Author Topic: Hantek LCR 1832C unlock  (Read 59771 times)

0 Members and 2 Guests are viewing this topic.

Offline teixeluis

  • Contributor
  • Posts: 36
Re: Hantek LCR 1832C unlock
« Reply #25 on: March 26, 2021, 11:18:45 am »
You can easily dump it via ST Link adapter and SWD interface

Attached my original and edited firmware files.

ZhuraYuk how did you proceed with getting a dump of the STM32 flash? I struggled a bit to obtain the image: first I tried connecting all the 4 pins of the programming interface (including power) to a ST-Link V2 clone, and could not connect to the target device.

Then I tried not providing power from the ST-Link v2, but instead put the batteries in the LCR and power it up, and in that case was able to connect to the target and obtain the firmware image. Did that a couple of times with success. But afterwards I ran a open circuit self-calibration and tried to get another dump afterwards (to compare which areas are written when calibration is done), and was no longer able to connect to the device via the ST-Link.

How did you proceed exactly in your case?

Thank you

Cheers
 

Offline ZhuraYukTopic starter

  • Regular Contributor
  • *
  • Posts: 85
  • Country: ua
Re: Hantek LCR 1832C unlock
« Reply #26 on: March 26, 2021, 07:40:05 pm »
You can easily dump it via ST Link adapter and SWD interface

Attached my original and edited firmware files.

ZhuraYuk how did you proceed with getting a dump of the STM32 flash? I struggled a bit to obtain the image: first I tried connecting all the 4 pins of the programming interface (including power) to a ST-Link V2 clone, and could not connect to the target device.

Then I tried not providing power from the ST-Link v2, but instead put the batteries in the LCR and power it up, and in that case was able to connect to the target and obtain the firmware image. Did that a couple of times with success. But afterwards I ran a open circuit self-calibration and tried to get another dump afterwards (to compare which areas are written when calibration is done), and was no longer able to connect to the device via the ST-Link.

How did you proceed exactly in your case?

Thank you

Cheers

I did in same way as you with powered on state  and on batteries, but did not performed any self calibration.
 

Offline teixeluis

  • Contributor
  • Posts: 36
Re: Hantek LCR 1832C unlock
« Reply #27 on: March 26, 2021, 11:06:15 pm »
Thanks for the feedback @ZhuraYuk

Meanwhile I was also able to successfully extract a dump via USB using DfuSe Demo (v3.0.6). By leaving the R-X button pressed while pressing the power button until it beeps, the device enters DFU mode (this is described in the manual btw). We are then able to use Dfuse Demo to obtain the dfu dump using the "Upload Action" feature. Curiosly the tool detects 3 different flash devices. Not sure what the deal is there, because I couldn't find in the PCB any devices minimally resembling the M25P64 or M29W128F flash chips listed in the tool (see attached photo).

The Internal flash dump is successful and matches the dump I have obtained before via ST-Link. There are a few bytes in a isolated region of the dump (address 0x00071800) which have different values. My guess is that this corresponds to the self-calibration data, because of open-circuit run that I have performed between dumps. In order to compare the two dumps, I have converted the dfu file obtained from DfuSe Demo into a regular bin file using the DfuFileMgr tool.

Selecting the M25P64 SPI flash causes the device to hang at 6 % into the download process. For the M29W128F NOR flash the process takes a while and produces a 16 MB dump, which besides a small header and footer is filled with 0x00.

I have also attached these dumps. At a first glance it seems relatively safe to play with the SCPI commands having these backups and assuming that all the factory calibration data is contained within. There is however one 8 pin chip in the board with the markings grinded off which could ultimately be an SPI flash, even though judging by the traces and where it is placed, it looks more like something related with the signal processing (perhaps some special trade secret ADC that they are using?  :P).

Cheers


 
The following users thanked this post: thm_w

Online coromonadalix

  • Super Contributor
  • ***
  • Posts: 6724
  • Country: ca
Re: Hantek LCR 1832C unlock
« Reply #28 on: March 27, 2021, 01:32:57 am »
could be a adc ??  since the preceding ic is a sgm3002 (dual switch)
 

Offline teixeluis

  • Contributor
  • Posts: 36
Re: Hantek LCR 1832C unlock
« Reply #29 on: March 27, 2021, 02:31:15 pm »
@coromonadalix, could be a good candidate.. Pin 2 and 3 seem to be differential inputs (each switched by the sgm3002). Maybe something similar to the MCP3201.
 

