EEVblog Electronics Community Forum
Products => Test Equipment => Topic started by: z80tw on November 19, 2015, 03:27:04 pm
-
I bought a SRS PS310 which does not include GPIB option last week,I put the GPIB ICs on the ic sockets(TMS9914ANL,SN75160BN,SN75161BN),made the cable and connected it to a GPIB female connector.but when I try to set the GPIB address by pushing the "GPIB" key it displayed err5 (Err5 No GPIB Interface The unit does not have the GPIB option so the GPIB address cannot be set.),I believe the ROM code in my PS310 doesn't support GPIB option,If I can reprogram the EPROM with the ROM code of PS310 which supports GPIB option then I may make the GPIB function works.or can I enable the GPIB function by modifying my current ROM code?
Jack
-
Any luck finding the firmware for SRS PS310?
Harm
The Netherlands
-
No luck so far..... :(
Jack
-
Can you read the firmware and look for ASCII strings in it that would indicate it has the gpib commands present?
-
Can you read the firmware and look for ASCII strings in it that would indicate it has the gpib commands present?
Yes, I can read the firmware and look for ASCII strings but I don't know where are the gpib commands,I think I can find the gpib commands
if I know their memory addresses or specific strings to look for.
Jack
-
Well I see IDN there. Makes me think there is a decent chance the needed firmware is already present, you just need to figure out how to enable it. Maybe a hardware jumper or a flat in firmware.
-
Well I see IDN there. Makes me think there is a decent chance the needed firmware is already present, you just need to figure out how to enable it. Maybe a hardware jumper or a flat in firmware.
Thanks for your comments,
I found no jumpers or test points on the main board,I can't figure out how to unlock the GPIB function ,the complete ROM code copied and attached here,hope someone can figure out how to modify the rom code and help me to restore the GPIB function.
The memory addresses for model and serial no.
19CC~19CD PS
0157~0159 310 (Model No,PS310)
1FFC~1FFF 7397(Serial No,last 4 bytes, total 8K bytes)
Jack
-
In attachment there is the manual, with all GPIB commands, and the schematic in next post(> 2MB allowed) .
As you have already noticed there are no jumpers on pcb to enable the GPIB.
Into the rom code I don't see all GPIB commands but these may have been converted into 'tokens'.
There could also be a trick contained in the battery backuped SRAM that enables GPIB.....
Good luck!
-
.... and this is the PS300 series schematic:
http://www.electronicsandbooks.com/eab2/manual/Hardware/S/Stanford%20Research%20www.thinksrs.com/Product/PS300%20PS310%20PS325%20PS350%20Power%20Supply/Schematics%20A3%20c20120517%20 (http://www.electronicsandbooks.com/eab2/manual/Hardware/S/Stanford%20Research%20www.thinksrs.com/Product/PS300%20PS310%20PS325%20PS350%20Power%20Supply/Schematics%20A3%20c20120517%20)[11].pdf
-
Can you please upload the ROM file?
That would be easier to do a "grep" on the file than looking at screenshot looking for GPIB commands.
According to the schematics, the main CPU is a Z80.
We can try to run a disassembler on it.
On the screenshots, there is some GPIB commands like "SAV" or "IDN", but not all.
Especially, the device specifici "HVON" or "HVOF" (output enable/disable) GPIB commands are nowhere to be found.
-
In attachment there is the manual, with all GPIB commands, and the schematic in next post(> 2MB allowed) .
As you have already noticed there are no jumpers on pcb to enable the GPIB.
Into the rom code I don't see all GPIB commands but these may have been converted into 'tokens'.
There could also be a trick contained in the battery backuped SRAM that enables GPIB.....
Good luck!
Thanks for your information,The parts number printed on the SRAM has been defaced completely,
I guess it's a 24 pin 2k bytes SRAM like HM6116 (DIP).
I tried to download the schematics but the web site showed me "error 404" ,the page doesn't exist.
Jack
-
Can you please upload the ROM file?
That would be easier to do a "grep" on the file than looking at screenshot looking for GPIB commands.
According to the schematics, the main CPU is a Z80.
We can try to run a disassembler on it.
On the screenshots, there is some GPIB commands like "SAV" or "IDN", but not all.
