Author Topic: Agilent E7495 linux root account  (Read 88439 times)


Urs42
Agilent E7495 linux root account
« on: February 16, 2015, 04:49:55 pm »
I found out it's running Linux on an ARM CPU. I can't have any Linux box without root access, so I did some password cracking:

User: guest
Pass: noname

User: root
Pass: wh1skers

You can log in to it with telnet. It has many serial ports; I suspect that most of them are used to communicate with the spectrum analyzer part. The power-up config of the device is stored in /flash/egServer/registry/Powerup/ if you want to change some default settings. There is an FTP client on the device; if you run an FTP server on your computer, you can use it to copy files from and to the device. Binaries from Debian woody will work on the device.

 

jwm_
Re: Agilent E7495 linux root account
« Reply #1 on: February 17, 2015, 01:38:39 pm »
That is great, time to email them and ask for the source code. Depending on their mood, we may get the source to drivers for their hardware in it.

Wuerstchenhund
Re: Agilent E7495 linux root account
« Reply #2 on: February 17, 2015, 05:52:09 pm »
Nice find! Yes, the E7495 is a nice device, and great for hacking or expanding its capabilities, probably more so than most other VSAs in that price class.

You should be able to get the source code for the OSS stuff from Keysight but I believe the hardware drivers are closed source binaries.

But hey, there's a lot that could potentially be done with that thing. Maybe someone can fix the sometimes temperamental screen capture function, or even modify it so that it works with USB drives as well.
 

Urs42
Re: Agilent E7495 linux root account
« Reply #3 on: February 17, 2015, 07:14:49 pm »
There is no USB Storage Support in the kernel running on the device, and the module is also missing :-(

The kernel version that is running on the device is available on the internet. The .config from the kernel would help with building a matching module; I'm not sure if it's possible to build it without the .config.

They are obligated to give us the source, because of the GPL...

I think that the mounting and unmounting of the CF card is done with shell scripts; it should be possible to switch the scripts to USB.

The licensing of options is done with the flexlm license manager, I have no idea how secure this thing is. There are many options that don't need additional hardware. I think it might be possible to copy licenses from one device to another.

 

jwm_
Re: Agilent E7495 linux root account
« Reply #4 on: February 17, 2015, 07:17:51 pm »
If it does just communicate with its devices over serial links, it would be easy to interpose a driver to capture and sniff the data. Also possible for USB, but a bit trickier if we can't load a kernel module.

Can you post its full boot logs, lspci and lsusb?

I was thinking of picking up one of those for use as a general spectrum analyzer, how hampered will I be that it was designed for a specific purpose? Will I always be fighting the UI that keeps on wanting me to repair base stations?

Lukas
Re: Agilent E7495 linux root account
« Reply #5 on: February 17, 2015, 09:24:06 pm »
Btw, you can download a firmware upgrade from Keysight and reverse engineer as you like.

Strangely, this device runs some embedded sort of Java! xkcd: http://xkcd.com/801/

They took advantage of that, so the PC software they offer simply is the same one that runs on the device, with the difference that it doesn't connect to localhost.

You're wondering why this thing takes so long to boot? This may be part of the answer:

Code:
# There's some defect in the GUI that results in
# intermittent hangs on startup (very rare, but some
# boxes can hit it regularly). This delay is a workaround
# to avoid them. When the root cause is found and fixed
# this delay can be removed.
sleep 16
« Last Edit: February 17, 2015, 09:25:40 pm by Lukas »
 

Wuerstchenhund
Re: Agilent E7495 linux root account
« Reply #6 on: February 17, 2015, 09:28:43 pm »
Quote
I was thinking of picking up one of those for use as a general spectrum analyzer, how hampered will I be that it was designed for a specific purpose?

Not hampered at all. It's a normal Vector SA which covers from 500kHz to 2.5GHz (E7495A)/2.7GHz (E7495B) all the way from zero span to full span.

Also no need to "fight" the menu. You can ignore the BTS specific software and select "Spectrum Analyzer" directly in the main menu.