Online coromonadalix

  • Super Contributor
  • ***
  • Posts: 6724
  • Country: ca
Re: Hantek LCR 1832C unlock
« Reply #30 on: March 27, 2021, 02:40:37 pm »
if the chip is buffered you could try with a wet finger or alcohol,  trying to see if you can read the ic markings ??
 

Offline bianchifan

  • Regular Contributor
  • *
  • Posts: 94
  • Country: de
Re: Hantek LCR 1832C unlock
« Reply #31 on: March 27, 2021, 03:24:38 pm »
could be a adc ??  since the preceding ic is a sgm3002 (dual switch)
Voltlog's teardown shows it as the same type as the one left down in crop -> AD8052ARZ
" alt="" class="bbc_img" />
 
The following users thanked this post: teixeluis, coromonadalix

Offline ogden

  • Super Contributor
  • ***
  • Posts: 3731
  • Country: lv
Re: Hantek LCR 1832C unlock
« Reply #32 on: March 27, 2021, 03:27:21 pm »
It is worth noting that when the device is connected via USB, the output has a significant DC offset, besides being somewhat noisy (see attached screenshot).

No wonder - because there's no isolation barrier in any of three instruments devices you interconnected.
« Last Edit: March 27, 2021, 03:34:57 pm by ogden »
 

Offline teixeluis

  • Contributor
  • Posts: 36
Re: Hantek LCR 1832C unlock
« Reply #33 on: March 28, 2021, 03:11:56 pm »
After a little more digging, and with the help of Ghidra, I was able to confirm my suspicion that this could also be done via SCPI.

As previously explained I first found that the 
Code: [Select]
fact:model command existed. I tried to use it for writing a different model string, but the command simply returns the same output as if I would be calling "fact:model ?" (query command).

Going through the code, I learned that debug mode had to be activated before being able to call commands that write factory data. The trick was how to enter debug mode.
Then I found that there is an SCPI command for doing just that.

In a nutshell, for changing the model, we have to first enter a SCPI session (I am using Keysight Connection Expert, which is the tool that is provided with this LCR meter), and do the following:

1. Enter debug mode:
Type:
Code: [Select]
calib:hantek_enter_debug_cmdand click "Send & Read"

2. Change the model string:
Type:
Code: [Select]
fact:model "Hantek1833C"and click "Send Command"

3. Save the changed setting to the flash:
Code: [Select]
fact:saveand click "Send & Read"

4. Exit debug mode:
Code: [Select]
calib:hantek_exit_debug_cmdand click "Send & Read"

After this is done, the expected model number should appear in the "SYSTEM INF" screen (pressing twice in the SET button). The 50/75 and 100 KHz frequency modes should now also become selectable via the buttons, as well as the 300 mV level.

I confirmed with the oscilloscope that the new frequencies and level are consistent with the selected values.

It is probably a good idea to run the user calibration for both open and closed circuit.

There is of course (as I mentioned initially) the high likelyhood that above 40 KHz the factory calibration is not accurate or valid, because it is doubtable that they would bother calibrating modes that are not intended to be accessible.

There are various other commands in the calib: group that appear to serve the purpose of setting the factory calibration, but I have not gone through those, and it is somewhat irrelevant without the proper reference equipment.

I hope this is helpful. In my perspective the advantage that I see  in this approach, is being able to use the factory firmware. In my particular unit it is apparently more recent than the one published in the vendor website.

You can find attached the screenshots of the sections of the flash memory that change after the commands are sent.

Cheers

« Last Edit: March 28, 2021, 03:25:20 pm by teixeluis »
 
The following users thanked this post: kripton2035, thm_w, coromonadalix, ogden, ru_tash, Microcheap, Dwaine, golftango, yg188

Offline Dwaine

  • Frequent Contributor
  • **
  • Posts: 304
  • Country: ca
Re: Hantek LCR 1832C unlock
« Reply #34 on: March 28, 2021, 06:08:27 pm »
I just bought one.  I'll try the SCPI commands and see if it works.   Thanks for this hard work.