Especially, the device specifici "HVON" or "HVOF" (output enable/disable) GPIB commands are nowhere to be found.
Yes, the CPU is a Z80,
I found "VON" and "VOF" in the ROM codes,please see the pic,are they the GPIB commands you talked about?
The ROM file (ZIP) is attached.let me know if you need more information.
Jack
-
Thank you. Seems like we have a nice little reverse engineering project here ! :-+
I have some good results with the disassembly, see the attached file.
I used yazd (https://github.com/toptensoftware/yazd)
First thing code is doing, is to set up the stack top at 0x4ff (top of 2k SRAM) and set interrupt mode 1.
I'll have a deeper look at the code tonight. With the schematic, we have everything at hand, unless the SRAM has some pre-programmed values.
Regarding the "VON" and "VOF", that may well be possible. Code may look at first character and then check the rest of the command name.
Also, the manual mentions only one part number for the ROM chip, so I would expect that there's only one ROM code.
edit: forgot the attachment
-
I have a PS350 with GPIB if you'd like to compare the FW?
-
I have a PS350 with GPIB if you'd like to compare the FW?
If you have the rom dump available, I'll gladly have a disassembly of it.
-
I have a PS350 with GPIB if you'd like to compare the FW?
If you have the rom dump available, I'll gladly have a disassembly of it.
Please see the attached.
-
I tried to download the schematics but the web site showed me "error 404" ,the page doesn't exist.
you must copy and paste the link. I don't understand why but the last part ([11] .pdf) was not included in the link itself.
I could not place the file directly because it is bigger than 1 MB.
-
I have a PS350 with GPIB if you'd like to compare the FW?
If you have the rom dump available, I'll gladly have a disassembly of it.
Please see the attached.
Please see the attached :)
So what you guys are saying is that the last 4 bytes of the ROM dump is always the serial number ("4243" for the PS350) ?
If so, it is then possible that they (SRS) put a flag to enable or disable the GPIB.
It seems that they also keep "calibration" data.
I'll have more time later in the night to further investigate.
Very interesting ! :-+
-
Ok, got a look at the code and schematic, but it is now 1am |O
From the schematic, IO ports are control by 2 74HC138 mux.
The one that interest us is U505: enable is: -A6 & -IORQ & M1.
M1 is on whenever the Z80 is not fetching an instruction.
Output signal -Y7 is connected to -GPIB, that is -CE of the TM9914.
MUX select is A5-A3.
A0-A2 are connected to RS0-RS2 (register select) of TM9914.
So basically, any IN or OUT instruction targeting ports x0111xxx is talking to the GPIB chip.
Example: OUT (38h), A would be written data in A to register 00h of GPIB.
In PS310 ROM we do have write accesses (see end of html) to GPIB ports 38h, 3Bh, etc, but only write!
In PS530 ROM we do have access GPIB ports too, a few more than PS310, and read/write.
The code doesn't appear to be encrypted. The SRAM could have be used to have decrypted code from ROM for instance.
But that doesn't seem to be the case.
In fact, it is very similar. Main loop is at E3h for PS310 and E0h for PS350.
Note the jump right before, with a decoding (for digit display) of the string "ERR0" in a subroutine. Must be the self testing.
My feeling is that each ROM is custom compiled. This is because of the serial number at the end (1FFCh).
So they can basically load one with GPIB support and one without.
The one without probably having code just to write on ports to tell it to shutdown, or go to a certain state.
On first look PS310 and PS350 seem to have very similar firmware code.
That needs to be further checked.
But if SRS decided to use a same firmware code for all models, I would think that it should possible to tweak the PS350 for the PS310.
I've just skimmed the surface. This needs further investigation.
I'll continue, this is very fun :)
-
There is a clue,according to the user's manual the GPIB address must be set before enabling GPIB function,this means the "GPIB" key must be pressed
in order to set the gpib address.thus find out the key scan subroutine and how cpu handle the key event of "GPIB" key pressing.
the process of gpib key event will tell us how CPU judges whether the gpib option is available or not.if the GPIB is not available PS310 will show the
error message "err5".
Err5: No GPIB Interface The unit does not have the GPIB option so the GPIB address cannot be set.
