Author Topic: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B  (Read 12091 times)


Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: ru
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #175 on: September 18, 2020, 11:45:22 am »
I've studied the PSOS debug handler: nothing like "^C" handling there, but there is one undocumented cmd with unclear functionality: lowercase "r".
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: ru
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #176 on: September 18, 2020, 11:48:07 am »
Ok, so we need patching. Could someone try figuring out the DIP switch responsible for Flash/DRAM boot as described here: https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3238002/#msg3238002 ?
 

Offline suj

  • Regular Contributor
  • *
  • Posts: 78
  • Country: pl
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #177 on: September 18, 2020, 11:48:56 am »
I conducted an experiment. In the monitor:
Code:
->slong 04600020 04028318
->dlong 04600020
04600020  04028318 00000000 00000000 00000000   ................
Then reset and:
Code:
->dlong 04600020
04600020  00000000 00000000 00000000 00000000   ................
Clearly the contents of the DRAM cannot survive the hardware reset.
 

Offline suj

  • Regular Contributor
  • *
  • Posts: 78
  • Country: pl
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #178 on: September 18, 2020, 11:50:01 am »
> Ok, so we need patching. Could someone try figuring out the DIP switch responsible for Flash/DRAM boot as described here: https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3238002/#msg3238002 ?

I need some time. The MB needs to be removed to change the DIP switch settings.
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: ru
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #179 on: September 18, 2020, 12:03:38 pm »
Could you try the "r" cmd (in normal mode) also?
 

Offline suj

  • Regular Contributor
  • *
  • Posts: 78
  • Country: pl
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #180 on: September 18, 2020, 12:06:10 pm »
Of course. I have the SA opened and it's possible to change the DIP switch without removing the MB.
 

Offline suj

  • Regular Contributor
  • *
  • Posts: 78
  • Country: pl
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #181 on: September 18, 2020, 12:23:58 pm »
"r" like RESET. But:
Code:
->dlong 04600020
04600020  00000000 00000000 00000000 00000000
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 1814
  • Country: pt
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #182 on: September 18, 2020, 12:38:30 pm »
> I conducted an experiment. In the monitor:
> Code:
> ->slong 04600020 04028318
> ->dlong 04600020
> 04600020  04028318 00000000 00000000 00000000   ................
> Then reset and:
> Code:
> ->dlong 04600020
> 04600020  00000000 00000000 00000000 00000000   ................
> Clearly the contents of the DRAM cannot survive the hardware reset.

I missed something...  |O

@abyrvalg, when is that location filled with the 04028318 ?
 

Offline suj

  • Regular Contributor
  • *
  • Posts: 78
  • Country: pl
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #183 on: September 18, 2020, 12:47:22 pm »
I can't get consistent readings from address 0x0200200c when changing dip-switches. It looks different after the reset. Sometimes, with the same settings, the readings are different depending on the time in which the reading is made.
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: ru
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #184 on: September 18, 2020, 01:09:53 pm »
DRAM not surviving: found the reason - BootROM clears entire DRAM at each start, so reset is not our friend :(

Inconsistent switch reg reading: there can be some other bits not related to switches, ignore them. We are interested in bit 8 (hex mask 0100), normally it should be 0 (for "Download to Flash Selected") and we need to switch it to 1 (for "Download to DRAM Selected").
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: ru
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #185 on: September 18, 2020, 01:16:07 pm »
@tv84, a function at 04011078 in ESAFW initializes data section (04600000-0476DD88) by copying from 04435E14 and clears bss section (0476DD88-048BCCE8)
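
Added illustration, not part of the thread or of the ESA firmware: a C model of the startup step described in the post above, showing why 04600020 reads zero from the monitor before the firmware has run and 04028318 afterwards. The section addresses and the value come from the thread; the straight linear copy (so the initializer sits at 04435E14 + 0x20), the simulated DRAM buffer and the 0xAA filler bytes are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Addresses as quoted in the thread. */
#define DRAM_BASE  0x04000000u
#define DRAM_END   0x06000000u  /* DRAM selftest "End" in the boot log */
#define DATA_LMA   0x04435E14u  /* initial values stored in the image */
#define DATA_START 0x04600000u
#define DATA_END   0x0476DD88u  /* also the start of bss */
#define BSS_END    0x048BCCE8u

static uint8_t *dram;           /* simulated DRAM (assumption of this model) */

static uint8_t *at(uint32_t addr) { return dram + (addr - DRAM_BASE); }

/* Big-endian 32-bit read, the way the monitor's dlong displays memory. */
static uint32_t dlong(uint32_t addr) {
    const uint8_t *p = at(addr);
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* State when the monitor prompt appears: DRAM cleared, image loaded. */
static int boot_load(void) {
    static const uint8_t init[4] = { 0x04, 0x02, 0x83, 0x18 };
    free(dram);
    dram = calloc(DRAM_END - DRAM_BASE, 1);  /* BootROM clears all DRAM */
    if (!dram) return -1;
    /* Assumed linear copy: initializer for 04600020 sits at LMA + 0x20. */
    memcpy(at(DATA_LMA + 0x20), init, sizeof init);
    memset(at(DATA_END), 0xAA, 16);  /* constructed filler to show bss clear */
    return 0;
}

/* What the function at 04011078 is described as doing. */
static void init_sections(void) {
    memcpy(at(DATA_START), at(DATA_LMA), DATA_END - DATA_START);
    memset(at(DATA_END), 0, BSS_END - DATA_END);
}

int main(void) {
    if (boot_load()) return 1;
    printf("monitor, before init: %08x\n", (unsigned)dlong(0x04600020u));
    init_sections();
    printf("after init:           %08x\n", (unsigned)dlong(0x04600020u));
    return 0;
}
```

In this model the data section only holds its values once the firmware's own startup code has run, which matches the zero readings taken from the monitor before the firmware starts and the populated reading taken after returning to the monitor from running firmware.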
 

Offline suj

  • Regular Contributor
  • *
  • Posts: 78
  • Country: pl
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #186 on: September 18, 2020, 01:29:45 pm »
DIP switch #4, ON position (default)

Code:
->dword 0x0200200c
0200200c  0400   ..

DIP switch #4, OFF position

Code:
->dword 0x0200200c
0200200c  0500   ..
 

Offline suj

  • Regular Contributor
  • *
  • Posts: 78
  • Country: pl
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #187 on: September 18, 2020, 01:43:20 pm »
After booting with DIP switch #4 in OFF position:

Code:
***** Mosquito Bootrom *****                                                   
Copyright 1988-1997,                                                           
Hewlett-Packard Company, all rights reserved.                                   
                                                                               
@(#)HEWLETT-PACKARD, E4401 Bootrom, 5.00                                       
@(#)LDS Rev: 3.02 - Module Incremental (Sep  9 2003)                           
@(#)Linked: Sep  9 2003 14:46:44                                               
                                                                               
Bootrom Checksum ...                                                           
Bootrom DRAM:     Testing 69632 bytes at 0x04000000                             
Non Destructive SRAM Test ...                                                   
Main Firmware DRAM:     Testing 33484800 bytes at 0x04011000                   
Main FW Checksum ...                                                           
Self-tests complete.SRAM selftest results:                                     
        Start  = 0xa000000                                                     
        End    = 0xa007fa3                                                     
        Errors = 0x0                                                           
DRAM selftest results:                                                         
        Start  = 0x4011000                                                     
        End    = 0x6000000                                                     
        Errors = 0x0                                                           
hpibPort = 0x8005000                                                           
hpibPort = 0x8005000, bus Address = 19                                         
                                                                               
Cache Enabled                                                                   
16MBytes of FLASH                                                               
                                                                               
Download to DRAM Selected                                                       
ROM Monitor                                                                     
Enter ? for help.                                                               
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: ru
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #188 on: September 18, 2020, 01:49:30 pm »
Great! That's it!
So, what we can do now:
- set DIP4 to ON (to enable ESAFW loading from flash)
- start the ESA with boot interruption
--- now we have stock ESAFW loaded from flash into DRAM, but we are in ROM Monitor
- patch ESAFW in RAM (with smem/sbyte/sword/slong)
- set DIP4 to OFF (to disable ESAFW reload in "gu" command)
- send gu command to start the patched image from DRAM

@tv84, any ideas what to patch?
I'm going to prepare some patch to jump from ESAFW back to ROM Monitor (i.e. with some of the psos debug commands) without reset to dump the data section content finally.
 
The following users thanked this post: smgvbest

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: ru
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #189 on: September 18, 2020, 01:59:54 pm »
Code:
sword 04139614 4ef9
sword 04139618 d8a4
gu
- ESAFW should start normally after this. Then, when it is running already, press "r" and you should get back to ROM Monitor with DRAM keeping the content (try dlong 04600020 there to see).
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 1814
  • Country: pt
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #190 on: September 18, 2020, 02:29:07 pm »
> @tv84, any ideas what to patch?
> I'm going to prepare some patch to jump from ESAFW back to ROM Monitor (i.e. with some of the psos debug commands) without reset to dump the data section content finally.

I think I can patch the license validation ATM. Although, having some idea of how flexlm tests licenses, I don't know what are the consequences of activating all licenses.

I would prefer 1st to have the dump, so that I can search for the seeds. If I can find the seeds in the dump, the keygen will be instantaneous.
 
The following users thanked this post: smgvbest

Offline suj

  • Regular Contributor
  • *
  • Posts: 78
  • Country: pl
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #191 on: September 18, 2020, 02:37:32 pm »
Code:
->dlong 04600020
04600020  04028318 04028324 0402832a 04028331   .......$...*...1
 

Offline suj

  • Regular Contributor
  • *
  • Posts: 78
  • Country: pl
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #192 on: September 18, 2020, 02:45:58 pm »
My steps:
0. Set the serial terminal to 19200,8n1
1. DIP sw #4 set to ON
2. break the boot process with 0x06
3. sword 04139614 4ef9
4. sword 04139618 d8a4
5. DIP sw #4 set to OFF
6. gu
7. SA restart in normal mode
8. Press "r" and we are in the monitor now  8)
9. Change the serial port speed.
>slong 815F4 1001A
10. Change speed of the serial terminal to 115200, 8n1



Respect for you  :-+ :-+ :-+
« Last Edit: September 18, 2020, 04:34:35 pm by suj »
 
The following users thanked this post: smgvbest, analogRF

Offline smgvbest

  • Supporter
  • ****
  • Posts: 614
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #193 on: September 18, 2020, 02:54:58 pm »
> My steps:
> 1. DIP sw #4 set to ON
> 2. break the boot process with 0x06
> 3. sword 04139614 4ef9
> 4. sword 04139618 d8a4
> 5. DIP sw #4 set to OFF
> 6. gu
> 7. SA restart in normal mode
> 8. Press "r" and we are in the monitor now  8)
>
> Respect for you  :-+ :-+ :-+

Cool, I wake up and you all have done a lot.

@suj how are you flipping the DIP SW without removing the Processor Card?
a long stick???  LOL
Sandra
(Yes, I am a Woman :p )
 

Offline suj

  • Regular Contributor
  • *
  • Posts: 78
  • Country: pl
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #194 on: September 18, 2020, 02:59:17 pm »
> @suj how are you flipping the DIP SW without removing the Processor Card?
> a long stick???  LOL
 
The following users thanked this post: smgvbest

Offline smgvbest

  • Supporter
  • ****
  • Posts: 614
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #195 on: September 18, 2020, 03:01:51 pm »
> @suj how are you flipping the DIP SW without removing the Processor Card?
> a long stick???  LOL

Ah,  right angle tweezers and coming in from that angle,   thanks.  :-+
Sandra
(Yes, I am a Woman :p )
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: ru
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #196 on: September 18, 2020, 03:05:10 pm »
Great!
@tv84, your turn! :)

Btw, does anyone know what UART IC is used in ESA? Perhaps it is possible to raise the baudrate by writing to some regs manually from the Monitor.
 

Offline suj

  • Regular Contributor
  • *
  • Posts: 78
  • Country: pl
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #197 on: September 18, 2020, 03:09:42 pm »
> Btw, does anyone know what UART IC is used in ESA? Perhaps it is possible to raise the baudrate by writing to some regs manually from the Monitor.

It's part of the 68EN360 QUICC. It's working in "companion" mode with the 68LC040.
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 614
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #198 on: September 18, 2020, 03:24:26 pm »
> Great!
> @tv84, your turn! :)
>
> Btw, does anyone know what UART IC is used in ESA? Perhaps it is possible to raise the baudrate by writing to some regs manually from the Monitor.

Given where we are I don't know if this is worth pursuing or not, but there appears to be some kind of undocumented SCPI debug interface, and FLASH from SCPI is a supported option as well.
Found it by mistake:
hmon    [device] - download into memory
It defaults to loading from SCPI.
I've not been able to find what [device] is supported.
SCPI does not work, but hmon on its own loads from it.
Tried FLOPPY, FLASH, 0-1, A-Z, A:-C: and a few more,
even things like /dev/fd0.

If we want to avoid that, that's fine, I defer to the gurus here.
Sandra
(Yes, I am a Woman :p )
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 614
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #199 on: September 18, 2020, 03:46:38 pm »
> @tv84, any ideas what to patch?
> I'm going to prepare some patch to jump from ESAFW back to ROM Monitor (i.e. with some of the psos debug commands) without reset to dump the data section content finally.
>
> I think I can patch the license validation ATM. Although, having some idea of how flexlm tests licenses, I don't know what are the consequences of activating all licenses.
>
> I would prefer 1st to have the dump, so that I can search for the seeds. If I can find the seeds in the dump, the keygen will be instantaneous.

Do you want the same dump we've had before or a different one?
Sandra
(Yes, I am a Woman :p )
 

