For some time I've felt the need to have a piece of equipment allowing me to measure inductance, impedance and a broader range of capacitance values. For the rest of the relevant types of measurements I've already had a digital multimeter and an oscilloscope, which have proven sufficient so far.
The device in question is named LCR after the symbols that represent the quantities that is capable of measuring. L represents Inductance (the letter conventionally used in the mathematical equations involving this quantity), C stands for Capacitance and R is Resistance.
In a more advanced LCR meter or in this model in particular, other quantities such as the Q factor, Equivalent Series Resistance (ESR), Impedance (Z) and Reactance (X) can also be measured.
One aspect that characterizes the versatility of an LCR meter is the range of frequencies that it is capable of synthesizing in order to produce measurements. An LCR meter with a broader range of frequencies will be capable of measuring the inductance of a component closer to the conditions in which it will be operated.
In this particular LCR meter, the user can select frequencies between 100 Hz and 40 KHz. There is a "twin" version of this meter - the 1833C, which is capable of outputting 50, 75 or 100KHz sine waves as well, and two different voltage output levels can be selected - 300 mV rms or 600 mV rms. The 1832C only outputs a fixed 600 mV.
While I don't have a confirmation that the hardware on the 1833C is the same, some users were able to find that after installing the firmware provided in the vendor page in their 1832C devices (there is only one firmware image for all the 183x models), to their surprise the device was now reporting as 1833C, and they could then select frequencies up to 100 KHz.
While this is a relatively simple way of "converting" the device, I found that my (recently purchased) meter had a firmware version which appeared more recent than the one found in the website, judging by the date code/version number of each. Mine has version 20201120PM, whereas the one in the Hantek site is 2020101001AM according to the filename and the photo provided by one user in the blog where this topic first appeared: https://www.eevblog.com/forum/testgear/hantel-lcr-1832c-unlock/
As I didn't want to let go this eventually improved firmware version, I decided to try to find if there was an alternative way of achieving the same effect, i.e. unlock the frequencies and the 300 mV level.
By reading the manual I found that this instrument supports SCPI (Standard Commands for Programmable Instruments) commands. This is basically a spec that describes a standard way for devices to communicate with a given test equipment. The physical interface in this case is USB, but the specification is agnostic to the physical layer. Another popular physical interface from the days when this standard first appeared is the GPIB bus (IEEE-488.1), but is less common in more modern devices.
So my focus was on trying to figure out if there would be some undocumented SCPI command to change factory data. I knew that many devices support changing lower level calibration data and even model data (as is the case of the Rigol DS1052E oscilloscope) via SCPI, so chances were they would use such approach to calibrate and set the model in the factory, while keeping the rest of the process the same for the two models.
By playing a bit with the SCPI commands, I found that I could set the frequency to 100 KHz using the FREQuency <freq> command:
In order to find other commands, my first approach was to analyse the binary image of the firmware and look for relevant strings. This allowed me to figure out the existence of a "fact:model ?" command that when called would return the current model string:
-> fact:model ?
<- model = Hantek1832C
Upon trying to use it for writing, i.e.:
-> fact:model Hantek1833C
<- model = Hantek1832C
it would just behave as the query command. Seemed too easy but I had to try anyway :)
So I decided to go deeper in the analysis and begin with a tool called Ghidra.
This is basically a open source tool first created by the NSA (not too surprising why this organization needed to develop such tool :) ), that is capable of decompiling code from multiple architectures. In this case, the LCR meter has an STM32 microcontroller:
So I needed to be able to decompile Arm Cortex Little Endian 32 bit code.
The tool is quite compreehensive and can even generate flow graphs such as this one:
Not very helpful but cool.
Not too long into the analysis, I realized that there was a global variable that was a pointer to an address in RAM containing a byte used as a boolean. When this byte was set to 0x01, certain commands were allowed to run.
In the STM32, any address in the 0x20000000-0x2000FFFF range corresponds to the SRAM:
So by looking up this address (0x200031E6) in other parts of the code, I found where it was being read, and also asserted. I was able to conclude that this was the variable that would tell if the device was in debug mode or not. Among the various commands that dependend on this variable being set to 0x01, was the fact:mode write command.
So I only had to figure out how to enter debug mode. I found another function that grouped various calibration related strings, and among these were the strings "hantek_enter_debug_cmd" and "hantek_exit_debug_cmd". And precisely in this section of the code is where the debug global variable was being set. By digging a little bit further, I could see that these two commands belonged to the CALIB subsystem, and essentially this function was responsible for handling all the commands of this subsystem.
