Saving Old Instrument by Reverse Engineering Its Software
paul.delamusica wrote 05/26/2019 at 04:31 • 1 point

I have an old spectrophotometer, Thermo Spectronic 20 Genesys, circa 1996, according to the PCB marking. It consists of a stepping motor controlled by an Intel 80C251 microcontroller. It allows a user to input a wavelength and the controller would drive the motor to a predetermined angle.
In order to arrive at the exact wavelength, the instrument keeps a set of local parameters for each machine. It is kept in an EEPROM on the main board, which unfortunately has been corrupted. Being old, the vendor no longer supports this model and no programming manual can be found. All I have is some circuit description and the circuit diagram.
I would like to write to the EEPROM so that I can put new calibration data into it. I don't know the data format nor the instructions for loading data through its RS232 port. On the plus side, I suppose that Intel 80C251 microcontroller is very common and the operation for driving a stepper motor is quite simple. Can this be done at all? Any advice is appreciated.
Discussions
There's quite a few of these on Ebay. It wouldn't hurt to contact the sellers and ask if one of them has a disk or can dump the EEPROM.
Thanks for the suggestion. I actually have another working unit. But because the parameter set is specific to each machine, the numbers that worked on another machine cannot work here.
Is it possible that the EEPROM contains calibration settings specific to each machine? I've seen measurement equipment that is tested at the factory and a bunch of offsets developed that make it report the right values. Given what you're telling me (you need the serial number of a specific machine, and the factory sent you a file specific to each particular machine), then I'd consider it possible the manufacturer kept a database of devices and what their unique adaptations were. Reverse engineering the firmware would show it reading a table from the EEPROM and using it in measurements.
If you could get a copy of the backup disk, you might get the command set required to load the data if the commands were embedded in the file.
Can you look at the bus transactions to the EEPROM with an external tool? I use EEPROM for parameter and configuration storage in some of my projects, and when I detect corrupted data or a software revision change, I re-initialize the EEPROM to default values. Maybe your spectrophotometer does the same. Knowing the default values might help figure out the data organization. Otherwise, dumping the firmware and reverse engineering it seems necessary.
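The defaults-on-corruption scheme described in the comment above, as an added illustration (not code from the original post, and not the Spectronic 20's real data layout, which nobody in this thread knows): a parameter block with a magic string, a layout version and a CRC-16 trailer, a loader that falls back to neutral defaults when the block fails validation, and a helper that models a cell whose charge has leaked away. The layout, the field names and the sample offsets are all assumptions. It shows why such an instrument can pass its power-on test yet be miscalibrated: the fallback hides the damage unless the firmware also reports it.

```python
import struct

# Assumed layout (illustration only, not the instrument's real format):
#   0..1   magic "SP"
#   2      layout version
#   3      reserved (0)
#   4..19  four little-endian int32 stepper offsets (constructed example fields)
#   20..21 CRC-16/CCITT-FALSE over bytes 0..19, stored big-endian
MAGIC = b"SP"
LAYOUT_VERSION = 1
DEFAULT_OFFSETS = (0, 0, 0, 0)   # neutral defaults the loader falls back to
BLOCK_LEN = 22


def crc16_ccitt(data: bytes, crc: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE: polynomial 0x1021, init 0xFFFF, no reflection, no final XOR."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def pack_block(offsets, version: int = LAYOUT_VERSION) -> bytes:
    """Serialise four offsets into a block with header and CRC trailer."""
    body = MAGIC + bytes([version, 0]) + struct.pack("<4i", *offsets)
    return body + struct.pack(">H", crc16_ccitt(body))


def load_block(raw: bytes):
    """Return (offsets, source): source is 'eeprom' when the block validates,
    'defaults' when magic, version or CRC fails (the power-on fallback path)."""
    if len(raw) < BLOCK_LEN:
        return DEFAULT_OFFSETS, "defaults"
    body = raw[:BLOCK_LEN - 2]
    stored_crc = struct.unpack(">H", raw[BLOCK_LEN - 2:BLOCK_LEN])[0]
    if body[:2] != MAGIC or body[2] != LAYOUT_VERSION or crc16_ccitt(body) != stored_crc:
        return DEFAULT_OFFSETS, "defaults"
    return struct.unpack("<4i", body[4:20]), "eeprom"


def corrupt(raw: bytes, index: int, mask: int = 0x01) -> bytes:
    """Flip bits at one position: models a cell that lost its charge over the years."""
    buf = bytearray(raw)
    buf[index] ^= mask
    return bytes(buf)


if __name__ == "__main__":
    good = pack_block((120, -35, 2048, 7))          # constructed sample offsets
    print(load_block(good))                          # validated block
    print(load_block(corrupt(good, 9)))              # one flipped bit -> defaults
    print(load_block(b"\xff" * BLOCK_LEN))           # erased/blank part -> defaults
```

A single-bit flip anywhere in the block, in the CRC bytes included, is always caught by the CRC, and a fully erased part (all 0xFF, which is what a blank EEPROM reads) fails the magic check first. In a real design the `"defaults"` path should also set a visible status flag; silently loading defaults is exactly what leaves an operator with an instrument that boots cleanly but reads the wrong wavelength.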
This is probably what happens. The setup routine does some checks, if not successful, it loads a default parameter set that is common to all machines of that model, and the power-on test completes gracefully.
By "looking at the bus transactions" do you mean hooking up a logic analyzer to the appropriate pins? I don't have it now but they can be obtained cheaply. Right now I only have a 250 MHz oscilloscope.
When the spectrophotometer was supported by the vendor, in the event that the EEPROM is corrupted, the user can send the serial number to the vendor and get back a floppy disk containing the parameter files and an exe for writing them into the instrument.
I am assuming that the EEPROM is either I2C or SPI interfaced. I use a tool called a Beagle from TotalPhase Systems for sniffing I2C and SPI traffic if I need to look at more than a byte or two. The Beagles are kind of expensive and there are probably other, cheaper options out there.
Reverse engineering the firmware or finding a programmers manual are probably the only ways to get the data format for loading the cal data though.
Might be the old school parallel EEPROM chips. That would match the vintage of the 80C251 and DOS (late 90s).
It is an X2816CP-20.
Haha, a Xicor 2 kB EEPROM, 200 ns access time. Have a couple in my retro box. 😀 It's quite possible there is nothing wrong with the chip, just that the charge leaked away over the years so the bits are blank. So you might not have to replace it, just to reprogram it.
You might also want to work out the circuit diagram, in particular which 80C251 port lines control what. It'll help fill in the puzzle.
It's funny, I have been using the I2C and SPI versions for so long, that it never even occurred to me that it might be parallel interfaced.
It might be worth putting an o'scope on the chip select pin and see what the cycle time is. It may be possible to take a low cost eval board for a fast ARM MCU and read the data bus and some low order address bits along with the chip select and get a dump of the contents without a real logic analyzer.
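The host-side half of the capture approach suggested above, as an added example that is not from the original thread: given samples of chip-enable, output-enable, address and data taken at a fixed rate (as a fast MCU polling its GPIOs would produce), pick out the read cycles, latch the bus at the end of each cycle when the data is stable, and rebuild the image. The `reconstruct` step also generalises to the case the comment mentions, where only some low-order address bits were captured: two different bytes observed at the same truncated address is the signature of aliasing, so it is reported as a conflict instead of being silently overwritten. The signal order, the sample generator and the sample ROM contents are all constructed assumptions.

```python
from collections import defaultdict


def extract_read_cycles(samples):
    """samples: iterable of (ce_n, oe_n, addr, data) tuples at a fixed sample rate.
    A read cycle is a run of samples with CE# and OE# both low.  Address and data
    are latched from the last sample of the run, i.e. after the part's access
    time has elapsed and before the bus is released."""
    cycles, last = [], None
    for ce_n, oe_n, addr, data in samples:
        if ce_n == 0 and oe_n == 0:
            last = (addr, data)
        elif last is not None:
            cycles.append(last)
            last = None
    if last is not None:              # capture ended mid-cycle
        cycles.append(last)
    return cycles


def reconstruct(cycles, addr_bits=11):
    """Fold latched cycles into an image keyed by the captured address bits.
    addr_bits=11 covers a 2 KiB part such as the X2816; a smaller value models
    a capture that only had the low-order address lines hooked up.
    Returns (image, conflicts): image maps address -> byte for addresses that
    were always read as the same value, conflicts maps address -> set of bytes
    where different values were seen (aliasing, or a flaky capture)."""
    mask = (1 << addr_bits) - 1
    seen = defaultdict(set)
    for addr, data in cycles:
        seen[addr & mask].add(data & 0xFF)
    image = {a: next(iter(v)) for a, v in seen.items() if len(v) == 1}
    conflicts = {a: v for a, v in seen.items() if len(v) > 1}
    return image, conflicts


def simulate_cycles(rom, addrs, idle=2, active=4):
    """Constructed stand-in for a real capture: for each address, a few idle
    samples (both strobes high) then an active cycle whose data bus only shows
    the stored byte on the last sample, as it would after the access time."""
    samples = []
    for a in addrs:
        samples += [(1, 1, a, 0xFF)] * idle
        for i in range(active):
            bus = rom[a] if i == active - 1 else 0xFF   # bus not yet valid
            samples.append((0, 0, a, bus))
    return samples


# Constructed 2 KiB ROM whose upper address bits change the content, so that
# truncating the address to 8 bits produces a detectable alias.
SAMPLE_ROM = bytes(((i * 7) + (i >> 8)) & 0xFF for i in range(2048))

if __name__ == "__main__":
    cycles = extract_read_cycles(simulate_cycles(SAMPLE_ROM, [0x005, 0x105, 0x7FF]))
    image, conflicts = reconstruct(cycles, addr_bits=11)
    print(f"full address: {len(image)} bytes recovered, conflicts={conflicts}")
    image, conflicts = reconstruct(cycles, addr_bits=8)
    print(f"8 address bits: {len(image)} bytes recovered, conflicts={conflicts}")
```

Coverage is whatever the firmware happened to read while the capture ran, so the dump is complete only if every address was touched; repeating the capture over several power cycles and merging the `image` dictionaries fills in the rest. The sample order inside a cycle matters: latching on the first active sample, before the 200 ns access time, returns bus garbage, which is why the last sample of the run is used.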
Maybe there are calibration routines in the firmware that can be invoked after the EEPROM has been replaced?
Yes, it does some limited calibration. But the "major" calibration has to come from the factory.
The firmware is stored in a different EEPROM. It contains the power up sequence, a number of "utility functions", etc. It should be common to all machines, unlike the other EEPROM that contains machine specific calibration parameters that are different from machine to machine and therefore cannot be copied from another working machine.
A list of chips is actually in the documentation that I have. As for someone in the same situation, so far I have not found anyone online. But I will keep looking.
Where is the firmware stored? In an external ROM/EPROM/EEPROM? If so try to get it dumped to disassemble. Also have you looked to see if there are other owners who have done this before?
Post a picture of the board, maybe we can identify the other chips.
I found a few software tools that are supposed to convert HEX code into Intel 8051 assembly code. The code for writing to the EEPROM, however, is a PC program run from a DOS prompt.
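The "HEX code" those tools consume is normally the Intel HEX record format that EPROM programmers emit, and the first step before any disassembler is turning it back into a flat image while checking each record's checksum, since a dump of a 20-year-old part is exactly where a bad record is likely. The parser below is an added example, not code from the original post or from any of the tools mentioned: it handles data (00), end-of-file (01), extended segment (02) and extended linear (04) records, rejects checksum mismatches, and reads the reset vector under the assumption that the 80C251 is running 8051-compatible code (an `LJMP` at address 0 is opcode 0x02 followed by a big-endian 16-bit target). The sample records are constructed for the example and are not from the instrument.

```python
def record_checksum_ok(line: str) -> bool:
    """An Intel HEX record is valid when all its bytes, checksum included, sum to 0 mod 256."""
    raw = bytes.fromhex(line.strip()[1:])
    return sum(raw) & 0xFF == 0


def parse_intel_hex(text: str, fill: int = 0xFF) -> bytes:
    """Convert Intel HEX text into a flat image (gaps filled with `fill`).
    Raises ValueError on malformed records or checksum mismatches."""
    image, base = {}, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: record does not start with ':'")
        raw = bytes.fromhex(line[1:])
        count, addr, rtype = raw[0], (raw[1] << 8) | raw[2], raw[3]
        if len(raw) != count + 5:
            raise ValueError(f"line {lineno}: length field disagrees with record")
        if not record_checksum_ok(line):
            raise ValueError(f"line {lineno}: checksum mismatch")
        data = raw[4:4 + count]
        if rtype == 0x00:                      # data record
            for i, b in enumerate(data):
                image[base + addr + i] = b
        elif rtype == 0x01:                    # end of file
            break
        elif rtype == 0x02:                    # extended segment address (x16)
            base = ((data[0] << 8) | data[1]) << 4
        elif rtype == 0x04:                    # extended linear address (x65536)
            base = ((data[0] << 8) | data[1]) << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    if not image:
        return b""
    return bytes(image.get(i, fill) for i in range(max(image) + 1))


def reset_vector(image: bytes):
    """Assumes 8051-compatible code: returns the LJMP target at address 0, or None."""
    if len(image) >= 3 and image[0] == 0x02:
        return (image[1] << 8) | image[2]
    return None


# Constructed sample: LJMP 010Ch at the reset vector, then MOV R0,#90h / SJMP $ at 010Ch.
SAMPLE_HEX = """
:0300000002010CEE
:04010C00789080FE69
:00000001FF
"""

if __name__ == "__main__":
    img = parse_intel_hex(SAMPLE_HEX)
    print(f"{len(img)} bytes, reset vector -> {reset_vector(img):#06x}")
    print(img[0x10C:].hex())
```

Feeding a disassembler a flat binary rather than the HEX text also removes one failure mode: a tool that silently skips a record with a bad checksum would leave a hole that disassembles as 0xFF (`MOV R7,A` on the 8051) and quietly derails the listing.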
Maybe you might also want to try working out what this program sends out. You can get FreeDOS and run it under a virtual machine. There might be software tools to intercept what it sends out on the port.
If you are lucky the software just sends a whole block of machine specific calibration data (<= 2kB) to program the EEPROM but you will have to figure out which bytes mean what.
I would start by looking around and see if someone 'in the wild' could dump the EEPROM of a working model for you.