I'm working on a review of my E7495B, with some luck I might finish it this weekend.
« Last Edit: February 17, 2015, 09:30:21 pm by Wuerstchenhund »
 

Urs42
Re: Agilent E7495 linux root account
« Reply #7 on: February 18, 2015, 05:30:14 am »
The GUI part of the software is Java; there is also a server part that is not written in Java. Some parts of the software are missing in the firmware update.

Some details from a running system:

Code:
[root@Linux /root]$dmesg
Linux version 2.4.19-rmk7-ads5 (sreynard@elgato2.soco.agilent.com) (gcc version 2.95.2 19991024 (release)) #30 Wed Apr 28 13:36:58 UTC 2004
CPU: StrongARM-1110 revision 9
Machine: ADS GraphicsMaster
Warning: bad configuration page, trying to continue
On node 0 totalpages: 8192
zone(0): 256 pages.
zone(1): 7936 pages.
zone(2): 0 pages.
On node 1 totalpages: 8192
zone(0): 256 pages.
zone(1): 7936 pages.
zone(2): 0 pages.
Kernel command line: console=tty1 mem=32m@0xC0000000 mem=32m@0xC8000000 rw ramdisk_size=8192 initrd=0xC0800000,3m root=/dev/ram sa1100_pcmcia_opts=sock:0(speed_io:100,fast_mode),sock:1(speed_io:80)
Relocating machine vectors to 0xffff0000
Console: colour dummy device 80x30
Calibrating delay loop... 137.21 BogoMIPS
Memory: 32MB 32MB = 64MB total
Memory: 59552KB available (1716K code, 360K data, 88K init)
Dentry cache hash table entries: 8192 (order: 4, 65536 bytes)
Inode cache hash table entries: 4096 (order: 3, 32768 bytes)
Mount-cache hash table entries: 1024 (order: 1, 8192 bytes)
Buffer-cache hash table entries: 4096 (order: 2, 16384 bytes)
Page-cache hash table entries: 16384 (order: 4, 65536 bytes)
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
sa1111_pcibuf: initializing SA-1111 DMA workaround
SA1111 Microprocessor Companion Chip: silicon revision 1, metal revision 1
Starting kswapd
JFFS version 1.0, (C) 1999, 2000  Axis Communications AB
JFFS2 version 2.1. (C) 2001 Red Hat, Inc., designed by Axis Communications AB.
ttyS0 at I/O 0xf0100000 (irq = 50) is a 16550A
ttyS1 at I/O 0xf0120000 (irq = 51) is a 16550A
ttyS2 at I/O 0xf0140000 (irq = 52) is a 16550A
ttyS3 at I/O 0xf0160000 (irq = 54) is a 16550A
ttySA0 at MEM 0x80050000 (irq = 17) is a SA1100
ttySA1 at MEM 0x80010000 (irq = 15) is a SA1100
ttySA2 at MEM 0x80030000 (irq = 16) is a SA1100
Console: switching to colour frame buffer device 80x30
initialize_kbd: Keyboard reset failed, no ACK
Keyboard timed out[1]
keyboard: Timeout - AT keyboard not present?
Keyboard timed out[1]
keyboard: Timeout - AT keyboard not present?
pty: 256 Unix98 ptys configured
UCB1200 generic module installed
ucb1200 touch screen driver initialized
ucb1200 adc driver initialized
UCB1200 audio driver version 2.2 initialized
UCB1200 audio driver Click-Avoid patch: TT <tthaele@papenmeier.de>
UCB1200 Mixer driver version 0.1 initialized. TT <tthaele@papenmeier.de>
smartio driver initialized. version 1.10, date:28-Jun-2002
SmartIO ID     : 0x5002
Device Version : 6(0x36)
Device Type    : 0x8535
SA1100 Real Time Clock driver v1.00
Uniform Multi-Platform E-IDE driver Revision: 6.31
ide: Assuming 50MHz system bus speed for PIO modes; override with idebus=xx
smc9194.c:v0.14 12/15/00 by Erik Stahlman (erik@vt.edu)
eth0: SMC91C96(r:9) at 0xf00e0000 IRQ:58 INTF:TP MEM:6144b ADDR: 00:60:0c:00:4c:5f
RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize
loop: loaded (max 8 devices)
PPP generic driver version 2.4.2
Sound: SA1111 UDA1341: dsp id 3 mixer id 0
SA1111 audio out: SA-1111 SAC DMA channel 6 in use
DMA request for SAC output failed
physmap flash device: 4000000 at 8000000
Physically mapped flash: Found 2 x16 devices at 0x2000000 in 32-bit mode
0: offset=0x0,size=0x40000,blocks=128
1: offset=0x2000000,size=0x40000,blocks=128
Using buffer write method
SA1100 flash: probing 32-bit flash bus
SA1100 flash: Found 2 x16 devices at 0x2000000 in 32-bit mode
0: offset=0x0,size=0x40000,blocks=128
1: offset=0x2000000,size=0x40000,blocks=128
Using buffer write method
Using static partition definition
Creating 3 MTD partitions on "SA1100 flash":
0x00000000-0x00100000 : "zImage"
0x00100000-0x00400000 : "ramdisk.gz"
0x00400000-0x04000000 : "User FS"
Linux Kernel Card Services 3.1.22
  options:  [pm]
SA-1100 PCMCIA (CS release 3.1.22)
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
hcd/ohci-sa1111.c: starting SA-1111 OHCI USB Controller
hcd/ohci-sa1111.c: ohci-hcd (SA-1111) at 0xf4000400, irq 109

