Author Topic: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B  (Read 66144 times)


Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #25 on: August 27, 2020, 11:39:59 am »
For those interested here's the dump of the bootrom
Sandra
(Yes, I am a Woman :p )
 
The following users thanked this post: tv84, analogRF

Offline analogRF (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #26 on: August 27, 2020, 12:28:55 pm »
Not an expert here, but I am not sure if the bootrom is that useful for cracking the options.
You probably need to access a serial console that is somewhere on the CPU board to access the main firmware files that are unpacked in the flash (or is it EEPROM?).
Is there a place that you can enter a license key and see what error it generates?
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #27 on: August 27, 2020, 12:34:59 pm »
The reason for posting it is there appears to be monitor functions built in that may help get to the data we’re after.

My unit has no licenses, and the licenses are stored in the Flash memory, not in the EEPROM, according to the security doc out there from Agilent.



Sandra
(Yes, I am a Woman :p )
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #28 on: August 27, 2020, 11:44:31 pm »
So before trying to attach the J1 connector I figured I better determine if it's RS232 levels or TTL level output.

U63 is a MAX232, so RS232 levels.

Also J1 is a 2mm 2x5 header. I don't have one, so a Digikey order (along with stuff for my DSKY EL Display) should be here by Monday I hope,
unless I can rig up something.

Sandra
(Yes, I am a Woman :p )
 

Offline analogRF (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #29 on: August 28, 2020, 12:57:32 am »
All you need to do is to attach two small grabbers to pin9 and pin10 of the MAX232 chip (TTL level) and you are good to go. Any cheap UART-USB converter will do the job. I prefer my BUSPirate. That's how I have always done this in numerous instruments.

But which RS232 connector is this? Is it the one at the back of the instrument? Or is it something just on board for debugging?

Because if it is the one at the back of the instrument, you won't get any boot log on that or access to the OS.
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #30 on: August 31, 2020, 04:12:44 pm »
Got the connection working.   I needed a reboot  |O

This is some of the information I see from it:

Code:

***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.

@(#)HEWLETT-PACKARD, E4401 Bootrom, 5.00
@(#)LDS Rev: 3.02 - Module Incremental (Sep  9 2003)
@(#)Linked: Sep  9 2003 14:46:44

Bootrom Checksum ...
Bootrom DRAM:     Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM:     Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
Self-tests complete.SRAM selftest results:
        Start  = 0xa000000
        End    = 0xa007fa3
        Errors = 0x0
DRAM selftest results:
        Start  = 0x4011000
        End    = 0x6000000
        Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19

Cache Enabled
16MBytes of FLASH

Download to Flash Selected
>>> mainMain()
text segment:           0x4011000 thru 0x4435e14 ( 424e14 bytes)
data segment:           0x4600000 thru 0x476dd88 ( 16dd88 bytes)
bss  segment:           0x476dd88 thru 0x48bcce8 ( 14ef60 bytes)

ROM size:               0x00592b9c ( 592b9c bytes of 4194304 max.)

memory pool (all):      0x048bcce8 thru 0x05ffffff (24392472 bytes)
Calling start_psos() ...
>>>> debug() process starting
DLP Loaded - Power Suite Utilities, A.06.05, Nov 21 2003 15:45:40

----- System/pSOS Debug commands: -----
    '?' - this help message.
    'j' - drop into breakpoint.
   '^C' - Abort to monitor.
   '^P' - Process status info, and LOTS of it.
 '[dD]' - Print DLP debug information.
 '[bB]' - Big memory hog report.
 '[pP]' - Process ONLY status info.

 '[eE]' - Exchange info.
 '[gG]' - toggle breakpoint exception handlers on/off
 '[tT]' - Time log.
 '[hH]' - History log.
 '[oO]' - Memory segment ownership.
 '[mM]' - Memory segment summary.
 '[sS]' - Semaphore ownership, etc.
 '[uU]' - maximum process stack Usage.
 '[vV]' - memory Validity check.
 '[iI]' - Show psosSystemData.
 '[1]' -  Show NVRAM contents.
 '[9]' -  Show Exception Report.
 '[wW] <process name>' - Show process stack trace.

>d
==============================================================
                                DLP LIST
Name         State      Text            Data            BSS
c:dlp\ps2\ps2.o Loaded  0x5c3dcc8/1751472       0x5c3bcb4/8192  0x5b6abe0/856256
c:dlp\pn\pn.o Unlicensed        0x0/0   0x0/0   0x0/0
c:dlp\catv\catv.o Unlicensed    0x0/0   0x0/0   0x0/0
==============================================================
Currently 1 DLP's loaded

>b
=================================================================

Memory HOG report - oink oink

caller PC    count      bytes
0x04338902   17072    5349060
0x04361be2       1    1751492
0x00000000     111    1049872
0x04361bfe       1     856276
0x05d00d06     194     798504
0x05d01948      83     341628
0x043ebcfe      83     294836
0x05cefb16      61     245220
0x05cf28b6      40     160800
0x05ceceb2      33     132660
0x05cf564a      15      60300
0x043eb0f0     339      39892
0x042b66a2       1      32792
0x05cea37a       7      28140
0x04345af2      53      26632
0x05d0235c       3      12348
0x042def9e       1      11108
0x04361bf0       1       8212
0x042ec426       1       2596
0x042ec3e2       1       2148
0x0412a3d0       1       2068
0x042ec404       1       1196
0x04364636       1       1032
0x042ec3c0       1       1028
0x042def8c       1        812
0x0414b2a2       3        624
0x0a0008f6       1        532
0x0a000446       1        532
0x0a0005ea       1        532
0x0a000626       1         84
=================================================================

>p

    pid    PNAME  STAT/M PRI GID POS  TIX MEMORY STK CPU
0x048ca38c  SWFI   RUN    51  0   *     1    0kB  8% 25%

0x048cc0f0  AAFI   RDY    51  0   1     1    0kB 12%  0%
0x048c9714  IDLE   RDY     0  0   2     1    0kB  6%  8%

0x048ccf30  CLOK  paus   100  0   .     0    0kB 16%  0%
0x048c9ffc  DIst  paus    52  0   .  3106    0kB  3%  0%
0x048c9aa4  DRST  paus    80  0   .    61    0kB 47%  0%
0x048c99c0  FMOT  paus   100  0   .    43    0kB 47%  0%

0x048cd014  UPDT  xblk   249  0   .     1    0kB 23%  0%
0x048cce4c  MAXM  xblk    60  0   .     1    0kB  6%  0%
0x048ccc84  LLMR  xblk    60  0   .     1    0kB  6%  0%
0x048ccba0  PRNT  xblk    60  0   .     1    0kB  8%  0%
0x048ccabc  DSPF  xblk    51  0   .     1    0kB  5%  0%
0x048cc9d8  DSPM  xblk    60  0   .     1    0kB  6%  0%
0x048cc8f4  DMFI  xblk    51  0   .     1    0kB  5%  0%
0x048cc810  DMMR  xblk    60  0   .     1    0kB  6%  0%
0x048cc648  FCFI  xblk    51  0   .     1    0kB  5%  0%
0x048cc564  FCMR  xblk    60  0   .     1    0kB  6%  0%
0x048cc480  ANSQ  xblk    52  0   .     1    0kB 13%  0%
0x048cc39c  ANFI  xblk    51  0   .     1    0kB 13%  0%
0x048cc2b8  ANMR  xblk    60  0   .     1    0kB  6%  0%
0x048cc1d4  AASQ  xblk    52  0   .     1    0kB 21% 28%
0x048cc00c  AAMR  xblk    60  0   .     1    0kB  6%  0%
0x048cbf28  SYMR  xblk    60  0   .     1    0kB  8%  0%
0x048cbe44  SGMR  xblk    60  0   .     1    0kB  6%  0%
0x048cbd60  ZMKR  xblk    60  0   .     1    0kB  6%  0%
0x048cbc7c   MKR  xblk    60  0   .     1    0kB  6%  0%
0x048cbb98  DEF3  xblk    51  0   .     1    0kB  5%  0%
0x048cbab4  SNFI  xblk    51  0   .     1    0kB  5%  0%
0x048cb9d0  SNMR  xblk    60  0   .     1    0kB  6%  0%
0x048cb8ec  DEF2  xblk    51  0   .     1    0kB  5%  0%
0x048cb808  LGDT  xblk   251  0   .     1    0kB  8%  0%
0x048cb724  LGDE  xblk    60  0   .     1    0kB  6%  0%
0x048cb640  DSFI  xblk    51  0   .     1    0kB  5%  0%
0x048cb55c  LGDT  xblk   251  0   .     1    0kB  8%  0%
0x048cb478  LGDS  xblk    60  0   .     1    0kB  6%  0%
0x048cb394  SWFI  xblk    51  0   .     1    0kB  5%  0%
0x048cb2b0  LGST  xblk   251  0   .     1    0kB  8%  0%
0x048cb1cc  LGSW  xblk    60  0   .     1    0kB  6%  0%
0x048cb0e8  DEFI  xblk    51  0   .     1    0kB  5%  0%
0x048cb004  DEMT  xblk   251  0   .     1    0kB  8%  0%
0x048caf20  DEMR  xblk    60  0   .     1    0kB  6%  0%
0x048cae3c  DMZF  xblk    51  0   .     1    0kB  5%  0%
0x048cad58  ZDMT  xblk   251  0   .     1    0kB  8%  0%
0x048cac74  ZDMR  xblk    60  0   .     1    0kB  6%  0%
0x048cab90  SIFI  xblk    51  0   .     1    0kB  5%  0%
0x048caaac  SIMT  xblk   251  0   .     1    0kB  8%  0%
0x048ca9c8  SIMR  xblk    60  0   .     1    0kB  6%  0%
0x048ca8e4  DZFI  xblk    51  0   .     1    0kB  5%  0%
0x048ca800  DZMT  xblk   251  0   .     1    0kB  8%  0%
0x048ca71c  DZMR  xblk    60  0   .     1    0kB  6%  0%
0x048ca638  DSFI  xblk    51  0   .     1    0kB  5%  0%
0x048ca554  DSMT  xblk   251  0   .     1    0kB  8%  0%
0x048ca470  DSMR  xblk    60  0   .     1    0kB  6%  0%
0x048ca2a8  SWMT  xblk   251  0   .     1    0kB  8%  0%
0x048ca1c4  SWMR  xblk    60  0   .     1    0kB  6%  1%
0x048ca0e0  MIME  xblk    79  0   .     1    0kB  6%  2%
0x048c9f18  FPLP  xblk   250  0   .     1    0kB  9%  0%
0x048c9e34  DCAS  xblk   251  0   .     1    0kB  8%  0%
0x048c9d50  RLCN  xblk   230  0   .     1    0kB  8%  0%
0x048c9c6c  REMT  xblk   250  0   .     1    0kB  5%  0%
0x048c9b88  PCKB  xblk   230  0   .     1    0kB  8%  0%
0x048c97f8  DISP  xblk   253  0   .     1    0kB  8%  4%
0x048c98dc  APPS  xblk   230  0   .     1    0kB 25%  0%
0x048c9630  ROOT  xblk   230  0   .     1    0kB  4% 32%
           >> EVENTS: W(0x0) S(0x2000)

        64 Process(s) (27 avail); Total time: 4569 ticks.

>e
    xid    XNAME  TYPE  ACC  maxQ  Qlen BLOCKED
0x048c1584        fifo  any    1    0    REMT
0x048c1562  UPDI  fifo  any    1    0    UPDT
0x048c1540  MAXM  fifo  any  inf    0    MAXM
0x048c151e  Sign  fifo  any  inf    0   
0x048c14fc  LIMI  fifo  any  inf    0    LLMR
0x048c14da  DSPM  fifo  any  inf    0    DSPM
0x048c14b8  DSPS  fifo  any    1    0   
0x048c1496  DSPF  fifo  any  inf    0    DSPF
0x048c1474  SPEC  fifo  any    1    0   
0x048c1452  SPEC  fifo  any    1    0   
0x048c1430  DMMR  fifo  any  inf    0    DMMR
0x048c140e  DMFI  fifo  any  inf    0    DMFI
0x048c13ec  SPEC  fifo  any    1    0   
0x048c13ca  FCMR  fifo  any  inf    0    FCMR
0x048c13a8  FCFI  fifo  any  inf    0    FCFI
0x048c1386  SPEC  fifo  any    1    0   
0x048c1364  ANSQ  fifo  any  inf    0    ANSQ
0x048c1342  ANFI  fifo  any  inf    0    ANFI
0x048c1320  ANFS  fifo  any  inf    0   
0x048c12fe  ANOW  fifo  any   20    0   
0x048c12dc  ANMR  fifo  any  inf    0    ANMR
0x048c12ba  SPEC  fifo  any    1    0   
0x048c1298  AARS  fifo  any    1    0    AASQ
0x048c1276  AAFI  fifo  any  inf    0   
0x048c1254  AAFS  fifo  any  inf    0   
0x048c1232  AAMR  fifo  any  inf    0    AAMR
0x048c1210  SPEC  fifo  any    1    0   
0x048c11ee   CMR  fifo  any  inf    0   
0x048c11cc  SPEC  fifo  any    1    0   
0x048c11aa  SIGT  fifo  any  inf    0    SGMR
0x048c1188  ZMKM  fifo  any  inf    0    ZMKR
0x048c1166  MKMR  fifo  any  inf    0    MKR
0x048c1144  DEF3  fifo  any  inf    0    DEF3
0x048c1122  SNFI  fifo  any  inf    0    SNFI
0x048c1100  SNMR  fifo  any  inf    0    SNMR
0x048c10de  SPEC  fifo  any    1    0   
0x048c10bc  DEF2  fifo  any  inf    0    DEF2
0x048c109a  LGDT  fifo  any    1    0    LGDT
0x048c1078  LGDE  fifo  any  inf    0    LGDE
0x048c1056  SPEC  fifo  any    1    0   
0x048c1034  DSFI  fifo  any  inf    0    DSFI
0x048c1012  LGDT  fifo  any    1    0    LGDT
0x048c0ff0  LGDS  fifo  any  inf    0    LGDS
0x048c0fce  SPEC  fifo  any    1    0   
0x048c0fac  SWFI  fifo  any  inf    0    SWFI
0x048c0f8a  LGST  fifo  any    1    0    LGST
0x048c0f68  LGSW  fifo  any  inf    0    LGSW
0x048c0f46  SPEC  fifo  any    1    0   
0x048c0f24  DEFI  fifo  any  inf    0    DEFI
0x048c0f02  DEMT  fifo  any    1    0    DEMT
0x048c0ee0  DEMR  fifo  any  inf    0    DEMR
0x048c0ebe  SPEC  fifo  any    1    0   
0x048c0e9c  DMZF  fifo  any  inf    0    DMZF
0x048c0e7a  ZDMT  fifo  any    1    0    ZDMT
0x048c0e58  ZDMR  fifo  any  inf    0    ZDMR
0x048c0e36  SPEC  fifo  any    1    0   
0x048c0e14  SIFI  fifo  any  inf    0    SIFI
0x048c0df2  SIMT  fifo  any    1    0    SIMT
0x048c0dd0  SIMR  fifo  any  inf    0    SIMR
0x048c0dae  SPEC  fifo  any    1    0   
0x048c0d8c  DZFI  fifo  any  inf    0    DZFI
0x048c0d6a  DZMT  fifo  any    1    0    DZMT
0x048c0d48  DZMR  fifo  any  inf    0    DZMR
0x048c0d26  SPEC  fifo  any    1    0   
0x048c0d04  DSFI  fifo  any  inf    0    DSFI
0x048c0ce2  DSMT  fifo  any    1    0    DSMT
0x048c0cc0  DSMR  fifo  any  inf    0    DSMR
0x048c0c9e  SPEC  fifo  any    1    0   
0x048c0c7c  SWFI  fifo  any  inf    0   
0x048c0c5a  SWMT  fifo  any    1    0    SWMT
0x048c0c38  SWMR  fifo  any  inf    0    SWMR
0x048c0c16  SPEC  fifo  any    1    0   
0x048c0bf4  shrL  fifo  any    1    0   
0x048c0bd2  ACTV  fifo  any    1    0   
0x048c0bb0  hihr  fifo  any    1    0   
0x048c0b8e  hihr  fifo  any    1    0   
0x048c0b6c  hihr  fifo  any    1    0   
0x048c0b4a  hihr  fifo  any    1    0   
0x048c0b28  MENU  fifo  any    1    0   
0x048c0b06  MENU  fifo  any    1    0   
0x048c0ae4  MENU  fifo  any    1    0   
0x048c0ac2  MENU  fifo  any    1    0   
0x048c0aa0  MENU  fifo  any    1    0   
0x048c0a7e  MENU  fifo  any    1    0   
0x048c0a5c  MENU  fifo  any    1    0   
0x048c0a3a  MENU  fifo  any    1    0   
0x048c0a18  MENU  fifo  any    1    0   
0x048c09f6  ACTV  fifo  any    1    0   
0x048c09d4  SDRL  fifo  any    1    0   
0x048c09b2  SDIL  fifo  any    1    0   
0x048c0990    R2  fifo  any    1    0   
0x048c096e    R1  fifo  any    1    0   
0x048c094c    R0  fifo  any    1    0   
0x048c092a  isLk  fifo  any    1    0   
0x048c0908  dtLk  fifo  any    1    0   
0x048c08e6  mSTM  fifo  any  inf    0    MIME
0x048c08c4  mMIN  fifo  any  inf    0   
0x048c08a2  mMCL  fifo  any  inf    0   
0x048c0880  mMCR  fifo  any  inf    0   
0x048c085e  mMDA  fifo  any  inf    1   
0x048c083c  mMSA  fifo  any  inf    0   
0x048c081a  mDVL  fifo  any  inf    0   
0x048c07f8  dest  fifo  any  inf    0   
0x048c07d6  mLDS  fifo  any  inf    0   
0x048c07b4  FNSL  fifo  any    1    0   
0x048c0792  DDET  fifo  any  inf    0   
0x048c0770  DTRG  fifo  any  inf    0   
0x048c074e  DSWP  fifo  any  inf    0   
0x048c072c  Didi  fifo  any  inf    0   
0x048c070a  cntw  fifo  any    1    0   
0x048c06e8  cntx  fifo  any    1    0   
0x048c06c6  dRes  fifo  any    1    0   
0x048c06a4  Dlp   fifo  any    1    0   
0x048c0682  CalC  fifo  any    1    0   
0x048c0660  Scpi  fifo  any    1    0   
0x048c063e   LG1  fifo  any    1    0   
0x048c061c  ANON  fifo  any    1    0   
0x048c05fa  GPIB  fifo  any    1    0   
0x048c05d8  PCkb  fifo  any    1    0    PCKB
0x048c05b6  DISP  fifo  any    1    0    DISP
0x048c0594  OMMG  fifo  any    1    0   
0x048c0572   UNS  fifo  any    1    0   
0x048c0550  RLDS  fifo  any    1    0    ROOT
0x048c052e    BW  fifo  any    1    0   
0x048c050c  GLds  fifo  any    1    0   
0x048c04ea  BLds  fifo  any  inf    1   
0x048c04c8  CISW  fifo  any    1    0   
0x048c04a6  MRLK  fifo  any    1    0   
0x048c0484  HWLK  fifo  any    1    0   
0x048c0462    FP  fifo  any    1    0    FPLP
0x048c0440  ADCF  fifo  any    1    0   
0x048c041e  DIRg  fifo  any    1    0   
0x048c03fc  ANON  fifo  any    1    0   
0x048c03da  DIRf  fifo  any    1    0   
0x048c03b8  ANON  fifo  any    1    0   
0x048c0396  SIOB  fifo  any    1    0   
0x048c0374  CALM  fifo  any    1    0   
0x048c0352  DIRe  fifo  any    1    0   
0x048c0330  ANON  fifo  any    1    0   
0x048c030e  DIRd  fifo  any    1    0   
0x048c02ec  DIRc  fifo  any    1    0   
0x048c02ca  DIRb  fifo  any    1    0   
0x048c02a8  DIRa  fifo  any    1    0   
0x048c0286  APPS  fifo  any  inf    0    APPS
0x048c0264  DLLK  fifo  any    1    0   
0x048c0242  SUBL  fifo  any    1    0   
0x048c0220  LCSH  fifo  any    1    0   
0x048c01fe  FBUF  fifo  any    1    0   
0x048c01dc  DCAS  fifo  any    1    0    DCAS
0x048c01ba  RLCN  fifo  any    1    0    RLCN
0x048c0198  MROF  fifo  any    1    0   
0x048c0176  MRON  fifo  any    1    0   
0x048c0154  SWSP  fifo  any    1    0   
0x048c0132   SRQ  fifo  any    1    0    SYMR
0x048c0110  PRTH  fifo  any    1    0    PRNT
        155 Exchange(s) (245 avail).
        2 Msg buffer(s) (1022 avail).

>g

Breakpoint handler installed

>i
PsosSystemData (0x048bcce8):
        (0x048bcce8) OS_PCB   *runningPCB    = 0x048ca38c
        (0x048bccec) OS_PCB   *readyList     = 0x048c97f8
        (0x048bccf0) OS_PCB   *pauseList     = 0x048ccf30
        (0x048bccf4) OS_PCB   *pcbActiveHead = 0x048cd014
        (0x048bccf8) OS_PCB   *pcbFreeHead   = 0x048ccd68
        (0x048bccfc) OS_XCB   *xcbActiveHead = 0x048c1584
        (0x048bcd00) OS_XCB   *xcbFreeHead   = 0x048c15a6
        (0x048bcd04) OS_Message *mgbFreeHead = 0x048c3750
        (0x048bcd08) void  *sstackEnd        = 0x048c0110
        (0x048bcd0c) short kernelLevel       = 0
        (0x048bcd0e) short reserved1         = 0
        (0x048bcd10) int   reserved2         = 1280
        (0x048bcd14) int   phileData         = 620765184
        (0x048bcd18) int   probeEntry        = 71205862
        (0x048bcd1c) OS_PCB   *memQHead      = 0x048bcd1c
        (0x048bcd20) OS_PCB   *memQTail      = 0x048bcd1c
        (0x048bcd24) int   timeoutTicks      = 41
        (0x048bcd28) short ticks             = 45
        (0x048bcd2a) short pad1              = 0
        (0x048bcd2c) int   time              = 292
        (0x048bcd30) int   date              = 130155777
        (0x048bcd34) char  motbl[12]         =
        (0x048bcd40) short ticksPerSec       = 100
        (0x048bcd42) short ticksPerSlice     = 1
        (0x048bcd44) char  todset            =
        (0x048bcd45) char  eventRace         = (0x048bcd46) char  unusedPad[2]      =   
        (0x048bcd48) Lds_UInt32 switchProc   = 0
        (0x048bcd4c) regionInfo[0].minSeg      = 20
        (0x048bcd50) regionInfo[0].maxSeg      = 58796
        (0x048bcd54) regionInfo[0].minPend     = 6020
        (0x048bcd58) regionInfo[0].regionEnd   = 0x048dcce7
        (0x048bcd5c) regionInfo[0].regionName  = REG1
  (0x048bcd60) regionInfo[0].freeHead    = 0x048ce73c
        (0x048bcd64) regionInfo[0].freeTail    = 0x048d3e30
        (0x048bcd68) regionInfo[0].regionFlags = 0
        (0x048bcd6c) regionInfo[1].minSeg      = 20
        (0x048bcd70) regionInfo[1].maxSeg      = 24261400
        (0x048bcd74) regionInfo[1].minPend     = 24261401
        (0x048bcd78) regionInfo[1].regionEnd   = 0x05ffffff
        (0x048bcd78) regionInfo[1].regionEnd   = 0x05Bfffff
        (0x048bcd80) regionInfo[1].freeHead    = 0x048dcce8
        (0x048bcd84) regionInfo[1].freeTail    = 0x05e74208
        (0x048bcd88) regionInfo[1].regionFlags = 0
        (0x048bcd8c) regionInfo[2].minSeg      = 20
        (0x048bcd90) regionInfo[2].maxSeg      = 21844
        (0x048bcd94) regionInfo[2].minPend     = 21845
        (0x048bcd98) regionInfo[2].regionEnd   = 0x0a006393
        (0x048bcd9c) regionInfo[2].regionName  = dyna

        (0x048bcda0) regionInfo[2].freeHead    = 0x0a000e40
        (0x048bcda4) regionInfo[2].freeTail    = 0x0a000e40
        (0x048bcda8) regionInfo[2].regionFlags = 1
        (0x048bcdac) regionInfo[3].minSeg      = 128
        (0x048bcdb0) regionInfo[3].maxSeg      = 7120
        (0x048bcdb4) regionInfo[3].minPend     = 7121
        (0x048bcdb8) regionInfo[3].regionEnd   = 0x0a007fa3
        (0x048bcdbc) regionInfo[3].regionName  = nvra

        (0x048bcdc0) regionInfo[3].freeHead    = 0x0a0063d4
        (0x048bcdc4) regionInfo[3].freeTail    = 0x0a0063d4
        (0x048bcdc8) regionInfo[3].regionFlags = 0
        (0x048bcdcc) regionInfo[4].minSeg      = 0
        (0x048bcdd0) regionInfo[4].maxSeg      = 0
        (0x048bcdd4) regionInfo[4].minPend     = 0
        (0x048bcdd8) regionInfo[4].regionEnd   = 0x00000000
        (0x048bcddc) regionInfo[4].regionName  =     
        (0x048bcde0) regionInfo[4].freeHead    = 0x00000000
        (0x048bcde4) regionInfo[4].freeTail    = 0x00000000
        (0x048bcde8) regionInfo[4].regionFlags = 0
        (0x048bcdec) regionInfo[5].minSeg      = 0
        (0x048bcdf0) regionInfo[5].maxSeg      = 0
        (0x048bcdf4) regionInfo[5].minPend     = 0
        (0x048bcdf8) regionInfo[5].regionEnd   = 0x00000000
        (0x048bcdfc) regionInfo[5].regionName  =     
        (0x048bce00) regionInfo[5].freeHead    = 0x00000000
        (0x048bce04) regionInfo[5].freeTail    = 0x00000000
        (0x048bce08) regionInfo[5].regionFlags = 0
        (0x048bce0c) regionInfo[6].minSeg      = 0
        (0x048bce10) regionInfo[6].maxSeg      = 0
        (0x048bce14) regionInfo[6].minPend     = 0
        (0x048bce18) regionInfo[6].regionEnd   = 0x00000000
        (0x048bce1c) regionInfo[6].regionName  =     
        (0x048bce20) regionInfo[6].freeHead    = 0x00000000
        (0x048bce24) regionInfo[6].freeTail    = 0x00000000
        (0x048bce28) regionInfo[6].regionFlags = 0
        (0x048bce2c) regionInfo[7].minSeg      = 0
        (0x048bce30) regionInfo[7].maxSeg      = 0
        (0x048bce34) regionInfo[7].minPend     = 0
        (0x048bce38) regionInfo[7].regionEnd   = 0x00000000
        (0x048bce3c) regionInfo[7].regionName  =     
        (0x048bce40) regionInfo[7].freeHead    = 0x00000000
        (0x048bce44) regionInfo[7].freeTail    = 0x00000000
        (0x048bce48) regionInfo[7].regionFlags = 0
        (0x048bce4c) regionInfo[8].minSeg      = 0
        (0x048bce50) regionInfo[8].maxSeg      = 0
        (0x048bce54) regionInfo[8].minPend     = 0
        (0x048bce58) regionInfo[8].regionEnd   = 0x00000000
        (0x048bce5c) regionInfo[8].regionName  =     
        (0x048bce60) regionInfo[8].freeHead    = 0x00000000
        (0x048bce64) regionInfo[8].freeTail    = 0x00000000
        (0x048bce68) regionInfo[8].regionFlags = 0
        (0x048bce6c) regionInfo[9].minSeg      = 0
        (0x048bce70) regionInfo[9].maxSeg      = 0
        (0x048bce74) regionInfo[9].minPend     = 0
        (0x048bce78) regionInfo[9].regionEnd   = 0x00000000
        (0x048bce7c) regionInfo[9].regionName  =     
        (0x048bce80) regionInfo[9].freeHead    = 0x00000000
        (0x048bce84) regionInfo[9].freeTail    = 0x00000000
        (0x048bce88) regionInfo[9].regionFlags = 0
        (0x048bce8c) regionInfo[10].minSeg      = 0
        (0x048bce90) regionInfo[10].maxSeg      = 0
        (0x048bce94) regionInfo[10].minPend     = 0
        (0x048bce98) regionInfo[10].regionEnd   = 0x00000000
        (0x048bce9c) regionInfo[10].regionName  =     
        (0x048bcea0) regionInfo[10].freeHead    = 0x00000000
        (0x048bcea4) regionInfo[10].freeTail    = 0x00000000
        (0x048bcea8) regionInfo[10].regionFlags = 0
        (0x048bceac) regionInfo[11].minSeg      = 0
        (0x048bceb0) regionInfo[11].maxSeg      = 0
        (0x048bceb4) regionInfo[11].minPend     = 0
        (0x048bceb8) regionInfo[11].regionEnd   = 0x00000000
        (0x048bcebc) regionInfo[11].regionName  =     
        (0x048bcec0) regionInfo[11].freeHead    = 0x00000000
        (0x048bcec4) regionInfo[11].freeTail    = 0x00000000
        (0x048bcec8) regionInfo[11].regionFlags = 0
        (0x048bcecc) regionInfo[12].minSeg      = 0
        (0x048bced0) regionInfo[12].maxSeg      = 0
        (0x048bced4) regionInfo[12].minPend     = 0
        (0x048bced8) regionInfo[12].regionEnd   = 0x00000000
        (0x048bcedc) regionInfo[12].regionName  =     
        (0x048bcee0) regionInfo[12].freeHead    = 0x00000000
        (0x048bcee4) regionInfo[12].freeTail    = 0x00000000
        (0x048bcee8) regionInfo[12].regionFlags = 0
        (0x048bceec) regionInfo[13].minSeg      = 0
        (0x048bcef0) regionInfo[13].maxSeg      = 0
        (0x048bcef4) regionInfo[13].minPend     = 0
        (0x048bcef8) regionInfo[13].regionEnd   = 0x00000000
        (0x048bcefc) regionInfo[13].regionName  =     
        (0x048bcf00) regionInfo[13].freeHead    = 0x00000000
        (0x048bcf04) regionInfo[13].freeTail    = 0x00000000
        (0x048bcf08) regionInfo[13].regionFlags = 0
        (0x048bcf0c) regionInfo[14].minSeg      = 0
        (0x048bcf10) regionInfo[14].maxSeg      = 0
        (0x048bcf14) regionInfo[14].minPend     = 0
        (0x048bcf18) regionInfo[14].regionEnd   = 0x00000000
        (0x048bcf1c) regionInfo[14].regionName  =     
        (0x048bcf20) regionInfo[14].freeHead    = 0x00000000
        (0x048bcf24) regionInfo[14].freeTail    = 0x00000000
        (0x048bcf28) regionInfo[14].regionFlags = 0
        (0x048bcf2c) regionInfo[15].minSeg      = 0
        (0x048bcf30) regionInfo[15].maxSeg      = 0
        (0x048bcf34) regionInfo[15].minPend     = 0
        (0x048bcf38) regionInfo[15].regionEnd   = 0x00000000
        (0x048bcf3c) regionInfo[15].regionName  =     
        (0x048bcf40) regionInfo[15].freeHead    = 0x00000000
        (0x048bcf44) regionInfo[15].freeTail    = 0x00000000
        (0x048bcf48) regionInfo[15].regionFlags = 0
        (0x048bcf4c) regionInfo[16].minSeg      = 0
        (0x048bcf50) regionInfo[16].maxSeg      = 0
        (0x048bcf54) regionInfo[16].minPend     = 0
        (0x048bcf58) regionInfo[16].regionEnd   = 0x00000000
        (0x048bcf5c) regionInfo[16].regionName  =     
        (0x048bcf60) regionInfo[16].freeHead    = 0x00000000
        (0x048bcf64) regionInfo[16].freeTail    = 0x00000000
        (0x048bcf68) regionInfo[16].regionFlags = 0
        (0x048bcf6c) regionInfo[17].minSeg      = 0
        (0x048bcf70) regionInfo[17].maxSeg      = 0
        (0x048bcf74) regionInfo[17].minPend     = 0
        (0x048bcf78) regionInfo[17].regionEnd   = 0x00000000
        (0x048bcf7c) regionInfo[17].regionName  =     
        (0x048bcf80) regionInfo[17].freeHead    = 0x00000000
        (0x048bcf84) regionInfo[17].freeTail    = 0x00000000
        (0x048bcf88) regionInfo[17].regionFlags = 0
        (0x048bcf8c) regionInfo[18].minSeg      = 0
        (0x048bcf90) regionInfo[18].maxSeg      = 0
        (0x048bcf94) regionInfo[18].minPend     = 0
        (0x048bcf98) regionInfo[18].regionEnd   = 0x00000000
        (0x048bcf9c) regionInfo[18].regionName  =     
        (0x048bcfa0) regionInfo[18].freeHead    = 0x00000000
        (0x048bcfa4) regionInfo[18].freeTail    = 0x00000000
        (0x048bcfa8) regionInfo[18].regionFlags = 0
        (0x048bcfac) regionInfo[19].minSeg      = 0
        (0x048bcfb0) regionInfo[19].maxSeg      = 0
        (0x048bcfb4) regionInfo[19].minPend     = 0
        (0x048bcfb8) regionInfo[19].regionEnd   = 0x00000000
        (0x048bcfbc) regionInfo[19].regionName  =     
        (0x048bcfc0) regionInfo[19].freeHead    = 0x00000000
        (0x048bcfc4) regionInfo[19].freeTail    = 0x00000000
        (0x048bcfc8) regionInfo[19].regionFlags = 0
        (0x048bcfcc) regionSaveInfo[0] = 0x00000000
        (0x048bcfd0) regionSaveInfo[1] = 0x00000000
        (0x048bcfd4) regionSaveInfo[2] = 0x0a000004
        (0x048bcfd8) regionSaveInfo[3] = 0x00000000
        (0x048bcfdc) regionSaveInfo[4] = 0x00000000
        (0x048bcfe0) regionSaveInfo[5] = 0x00000000
        (0x048bcfe4) regionSaveInfo[6] = 0x00000000
        (0x048bcfe8) regionSaveInfo[7] = 0x00000000
        (0x048bcfec) regionSaveInfo[8] = 0x00000000
        (0x048bcff0) regionSaveInfo[9] = 0x00000000
        (0x048bcff4) regionSaveInfo[10] = 0x00000000
        (0x048bcff8) regionSaveInfo[11] = 0x00000000
        (0x048bcffc) regionSaveInfo[12] = 0x00000000
        (0x048bd000) regionSaveInfo[13] = 0x00000000
        (0x048bd004) regionSaveInfo[14] = 0x00000000
        (0x048bd008) regionSaveInfo[15] = 0x00000000
        (0x048bd00c) regionSaveInfo[16] = 0x00000000
        (0x048bd010) regionSaveInfo[17] = 0x00000000
        (0x048bd014) regionSaveInfo[18] = 0x00000000
        (0x048bd018) regionSaveInfo[19] = 0x00000000


9>

Contents of the Exception Report:
[0x0a007fa4] D0 = 0x00000000
[0x0a007fa8] D1 = 0x00000000
[0x0a007fac] D2 = 0x00000000
[0x0a007fb0] D3 = 0x00000000
[0x0a007fb4] D4 = 0x00000000
[0x0a007fb8] D5 = 0x00000000
[0x0a007fbc] D6 = 0x00000000
[0x0a007fc0] D7 = 0x00000000
[0x0a007fc4] A0 = 0x00000000
[0x0a007fc8] A1 = 0x00000000
[0x0a007fcc] A2 = 0x00000000
[0x0a007fd0] A3 = 0x00008000
[0x0a007fd4] A4 = 0x00000000
[0x0a007fd8] A5 = 0x00000000
[0x0a007fdc] A6 = 0x00000000
[0x0a007fe0] A7 = 0x00000000
[0x0a007fe4] SSP = 0x00000000
[0x0a007fe8] SR = 0x0000
[0x0a007fec] PC = 0x00000000
[0x0a007fec] FMT/VO = 0x0000

----- System/pSOS Debug commands: -----
    '?' - this help message.
    'j' - drop into breakpoint.
   '^C' - Abort to monitor.
   '^P' - Process status info, and LOTS of it.
 '[dD]' - Print DLP debug information.
 '[bB]' - Big memory hog report.
 '[pP]' - Process ONLY status info.

 '[eE]' - Exchange info.
 '[gG]' - toggle breakpoint exception handlers on/off
 '[tT]' - Time log.
 '[hH]' - History log.
 '[oO]' - Memory segment ownership.
 '[mM]' - Memory segment summary.
 '[sS]' - Semaphore ownership, etc.
 '[uU]' - maximum process stack Usage.
 '[vV]' - memory Validity check.
 '[iI]' - Show psosSystemData.
 '[1]' -  Show NVRAM contents.
 '[9]' -  Show Exception Report.
 '[wW] <process name>' - Show process stack trace.



Sandra
(Yes, I am a Woman :p )
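
Added example, not part of the original post: a defender-side review of what the console capture above discloses. It parses the segment map from the boot banner, cross-checks each size field against its address range, and lists the debug-menu entries that expose memory or execution control. The sample is an excerpt copied from the capture; the function names and the keyword-based risk classification are assumptions made for this example.

```python
import re

# Excerpt of the console capture posted above (segment map and part of the
# debug menu, trimmed so the example runs offline).
SAMPLE_LOG = """\
>>> mainMain()
text segment:           0x4011000 thru 0x4435e14 ( 424e14 bytes)
data segment:           0x4600000 thru 0x476dd88 ( 16dd88 bytes)
bss  segment:           0x476dd88 thru 0x48bcce8 ( 14ef60 bytes)
memory pool (all):      0x048bcce8 thru 0x05ffffff (24392472 bytes)
----- System/pSOS Debug commands: -----
    '?' - this help message.
    'j' - drop into breakpoint.
   '^C' - Abort to monitor.
 '[bB]' - Big memory hog report.
 '[1]' -  Show NVRAM contents.
 '[wW] <process name>' - Show process stack trace.
"""

SEG_RE = re.compile(
    r"^(?P<name>[\w ()]+?):\s+0x(?P<start>[0-9a-fA-F]+) thru "
    r"0x(?P<end>[0-9a-fA-F]+) \(\s*(?P<size>[0-9a-fA-F]+) bytes\)",
    re.M,
)
MENU_RE = re.compile(r"^\s*'(?P<key>[^']+)'\s*-\s*(?P<desc>.+?)\s*$", re.M)

# Assumption: keyword classification chosen for this example only.
RISK_KEYWORDS = {
    "memory disclosure": ("nvram", "stack trace", "memory",
                          "psossystemdata", "exception report"),
    "execution control": ("breakpoint", "monitor"),
}


def parse_segments(log):
    """Return the address ranges printed in the boot banner.

    The banner mixes notations: text/data/bss print a hex size with an
    exclusive end address, the memory pool prints a decimal size with an
    inclusive end address. Both readings are tried before a line is
    reported as inconsistent.
    """
    segments = []
    for m in SEG_RE.finditer(log):
        start, end = int(m["start"], 16), int(m["end"], 16)
        field = m["size"]
        readings = {int(field, 16)}
        if field.isdigit():
            readings.add(int(field, 10))
        spans = {end - start, end - start + 1}
        segments.append({
            "name": " ".join(m["name"].split()),
            "start": start,
            "end": end,
            "size_consistent": bool(readings & spans),
        })
    return segments


def overlaps(segments):
    """Return pairs of neighbouring ranges whose addresses overlap."""
    ordered = sorted(segments, key=lambda s: s["start"])
    return [(a["name"], b["name"])
            for a, b in zip(ordered, ordered[1:]) if b["start"] < a["end"]]


def audit_menu(log):
    """Return (key, risk, description) for menu entries worth reviewing."""
    findings = []
    for m in MENU_RE.finditer(log):
        desc = m["desc"].lower()
        for risk, words in RISK_KEYWORDS.items():
            if any(w in desc for w in words):
                findings.append((m["key"], risk, m["desc"]))
                break
    return findings


if __name__ == "__main__":
    for seg in parse_segments(SAMPLE_LOG):
        flag = "ok" if seg["size_consistent"] else "SIZE MISMATCH"
        print(f"{seg['name']:<18} 0x{seg['start']:08x}-0x{seg['end']:08x} {flag}")
    for key, risk, desc in audit_menu(SAMPLE_LOG):
        print(f"{key!r:<24} {risk:<18} {desc}")
```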
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #31 on: September 03, 2020, 12:41:34 am »
The first item needed is a full dump of the memory. A dump of one with licensed options would really help. Mine has no licensed options.
flexlm 6.01, which appears to be in the update file which I extracted strings from, has been hacked and there's articles on how to find the different key values.

The part at the moment is how to get that dump, flash and sdram from a running system.
I figured out the JTAG pins and where you can pick them up, but JTAG is not something I'm good with.

If all you have is a boundary scan ability, can you get a dump of memory?

Anyone who can help with that and setting up OCD, I'll do it on my ESA.
I just need the help.

The processor is a 68LC040 I believe (it's the LC part I'm not 100% sure of off top of the head).

Sandra
(Yes, I am a Woman :p )
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3221
  • Country: pt
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #32 on: September 03, 2020, 10:22:20 am »
> The first item needed is a full dump of the memory. A dump of one with licensed options would really help. Mine has no licensed options.
> flexlm 6.01, which appears to be in the update file which I extracted strings from, has been hacked and there's articles on how to find the different key values.
>
> The part at the moment is how to get that dump, flash and sdram from a running system.

I don't think flexLM is in the update file. It should be already inside the machine. That's why a flash dump would be great.

The FlexLM version should be no problem. Regarding the places where to find the seeds it's not so simple as the several guides don't cover this lang/processor.
 
The following users thanked this post: kasparoff

Offline analogRFTopic starter

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #33 on: September 03, 2020, 10:28:48 am »
I've done JTAG in a bunch of things. It's not normally what is in your pic? Maybe that is something else? Or I am just stupid, I CAN be that. Normally it's a 4-pin header: +5, TX, RX, GND, with either TTL or RS232 voltages. I will look more at the board shortly.


TX, RX, GND is not JTAG, it's UART. You don't even need the Vcc necessarily.

This thing has a JTAG interface but I don't think it will be of much help. The content of the bootrom is not what we need.
You only need the dump of flash memory to access the file system of the main OS, nothing else really. Another way would be to figure out how to combine the 9 floppy disks to create a single file firmware and then "explore" it  ;)
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3221
  • Country: pt
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #34 on: September 03, 2020, 10:31:32 am »
Another way would be to figure out how to combine the 9 floppy disks to create a single file firmware and then "explore" it  ;)

Where are those 9 disks?
 

Offline analogRFTopic starter

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #35 on: September 03, 2020, 10:37:54 am »
Another way would be to figure out how to combine the 9 floppy disks to create a single file firmware and then "explore" it  ;)

Where are those 9 disks?

On the Keysight website:
https://www.keysight.com/main/software.jspx?cc=CA&lc=eng&ckey=1000001085:epsg:sud&nid=-32406.536879915.02&id=1000001085:epsg:sud&cmpid=92448

EDIT: I don't have the instrument so I have never gone through the process of making the firmware update. I just know that it creates 9 floppy disks.
« Last Edit: September 03, 2020, 10:40:28 am by analogRF »
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #36 on: September 03, 2020, 11:59:58 am »
I have combined the 5 disks that make up the ESA Firmware. The other 4 are the Power Suite; I can combine those as well if you want.
There is no guarantee that just combining them will give a correct image.
They may contain loader information that the internal bootrom reads to build the actual firmware that is loaded (just thinking, or overthinking).
This is a full image, it's not an upgrade. I had to do a full erase of mine's memory to restore it, so I can attest everything is on those disks.
I also have the Discs for all the DLPs (personalities) that can be installed.

The reason I provided the boot loader ROM is it looks like GDB server is in the bootrom. If you have GDB, could you dump memory through it?
There is also apparently a SCPI Debug interface; maybe there's a memory read function in there?

I'll try to attach it here.

If this does not work, the other way I could brute-force this is to remove all of the FLASH memory and read them out with the Xgpro (formerly TL866) reader/programmer.
I have a spare processor card I'm willing to experiment on.




« Last Edit: September 03, 2020, 12:04:00 pm by smgvbest »
Sandra
(Yes, I am a Woman :p )
 
The following users thanked this post: tv84, analogRF, kasparoff

Offline analogRFTopic starter

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #37 on: September 03, 2020, 12:22:43 pm »
There is also a series of F000000 to F000003 files that I wonder what they contain... I think they must be combined too.
Also there is a bootloader file on the first floppy.

Have you been able to analyze the single firmware file with tools that are available in Linux?

 

Offline analogRFTopic starter

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #38 on: September 03, 2020, 12:29:09 pm »
I think having the actual unpacked firmware image from the flash memory will make it a lot easier and certainly possible to hack this thing.
If I am not mistaken there is more than one flash ROM, right? So again their contents must be concatenated.

EDIT: but then we know that a simple concatenation will give us the whole system.
With the firmware installation files, I am not sure about that, because each of those 5 files may have a header and when you connect them together you get a broken image of the actual file structure.
« Last Edit: September 03, 2020, 02:47:21 pm by analogRF »
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #39 on: September 03, 2020, 01:18:42 pm »
There is also a series of F000000 to F000003 files that I wonder what they contain... I think they must be combined too.
Also there is a bootloader file on the first floppy.

Have you been able to analyze the single firmware file with tools that are available in Linux?
When I tried the Linux tools they did not recognize the contents.

PDISC is the physical disc number below, whereas DISC # is the disc as labeled for installation.

BOOTROM: This looks for a DISK with ESALOADER on it and, if so, loads and runs it.
DISC ESALOADER (PDISC1): This is what's run to install the FIRMWARE.
DISC1-5 (PDISC2-6): These are the ESA Firmware Discs (this is the ESAFW I uploaded).
DISC1-3 (PDISC7-9): These contain the ESA Power Suite Software (the F000000 to F000003 are the Power Suite image files).

I'll combine and upload the Power Suite after work today.
Sandra
(Yes, I am a Woman :p )
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #40 on: September 03, 2020, 01:24:27 pm »
I'd love to be able to enable all DLPs and license-only options.
Example: RF PREAMP is a license-only option (hardware is there above certain serial numbers); you only need the 16-digit license key,
but the DLP for Cable Fault Analyzer requires the Tracking Gen be installed (I have a TG installed so would like this one).

I'm installing the DLP for Cable Fault Analyzer and grabbing screen caps so you can see the process of installing a DLP
« Last Edit: September 03, 2020, 01:28:05 pm by smgvbest »
Sandra
(Yes, I am a Woman :p )
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3221
  • Country: pt
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #41 on: September 03, 2020, 02:41:58 pm »
If this does not work, the other way I could brute-force this is to remove all of the FLASH memory and read them out with the Xgpro (formerly TL866) reader/programmer.
I have a spare processor card I'm willing to experiment on.

This seems the best option. How many flash chips are there? Isn't it just one?
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #42 on: September 03, 2020, 05:56:40 pm »
Total of 4.
One on the CPU board, which is main firmware.
3 on the SIMM, which is where licenses are supposed to be stored.
Sandra
(Yes, I am a Woman :p )
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3221
  • Country: pt
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #43 on: September 03, 2020, 08:46:24 pm »
Those that want to play in IDA with @smgvbest's ESAFW can use these settings:

Proc: Motorola Coldfire
Load address: 0x04011000
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #44 on: September 03, 2020, 08:47:22 pm »
Memory module on a memory SIMM, 72-pin old-style SDRAM memory form factor.

It’s how the E4407B had its memory expanded.

Sandra
(Yes, I am a Woman :p )
 
The following users thanked this post: tv84

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3221
  • Country: pt
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #45 on: September 03, 2020, 08:58:20 pm »
Memory module on a memory SIMM, 72-pin old-style SDRAM memory form factor.

It’s how the E4407B had its memory expanded.

Had never seen one of those expansions!

We don't need a dump from the "license's flashes". The licenses are already visible on the screen.
« Last Edit: September 03, 2020, 09:01:12 pm by tv84 »
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #46 on: September 03, 2020, 09:15:37 pm »
Those that want to play in IDA with @smgvbest's ESAFW can use these settings:

Proc: Motorola Coldfire
Load address: 0x04011000

Is the Motorola Coldfire the same as an M68040?
The Motorola 68LC040 is the actual processor on the board, which is why I ask.

How did you manage to get the load address?
« Last Edit: September 03, 2020, 09:18:28 pm by smgvbest »
Sandra
(Yes, I am a Woman :p )
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #47 on: September 03, 2020, 10:54:36 pm »
The static RAM is not where licenses are stored. They’re in the flash memory, so unless you wipe flash you maintain them.

Losing the SRAM loses the date/time and calibration and other settings like printer setup.
You just do an align all to get it back and reset date/time.
« Last Edit: September 04, 2020, 12:35:03 am by smgvbest »
Sandra
(Yes, I am a Woman :p )
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #48 on: September 04, 2020, 01:41:46 am »
So are you gals/guys thinking about patching the image and then loading a new image in? Might be able to add all sorts of stuff that way. Hopefully it's not checksummed or anything.

So a personality MUST have a key before running? So no stripping that requirement from the personality? The ESA won't run a personality that has no license requirements?

Just thinking out loud. And most likely being stupid.

I think what we're after is a keygen more or less.
If we can find all the keys FlexLM uses (I think there are 8 total if I understand), then we find out if using the host ID we can generate a valid license, we hopefully can generate them all.
Yes, a personality must also have a license. You load the personality (DLP) and license it, then it's usable.
The only DLP that's not licensed is the Power Suite.


Sandra
(Yes, I am a Woman :p )
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #49 on: September 04, 2020, 03:16:18 am »
I don’t know that would help.
The licenses are to the hostid, not the serial number.
You could change the serial to match a machine basically. Install the license and it would not work.

Sandra
(Yes, I am a Woman :p )
 