 

Offline Microcheap

  • Frequent Contributor
  • **
  • Posts: 261
  • Country: 00
Re: Hantek LCR 1832C unlock
« Reply #35 on: March 28, 2021, 06:43:36 pm »
There is of course (as I mentioned initially) the high likelyhood that above 40 KHz the factory calibration is not accurate or valid, because it is doubtable that they would bother calibrating modes that are not intended to be accessible.

Very nice work, thanks for all the details. I got my 1832 working as 1833 simply by installing the firmware update from Hantek website. After that, I compared some measurements with a DE-5000 and they were spot on or very close.
I will try to do a more detailed comparison and I'll post here the results.
 
The following users thanked this post: teixeluis

Offline teixeluis

  • Contributor
  • Posts: 36
Re: Hantek LCR 1832C unlock
« Reply #36 on: March 29, 2021, 03:55:32 pm »
I have added some more details regarding this work here:

https://www.creationfactory.co/2021/03/reverse-engineering-and-unlocking.html

I was able to discriminate between the factory calibration commands, but determining its syntax is still WIP.

Some measurements that I have taken suggest that above 40 KHz calibration might be somewhat off even though not unusable. More details there too.

Cheers
 
The following users thanked this post: thm_w, coromonadalix

Offline hpw

  • Frequent Contributor
  • **
  • Posts: 422
  • Country: 00
Re: Hantek LCR 1832C unlock
« Reply #37 on: April 14, 2021, 05:32:53 pm »

About those Hantek LCR's:

1) How you guys measure a 1pF SMD capacity  :-DD

2) Any know 4 pol cable set for external measurements (as SMD crap)  ;D

Hp
 

Offline teixeluis

  • Contributor
  • Posts: 36
Re: Hantek LCR 1832C unlock
« Reply #38 on: April 15, 2021, 11:35:36 am »

About those Hantek LCR's:

1) How you guys measure a 1pF SMD capacity  :-DD

2) Any know 4 pol cable set for external measurements (as SMD crap)  ;D

Hp

There is this guy who designed a custom PCB for the 4-wire measurements connector and shared a few indications on how to build one:

https://hackaday.com/2020/08/28/creating-kelvin-test-leads-for-four-wire-measurments/

His PCB can be ordered here:

https://www.tindie.com/products/voltlog/lcr-meter-kelvin-test-lead-adapter-pcb/

There is also this COTS product, which in principle should also fit in the Hantek LCR connector:

https://www.aliexpress.com/item/4001038783823.html?spm=a2g0o.productlist.0.0.5dc91ac6aML8W4&algo_pvid=26e04144-93b3-47df-a78e-11f9dbe4833e&algo_expid=26e04144-93b3-47df-a78e-11f9dbe4833e-0&btsid=0b0a556816184860906842581ef6d1&ws_ab_test=searchweb0_0,searchweb201602_,searchweb201603_

I personally did a slightly more makeshift cable using what I had available, except for the alligator clips, which I have ordered:

 

Offline hpw

  • Frequent Contributor
  • **
  • Posts: 422
  • Country: 00
Re: Hantek LCR 1832C unlock
« Reply #39 on: April 16, 2021, 06:41:54 am »

About those Hantek LCR's:

1) How you guys measure a 1pF SMD capacity  :-DD

2) Any know 4 pol cable set for external measurements (as SMD crap)  ;D

Hp

There is this guy who designed a custom PCB for the 4-wire measurements connector and shared a few indications on how to build one:

https://hackaday.com/2020/08/28/creating-kelvin-test-leads-for-four-wire-measurments/

His PCB can be ordered here:

https://www.tindie.com/products/voltlog/lcr-meter-kelvin-test-lead-adapter-pcb/

There is also this COTS product, which in principle should also fit in the Hantek LCR connector:

https://www.aliexpress.com/item/4001038783823.html?spm=a2g0o.productlist.0.0.5dc91ac6aML8W4&algo_pvid=26e04144-93b3-47df-a78e-11f9dbe4833e&algo_expid=26e04144-93b3-47df-a78e-11f9dbe4833e-0&btsid=0b0a556816184860906842581ef6d1&ws_ab_test=searchweb0_0,searchweb201602_,searchweb201603_

I personally did a slightly more makeshift cable using what I had available, except for the alligator clips, which I have ordered:

Thank you for the given links!!

