Unaohm EP-2500: Upgrading the firmware without activation key
Hi,
One of the last field meters added to my collection is the Unaohm EP-2500. I bought it at eBay and got kind of lucky, as the device arrived with more than I bargained for!
It came with three extra options:
πThis is a tool that is designed for basically all older Unaohm field meter (EP-2200, EP-2500, EP-3000 and probably many others). So read on, even if your Unaohm is a different model!
One of the last field meters added to my collection is the Unaohm EP-2500. I bought it at eBay and got kind of lucky, as the device arrived with more than I bargained for!
It came with three extra options:
- QAM
- MPEG2
Nice surprise, as the seller did not mention these options in the auction.
The firmware was fairly recent: W3_2
After a lot of online searching and with some help from fellow mate "Channel Hopper" at the www.satellites.co.uk forum, who seem to be an expert in searching on web.archive.org, I found the following collection of firmware upgrade files:
- W2_2
- W3_2
- W3_2_1
- W4_0
πThis is a tool that is designed for basically all older Unaohm field meter (EP-2200, EP-2500, EP-3000 and probably many others). So read on, even if your Unaohm is a different model!
Great, I thought, let's upgrade this to W4_0 for additional satisfaction!
Not so fast: it seems that Unaohm does like to keep charging customers and to my surprise, you need an key code matching the serial number of the field meter, in order to upgrade the firmware!
Of course I tried some random codes, but naturally none worked.
Because the uploader seems to have been programmed in some version of Visual Basic, I decompiled it, but to no conclusion.
Last hacking attempt: notice how the "AUTO" button is deactivated. Well, I used a cool tool that let's you edit the controls of a compiled software, so I enabled this button! Unfortunatly, the programmer of the uploader software was well awake when programming it and included a specific instruction de deactivate the button. Otherwise that would have been a cool hack...
So, next solution was to search for the IC holding the firmware. It didn't take long to figure out that the EP-2500 uses a Z80 CPU for the user interface and next to it is a socket containing an ST M29F040B Flash/Eeprom in PLCC32 package.
I didn't have any chip of that sort in my stock nor did I have the suitable PLCC32 adapter for my Genius G540 programmer. No big deal: www.ebay.com is your friend!
I got the chips for about 8 Euro with free shipping (two of them, just in case) and the adapter cost me around 2 Euro with free shipping. Of course, coming from China, it took about 2 weeks for both orders to arrrive.
When they did, I setup my gear: I connected the Genius G540 to my main computer running Windows 10 and... I couldn't program or read the newly arrived IC's. After spending around an hour, figuring out why, I found the reason. The main computer is simply too recent, Windows 10 at 64 bit is not properly supported. While it works for smaller eeproms, it didn't work for this one.
No problem: I keep my old HP laptop with a Pentium III running Windows XP 32bit for a reason! It has RS232, parallel port and is compatible with all hacking gear I need (including OBDM stuff for messing with my BMW). Always keep yourself an old working Windows XP machine!
So, now I could program and read the chip. Time to dump the chip from the EP-2500. This produces a 512kb file. The firmware upgrade file is only 448kb.
Why? Easy: because the dump includes the bootloader, which is missing from the upgrade file!
Looking at both in an hex editor, I quickly found that the memory is devides as such:
&H00000-&H6FFFF - firmware
&H70000-&H7FFFF - bootloader
So I snipped the firmware part of the dump and replaced it with the firmware of the W4_0 file.
Programmed one of the new IC with this file, replaced it in the field meter and...
SUCCESS!!!
ππ
I now have W4_0 installed.
Looking at the HEX dump of the bootloader, I noticed this:
It seems that the firmware is just uploaded using 1K XMODEM protocol. I will try that out, when possible. This would make firmware upgrade on older Unaohm field meter much easier, as one would simply circumvent the Unaohm UpLoader software and just use plain Hyperterminal! (Did I mention to keep an old PC with Windows XP - it includes Hyperterminal)
Regards,
Vitor
Comments
Post a Comment