(the GPIB option must be encrypted in the ROM code or SRAM)
Default Setup
The factory default setup can be recalled by
pressing the CLR key while turning the unit on or
recalling setup 0 (RCL 0). The default setup is also
recalled after a power on memory error (ERR 1).
The default setups are shown below.
PS310 Voltage Set 0 V
Voltage Limit 1250 V
Current Limit 21 mA
Current Trip 21 mA
Reset Mode MAN
High Voltage OFF
GPIB Addr 14 (if applicable)
I suppose the GPIB address will be saved in battery backuped SRAM once user set a GPIB address.
Jack
-
I tried to download the schematics but the web site showed me "error 404" ,the page doesn't exist.
you must copy and paste the link. I don't understand why but the last part ([11] .pdf) was not included in the link itself.
I could not place the file directly because it is bigger than 1 MB.
I believe the link I copied is different from the original(due to language version)
http://www.electronicsandbooks.com/eab2/manual/Hardware/S/Stanford%20Research%20www.thinksrs.com/Product/PS300%20PS310%20PS325%20PS350%20Power%20Supply/Schematics%20A3%20c20120517%20 (http://www.electronicsandbooks.com/eab2/manual/Hardware/S/Stanford%20Research%20www.thinksrs.com/Product/PS300%20PS310%20PS325%20PS350%20Power%20Supply/Schematics%20A3%20c20120517%20)
Could you send me the schematics by email?
Jack
-
@z80tw:
Send me your email in PM and I will send you the schematic.
-
The factory default setup can be recalled by
pressing the CLR key while turning the unit on or
Pressing CLR key at start, it will reset the SRAM.
But after that can you use the machine directly, or do you have turn it off and on again?
There is code at the beginning of the fw which read the keys.
I would guess it is the CLR key for SRAM reset.
And that piece of code indeeds writes default values into the SRAM (in 4000h).
But it then goes into a separate loop, not the main loop.
-
Pressing CLR key at start, it will reset the SRAM.
But after that can you use the machine directly, or do you have turn it off and on again?
The attached pic will show you the display after pressing CLR at start ,
I can use it without turning it off and on again
Jack
-
Just found out I have about 10 pcs of used 2764 EPROM IC and an EPROM eraser!
I am wondering what will happen if I put an EPROM IC with ROM code of PS350(supports GPIB option) in it and
use it in a PS310?will it damage my PS310?
Jack
-
I just replaced the ERPOM IC of PS310 with the one with ROM code of PS350 in it .
When turning it on the display showed the serial number "4243" and model no. "350" (1~2 seconds,pic 1),
after that the PS310 entered reset status(pic 2).I pressed the GPIB key and got gpib address "GP14" on display(pic 3).
I haven't tested the actual output voltage and GPIB communication yet.
Jack
-
There is code at the beginning of the fw which read the keys.
I would guess it is the CLR key for SRAM reset.
And that piece of code indeeds writes default values into the SRAM (in 4000h).
But it then goes into a separate loop, not the main loop.
Today I did a little modification in the ROM code of PS350:
Model No. 350------>310 (0157~0159: 33 35 30---->33 31 30)
Serial No. 4243----->7397(1FFC~ 1FFF: 34 32 34 33----->37 33 39 37)
After that I tested the PS310 with the modified ROM code of PS350:
1.Actual output voltage
SET/Display Actual output
50V 12.01V
100V 24.46v
200v 49.679v
500v 124.498v
1000v 250.498v
(PS310 Max output:1250V, PS350 Max output:5000V, 5000/1250=4)
2.GPIB communication:
PC---->PS310:*IDN?
PS310 response:StanfordResearchSystems,PS310,7397,1.40
PC---->PS310:VSET1.0E3 (set output=1000V)
PC---->PS310:VSET?
PS310 response:1.000E3 (=1000V)
PC---->PS310:HVON(output turned on)
PC---->PS310:HVOF(output turned off)
The GPIB works!
Jack
-
Today I did a little modification on ROM code of PS350:
Model No. 350------>310 (0157
Serial No. 4243----->7397
0157~0159 310 (Model No,PS310)
1FFC~1FFF 7397(Serial No,last 4 bytes, total 8K bytes)
1.Actual output voltage
Display Actual voltage
50V 12.01V
100V 24.46v
200v 49.679v
500v 124.498v
1000v 250.498v
Seems like "350" at 156h is for display purpose.