usb.c: new USB bus registered, assigned bus number 1
hub.c: USB hub found
hub.c: 1 port detected
usb.c: registered new driver hiddev
usb.c: registered new driver hid
hid-core.c: v1.8.1 Andreas Gal, Vojtech Pavlik <vojtech@suse.cz>
hid-core.c: USB HID support drivers
mice: PS/2 mouse device common for all mice
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 4096 bind 4096)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NetWinder Floating Point Emulator V0.95 (c) 1998-1999 Rebel.com
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 3072K
EXT2-fs warning: checktime reached, running e2fsck is recommended
VFS: Mounted root (ext2 filesystem).
Freeing init memory: 88K
hub.c: USB new device connect on bus1/1, assigned device number 2
hub.c: USB hub found
hub.c: 4 ports detected
enable_irq(114) unbalanced from c032558c
Trying to free nonexistent resource <ce8a6000-ce8a600f>
hda: SILICONSYSTEMS INC 128MB, ATA DISK drive
ide0 at 0xce8a6000-0xce8a6007,0xce8a600e on irq 114
hda: 254208 sectors (130 MB) w/0KiB Cache, CHS=993/8/32
Partition check:
 hda: hda1
ide_cs: hda: Vcc = 3.3, Vpp = 0.0
 hda: hda1
 hda: hda1
VFS: Can't find ext2 filesystem on dev ide0(3,1).
 hda: hda1
 hda: hda1
cramfs: wrong magic
 hda: hda1
 hda: hda1
 hda: hda1
 hda: hda1
VFS: Can't find ext2 filesystem on dev ide0(3,1).
 hda: hda1
 hda: hda1
cramfs: wrong magic
 hda: hda1
 hda: hda1
AVR driver initialized. version 1.1, date:Aug  6 2004

Code:
[root@Linux /proc]$cat /proc/cpuinfo
Processor : StrongARM-1110 rev 9 (v4l)
BogoMIPS : 137.21
Features : swp half 26bit fastmult

Hardware : ADS GraphicsMaster
Revision : 0000
Serial : 0000000000000000
[root@Linux /proc]$

I think this module is used to reprogram an AVR controller in the device.
Code:
[root@Linux /root]$lsmod
Module                  Size  Used by
avrprog                 5416   0 (unused)
[root@Linux /root]$

Code:
[root@Linux /root]$cat /proc/interrupts
  0:      42792   ADS_ext_IRQ
  1:          0   sleep
 11:          0   GPIO 11-27
 12:          1   LCD
 17:       1224   serial_sa1100
 26:      62869   timer
 27:          0   rtc timer
 30:          2   rtc 1Hz
 31:          0   rtc Alrm
 49:        223   SA1111
 50:      40201   serial
 52:        982   serial
 54:        191   serial
 57:          0   UCB1200
 58:       1059   eth0
 63:          8   sio
 87:          0   keyboard
 97:          0   SA1111 audio out
 98:          0   SA1111 audio in
 99:          0   SA1111 audio out
100:          0   SA1111 audio in
109:         24   ohci-hcd
114:        240   ide0
116:          0   SA1111 PCMCIA card detect
117:          0   SA1111 CF card detect
118:          0   SA1111 PCMCIA BVD1
119:          0   SA1111 CF BVD1
Err:          0
[root@Linux /root]$