I was searching on ali without any success... then showed up different probes and different LCR gears...

Do you have to calibrate each time you start the 1832c, while always about 7pF off/idle, then after calibration about 0.02pF off..

Also the question rises:

. whether the cables should be shielded (may to most important as to the end of the clips) as pairs or each as 4 cables have large idle capacity calibrate

. it is a pain that even Hantek do not provide any tools and information about

. how sensitive remains the clip touched or untouched

. any guidelines seen or given how to measure a 805 SMD 1pF

. while the display as in 0.000x pF and any successful/reachable measurements going that low  ::)

Hp

 
 

Offline teixeluis

  • Contributor
  • Posts: 36
Re: Hantek LCR 1832C unlock
« Reply #40 on: April 16, 2021, 05:29:14 pm »
Hi @hpw,



Do you have to calibrate each time you start the 1832c, while always about 7pF off/idle, then after calibration about 0.02pF off..

I had success with the following approach for sub-pF measurements. If it's accurate enough I can't tell, because I don't have a very exact 1 pF capacitor at hand:

 - perform the normal open and closed circuit calibrations;
 - press REL to zero out the reading. With the kelvin probes, the value barely fluctuates (0.1 - 0.2 pF at most when you grab these, compared to the 10+ pF with the regular  2 wire clips)

Also the question rises:

. whether the cables should be shielded (may to most important as to the end of the clips) as pairs or each as 4 cables have large idle capacity calibrate

It is expected that with shielding you are able to reduce the leakage current at the surface of the conductors, so it improves the accuracy slightly.
It should become more important if you use higher frequencies for the measurements.

. it is a pain that even Hantek do not provide any tools and information about

. how sensitive remains the clip touched or untouched

Much less than with the regular probes, as I have explained above.

. any guidelines seen or given how to measure a 805 SMD 1pF

. while the display as in 0.000x pF and any successful/reachable measurements going that low  ::)

The noise floor is quite high for anything below 0.1 pF. At least with my setup..

Cheers
 

Offline Dwaine

  • Frequent Contributor
  • **
  • Posts: 304
  • Country: ca
Re: Hantek LCR 1832C unlock
« Reply #41 on: April 20, 2021, 09:33:39 pm »
After a little more digging, and with the help of Ghidra, I was able to confirm my suspicion that this could also be done via SCPI.

As previously explained I first found that the 
Code: [Select]
fact:model command existed. I tried to use it for writing a different model string, but the command simply returns the same output as if I would be calling "fact:model ?" (query command).

Going through the code, I learned that debug mode had to be activated before being able to call commands that write factory data. The trick was how to enter debug mode.
Then I found that there is an SCPI command for doing just that.

In a nutshell, for changing the model, we have to first enter a SCPI session (I am using Keysight Connection Expert, which is the tool that is provided with this LCR meter), and do the following:

1. Enter debug mode:
Type:
Code: [Select]
calib:hantek_enter_debug_cmdand click "Send & Read"

2. Change the model string:
Type:
Code: [Select]
fact:model "Hantek1833C"and click "Send Command"

3. Save the changed setting to the flash:
Code: [Select]
fact:saveand click "Send & Read"

4. Exit debug mode:
Code: [Select]
calib:hantek_exit_debug_cmdand click "Send & Read"

After this is done, the expected model number should appear in the "SYSTEM INF" screen (pressing twice in the SET button). The 50/75 and 100 KHz frequency modes should now also become selectable via the buttons, as well as the 300 mV level.

I confirmed with the oscilloscope that the new frequencies and level are consistent with the selected values.

It is probably a good idea to run the user calibration for both open and closed circuit.

There is of course (as I mentioned initially) the high likelyhood that above 40 KHz the factory calibration is not accurate or valid, because it is doubtable that they would bother calibrating modes that are not intended to be accessible.

There are various other commands in the calib: group that appear to serve the purpose of setting the factory calibration, but I have not gone through those, and it is somewhat irrelevant without the proper reference equipment.

I hope this is helpful. In my perspective the advantage that I see  in this approach, is being able to use the factory firmware. In my particular unit it is apparently more recent than the one published in the vendor website.

You can find attached the screenshots of the sections of the flash memory that change after the commands are sent.

