Approach 1:
It seems that the firmware contains gnu tar (maybe it's located in elgato/utils).
You can check what filesystems you have with "mount"
or "cat /proc/mounts"
Then dump them individually with
tar --one-file-system -cvzf /mnt/fs1.tgz /fs1_mount_point
Where /fs1_mount_point is the mount point you see in the list of mounts above.
Skip virtual and temporary filesystems such as /proc.
Approach 2:
cp /dev/mtdsomething /mnt/mtdsomething.raw
This way you can get raw flash images (of individual flash partitions or the whole flash chip).
The device names (mtdsomething) you can get from the list of mounts as described above.
I suggest you do both, because the latter approach is good for backup and replication.
The former one gets the files easily accessible.
I can give you the exact commands in a week or so when I return home.
Or just PM me the output of
cat /proc/mtd
cat /proc/mounts
tar --version
gzip --version
ls -lR /
dmesg
Redirect command outputs to files with "> filename"
Yes, the second approach is the good one, I will try it. Here are my outputs:
[root@Linux /root]$cat /proc/mtd
dev: size erasesize name
mtd0: 04000000 00040000 "Physically mapped flash"
mtd1: 00100000 00040000 "zImage"
mtd2: 00300000 00040000 "ramdisk.gz"
mtd3: 03c00000 00040000 "User FS"
[root@Linux /root]$cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / ext2 rw 0 0
/proc /proc proc rw 0 0
none /dev/pts devpts rw 0 0
/dev/mtdb3 /flash jffs2 rw 0 0
[root@Linux /root]$tar --version
tar: unrecognized option `--version'
BusyBox v0.60.3 (2002.06.05-19:04+0000) multi-call binary
Usage: tar -[cxtvO] [--exclude FILE] [-X FILE][-f TARFILE] [-C DIR] [FILE(s)] ...
Create, extract, or list files from a tar file.
Options:
c create
x extract
t list
File selection:
f name of TARFILE or "-" for stdin
O extract to stdout
exclude file to exclude
X file with names to exclude
C change to directory DIR before operation
v verbosely list files processed
[root@Linux /root]$gzip --version
gzip: invalid option -- -
BusyBox v0.60.3 (2002.06.05-19:04+0000) multi-call binary
Usage: gzip [OPTION]... FILE
Compress FILE with maximum compression.
When FILE is '-', reads standard input. Implies -c.
Options:
-c Write output to standard output instead of FILE.gz
-d decompress
[root@Linux /root]$ls IR /
ls: IR: No such file or directory
/:
bin etc home linuxrc mnt proc root tmp var
dev flash lib lost+found nfs rd sbin usr xdrive
[root@Linux /root]$dmesg
360K data, 88K init)
Dentry cache hash table entries: 8192 (order: 4, 65536 bytes)
Inode cache hash table entries: 4096 (order: 3, 32768 bytes)
Mount-cache hash table entries: 1024 (order: 1, 8192 bytes)
Buffer-cache hash table entries: 4096 (order: 2, 16384 bytes)
Page-cache hash table entries: 16384 (order: 4, 65536 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
sa1111_pcibuf: initializing SA-1111 DMA workaround
SA1111 Microprocessor Companion Chip: silicon revision 1, metal revision 1
Starting kswapd
JFFS version 1.0, (C) 1999, 2000 Axis Communications AB
JFFS2 version 2.1. (C) 2001 Red Hat, Inc., designed by Axis Communications AB.
ttyS0 at I/O 0xf0100000 (irq = 50) is a 16550A
ttyS1 at I/O 0xf0120000 (irq = 51) is a 16550A
ttyS2 at I/O 0xf0140000 (irq = 52) is a 16550A
ttyS3 at I/O 0xf0160000 (irq = 54) is a 16550A
ttySA0 at MEM 0x80050000 (irq = 17) is a SA1100
ttySA1 at MEM 0x80010000 (irq = 15) is a SA1100
ttySA2 at MEM 0x80030000 (irq = 16) is a SA1100
Console: switching to colour frame buffer device 80x30
initialize_kbd: Keyboard reset failed, no ACK
Keyboard timed out[1]
keyboard: Timeout - AT keyboard not present?
Keyboard timed out[1]
keyboard: Timeout - AT keyboard not present?
pty: 256 Unix98 ptys configured
UCB1200 generic module installed
ucb1200 touch screen driver initialized
ucb1200 adc driver initialized
UCB1200 audio driver version 2.2 initialized
UCB1200 audio driver Click-Avoid patch: TT <tthaele@papenmeier.de>
UCB1200 Mixer driver version 0.1 initialized. TT <tthaele@papenmeier.de>
smartio driver initialized. version 1.10, date:28-Jun-2002
SmartIO ID : 0x5002
Device Version : 5(0x35)
Device Type : 0x8535
SA1100 Real Time Clock driver v1.00
Uniform Multi-Platform E-IDE driver Revision: 6.31
ide: Assuming 50MHz system bus speed for PIO modes; override with idebus=xx
smc9194.c:v0.14 12/15/00 by Erik Stahlman (erik@vt.edu)
eth0: SMC91C96(r:9) at 0xf00e0000 IRQ:58 INTF:TP MEM:6144b ADDR: 00:60:0c:01:37:05
RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize
loop: loaded (max 8 devices)
PPP generic driver version 2.4.2
Sound: SA1111 UDA1341: dsp id 3 mixer id 0
SA1111 audio out: SA-1111 SAC DMA channel 6 in use
DMA request for SAC output failed
physmap flash device: 4000000 at 8000000
Physically mapped flash: Found 2 x16 devices at 0x2000000 in 32-bit mode
0: offset=0x0,size=0x40000,blocks=128
1: offset=0x2000000,size=0x40000,blocks=128
Using buffer write method
SA1100 flash: probing 32-bit flash bus
SA1100 flash: Found 2 x16 devices at 0x2000000 in 32-bit mode
0: offset=0x0,size=0x40000,blocks=128
1: offset=0x2000000,size=0x40000,blocks=128
Using buffer write method
Using static partition definition
Creating 3 MTD partitions on "SA1100 flash":
0x00000000-0x00100000 : "zImage"
0x00100000-0x00400000 : "ramdisk.gz"
0x00400000-0x04000000 : "User FS"
Linux Kernel Card Services 3.1.22
options: [pm]
SA-1100 PCMCIA (CS release 3.1.22)
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
hcd/ohci-sa1111.c: starting SA-1111 OHCI USB Controller
hcd/ohci-sa1111.c: ohci-hcd (SA-1111) at 0xf4000400, irq 109
usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 1 port detected
usb.c: registered new driver hiddev
usb.c: registered new driver hid
hid-core.c: v1.8.1 Andreas Gal, Vojtech Pavlik <vojtech@suse.cz>
hid-core.c: USB HID support drivers
mice: PS/2 mouse device common for all mice
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 4096 bind 4096)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NetWinder Floating Point Emulator V0.95 (c) 1998-1999 Rebel.com
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 3072K
EXT2-fs warning: checktime reached, running e2fsck is recommended
VFS: Mounted root (ext2 filesystem).
Freeing init memory: 88K
hub.c: USB new device connect on bus1/1, assigned device number 2
hub.c: USB hub found
hub.c: 4 ports detected
enable_irq(115) unbalanced from c032558c
Trying to free nonexistent resource <ce8b7000-ce8b700f>
hda: CF Card, ATA DISK drive
ide0 at 0xce8b7000-0xce8b7007,0xce8b700e on irq 115
hda: task_no_data_intr: status=0x51 { DriveReady SeekComplete Error }
hda: task_no_data_intr: error=0x04 { DriveStatusError }
hda: 3902976 sectors (1998 MB) w/1KiB Cache, CHS=242/255/63
Partition check:
hda: hda1
ide_cs: hda: Vcc = 3.3, Vpp = 0.0
VFS: Can't find ext2 filesystem on dev ide0(3,1).
cramfs: wrong magic
VFS: Can't find ext2 filesystem on dev ide0(3,1).
cramfs: wrong magic
AVR driver initialized. version 1.1, date:Aug 6 2004
VFS: Can't find ext2 filesystem on dev ide0(3,0).
cramfs: wrong magic
FAT: bogus logical sector size 64543
VFS: Can't find a valid FAT filesystem on dev 03:00.
JFFS: Trying to mount a non-mtd device.
jffs2: attempt to mount non-MTD device 03:00
VFS: Can't find ext2 filesystem on dev ide0(3,1).
cramfs: wrong magic
I used DD, not sure if it will work:
[root@Linux /]$dd if=/dev/mtdb3 of=/mnt/mtdb3.img bs=32
1966080+0 records in
1966080+0 records out
[root@Linux /]$ls -l /mnt
-rwxr-xr-x 1 root root 62914560 Jul 7 23:06 mtdb3.img
-rwxr-xr-x 1 root root 157280 Jul 7 22:54 printScreen.png
Thanks for the dump!
Yes, dd suits the task better. I thought there's no dd there.
03c00000 = 62914560 so the size of mtdb3.img is correct.
It would be a good idea to dump the whole flash (mtd0) so you have a whole image if something goes wrong (and, please, share it too).
You may want to set bs=1024 or something so it would go faster.
[root@Linux /root]$tar --version
tar: unrecognized option `--version'
It's a crippled busybox version.
Gnu tar is at /flash/elgato/utils/tar
Do you think it got corrupted after the transfer? I can dump it again for you or just go straight for the raw dump.
No, I think all the needed files are copied ok. A bit of inconvenience is that unix permissions are not saved. But if you do a raw flash dump I should be able to extract them.
I noted the version of tar as the backup procedure I described as "Approach 1" requires GNU tar.
For the very unlikely case someone wants to reverse engineer DSP code for the E7495,
I want to share my findings about the format of DSP .bin files.
The DSP is Analog Devices SHARC 21160M.
egServer/Dragonfly/Measurements/UserCode/*.bin:
* length of blob1 (32bit, LE)
* blob1 (SHARC code)
* length of blob2 (32bit, LE)
* blob2 (unknown)
* length of blob3 (32bit, LE)
* blob3 (unknown)
* blob4 (unknown)
egServer/Dragonfly/Firmware/E7495A/run.bin
egServer/Dragonfly/Firmware/E7495A/setu.bin
egServer/Dragonfly/Firmware/CPXSRC/run.bin
egServer/Dragonfly/Firmware/CPXSRC/setu.bin:
* 12 byte header or some setup code
* flash image
The flash image starts from SHARC code in a weird byte order.
I used the unidasm utility from the MAME project to look at the SHARC assembly.
unidasm doesn't get all the opcodes from the 21160M right, but most of the code looks ok.
I'm attaching the Tcl script I use to prepare code for unidasm.
Here's how to call it for Firmware:
./reord.tcl 12 12 '2 3 0 1 6 7 p p 4 5 10 11 8 9 p p' run.bin tmp.bin
./unidasm -arch sharc tmp.bin
And for UserCode:
./reord.tcl 4 6 '5 4 3 2 1 0 p p' demod.bin tmp.bin
./unidasm -arch sharc tmp.bin
bloblist.tcl is for splitting UserCode files.
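A splitter for the UserCode layout listed in the post above, as an added Python example (it is not the poster's bloblist.tcl, which is not shown on this page). It assumes the 32-bit length fields count bytes and that blob4 runs to the end of the file; the function name and the sample bytes are constructed for illustration.

```python
import struct

def split_usercode(data):
    """Split a UserCode .bin image into [blob1, blob2, blob3, blob4].

    Layout per the post: three blobs, each preceded by a 32-bit
    little-endian length, then a fourth blob with no length field.
    Assumptions: lengths are in bytes, blob4 is the rest of the file.
    """
    blobs, pos = [], 0
    for index in (1, 2, 3):
        if pos + 4 > len(data):
            raise ValueError(f"file ends before the length of blob{index}")
        (length,) = struct.unpack_from("<I", data, pos)
        pos += 4
        remaining = len(data) - pos
        if length > remaining:
            # A corrupt or misread length must not silently yield a short blob.
            raise ValueError(
                f"blob{index} claims {length} bytes, only {remaining} left")
        blobs.append(data[pos:pos + length])
        pos += length
    blobs.append(data[pos:])  # blob4: whatever follows blob3
    return blobs

# Constructed sample, not taken from a real instrument file.
SAMPLE = (
    struct.pack("<I", 12) + bytes(range(12))   # blob1: two 6-byte words
    + struct.pack("<I", 3) + b"abc"            # blob2
    + struct.pack("<I", 0)                     # blob3: empty
    + b"tail"                                  # blob4
)

if __name__ == "__main__":
    for number, blob in enumerate(split_usercode(SAMPLE), start=1):
        print(f"blob{number}: {len(blob)} bytes")
```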
Thank you very much! The image is good.
Could you dump mtdb0 as well?
Sure, I have it in my office. I'll try on Monday.
May I ask you, do you know where the piece of code to do the GPS timebase calibration lives? I got a real E7495B and the calibration option works fine. Seems like the files might be corrupted or missing on my L4600A.
Warmly
It won't be localized in one particular place. It should start from the GUI, then the elgato executable, and then downstream to the hardware. I think it's a good idea to check the clock externally (what goes on if you change the reference). It may well be possible that the L4600A does the adjustment automatically.
If the code from L4600 runs on my E7495A, I'd check what happens to the time adjustment function.
[root@Linux /dev]$dd if=/dev/mtdb0 of=mtdb0.img bs=1024
dd: /dev/mtdb0: No such device
It didn't allow me.
Thanks, it should be just a concatenation of other three images. It's not needed as you posted the other ones.
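The two checks made in the replies above (03c00000 = 62914560 for the mtdb3 dump, and mtd0 being the concatenation of the other three partitions), as an added Python example that is not part of the original thread. The /proc/mtd text is copied from the post above; the function names are made up for illustration.

```python
import re

# /proc/mtd as posted earlier in this thread.
PROC_MTD = '''dev: size erasesize name
mtd0: 04000000 00040000 "Physically mapped flash"
mtd1: 00100000 00040000 "zImage"
mtd2: 00300000 00040000 "ramdisk.gz"
mtd3: 03c00000 00040000 "User FS"
'''

LINE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"(.*)"$')

def parse_proc_mtd(text):
    """Return {dev: {"size": int, "erasesize": int, "name": str}}."""
    parts = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # the "dev: size erasesize name" header line does not match
            dev, size, erase, name = m.groups()
            parts[dev] = {"size": int(size, 16),
                          "erasesize": int(erase, 16),
                          "name": name}
    return parts

def check_dump(parts, dev, dump_size):
    """Return a list of problems with a dump of `dev` of `dump_size` bytes."""
    p = parts[dev]
    problems = []
    if dump_size != p["size"]:
        problems.append(f"{dev}: got {dump_size} bytes, expected {p['size']}")
    if dump_size % p["erasesize"]:
        problems.append(f"{dev}: size is not a whole number of erase blocks")
    return problems

def whole_chip_is_concatenation(parts, whole="mtd0"):
    """True if the other partitions add up to exactly the whole-chip device."""
    rest = sum(p["size"] for d, p in parts.items() if d != whole)
    return rest == parts[whole]["size"]

if __name__ == "__main__":
    parts = parse_proc_mtd(PROC_MTD)
    # dd reported 1966080 records of bs=32 for mtdb3.
    print(check_dump(parts, "mtd3", 1966080 * 32) or "mtd3 dump size OK")
    print("mtd0 == mtd1+mtd2+mtd3:", whole_chip_is_concatenation(parts))
```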
Now I played with the L4600 software for some time.
Good things:
* It does run on the E7495
* FM modulation is working.
* User-defined modulation files should work (I haven't tried it yet).
* FM analyzer is working.
* Source Level adjustment in the "Two port insertion loss" mode adjusts the amplitude smoothly above -25dBm.
Bad things:
* The calibration is off.
* The generator is not working below 375MHz.
* GPS can't be used as a frequency reference (it's not even listed). I think it's the same problem jordi has on the L4600A.
My E7495A refused to work on battery. Now I regret that I dug into this. It took so much time...
The issue that was looking like a component failure appeared to be a pure software thing.
There is some SMBUS/Smart battery ugliness. Anyway, now I know quite a lot about this module.
I can help with diagnostics and repair.
I have an E7495B that refuses to work on batteries. I bought brand new batteries - 2 pcs Inspired Energy, type NI2040ED29 - from accutronics.co.uk . (The batteries were more expensive than the E7495B.)
When running on external power, everything works fine; the batteries are identified and charged - the battery information screen looks just fine with charging status and voltages correctly presented. The problem is, when booting up on battery power it passes the initial BIOS screens and then just powers off itself. Any information on how/where to rectify this would be most welcome.
Best regards,
eplpwr
Yes, the symptoms are very similar to what I have seen. However that's not enough to be sure.
Do you see any glitches while charging? For example, something like an incorrect charge % or the battery LEDs changing unexpectedly.
What happens to the LEDs while booting on battery?
Hello all,
I'm pretty new to Linux hacking and I have an Agilent E7495A that I am trying to do the licence hack on. Is there a pre-made file with all options enabled? Currently I have these options installed:
200-cdmaOne/CDMA 2000 Analyzer
210 cdmaOne/CDMA 200 Over air test
220 Channel scanner
510 CW & Complex modulation signal Generator
600 Power Meter
700 T1 analyser
I have pulled off the Elgato file from egServer.
Hope someone can help.
TIA
Hello Tia,
No, I don't think there is a premade file (we all had to mod ours). If you upload it, we can verify if it is correct. When el gato is modified correctly (and installed), you must manually add the licenses by modifying the other file (forgot the name).
I've uploaded the original .lic file, the modded version I made and the current version of elgato that is installed on the device. They are inside the zip file.
All files are untouched apart from the modded .lic file.
Can anyone provide a (RAM) memdump of E7495A running? Preferably, with valid options running.
(Copying /dev/mem should be sufficient, if possible.)
Can try to do on 7495B in case you have no luck with A
I don't think it's that easy. /dev/mem is not the RAM representation. It gives access to a physical address space. It's not contiguous and may not be safe to access. I think that "cp /dev/ram" would just fail.
https://superuser.com/questions/71389/what-is-dev-mem
If you're interested in one particular application (process), you would need a core file.