Code:
[root@Linux /root]$ps aux
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  1.1  0.8  1384  544 ?        S    Feb13   0:07 init
root         2  0.0  0.0     0    0 ?        SW   Feb13   0:00 [keventd]
root         3  0.0  0.0     0    0 ?        SWN  Feb13   0:00 [ksoftirqd_CPU0]
root         4  0.0  0.0     0    0 ?        SW   Feb13   0:00 [kswapd]
root         5  0.0  0.0     0    0 ?        SW   Feb13   0:00 [bdflush]
root         6  0.0  0.0     0    0 ?        SW   Feb13   0:00 [kupdated]
root         7  0.0  0.0     0    0 ?        SW   Feb13   0:00 [mtdblockd]
root         8  0.0  0.0     0    0 ?        SW   Feb13   0:00 [khubd]
root        40  0.0  0.0     0    0 ?        SWN  Feb13   0:00 [jffs2_gcd_mtd3]
root        56  0.0  1.1  1480  744 ?        S    Feb13   0:00 /sbin/cardmgr -f
root       587  0.0  1.0  1568  644 ?        S    Feb13   0:00 dhcpcd -DH -t 10
root       610  0.0  0.8  1680  544 ?        S    Feb13   0:00 syslogd -m 0
bin        636  0.0  0.7  1456  444 ?        S    Feb13   0:00 [portmap]
root       666  0.0  1.0  1592  644 ?        S    Feb13   0:00 inetd
root       679  0.0  0.8  1704  544 ?        S    Feb13   0:00 /bin/sh /etc/rc.d/rc3.d/S51timeUpdate.sh start
root       680  0.0  1.2  1788  772 ?        S    Feb13   0:00 /bin/bash /flash/elgato/utils/keepTimeUpdated
root       681  0.0  0.5  1672  336 ?        S    Feb13   0:00 sleep 1200
root       701  0.8 11.4 93644 7176 ?        S    Feb13   0:05 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       710  0.0  0.7  1572  476 tty1     S    Feb13   0:00 /sbin/getty 38400 tty1
root       711  0.0  0.7  1572  484 ttyS/ttySA0 S Feb13   0:00 /sbin/getty -L ttyS0 38400 vt100
root       712  0.0  1.2  1796  808 ?        S    Feb13   0:00 /bin/bash /root/catch_sleep.sh
root       724  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       725  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       726  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       727  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       729  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       730  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       731  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       732  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       738  0.2 11.4 93644 7176 ?        S    Feb13   0:01 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       751  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       752  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       753  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       754  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       755  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       756  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       757  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       758  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       759  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       774  1.1 22.2 18540 13968 tty2    S    Feb13   0:07 /flash/siege/bin/_siege -Xmx23m -DlocalAddress=127.0.0.1 -Dserver=127.0.0.1 -DLogger.level=2 -
root       776  0.0 22.2 18540 13968 tty2    S    Feb13   0:00 /flash/siege/bin/_siege -Xmx23m -DlocalAddress=127.0.0.1 -Dserver=127.0.0.1 -DLogger.level=2 -
root       777  0.0 22.2 18540 13968 tty2    S    Feb13   0:00 /flash/siege/bin/_siege -Xmx23m -DlocalAddress=127.0.0.1 -Dserver=127.0.0.1 -DLogger.level=2 -