Cheers

I just got my device today.  Confirming that the above SCPI commands were successful at changing my device to a 1833C

Thanks
 
The following users thanked this post: teixeluis, golftango

Offline rickypr

  • Newbie
  • Posts: 2
  • Country: pr
Re: Hantek LCR 1832C unlock
« Reply #42 on: May 13, 2021, 12:22:12 pm »
Thanks for all the useful information.

I want to purchase my first LCR and have been researching for sub $150 units. The DE-5000 is the most recommended unit in this price range, but the Hantek unit got my attention for its TFT LCD, integrated USB-C and 18650 batteries. It is tempting to purchase the 1832C and unlocking the extra test frequencies and voltage. The Hantek 1832C costs $111.99 and the DE-5000 costs $103.87 on Amazon. Which one would you choose? Thanks!
 

Online coromonadalix

  • Super Contributor
  • ***
  • Posts: 6724
  • Country: ca
Re: Hantek LCR 1832C unlock
« Reply #43 on: May 13, 2021, 02:19:37 pm »
the hantek doesn't come with kelvin plugs or tweezers test plug  maybe add 20-25$ usd for each, even hacked  the calibration procedures are unknown (not the open close calibration)

the de5000 can come fully equiped for around 120$ usd,  minus the red casing and the usb interface,

At the moment i use an de5000,  cant ask more for now  loll

until the last bits of the 1832c to 1833c conversion are known,  personally i would not purchase it.
 

Offline rickypr

  • Newbie
  • Posts: 2
  • Country: pr
Re: Hantek LCR 1832C unlock
« Reply #44 on: May 13, 2021, 03:33:59 pm »
Thanks for your input!
 

Offline teixeluis

  • Contributor
  • Posts: 36
Re: Hantek LCR 1832C unlock
« Reply #45 on: June 03, 2021, 08:56:49 pm »
I haven't confirmed personally yet, but apparently there is a hardware tweak that is needed so that measurements above 40 KHz are correct. This was provided by a reader, it needs further confirmation, but sounds promising:

https://www.creationfactory.co/2021/03/reverse-engineering-and-unlocking.html?showComment=1622733342560#c2775361835350856538

Cheers
 
The following users thanked this post: thm_w, coromonadalix

Online coromonadalix

  • Super Contributor
  • ***
  • Posts: 6724
  • Country: ca
Re: Hantek LCR 1832C unlock
« Reply #46 on: June 04, 2021, 12:01:58 am »
Copy pasted from the previous link:

Capacitors C66, C67, C68, C69 are located near the reference resistors and form an RC filter with them at a frequency of 45 kHz. When calibrating, at a frequency higher than this, the capacitors shunt the reference resistors and the calibration is incorrect. I realized this when measuring an accurate resistor of 10,000kΩ, at a frequency of 100kHz it showed 30kΩ. After removing 4 capacitors and calibrating, it began to show 10,000 kΩ at all frequencies. To memorize the calibration results, press the SET button 3 times and after turning on the device, the calibration settings are saved




Just need an 1833 owner to confirm theses capacitors / resistors values
 

Offline Russ3000

  • Regular Contributor
  • *
  • Posts: 57
  • Country: il
Re: Hantek LCR 1832C unlock
« Reply #47 on: June 04, 2021, 11:57:21 am »
Copy pasted from the previous link:

....... To memorize the calibration results, press the SET button 3 times and after turning on the device, the calibration settings are saved....


It has not been possible to do this yet, the device remembers the calibration only until it is turned off.

Posted by developers
https://www.eediscuss.com/forum.php?mod=viewthread&tid=15195&extra=page%3D1
« Last Edit: June 05, 2021, 09:19:07 am by Russ3000 »
 

Offline kreutz

  • Newbie
  • Posts: 9
  • Country: us
Re: Hantek LCR 1832C unlock
« Reply #48 on: June 04, 2021, 02:53:52 pm »
I haven't confirmed personally yet, but apparently there is a hardware tweak that is needed so that measurements above 40 KHz are correct. This was provided by a reader, it needs further confirmation, but sounds promising.............

Does the 1833 model have those capacitors installed?
 

Offline Russ3000

  • Regular Contributor
  • *
  • Posts: 57
  • Country: il
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf