (Read 59652 times)


Online joeqsmith

  • Super Contributor
  • ***
  • Posts: 12277
  • Country: us
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #350 on: February 24, 2021, 12:27:17 pm »
Quote
The file you attached isn't cleared to all zeroes?  Here's what I see in the file, it looks interesting - note the '07' snuck in line 1 and line 9.

Yeah, my posts are not always very clear.

Quote
... it appears all the bits were set (this part is cleared to all zeros). 

From the datasheet, the part is cleared to 0's from the factory rather than the more common 1's.   From the datasheet, it's a 1024 bit or 128 byte part.   Note the file is 2X that.  I assume the programmer doesn't use the upper nibble and the lower nibble represents Q0..3.  All of these bits were set (programmed with a 1), except for the two locations where Q3 was left in the factory cleared state.

Q0 routes to U24 pin 20, !CS ( ! meaning active low for the context of this message)
Q1 routes to U23 pin 20, !CS
Q2 routes to U22 pin 18, !CS
Q3 routes to U20 pin 18, !CS

So only U20 would ever be selected.  Obviously, this is not correct.  So, again I suspect the programmer has a problem with this part.  If no one has a programmer that supports it (and willing to pull the part and read it), I think the next step is make an adapter to allow the programmer to read the PROM as a different device. 

Online joeqsmith

  • Super Contributor
  • ***
  • Posts: 12277
  • Country: us
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #351 on: February 24, 2021, 05:54:19 pm »
Time for a second attempt.

Online joeqsmith

  • Super Contributor
  • ***
  • Posts: 12277
  • Country: us
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #352 on: February 24, 2021, 08:44:15 pm »
Keep in mind the adapter is converting the 74S287 to a 2716.    A0-A7 routes to A0-A7 and Q0-Q3 routes to Q3-Q3.  The upper nibble is hardwired to zeros.

From the schematic, U18  A5 & 6 are hardwired to ground.  A7 routed to jumper W3 which defaults to ground.

U18 A0 maps to the 8080's A11 and so on, except for A4 which is further decoded.   This allows U18 to address in blocks of 0x7FF.   

Looking at the data from the U18, we can see the address range for each memory device is:

U24 0x0000-0x1FFF    PROM, 2764, 8K 1FFF
U23 0x2000-0x3FFF    PROM, 2764, 8K 1FFF
U22 0x4000-0x47FF    RAM,  D4016C-2,  2K, 7FF
U24 0x4800-0x4FFF    E^2, X2804AP,  2K, 7FF

We can see that U18 is programmed to allow remapping of these ranges.  Maybe some future expansion. 

At least it makes sense now but you should double check my work.   

****
Also, I was too lazy to decode it manually and instead just wrote a quick app to map it out.   
« Last Edit: February 24, 2021, 09:44:18 pm by joeqsmith »
 

Offline dietert1

  • Super Contributor
  • ***
  • Posts: 2473
  • Country: br
    • CADT Homepage
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #353 on: February 24, 2021, 10:16:18 pm »
In the 8502A the memory map is the same, except it has only 768 Bytes of RAM and no EEPROM. EPROM consists of 4x i2732 in one instrument, the other one has a mezzanine with lots of mask ROMs AM9218.

Meanwhile I spent some hours looking into the firmware 3.0.0 and found it perfectly obfuscated. They went to great detail trying to hide essential pieces of the workings. For example in several places they replaced the jump instruction by an indirect jump through a ROM constant function pointer. System vectors RSTn are routed through RAM function pointers with variable destinations. Also they use a reverse memcpy() to hide the base addresses of data and code structures. I guess it was all written in assembly language. There is no interpreter and I didn't see a full floating point library. I doubt it can be reverse engineered using a general tool. I used a simulator and a disassembler, both with mods to log backplane access, RAM function calls and the like. Meanwhile the disassembler knows 19 obfuscated entry points in addition to the eight system vectors.

Regards, Dieter
« Last Edit: February 24, 2021, 10:25:15 pm by dietert1 »
 

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #354 on: February 24, 2021, 11:53:45 pm »

Quote
Looking at the data from the U18, we can see the address range for each memory device is:

U24 0x0000-0x1FFF    PROM, 2764, 8K 1FFF
U23 0x2000-0x3FFF    PROM, 2764, 8K 1FFF
U22 0x4000-0x47FF    RAM,  D4016C-2,  2K, 7FF
U24 0x4800-0x4FFF    E^2, X2804AP,  2K, 7FF


Color me impressed, that is some fancy footwork. 


An idea, coupled with @Dietert1's observation about intentional obfuscation:  could U18 be part of the obfuscation -  so the code inside the two EPROMs looks like a total mess, unless the addresses are "decoded" by U18 first in order to be put in the right order?

If so, perhaps by somehow applying the U18 logic to the code in the EPROMs, we can get a "clean" listing out of it?
« Last Edit: February 24, 2021, 11:56:00 pm by SilverSolder »
 

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #355 on: February 24, 2021, 11:57:10 pm »
Quote
In the 8502A the memory map is the same, except it has only 768 Bytes of RAM and no EEPROM. EPROM consists of 4x i2732 in one instrument, the other one has a mezzanine with lots of mask ROMs AM9218.

Meanwhile I spent some hours looking into the firmware 3.0.0 and found it perfectly obfuscated. They went to great detail trying to hide essential pieces of the workings. For example in several places they replaced the jump instruction by an indirect jump through a ROM constant function pointer. System vectors RSTn are routed through RAM function pointers with variable destinations. Also they use a reverse memcpy() to hide the base addresses of data and code structures. I guess it was all written in assembly language. There is no interpreter and I didn't see a full floating point library. I doubt it can be reverse engineered using a general tool. I used a simulator and a disassembler, both with mods to log backplane access, RAM function calls and the like. Meanwhile the disassembler knows 19 obfuscated entry points in addition to the eight system vectors.

Regards, Dieter

It never occurred to me that the "spaghetti" was an intentional attempt at obfuscation, but it makes perfect sense with the crazy stuff we are seeing inside the EPROMs...    see my answer to @joeqsmith,  perhaps we can untie the knot via the U18 listing?
 

Online joeqsmith

  • Super Contributor
  • ***
  • Posts: 12277
  • Country: us
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #356 on: February 25, 2021, 01:05:35 am »
Quote
In the 8502A the memory map is the same, except it has only 768 Bytes of RAM and no EEPROM.

That's good to know.  I'm more confident now in my results.   My next step will be to start reading up on the 8080.

Back in the early/mid 80s, I had a friend who worked as a third tier programmer for a large company.  Micros back then had very limited resources.   The first tier programmers would write the code until they ran out of resources.  It was then handed over to the 2nd tier who would clean up and optimize the code to get things to fit.  If they couldn't pull it off, it went to the final group.  They were allowed to completely rewrite the code and would typically optimize it to the point it was no longer maintainable.   It's very possible that what you are seeing is a result of no longer caring about how well the software looks and could be maintained but rather how to get it to fit and meet timing.    I've never worked for a company where the goal was to make the code unreadable.  More it was the end result of what was being asked.   :-DD

Quote
....replaced the jump instruction by an indirect jump through a ROM constant function pointer.
A few years ago I decided to test some handheld DMMs and I ended up designing a small transient generator to help automate the task.   I decided to go all old tech one last time, right down to the wire wrap.  The microcontroller I used was the Motorola MC68701 which has 2K ROM.  It's all written in assembler and I am doing exactly what you describe in several places of the code.  I think I even have some indirect tables in RAM that change in order to save a few bytes.    That code's a mess.

U18 is really just a decoder.  Could have been a PAL.   The code space is linear and if you look at the contents, you can see how that jumper remaps things.  But that jumper is fixed so I highly doubt there is anything funny going on with U18 creating some top secret code security system.

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #357 on: February 25, 2021, 02:11:30 am »


It just goes to prove, once code gets messy enough, it becomes indistinguishable from an intentional effort to obfuscate!  :D
 

Online joeqsmith

  • Super Contributor
  • ***
  • Posts: 12277
  • Country: us
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #358 on: February 25, 2021, 02:43:04 am »
Did you find a disassembler / assembler combo that allows you to reassemble the disassembled code and match the binary? 

To attempt to make use of the improved BAUD rate, I may not need to go to that level but if you have the tool chain sorted, I would start getting it set up.

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #359 on: February 25, 2021, 02:49:14 am »

No, I stopped at the disassembly part (and quickly ran out of Aspirin).

...In other news, I downloaded the TL866ii software and noted that it actually still has all the high voltage chips in its database (i.e. the same chips as the previous models), opening the possibility for adding an external Vpp supply for 21V and 25V chips, it seems.
 

Online joeqsmith

  • Super Contributor
  • ***
  • Posts: 12277
  • Country: us
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #360 on: February 25, 2021, 03:28:28 am »

Quote
No, I stopped at the disassembly part (and quickly ran out of Aspirin).
That's too bad.  I'll have a look after I read up on the 8080.

Quote
...In other news, I downloaded the TL866ii software and noted that it actually still has all the high voltage chips in its database (i.e. the same chips as the previous models), opening the possibility for adding an external Vpp supply for 21V and 25V chips, it seems.
:-DD  I put mine back in the box.  Even if I invested time to improve the hardware, the software is just too limited and I really don't like how unreliable it seems to be depending how fast you run commands.   Now that you have that new programmer, what do you think of it?   I may end up buying a decent new one again.   

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #361 on: February 25, 2021, 12:24:20 pm »

I would say it is a quality item, but I only have TL866 to compare it with!  :D

There is a list of the chips the little guy supports here:  https://www.batronix.com/files/pdf/BX32PBarlino-II-DeviceList.pdf


Batronix have also made a pretty cool feature on their web site:  type in a chip, and it tells you which programmers support it (even if not their own!)...   Probably only covers current models...
https://www.batronix.com/shop/programmer/chip-support-search.html
 

Online joeqsmith

  • Super Contributor
  • ***
  • Posts: 12277
  • Country: us
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #362 on: February 25, 2021, 02:37:25 pm »
It's odd that even for our little 4-bit part, there are few options listed.  It looks like for it to handle the old Altera, Xilinx CPLD and serial proms, I would need to up my game.   I still have some old projects that use these parts and am thinking that if I am going to spend the money, I want to support all of my past projects.

Thinking of the 4-bit part,  I should have added the W3 jumper.   Remember when I talked about U24 having the A13 pin routed to possibly support a larger part rather than a NC?  Well, as we can see, this jumper was added to support that feature.   The memory map is still linear.  U24 still acts as the boot ROM.  Everything else is just moved up.  It's good when things make sense.

I wonder if any of their meters ever took advantage of this larger part. 

U24 0x0000-0x3FFF    PROM, 27128, 16K 3FFF
U23 0x4000-0x5FFF    PROM, 2764, 8K 1FFF
U22 0x6000-0x67FF    RAM,  D4016C-2,  2K, 7FF
U24 0x6800-0x6FFF    E^2, X2804AP,  2K, 7FF
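
The decode described in Replies #352 and #362, as an added example (it is not joeqsmith's app, and the dump below is constructed to reproduce the two posted maps, not read from a real U18): each PROM word is one 2K block of CPU address space, and a low output bit asserts that chip's !CS. Chip labels follow the Q0..Q3 routing listed in Reply #350; treating A4 as 0 for the decoded region is an assumption, since the thread only says A4 is "further decoded".

```python
"""Turn a 256-byte dump of a 256x4 chip-select PROM into a CPU memory map."""

BLOCK = 0x800  # PROM A0 is CPU A11, so one PROM word covers 0x800 bytes

# Output bit -> chip whose active-low !CS it drives (routing from Reply #350).
SELECTS = {0: "U24", 1: "U23", 2: "U22", 3: "U20"}


def build_constructed_dump():
    """Constructed sample data, NOT the real U18 contents.

    One byte per PROM word, upper nibble 0 (as read through the 2716 adapter),
    lower nibble = Q3..Q0, 0xF meaning "no chip selected".
    """
    dump = bytearray([0x0F] * 256)

    def fill(base, first_block, n_blocks, q):
        for blk in range(first_block, first_block + n_blocks):
            dump[base + blk] = 0x0F & ~(1 << q)  # pull one output low

    # W3 at its default (PROM A7 = 0): map from Reply #352.
    fill(0x00, 0, 4, 0)
    fill(0x00, 4, 4, 1)
    fill(0x00, 8, 1, 2)
    fill(0x00, 9, 1, 3)
    # W3 moved (PROM A7 = 1): map from Reply #362.
    fill(0x80, 0, 8, 0)
    fill(0x80, 8, 4, 1)
    fill(0x80, 12, 1, 2)
    fill(0x80, 13, 1, 3)
    return bytes(dump)


def decode(dump, w3_jumper=False, a4=0):
    """Return [(chip, first_addr, last_addr), ...] for one jumper setting.

    PROM A5 and A6 are grounded, A7 follows jumper W3. The a4 argument is an
    assumption of this example (see lead-in).
    """
    if len(dump) != 256:
        raise ValueError("expected 256 bytes, one per 4-bit PROM word")
    base = (0x80 if w3_jumper else 0x00) | (a4 << 4)
    ranges = []
    prev = None
    for blk in range(16):
        nibble = dump[base + blk] & 0x0F
        hit = [chip for q, chip in SELECTS.items() if not nibble & (1 << q)]
        label = "+".join(hit) if hit else None
        if len(hit) > 1:
            # Two !CS lines low at once would be bus contention on real
            # hardware; in a dump it usually points to a bad read.
            label = "CONFLICT:" + label
        if label is not None:
            start = blk * BLOCK
            if label == prev:  # extend the previous contiguous range
                ranges[-1] = (label, ranges[-1][1], start + BLOCK - 1)
            else:
                ranges.append((label, start, start + BLOCK - 1))
        prev = label
    return ranges


if __name__ == "__main__":
    image = build_constructed_dump()
    for jumper in (False, True):
        print("W3 moved" if jumper else "W3 default")
        for chip, lo, hi in decode(image, w3_jumper=jumper):
            print(f"  {chip} 0x{lo:04X}-0x{hi:04X}")
```

A dump that decodes to an empty list, or to CONFLICT entries, is a sign the programmer misread the part rather than a real map.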

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #363 on: February 25, 2021, 02:44:03 pm »
Quote
It's odd that even for our little 4-bit part, there are few options listed.  It looks like for it to handle the old Altera, Xilinx CPLD and serial proms, I would need to up my game.   I still have some old projects that use these parts and am thinking that if I am going to spend the money, I want to support all of my past projects.

Thinking of the 4-bit part,  I should have added the W3 jumper.   Remember when I talked about U24 having the A13 pin routed to possibly support a larger part rather than a NC?  Well, as we can see, this jumper was added to support that feature.   The memory map is still linear.  U24 still acts as the boot ROM.  Everything else is just moved up.  It's good when things make sense.

I wonder if any of their meters ever took advantage of this larger part. 

U24 0x0000-0x3FFF    PROM, 27128, 16K 3FFF
U23 0x4000-0x5FFF    PROM, 2764, 8K 1FFF
U22 0x6000-0x67FF    RAM,  D4016C-2,  2K, 7FF
U24 0x6800-0x6FFF    E^2, X2804AP,  2K, 7FF

I noticed that Fluke used the same controller board in the 5100 series of calibrators - maybe it needed more space for code in that application?

Those calibrators are big and ugly, and only 4 1/2 digit, so probably not something to get super excited about...
 

Online joeqsmith

  • Super Contributor
  • ***
  • Posts: 12277
  • Country: us
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #364 on: February 25, 2021, 03:05:40 pm »
Yeah, that thing is a tank but it may be another source for parts.  I bet you're right about the use.  My manual is fairly old and has the jumper.  I suspect they planned for its use right from the start.

I wonder if at that time the 16K parts were on shortage.   For our meters, they could have set the jumper and put all the firmware in a single PROM and left U23 unpopulated.   With the low volumes and high cost, doubt it mattered much but would be interesting to know some of the history from the designers.   
« Last Edit: February 25, 2021, 04:43:17 pm by joeqsmith »
 

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #365 on: February 25, 2021, 03:46:48 pm »
The front panel styling has not aged that well - very 70's!  - almost kitsch! - if you see what I mean -




This might be what the exterior styling guy's bedroom looked like!   :D

Don't tell me engineers aren't vain enough in general for this to matter (if you have ever had chrome wheels on a car, you are vain enough!  - oops, I still do! :D )  -  on the bright side, the styling is likely a primary reason this meter is as cheap as it is today!


It would definitely be interesting to chat with one of the original designers.  They got so many things right (including the modular construction).


« Last Edit: February 25, 2021, 03:49:58 pm by SilverSolder »
 

Online joeqsmith

  • Super Contributor
  • ***
  • Posts: 12277
  • Country: us
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #366 on: February 25, 2021, 04:55:58 pm »
 :-DD :-DD  I'm more a bike enthusiast and like the look of polished aluminum, but who wouldn't like a set of foot lockers painted burnt orange?    :-DD     

Not sure about the meter's being cheap.  ebay prices are IMO through the roof.   $300 for a dead one.   :-DD    Outside of my interest in vintage tech,  I would have no use for it and would have let this one go to scrap.  Then again, if people are actually buying them for this much, more power to the sellers!

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #367 on: February 25, 2021, 06:11:16 pm »

They have risen in status to "entry level volt-nut meter" which, in fairness, they do deserve.  The A/C specs are very hard to beat (not even HP3458A).  DC specs are also serious, and the voltage reference zener used in the R2 A/D now has cult status (I bet a lot of the cheap meters were bought just for that!)  The downside is that you have to comb your grey beard often to keep this thing in tune (this can be a real problem if you don't have one! :D ). 

eBay prices have definitely exploded - when I bought mine they rarely exceeded $100 including shipping.  Probably the "EEVblog effect", together with @TiN putting an article on his web site about it (https://xdevs.com/article/f8505a/) has meant an increase in demand.




 

Online joeqsmith

  • Super Contributor
  • ***
  • Posts: 12277
  • Country: us
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #368 on: February 25, 2021, 06:31:35 pm »
Could very well be that by posting we are increasing the asking price.   

I was looking on-line for one of the books I had and found it.  It was in very good condition.  One problem.  It's for the 8085.  We had to learn them both.  I am not sure now if we even had a book for it.  We were using an Altair computer to program on.  The real deal. :-DD   

I was able to find a few on-line books for it, including the original "Intel 8080 assembly language programming manual" and the "Intel 8080 Microcomputer Systems User's Manual".      More than enough to get me up to speed.    I am devolving.   Time to dust off the slide rule.     


Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #369 on: February 25, 2021, 07:02:43 pm »
 :-DD
Does that video mark the beginning of the downfall of America?  Goodness, people were crazy in the 80's!  :D



 

Online joeqsmith

  • Super Contributor
  • ***
  • Posts: 12277
  • Country: us
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #370 on: February 26, 2021, 01:35:47 am »
More the beginning of my own personal downfall.  8080s, assembler....  obviously a mental problem.   :-DD   

I tried getting some of the old tools to run.   CMP86 will run under a DOSbox.  CMP86 will run Jim Lopushinsky's Z80.CMD.      The Z80.CMD will all run the old Digital Research simulator/debuggers to some level.  It will also run the old Microsoft  assembler, to some degree.   I just haven't been able to actually assemble a program and link it.    Attempting to just get something very basic to work.  2 lines of code sort of thing.  Baby steps.     

It really is starting to look like we need some better tools for 2021.

Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #371 on: February 26, 2021, 05:21:19 am »

Better tools for 8080 will probably be a DIY project...
 

Online joeqsmith

  • Super Contributor
  • ***
  • Posts: 12277
  • Country: us
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #372 on: February 27, 2021, 01:36:10 am »
Some success with the Microsoft tool set.   I was able to assemble and link some fairly large 8080 syntax programs with it.

Online joeqsmith

  • Super Contributor
  • ***
  • Posts: 12277
  • Country: us
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #373 on: February 27, 2021, 05:41:26 pm »
I'm still sorting out the syntax for the old tools and reading up on the old 8080.   These tools and their documentation are all available for free on-line if anyone is interested in attempting to use them.  Seems only fitting to use these old tools to hack the old meter.    :-DD

Looking at the example code from:
https://en.wikipedia.org/wiki/Intel_8080#Example_code

I changed the origin to 0 and removed the return just to give me a simple program to test with.   Attached is the listing from the Microsoft tools.   

Again, you would need to set up a DOSBox, download Jim's tool set (from 1985  :-DD) and download the Microsoft macro assembler and linker.   I am just running it all from the command prompt using a batch file to automate the process.    I have not yet worked out the Digital Research tools.

If I had another junk meter, I would replace that U18 prom with a GAL with a custom memory map that would place all of the code in U24.   I may still do this with a small plug in board.  This may make things easier once I actually start to look at and modify the original code.   


       MACRO-80 3.44   09-Dec-81       PAGE    1


                                ; memcpy --
                                ; Copy a block of memory from one location to another.
                                ;
                                ; Entry registers
                                ;       BC - Number of bytes to copy
                                ;       DE - Address of source data block
                                ;       HL - Address of target data block
                                ;
                                ; Return registers
                                ;       BC - Zero

                                            org     000h        ;Origin at 0000h
  0000'   78                                mov     a,b         ;Copy register B to register A
  0001'   B1                                ora     c           ;Bitwise OR of A and C into register A
  0002'   C8                                rz                  ;Return if the zero-flag is set high.
  0003'   1A                    loop:       ldax    d           ;Load A from the address pointed by DE
  0004'   77                                mov     m,a         ;Store A into the address pointed by HL
  0005'   13                                inx     d           ;Increment DE
  0006'   23                                inx     h           ;Increment HL
  0007'   0B                                dcx     b           ;Decrement BC   (does not affect Flags)
  0008'   78                                mov     a,b         ;Copy B to A    (so as to compare BC with zero)
  0009'   B1                                ora     c           ;A = A | C      (set zero)
  000A'   C2 0003'                          jnz     loop        ;Jump to 'loop:' if the zero-flag is not set.

                                        end
       MACRO-80 3.44   09-Dec-81       PAGE    S


Macros:

Symbols:
0003'   LOOP



No Fatal error(s)






Offline SilverSolderTopic starter

  • Super Contributor
  • ***
  • Posts: 6126
  • Country: 00
Re: Some old school instruments showing how it's done (HP 3325A and Fluke 8506a)
« Reply #374 on: February 27, 2021, 05:52:08 pm »

LOL seems you are really getting into some serious digital archaeology there, @joeqsmith!  :D
 