root       778  0.0 22.2 18540 13968 tty2    S    Feb13   0:00 /flash/siege/bin/_siege -Xmx23m -DlocalAddress=127.0.0.1 -Dserver=127.0.0.1 -DLogger.level=2 -
root       779  0.0 22.2 18540 13968 tty2    S    Feb13   0:00 /flash/siege/bin/_siege -Xmx23m -DlocalAddress=127.0.0.1 -Dserver=127.0.0.1 -DLogger.level=2 -
root       780  9.9 22.2 18540 13968 tty2    S    Feb13   1:02 /flash/siege/bin/_siege -Xmx23m -DlocalAddress=127.0.0.1 -Dserver=127.0.0.1 -DLogger.level=2 -
root       781  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       782  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       783  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       784  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       785  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       786  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       787  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       788  0.0 22.2 18540 13968 tty2    S    Feb13   0:00 /flash/siege/bin/_siege -Xmx23m -DlocalAddress=127.0.0.1 -Dserver=127.0.0.1 -DLogger.level=2 -
root       789  0.0 22.2 18540 13968 tty2    S    Feb13   0:00 /flash/siege/bin/_siege -Xmx23m -DlocalAddress=127.0.0.1 -Dserver=127.0.0.1 -DLogger.level=2 -
root       790  0.0 22.2 18540 13968 tty2    S    Feb13   0:00 /flash/siege/bin/_siege -Xmx23m -DlocalAddress=127.0.0.1 -Dserver=127.0.0.1 -DLogger.level=2 -
root       791  0.0 22.2 18540 13968 tty2    S    Feb13   0:00 /flash/siege/bin/_siege -Xmx23m -DlocalAddress=127.0.0.1 -Dserver=127.0.0.1 -DLogger.level=2 -
root       792  0.0 22.2 18540 13968 tty2    S    Feb13   0:00 /flash/siege/bin/_siege -Xmx23m -DlocalAddress=127.0.0.1 -Dserver=127.0.0.1 -DLogger.level=2 -
root       795  0.2 22.2 18540 13968 tty2    S    Feb13   0:01 /flash/siege/bin/_siege -Xmx23m -DlocalAddress=127.0.0.1 -Dserver=127.0.0.1 -DLogger.level=2 -
root       798  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       799  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       800  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       801  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       802  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       803  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       804  0.7 11.4 93644 7176 ?        S    Feb13   0:04 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       805  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       806  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       807  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       808  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       809  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       810  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       811  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       812  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       813  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       814  0.0 11.4 93644 7176 ?        S    Feb13   0:00 /flash/egServer/elgato -xaemon -o /dev/ttyS0 -e /dev/ttyS0
root       819  0.0 22.2 18540 13968 tty2    S    Feb13   0:00 /flash/siege/bin/_siege -Xmx23m -DlocalAddress=127.0.0.1 -Dserver=127.0.0.1 -DLogger.level=2 -
root       824  0.0  1.3  1956  848 ?        S    Feb13   0:00 in.telnetd
root       825  0.0  1.5  1824  948 pts/0    S    Feb13   0:00 -bash
root       839  0.0  1.3  2736  876 pts/0    R    00:03   0:00 ps aux
[root@Linux /root]$

