66% or better

EEPROM hack unlocks crippled features in Agilent multimeter and LCR meter

u1241a-agilent-hack

[Gnif] was doing what any good hacker does… poking around the insides of one of his tools to see how it works. While in there, he discovered that an EEPROM hack could make the Agilent U1241A function like the U1242A.

If you’re into this kind of thing the Rigol 1052e hack should have already popped to mind. That was a firmware crippled device that, when unlocked, made the cheaper model behave the same ways as it’s $400 more expensive sibling. This doesn’t have quite the same impact, as the price difference is somewhere between $20-$100. Still, this stuff is just cool, right?

A few posts down in the thread linked above [Gnif] shares the story of how he found the hack. After shorting the i2c lines of the EEPROM while powering up the meter he was able to see that the device initializes a lot of its values to 0xFF when it can’t find the stored data. The next step was to use an STM32 board to dump the EEPROM contents. With the backup file stored safely he started changing values and reflashing the chip. Through this process he discovered that switching one byte from 0×01 to 0×02 enabled the higher model’s features. It also works for upgrading the U1732C to the U1733C feature set.

Comments

  1. SYNTRONIKS says:

    This kind of a hack is what I have come to expect of the occasional firmware-related HaD post. Thank you for the underground knowledge — this is really stimulating food for thought.

    • matt says:

      +1, although I am surprised the lengths some people are willing to go, and violate their warranty at the same time, just to save $20.

      • oodain says:

        often i think it is the learning experience that takes precedence.
        though in the case of the rigol hack it sure does sound like quite a saving.

        • spacevs says:

          That is exactly why I did this, also the unit I bought was 2nd hand already and the price difference between this one and the next model was more like $100, so for me it was quite a saving.

          • Dave says:

            That’s really cool man, thanks for sharing. I’m sure it felt like a huge win when you figured it out!

          • spacevs says:

            No worries, and yeah, I had a pretty big smile when I tracked down the byte to change :).

  2. Jim Turner says:

    the price difference on the rigol is only 50 bucks. The 100mhz model the hack upgrades to costs $400 not $400 more…

  3. My God!! I am going to try this right away!

  4. Galane says:

    Hacks like this can also enable hidden features the manufacturer has decided they won’t allow you to have because of where you live. Cannon sold a lot of printers in the USA and Canada which were capable of printing on optical discs but had that function disabled in the firmware.

    The fix was as simple as pressing the buttons on the printer in the proper combinations to set the thing to Europe or Japan mode and for the USA, set the default paper to letter size.

    There have been many other cases of regional firmware feature lockouts and even regional firmware with features completely removed, which require obtaining a copy of the firmware for a region the manufacturer hasn’t decided to thumb their digital nose at and flashing it onto the device. In some cases a hacker must also edit the more featured firmware for their language, especially when the better version was sold only in Asian countries.

    One of the hardest device classes to do this to was Adaptech SCSI controllers. The Macintosh versions had a larger ROM than the much less expensive PC versions. The best ones to get were ones with a socketed firmware chip *and* the ability to use a larger chip for the Mac version firmware simply by plugging it in place of the PC version. Other models required unsoldering the chip and replacing it, some times also adding or moving other components to use the higher capacity chip.

    Why go to all that trouble? Around $200 higher price for a Macintosh version that only had one inexpensive chip difference.

    Media 100′s video editing hardware for NuBus Macintoshes had all its capabilities, except for component video I/O (that was on an optional daughterboard), built in. What functions you actually got to use were controlled by special dongles connected inline between the keyboard and an ADB port. Someone wrote a small emulator program that activated many, but not all, of the advanced functions.

    Several models of Hewlett Packard printer/scanner/FAX are differentiated solely by the control panel overlay, which the user has to install before plugging in the power and turning it on for the first time. The model is coded by tabs along one edge of the overlay, I assume they leave open or block a set of optical sensors. The scheme makes assembly simple, every one of the range is identical, they’re differentiated by the printing on the box and the matching accessory package that gets put in just before the box is sealed.

    Some times the difference is only in the drivers. Xerox made a short lived foray into inkjet printers. The company didn’t design them, they contracted with Sharp to wrap different housings around some of their printers, and replace Sharp with Xerox everywhere in the firmware and driver software (but not on the PCB silkscreens). Xerox touted them as 1200 DPI printers, for both color and monochrome. Yup, they were 1200 DPI – as long as you used Windows 98! The driver for Windows 2000 and XP limited the printers to a maximum of 600 DPI and Xerox flat out refused to fix it. (Sharp’s drivers wouldn’t work with the “Xerox” printers.) Then the print heads suffered a mass die-off where one color would suddenly quit printing. Rather than do a “My bad.” and fix anything (or sic their lawyers on Sharp for providing crappy products), Xerox quietly discontinued the whole inkjet product line. I haven’t owned a single Xerox product since that debacle.

    There’s a long, long history in electronics products of making multiple models from an identical device by selective crippling of features and functions.

    • Tony says:

      Sometimes it’s the lawyers, where feature X must be disabled in country Y.

      The Meizu M6 had MP3 disabled in the US (licensing), and the FM radio disabled in the EU (duties). Of course the firmware was readily available on the company website, so…

      • spacevs says:

        I had a stereo from Aldi here in AU about 6 years ago now, it also was lacking a feature I wanted, AUX input. So I cracked it open and found some signal diodes on the board that were being used to pull IO pins on the MCU up/down, thought it was a little odd so I played with them and enabled MP3 Playback and record from radio, Bluetooth capability, and AUX input :), I had to also populate the pins on the rear connector for the input though.

  5. Atleast until the law suites starts claiming you “stole” access to features they crippled by default in the device YOU paid for.

  6. echodelta says:

    I wouldn’t use that meter till it had the style buttons removed and the the labels LEVEL. Dam designers.

  7. Technics says:

    I do wonder if the extra features have proper calibration stored in EEPROM? It would be worth examining the EEPROMS from several meters of both models before breaking out the champagne. I doubt Agilent bothered to calibrate ranges that aren’t enabled.

  8. digi says:

    I just can’t believe that it is possible to just “discover” the needed change in eeprom. There are too many possible combinations. Real possibility is to compare different models eeproms. So either there is something the author is not telling us, or this is just a Agilent marketing campaign.

  9. pff says:

    The problem with this is that you can’t be sure that the hardware can manage the performance of the high end model.
    Perhaps if the tolerances are not within spec of a particular unit, it is crippled and sold as the lower model.

    Is there any calibration or verification done on the meter after the upgrade?

  10. where can i get one of these DMMs? I love the blue backlit screen….

  11. regiscruzbr says:

    The real Ha
    ck, thanks for share. I have the exactly same device.

  12. Cricri says:

    Proper hack, both thumbs up!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s