So with this information, I decided to experiment in runtime, and yes the device appeared to enter debug mode:
Intuitively, my next step was to try the fact:mode for writing. I entered the command:
fact:mode Hantek1833C
and verified that no response was produced. This is normal for write commands. So I exited debug mode:
and tried the same command for reading, i.e.
fact:mode ?
as expected, the command returned Hantek1833C
but as I executed another SCPI command *IDN? (this is a command that most devices support, and it provides information about the software and hardware in the device), I obtained the same model nr:
Hantek Handheld LCR Meter,Hantek1832C,CN************,20201120PM
By executing it after changing the model string, this time yes, the change was persisted:
I was then able to confirm that everything was as expected: I could now change to any of the new frequencies, and set the 300 mV level as well:
So in a nutshell, the commands that need to be executed:
- Enter debug mode:
calib:hantek_enter_debug_cmd - Change the model string (this command will not return data, so use the "Send Command" button in this case):
fact:model "Hantek1833C" - Save the change:
fact:save - Exit debug mode:
calib:hantek_exit_debug_cmd - Confirm that the change was successful:
*IDN?
After the change is committed, I was able to compare the contents of the flash before and after the change, and confirm that for example no calibration data is lost. As can be seen only the model string, and what appears to be a flag have changed.
calib:600mvopen
calib:600mvshort
But as of yet it is not clear how to use these. Some commands appear to provide a readout of the calibration data, but the exact syntax is still to be figured out.
14 comments:
Hey!
I unlocked it in 1832 and found what to do to make the device show correctly at high frequencies. To do this, it is enough to evaporate 4 capacitors that are located with calibration resistors and form a 45 kHz high-pass filter with them. After that, you need to carry out the usual calibration.
Good luck!
Hi,
Thanks for the hint! Can you detail more the procedure you describe? I.e. which are these 4 capacitors? And do you have any idea if these capacitors are absent in the 1833C?
Cheers
Good evening!
Capacitors C66, C67, C68, C69 are located near the reference resistors and form an RC filter with them at a frequency of 45 kHz. When calibrating, at a frequency higher than this, the capacitors shunt the reference resistors and the calibration is incorrect. I realized this when measuring an accurate resistor of 10,000kΩ, at a frequency of 100kHz it showed 30kΩ. After removing 4 capacitors and calibrating, it began to show 10,000 kΩ at all frequencies. To memorize the calibration results, press the SET button 3 times and after turning on the device, the calibration settings are saved. But it is not exactly. Whether there are these capacitors in 1833 I do not know, I think not, otherwise the device would have been calibrated incorrectly
Happy experiments!
This sounds good. It makes sense that they might have done something extra to differentiate the models. And being the case, it is surely a cheap way of achieving such segregation at the hardware level.
I confirm the same in my device, while testing parallel resistance on a 10 K resistor. Up to 40 KHz is steady at 10 K, but as I select higher frequencies the value progressively increases up to 30 K at 100 KHz.
Indeed on a resistive load the frequency shouldn't matter, even asssuming incorrect calibration offsets..
Ultimately what the 1833 might have instead are different valued capacitors, so that the cutoff frequency is above 100 KHz.
Nice one! Thanks
If these capacitors are in 1833, then their capacity should be 3 times less, parallel to the 100kOhm calibration resistor was a 22pF capacitor, 10kOhm - 245pF. The device works great without these capacitors at all. It may be necessary to adjust at high frequencies by installing capacitors, but the capacitance must be calculated for a 100kHz filter.
Good luck!
It is necessary to wash the board with isopropanol, after which the device works more stable.
I never found a 10Ω calibration resistor on the board.
hello,
Please could you tell me the correct values for C66,C67,C68 and C69?
HANTEK 1833 100KHz
Thanks.
Fernando
Regarding the 1832C I will look forward to remove these caps and measure their values. Quoting a Unknown user from this blog, he mentioned:
"If these capacitors are in 1833, then their capacity should be 3 times less, parallel to the 100kOhm calibration resistor was a 22pF capacitor, 10kOhm - 245pF."
Regarding the 1833C I guess we will have to wait for a volunteer with that model..
Cheers
I've taken one for the team and got a 1833C. No tamper stickers or anything so I'm going in...
Unfort I don't have another bridge to check the capacitance and all my toys are in a different country. covid = no travel.
The cap mode on the fluke 189 is not going to cut it. I do have a line on a agilent u1733c but I'll have to fix it for my friend before I can use it.
R84 is 100R, R85 is 1k, R86 is 10k and R87 is 100k, so same as the 1832 I assume.
stay tuned.
Thanks for the feedback @Unknown,
Great, will be looking forward to hear more from you. We currently expect the capacitors to have different values, so that the cutoff frequency is higher than in the 1832C.
Cheers
Ok, here we go.
I've taken the capacitors out of circuit for measurement just to be sure. Measurement was done by a Aligent 1733c. I've taken the liberty to present the nearest EIA values.
C66 (// with 100k) = 56pF
C67 (// with 10k) = 220pF
C68 (// with 1k) = 470pF
C69 (// with 100R) = 1nF
cheers,
affa
Hello @affa,
Awesome. Thanks for your time providing this valuable info.
So, the bottom line is that even though we might get away with working results just by removing these capacitors on the 1832C, ideally we should replace by these values, in order to obtain the correct frequency cutoff.
Cheers,
Luis Teixeira
Hello, do you know what is the screen part number? I bought a 1833C but the screen is damaged and want to know if I can replace it. At the moment I don't want to open the unit until know if is it possible. It is under warranty but shipping back can be expensive.
Post a Comment