PS350 is 5kV vs PS310 is 1.25kV. Values are divided by 4, seems consistent.
I've found some code right at the beginning that check the keyboard (see IN A, (30h) at address 2Eh) and jumps to a subroutine instead of the main loop.
If you're not afraid, can you try to boot with key "ENT" and/or "7" pressed and see what happens?
-
I've found some code right at the beginning that check the keyboard (see IN A, (30h) at address 2Eh) and jumps to a subroutine instead of the main loop.
If you're not afraid, can you try to boot with key "ENT" and/or "7" pressed and see what happens?
I did as you asked,this is what happened after booting with key ENT pressed,
the top segment(a) of left most seven segment LED light turned on(pic1).now the PS310 response only to two keys,
up-arrow and down-arrow keys,
if you press up-arrow key the (a) segment turns off and (b) segment turns on,
push up -arrow key again (c) segment is on,(b) segment off.
if you continue to push the up-arrow key again and again the display will continue from segment (a) to (h)-(dot)(pic2 & pic3)
then repeat it again on next seven segment LED,one segment turns on at one time.
after two 7 segments displayed in this manner all 7 segment LEDs turns on(pic4),after that
is the indicator LED "trip" turns on then "AUTO"--->"MAN"--->"REAR"---->"SET"--->"LIMIT(voltage)"--->"LIMIT(ma)"--->"TRIP"---->"LIMIT(status)"
---->"REM"---->"SRQ",one by one at one time.
after that you push one key you will see a code on display(pic 5):
key press display
Man 01
GPIB 02
left-arrow 03
Right arrow 04
up-arrow 05 (pic 5)
down-arrow 06
Enter 07
Select 08
STO 09
RCL 10
CLR 11
. 12
0 13
7 14
4 15
1 16
8 17
5 18
2 19
9 20
6 21
3 22
It looks like it's a key board and display test program.
Jack
-
I did as you asked,this is what happened after booting with key ENT pressed,
Great a (not so useful) undocumented feature :)
-
Great a (not so useful) undocumented feature :)
I set the GPIB bus address to 09 and saved it,then turned the power off and on again
,after power on I pressed the GPIB key this time I saw "GP09"(see pic) on the display,
I took out the EPROM(PS350) and verified it with the ROM file with my EPROM writer,
they are the same ,no change at all,thus the new GPIB address must be saved in SRAM.
I downloaded a free z80 disassembler and disassemled the binary files(PS310 & PS350),
Following information came from my brief analysis of PS350 ROM files and schematics:
1.Memory address of EPROM: 0000~1FFF (program space:8KB,ST M2764A)
2.SRAM: 4000~47FF (data space:2KB,Hitachi HM6116)
3.I/O address:
20h:Status1
28h:Status2
30h:-KBD
38h:-GPIB
48h:-Sets
50h:-DAC
58h:-LED
60h:-SEGB
68h:-SEGA
70h:-STROBE
78h:
------------------------------
bit0:-SHUTDOWN
bit1:UPOK
BIT2:-FLAG RESET
BIT3:-TIMER RESET
BIT4:(spare)
BIT5:-POS
bit6:-NEG
bit7:FILTER
------------------------------
Key code of "GPIB" :20h
I found only two read key code commands ("in a,(30h)") in the ROM file of PS350
1.0000~0044h:
002c db30 in a,(30h) ----read key code
002e fe80 cp 80h ------check if "ENTER" / "7" key pressed or not
0030 ca1714 jp z,1417h ------if yes then jump to 1417h,---the keyboard/display test program your asked me to check.
0033 c36800 jp 0068h-----if neither "ENTER" nor "7" pressed then jump to 0068h-----proceed regular power on procedures?
2.Subroutine 0FC2~0FD5h: 0FD2h db30 in a,(30h)
0fc2 3a1440 ld a,(4014h)
0fc5 fe02 cp 02h
0fc7 d8 ret c
0fc8 fe05 cp 05h
0fca d0 ret nc
0fcb 218740 ld hl,4087h
0fce 5f ld e,a
0fcf 1600 ld d,00h
0fd1 19 add hl,de
0fd2 db30 in a,(30h)
0fd4 77 ld (hl),a
0fd5 c9 ret
I will continue to analyze the ROM files.