The serial port /dev/ttyS/ttySA0 is used for a serial console, and elgato is using ttyS0, ttyS2 and ttyS3. I think ttySA0 and ttySA1 are available on the back of the device.

The Java part of the software is using /dev/rpg, which is a symlink to /dev/sio15. I'm not sure what this is.
 

Urs42
Re: Agilent E7495 linux root account
« Reply #8 on: February 18, 2015, 05:36:37 am »
It would be interesting to add some non GSM/UMTS signals to the signal generator, the data files for the generator are stored in /flash/egServer/Dragonfly/Measurements/Data/ and I have no idea about the format.
 

Wuerstchenhund
Re: Agilent E7495 linux root account
« Reply #9 on: February 21, 2015, 12:45:24 pm »
Quote
It would be interesting to add some non GSM/UMTS signals to the signal generator, the data files for the generator are stored in /flash/egServer/Dragonfly/Measurements/Data/ and I have no idea about the format.

I guess these are waveform binaries for the built-in Arbitrary Waveform Generator.

If we find out the format then we could create our own and push it to the E7495. Maybe even a function could be added to the Java GUI to enable copying waveforms from/to the CF card and PCMCIA card.

Thinking about it, it would make the E7495 into a really flexible tool.
 

9aplus
Re: Agilent E7495 linux root account
« Reply #10 on: February 22, 2015, 02:16:40 pm »
Hello to all,
 
It is nice to know that someone else is digging out around E7495B software....
Own one unit just couple of months, working just fine, except remote SW on PC with new windows version XP and later.
Therefore I made debug of JAVA code in attempt to write own SW... for PC operated under Linux (Ubuntu 12 and later)
and new Windows versions.

I am interested to join efforts to bring this nice instrument to full use :)

Here my hardware configuration ->
« Last Edit: February 22, 2015, 02:18:34 pm by 9aplus »
 

9aplus
Re: Agilent E7495 linux root account
« Reply #11 on: February 22, 2015, 03:02:28 pm »
Here just for educational evaluation
decompiled Java egclient app...
https://www.dropbox.com/s/waxxkz9c44h7dy2/egclient.src.zip?dl=0
 

Urs42
Re: Agilent E7495 linux root account
« Reply #12 on: February 22, 2015, 03:36:11 pm »
The remote software consists of two parts, egclient.jar and RemoteGui.jar. egclient.jar is also the GUI that you see on the device itself. RemoteGui.jar is a wrapper around egclient.jar; it provides some additional buttons, for example the ESC/Lcl button that is needed to switch between the local and remote mode. egclient.jar runs just fine on a Debian 7 system, didn't test any Windows version because I don't have one. The problem with running egclient alone is that you can't press the ESC/Lcl button, so the remote control doesn't work :-(

Code:
java -Dserver=10.10.0.101 -DlocalAddress=micro -classpath "egclient.jar:xerces.jar:JimiProClasses.zip:RemoteGui.jar" elgato.gui.MainWindow
I do have the same options installed.
 

9aplus
Re: Agilent E7495 linux root account
« Reply #13 on: February 22, 2015, 04:38:16 pm »
Must try then on my Ubuntu 12.04 LTS but so far no luck with j2re-1_4_2-linux-i586.bin from Oracle site....
Quote
Do you agree to the above license terms? [yes or no]
yes
Unpacking...
tail: cannot open `+473' for reading: No such file or directory
Checksumming...
1
The download file appears to be corrupted.  Please refer
to the Troubleshooting section of the Installation
Instructions on the download page for more information.
Please do not attempt to install this archive file.
q@ubuntu:~/Desktop$
« Last Edit: February 22, 2015, 04:51:24 pm by 9aplus »
 

Wuerstchenhund
Re: Agilent E7495 linux root account
« Reply #14 on: February 22, 2015, 05:08:47 pm »
Quote
Here my hardware configuration ->


Nice. I'd love to have options 240 and 245, as well as 230 and 235. My unit only came with CDMA+EV-DO unfortunately.
 

9aplus
Re: Agilent E7495 linux root account
« Reply #15 on: February 22, 2015, 05:23:08 pm »
Right,
but on the other hand I was not so lucky with SW keys ->
 

Urs42
Re: Agilent E7495 linux root account
« Reply #16 on: February 22, 2015, 05:48:05 pm »
I'm using the openjdk-6 package from Debian.

I think you can copy the license file from one device to another if you change the hostid on the target device. But I'm not sure...
 

PA0PBZ
Re: Agilent E7495 linux root account
« Reply #17 on: February 22, 2015, 06:01:31 pm »
The E7495 firmware looks very much the same as for the N1996 CSA SA, I can even use the remote client on my CSA. The license manager on the CSA is easy to patch so that it accepts any license code, maybe it is the same for the E7495. The license daemon on the CSA is called TORO, but I could not see something similar in the ps output posted above.

Keyboard error: Press F1 to continue.
 

Urs42
Re: Agilent E7495 linux root account
« Reply #18 on: February 22, 2015, 06:09:24 pm »
The licensing is done by the elgato process. I think they are using flexlm. Here is the license file from my device, I did remove the HOSTID and SIGN values.

