EEPROM Hack Unlocks Crippled Features In Agilent Multimeter And LCR Meter

u1241a-agilent-hack

[Gnif] was doing what any good hacker does… poking around the insides of one of his tools to see how it works. While in there, he discovered that an EEPROM hack could make the Agilent U1241A function like the U1242A.

If you’re into this kind of thing the Rigol 1052e hack should have already popped to mind. That was a firmware crippled device that, when unlocked, made the cheaper model behave the same ways as it’s $400 more expensive sibling. This doesn’t have quite the same impact, as the price difference is somewhere between $20-$100. Still, this stuff is just cool, right?

A few posts down in the thread linked above [Gnif] shares the story of how he found the hack. After shorting the i2c lines of the EEPROM while powering up the meter he was able to see that the device initializes a lot of its values to 0xFF when it can’t find the stored data. The next step was to use an STM32 board to dump the EEPROM contents. With the backup file stored safely he started changing values and reflashing the chip. Through this process he discovered that switching one byte from 0x01 to 0x02 enabled the higher model’s features. It also works for upgrading the U1732C to the U1733C feature set.

31 thoughts on “EEPROM Hack Unlocks Crippled Features In Agilent Multimeter And LCR Meter

  1. This kind of a hack is what I have come to expect of the occasional firmware-related HaD post. Thank you for the underground knowledge — this is really stimulating food for thought.

        1. That is exactly why I did this, also the unit I bought was 2nd hand already and the price difference between this one and the next model was more like $100, so for me it was quite a saving.

    1. That’s a direct result of the hack being revealed. Sales of the 50MHz model skyrocketed, and the 100MHz model dried up. Rigol eventually relented and permanently dropped the price of the 100MHz model to the $50 difference you now see.

      1. Yes, thanks to the hack exposing the greedy way Rigol cripples firmware to get your money, they had to drop the price of the DS1102E down to a reasonable level. Now they’re selling like hotcakes – making Rigol lot’s more money in the end. This is what happens when you let greedy marketing goons run your business instead of just trying to deliver the best quality and value you possibly can to your customers at an affordable price.

        1. Thx Dave but sadly this price is only true if you live in the US.
          Every other sellers (even in china) go way over he $500 mark.
          I would gladly put an extra $50 … even $100 for a 1102 with shipping to europe.
          DX sells their 1052 @ $345. It’s still makes the mod for 100MHz relevant

  2. Hacks like this can also enable hidden features the manufacturer has decided they won’t allow you to have because of where you live. Cannon sold a lot of printers in the USA and Canada which were capable of printing on optical discs but had that function disabled in the firmware.

    The fix was as simple as pressing the buttons on the printer in the proper combinations to set the thing to Europe or Japan mode and for the USA, set the default paper to letter size.

    There have been many other cases of regional firmware feature lockouts and even regional firmware with features completely removed, which require obtaining a copy of the firmware for a region the manufacturer hasn’t decided to thumb their digital nose at and flashing it onto the device. In some cases a hacker must also edit the more featured firmware for their language, especially when the better version was sold only in Asian countries.

    One of the hardest device classes to do this to was Adaptech SCSI controllers. The Macintosh versions had a larger ROM than the much less expensive PC versions. The best ones to get were ones with a socketed firmware chip *and* the ability to use a larger chip for the Mac version firmware simply by plugging it in place of the PC version. Other models required unsoldering the chip and replacing it, some times also adding or moving other components to use the higher capacity chip.

    Why go to all that trouble? Around $200 higher price for a Macintosh version that only had one inexpensive chip difference.

    Media 100’s video editing hardware for NuBus Macintoshes had all its capabilities, except for component video I/O (that was on an optional daughterboard), built in. What functions you actually got to use were controlled by special dongles connected inline between the keyboard and an ADB port. Someone wrote a small emulator program that activated many, but not all, of the advanced functions.

    Several models of Hewlett Packard printer/scanner/FAX are differentiated solely by the control panel overlay, which the user has to install before plugging in the power and turning it on for the first time. The model is coded by tabs along one edge of the overlay, I assume they leave open or block a set of optical sensors. The scheme makes assembly simple, every one of the range is identical, they’re differentiated by the printing on the box and the matching accessory package that gets put in just before the box is sealed.

    Some times the difference is only in the drivers. Xerox made a short lived foray into inkjet printers. The company didn’t design them, they contracted with Sharp to wrap different housings around some of their printers, and replace Sharp with Xerox everywhere in the firmware and driver software (but not on the PCB silkscreens). Xerox touted them as 1200 DPI printers, for both color and monochrome. Yup, they were 1200 DPI – as long as you used Windows 98! The driver for Windows 2000 and XP limited the printers to a maximum of 600 DPI and Xerox flat out refused to fix it. (Sharp’s drivers wouldn’t work with the “Xerox” printers.) Then the print heads suffered a mass die-off where one color would suddenly quit printing. Rather than do a “My bad.” and fix anything (or sic their lawyers on Sharp for providing crappy products), Xerox quietly discontinued the whole inkjet product line. I haven’t owned a single Xerox product since that debacle.

    There’s a long, long history in electronics products of making multiple models from an identical device by selective crippling of features and functions.

    1. Sometimes it’s the lawyers, where feature X must be disabled in country Y.

      The Meizu M6 had MP3 disabled in the US (licensing), and the FM radio disabled in the EU (duties). Of course the firmware was readily available on the company website, so…

      1. I had a stereo from Aldi here in AU about 6 years ago now, it also was lacking a feature I wanted, AUX input. So I cracked it open and found some signal diodes on the board that were being used to pull IO pins on the MCU up/down, thought it was a little odd so I played with them and enabled MP3 Playback and record from radio, Bluetooth capability, and AUX input :), I had to also populate the pins on the rear connector for the input though.

  3. I do wonder if the extra features have proper calibration stored in EEPROM? It would be worth examining the EEPROMS from several meters of both models before breaking out the champagne. I doubt Agilent bothered to calibrate ranges that aren’t enabled.

  4. I just can’t believe that it is possible to just “discover” the needed change in eeprom. There are too many possible combinations. Real possibility is to compare different models eeproms. So either there is something the author is not telling us, or this is just a Agilent marketing campaign.

    1. Are you serious? It is not always that hard to deduce things like this from simple reasoning sometimes. I wish I was affiliated with Agilent, I would have a nice DSO then :)

  5. The problem with this is that you can’t be sure that the hardware can manage the performance of the high end model.
    Perhaps if the tolerances are not within spec of a particular unit, it is crippled and sold as the lower model.

    Is there any calibration or verification done on the meter after the upgrade?

    1. Both devices have the same MCU in them, they are the same product, just with a single byte change in the EEPROM, there is no additional calibration to be done here as it is not enabling additional ranges.

Leave a Reply to Jim TurnerCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.