Let me know if you find any thing wrong about my analysis.
Jack
-
After I did couple modifications on the ROM code of PS310 the GPIB function now is enabled! ;D
but I still can't change the GPIB bus address by pressing the "GPIB" key,
when I press the "GPIB" key I still see "Err5" on the display.
The codes I have modified:
1.(pic 1)
00b3h cd1710 call 0117h ------> cd301f call 1f30h
2.(pic 2)
1f30h~1f32h: ff ff ff ----->cd 58 12 call 1258h (basically I inserted only one command in the program:call 1258h,to initialize GPIB controller )
1f33h~1f35h: ff ff ff ----->cd 17 01 call 0117h
1f36h:ff ---->c9 RET
After installing new rom code in PS310 I turned on the power.
PS310 powered on and displayed normally,
then I pressed the "GPIB" key but saw "Err5" on display again.
next I tested the GPIB communication.it works!(pic 3)
I issued coulple commands and got correct response from PS310:
*IDN?
PS310 response:StanfordResearchSystems,PS310,7397,1.40
VSET=1.0E2(Vset=100V)
VSET?
PS310 response:1.00E2(=100V)
HVON (output turned on)
HVOF (output turned off)
Now I am going to figure out how to make the setting of GPIB bus address works.
PS.current GPIB bus address of PS310 is: 9 (saved in SRAM since I changed it yesterday)
Jack
-
Today I found out why I couldn't set GPIB address by keyboard of front panel,because the CPU jumped to "Err5" subroutine
every time I pressed "GPIB" key! in the ROM file of PS350 there is no "Err5" subroutine,instead of "Err5" subroutine there is
a subroutine which will enable GPIB interface and address setting by keyboard of front panel .
Thus I have to replace the "Err5" sub with the GPIB option sub(copied from PS350).The software version modified by me
I called it Version 1.41(original Ver 1.40)(pic 1)
Now GPIB interface of my PS310 works, the GPIB address can be set by keyboard of front panel and saved in SRAM(pic 2,no more "Err5")
How I replaced the "Err5" sub with GPIB option sub from ROM file of PS350?
1.I changed the code of 028fh~0292h:(pic3)
028f~0291 cd 40 1f call 1f40h
0292 c9 RET
2. Copied GPIB option subroutine of PS350 (029b~02c0) and pasted it
to address 1f40~1f65h:(pic4)
1f40 af xor a
1f41 321740 ld (4017h),a
1f44 328240 ld (4082h),a
1f47 328340 ld (4083h),a
1f4a 3e04 ld a,04h
1f4c 322440 ld (4024h),a
1f4f 3e01 ld a,01h
1f51 321940 ld (4019h),a
1f54 211240 ld hl,4012h
1f57 cbee set 5,(hl)
1f59 3a4c41 ld a,(414ch)
1f5c e67f and 7fh
1f5e 322240 ld (4022h),a
1f61 af xor a
1f62 322340 ld (4023h),a
1f65 c9 ret
Now my problem solved! :-DD
Thanks to all of you who has helped me by providing schematics,ROM code of PS350,hardware and software analysis,
without your helps I could not have fixed this problem.
Jack
-
Congratulations, you've done a really good job!
-
Cool detective work :-+
If you're nice , you'd upload the fixed eprom contents here.
/Bingo
-
Cool detective work :-+
If you're nice , you'd upload the fixed eprom contents here.
/Bingo
Here attached is the modified ROM file,Version 1.41,Model No.PS310,Serial No.2017(<---users have to modify it according to the serial no of their PS310.)hope it will help other owners of SRS PS-310 / PS-325 who has same problem I faced.
Jack
-
Now my problem solved! :-DD
This is not problem solving, but a nice firmware hack! :)
Congrat!
-
This is not problem solving, but a nice firmware hack! :)
Congrat!
Firmware hack! but without your inspiration I couldn't have done it! >:D
thanks for all efforts you have done for me.
Jack