Code:
$ cat elgato.lic
FEATURE 200 agilent 1.000 permanent uncounted \
HOSTID=ID_STRING=XXXXX SIGN=YYYYYYYYY
FEATURE 220 agilent 1.000 permanent uncounted \
HOSTID=ID_STRING=XXXXX SIGN=YYYYYYYYY
FEATURE 240 agilent 1.000 permanent uncounted \
HOSTID=ID_STRING=XXXXX SIGN=YYYYYYYYY
FEATURE 245 agilent 1.000 permanent uncounted \
HOSTID=ID_STRING=XXXXX SIGN=YYYYYYYYY
FEATURE 205 agilent 1.000 permanent uncounted HOSTID=ID_STRING=XXXXX \
SIGN=YYYYYYYYY
 

PA0PBZ
Re: Agilent E7495 linux root account
« Reply #19 on: February 22, 2015, 06:23:45 pm »
Quote
I think they are using flexlm.

Yes, that is FlexLM, same as N1996A and E4406A.
Keyboard error: Press F1 to continue.
 

theatrus
Re: Agilent E7495 linux root account
« Reply #20 on: February 22, 2015, 06:39:19 pm »
Looks nearly identical to the N1996A.

The good news is the binaries have most of their symbols intact - objdump (for ARM) and search for some likely functions :)
Software by day, hardware by night; blueAcro.com
 

9aplus
Re: Agilent E7495 linux root account
« Reply #21 on: February 22, 2015, 06:50:50 pm »
Here more luck with OpenJDK Java 6 runtime

Now RemoteGUI.jar is running but not happy with egclient.jar version.
Program is offering download of egclient.jar from E7495B but file
transfer ends with 0 size....


 
 

PA0PBZ
Re: Agilent E7495 linux root account
« Reply #22 on: February 22, 2015, 06:52:32 pm »
Well. I just downloaded the firmware and did a quick compare between the toro process and the elgato one. Then I did a search for 16 bytes around the patch area and elgato had only one hit. So for whoever feels lucky, try this: (latest firmware downloaded from HP Agilent Keysight site)

Elgato offset 337A7C, change 01 00 00 EA to 00 00 A0 E1.

Then check your license file if there are any entries without the SIGN = part, because they start to work magically if the patch works and you don't want any weird options enabled. Just take them out.

Good luck and let me know  ;)

Edit: Version A06.25
« Last Edit: February 22, 2015, 06:57:06 pm by PA0PBZ »
Keyboard error: Press F1 to continue.
 

Urs42
Re: Agilent E7495 linux root account
« Reply #23 on: February 22, 2015, 07:21:54 pm »
Many thanks PA0PBZ, I'll try that.

toroServer looks a lot like egServer. It would be interesting to see how similar the hardware of both devices is. FM/AM demodulation and other stuff I see in the toroServer directory would be cool...
 

PA0PBZ
Re: Agilent E7495 linux root account
« Reply #24 on: February 22, 2015, 07:42:04 pm »
Quote
toroServer looks a lot like egServer.

It does, I even see a lot of possible options in the CSA that look to be for the E7495:

200   CDMA / CDMA 2000 Analyzer
205   1xEV-DO Analyzer
210   CDMA Over Air Test
220   Channel Scanner
230   GSM Analyzer
235   GSM Edge
250   W-CDMA (UMTS) Over Air Test
270   Interference Analyzer
271   Spectrogram
300   DC Bias
330   NEM Software <unknown>
500   Internal Agilent Mfg Source
503   Frequency Range 100 kHz to 3 GHz
506   Frequency Range 100 kHz to 6 GHz
600   Power Meter
700   T1 Analyzer
710   E1 Analyzer
AFM   AM/FM Tune & Listen
HAR   Harmonics Analyzer
IQD   IQ Waveform
N8995A   Stimulus/Response Measurement Suite
N8995A-SR3   Stimulus/Response Measurement Suite, 3 GHz
N8995A-SR6   Stimulus/Response Measurement Suite, 6 GHz
N8996A-1FP   AM/FM Modulation Analyzer
N8996A-2FP   ASK/FSK Analyzer ASK/FSK
N8997A-1FP   W-CDMA (UMTS) Analyzer
N8997A-2FP   HSDPA Measurement
P03   Preamplifier, 3 GHz
P06   Preamplifier, 6 GHz
SEM   Spectral Emmissions Mask
TG3   Tracking Generator, 3 GHz
TG6   Tracking Generator, 6 GHz
TOI   TOI Analyzer
Keyboard error: Press F1 to continue.
 

