EEVblog Electronics Community Forum

Products => Test Equipment => Topic started by: analogRF on October 21, 2019, 02:27:26 pm

Title: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on October 21, 2019, 02:27:26 pm
Hi
I was wondering if anyone ever hacked these ESA spectrum analyzers to enable options?

some options like 1DR and 1DS (or even 1D5 for S/N > 4421) can be enabled by license key only

https://www.keysight.com/main/editorial.jspx?cc=US&lc=eng&ckey=277453&nid=-11143.0.00&id=277453
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: mbielman on November 08, 2019, 12:41:59 am
I have the same question! Specifically I want to enable the RF Preamp option (the hardware should be there). Wondering if I can set a bit in the EEPROM on the processor card, or maybe figure out the key(s) based on the serial number.

Anyone?


Mark B
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on November 08, 2019, 02:45:15 am
I have heard that these analyzers have been cracked, but people who know how it's done won't disclose anything  :-//
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: mbielman on November 08, 2019, 03:52:42 am
I have an idea but it would be tedious and slightly dangerous...

Pull the EEPROM (processor board - an assumption on my part) from a unit that has some options enabled, and read that.
Put it back, disable an option or two, remove it again and reread, then look for changes.

Ug!
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on November 11, 2019, 02:20:05 pm
disabling the option in the menus does not remove it from the EEPROM

I am pretty sure someone has found a way to enable the options but it is not shared....
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: PA0PBZ on November 11, 2019, 02:51:49 pm
If it's the same as the N1996a CSA and the E7495 it uses FlexLM, I'm the one to blame for the "enhancement" and I have no problem to have a look at these machines as they are discontinued anyway. Does anyone have root access to these machines already?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on November 11, 2019, 03:04:43 pm
Quote from: PA0PBZ
If it's the same as the N1996a CSA and the E7495 it uses FlexLM, I'm the one to blame for the "enhancement" and I have no problem to have a look at these machines as they are discontinued anyway. Does anyone have root access to these machines already?

That would be awesome. Unfortunately I don't have root access. I think N1996A is a much newer machine than ESA series... but of course they might be using the same OS.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: PA0PBZ on November 11, 2019, 03:09:57 pm
Can you see what format the license code should be? That would probably show if it is FlexLM or something else.
I just downloaded the firmware upgrade but it is 9 discs  |O And the other version for older OS does not run on my PC.
-to be continued-
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on November 11, 2019, 03:16:45 pm
actually I personally do not have one of these analyzers but have been hunting for one for quite some time. if there is a way to enable some non-hardware options then it would be awesome...I have worked with them though...

maybe this page will help?

https://www.keysight.com/main/editorial.jspx?cc=US&lc=eng&ckey=1000004808:epsg:faq&nid=-35489.384884&id=1000004808:epsg:faq

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: Miek on November 11, 2019, 03:23:24 pm
I think you may be able to just concatenate the five ESAFW files, though I'm not completely sure - there might be a header on each.

There are references in the source to FlexLM, and an RTOS named pSOS.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: PA0PBZ on November 11, 2019, 05:54:35 pm
So it runs on some kind of *nix, it is FlexLM and the license file is here: /usr/local/flexlm/licenses/license.dat.
The bad news is that the bytes that have to be patched in the other instruments are not to be found in the ESAFW file.

So, is there any way to communicate with the ESA, is there a prompt on a serial port? I don't think it has ethernet..
Is there a harddisk inside that is readable? [Edit] No, it's flash.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: PA0PBZ on November 11, 2019, 06:46:34 pm
Processor is Motorola Coldfire:

[attached image]
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: mbielman on November 11, 2019, 08:59:44 pm
Not sure what you are trying to convey here. The ESA instruments use the MC68LC040 (integer only version) and as far as I know do not have a "traditional" OS at all, unlike the newer units.

If there is a way to interrogate the system, I would love to know how!
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: PA0PBZ on November 11, 2019, 09:17:43 pm
I'm trying to find a way into the ESA to be able to patch the FlexLM part. It looks like the code disassembles fine as a Coldfire processor but you could be right that it is a 68LC040. It looks like it's not that different and it disassembles fine. The method I used to get around the FlexLM stuff in the other instruments is always returning "ok" on an entered license but you have to patch the FlexLM daemon. If you can't get to the file that is going to be difficult so I'm looking at the install.o file to see how it works and if there is a way to install a patched file, that's basically it :)

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: mbielman on November 11, 2019, 09:57:26 pm
Yeah, not much differs I think between those processors, at least basic op codes. Coldfire is newer than the old MOT 680xx.
As mentioned, don't think these run HP-UX, Windows or any such OS. So no idea if there is anything resembling a file system.
Although it has A: and C: drives (floppy and flash) so who knows! If it's there, you do not see it when the system boots.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: Scopetechniques on May 20, 2020, 09:25:48 pm
No, the preamp option is not just software. It actually does have a hardware preamp after the input that can be turned on and off.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on May 20, 2020, 09:51:05 pm
Quote from: PA0PBZ
The method I used to get around the FlexLM stuff in the other instruments is always returning "ok" on an entered license but you have to patch the FlexLM daemon. If you can't get to the file that is going to be difficult so I'm looking at the install.o file to see how it works and if there is a way to install a patched file, that's basically it :)

Have you succeeded? Do you have JTAG access?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: PA0PBZ on May 21, 2020, 08:01:51 am
Quote from: tv84
Have you succeeded? Do you have JTAG access?

I gave up looking at the install file (can't remember why) and I don't have the hardware myself so the motivation is low.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on June 29, 2020, 02:36:22 am
My turn to chime in. I just got ahold of a broken E4407B from Alltest. I will be posting a blog about the repair once it arrives.
In the meantime, this is a topic I am also interested in. I'd love to enable any of the license-only options I could.

Everything I see says this is not Linux at all, which I think we agree on.
I don't think FLEXlm is involved; they would have had to port it to their proprietary software, which seems a waste.

I wonder if you could brute force this over SCPI. You can enter the license that way.
Be interesting to get a few options done.

Me first, I have to wait for mine to arrive then figure out what's broke.

Does anyone have the actual CLIP for this I could borrow? I have the scanned version and even in it the schematics are hard to read.
Also, anyone have a handle they are not using? I'll post in the wanted section but thought I would ask.

Edit: I need to walk back the statement over FLEXlm. It is part of the code as was pointed out by @Miek, and the OS is pSOS as also pointed out.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on July 17, 2020, 07:04:58 am
Does anyone have a Personality Disk from any of the options and/or a license file?
I need your hostID also if anyone is willing to share.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on August 23, 2020, 03:03:31 pm
I extracted strings from the E4407B and found some interesting ones.
In particular is SCPI Debugger.

Code:
Line 7267: 3679704:@(#)LDS Rev:3.10 - Module Incremental (Aug  4 2008) ; hpib (68xxx asm) Rev 1.20
Line 7360: 3769948:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Semeval Rev 3.10
Line 7438: 3859435:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); scpi_lp Rev 3.10
Line 7451: 3862796:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); shr Rev 3.10
Line 7509: 3894168:@(#)LDS Rev:3.10 - Module Incremental (Mar 26 2007); active function Rev 3.10
Line 7515: 3919656:@(#)LDS Rev:3.10 - Module Incremental (Mar 26 2007); fpanel control Rev 3.10
Line 7581: 3942204:@(#)LDS Rev:3.10 - Module Incremental (Mar 26 2007); menu system Rev 3.10
Line 7590: 3950528:@(#)LDS Rev:3.10 - Module Incremental (Jul  8 2003); ptp Rev 3.10
Line 7607: 3990652:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); scum Rev 3.10
Line 7613: 3997792:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Math64 Rev 3.10
Line 7614: 4008452:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); cvt (asm source) Rev 3.10
Line 7615: 4009139:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); mcat Rev 3.10
Line 7630: 4012400:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); rlock Rev 3.10
Line 7644: 4017028:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Save-Recall Rev 3.10
Line 7646: 4021306:@(#)LDS Rev:3.10 - Module Incremental (Sep 10 1999); OS wrapper for psos Rev 3.10
Line 7723: 4051040:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); HIHR Rev 3.10
Line 7737: 4059944:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Null Happening Reporter Rev 3.10
Line 7738: 4060052:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Tee Happening Reporter Rev 3.10
Line 7740: 4060976:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Stderr Happening Reporter Rev 3.10
Line 7741: 4061100:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Stdio Happening Reporter Rev 3.10
Line 7746: 4061988:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Scpi Debugger Rev 3.10
Line 7765: 4072404:@(#)LDS Rev:3.10 - Module Incremental (Sep 10 1999); optimized memory manager Rev 3.10


I also extracted all the FlexLM items I could see.
One of interest is

/usr/local/flexlm/licenses/license.dat

Code:
4072496:@(#) FLEXlm 6.0d (liblmgr.a), Copyright (C) 1988-1997 Globetrotter Software, Inc.
4072583:FLEXLM_COMM_TRANSPORT
4074343:FLEXLM_INTERVAL_OK
4074373:FLEXLM_USE_FINDER
4076772:FLEXLM_DIAGNOSTICS
4076795:LM_LICENSE_FILE
4076811:%s_LICENSE_FILE
4076830:%s%s%s%s%s
4078034:FLEXLM_DIAGNOSTICS
4078057:FLEXlm checkout error
4078079:license file(s):
4078103:lm_checkout("%s", %s, %d, 0x%x, ..., 0x%x)
4079117:x%s > %s
4079130:%d-%[^-]-%d
4080510:NOMORE
4080771:%d %d
4082547:,PORT_AT_HOST_PLUS   
4083270:DUP_GROUP
4083280:SUITE_DUP_GROUP
4083296:W_LIC_LOSS
4083307:OVERDRAFT
4083322:USER_BASED
4083333:HOST_BASED
4083352:PLATFORMS
4083369:SUPERSEDE
4083410:DIST_CONSTRAINT
4086112:%s=%s
4086286:%s=%d
4086618:%ld-%[^-]-%ld
4093632:PORT_AT_HOST_PLUS   
4094790:%s %s %s
4094811:INCREMENT
4094838:%s %s %s %s %s %s %s %s %[^
4094869:%s %s %s %s %s %s %s %[^
4094897:permanent
4094915:uncounted
4096630:PORT_AT_HOST_PLUS   
4096796:%s %s
4096936:USE_SERVER
4097583:All licenses are reserved for others
4097621:Cannot remove a linger license
4097652:The decimal format license is typed incorrectly
4097700:This FEATURE line can't be converted to decimal format
4097755:The desired vendor daemon is down
4097789:Server node is down or not responding
4097827:Network connect to THIS_HOST failed
4097863:Attempt to generate license with incompatible attributes
4097920:This feature is available in a different license pool
4097974:feature removed during lmreread, or wrong SERVER line hostid
4098035:ENCRYPTION_SEEDs are non-unique
4098067:Future license file format or misspelling in license file
4098125:This platform not authorized by license
4098165:System clock has been set back
4098196:Checkout exceeds MAX specified in options file
4098243:License object already in use
4098273:License server doesn't support this request
4098317:USER_BASED license has no specified users -- see server log
4098377:FLEXlm version of client newer than server
4098420:Invalid PACKAGE line in license file
4098457:FLEXlm internal error -81
4098483:FLEXlm internal error -80
4098509:FLEXlm internal error -79
4098535:FLEXadmin API functions not available
4098573:Bad version number - must be floating point number, with no letters
4098641:Internal FLEXlm Error - Please report to Globetrotter Software
4098704:SYS$SETIMR call failed
4098727:Attempt to read beyond end of license file path
4098775:Local checkout filter rejected request
4098814:Old VENDORCODE (3-word) struct type passed to lm_init()
4098870:Invalid TZ environment variable
4098902:Attempt to borrow the same (destination) license twice
4098957:License borrowing database corrupted
4098994:License borrowing not enabled
4099024:No licenses available to borrow
4099056:FLEXlm include file/library version mismatch
4099101:Unknown VENDORCODE struct type passed to lm_init()
4099152:lmremove request before the minimum lmremove interval
4099206:You are not a license administrator
4099242:Network software (tcp/ip) not available
4099282:Cannot read license file data from server
4099324:Server message checksum failure
4099356:Message checksum failure
4099381:setsockopt() call failed
4099406:socket() call failed
4099427:Cannot compute FEATURESET data from license file
4099476:Incorrect FEATURESET line in license file
4099518:No FEATURESET line in license file
4099553:Checkout request rejected by vendor-defined checkout filter
4099613:FLEXlm vendor daemon did not respond within timeout interval
4099674:FLEXlm not initialized
4099697:FLEXlm key data has expired
4099725:Date invalid for binary format
4099756:FLEXlm platform not enabled
4099784:Clock setting check not available in daemon
4099828:FLEXlm software is demonstration version
4099869:FLEXlm function not available in this version
4099915:Invalid FLEXlm key data supplied
4099948:No FLEXlm key data supplied in lm_init() call
4099994:Invalid parameter
4100012:Feature was never checked out
4100042:Cannot allocate dynamic memory
4100073:User/host not on INCLUDE list for feature
4100115:User/host on EXCLUDE list for feature
4100153:Duplicate selection mismatch for this feature
4100199:Feature database corrupted in daemon
4100236:In the queue for this feature
4100266:Clock difference too large between client and server
4100319:Bad encryption handshake with daemon
4100356:No such attribute
4100374:Feature start date is in the future
4100410:Cannot read license file
4100435:Cannot find ethernet device
4100463:Cannot read /vmunix
4100483:Cannot read /dev/kmem
4100505:Request for more licenses than this feature supports
4100558:License server does not support this version of this feature
4100619:Users are queued for this feature
4100653:License server temporarily busy (new server connecting)
4100709:Feature checkin failure detected at license server
4100760:License file does not support this version
4100803:License server busy (no majority)
4100837:Error in select system call
4100865:License server does not support this feature
4100910:Cannot write data to license server
4100946:Cannot read data from license server
4100983:Cannot connect to license server
4101016:Cannot find SERVER hostname in network database
4101064:No SERVER lines in license file
4101096:Invalid returned data from license server
4101138:Invalid date format in license file
4101174:Feature has expired
4101194:Invalid host
4101207:Invalid (inconsistent) license key
4101242:No socket connection to license manager server
4101289:No port number in license file and "FLEXlm" service does not exist
4101356:No such feature exists
4101379:Licensed number of users already reached
4101420:No server for this feature
4101447:Invalid license file syntax
4101475:Cannot find license file
4101910:The system administrator has reserved all the licenses for others.
4101978:Reservations are made in the options file. The server must be restarted
4102051:for options file changes to take effect.
4102093:1) Check the lmgrd log file, or 2) Try lmreread.
4102143:See the system adminstrator about starting the server, or
4102202:make sure the you're referring to the right host (see LM_LICENSE_FILE).
4102275:The license file indicates THIS_HOST, and the server is not
4102336:running on this host.  If it's running on a different host,
4102398:THIS_HOST should be changed to the correct host.
4102448:This is a warning condition.  The server has pooled one or more
4102513:INCREMENT lines into a single pool, and the request was made on
4102578:an INCREMENT line that has been pooled.  If this is reported as an
4102646:error, it's an internal error in FLEXlm
4102687:The file was issued for a later version of FLEXlm than this
4102748:program understands.
4102770:The server (lmgrd) has not been started yet, or
4102819:the wrong port@host or license file is being used, or the
4102878:port or hostname in the license file has been changed.
4102934:The lookup for the hostname on the SERVER line in the
4102989:license file failed.  This often happens when NIS or DNS
4103047:or the hosts file is incorrect.  Workaround:Use IP-Address
4103108:(e.g., 123.456.789.123) instead of hostname
4103153:The hostid of this system does not match the hostid
4103206:specified in the license file
4103237:The license-key and data for the feature do no match.
4103292:This usually happens when a license file has been altered
4103351:The license files (or server network addresses) attempted are
4103415:listed below.  Use LM_LICENSE_FILE to use a different license file,
4103484:or contact your software provider for a license file.
4103539:Usually this error message should be ignored.
4103586:It occurs when the FLEXlm error message function was called
4103647:though no error was detected
4104086:Vendor:Host
4104098:Platforms
4104108:PACKAGE text
4104121:Version text
4104134:Start date
4104145:Application version > License version
4104183:Server name
4104195:Date text
4104205:Expire date
4104224:Hostname
4104233:License text
4104246:Filename
4104257:INVALID FLEXlm error code
4104283:Feature:
4104314:%-15s %s
4104323:License path:
4104363:For further information, refer to the FLEXlm End User Manual,
4104425:available at "www.globetrotter.com".
4104462:FLEXlm error:
4104477:%-15s%d,%d.  System Error:%d "%s"%s
4104514:%d,%d:%d (%s)
4104530:%-15s%d,%d
4104541:(%d,%d)
4105410:%s:%s
4105530:no error
4105977:%d-%[^-]-%d
4106804:0123456789ABCDEF
4107098:1-jan-1990
4107113:1-jan-2025
4107127:%d-%s-%d
4108724:hp700_u9
4108978:LM_DEBUG_HOSTID
4109996:/etc/resolv.conf
4110826:DEMO
4110851:INTERNET=
4110876:HOSTNAME=
4110886:DISPLAY=
4110900:ID_STRING=
4110923:SENTINEL_KEY=
4110937:FLEXID=7-
4110952:FLEXID=8-
4110962:FLEXID=9-
4110972:FLEXID=A-
4110987:DISK_SERIAL_NUM=
4111013:VENDORDEF=
4112732:DUP_GROUP not valid with uncounted license
4112775:Hostid required for uncounted feature
4112813:HOST or USER BASED licenses must be counted
4112857:Illegal char in feature name:only alpha-num and '_' allowed
4112918:SUITE only applies to PACKAGE lines
4112954:Can't combine USER_BASED and HOST_BASED
4112994:PACKAGE and COMPONENT name can't be identical
4113040:%d-%[^-]-%d
4113052:ISSUED Invalid date format
4113079:ISSUED Can't have year 0
4113656:03.0
4114484:USE_SERVER
4115223:%s_LICENSE_FILE
4115239:LM_LICENSE_FILE
4115263:FLEXLM_USE_FINDER
4115281:/usr/local/flexlm/licenses/license.dat
4116485:START_LICENSE
4116504:END_LICENSE
4116896:%d%s
4117267:%c%c%c%c%c%c%c%c%s
4119122:%d-%s-%d
4120010:%c%s
4121072:DEMO
4121104:DISPLAY=
4121113:ID_STRING=
4121133:HOSTNAME=
4121155:FLEXID=7-
4121174:SENTINEL_KEY=
4121188:FLEXID=8-
4121201:FLEXID=9-
4121211:FLEXID=A-
4121221:DISK_SERIAL_NUM=
4121243:INTERNET=
4123359:SUPERSEDE
4123377:HOST_BASED
4123388:PLATFORMS
4123398:USER_BASED
4123409:CAPACITY
4123437:SUITE_DUP_GROUP
4123456:COMPONENTS
4123467:dist_info
4123494:asset_info
4123505:user_info
4123515:vendor_info
4123527:OVERDRAFT
4123537:DUP_GROUP
4123554:VENDOR_STRING
4123568:W_LIC_LOSS
4123579:w_term_signal
4123608:w_binary
4124356:SITE
4126380:/dev/tty
4126688:START_LICENSE
4128178:%s %s %s %s %s
4128204:this_host


Also of interest is

Code:
0:----- System/pSOS Debug commands:-----
1176785:'?' - this help message.
1176815:'j' - drop into breakpoint.
1176848:'^C' - Abort to monitor.
1176877:'^P' - Process status info, and LOTS of it.
1176925:'[dD]' - Print DLP debug information.
1176965:'[bB]' - Big memory hog report.
1176999:'[pP]' - Process ONLY status info.
1177038:'[eE]' - Exchange info.
1177064:'[gG]' - toggle breakpoint exception handlers on/off
1177119:'[tT]' - Time log.
1177140:'[hH]' - History log.
1177164:'[oO]' - Memory segment ownership.
1177201:'[mM]' - Memory segment summary.
1177236:'[sS]' - Semaphore ownership, etc.
1177273:'[uU]' - maximum process stack Usage.
1177313:'[vV]' - memory Validity check.
1177347:'[iI]' - Show psosSystemData.
1177379:'[1]' -  Show NVRAM contents.
1177411:'[9]' -  Show Exception Report.
1177445:'[wW] <process name>' - Show process stack trace.
1177497:Unknown debug char:'%c' (0x%02X).  Press '?' for help.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on August 24, 2020, 12:32:02 pm
Sandra,

Can you extract your /usr/local/flexlm/licenses/license.dat ?

Do you have JTAG access?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on August 26, 2020, 02:47:59 am
I don't have JTAG access yet.
My SA has no licenses so it's not the best unit to work with.
My plan is to try several things.
The serial port, to see if any boot info shows up and to see if something I saw is correct, as it looks like you can dump memory through the serial interface or SCPI interface.

JTAG is a boundary-scan-only interface on the 68040.
I haven't seen any predefined targets for 68040 in OCD.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on August 26, 2020, 01:06:33 pm
A memdump, a boot log, etc. Everything helps.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on August 27, 2020, 01:14:59 am
Hum
I read out the boot ROM and did the string search there and found some interesting things in there,
like a ROM Monitor, GDB, breakpoints, memory dump etc... hummmm

I'm going to have to get hooked up to the J1 port RS232.

Code:
3076:@(#)LDS Rev: 3.02 - Module Incremental (Sep  9 2003)
3129:5.00
3774:Self-tests complete.
3795:Main FW Checksum ...
3818:Main Firmware DRAM:
3839:Non Destructive SRAM Test ...
3871:Bootrom DRAM:
3890:Bootrom Checksum ...
3913:addressStrobe ...
3931:onOffStrobe ...
3947:dataStrobe ...
4569:SRAM Cleared
4583:FLASH Cleared
4598:Cache Disabled
4614:Cache Enabled
4629:4MBytes of FLASH
4648:8MBytes of FLASH
4667:12MBytes of FLASH
4687:16MBytes of FLASH
4707:Download to DRAM Selected
4735:Download to Flash Selected
4990:ESALOADR
5800:command not found.
5819:rty test routine
5836:rty
5840:gu [<hex start addr>]  - go to start address
5885:bootvars- display bootrom variables
5921:bootvars
5933:[<hex boot config>] - set the bootrom configuration (see bchelp)
6004:[<hex start addr>] 
6025:- go to start address
6053:- force a breakpoint when starting
6091:gbreak
6098:- force a gdb breakpoint
6123:gbreak
6130:gdb
6134:- enable gdb trapping of exceptions
6170:gdb
6174:dlong
6180:[<hex start address> [m bytes]] - display memory using longs
6243:dlong
6249:dword
6255:[<hex start address> [m bytes]] - display memory using words
6318:dword
6324:dbyte
6330:[<hex start address> [m bytes]] - display memory using bytes
6393:dbyte
6399:dmem
6404:[<hex start address> [m bytes]] - display memory using bytes
6467:dmem
6472:slong
6478:<hex start address> <hexchars> - set memory using longs
6534:slong
6540:sword
6546:<hex start address> <hexchars> - set memory using words
6602:sword
6608:sbyte
6614:<hex start address> <hexchars> - set memory using bytes
6670:sbyte
6676:smem
6681:<hex start address> <hexchars> - set memory using bytes
6737:smem
6742:hmon
6747:[device] - download into memory
6779:hmon
6784:version
6792:- display bootrom version
6818:version
6826:SRAM selftest results:
6850:        Start  = 0x%x
6873:        End    = 0x%x
6896:        Errors = 0x%x
6919:DRAM selftest results:
6943:Downloading from floppy
9532:    ROM Checksum Failure.  Bad Checksum. 
9578:    ROM Checksum Failure.  Bad Table.     01
9623:    ROM Checksum Failure.  Bad ROM Id.    01
9668:    ROM Checksum Failure.  Bad Table.     01
9713:    ROM Checksum Failure.  Bad ROM size.  01
10464:getIoSlotAddr: Illegal slot mber %d
10624:hpibPort = 0x%x
10900:RS232BINARY
10912:HPIB
10917:RS232
11040:hpibPort = 0x%x, bus Address = %d
11418:RAM
11427:Remove disk and cycle power to contie.
11469:LIST
11474:executing at 0x%x
12692:28F032
12699:28F0320
12707:28F016
12714:29F400B
12722:29F400T
12730:29F040
12737:29F010
12744:28F200BX-B
12755:28F200BX-T
12766:MT28F400-B
12777:28F400BX-B
12788:28F400BX-T
12799:28F800BX-B
12810:28F800BX-T
12821:28F001BX-B
12832:28F001BX-T
12843:28F008
12850:28F020A
12858:28F010
12865:28F020
14219:  **  Improper device command sequence.
14261:  **  Vpp Low Detected.
14492:Checking block at 0x%p for erasure.
14604:    Programming memory to zeros
14640:   
14648:  **  Program to zero failed at address 0x%p
14695:    Erasing memory.
14717:  **  Block erase failed at block 0x%p
14764:< (.
15359:  **  Chip Erase failed at adrs 0x%p
15636:    Erasing memory.
16867:Device program failure at 0x%p, write(0x%x), read(0x%x)
19846:  ** Unrecognized EPROM Identifier at 0x%p
20582:Unrecognized EPROM identifier at address 0x%p
20633:Flash ROM is %s with width=%d, memorywidth=%d
20680:Programming from %p to %p.
24116:    ROM Checksum Failure.  Bad Checksum. 
24162:    ROM Checksum Failure.  Bad Table.     01
24207:    ROM Checksum Failure.  Bad ROM Id.    01
24252:    ROM Checksum Failure.  Bad Table.     01
24297:    ROM Checksum Failure.  Bad ROM size.  01
25048:getIoSlotAddr: Illegal slot mber %d
25208:hpibPort = 0x%x
25484:RS232BINARY
25496:HPIB
25501:RS232
25624:hpibPort = 0x%x, bus Address = %d
26124:RS232
26134:RS232BINARY
26146:,LIST
27014:0123456789abcdef
30200:hpibctrl.c: Stubbed version of enableHpibSysControl invoked
30287:Running code from address = 0x%p
30698:***** Mosquito Bootrom *****
30729: ; LDS Bootrom Rev
30752:@(#)HEWLETT-PACKARD, E4401 Bootrom, 5.00
30795:Ron Yamada was here!
31060:Running code from address = 0x%p
35692:FloppyInterruptRoutine: mymsr = %x
44248:media_2mb_512
44466:media_1mb_256
44512:media_1mb_512
44558:media_1mb_1024
44606:media_2mb_256
44652:media_2mb_1024
45384:   Bus Error.
45404:   Failed with exception 0x
45784:testmain.S: mainEntryPoint variable is LL
47204:    Testing
47217: bytes at 0x
47230: bytes
47237:    Memory size too small.
47266:    Bus Error.
47908:    At address(0x
47926:), write(0x
47938:) read(0x
48191:|    RAM bit errors: 0x
48215:    Bus Error.
48514:    RAM refresh errors: 0x
48541:    Bus Error.
48638:bootromRevision   : 0x%08x
48670:compositeErrors   : 0x%08x
48698:bootConfig        : 0x%08x
48726:bootromBdataBegin : 0x%08x
48754:bootromBssEnd     : 0x%08x
48782:bootromMainStack  : 0x%08x
48810:ram1Start         : 0x%08x
48838:ram1Stop          : 0x%08x
48866:ram1Errors        : 0x%08x
48894:ram2Start         : 0x%08x
48922:ram2Stop          : 0x%08x
48950:ram2Errors        : 0x%08x
48978:ram3Start         : 0x%08x
49006:ram3Stop          : 0x%08x
49034:ram3Errors        : 0x%08x
49062:ram4Start         : 0x%08x
49090:ram4Stop          : 0x%08x
49118:ram4Errors        : 0x%08x
52167:MMU Access Level Violation error
52205:MMU Illegal Operation error
52233:MMU Config error
52250:FP Unimplemented Data Type
52277:FP Signaling NAN
52294:FP Overflow
52306:FP Operand Error
52323:FP Underflow
52336:FP Divide by zero
52354:FP Inexact Result
52372:FP Branch or Set on Unordered Condition
52412:Trap #15
52421:Trap #14
52430:Trap #13
52439:Trap #12
52448:Trap #11
52457:Trap #10
52466:Trap #9
52474:Trap #8
52482:Trap #7
52490:Trap #6
52498:Trap #5
52506:Trap #4
52514:Trap #3
52522:Trap #2
52530:Trap #1
52538:Trap #0
52546:Level 7 Autovector
52565:Level 6 Autovector
52584:Level 5 Autovector
52603:Level 4 Autovector
52622:Level 3 Autovector
52641:Level 2 Autovector
52660:Level 1 Autovector
52679:Spurious Interrupt
52698:Uninitialized Interrupt
52722:Format Error
52735:Coprocessor Protocol Violation
52766:Reserved
52775:Trace Exception
52791:Privilege Violation
52811:FTRAPcc, TRAPcc, TRAPV
52834:CHK, CHK2 Instruction
52856:Integer Divide by Zero
52879:Illegal Instruction
52899:Address Error
52913:Access Fault (bus error)
52938:Reset PC
52947:Reset Stack Pointer
52967:Vector #
53355:Unexpected exception at VBR offset 0x%x
53396:  %s
53402:  format = %d, frame is at 0x%x
53435:  PC = 0x%x
53448:  SR = 0x%04x
53463:  Registers = 0x0a007fa4 thru 0x0a007fef
53505:  Access Address = 0x%x
53618:0R/
55368:ROM Monitor
55385:Enter ? for help.
55404:Monitor nested too deep, resetting stack pointer...
56306:DOWNLOAD
56319:HPIB
56324:RS232BINARY
56336:Unable to open '%s' for downloading
56373:Downloading via %s
57090:bad hex char: '%c'
57420:gdb communication enabled.
57496:ERROR: bootConfigAreaSize is zero
57538:ERROR - couldn't zapp boot config!
58600:28F032
58607:28F0320
58615:28F016
58622:29F400B
58630:29F400T
58638:29F040
58645:29F010
58652:28F200BX-B
58663:28F200BX-T
58674:MT28F400-B
58685:28F400BX-B
58696:28F400BX-T
58707:28F800BX-B
58718:28F800BX-T
58729:28F001BX-B
58740:28F001BX-T
58751:28F008
58758:28F020A
58766:28F010
58773:28F020
60127:  **  Improper device command sequence.
60169:  **  Vpp Low Detected.
60400:Checking block at 0x%p for erasure.
60512:    Programming memory to zeros
60548:   
60556:  **  Program to zero failed at address 0x%p
60603:    Erasing memory.
60625:  **  Block erase failed at block 0x%p
61267:  **  Chip Erase failed at adrs 0x%p
61544:    Erasing memory.
62775:Device program failure at 0x%p, write(0x%x), read(0x%x)
65754:  ** Unrecognized EPROM Identifier at 0x%p
66490:Unrecognized EPROM identifier at address 0x%p
66541:Flash ROM is %s with width=%d, memorywidth=%d
66588:Programming from %p to %p.
69368:Copyright 1988-1997,
69390:Hewlett-Packard Company, all rights reserved.
69440:@(#)LDS Rev: 3.02 - Module Incremental (Sep  9 2003) ; Bootrom Rev 5.00
69516:0123456789abcdef
69992:bad checksum.  My count = 0x%x, sent=0x%x. buf=%s
70874:vector=%d, sr=0x%x, pc=0x%x
70914:malformed read memory command: %s
70952:bus error
70962:E02
70966:malformed write memory command: %s
71001:new pc = 0x%x
71016:frame at 0x%p has pc=0x%x, except#=%d
72744:Bootrom Revision 5.00
72960:disable
72972:clear
72980:off
72984:false
72995:enable
73002:set
73011:true
73016:yes
73874:Command too short, try one of
73912:Usage: %s
74562:SUBCMD - Don't know what to do?
74599:"%s" subcommands:
74618:valid subcommands:
74824:Valid options:
75638:RAM
75646:boot config area is full
75816:uhpibctrl.c: Stubbed version of enableHpibSysControl invoked
76152:Linked: Sep  9 2003 14:46:44
76185:By: gy
76196:Sep  9 2003
76208:14:46:44
77630:Memory allocation statistics %s
77678:used:
77687:Total in use: %d, total free: %d
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on August 27, 2020, 11:39:59 am
For those interested, here's the dump of the bootrom.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on August 27, 2020, 12:28:55 pm
Not an expert here, but I am not sure if the bootrom is that useful for cracking the options.
You probably need to access a serial console that is somewhere on the CPU board to access the main firmware files that are unpacked in the flash (or is it EEPROM?).
Is there a place where you can enter a license key and see what error it generates?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on August 27, 2020, 12:34:59 pm
The reason for posting it is that there appear to be monitor functions built in that may help get to the data we’re after.

My unit has no licenses, and the licenses are stored in the flash memory, not in the EEPROM, according to the security doc out there from Agilent.



Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on August 27, 2020, 11:44:31 pm
So before trying to attach to the J1 connector, I figured I'd better determine if it's RS232-level or TTL-level output.

U63 is a MAX232, so RS232 levels.

Also, J1 is a 2mm 2x5 header. I don't have one, so a Digikey order (along with stuff for my DSKY EL Display) should be here by Monday, I hope,
unless I can rig up something.

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on August 28, 2020, 12:57:32 am
All you need to do is attach two small grabbers to pin 9 and pin 10 of the MAX232 chip (TTL level) and you are good to go. Any cheap UART-USB converter will do the job. I prefer my Bus Pirate. That's how I have always done this in numerous instruments.

But which RS232 connector is this? Is it the one at the back of the instrument? Or is it something just on board for debugging?

Because if it is the one at the back of the instrument, you won't get any boot log on that or access to the OS.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on August 31, 2020, 04:12:44 pm
Got the connection working.   I needed a reboot  |O

This is some of the information I see from it:

Code:

***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.

@(#)HEWLETT-PACKARD, E4401 Bootrom, 5.00
@(#)LDS Rev: 3.02 - Module Incremental (Sep  9 2003)
@(#)Linked: Sep  9 2003 14:46:44

Bootrom Checksum ...
Bootrom DRAM:     Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM:     Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
Self-tests complete.SRAM selftest results:
        Start  = 0xa000000
        End    = 0xa007fa3
        Errors = 0x0
DRAM selftest results:
        Start  = 0x4011000
        End    = 0x6000000
        Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19

Cache Enabled
16MBytes of FLASH

Download to Flash Selected
>>> mainMain()
text segment:           0x4011000 thru 0x4435e14 ( 424e14 bytes)
data segment:           0x4600000 thru 0x476dd88 ( 16dd88 bytes)
bss  segment:           0x476dd88 thru 0x48bcce8 ( 14ef60 bytes)

ROM size:               0x00592b9c ( 592b9c bytes of 4194304 max.)

memory pool (all):      0x048bcce8 thru 0x05ffffff (24392472 bytes)
Calling start_psos() ...
>>>> debug() process starting
DLP Loaded - Power Suite Utilities, A.06.05, Nov 21 2003 15:45:40

----- System/pSOS Debug commands: -----
    '?' - this help message.
    'j' - drop into breakpoint.
   '^C' - Abort to monitor.
   '^P' - Process status info, and LOTS of it.
 '[dD]' - Print DLP debug information.
 '[bB]' - Big memory hog report.
 '[pP]' - Process ONLY status info.

 '[eE]' - Exchange info.
 '[gG]' - toggle breakpoint exception handlers on/off
 '[tT]' - Time log.
 '[hH]' - History log.
 '[oO]' - Memory segment ownership.
 '[mM]' - Memory segment summary.
 '[sS]' - Semaphore ownership, etc.
 '[uU]' - maximum process stack Usage.
 '[vV]' - memory Validity check.
 '[iI]' - Show psosSystemData.
 '[1]' -  Show NVRAM contents.
 '[9]' -  Show Exception Report.
 '[wW] <process name>' - Show process stack trace.

>d
==============================================================
                                DLP LIST
Name         State      Text            Data            BSS
c:dlp\ps2\ps2.o Loaded  0x5c3dcc8/1751472       0x5c3bcb4/8192  0x5b6abe0/856256
c:dlp\pn\pn.o Unlicensed        0x0/0   0x0/0   0x0/0
c:dlp\catv\catv.o Unlicensed    0x0/0   0x0/0   0x0/0
==============================================================
Currently 1 DLP's loaded

>b
=================================================================

Memory HOG report - oink oink

caller PC    count      bytes
0x04338902   17072    5349060
0x04361be2       1    1751492
0x00000000     111    1049872
0x04361bfe       1     856276
0x05d00d06     194     798504
0x05d01948      83     341628
0x043ebcfe      83     294836
0x05cefb16      61     245220
0x05cf28b6      40     160800
0x05ceceb2      33     132660
0x05cf564a      15      60300
0x043eb0f0     339      39892
0x042b66a2       1      32792
0x05cea37a       7      28140
0x04345af2      53      26632
0x05d0235c       3      12348
0x042def9e       1      11108
0x04361bf0       1       8212
0x042ec426       1       2596
0x042ec3e2       1       2148
0x0412a3d0       1       2068
0x042ec404       1       1196
0x04364636       1       1032
0x042ec3c0       1       1028
0x042def8c       1        812
0x0414b2a2       3        624
0x0a0008f6       1        532
0x0a000446       1        532
0x0a0005ea       1        532
0x0a000626       1         84
=================================================================

>p

    pid    PNAME  STAT/M PRI GID POS  TIX MEMORY STK CPU
0x048ca38c  SWFI   RUN    51  0   *     1    0kB  8% 25%

0x048cc0f0  AAFI   RDY    51  0   1     1    0kB 12%  0%
0x048c9714  IDLE   RDY     0  0   2     1    0kB  6%  8%

0x048ccf30  CLOK  paus   100  0   .     0    0kB 16%  0%
0x048c9ffc  DIst  paus    52  0   .  3106    0kB  3%  0%
0x048c9aa4  DRST  paus    80  0   .    61    0kB 47%  0%
0x048c99c0  FMOT  paus   100  0   .    43    0kB 47%  0%

0x048cd014  UPDT  xblk   249  0   .     1    0kB 23%  0%
0x048cce4c  MAXM  xblk    60  0   .     1    0kB  6%  0%
0x048ccc84  LLMR  xblk    60  0   .     1    0kB  6%  0%
0x048ccba0  PRNT  xblk    60  0   .     1    0kB  8%  0%
0x048ccabc  DSPF  xblk    51  0   .     1    0kB  5%  0%
0x048cc9d8  DSPM  xblk    60  0   .     1    0kB  6%  0%
0x048cc8f4  DMFI  xblk    51  0   .     1    0kB  5%  0%
0x048cc810  DMMR  xblk    60  0   .     1    0kB  6%  0%
0x048cc648  FCFI  xblk    51  0   .     1    0kB  5%  0%
0x048cc564  FCMR  xblk    60  0   .     1    0kB  6%  0%
0x048cc480  ANSQ  xblk    52  0   .     1    0kB 13%  0%
0x048cc39c  ANFI  xblk    51  0   .     1    0kB 13%  0%
0x048cc2b8  ANMR  xblk    60  0   .     1    0kB  6%  0%
0x048cc1d4  AASQ  xblk    52  0   .     1    0kB 21% 28%
0x048cc00c  AAMR  xblk    60  0   .     1    0kB  6%  0%
0x048cbf28  SYMR  xblk    60  0   .     1    0kB  8%  0%
0x048cbe44  SGMR  xblk    60  0   .     1    0kB  6%  0%
0x048cbd60  ZMKR  xblk    60  0   .     1    0kB  6%  0%
0x048cbc7c   MKR  xblk    60  0   .     1    0kB  6%  0%
0x048cbb98  DEF3  xblk    51  0   .     1    0kB  5%  0%
0x048cbab4  SNFI  xblk    51  0   .     1    0kB  5%  0%
0x048cb9d0  SNMR  xblk    60  0   .     1    0kB  6%  0%
0x048cb8ec  DEF2  xblk    51  0   .     1    0kB  5%  0%
0x048cb808  LGDT  xblk   251  0   .     1    0kB  8%  0%
0x048cb724  LGDE  xblk    60  0   .     1    0kB  6%  0%
0x048cb640  DSFI  xblk    51  0   .     1    0kB  5%  0%
0x048cb55c  LGDT  xblk   251  0   .     1    0kB  8%  0%
0x048cb478  LGDS  xblk    60  0   .     1    0kB  6%  0%
0x048cb394  SWFI  xblk    51  0   .     1    0kB  5%  0%
0x048cb2b0  LGST  xblk   251  0   .     1    0kB  8%  0%
0x048cb1cc  LGSW  xblk    60  0   .     1    0kB  6%  0%
0x048cb0e8  DEFI  xblk    51  0   .     1    0kB  5%  0%
0x048cb004  DEMT  xblk   251  0   .     1    0kB  8%  0%
0x048caf20  DEMR  xblk    60  0   .     1    0kB  6%  0%
0x048cae3c  DMZF  xblk    51  0   .     1    0kB  5%  0%
0x048cad58  ZDMT  xblk   251  0   .     1    0kB  8%  0%
0x048cac74  ZDMR  xblk    60  0   .     1    0kB  6%  0%
0x048cab90  SIFI  xblk    51  0   .     1    0kB  5%  0%
0x048caaac  SIMT  xblk   251  0   .     1    0kB  8%  0%
0x048ca9c8  SIMR  xblk    60  0   .     1    0kB  6%  0%
0x048ca8e4  DZFI  xblk    51  0   .     1    0kB  5%  0%
0x048ca800  DZMT  xblk   251  0   .     1    0kB  8%  0%
0x048ca71c  DZMR  xblk    60  0   .     1    0kB  6%  0%
0x048ca638  DSFI  xblk    51  0   .     1    0kB  5%  0%
0x048ca554  DSMT  xblk   251  0   .     1    0kB  8%  0%
0x048ca470  DSMR  xblk    60  0   .     1    0kB  6%  0%
0x048ca2a8  SWMT  xblk   251  0   .     1    0kB  8%  0%
0x048ca1c4  SWMR  xblk    60  0   .     1    0kB  6%  1%
0x048ca0e0  MIME  xblk    79  0   .     1    0kB  6%  2%
0x048c9f18  FPLP  xblk   250  0   .     1    0kB  9%  0%
0x048c9e34  DCAS  xblk   251  0   .     1    0kB  8%  0%
0x048c9d50  RLCN  xblk   230  0   .     1    0kB  8%  0%
0x048c9c6c  REMT  xblk   250  0   .     1    0kB  5%  0%
0x048c9b88  PCKB  xblk   230  0   .     1    0kB  8%  0%
0x048c97f8  DISP  xblk   253  0   .     1    0kB  8%  4%
0x048c98dc  APPS  xblk   230  0   .     1    0kB 25%  0%
0x048c9630  ROOT  xblk   230  0   .     1    0kB  4% 32%
           >> EVENTS: W(0x0) S(0x2000)

        64 Process(s) (27 avail); Total time: 4569 ticks.

>e
    xid    XNAME  TYPE  ACC  maxQ  Qlen BLOCKED
0x048c1584        fifo  any    1    0    REMT
0x048c1562  UPDI  fifo  any    1    0    UPDT
0x048c1540  MAXM  fifo  any  inf    0    MAXM
0x048c151e  Sign  fifo  any  inf    0   
0x048c14fc  LIMI  fifo  any  inf    0    LLMR
0x048c14da  DSPM  fifo  any  inf    0    DSPM
0x048c14b8  DSPS  fifo  any    1    0   
0x048c1496  DSPF  fifo  any  inf    0    DSPF
0x048c1474  SPEC  fifo  any    1    0   
0x048c1452  SPEC  fifo  any    1    0   
0x048c1430  DMMR  fifo  any  inf    0    DMMR
0x048c140e  DMFI  fifo  any  inf    0    DMFI
0x048c13ec  SPEC  fifo  any    1    0   
0x048c13ca  FCMR  fifo  any  inf    0    FCMR
0x048c13a8  FCFI  fifo  any  inf    0    FCFI
0x048c1386  SPEC  fifo  any    1    0   
0x048c1364  ANSQ  fifo  any  inf    0    ANSQ
0x048c1342  ANFI  fifo  any  inf    0    ANFI
0x048c1320  ANFS  fifo  any  inf    0   
0x048c12fe  ANOW  fifo  any   20    0   
0x048c12dc  ANMR  fifo  any  inf    0    ANMR
0x048c12ba  SPEC  fifo  any    1    0   
0x048c1298  AARS  fifo  any    1    0    AASQ
0x048c1276  AAFI  fifo  any  inf    0   
0x048c1254  AAFS  fifo  any  inf    0   
0x048c1232  AAMR  fifo  any  inf    0    AAMR
0x048c1210  SPEC  fifo  any    1    0   
0x048c11ee   CMR  fifo  any  inf    0   
0x048c11cc  SPEC  fifo  any    1    0   
0x048c11aa  SIGT  fifo  any  inf    0    SGMR
0x048c1188  ZMKM  fifo  any  inf    0    ZMKR
0x048c1166  MKMR  fifo  any  inf    0    MKR
0x048c1144  DEF3  fifo  any  inf    0    DEF3
0x048c1122  SNFI  fifo  any  inf    0    SNFI
0x048c1100  SNMR  fifo  any  inf    0    SNMR
0x048c10de  SPEC  fifo  any    1    0   
0x048c10bc  DEF2  fifo  any  inf    0    DEF2
0x048c109a  LGDT  fifo  any    1    0    LGDT
0x048c1078  LGDE  fifo  any  inf    0    LGDE
0x048c1056  SPEC  fifo  any    1    0   
0x048c1034  DSFI  fifo  any  inf    0    DSFI
0x048c1012  LGDT  fifo  any    1    0    LGDT
0x048c0ff0  LGDS  fifo  any  inf    0    LGDS
0x048c0fce  SPEC  fifo  any    1    0   
0x048c0fac  SWFI  fifo  any  inf    0    SWFI
0x048c0f8a  LGST  fifo  any    1    0    LGST
0x048c0f68  LGSW  fifo  any  inf    0    LGSW
0x048c0f46  SPEC  fifo  any    1    0   
0x048c0f24  DEFI  fifo  any  inf    0    DEFI
0x048c0f02  DEMT  fifo  any    1    0    DEMT
0x048c0ee0  DEMR  fifo  any  inf    0    DEMR
0x048c0ebe  SPEC  fifo  any    1    0   
0x048c0e9c  DMZF  fifo  any  inf    0    DMZF
0x048c0e7a  ZDMT  fifo  any    1    0    ZDMT
0x048c0e58  ZDMR  fifo  any  inf    0    ZDMR
0x048c0e36  SPEC  fifo  any    1    0   
0x048c0e14  SIFI  fifo  any  inf    0    SIFI
0x048c0df2  SIMT  fifo  any    1    0    SIMT
0x048c0dd0  SIMR  fifo  any  inf    0    SIMR
0x048c0dae  SPEC  fifo  any    1    0   
0x048c0d8c  DZFI  fifo  any  inf    0    DZFI
0x048c0d6a  DZMT  fifo  any    1    0    DZMT
0x048c0d48  DZMR  fifo  any  inf    0    DZMR
0x048c0d26  SPEC  fifo  any    1    0   
0x048c0d04  DSFI  fifo  any  inf    0    DSFI
0x048c0ce2  DSMT  fifo  any    1    0    DSMT
0x048c0cc0  DSMR  fifo  any  inf    0    DSMR
0x048c0c9e  SPEC  fifo  any    1    0   
0x048c0c7c  SWFI  fifo  any  inf    0   
0x048c0c5a  SWMT  fifo  any    1    0    SWMT
0x048c0c38  SWMR  fifo  any  inf    0    SWMR
0x048c0c16  SPEC  fifo  any    1    0   
0x048c0bf4  shrL  fifo  any    1    0   
0x048c0bd2  ACTV  fifo  any    1    0   
0x048c0bb0  hihr  fifo  any    1    0   
0x048c0b8e  hihr  fifo  any    1    0   
0x048c0b6c  hihr  fifo  any    1    0   
0x048c0b4a  hihr  fifo  any    1    0   
0x048c0b28  MENU  fifo  any    1    0   
0x048c0b06  MENU  fifo  any    1    0   
0x048c0ae4  MENU  fifo  any    1    0   
0x048c0ac2  MENU  fifo  any    1    0   
0x048c0aa0  MENU  fifo  any    1    0   
0x048c0a7e  MENU  fifo  any    1    0   
0x048c0a5c  MENU  fifo  any    1    0   
0x048c0a3a  MENU  fifo  any    1    0   
0x048c0a18  MENU  fifo  any    1    0   
0x048c09f6  ACTV  fifo  any    1    0   
0x048c09d4  SDRL  fifo  any    1    0   
0x048c09b2  SDIL  fifo  any    1    0   
0x048c0990    R2  fifo  any    1    0   
0x048c096e    R1  fifo  any    1    0   
0x048c094c    R0  fifo  any    1    0   
0x048c092a  isLk  fifo  any    1    0   
0x048c0908  dtLk  fifo  any    1    0   
0x048c08e6  mSTM  fifo  any  inf    0    MIME
0x048c08c4  mMIN  fifo  any  inf    0   
0x048c08a2  mMCL  fifo  any  inf    0   
0x048c0880  mMCR  fifo  any  inf    0   
0x048c085e  mMDA  fifo  any  inf    1   
0x048c083c  mMSA  fifo  any  inf    0   
0x048c081a  mDVL  fifo  any  inf    0   
0x048c07f8  dest  fifo  any  inf    0   
0x048c07d6  mLDS  fifo  any  inf    0   
0x048c07b4  FNSL  fifo  any    1    0   
0x048c0792  DDET  fifo  any  inf    0   
0x048c0770  DTRG  fifo  any  inf    0   
0x048c074e  DSWP  fifo  any  inf    0   
0x048c072c  Didi  fifo  any  inf    0   
0x048c070a  cntw  fifo  any    1    0   
0x048c06e8  cntx  fifo  any    1    0   
0x048c06c6  dRes  fifo  any    1    0   
0x048c06a4  Dlp   fifo  any    1    0   
0x048c0682  CalC  fifo  any    1    0   
0x048c0660  Scpi  fifo  any    1    0   
0x048c063e   LG1  fifo  any    1    0   
0x048c061c  ANON  fifo  any    1    0   
0x048c05fa  GPIB  fifo  any    1    0   
0x048c05d8  PCkb  fifo  any    1    0    PCKB
0x048c05b6  DISP  fifo  any    1    0    DISP
0x048c0594  OMMG  fifo  any    1    0   
0x048c0572   UNS  fifo  any    1    0   
0x048c0550  RLDS  fifo  any    1    0    ROOT
0x048c052e    BW  fifo  any    1    0   
0x048c050c  GLds  fifo  any    1    0   
0x048c04ea  BLds  fifo  any  inf    1   
0x048c04c8  CISW  fifo  any    1    0   
0x048c04a6  MRLK  fifo  any    1    0   
0x048c0484  HWLK  fifo  any    1    0   
0x048c0462    FP  fifo  any    1    0    FPLP
0x048c0440  ADCF  fifo  any    1    0   
0x048c041e  DIRg  fifo  any    1    0   
0x048c03fc  ANON  fifo  any    1    0   
0x048c03da  DIRf  fifo  any    1    0   
0x048c03b8  ANON  fifo  any    1    0   
0x048c0396  SIOB  fifo  any    1    0   
0x048c0374  CALM  fifo  any    1    0   
0x048c0352  DIRe  fifo  any    1    0   
0x048c0330  ANON  fifo  any    1    0   
0x048c030e  DIRd  fifo  any    1    0   
0x048c02ec  DIRc  fifo  any    1    0   
0x048c02ca  DIRb  fifo  any    1    0   
0x048c02a8  DIRa  fifo  any    1    0   
0x048c0286  APPS  fifo  any  inf    0    APPS
0x048c0264  DLLK  fifo  any    1    0   
0x048c0242  SUBL  fifo  any    1    0   
0x048c0220  LCSH  fifo  any    1    0   
0x048c01fe  FBUF  fifo  any    1    0   
0x048c01dc  DCAS  fifo  any    1    0    DCAS
0x048c01ba  RLCN  fifo  any    1    0    RLCN
0x048c0198  MROF  fifo  any    1    0   
0x048c0176  MRON  fifo  any    1    0   
0x048c0154  SWSP  fifo  any    1    0   
0x048c0132   SRQ  fifo  any    1    0    SYMR
0x048c0110  PRTH  fifo  any    1    0    PRNT
        155 Exchange(s) (245 avail).
        2 Msg buffer(s) (1022 avail).

>g

Breakpoint handler installed

>i
PsosSystemData (0x048bcce8):
        (0x048bcce8) OS_PCB   *runningPCB    = 0x048ca38c
        (0x048bccec) OS_PCB   *readyList     = 0x048c97f8
        (0x048bccf0) OS_PCB   *pauseList     = 0x048ccf30
        (0x048bccf4) OS_PCB   *pcbActiveHead = 0x048cd014
        (0x048bccf8) OS_PCB   *pcbFreeHead   = 0x048ccd68
        (0x048bccfc) OS_XCB   *xcbActiveHead = 0x048c1584
        (0x048bcd00) OS_XCB   *xcbFreeHead   = 0x048c15a6
        (0x048bcd04) OS_Message *mgbFreeHead = 0x048c3750
        (0x048bcd08) void  *sstackEnd        = 0x048c0110
        (0x048bcd0c) short kernelLevel       = 0
        (0x048bcd0e) short reserved1         = 0
        (0x048bcd10) int   reserved2         = 1280
        (0x048bcd14) int   phileData         = 620765184
        (0x048bcd18) int   probeEntry        = 71205862
        (0x048bcd1c) OS_PCB   *memQHead      = 0x048bcd1c
        (0x048bcd20) OS_PCB   *memQTail      = 0x048bcd1c
        (0x048bcd24) int   timeoutTicks      = 41
        (0x048bcd28) short ticks             = 45
        (0x048bcd2a) short pad1              = 0
        (0x048bcd2c) int   time              = 292
        (0x048bcd30) int   date              = 130155777
        (0x048bcd34) char  motbl[12]         =
        (0x048bcd40) short ticksPerSec       = 100
        (0x048bcd42) short ticksPerSlice     = 1
        (0x048bcd44) char  todset            =
        (0x048bcd45) char  eventRace         = (0x048bcd46) char  unusedPad[2]      =   
        (0x048bcd48) Lds_UInt32 switchProc   = 0
        (0x048bcd4c) regionInfo[0].minSeg      = 20
        (0x048bcd50) regionInfo[0].maxSeg      = 58796
        (0x048bcd54) regionInfo[0].minPend     = 6020
        (0x048bcd58) regionInfo[0].regionEnd   = 0x048dcce7
        (0x048bcd5c) regionInfo[0].regionName  = REG1
  (0x048bcd60) regionInfo[0].freeHead    = 0x048ce73c
        (0x048bcd64) regionInfo[0].freeTail    = 0x048d3e30
        (0x048bcd68) regionInfo[0].regionFlags = 0
        (0x048bcd6c) regionInfo[1].minSeg      = 20
        (0x048bcd70) regionInfo[1].maxSeg      = 24261400
        (0x048bcd74) regionInfo[1].minPend     = 24261401
        (0x048bcd78) regionInfo[1].regionEnd   = 0x05ffffff
        (0x048bcd78) regionInfo[1].regionEnd   = 0x05Bfffff
        (0x048bcd80) regionInfo[1].freeHead    = 0x048dcce8
        (0x048bcd84) regionInfo[1].freeTail    = 0x05e74208
        (0x048bcd88) regionInfo[1].regionFlags = 0
        (0x048bcd8c) regionInfo[2].minSeg      = 20
        (0x048bcd90) regionInfo[2].maxSeg      = 21844
        (0x048bcd94) regionInfo[2].minPend     = 21845
        (0x048bcd98) regionInfo[2].regionEnd   = 0x0a006393
        (0x048bcd9c) regionInfo[2].regionName  = dyna

        (0x048bcda0) regionInfo[2].freeHead    = 0x0a000e40
        (0x048bcda4) regionInfo[2].freeTail    = 0x0a000e40
        (0x048bcda8) regionInfo[2].regionFlags = 1
        (0x048bcdac) regionInfo[3].minSeg      = 128
        (0x048bcdb0) regionInfo[3].maxSeg      = 7120
        (0x048bcdb4) regionInfo[3].minPend     = 7121
        (0x048bcdb8) regionInfo[3].regionEnd   = 0x0a007fa3
        (0x048bcdbc) regionInfo[3].regionName  = nvra

        (0x048bcdc0) regionInfo[3].freeHead    = 0x0a0063d4
        (0x048bcdc4) regionInfo[3].freeTail    = 0x0a0063d4
        (0x048bcdc8) regionInfo[3].regionFlags = 0
        (0x048bcdcc) regionInfo[4].minSeg      = 0
        (0x048bcdd0) regionInfo[4].maxSeg      = 0
        (0x048bcdd4) regionInfo[4].minPend     = 0
        (0x048bcdd8) regionInfo[4].regionEnd   = 0x00000000
        (0x048bcddc) regionInfo[4].regionName  =     
        (0x048bcde0) regionInfo[4].freeHead    = 0x00000000
        (0x048bcde4) regionInfo[4].freeTail    = 0x00000000
        (0x048bcde8) regionInfo[4].regionFlags = 0
        (0x048bcdec) regionInfo[5].minSeg      = 0
        (0x048bcdf0) regionInfo[5].maxSeg      = 0
        (0x048bcdf4) regionInfo[5].minPend     = 0
        (0x048bcdf8) regionInfo[5].regionEnd   = 0x00000000
        (0x048bcdfc) regionInfo[5].regionName  =     
        (0x048bce00) regionInfo[5].freeHead    = 0x00000000
        (0x048bce04) regionInfo[5].freeTail    = 0x00000000
        (0x048bce08) regionInfo[5].regionFlags = 0
        (0x048bce0c) regionInfo[6].minSeg      = 0
        (0x048bce10) regionInfo[6].maxSeg      = 0
        (0x048bce14) regionInfo[6].minPend     = 0
        (0x048bce18) regionInfo[6].regionEnd   = 0x00000000
        (0x048bce1c) regionInfo[6].regionName  =     
        (0x048bce20) regionInfo[6].freeHead    = 0x00000000
        (0x048bce24) regionInfo[6].freeTail    = 0x00000000
        (0x048bce28) regionInfo[6].regionFlags = 0
        (0x048bce2c) regionInfo[7].minSeg      = 0
        (0x048bce30) regionInfo[7].maxSeg      = 0
        (0x048bce34) regionInfo[7].minPend     = 0
        (0x048bce38) regionInfo[7].regionEnd   = 0x00000000
        (0x048bce3c) regionInfo[7].regionName  =     
        (0x048bce40) regionInfo[7].freeHead    = 0x00000000
        (0x048bce44) regionInfo[7].freeTail    = 0x00000000
        (0x048bce48) regionInfo[7].regionFlags = 0
        (0x048bce4c) regionInfo[8].minSeg      = 0
        (0x048bce50) regionInfo[8].maxSeg      = 0
        (0x048bce54) regionInfo[8].minPend     = 0
        (0x048bce58) regionInfo[8].regionEnd   = 0x00000000
        (0x048bce5c) regionInfo[8].regionName  =     
        (0x048bce60) regionInfo[8].freeHead    = 0x00000000
        (0x048bce64) regionInfo[8].freeTail    = 0x00000000
        (0x048bce68) regionInfo[8].regionFlags = 0
        (0x048bce6c) regionInfo[9].minSeg      = 0
        (0x048bce70) regionInfo[9].maxSeg      = 0
        (0x048bce74) regionInfo[9].minPend     = 0
        (0x048bce78) regionInfo[9].regionEnd   = 0x00000000
        (0x048bce7c) regionInfo[9].regionName  =     
        (0x048bce80) regionInfo[9].freeHead    = 0x00000000
        (0x048bce84) regionInfo[9].freeTail    = 0x00000000
        (0x048bce88) regionInfo[9].regionFlags = 0
        (0x048bce8c) regionInfo[10].minSeg      = 0
        (0x048bce90) regionInfo[10].maxSeg      = 0
        (0x048bce94) regionInfo[10].minPend     = 0
        (0x048bce98) regionInfo[10].regionEnd   = 0x00000000
        (0x048bce9c) regionInfo[10].regionName  =     
        (0x048bcea0) regionInfo[10].freeHead    = 0x00000000
        (0x048bcea4) regionInfo[10].freeTail    = 0x00000000
        (0x048bcea8) regionInfo[10].regionFlags = 0
        (0x048bceac) regionInfo[11].minSeg      = 0
        (0x048bceb0) regionInfo[11].maxSeg      = 0
        (0x048bceb4) regionInfo[11].minPend     = 0
        (0x048bceb8) regionInfo[11].regionEnd   = 0x00000000
        (0x048bcebc) regionInfo[11].regionName  =     
        (0x048bcec0) regionInfo[11].freeHead    = 0x00000000
        (0x048bcec4) regionInfo[11].freeTail    = 0x00000000
        (0x048bcec8) regionInfo[11].regionFlags = 0
        (0x048bcecc) regionInfo[12].minSeg      = 0
        (0x048bced0) regionInfo[12].maxSeg      = 0
        (0x048bced4) regionInfo[12].minPend     = 0
        (0x048bced8) regionInfo[12].regionEnd   = 0x00000000
        (0x048bcedc) regionInfo[12].regionName  =     
        (0x048bcee0) regionInfo[12].freeHead    = 0x00000000
        (0x048bcee4) regionInfo[12].freeTail    = 0x00000000
        (0x048bcee8) regionInfo[12].regionFlags = 0
        (0x048bceec) regionInfo[13].minSeg      = 0
        (0x048bcef0) regionInfo[13].maxSeg      = 0
        (0x048bcef4) regionInfo[13].minPend     = 0
        (0x048bcef8) regionInfo[13].regionEnd   = 0x00000000
        (0x048bcefc) regionInfo[13].regionName  =     
        (0x048bcf00) regionInfo[13].freeHead    = 0x00000000
        (0x048bcf04) regionInfo[13].freeTail    = 0x00000000
        (0x048bcf08) regionInfo[13].regionFlags = 0
        (0x048bcf0c) regionInfo[14].minSeg      = 0
        (0x048bcf10) regionInfo[14].maxSeg      = 0
        (0x048bcf14) regionInfo[14].minPend     = 0
        (0x048bcf18) regionInfo[14].regionEnd   = 0x00000000
        (0x048bcf1c) regionInfo[14].regionName  =     
        (0x048bcf20) regionInfo[14].freeHead    = 0x00000000
        (0x048bcf24) regionInfo[14].freeTail    = 0x00000000
        (0x048bcf28) regionInfo[14].regionFlags = 0
        (0x048bcf2c) regionInfo[15].minSeg      = 0
        (0x048bcf30) regionInfo[15].maxSeg      = 0
        (0x048bcf34) regionInfo[15].minPend     = 0
        (0x048bcf38) regionInfo[15].regionEnd   = 0x00000000
        (0x048bcf3c) regionInfo[15].regionName  =     
        (0x048bcf40) regionInfo[15].freeHead    = 0x00000000
        (0x048bcf44) regionInfo[15].freeTail    = 0x00000000
        (0x048bcf48) regionInfo[15].regionFlags = 0
        (0x048bcf4c) regionInfo[16].minSeg      = 0
        (0x048bcf50) regionInfo[16].maxSeg      = 0
        (0x048bcf54) regionInfo[16].minPend     = 0
        (0x048bcf58) regionInfo[16].regionEnd   = 0x00000000
        (0x048bcf5c) regionInfo[16].regionName  =     
        (0x048bcf60) regionInfo[16].freeHead    = 0x00000000
        (0x048bcf64) regionInfo[16].freeTail    = 0x00000000
        (0x048bcf68) regionInfo[16].regionFlags = 0
        (0x048bcf6c) regionInfo[17].minSeg      = 0
        (0x048bcf70) regionInfo[17].maxSeg      = 0
        (0x048bcf74) regionInfo[17].minPend     = 0
        (0x048bcf78) regionInfo[17].regionEnd   = 0x00000000
        (0x048bcf7c) regionInfo[17].regionName  =     
        (0x048bcf80) regionInfo[17].freeHead    = 0x00000000
        (0x048bcf84) regionInfo[17].freeTail    = 0x00000000
        (0x048bcf88) regionInfo[17].regionFlags = 0
        (0x048bcf8c) regionInfo[18].minSeg      = 0
        (0x048bcf90) regionInfo[18].maxSeg      = 0
        (0x048bcf94) regionInfo[18].minPend     = 0
        (0x048bcf98) regionInfo[18].regionEnd   = 0x00000000
        (0x048bcf9c) regionInfo[18].regionName  =     
        (0x048bcfa0) regionInfo[18].freeHead    = 0x00000000
        (0x048bcfa4) regionInfo[18].freeTail    = 0x00000000
        (0x048bcfa8) regionInfo[18].regionFlags = 0
        (0x048bcfac) regionInfo[19].minSeg      = 0
        (0x048bcfb0) regionInfo[19].maxSeg      = 0
        (0x048bcfb4) regionInfo[19].minPend     = 0
        (0x048bcfb8) regionInfo[19].regionEnd   = 0x00000000
        (0x048bcfbc) regionInfo[19].regionName  =     
        (0x048bcfc0) regionInfo[19].freeHead    = 0x00000000
        (0x048bcfc4) regionInfo[19].freeTail    = 0x00000000
        (0x048bcfc8) regionInfo[19].regionFlags = 0
        (0x048bcfcc) regionSaveInfo[0] = 0x00000000
        (0x048bcfd0) regionSaveInfo[1] = 0x00000000
        (0x048bcfd4) regionSaveInfo[2] = 0x0a000004
        (0x048bcfd8) regionSaveInfo[3] = 0x00000000
        (0x048bcfdc) regionSaveInfo[4] = 0x00000000
        (0x048bcfe0) regionSaveInfo[5] = 0x00000000
        (0x048bcfe4) regionSaveInfo[6] = 0x00000000
        (0x048bcfe8) regionSaveInfo[7] = 0x00000000
        (0x048bcfec) regionSaveInfo[8] = 0x00000000
        (0x048bcff0) regionSaveInfo[9] = 0x00000000
        (0x048bcff4) regionSaveInfo[10] = 0x00000000
        (0x048bcff8) regionSaveInfo[11] = 0x00000000
        (0x048bcffc) regionSaveInfo[12] = 0x00000000
        (0x048bd000) regionSaveInfo[13] = 0x00000000
        (0x048bd004) regionSaveInfo[14] = 0x00000000
        (0x048bd008) regionSaveInfo[15] = 0x00000000
        (0x048bd00c) regionSaveInfo[16] = 0x00000000
        (0x048bd010) regionSaveInfo[17] = 0x00000000
        (0x048bd014) regionSaveInfo[18] = 0x00000000
        (0x048bd018) regionSaveInfo[19] = 0x00000000


9>

Contents of the Exception Report:
[0x0a007fa4] D0 = 0x00000000
[0x0a007fa8] D1 = 0x00000000
[0x0a007fac] D2 = 0x00000000
[0x0a007fb0] D3 = 0x00000000
[0x0a007fb4] D4 = 0x00000000
[0x0a007fb8] D5 = 0x00000000
[0x0a007fbc] D6 = 0x00000000
[0x0a007fc0] D7 = 0x00000000
[0x0a007fc4] A0 = 0x00000000
[0x0a007fc8] A1 = 0x00000000
[0x0a007fcc] A2 = 0x00000000
[0x0a007fd0] A3 = 0x00008000
[0x0a007fd4] A4 = 0x00000000
[0x0a007fd8] A5 = 0x00000000
[0x0a007fdc] A6 = 0x00000000
[0x0a007fe0] A7 = 0x00000000
[0x0a007fe4] SSP = 0x00000000
[0x0a007fe8] SR = 0x0000
[0x0a007fec] PC = 0x00000000
[0x0a007fec] FMT/VO = 0x0000

----- System/pSOS Debug commands: -----
    '?' - this help message.
    'j' - drop into breakpoint.
   '^C' - Abort to monitor.
   '^P' - Process status info, and LOTS of it.
 '[dD]' - Print DLP debug information.
 '[bB]' - Big memory hog report.
 '[pP]' - Process ONLY status info.

 '[eE]' - Exchange info.
 '[gG]' - toggle breakpoint exception handlers on/off
 '[tT]' - Time log.
 '[hH]' - History log.
 '[oO]' - Memory segment ownership.
 '[mM]' - Memory segment summary.
 '[sS]' - Semaphore ownership, etc.
 '[uU]' - maximum process stack Usage.
 '[vV]' - memory Validity check.
 '[iI]' - Show psosSystemData.
 '[1]' -  Show NVRAM contents.
 '[9]' -  Show Exception Report.
 '[wW] <process name>' - Show process stack trace.
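
The memory-map lines in the console capture above can be cross-checked mechanically, which is a routine step when reviewing what a factory debug console discloses. The Python below is an added example, not part of the original post; the function names and the marker list are assumptions, and the sample log is constructed from lines of the capture.

```python
import re
from typing import NamedTuple

# Constructed sample: lines copied from the console capture in the post above.
BOOT_LOG = """\
Bootrom DRAM:     Testing 69632 bytes at 0x04000000
Main Firmware DRAM:     Testing 33484800 bytes at 0x04011000
text segment:           0x4011000 thru 0x4435e14 ( 424e14 bytes)
data segment:           0x4600000 thru 0x476dd88 ( 16dd88 bytes)
bss  segment:           0x476dd88 thru 0x48bcce8 ( 14ef60 bytes)
ROM size:               0x00592b9c ( 592b9c bytes of 4194304 max.)
memory pool (all):      0x048bcce8 thru 0x05ffffff (24392472 bytes)
>>>> debug() process starting
----- System/pSOS Debug commands: -----
   '^C' - Abort to monitor.
 '[1]' -  Show NVRAM contents.
"""


class Region(NamedTuple):
    name: str
    start: int
    end: int             # address printed after "thru"
    size: int            # byte count, resolved against the printed figure
    end_inclusive: bool  # True when the printed end address is the last byte


RANGE_RE = re.compile(
    r"^(?P<name>[A-Za-z][\w ()]*?):\s+0x(?P<start>[0-9a-fA-F]+) thru "
    r"0x(?P<end>[0-9a-fA-F]+) \(\s*(?P<size>[0-9a-fA-F]+) bytes\)", re.M)
ROM_RE = re.compile(
    r"^ROM size:\s+0x(?P<rom>[0-9a-fA-F]+) \(.*? of (?P<max>\d+) max", re.M)

# Assumed marker list: strings that show a debug facility is reachable.
DEBUG_MARKERS = {
    "debug command menu": r"Debug commands:",
    "monitor escape": r"Abort to monitor",
    "NVRAM dump command": r"Show NVRAM contents",
    "gdb stub": r"gdb communication enabled",
}


def parse_regions(log):
    """Parse 'A thru B (N bytes)' lines, resolving the log's mixed conventions.

    The firmware prints some sizes in hex with an exclusive end address and
    others in decimal with an inclusive one, so both readings are tried and
    the one that agrees with the address range is kept.
    """
    regions = []
    for m in RANGE_RE.finditer(log):
        start, end = int(m["start"], 16), int(m["end"], 16)
        printed = m["size"]
        candidates = {int(printed, 16)}
        if printed.isdigit():
            candidates.add(int(printed, 10))
        span = end - start
        if span in candidates:
            inclusive = False
        elif span + 1 in candidates:
            inclusive = True
        else:
            raise ValueError(f"size mismatch on line: {m.group(0)!r}")
        name = " ".join(m["name"].split())  # collapse doubled spaces
        regions.append(Region(name, start, end, span + inclusive, inclusive))
    return regions


def audit(log):
    """Return layout findings and the debug facilities the log advertises."""
    regions = sorted(parse_regions(log), key=lambda r: r.start)
    gaps, overlaps = [], []
    for prev, cur in zip(regions, regions[1:]):
        delta = cur.start - (prev.start + prev.size)
        if delta > 0:
            gaps.append((prev.name, cur.name, delta))
        elif delta < 0:
            overlaps.append((prev.name, cur.name, -delta))
    sizes = {r.name: r.size for r in regions}
    rom = ROM_RE.search(log)
    rom_size = int(rom["rom"], 16) if rom else None
    rom_max = int(rom["max"]) if rom else None
    image = sizes.get("text segment", 0) + sizes.get("data segment", 0)
    return {
        "regions": regions,
        "gaps": gaps,
        "overlaps": overlaps,
        "rom_matches_text_plus_data": rom_size == image if rom else None,
        "rom_exceeds_max": rom_size > rom_max if rom else None,
        "debug_indicators": [label for label, pattern in DEBUG_MARKERS.items()
                             if re.search(pattern, log)],
    }


if __name__ == "__main__":
    for key, value in audit(BOOT_LOG).items():
        print(f"{key}: {value}")
```

On this capture the printed ROM size equals text plus data and is larger than the printed 4194304-byte maximum, and the only gap in the layout sits between the text and data segments.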



Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 03, 2020, 12:41:34 am
The first item needed is a full dump of the memory. A dump of one with licensed options would really help. Mine has no licensed options.
FlexLM 6.01, which appears to be in the update file that I extracted strings from, has been hacked, and there are articles on how to find the different key values.

The hard part at the moment is how to get that dump, flash and SDRAM, from a running system.
I figured out the JTAG pins and where you can pick them up, but JTAG is not something I'm good with.

If all you have is boundary scan ability, can you get a dump of memory?

If anyone can help with that and with setting up OCD, I'll do it on my ESA.
I just need the help.

The processor is a 68LC040, I believe (it's the LC part I'm not 100% sure of off the top of my head).

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 03, 2020, 10:22:20 am
The first item needed is a full dump of the memory. A dump of one with licensed options would really help. Mine has no licensed options.
FlexLM 6.01, which appears to be in the update file that I extracted strings from, has been hacked, and there are articles on how to find the different key values.

The hard part at the moment is how to get that dump, flash and SDRAM, from a running system.

I don't think flexLM is in the update file. It should be already inside the machine. That's why a flash dump would be great.

The FlexLM version should be no problem. Regarding the places where to find the seeds it's not so simple as the several guides don't cover this lang/processor.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on September 03, 2020, 10:28:48 am
I've done JTAG in a bunch of things. It's not normally what is in your pic? Maybe that is something else? Or I am just stupid, I can be that. Normally it's a 4-pin header: +5, TX, RX, GND, with either TTL or RS232 voltages. I will look more at the board shortly.


TX, RX, GND is not JTAG, it's UART. You don't even need the Vcc necessarily.

This thing has a JTAG interface, but I don't think it will be of much help. The content of the bootrom is not what we need.
You only need the dump of flash memory to access the file system of the main OS, nothing else really. Another way would be to figure out how to combine the 9 floppy disks to create a single-file firmware and then "explore" it  ;)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 03, 2020, 10:31:32 am
Another way would be to figure out how to combine the 9 floppy disks to create a single file firmware and then "explore" it  ;)

Where are those 9 disks?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on September 03, 2020, 10:37:54 am
Another way would be to figure out how to combine the 9 floppy disks to create a single file firmware and then "explore" it  ;)

Where are those 9 disks?

on keysight website
https://www.keysight.com/main/software.jspx?cc=CA&lc=eng&ckey=1000001085:epsg:sud&nid=-32406.536879915.02&id=1000001085:epsg:sud&cmpid=92448 (https://www.keysight.com/main/software.jspx?cc=CA&lc=eng&ckey=1000001085:epsg:sud&nid=-32406.536879915.02&id=1000001085:epsg:sud&cmpid=92448)

EDIT: I don't have the instrument so I have never gone through the process of making the firmware update. I just know that it creates 9 floppy disks
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 03, 2020, 11:59:58 am
I have combined the 5 disks that make up the ESA Firmware. the other 4 are the power suite I can combine those as well if you want?
There is no guarantee that just combining them will give a correct image.
They may contain loader information that the internal bootrom reads to build the actual firmware that is loaded (just thinking, or over thinking)
This is a full image, it's not an upgrade.   I had to do a full erase of mine's memory to restore it so I can attest everything is on those disks.
I also have the Discs for all the DLPs (personalities) that can be installed.   

The reason I provided the boot loader rom is it looks like GDB server is in the bootrom.  if you have GDB could you dump memory thru it?
There is also apparently a SCPI Debug interface,   maybe there's a memory read function in there?

i'll try to attach it here.

If this does not work the other way I could brute force this is I could remove all of the FLASH memory and read them out with the Xgpro (formerly TL866) reader/programmer.
I have a spare processor card I'm willing to experiment on.




Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on September 03, 2020, 12:22:43 pm
there is also a series of F000000 to F000003 files that I wonder what they contain...i think they must be combined too.
also there is a bootloader file on the first floppy

have you been able to analyze the single firmware file with tools that are available in linux?

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on September 03, 2020, 12:29:09 pm
I think having the actual unpacked firmware image from the flash memory will make it a lot easier and certainly possible to hack this thing
if i am not mistaken there are more than one flash rom, right? so again their contents must be concatenated

EDIT: but then we know that a simple concatenation will give us the whole system
with the firmware installation files, I am not sure about that because each of those 5 files may have a header and when you connect them together you get a broken image of the actual file structure
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 03, 2020, 01:18:42 pm
there is also a series of F000000 to F000003 files that I wonder what they contain...i think they must be combined too.
also there is a bootloader file on the first floppy

have you been able to analyze the single firmware file with tools that are available in linux?
When I tried the linux tools they did not recognize the contents

PDISC is the physical Disc Number below whereas the DISC # is the as LABELED Disc for installation

BOOTROM:  This looks for a DISK with ESALOADER on it and if so loads and runs it
DISC ESALOADER(PDISC1),   This is what's run to install the FIRMWARE.
DISC1-5(PDISC2-6),  this is the ESA Firmware Discs  (this is the ESAFW I uploaded)
DISC1-3(PDISC7-9),  These contain the ESA Power Suite Software  (the F000000 to F000003 are the Powersuite Image files)

I'll combine and upload the Powersuite after work today
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 03, 2020, 01:24:27 pm
I'd love to be able to enable all DLP's and License only options
example RF PREAMP is a License only option (hardware is there above certain serial numbers) you only need the 16 digit license key
but DLP for Cable Fault Analyzer requires the Tracking Gen be installed.  (i have a TG installed so would like this one)

I'm installing the DLP for Cable Fault Analyzer and grabbing screen caps so you can see the process of installing a DLP
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 03, 2020, 02:41:58 pm
If this does not work the other way I could brute force this is I could remove all of the FLASH memory and read them out with the Xgpro (formerly TL866) reader/programmer.
I have a spare processor card I'm willing to experiment on.

This seems the best option. How many flash chips are there? Isn't just one?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 03, 2020, 05:56:40 pm
Total of 4
One on cpu board which is main firmware
3 on simm which is where licenses are supposed to be stored
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 03, 2020, 08:46:24 pm
Those that want to play in IDA with @smgvbest's ESAFW can use these settings:

Proc: Motorola Coldfire
Load address: 0x04011000
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 03, 2020, 08:47:22 pm
Memory module on a memory simm 72 pins old style sdram memory formfactor

It’s how the e4407b had its memory expanded

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 03, 2020, 08:58:20 pm
Memory module on a memory simm 72 pins old style sdram memory formfactor

It’s how the e4407b had its memory expanded

Never had seen one of those expansions!

We don't need a dump from the "license's flashes". The licenses are already visible on the screen.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 03, 2020, 09:15:37 pm
Those that want to play in IDA with @smgvbest's ESAFW can use these settings:

Proc: Motorola Coldfire
Load address: 0x04011000

Is the Motorola Coldfire same as a M68040?
the Motorola 68LC040 is the actual processor on the board is why I ask

how did you manage to get the load address?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 03, 2020, 10:54:36 pm
The static ram is not where licenses are stored.  They’re in the flash memory so unless you wipe flash you maintain them

Losing the SRAM loses the date/time and calibration and other settings like printer setup.
You just do an align all to get it back and reset date/time
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 04, 2020, 01:41:46 am
So are you gals/guys thinking about patching the image and then loading a new image in ? Might be able to add all sorts of stuff that way. Hopefully its not checksummed or anything..

So a personality MUST have a key before running ? So no stripping that requirement from the personality ? The ESA wont run a personality that has no license requirements ?

Just thinking out loud.. And most likely being stupid..

I think what we're after is a keygen more or less.
if we can find all the keys FlexLM uses (I think there are 8 total if I understand) then we find out id using the host ID we can generate a valid license we hopefully can generate them all
Yes a personality must also have license ,  you load the personality (DLP) and license it then its usable
the only DLP that's not licensed is the Power Suite


Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 04, 2020, 03:16:18 am
I  don’t know that would help
The licenses are to the hostid not the serial number
You could change the serial to match a machine basically.  Install the license and it would not work

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 04, 2020, 09:10:49 am
how did you manage to get the load address?

Educated trial & error...    |O

I would like to know if there is any way to manually upload a license.dat file to the instrument?  (If this is not possible we can't do a universal license file.)

Also, can anyone provide a printscreen of the license input menu?

Edit: Now that you asked...  |O |O |O |O

Bootrom Checksum ...
Bootrom DRAM:     Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM:     Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 04, 2020, 10:41:51 am
After a few more educated googles I arrived here (https://www.eevblog.com/forum/testgear/_free_-vsa-options/msg584857/#msg584857).     ;D

So, we're halfway there!

The licenses should have this format:

FEATURE 202 TMOMID01 1.0 permanent uncounted 0123456789AB  HOSTID=E1234567

Now, we just need the seeds.  ;)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on September 04, 2020, 11:57:20 am
Those that want to play in IDA with @smgvbest's ESAFW can use these settings:

Proc: Motorola Coldfire
Load address: 0x04011000

i have been trying to open this in IDA with above settings but still I either get an error (loading address must belong to RAM or ROM) or it opens as a raw binary. any more hint?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 04, 2020, 01:22:04 pm
i have been trying to open this in IDA with above settings but still I either get an error (loading address must belong to RAM or ROM) or it opens as a raw binary. any more hint?

You put the address also in ROM address.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 06, 2020, 05:00:45 am
I'm attaching the ESALOADER file and the install.o which loads the power suite
I'm not sure but I think one or both of these indicate the files on the discs make me think it may be compressed or partially compressed

ESALOADR is from DISC1 and loads the firmware
UPGRADE.O is from DISC6 which is the last disk of the firmware
install.o is the installer from the Power Suite software
all were zipped to allow upload

edit: fixed this missing install.o file
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 06, 2020, 11:28:30 am
ESALOADR - Load address: 0x04011000
UPGRADE.O - Load address: 0x0 (after removing a 0x20 size header)
INSTALL.O - Load address: 0x0 (after removing a 0x20 size header)


install.o contains (in the beginning) MD5 hashes (in plain ASCII) of the files that it installs.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 07, 2020, 05:48:07 pm
I'm trying to figure out how to read out the FLASH SIMM without de-soldering the Flash ICs
I've created a map between the LH28F320STKD -> SIMM -> T56 Programmer
There's a few signals that need investigation,  shown in RED.

mainly the LCS_FLASH (CS Selects), Program Voltage, RYBY (why are there 6 of these, 3 makes sense), PA0 (possibly tied low), PA1 (should be straight thru), byte# (likely tied high)
I'll have to ohm out the simm to figure out

Ill still have to de-solder U74 from the processor board (no way around that)

has anyone ever used JTAG on a 68040?
I don't see a def for it in OCD
if all you can do is a boundary scan can you access memory or do you need debug for that?



Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 07, 2020, 08:15:57 pm
"has anyone ever used JTAG on a 68040? "

I have not...

What is that 2x5 J16 ? There is one on every interface card except the GPIB. It happens to have the same number of pins and 2x5 as a std RS232 header for a typical computer of that era.

ALSO, where can I get a nice complete set of schematics with block diagrams ? The downloadable service manual is missing those.

On the Processor Card that is a STD JTAG Header for the main FPGA,  its not connected to the processor.
for the CLIP,  http://artekmanuals.com/manuals/hp-manuals/ (http://artekmanuals.com/manuals/hp-manuals/)   search for E4400-90310
there are some pages missing.

if anyone has an original CLIP and is willing to share (or sell) I'm very interested in getting ahold of it.  PM me off list if you do please
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: xymox on September 07, 2020, 10:42:08 pm
I ordered this one off ebay.. Once I get it AND IF ITS COMPLETE,, I will compress and upload for distribution.. Assuming its not just a copy of what is in your link..

https://www.ebay.com/itm/HP-E4401B-Component-Level-Info-Package-Schematics-/390129973036 (https://www.ebay.com/itm/HP-E4401B-Component-Level-Info-Package-Schematics-/390129973036)

I have spent hours getting ALL the files related to ESA off Keysight's terribly organized and painful to use web site. I have collected those and organized them far better. This includes manuals, guides, firmware, personalities discs & docs, options, install notes, application notes ESA related, software drivers, software and more.. I intend on organizing it all even better and making a single downloadable file. I Will also include the CL stuff as well once I have it.

One file to rule them all..
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 07, 2020, 10:50:33 pm
Yes that's the one.   
they are scans of the CLIP but very legible.

I've let them know of missing pages I've found so far.  not many 2-3,  processor is missing the last page(s) of the BOM but schematics are good
another is missing a schematic page but don't remember which it was

Note   the CLIP from Artek can not be distributed
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: xymox on September 07, 2020, 11:00:06 pm
Where else was the processor card used ? That Ethernet header and unpopulated parts for it must have been used by something ? I am going to poke around and see what other HP / Agilent devices might have used that same card. I suppose the FPGAs might be loaded totally different tho :( But maybe it might be possible to load it with ESA firmware and have a Ethernet... Or not.. hahaha.. I am still gonna look around tho..
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 07, 2020, 11:15:00 pm
I have a Processor Card with Network and there's no way to configure it in the ESA menus.
only the original card had the ethernet parts.   it's likely part of their debug system
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: xymox on September 08, 2020, 02:46:08 am
IS it just me ? Im trying to get all the firmware files and the ones from Keysight for the ESA for win 7/8 produce a SSL error ?  https://sa.support.keysight.com/ESA/Firmware/A.14.06.zip?id=2401677
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: Miek on September 08, 2020, 06:20:08 pm
Yeah, same. "Error code: SSL_ERROR_RX_RECORD_TOO_LONG" almost always means the site is serving plain http on that port (no SSL). Change the link to http and it works: http://sa.support.keysight.com/ESA/Firmware/A.14.06.zip?id=2401677 (http://sa.support.keysight.com/ESA/Firmware/A.14.06.zip?id=2401677)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: gslick on September 08, 2020, 07:23:42 pm
Where else was the processor card used ? That Ethernet header and unpopulated parts for it must have been used by something ? I am going to poke around and see what other HP / Agilent devices might have used that same card.

There are other instruments which reuse a processor card without using all of the hardware features. For example the 16700 logic analyzers use an E4406 processor card. I was curious about why there is a TI 9914 GPIB controller and 75ALS160 / 75ALS164 bus transceivers on the 16700 processor card but the GPIB connector is unpopulated. Turns out the GPIB connector is populated and used on the E4406A.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 09, 2020, 03:55:19 am
Spent a little bit of time making a PCB for the T56 Programmer to work with the FLASH SIMM.
nothing fancy,  even autorouted, just some switches to let you configure the lines to pick the correct Flash to read out.  U1/U2 or U3.

before I send to PCB house I want to verify a few more things
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: Kean on September 09, 2020, 04:53:20 am
before I send to PCB house I want to verify a few more things

Maybe fix the spelling mistake on Astronomics  ;D
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 09, 2020, 06:22:39 am
before I send to PCB house I want to verify a few more things

Maybe fix the spelling mistake on Astronomics  ;D

Yes I caught that and a much bigger issue that I've about fixed.  the spacing on the 2 24pin sockets was wrong.   it needed to be 600mils not 1060mils
would not have fit the ZIF socket on the programmer.

should be good now,  placed order from JLCPCB

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on September 09, 2020, 10:14:00 am
Spent a little bit of time making a PCB for the T56 Programmer to work with the FLASH SIMM.
nothing fancy,  even autorouted, just some switches to let you configure the lines to pick the correct Flash to read out.  U1/U2 or U3.

before I send to PCB house I want to verify a few more things

that's awesome  :-+
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 09, 2020, 03:43:35 pm
I injured my back and have been pretty much confined to bed so haven’t been able to reflash my SA with a byte change.  But you can design things while confined :)

I’ll reflash soon as possible to test that out
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 09, 2020, 04:05:32 pm
Guess what I just found. 

This is the monitor program I was after. 
to get it I caused an error.   the error was planned,  getting the monitor program was not
question will be how to get this when loading normally.

Code:
***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.

@(#)HEWLETT-PACKARD, E4401 Bootrom, 3.10
@(#)LDS Rev: 3.02 - Module Incremental (Feb 18 1999)
@(#)Linked: Feb 18 1999 11:46:22

Bootrom Checksum ...
Bootrom DRAM:     Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM:     Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
    ROM Checksum Failure.  Bad Checksum.  01, 0
Self-tests complete.SRAM selftest results:
        Start  = 0xa000000
        End    = 0xa007fa3
        Errors = 0x0
DRAM selftest results:
        Start  = 0x4011000
        End    = 0x6000000
        Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19

Cache Enabled
16MBytes of FLASH

Download to Flash Selected

***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.

@(#)HEWLETT-PACKARD, E4401 Bootrom, 3.10
@(#)LDS Rev: 3.02 - Module Incremental (Feb 18 1999)
@(#)Linked: Feb 18 1999 11:46:22

Bootrom Checksum ...
Bootrom DRAM:     Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM:     Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
    ROM Checksum Failure.  Bad Checksum.  01, 0
Self-tests complete.SRAM selftest results:
        Start  = 0xa000000
        End    = 0xa007fa3
        Errors = 0x0
DRAM selftest results:
        Start  = 0x4011000
        End    = 0x6000000
        Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19

Cache Enabled
16MBytes of FLASH

Download to Flash Selected

Unexpected exception at VBR offset 0x2c
  Vector #663
  format = 4, frame is at 0x4004794
  PC = 0xcff80000
  SR = 0x0400
  Registers = 0x0a007fa4 thru 0x0a007fef
ROM Monitor
Enter ? for help.
->?
bc      [<hex boot config>] - set the bootrom configuration (see bchelp)
bootvars- display bootrom variables
bs      - force a breakpoint when starting
dbyte   [<hex start address> [num bytes]] - display memory using bytes
dlong   [<hex start address> [num bytes]] - display memory using longs
dmem    [<hex start address> [num bytes]] - display memory using bytes
dword   [<hex start address> [num bytes]] - display memory using words
gbreak  - force a gdb breakpoint
gdb     - enable gdb trapping of exceptions
gu      [<hex start addr>]      - go to start address
hmon    [device] - download into memory
rty test routine
sbyte   <hex start address> <hexchars> - set memory using bytes
slong   <hex start address> <hexchars> - set memory using longs
smem    <hex start address> <hexchars> - set memory using bytes
sword   <hex start address> <hexchars> - set memory using words
version - display bootrom version
->dbyte
00000000  00 00 00 00 00 00 ad 34 4e 56 00 00 4e 41 00 00   .......4NV..NA..
->dbyte 0401100 255



***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.

@(#)HEWLETT-PACKARD, E4401 Bootrom, 3.10
@(#)LDS Rev: 3.02 - Module Incremental (Feb 18 1999)
@(#)Linked: Feb 18 1999 11:46:22

Bootrom Checksum ...
Bootrom DRAM:     Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM:     Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
    ROM Checksum Failure.  Bad Checksum.  01, 0
Self-tests complete.SRAM selftest results:
        Start  = 0xa000000
        End    = 0xa007fa3
        Errors = 0x0
DRAM selftest results:
        Start  = 0x4011000
        End    = 0x6000000
        Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19

Cache Enabled
16MBytes of FLASH

Download to Flash Selected

Unexpected exception at VBR offset 0x8
  Access Fault (bus error)
  format = 7, frame is at 0x4004648
  PC = 0xdc9a
  SR = 0x2004
  Registers = 0x0a007fa4 thru 0x0a007fef
  Access Address = 0x401100
ROM Monitor
Enter ? for help.
->?
bc      [<hex boot config>] - set the bootrom configuration (see bchelp)
bootvars- display bootrom variables
bs      - force a breakpoint when starting
dbyte   [<hex start address> [num bytes]] - display memory using bytes
dlong   [<hex start address> [num bytes]] - display memory using longs
dmem    [<hex start address> [num bytes]] - display memory using bytes
dword   [<hex start address> [num bytes]] - display memory using words
gbreak  - force a gdb breakpoint
gdb     - enable gdb trapping of exceptions
gu      [<hex start addr>]      - go to start address
hmon    [device] - download into memory
rty test routine
sbyte   <hex start address> <hexchars> - set memory using bytes
slong   <hex start address> <hexchars> - set memory using longs
smem    <hex start address> <hexchars> - set memory using bytes
sword   <hex start address> <hexchars> - set memory using words
version - display bootrom version
->dbyte
00000000  00 00 00 00 00 00 ad 34 4e 56 00 00 4e 41 00 00   .......4NV..NA..
->dbyte 1024
00001024  53 49 53 00 6a fa 20 49 72 ff b2 90 67 04 4a 90   SIS.j. Ir...g.J.
->version
Bootrom Revision 3.10


Serial is at 19.2Kb so dumping memory will be slow but may be doable soon (I hope)
and if you notice the menu you can dump and write memory  :-+
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 09, 2020, 05:17:16 pm
Sandra,

Do some dumps of 0x04011000 and beyond just to test and compare with ESAFW.

Later i'll provide some specific addresses.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 09, 2020, 05:28:47 pm
I am the owner of the E4407B with AYZ (external mixing) and 1DR (narrow resolution bandwidth) options installed. Also B72 and 1D5. If the memory dump is possible using the monitor program via the J1/RS-232C connector, I can prepare the hardware and do such a dump. Will it be helpful?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 09, 2020, 06:28:39 pm
Code:
->dbyte
00000000  00 00 00 00 00 00 ad 34 4e 56 00 00 4e 41 00 00   .......4NV..NA..
->dbyte 1024
00001024  53 49 53 00 6a fa 20 49 72 ff b2 90 67 04 4a 90   SIS.j. Ir...g.J.

These are exactly the bytes of bootrom at 0x00 and 0x1024.  :popcorn:
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 09, 2020, 06:42:21 pm
So far my playing around to get a dump off a fully running E4407B has not been successful
biggest issue with a successful load: you're not in the monitor program where you can dump memory.
I am dumping 0401100 on but it's going to take some time at 19.6Kb

From the System/pSOS menu it says that ^C gets you to the monitor.   I'm assuming that's CTRL+C and that doesn't work.  get un-recognized char, also tried literal ^C, didn't recognize the ^.  looks like it's a single char command so not sure what ^C was to be.

the hmon device command will load from a device into memory but I can't figure out the device names
I do know that hmon alone will try to load from GPIB
I tried hmon GPIB and get un-recognized device

I'm finding all the things that don't work,  just to find the one that does.
pSOS being so old it's hard to find DOC on as well
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 09, 2020, 06:50:07 pm
...
pSOS being so old it's hard to find DOC on as well

I have also Anritsu MS4623B and it use pSOS. I have some DOC's for pSOS.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on September 09, 2020, 06:50:16 pm
maybe it just means capital C
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 09, 2020, 06:51:09 pm
Part 2
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 09, 2020, 06:52:47 pm
Code:
->dbyte
00000000  00 00 00 00 00 00 ad 34 4e 56 00 00 4e 41 00 00   .......4NV..NA..
->dbyte 1024
00001024  53 49 53 00 6a fa 20 49 72 ff b2 90 67 04 4a 90   SIS.j. Ir...g.J.

These are exactly the bytes of bootrom at 0x00 and 0x1024.  :popcorn:

Cool, and that would make sense.  the boot rom would exist at 0x00000000
if I recall the 1024 bytes on the M68K is the vector table
of course that command dbyte 1024 is dump 0x1024 not dec 1024  :O
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 09, 2020, 06:52:54 pm
Be careful, the address is 0x0401 1000. Not 0x0040 1100!

For now, just get me this region:

0x048B9200 -> 0x048B9500
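
Added example, not part of any post in this thread: Python that checks a serial capture of the monitor's `dbyte` output before it is compared with a firmware image. It derives the DRAM ranges from the boot log, shows that a mistyped address such as 0x0401100 falls outside them, rejects rows whose ASCII column disagrees with the hex bytes, and lists what has to be re-read; the function names are hypothetical, one row is dropped and one altered on purpose, and rendering 0x7f and above as "." is an assumption about the monitor.

```python
import re

# Boot-log lines copied from the console captures in this thread.
BOOT_LOG = """\
Bootrom DRAM:     Testing 69632 bytes at 0x04000000
Main Firmware DRAM:     Testing 33484800 bytes at 0x04011000
"""

# Rows copied from the thread, with two constructed faults: the row at
# 048b9230 is left out (lost line) and the last ASCII character of row
# 048b9250 is altered (serial corruption).
CAPTURE = """\
->dbyte 0x048b9200 2048
048b9200  cc dd 4c cc d4 cc cd dc 4c 8c 8c ee c8 cc c4 cc   ..L.....L.......
048b9210  33 33 33 b1 75 b7 33 13 10 b6 32 33 23 a2 33 37   333.u.3...23#.37
048b9220  33 33 33 31 71 b7 33 93 10 b6 32 32 3b a2 33 33   3331q.3...22;.33
048b9240  dc dd 4c cd d4 ec cc ce 4c 8c 8c ee c9 cc c4 dc   ..L.....L.......
048b9250  33 33 33 b3 71 b7 33 93 10 36 36 33 3b a2 33 33   333.q.3..663;.3X
"""

REGION_RE = re.compile(r"^(.+?):\s+Testing (\d+) bytes at 0x([0-9a-fA-F]+)", re.M)
# address, two spaces, 16 hex bytes, three spaces, 16-character ASCII column
ROW_RE = re.compile(r"^([0-9a-f]{8})  ((?:[0-9a-f]{2} ){16})  (.{16})$")


def memory_map(boot_log):
    """Map region name -> (start, end) for the regions the self-test reports."""
    regions = {}
    for name, size, start in REGION_RE.findall(boot_log):
        base = int(start, 16)
        regions[name.strip()] = (base, base + int(size))
    return regions


def region_of(addr, regions):
    """Name of the reported region holding addr, or None.

    None only means the self-test did not report the address; the bootrom
    at 0x0 is readable but is not listed in the log either.
    """
    for name, (lo, hi) in regions.items():
        if lo <= addr < hi:
            return name
    return None


def render(data):
    """ASCII column as the monitor prints it (0x7f and up assumed to be '.')."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def parse_capture(text):
    """Return (rows, rejected): verified (addr, bytes) rows and bad addresses."""
    rows, rejected = [], []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # prompt, banner, blank or overwritten line
        addr = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2))
        if render(data) == m.group(3):
            rows.append((addr, data))
        else:
            rejected.append(addr)  # hex and ASCII columns disagree
    return rows, rejected


def missing_ranges(rows, start, length):
    """[(addr, size)] inside [start, start+length) with no verified row."""
    have = {addr for addr, _ in rows}
    gaps = []
    for addr in range(start, start + length, 16):
        if addr in have:
            continue
        if gaps and gaps[-1][0] + gaps[-1][1] == addr:
            gaps[-1] = (gaps[-1][0], gaps[-1][1] + 16)
        else:
            gaps.append((addr, 16))
    return gaps


def mismatches(rows, image, load_addr):
    """Addresses of rows that differ from a reference image loaded at load_addr."""
    bad = []
    for addr, data in rows:
        off = addr - load_addr
        if off < 0 or image[off:off + len(data)] != data:
            bad.append(addr)
    return bad


if __name__ == "__main__":
    regions = memory_map(BOOT_LOG)
    for a in (0x04011000, 0x0401100, 0x048B9200):
        print(f"{a:#010x} -> {region_of(a, regions)}")
    rows, rejected = parse_capture(CAPTURE)
    print("rejected:", [hex(a) for a in rejected])
    print("re-read:", [(hex(a), n) for a, n in missing_ranges(rows, 0x048B9200, 0x60)])
```
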
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 09, 2020, 06:53:23 pm
maybe it just means capital C

Tried, does not accept it either :(
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 09, 2020, 07:03:08 pm
Be careful, the address is 0x0401 1000. Not 0x0040 1100!

For now, just get me this region:

0x048B9200 -> 0x048B9500

Here ya go

Code:
**** Mosquito Bootrom ***** 00 00 00 00 00 00 00 00 00 00   ................
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.

@(#)HEWLETT-PACKARD, E4401 Bootrom, 3.10
@(#)LDS Rev: 3.02 - Module Incremental (Feb 18 1999)
@(#)Linked: Feb 18 1999 11:46:22

Bootrom Checksum ...
Bootrom DRAM:     Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM:     Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
    ROM Checksum Failure.  Bad Checksum.  01, 0
Self-tests complete.SRAM selftest results:
        Start  = 0xa000000
        End    = 0xa007fa3
        Errors = 0x0
DRAM selftest results:
        Start  = 0x4011000
        End    = 0x6000000
        Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19

Unexpected exception at VBR offset 0x8
  Access Fault (bus error)
  format = 7, frame is at 0x400473c
  PC = 0x4e410000
  SR = 0x2700
  Registers = 0x0a007fa4 thru 0x0a007fef
  Access Address = 0x4e410000
ROM Monitor
Enter ? for help.
-> ?
bc      [<hex boot config>] - set the bootrom configuration (see bchelp)
bootvars- display bootrom variables
bs      - force a breakpoint when starting
dbyte   [<hex start address> [num bytes]] - display memory using bytes
dlong   [<hex start address> [num bytes]] - display memory using longs
dmem    [<hex start address> [num bytes]] - display memory using bytes
dword   [<hex start address> [num bytes]] - display memory using words
gbreak  - force a gdb breakpoint
gdb     - enable gdb trapping of exceptions
gu      [<hex start addr>]      - go to start address
hmon    [device] - download into memory
rty test routine
sbyte   <hex start address> <hexchars> - set memory using bytes
slong   <hex start address> <hexchars> - set memory using longs
smem    <hex start address> <hexchars> - set memory using bytes
sword   <hex start address> <hexchars> - set memory using words
version - display bootrom version

->dbyte 0x048b9200 2048

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 09, 2020, 09:35:49 pm
OK, I prepared the hardware to handle the serial port, set up 19200 8n1. After start, E4407B sends information.

Code: [Select]
***** Mosquito Bootrom *****                                                   
Copyright 1988-1997,                                                           
Hewlett-Packard Company, all rights reserved.                                   
                                                                               
@(#)HEWLETT-PACKARD, E4401 Bootrom, 5.00                                       
@(#)LDS Rev: 3.02 - Module Incremental (Sep  9 2003)                           
@(#)Linked: Sep  9 2003 14:46:44                                               
                                                                               
Bootrom Checksum ...                                                           
Bootrom DRAM:     Testing 69632 bytes at 0x04000000                             
Non Destructive SRAM Test ...                                                   
Main Firmware DRAM:     Testing 33484800 bytes at 0x04011000                   
Main FW Checksum ...                                                           
Self-tests complete.SRAM selftest results:                                     
        Start  = 0xa000000                                                     
        End    = 0xa007fa3                                                     
        Errors = 0x0                                                           
DRAM selftest results:                                                         
        Start  = 0x4011000                                                     
        End    = 0x6000000                                                     
        Errors = 0x0                                                           
hpibPort = 0x8005000                                                           
hpibPort = 0x8005000, bus Address = 19                                         
                                                                               
Cache Enabled                                                                   
16MBytes of FLASH                                                               
                                                                               
Download to Flash Selected                                                     
>>> mainMain()                                                                 
text segment:           0x4011000 thru 0x4435674 ( 424674 bytes)               
data segment:           0x4600000 thru 0x476dd88 ( 16dd88 bytes)               
bss  segment:           0x476dd88 thru 0x48bcce8 ( 14ef60 bytes)               
                                                                               
ROM size:               0x005923fc ( 5923fc bytes of 4194304 max.)             
                                                                               
memory pool (all):      0x048bcce8 thru 0x05ffffff (24392472 bytes)             
Calling start_psos() ...                                                       
FLOPPY_Media::read: Could not read sector 1 on track 0 on side 0               
>>>> debug() process starting                                                   
DLP Loaded - Power Suite Utilities, A.06.05, Nov 21 2003 15:45:40               
----- System/pSOS Debug commands: -----                                         
    '?' - this help message.                                                   
    'j' - drop into breakpoint.                                                 
   '^C' - Abort to monitor.                                                     
   '^P' - Process status info, and LOTS of it.                                 
 '[dD]' - Print DLP debug information.                                         
 '[bB]' - Big memory hog report.                                               
 '[pP]' - Process ONLY status info.                                             
                                                                               
 '[eE]' - Exchange info.                                                       
 '[gG]' - toggle breakpoint exception handlers on/off                           
 '[tT]' - Time log.                                                             
 '[hH]' - History log.                                                         
 '[oO]' - Memory segment ownership.                                             
 '[mM]' - Memory segment summary.                                               
 '[sS]' - Semaphore ownership, etc.                                             
 '[uU]' - maximum process stack Usage.                                         
 '[vV]' - memory Validity check.                                               
 '[iI]' - Show psosSystemData.                                                 
 '[1]' -  Show NVRAM contents.                                                 
 '[wW] <process name>' - Show process stack trace.


How do I enter the monitor? Sandra, you wrote about a planned error. How to do it?

I am ready to deliver information from my device with the options installed, please just keep in mind that I am not an experienced hacker :)
I will also point out that my SA has the A.14.01 firmware installed. Can't install the latest firmware yet, FDD can't read floppy disks reliably. It crashes on 2nd or 3rd disk when trying to update. I have to look for a new FDD.

EDIT

I'm now motivated to solve the FDD problem in my SA. I ordered 2 used SLIM FDD from the local auction site. One type NEC FD3238T and the other Teac FD-05HG. The FDD Teac FD-05HF was originally installed in my E4407B, but I haven't found one. Hope one of them will work well, both have a 26 pin connector. If they work, I will update the firmware to version A.14.06.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 10, 2020, 03:54:27 pm
I've had a setback
That FLASH SIMM I used to cause an error that got me into the monitor program.   Well, it blew the board.  Fortunately it's my spare processor board I've been using to experiment on, but it's DEAD  :palm:
At least it wasn't my actual board I normally use.
DS1-DS7 all on, no boot at all. Likely and hopefully blew a buffer chip (data or address) and not the FPGA.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 10, 2020, 04:03:08 pm

How do I enter the monitor? Sandra, you wrote about a planned error. How to do it?


Cause an error.
I was playing with this before I had the issue on the Processor Board and I think if you put in the ESALOADER disc you can get the Monitor Program that way.
Of course this might be a problem for you with the FD issue you're having.

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on September 10, 2020, 05:38:39 pm
Can you connect a keyboard and keep slapping it during boot up? Maybe that will cause the boot loader to redirect to a console monitor.
I don't see any message saying this in the boot log you posted, but still it might work.

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: andrew9875 on September 10, 2020, 07:09:03 pm
Looks like Sandra is correct, you can easily enter the monitor program by booting from the ESALOADR floppy. Just tried it on my E4402B.

When the SA completes booting from the floppy, press 'j' at the serial console then CTRL+C and you're in the monitor program.

Code: [Select]
***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.

@(#)HEWLETT-PACKARD, E4401 Bootrom, 3.10
@(#)LDS Rev: 3.02 - Module Incremental (Feb 18 1999)
@(#)Linked: Feb 18 1999 11:46:22

Bootrom Checksum ...
Bootrom DRAM:     Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM:     Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
Self-tests complete.SRAM selftest results:
        Start  = 0xa000000
        End    = 0xa007fa3
        Errors = 0x0
DRAM selftest results:
        Start  = 0x4011000
        End    = 0x6000000
        Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19

Cache Enabled
16MBytes of FLASH

Download to Flash Selected
Downloading from floppy
>>> mainMain()
text segment:           0x4011000 thru 0x40c0c80 (  afc80 bytes)
data segment:           0x4400000 thru 0x4405ec8 (   5ec8 bytes)
bss  segment:           0x4405ec8 thru 0x4424710 (  1e848 bytes)

ROM size:               0x000b5b48 (  b5b48 bytes of 4194304 max.)

memory pool (all):      0x04424710 thru 0x05ffffff (29210864 bytes)
Calling start_psos() ...
>>>> debug() process starting
Unknown debug char: '' (0x03).  Press '?' for help.
Unknown debug char: '' (0x03).  Press '?' for help.
Unknown debug char: 'c' (0x63).  Press '?' for help.
Unknown debug char: '' (0x03).  Press '?' for help.
Unknown debug char: 'c' (0x63).  Press '?' for help.
Unknown debug char: '' (0x03).  Press '?' for help.
----- System/pSOS Debug commands: -----
    '?' - this help message.
    'j' - drop into breakpoint.
   '^C' - Abort to monitor.
   '^P' - Process status info, and LOTS of it.
 '[dD]' - Print DLP debug information.
 '[bB]' - Big memory hog report.
 '[pP]' - Process ONLY status info.

 '[eE]' - Exchange info.
 '[tT]' - Time log.
 '[hH]' - History log.
 '[oO]' - Memory segment ownership.
 '[mM]' - Memory segment summary.
 '[sS]' - Semaphore ownership, etc.
 '[uU]' - maximum process stack Usage.
 '[vV]' - memory Validity check.
 '[iI]' - Show psosSystemData.
 '[1]' -  Show NVRAM contents.
 '[wW] <process name>' - Show process stack trace.

⸤�Ӱ����Unknown debug char: '' (0x03).  Press '?' for help.

Unexpected exception at VBR offset 0x80
  Trap #0
  format = 0, frame is at 0x4423a50
  PC = 0x40b8648
  SR = 0x2704
  Registers = 0x0a007fa4 thru 0x0a007fef
ROM Monitor
Enter ? for help.
->

I will attempt a memory dump later today. I have a few options installed (B72, 1DN, B7B, A4H, BAA, AYX, B7D, B7E), so hopefully this will be useful.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 10, 2020, 07:26:06 pm
This procedure works for me. Tomorrow I should have a fully functional FDD, then I will upgrade the firmware to the last one. In the older firmware version, from 0x048B9200, they are all zeros.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 10, 2020, 07:48:37 pm
Guys, feel bad for Sandra but great news from the others.

Try to make a dump from 0x0401 1000 up to 0x0490 0000. Those that don't have any license should try to insert a random license before the dump. Just insert "0123456789AB".
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 10, 2020, 08:05:06 pm
This procedure works for me. Tomorrow I should have a fully functional FDD, then I will upgrade the firmware to the last one. In the older firmware version, from 0x048B9200, they are all zeros.

 :-+ That's why it's important to normalize versions. My analysis was done with the A.14.06 ESAFW shared by Sandra.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 10, 2020, 08:30:19 pm
Looks like Sandra is correct, you can easily enter the monitor program by booting from the ESALOADR floppy. Just tried it on my E4402B.
I will attempt a memory dump later today. I have a few options installed (B72, 1DN, B7B, A4H, BAA, AYX, B7D, B7E), so hopefully this will be useful.

If that is the menu you see that is the debug menu not the monitor menu where you can dump memory
the dump command is
dbyte start(in hex),len(in bytes)

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 10, 2020, 09:00:21 pm
It's working for monitor menu
1. Connect serial to the J1 (19200, 8/N/1)
2. boot from bootloader floppy disk
3. press "j" then "ctrl+c"

After next power cycle (the front power button not working), SA needs full alignment.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 11, 2020, 04:04:09 am
Starting to fix what I broke.
I have noticed, looking at the CLIP, there is a bus defined as DBS_D_T[15.0] that goes to all the FLASH memory but goes nowhere else.
DBS_D[15.0] goes from the Dynamic bus sizer to the IO buffers but there's no Data buffers.  Strange

Looking at what the FLASH SIMM was attached to is why I'm looking, though I did remove all the FLASH memory from the SIMM and tested it.   All 3 tested good, so that's a plus.
I did identify that that 0 ohm is by the U2 label.   If it's on the right side it connects VPP_FLASH_5V to the memory,  if on the left it connects VPP_FLASH_12V to the memory.
That little resistor at the top of the SIMM pulls #BYTE high.
PA0_DBS is not connected to the memory.
PA1_DB2 is connected to the A1 pin on all the memory.

LCS_FLASH4/5 are connected reverse of the other ones   BE1H/BE1L instead of BE1L/BE1H like the others
Only the FLASH OC0_RYBY/U1, FLASH OC1_RYBY/U2 and FLASH OC2_RYBY/U3 are connected the other are NC

Attaching Some Pic of the unpopulated SIMM module

For the Processor Board, working with it is difficult while in the SA.   I'm going to see if I can supply 5v to it and troubleshoot on the bench;
that should let me use the scope much more easily.




 
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: andrew9875 on September 11, 2020, 11:18:21 am
Try to make a dump from 0x0401 1000 up to 0x0490 0000.

My memory dump is attached.

FYI, my unit is running the latest A.14.06 firmware.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 11, 2020, 11:42:08 am
My memory dump is attached.

FYI, my unit is running the latest A.14.06 firmware.

Curious. It seems a correct dump BUT from a different memory bank (as if it was possible)...

I have to take a deeper look.

It's not the ESAFW. But I don't have here the rest of the package...

EDIT: It's the ESALOADR.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 11, 2020, 12:02:56 pm
My memory dump is attached.

FYI, my unit is running the latest A.14.06 firmware.

Curious. It seems a correct dump BUT from a different memory bank (as if it was possible)...

I have to take a deeper look.

It's not the ESAFW. But I don't have here the rest of the package...

@tv84  Do you run anything to convert these dumps into a bin file or other format?
since they're ascii dumps I figured you might do something like that.
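For the question above about turning ASCII dbyte captures into a binary file, here is an added example; it is not code from this thread or from any participant's tooling. It assumes the row layout seen in the quoted dbyte output (8-digit address, 16 bytes, ASCII column with non-printable bytes shown as '.') and a requested length that is a multiple of 16; the function names and the sample capture are constructed for illustration.

```python
import re

# Assumed row layout, taken from the dbyte output quoted in this thread:
# 8-hex-digit address, two spaces, 16 space-separated bytes, three spaces,
# then an ASCII gutter in which non-printable bytes are shown as '.'.
ROW_RE = re.compile(
    r'^([0-9a-fA-F]{8})  ((?:[0-9a-fA-F]{2} ){15}[0-9a-fA-F]{2})(?:   (.*))?$')
ROW_LEN = 16

# Constructed sample (not a real dump): one blank line, one row whose hex
# column was damaged in transit (line 4), and one row missing (0x04011030).
SAMPLE_CAPTURE = """\
->dbyte 0x04011000 80
04011000  4e 56 00 00 2f 0a 24 6e 00 08 4a 92 67 06 20 52   NV../.$n..J.g. R

04011010  48 65 6c 6c 6f 20 77 6f 72 6c 44 21 00 00 00 00   Hello world!....
04011020  ff ff ff ff 00 00 00 00 41 42 43 44 31 32 33 34   ........ABCD1234
04011040  de ad be ef 50 53 4f 53 2b 00 00 00 00 00 00 00   ....PSOS+.......
"""


def ascii_gutter(data):
    """Render bytes the way the capture's right-hand column does (assumed rule)."""
    return ''.join(chr(b) if 0x20 <= b <= 0x7e else '.' for b in data)


def parse_dbyte_capture(text, start, length, fill=0x00):
    """Rebuild a binary image from a serial capture of dbyte output.

    start/length are the values typed into the dbyte command. Returns
    (image, missing_rows, problems). A row whose hex column disagrees with
    its ASCII gutter is treated as line noise and dropped, so it is reported
    in missing_rows instead of silently corrupting the image.
    """
    if length % ROW_LEN:
        raise ValueError('length must be a multiple of 16')
    image = bytearray([fill]) * length
    seen, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith('->'):
            continue  # blank line or echoed monitor command
        m = ROW_RE.match(line)
        if not m:
            problems.append((lineno, 'unparsed line'))
            continue
        addr = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2))
        off = addr - start
        if ascii_gutter(data).rstrip() != (m.group(3) or '').rstrip():
            problems.append((lineno, 'hex/ascii mismatch'))
        elif off < 0 or off + ROW_LEN > length or off % ROW_LEN:
            problems.append((lineno, 'address outside requested range'))
        elif seen.get(addr, data) != data:
            problems.append((lineno, 'conflicting repeat of row'))
        else:
            seen[addr] = data
            image[off:off + ROW_LEN] = data
    missing = [a for a in range(start, start + length, ROW_LEN)
               if a not in seen]
    return bytes(image), missing, problems


def differing_addresses(base, a, b):
    """Addresses at which two images of the same region differ."""
    return [base + i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == '__main__':
    img, missing, problems = parse_dbyte_capture(SAMPLE_CAPTURE, 0x04011000, 80)
    print('bytes recovered:', len(img) - ROW_LEN * len(missing))
    print('rows to re-dump:', [hex(a) for a in missing])
    print('rejected lines :', problems)
```

Rows listed in `missing_rows` are filled with the `fill` byte, so re-dump just those addresses before comparing the image against a firmware file with `differing_addresses`.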
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: andrew9875 on September 11, 2020, 01:44:50 pm
Curious. It seems a correct dump BUT from a different memory bank (as if it was possible)...

I have to take a deeper look.

It's not the ESAFW. But I don't have here the rest of the package...

Hmmm. I wonder if this is because ESALOADR is loaded and running.

I think I figured how to access the ROM monitor without ESALOADR running:

 So far the dump is at least slightly different, just need to wait several hours for it to complete.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 11, 2020, 02:38:24 pm
Curious. It seems a correct dump BUT from a different memory bank (as if it was possible)...

I have to take a deeper look.

It's not the ESAFW. But I don't have here the rest of the package...

Hmmm. I wonder if this is because ESALOADR is loaded and running.

I think I figured how to access the ROM monitor without ESALOADR running:
  • Boot from ESALOADR floppy, drop into ROM monitor menu (j, CTRL+C)
  • Retry test routine ('rty')
  • Test routine will fail/hang, then remove floppy and power cycle the unit
  • Boot from flash will fail and drop you back into ROM monitor

 So far the dump is at least slightly different, just need to wait several hours for it to complete.

Have you tried the (J, CTRL+C) on a normal boot?
That's what we're after, if it will work.

anytime loading ESALOADER you won't get ESAFW loaded off flash and executed.
the ideal is
Boot Normally
Get into Monitor
then Dump Memory

Probably should let TV84 know your HOSTID and be sure you're running 14.06 of the firmware (I know you are, this is more for anyone else who tries in the future).
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 11, 2020, 04:45:29 pm
What do you think about this
1. we need the ESAFW loaded.  So far though we can't get into the monitor to do the dbyte dump command
2. J14 is Reset on the Processor Card

what if we powered up normally.  once up and firmware loaded we insert the ESALOADER disc and reset
DRAM should still be loaded.

we can then break into monitor and try to dump memory?

another thought is would it be worth hacking the boot rom to enable the ^C to break into the monitor.
it lets you in the monitor when loading the ESALOADER but not the main firmware

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 11, 2020, 04:59:42 pm
another thought is would it be worth hacking the boot rom to enable the ^C to break into the monitor.
it lets you in the monitor when loading the ESALOADER but not the main firmware

Not so easy because the DEBUG MENU is in the ESALOADR, not the BOOTROM.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 11, 2020, 06:17:29 pm
My memory dump is attached.

FYI, my unit is running the latest A.14.06 firmware.

In binary format.

Andrew's dump is a dump of ESALOADR (size 0xB5B48 bytes). Not ESAFW.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 11, 2020, 06:28:46 pm
what if we powered up normally.  once up and firmware loaded we insert the ESALOADER disc and reset
DRAM should still be loaded.

we can then break into monitor and try to dump memory?

That is a nice idea. Please try it.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: Gribo on September 11, 2020, 06:42:25 pm
Ctrl+C is also the Break key, you can try that.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 11, 2020, 07:02:13 pm
Ctrl+C is also the Break key, you can try that.

Not working.
What BootRom Version are you on
Mine is E4401 Bootrom, 5.00
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 11, 2020, 07:07:40 pm
Just to be sure we're all on same Page

This is the Debug menu and not what we need
Code: [Select]
----- System/pSOS Debug commands: -----                                         
    '?' - this help message.                                                   
    'j' - drop into breakpoint.                                                 
   '^C' - Abort to monitor.                                                     
   '^P' - Process status info, and LOTS of it.                                 
 '[dD]' - Print DLP debug information.                                         
 '[bB]' - Big memory hog report.                                               
 '[pP]' - Process ONLY status info.                                             
                                                                               
 '[eE]' - Exchange info.                                                       
 '[gG]' - toggle breakpoint exception handlers on/off                           
 '[tT]' - Time log.                                                             
 '[hH]' - History log.                                                         
 '[oO]' - Memory segment ownership.                                             
 '[mM]' - Memory segment summary.                                               
 '[sS]' - Semaphore ownership, etc.                                             
 '[uU]' - maximum process stack Usage.                                         
 '[vV]' - memory Validity check.                                               
 '[iI]' - Show psosSystemData.                                                 
 '[1]' -  Show NVRAM contents.                                                 
 '[wW] <process name>' - Show process stack trace.

This is the Monitor Menu and what we're after.

Code: [Select]
bc      [<hex boot config>] - set the bootrom configuration (see bchelp)
bootvars- display bootrom variables
bs      - force a breakpoint when starting
dbyte   [<hex start address> [num bytes]] - display memory using bytes
dlong   [<hex start address> [num bytes]] - display memory using longs
dmem    [<hex start address> [num bytes]] - display memory using bytes
dword   [<hex start address> [num bytes]] - display memory using words
gbreak  - force a gdb breakpoint
gdb     - enable gdb trapping of exceptions
gu      [<hex start addr>]      - go to start address
hmon    [device] - download into memory
rty test routine
sbyte   <hex start address> <hexchars> - set memory using bytes
slong   <hex start address> <hexchars> - set memory using longs
smem    <hex start address> <hexchars> - set memory using bytes
sword   <hex start address> <hexchars> - set memory using words
version - display bootrom version

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 11, 2020, 07:19:24 pm
Please dump from 0x0400 0000 to 0x0401 1000.  Just to check if this is BOOTROM-related.

I think this can be done with ESALOADR. No need for ESAFW.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 11, 2020, 07:20:50 pm
Just to be sure we're all on same Page

How do you trigger DEBUG MENU?


For information:

DEBUG MENU is inside ESALOADR

MONITOR MENU is inside BOOTROM   (called from within DEBUG MENU via ^C)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: andrew9875 on September 11, 2020, 08:12:52 pm

Using this procedure:

  • Boot from ESALOADR floppy, drop into ROM monitor menu (j, CTRL+C)
  • Retry test routine ('rty')
  • Test routine will fail/hang, then remove floppy and power cycle the unit
  • Boot from flash will fail and drop you back into ROM monitor

My memory dump (0x04011000-0x04900000) looks nearly identical to the concatenated ESAFW file that Sandra shared earlier with only a handful of addresses differing, and differs quite a lot from the ESALOADR.

I believe this dump is the ESAFW from flash. On the second boot (step 4 of my procedure), the ESALOADR disk is not present so the unit must load from flash.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 11, 2020, 08:15:20 pm
When you boot normally the Debug Menu "----- System/pSOS Debug commands: ----- " is always there.
When you boot from the ESALOADER you don't initially see a menu.   Pressing ? will show the same menu as above; you can CTRL+C and it causes an exception, then you're in the Monitor menu where you can dump memory.

I've hooked up a reset switch,   booted normally,   entered AXZ for the opt and 0123456789ABC for the code,
inserted the ESALOADER,  and hit reset.
Once rebooted I got into the monitor and did 2 dumps (one's still dumping).

The first will be
0x0400 0000 to 0x0401 1000

The second will be
0x0401 1000 to 0x0490 0000
 
As soon as it's done I'll edit and post to this message.
My HostID is 29611027
My BootRom is V5.00



Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 11, 2020, 08:32:11 pm
My memory dump (0x04011000-0x04900000) looks nearly identical to the concatenated ESAFW file that Sandra shared earlier with only a handful of addresses differing, and differs quite a lot from the ESALOADR.

I believe this dump is the ESAFW from flash. On the second boot (step 4 of my procedure), the ESALOADR disk is not present so the unit must load from flash.

This dump is exactly Sandra's ESAFW with 8 bytes different (in the middle of the code  :-//).

The problem is that you didn't run the app before taking the dump. We need the dump after the app has run/is running. Because all the rest of the mem is 0x00s.
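
The comparison described in this exchange (dump versus reference image, then a look at the memory past the image), as an added example that is not code from the thread or from any tool named in it. Only the 0x04011000 base address comes from the posts; the image bytes, sizes and function names are constructed for illustration.

```python
"""Compare a memory dump with a reference firmware image (added example)."""
from dataclasses import dataclass

DUMP_BASE = 0x04011000  # start address of the dump, as given in the thread


@dataclass
class DiffRun:
    address: int      # absolute address of the first byte of the run
    reference: bytes  # bytes in the reference image
    dumped: bytes     # bytes read back from the unit


def differing_offsets(reference, dump, chunk=4096):
    """Yield offsets where the two buffers differ, over their common length.

    Equal chunks are skipped with one slice comparison, so a multi-megabyte
    image with a handful of changed bytes is scanned quickly.
    """
    n = min(len(reference), len(dump))
    for off in range(0, n, chunk):
        end = min(off + chunk, n)
        a, b = reference[off:end], dump[off:end]
        if a != b:
            for i, (x, y) in enumerate(zip(a, b)):
                if x != y:
                    yield off + i


def diff_runs(reference, dump, base=DUMP_BASE, gap=0):
    """Group differing offsets into runs; runs separated by at most `gap`
    identical bytes are merged so one modified field is reported once."""
    runs = []  # [start, end) offset pairs
    for off in differing_offsets(reference, dump):
        if runs and off - runs[-1][1] <= gap:
            runs[-1][1] = off + 1
        else:
            runs.append([off, off + 1])
    return [DiffRun(base + s, bytes(reference[s:e]), bytes(dump[s:e]))
            for s, e in runs]


def nonzero_after_image(dump, image_len):
    """Count non-zero bytes in the dump beyond the end of the image.

    Zero means the RAM past the loaded image was never written, which is
    what a dump taken before the application ran looks like.
    """
    tail = dump[image_len:]
    return len(tail) - tail.count(0)


def make_sample():
    """Constructed sample: a 16 KiB 'image' and a dump of it with eight
    bytes changed at offset 0x1234, followed by 8 KiB of untouched RAM."""
    reference = bytes(range(256)) * 64
    dump = bytearray(reference)
    for i in range(0x1234, 0x1234 + 8):
        dump[i] ^= 0xFF
    return reference, bytes(dump) + bytes(0x2000)


def report(reference, dump, base=DUMP_BASE):
    """Return a printable summary of the comparison."""
    lines = []
    for run in diff_runs(reference, dump, base):
        lines.append(f"0x{run.address:08x}: {run.reference.hex()} -> "
                     f"{run.dumped.hex()} ({len(run.dumped)} bytes)")
    stray = nonzero_after_image(dump, len(reference))
    state = "untouched (all 0x00)" if stray == 0 else f"{stray} non-zero bytes"
    lines.append(f"memory past image: {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    ref, dmp = make_sample()
    print(report(ref, dmp))
```

With real files, read both with `open(path, "rb").read()` and pass them in the same order; a dump shorter than the image is compared over the overlap only.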
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 11, 2020, 08:38:49 pm
It MUST be possible to abort into Monitor mode from within ESAFW because ESAFW also has the DEBUG MENU in the code (with the ^C option). Just saw that in the code.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: andrew9875 on September 11, 2020, 08:41:18 pm
This dump is exactly Sandra's ESAFW with 8 bytes different (in the middle of the code  :-//).

The problem is that you didn't run the app before taking the dump. We need the dump after the app has run/is running. Because all the rest of the mem is 0x00s.

Got it, didn't quite grasp what the issue was before. The application was definitely not running when I created the new dump.

Looking forward to seeing Sandra's results
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 11, 2020, 08:41:40 pm
When I boot from the ESALOADER and see the Menu ^C works fine
when I boot normally and see the Menu,  even though ^C is in the menu all I see is a message that it doesn't recognize the keypress
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 11, 2020, 08:45:28 pm
When I boot from the ESALOADER and see the Menu ^C works fine
when I boot normally and see the Menu,  even though ^C is in the menu all I see is a message that it doesn't recognize the keypress

Ohhh. That's another story. Let's wait for your dumps. I've got my fingers crossed.

If not successful, I'll ask you to do me a log dump of all the submenu options of the DEBUG MENU (just the 1st screen) so that I can crosscheck the functions.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 11, 2020, 08:53:04 pm
This dump is exactly Sandra's ESAFW with 8 bytes different (in the middle of the code  :-//).

The problem is that you didn't run the app before taking the dump. We need the dump after the app has run/is running. Because all the rest of the mem is 0x00s.

Got it, didn't quite grasp what the issue was before. The application was definitely not running when I created the new dump.

Looking forward to seeing Sandra's results

Still dumping, it's up to 0x040Dxxxx and it's all zeros in this area.

I'm trying to figure out device addressing
the max address is 0x07FFFFFF  only ADDRESS BIT 0..27 are used
21,22,23 are used to address the FLASH memory (thru a 74138)

U55 controls the addressing which is the communications controller which goes to the enable pin on the 74138


Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 11, 2020, 09:01:36 pm
all I see is a message that it doesn't recognize the keypress

What is the specific msg?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 11, 2020, 09:05:23 pm
the max address is 0x07FFFFFF  only ADDRESS BIT 0..27 are used

I saw somewhere that the app and mem would not go higher than 0x06000000. Maybe in your boot logs...

That doesn't mean that physically it couldn't go to that limit mentioned by you.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 11, 2020, 09:09:56 pm

I saw somewhere that the app and mem would not go higher than 0x06000000. Maybe in your boot logs...

That doesn't mean that physically it couldn't go to that limit mentioned by you.

From the hardware side it's physically limited to 0x07FFFFFF (A0..A27) the remaining bits are NC
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 11, 2020, 09:14:03 pm
all I see is a message that it doesn't recognize the keypress

What is the specific msg?

Unknown debug char: 'C' (0x43).  Press '?' for help.
if I do CTRL+C its
Unknown debug char: ' ' (0x03).  Press '?' for help. (i think)   still dumping so I can't check

I do not miss dialup speeds
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 11, 2020, 09:16:17 pm
When I boot from the ESALOADER and see the Menu ^C works fine
when I boot normally and see the Menu,  even though ^C is in the menu all I see is a message that it doesn't recognize the keypress

Ohhh. That's another story. Let's wait for your dumps. I've got my fingers crossed.

If not successful, I'll ask you to do me a log dump of all the submenu options of the DEBUG MENU (just the 1st screen) so that I can crosscheck the functions.

There are no sub menus
each option is a direct action in the menus
they may take parms but those are passed with the option you want
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 11, 2020, 09:27:28 pm
Is anyone able, when booting normally (no ESALOADER disc), to do the CTRL+C and enter the Monitor Program?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 11, 2020, 09:30:02 pm
There are no sub menus
each option is a direct action in the menus
they may take parms but those are passed with the option you want

Sure, all I want is a dump of the 1st page of those direct actions (just to identify the strings in it).

You don't need to try other keys. The DEBUG in ESAFW doesn't have the code for "^C". So we would need to patch it.

BTW, the DEBUG MENUs of ESAFW and ESALOADR have slight differences. I think ESAFW has more options.

I do have some spare FLASH memory for the BootLoader so if a patch isn't too hard maybe that's the way to go???


These are the menu options seen when booting

This is the Debug menu when booting Normally, you have to do a ? to see it
Code:
----- System/pSOS Debug commands: -----                                         
    '?' - this help message.                                                   
    'j' - drop into breakpoint.                                                 
   '^C' - Abort to monitor.                                                     
   '^P' - Process status info, and LOTS of it.                                 
 '[dD]' - Print DLP debug information.                                         
 '[bB]' - Big memory hog report.                                               
 '[pP]' - Process ONLY status info.                                             
                                                                               
 '[eE]' - Exchange info.                                                       
 '[gG]' - toggle breakpoint exception handlers on/off                           
 '[tT]' - Time log.                                                             
 '[hH]' - History log.                                                         
 '[oO]' - Memory segment ownership.                                             
 '[mM]' - Memory segment summary.                                               
 '[sS]' - Semaphore ownership, etc.                                             
 '[uU]' - maximum process stack Usage.                                         
 '[vV]' - memory Validity check.                                               
 '[iI]' - Show psosSystemData.                                                 
 '[1]' -  Show NVRAM contents.                                                 
 '[wW] <process name>' - Show process stack trace.

This is the Monitor Menu from when using ESALOADER.

Code:
bc      [<hex boot config>] - set the bootrom configuration (see bchelp)
bootvars- display bootrom variables
bs      - force a breakpoint when starting
dbyte   [<hex start address> [num bytes]] - display memory using bytes
dlong   [<hex start address> [num bytes]] - display memory using longs
dmem    [<hex start address> [num bytes]] - display memory using bytes
dword   [<hex start address> [num bytes]] - display memory using words
gbreak  - force a gdb breakpoint
gdb     - enable gdb trapping of exceptions
gu      [<hex start addr>]      - go to start address
hmon    [device] - download into memory
rty test routine
sbyte   <hex start address> <hexchars> - set memory using bytes
slong   <hex start address> <hexchars> - set memory using longs
smem    <hex start address> <hexchars> - set memory using bytes
sword   <hex start address> <hexchars> - set memory using words
version - display bootrom version
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 11, 2020, 09:30:17 pm
I tried but it did not work.
I didn't get FDD today so I still have older firmware.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 11, 2020, 09:31:38 pm
that was these then

No, maybe I explained wrong:

I want the next steps in each of those options (just DEBUG MENU).
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 11, 2020, 09:37:12 pm
that was these then

No, maybe I explained wrong:

I want the next steps in each of those options (just DEBUG MENU).

If I type an option it executes the command, so if that's what you want here's some.
Is this what you're after?


Code:

***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.

@(#)HEWLETT-PACKARD, E4401 Bootrom, 5.00
@(#)LDS Rev: 3.02 - Module Incremental (Sep  9 2003)
@(#)Linked: Sep  9 2003 14:46:44

Bootrom Checksum ...
Bootrom DRAM:     Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM:     Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
Self-tests complete.SRAM selftest results:
        Start  = 0xa000000
        End    = 0xa007fa3
        Errors = 0x0
DRAM selftest results:
        Start  = 0x4011000
        End    = 0x6000000
        Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19

Cache Enabled
16MBytes of FLASH

Download to Flash Selected
>>> mainMain()
text segment:           0x4011000 thru 0x4435e14 ( 424e14 bytes)
data segment:           0x4600000 thru 0x476dd88 ( 16dd88 bytes)
bss  segment:           0x476dd88 thru 0x48bcce8 ( 14ef60 bytes)

ROM size:               0x00592b9c ( 592b9c bytes of 4194304 max.)

memory pool (all):      0x048bcce8 thru 0x05ffffff (24392472 bytes)
Calling start_psos() ...
>>>> debug() process starting
DLP Loaded - Power Suite Utilities, A.06.05, Nov 21 2003 15:45:40

----- System/pSOS Debug commands: -----
    '?' - this help message.
    'j' - drop into breakpoint.
   '^C' - Abort to monitor.
   '^P' - Process status info, and LOTS of it.
 '[dD]' - Print DLP debug information.
 '[bB]' - Big memory hog report.
 '[pP]' - Process ONLY status info.

 '[eE]' - Exchange info.
 '[gG]' - toggle breakpoint exception handlers on/off
 '[tT]' - Time log.
 '[hH]' - History log.
 '[oO]' - Memory segment ownership.
 '[mM]' - Memory segment summary.
 '[sS]' - Semaphore ownership, etc.
 '[uU]' - maximum process stack Usage.
 '[vV]' - memory Validity check.
 '[iI]' - Show psosSystemData.
 '[1]' -  Show NVRAM contents.
 '[9]' -  Show Exception Report.
 '[wW] <process name>' - Show process stack trace.

>d
==============================================================
                                DLP LIST
Name         State      Text            Data            BSS
c:dlp\ps2\ps2.o Loaded  0x5c3dcc8/1751472       0x5c3bcb4/8192  0x5b6abe0/856256
c:dlp\pn\pn.o Unlicensed        0x0/0   0x0/0   0x0/0
c:dlp\catv\catv.o Unlicensed    0x0/0   0x0/0   0x0/0
==============================================================
Currently 1 DLP's loaded

>b
=================================================================

Memory HOG report - oink oink

caller PC    count      bytes
0x04338902   17072    5349060
0x04361be2       1    1751492
0x00000000     111    1049872
0x04361bfe       1     856276
0x05d00d06     194     798504
0x05d01948      83     341628
0x043ebcfe      83     294836
0x05cefb16      61     245220
0x05cf28b6      40     160800
0x05ceceb2      33     132660
0x05cf564a      15      60300
0x043eb0f0     339      39892
0x042b66a2       1      32792
0x05cea37a       7      28140
0x04345af2      53      26632
0x05d0235c       3      12348
0x042def9e       1      11108
0x04361bf0       1       8212
0x042ec426       1       2596
0x042ec3e2       1       2148
0x0412a3d0       1       2068
0x042ec404       1       1196
0x04364636       1       1032
0x042ec3c0       1       1028
0x042def8c       1        812
0x0414b2a2       3        624
0x0a0008f6       1        532
0x0a000446       1        532
0x0a0005ea       1        532
0x0a000626       1         84
=================================================================

>p

    pid    PNAME  STAT/M PRI GID POS  TIX MEMORY STK CPU
0x048ca38c  SWFI   RUN    51  0   *     1    0kB  8% 25%

0x048cc0f0  AAFI   RDY    51  0   1     1    0kB 12%  0%
0x048c9714  IDLE   RDY     0  0   2     1    0kB  6%  8%

0x048ccf30  CLOK  paus   100  0   .     0    0kB 16%  0%
0x048c9ffc  DIst  paus    52  0   .  3106    0kB  3%  0%
0x048c9aa4  DRST  paus    80  0   .    61    0kB 47%  0%
0x048c99c0  FMOT  paus   100  0   .    43    0kB 47%  0%

0x048cd014  UPDT  xblk   249  0   .     1    0kB 23%  0%
0x048cce4c  MAXM  xblk    60  0   .     1    0kB  6%  0%
0x048ccc84  LLMR  xblk    60  0   .     1    0kB  6%  0%
0x048ccba0  PRNT  xblk    60  0   .     1    0kB  8%  0%
0x048ccabc  DSPF  xblk    51  0   .     1    0kB  5%  0%
0x048cc9d8  DSPM  xblk    60  0   .     1    0kB  6%  0%
0x048cc8f4  DMFI  xblk    51  0   .     1    0kB  5%  0%
0x048cc810  DMMR  xblk    60  0   .     1    0kB  6%  0%
0x048cc648  FCFI  xblk    51  0   .     1    0kB  5%  0%
0x048cc564  FCMR  xblk    60  0   .     1    0kB  6%  0%
0x048cc480  ANSQ  xblk    52  0   .     1    0kB 13%  0%
0x048cc39c  ANFI  xblk    51  0   .     1    0kB 13%  0%
0x048cc2b8  ANMR  xblk    60  0   .     1    0kB  6%  0%
0x048cc1d4  AASQ  xblk    52  0   .     1    0kB 21% 28%
0x048cc00c  AAMR  xblk    60  0   .     1    0kB  6%  0%
0x048cbf28  SYMR  xblk    60  0   .     1    0kB  8%  0%
0x048cbe44  SGMR  xblk    60  0   .     1    0kB  6%  0%
0x048cbd60  ZMKR  xblk    60  0   .     1    0kB  6%  0%
0x048cbc7c   MKR  xblk    60  0   .     1    0kB  6%  0%
0x048cbb98  DEF3  xblk    51  0   .     1    0kB  5%  0%
0x048cbab4  SNFI  xblk    51  0   .     1    0kB  5%  0%
0x048cb9d0  SNMR  xblk    60  0   .     1    0kB  6%  0%
0x048cb8ec  DEF2  xblk    51  0   .     1    0kB  5%  0%
0x048cb808  LGDT  xblk   251  0   .     1    0kB  8%  0%
0x048cb724  LGDE  xblk    60  0   .     1    0kB  6%  0%
0x048cb640  DSFI  xblk    51  0   .     1    0kB  5%  0%
0x048cb55c  LGDT  xblk   251  0   .     1    0kB  8%  0%
0x048cb478  LGDS  xblk    60  0   .     1    0kB  6%  0%
0x048cb394  SWFI  xblk    51  0   .     1    0kB  5%  0%
0x048cb2b0  LGST  xblk   251  0   .     1    0kB  8%  0%
0x048cb1cc  LGSW  xblk    60  0   .     1    0kB  6%  0%
0x048cb0e8  DEFI  xblk    51  0   .     1    0kB  5%  0%
0x048cb004  DEMT  xblk   251  0   .     1    0kB  8%  0%
0x048caf20  DEMR  xblk    60  0   .     1    0kB  6%  0%
0x048cae3c  DMZF  xblk    51  0   .     1    0kB  5%  0%
0x048cad58  ZDMT  xblk   251  0   .     1    0kB  8%  0%
0x048cac74  ZDMR  xblk    60  0   .     1    0kB  6%  0%
0x048cab90  SIFI  xblk    51  0   .     1    0kB  5%  0%
0x048caaac  SIMT  xblk   251  0   .     1    0kB  8%  0%
0x048ca9c8  SIMR  xblk    60  0   .     1    0kB  6%  0%
0x048ca8e4  DZFI  xblk    51  0   .     1    0kB  5%  0%
0x048ca800  DZMT  xblk   251  0   .     1    0kB  8%  0%
0x048ca71c  DZMR  xblk    60  0   .     1    0kB  6%  0%
0x048ca638  DSFI  xblk    51  0   .     1    0kB  5%  0%
0x048ca554  DSMT  xblk   251  0   .     1    0kB  8%  0%
0x048ca470  DSMR  xblk    60  0   .     1    0kB  6%  0%
0x048ca2a8  SWMT  xblk   251  0   .     1    0kB  8%  0%
0x048ca1c4  SWMR  xblk    60  0   .     1    0kB  6%  1%
0x048ca0e0  MIME  xblk    79  0   .     1    0kB  6%  2%
0x048c9f18  FPLP  xblk   250  0   .     1    0kB  9%  0%
0x048c9e34  DCAS  xblk   251  0   .     1    0kB  8%  0%
0x048c9d50  RLCN  xblk   230  0   .     1    0kB  8%  0%
0x048c9c6c  REMT  xblk   250  0   .     1    0kB  5%  0%
0x048c9b88  PCKB  xblk   230  0   .     1    0kB  8%  0%
0x048c97f8  DISP  xblk   253  0   .     1    0kB  8%  4%
0x048c98dc  APPS  xblk   230  0   .     1    0kB 25%  0%
0x048c9630  ROOT  xblk   230  0   .     1    0kB  4% 32%
           >> EVENTS: W(0x0) S(0x2000)

        64 Process(s) (27 avail); Total time: 4569 ticks.

>e
    xid    XNAME  TYPE  ACC  maxQ  Qlen BLOCKED
0x048c1584        fifo  any    1    0    REMT
0x048c1562  UPDI  fifo  any    1    0    UPDT
0x048c1540  MAXM  fifo  any  inf    0    MAXM
0x048c151e  Sign  fifo  any  inf    0   
0x048c14fc  LIMI  fifo  any  inf    0    LLMR
0x048c14da  DSPM  fifo  any  inf    0    DSPM
0x048c14b8  DSPS  fifo  any    1    0   
0x048c1496  DSPF  fifo  any  inf    0    DSPF
0x048c1474  SPEC  fifo  any    1    0   
0x048c1452  SPEC  fifo  any    1    0   
0x048c1430  DMMR  fifo  any  inf    0    DMMR
0x048c140e  DMFI  fifo  any  inf    0    DMFI
0x048c13ec  SPEC  fifo  any    1    0   
0x048c13ca  FCMR  fifo  any  inf    0    FCMR
0x048c13a8  FCFI  fifo  any  inf    0    FCFI
0x048c1386  SPEC  fifo  any    1    0   
0x048c1364  ANSQ  fifo  any  inf    0    ANSQ
0x048c1342  ANFI  fifo  any  inf    0    ANFI
0x048c1320  ANFS  fifo  any  inf    0   
0x048c12fe  ANOW  fifo  any   20    0   
0x048c12dc  ANMR  fifo  any  inf    0    ANMR
0x048c12ba  SPEC  fifo  any    1    0   
0x048c1298  AARS  fifo  any    1    0    AASQ
0x048c1276  AAFI  fifo  any  inf    0   
0x048c1254  AAFS  fifo  any  inf    0   
0x048c1232  AAMR  fifo  any  inf    0    AAMR
0x048c1210  SPEC  fifo  any    1    0   
0x048c11ee   CMR  fifo  any  inf    0   
0x048c11cc  SPEC  fifo  any    1    0   
0x048c11aa  SIGT  fifo  any  inf    0    SGMR
0x048c1188  ZMKM  fifo  any  inf    0    ZMKR
0x048c1166  MKMR  fifo  any  inf    0    MKR
0x048c1144  DEF3  fifo  any  inf    0    DEF3
0x048c1122  SNFI  fifo  any  inf    0    SNFI
0x048c1100  SNMR  fifo  any  inf    0    SNMR
0x048c10de  SPEC  fifo  any    1    0   
0x048c10bc  DEF2  fifo  any  inf    0    DEF2
0x048c109a  LGDT  fifo  any    1    0    LGDT
0x048c1078  LGDE  fifo  any  inf    0    LGDE
0x048c1056  SPEC  fifo  any    1    0   
0x048c1034  DSFI  fifo  any  inf    0    DSFI
0x048c1012  LGDT  fifo  any    1    0    LGDT
0x048c0ff0  LGDS  fifo  any  inf    0    LGDS
0x048c0fce  SPEC  fifo  any    1    0   
0x048c0fac  SWFI  fifo  any  inf    0    SWFI
0x048c0f8a  LGST  fifo  any    1    0    LGST
0x048c0f68  LGSW  fifo  any  inf    0    LGSW
0x048c0f46  SPEC  fifo  any    1    0   
0x048c0f24  DEFI  fifo  any  inf    0    DEFI
0x048c0f02  DEMT  fifo  any    1    0    DEMT
0x048c0ee0  DEMR  fifo  any  inf    0    DEMR
0x048c0ebe  SPEC  fifo  any    1    0   
0x048c0e9c  DMZF  fifo  any  inf    0    DMZF
0x048c0e7a  ZDMT  fifo  any    1    0    ZDMT
0x048c0e58  ZDMR  fifo  any  inf    0    ZDMR
0x048c0e36  SPEC  fifo  any    1    0   
0x048c0e14  SIFI  fifo  any  inf    0    SIFI
0x048c0df2  SIMT  fifo  any    1    0    SIMT
0x048c0dd0  SIMR  fifo  any  inf    0    SIMR
0x048c0dae  SPEC  fifo  any    1    0   
0x048c0d8c  DZFI  fifo  any  inf    0    DZFI
0x048c0d6a  DZMT  fifo  any    1    0    DZMT
0x048c0d48  DZMR  fifo  any  inf    0    DZMR
0x048c0d26  SPEC  fifo  any    1    0   
0x048c0d04  DSFI  fifo  any  inf    0    DSFI
0x048c0ce2  DSMT  fifo  any    1    0    DSMT
0x048c0cc0  DSMR  fifo  any  inf    0    DSMR
0x048c0c9e  SPEC  fifo  any    1    0   
0x048c0c7c  SWFI  fifo  any  inf    0   
0x048c0c5a  SWMT  fifo  any    1    0    SWMT
0x048c0c38  SWMR  fifo  any  inf    0    SWMR
0x048c0c16  SPEC  fifo  any    1    0   
0x048c0bf4  shrL  fifo  any    1    0   
0x048c0bd2  ACTV  fifo  any    1    0   
0x048c0bb0  hihr  fifo  any    1    0   
0x048c0b8e  hihr  fifo  any    1    0   
0x048c0b6c  hihr  fifo  any    1    0   
0x048c0b4a  hihr  fifo  any    1    0   
0x048c0b28  MENU  fifo  any    1    0   
0x048c0b06  MENU  fifo  any    1    0   
0x048c0ae4  MENU  fifo  any    1    0   
0x048c0ac2  MENU  fifo  any    1    0   
0x048c0aa0  MENU  fifo  any    1    0   
0x048c0a7e  MENU  fifo  any    1    0   
0x048c0a5c  MENU  fifo  any    1    0   
0x048c0a3a  MENU  fifo  any    1    0   
0x048c0a18  MENU  fifo  any    1    0   
0x048c09f6  ACTV  fifo  any    1    0   
0x048c09d4  SDRL  fifo  any    1    0   
0x048c09b2  SDIL  fifo  any    1    0   
0x048c0990    R2  fifo  any    1    0   
0x048c096e    R1  fifo  any    1    0   
0x048c094c    R0  fifo  any    1    0   
0x048c092a  isLk  fifo  any    1    0   
0x048c0908  dtLk  fifo  any    1    0   
0x048c08e6  mSTM  fifo  any  inf    0    MIME
0x048c08c4  mMIN  fifo  any  inf    0   
0x048c08a2  mMCL  fifo  any  inf    0   
0x048c0880  mMCR  fifo  any  inf    0   
0x048c085e  mMDA  fifo  any  inf    1   
0x048c083c  mMSA  fifo  any  inf    0   
0x048c081a  mDVL  fifo  any  inf    0   
0x048c07f8  dest  fifo  any  inf    0   
0x048c07d6  mLDS  fifo  any  inf    0   
0x048c07b4  FNSL  fifo  any    1    0   
0x048c0792  DDET  fifo  any  inf    0   
0x048c0770  DTRG  fifo  any  inf    0   
0x048c074e  DSWP  fifo  any  inf    0   
0x048c072c  Didi  fifo  any  inf    0   
0x048c070a  cntw  fifo  any    1    0   
0x048c06e8  cntx  fifo  any    1    0   
0x048c06c6  dRes  fifo  any    1    0   
0x048c06a4  Dlp   fifo  any    1    0   
0x048c0682  CalC  fifo  any    1    0   
0x048c0660  Scpi  fifo  any    1    0   
0x048c063e   LG1  fifo  any    1    0   
0x048c061c  ANON  fifo  any    1    0   
0x048c05fa  GPIB  fifo  any    1    0   
0x048c05d8  PCkb  fifo  any    1    0    PCKB
0x048c05b6  DISP  fifo  any    1    0    DISP
0x048c0594  OMMG  fifo  any    1    0   
0x048c0572   UNS  fifo  any    1    0   
0x048c0550  RLDS  fifo  any    1    0    ROOT
0x048c052e    BW  fifo  any    1    0   
0x048c050c  GLds  fifo  any    1    0   
0x048c04ea  BLds  fifo  any  inf    1   
0x048c04c8  CISW  fifo  any    1    0   
0x048c04a6  MRLK  fifo  any    1    0   
0x048c0484  HWLK  fifo  any    1    0   
0x048c0462    FP  fifo  any    1    0    FPLP
0x048c0440  ADCF  fifo  any    1    0   
0x048c041e  DIRg  fifo  any    1    0   
0x048c03fc  ANON  fifo  any    1    0   
0x048c03da  DIRf  fifo  any    1    0   
0x048c03b8  ANON  fifo  any    1    0   
0x048c0396  SIOB  fifo  any    1    0   
0x048c0374  CALM  fifo  any    1    0   
0x048c0352  DIRe  fifo  any    1    0   
0x048c0330  ANON  fifo  any    1    0   
0x048c030e  DIRd  fifo  any    1    0   
0x048c02ec  DIRc  fifo  any    1    0   
0x048c02ca  DIRb  fifo  any    1    0   
0x048c02a8  DIRa  fifo  any    1    0   
0x048c0286  APPS  fifo  any  inf    0    APPS
0x048c0264  DLLK  fifo  any    1    0   
0x048c0242  SUBL  fifo  any    1    0   
0x048c0220  LCSH  fifo  any    1    0   
0x048c01fe  FBUF  fifo  any    1    0   
0x048c01dc  DCAS  fifo  any    1    0    DCAS
0x048c01ba  RLCN  fifo  any    1    0    RLCN
0x048c0198  MROF  fifo  any    1    0   
0x048c0176  MRON  fifo  any    1    0   
0x048c0154  SWSP  fifo  any    1    0   
0x048c0132   SRQ  fifo  any    1    0    SYMR
0x048c0110  PRTH  fifo  any    1    0    PRNT
        155 Exchange(s) (245 avail).
        2 Msg buffer(s) (1022 avail).

>g

Breakpoint handler installed

>i
PsosSystemData (0x048bcce8):
        (0x048bcce8) OS_PCB   *runningPCB    = 0x048ca38c
        (0x048bccec) OS_PCB   *readyList     = 0x048c97f8
        (0x048bccf0) OS_PCB   *pauseList     = 0x048ccf30
        (0x048bccf4) OS_PCB   *pcbActiveHead = 0x048cd014
        (0x048bccf8) OS_PCB   *pcbFreeHead   = 0x048ccd68
        (0x048bccfc) OS_XCB   *xcbActiveHead = 0x048c1584
        (0x048bcd00) OS_XCB   *xcbFreeHead   = 0x048c15a6
        (0x048bcd04) OS_Message *mgbFreeHead = 0x048c3750
        (0x048bcd08) void  *sstackEnd        = 0x048c0110
        (0x048bcd0c) short kernelLevel       = 0
        (0x048bcd0e) short reserved1         = 0
        (0x048bcd10) int   reserved2         = 1280
        (0x048bcd14) int   phileData         = 620765184
        (0x048bcd18) int   probeEntry        = 71205862
        (0x048bcd1c) OS_PCB   *memQHead      = 0x048bcd1c
        (0x048bcd20) OS_PCB   *memQTail      = 0x048bcd1c
        (0x048bcd24) int   timeoutTicks      = 41
        (0x048bcd28) short ticks             = 45
        (0x048bcd2a) short pad1              = 0
        (0x048bcd2c) int   time              = 292
        (0x048bcd30) int   date              = 130155777
        (0x048bcd34) char  motbl[12]         =
        (0x048bcd40) short ticksPerSec       = 100
        (0x048bcd42) short ticksPerSlice     = 1
        (0x048bcd44) char  todset            =
        (0x048bcd45) char  eventRace         = (0x048bcd46) char  unusedPad[2]      =   
        (0x048bcd48) Lds_UInt32 switchProc   = 0
        (0x048bcd4c) regionInfo[0].minSeg      = 20
        (0x048bcd50) regionInfo[0].maxSeg      = 58796
        (0x048bcd54) regionInfo[0].minPend     = 6020
        (0x048bcd58) regionInfo[0].regionEnd   = 0x048dcce7
        (0x048bcd5c) regionInfo[0].regionName  = REG1
  (0x048bcd60) regionInfo[0].freeHead    = 0x048ce73c
        (0x048bcd64) regionInfo[0].freeTail    = 0x048d3e30
        (0x048bcd68) regionInfo[0].regionFlags = 0
        (0x048bcd6c) regionInfo[1].minSeg      = 20
        (0x048bcd70) regionInfo[1].maxSeg      = 24261400
        (0x048bcd74) regionInfo[1].minPend     = 24261401
        (0x048bcd78) regionInfo[1].regionEnd   = 0x05ffffff
        (0x048bcd78) regionInfo[1].regionEnd   = 0x05Bfffff
        (0x048bcd80) regionInfo[1].freeHead    = 0x048dcce8
        (0x048bcd84) regionInfo[1].freeTail    = 0x05e74208
        (0x048bcd88) regionInfo[1].regionFlags = 0
        (0x048bcd8c) regionInfo[2].minSeg      = 20
        (0x048bcd90) regionInfo[2].maxSeg      = 21844
        (0x048bcd94) regionInfo[2].minPend     = 21845
        (0x048bcd98) regionInfo[2].regionEnd   = 0x0a006393
        (0x048bcd9c) regionInfo[2].regionName  = dyna

        (0x048bcda0) regionInfo[2].freeHead    = 0x0a000e40
        (0x048bcda4) regionInfo[2].freeTail    = 0x0a000e40
        (0x048bcda8) regionInfo[2].regionFlags = 1
        (0x048bcdac) regionInfo[3].minSeg      = 128
        (0x048bcdb0) regionInfo[3].maxSeg      = 7120
        (0x048bcdb4) regionInfo[3].minPend     = 7121
        (0x048bcdb8) regionInfo[3].regionEnd   = 0x0a007fa3
        (0x048bcdbc) regionInfo[3].regionName  = nvra

        (0x048bcdc0) regionInfo[3].freeHead    = 0x0a0063d4
        (0x048bcdc4) regionInfo[3].freeTail    = 0x0a0063d4
        (0x048bcdc8) regionInfo[3].regionFlags = 0
        (0x048bcdcc) regionInfo[4].minSeg      = 0
        (0x048bcdd0) regionInfo[4].maxSeg      = 0
        (0x048bcdd4) regionInfo[4].minPend     = 0
        (0x048bcdd8) regionInfo[4].regionEnd   = 0x00000000
        (0x048bcddc) regionInfo[4].regionName  =     
        (0x048bcde0) regionInfo[4].freeHead    = 0x00000000
        (0x048bcde4) regionInfo[4].freeTail    = 0x00000000
        (0x048bcde8) regionInfo[4].regionFlags = 0
        (0x048bcdec) regionInfo[5].minSeg      = 0
        (0x048bcdf0) regionInfo[5].maxSeg      = 0
        (0x048bcdf4) regionInfo[5].minPend     = 0
        (0x048bcdf8) regionInfo[5].regionEnd   = 0x00000000
        (0x048bcdfc) regionInfo[5].regionName  =     
        (0x048bce00) regionInfo[5].freeHead    = 0x00000000
        (0x048bce04) regionInfo[5].freeTail    = 0x00000000
        (0x048bce08) regionInfo[5].regionFlags = 0
        (0x048bce0c) regionInfo[6].minSeg      = 0
        (0x048bce10) regionInfo[6].maxSeg      = 0
        (0x048bce14) regionInfo[6].minPend     = 0
        (0x048bce18) regionInfo[6].regionEnd   = 0x00000000
        (0x048bce1c) regionInfo[6].regionName  =     
        (0x048bce20) regionInfo[6].freeHead    = 0x00000000
        (0x048bce24) regionInfo[6].freeTail    = 0x00000000
        (0x048bce28) regionInfo[6].regionFlags = 0
        (0x048bce2c) regionInfo[7].minSeg      = 0
        (0x048bce30) regionInfo[7].maxSeg      = 0
        (0x048bce34) regionInfo[7].minPend     = 0
        (0x048bce38) regionInfo[7].regionEnd   = 0x00000000
        (0x048bce3c) regionInfo[7].regionName  =     
        (0x048bce40) regionInfo[7].freeHead    = 0x00000000
        (0x048bce44) regionInfo[7].freeTail    = 0x00000000
        (0x048bce48) regionInfo[7].regionFlags = 0
        (0x048bce4c) regionInfo[8].minSeg      = 0
        (0x048bce50) regionInfo[8].maxSeg      = 0
        (0x048bce54) regionInfo[8].minPend     = 0
        (0x048bce58) regionInfo[8].regionEnd   = 0x00000000
        (0x048bce5c) regionInfo[8].regionName  =     
        (0x048bce60) regionInfo[8].freeHead    = 0x00000000
        (0x048bce64) regionInfo[8].freeTail    = 0x00000000
        (0x048bce68) regionInfo[8].regionFlags = 0
        (0x048bce6c) regionInfo[9].minSeg      = 0
        (0x048bce70) regionInfo[9].maxSeg      = 0
        (0x048bce74) regionInfo[9].minPend     = 0
        (0x048bce78) regionInfo[9].regionEnd   = 0x00000000
        (0x048bce7c) regionInfo[9].regionName  =     
9>

Contents of the Exception Report:
[0x0a007fa4] D0 = 0x00000000
[0x0a007fa8] D1 = 0x00000000
[0x0a007fac] D2 = 0x00000000
[0x0a007fb0] D3 = 0x00000000
[0x0a007fb4] D4 = 0x00000000
[0x0a007fb8] D5 = 0x00000000
[0x0a007fbc] D6 = 0x00000000
[0x0a007fc0] D7 = 0x00000000
[0x0a007fc4] A0 = 0x00000000
[0x0a007fc8] A1 = 0x00000000
[0x0a007fcc] A2 = 0x00000000
[0x0a007fd0] A3 = 0x00008000
[0x0a007fd4] A4 = 0x00000000
[0x0a007fd8] A5 = 0x00000000
[0x0a007fdc] A6 = 0x00000000
[0x0a007fe0] A7 = 0x00000000
[0x0a007fe4] SSP = 0x00000000
[0x0a007fe8] SR = 0x0000
[0x0a007fec] PC = 0x00000000
[0x0a007fec] FMT/VO = 0x0000

----- System/pSOS Debug commands: -----
    '?' - this help message.
    'j' - drop into breakpoint.
   '^C' - Abort to monitor.
   '^P' - Process status info, and LOTS of it.
 '[dD]' - Print DLP debug information.
 '[bB]' - Big memory hog report.
 '[pP]' - Process ONLY status info.

 '[eE]' - Exchange info.
 '[gG]' - toggle breakpoint exception handlers on/off
 '[tT]' - Time log.
 '[hH]' - History log.
 '[oO]' - Memory segment ownership.
 '[mM]' - Memory segment summary.
 '[sS]' - Semaphore ownership, etc.
 '[uU]' - maximum process stack Usage.
 '[vV]' - memory Validity check.
 '[iI]' - Show psosSystemData.
 '[1]' -  Show NVRAM contents.
 '[9]' -  Show Exception Report.
 '[wW] <process name>' - Show process stack trace.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 11, 2020, 10:19:08 pm
I found a debug interface command that is undocumented. Pressing "F4" had the effect shown below. I can't interpret it, but it might mean something.
(Firmware still A14.01, probably until Monday ...)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 12, 2020, 03:34:47 am
This dump is exactly Sandra's ESAFW with 8 bytes different (in the middle of the code  :-//).

The problem is that you didn't run the app before taking the dump. We need the dump after the app has run/is running. Because all the rest of the mem is 0x00s.

Got it, didn't quite grasp what the issue was before. The application was definitely not running when I created the new dump.

Looking forward to seeing Sandra's results

still dumping,  it's up to 0x040Dxxxx and it's all zeros in this area

I'm trying to figure out device addressing
the max address is 0x07FFFFFF  only ADDRESS BIT 0..27 are used
21,22,23 are used to address the FLASH memory (thru a 74138)

U55 controls the addressing which is the communications controller which goes to the enable pin on the 74138

Ok here's my 2 dumps

one is from ESALOADER
second is after normal boot,  entering a license, getting a fail.  hit reset into ESALOADER then dump memory

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 12, 2020, 07:36:28 am
Ok here's my 2 dumps

Binary form.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 12, 2020, 07:36:50 am
SIMM Repaired

the simm that caused the processor board to blow has been repaired.   it apparently was upgraded from 4M to 12M of flash and the soldering was, um, poor
I removed all flash and caps.   tested all of them.   flash was read, erased, programmed, read, erased and read for each of the 3 flash memories.
checked caps and replaced all.

also started work on the processor board.   FWIW,
On J3 you can supply 5v @ 1.3A to 3rd (of the longer) pin from right side and on P7 for GND and you've got power.
it does need more voltages but Boots with just 5V

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 12, 2020, 07:37:32 am
Ok here's my 2 dumps

Binary form.

what tool(s) did you use to do that?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 12, 2020, 07:54:42 am
what tool(s) did you use to do that?

I use UltraEdit in "Column Mode" which allows me to strip the left and right columns of text. Then do a Select All and paste it in HxD (in the binary zone). It's very simple and doesn't require any scripting and/or custom programming.

It's the same as selecting/copying just the binary dump bytes (in UltraEdit's "Column Mode") and paste them in HxD. See image.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 12, 2020, 01:43:30 pm
I use UltraEdit in "Column Mode" which allows me to strip the left and right columns of text. Then do a Select All and paste it in HxD (in the binary zone). It's very simple and doesn't require any scripting and/or custom programming.

It's the same as selecting/copying just the binary dump bytes (in UltraEdit's "Column Mode") and paste them in HxD. See image.

And here I was thinking it was some python or other script to do it
Ultraedit I have,  ever since V1,  love it.

That's it!  :-+  Please send the other options.
I will get other options today,   some take awhile to dump
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 12, 2020, 10:23:00 pm
I will get other options today,   some take awhile to dump

Sandra, repeat also your ESAFW dump because yours is incomplete. You didn't dump from 0x0401 1000 up to 0x0490 0000.

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 12, 2020, 10:44:36 pm
I will get other options today,   some take awhile to dump

Sandra, repeat also your ESAFW dump because yours is incomplete. You didn't dump from 0x0401 1000 up to 0x0490 0000.

Yeh, think power died on the surface tablet before it finished

I’ll do again with power plugged in this time


edit:
Here's all the Debug menu options with their output
I edited to show the option selected as it's not echoed normally

ESAFW dump is running,   tablet is plugged in this time
I entered 2 licenses
AYZ 888888888888
IDS 999999999999

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 13, 2020, 07:06:51 pm
ok it took many hours to dump that amount of memory but here's the "complete" dump this time

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 14, 2020, 04:20:43 pm
I just finished the firmware upgrade, I have the A14.06 version installed now. I have SA open, if necessary, I can disassemble the controller card and boot it on the table. I can make a memory dump, please just write me according to the procedure from which post  8)

EDIT
https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3228528/#msg3228528
should I do according to this description (post #120 written by Sandra)?
As I understand it, reset is a shorting of the pins of connector J14.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 14, 2020, 05:17:36 pm
EDIT
https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3228528/#msg3228528
should I do according to this description (post #120 written by Sandra)?

That method is what she has just tried and doesn't work. It dumps the ESALOADR environment. The reset crushes all the ESAFW previous state.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 14, 2020, 08:15:52 pm
OK, I get it. It would be best to have access to hardware ICE. I checked on ebay, there is no one unnecessary, dusty, complete Lauterbach ICE32_LA-6780_LA-6782_LA-6786. There is also no HP 64783A/B with the HP 9000 series 300 included. Anyway, none of them would cost $ 200...  :-//
As a last resort, I see a solution in the ICE type. The board between the PGA socket and the processor. There is an additional uC on it. After system boots up, it stops MC68EC040 and reads memory and sends via its own serial port. Dynamic memory refresh is handled by the MC68EN360, but there can be tons of bus arbitration issues. It's just a rather complicated project ...
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 14, 2020, 08:23:09 pm
EDIT
https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3228528/#msg3228528
should I do according to this description (post #120 written by Sandra)?

That method is what she has just tried and doesn't work. It dumps the ESALOADR environment. The reset crushes all the ESAFW previous state.

yeh it was worth a try but it's a no-go
it looks like we need to find out how to get the monitor menu from a normal boot.
You mention though that CTRL+C is disabled in the BootRom?  or is it disabled in the ESAFW?
would it be hard to patch to enable that function?

the other thing is SCPI,   There's supposed to be a debug interface (but undocumented) via SCPI and it may be faster than the serial interface.

Any recommendations on how to proceed?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 14, 2020, 09:13:22 pm
Any recommendations on how to proceed?

I don't know if the Bootrom is somewhat old and maps the ^C jump address in a memory place that the ESALOADR A.05.00 knows where to find but the ESAFW A.14.06 doesn't (I've seen that both use different addresses, I think). Just a guess... I've tried to discover that to force the jump but... arghhh. damn language...

The way to proceed is to try a patch.

Please test if you can flash a patched FW (or live patch the ESAFW). You can test with a string used in any message onscreen.

If you are successful, I think I can craft a special patch.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: andrew9875 on September 14, 2020, 10:08:55 pm
Any recommendations on how to proceed?

Has anyone looked at the service information for these analyzers? Maybe another vector we can explore:

DRAM and flash EPROM can be erased by flipping switches on S1 or holding down front panel buttons during boot. Maybe there's some hidden features there...
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 14, 2020, 10:49:40 pm
Any recommendations on how to proceed?

I don't know if the Bootrom is somewhat old and maps the ^C jump address in a memory place that the ESALOADR A.05.00 knows where to find but the ESAFW A.14.06 doesn't (I've seen that both use different addresses, I think). Just a guess... I've tried to discover that to force the jump but... arghhh. damn language...

The way to proceed is to try a patch.

Please test if you can flash a patched FW (or live patch the ESAFW). You can test with a string used in any message onscreen.

If you are successful, I think I can craft a special patch.

If you know the address where the ctrl+c code is then I think in the debug menu the gu address command will jump to that address???

Maybe we can force it there?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 15, 2020, 03:48:01 am
The HOSTID is based on the PROCESSOR board.   so if you change processor boards you do change the hostid
you are correct in that flash has nothing to do with it.

I have tried all the DIP switches but not all combinations.   most seem to do nothing.   SW2/SW3 erase SRAM/FLASH

if you load any software you don't get a running version of the ESAFW into DRAM and that's what we need.  We need it running

edit:
The Keys are stored on the FLASH SIMM according to the Security Manual
The Processor is a 68LC040.   kind of old
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 17, 2020, 12:44:07 am
Before actually re-flashing my SA I thought I would try just changing the ESALOADR and after I changed some text the ESALOADR would not load,  it just skipped it and booted normally.
I watched the serial port and saw nothing special there

can someone else try this on the loader disc and change some text and see if you get same result?

I know we're not after the loader for this but its a test before going thru a full re-flash,   I only cried 9 times ;)

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: andrew9875 on September 17, 2020, 01:12:41 am
can someone else try this on the loader disc and change some text and see if you get same result?

I can try it out tomorrow, just change a few bytes in the ESALOADR image?

But, I have the feeling that it will fail. The boot ROM indicates that it calculates a checksum on flash before attempting to boot, and I have the feeling it does the same before booting from floppy.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 17, 2020, 01:23:35 am
can someone else try this on the loader disc and change some text and see if you get same result?

I can try it out tomorrow, just change a few bytes in the ESALOADR image?

But, I have the feeling that it will fail. The boot ROM indicates that it calculates a checksum on flash before attempting to boot, and I have the feeling it does the same before booting from floppy.

This is to find out if we can patch the FW ultimately.   this was just a test using the esaloader.   i'm using a USB floppy drive and I have had problems writing discs so I want to see if it's that causing my problem and not a checksum problem.   I don't think it is.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 17, 2020, 09:57:06 am
Be extremely careful! I just partially bricked my unit. In the first step, I made a little modification to the ESALOADR file (ESALOADR_1.PNG, ESALOADR_2.PNG). I restarted SA from FDD and it loaded. It showed a message to insert a second floppy disk, I was able to enter the monitor etc. Then I tried larger modifications to the ESALOADR file (shortened, more characters changed in the texts etc.). But after such modifications, he no longer wanted to load. At this point, I noticed that my options are not working and the maximum upper frequency is 6.78 GHz instead of 26.5 GHz. The options (1D5, 1DR, AYZ) could be restored by retyping the keys that are displayed on the licensing screen. But with maximum frequency there is a problem. Factory preset doesn't help. Only when I load my previous "User Preset" the frequency range is up to 26.5 GHz, but the following messages are displayed: LO Unlock, LO Unlevel.
In the evening I will look at the problem in more detail.  :-BROKE
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 17, 2020, 10:41:22 am
OK, I'm changing the level from DEFCON1 to DEFCON5. In the service menu, it's possible to limit the upper frequency to 6.7 or 13.2 GHz (Initialize Instrument/Max Freq). After switching to 26.5 GHz, rebooting and full align, everything returned to the normal state.
Be careful!
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 17, 2020, 01:02:59 pm
Please don't do changes in the ESALOADR. Try them in the ESAFW.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 17, 2020, 01:58:31 pm
Be extremely careful! I just partially bricked my unit. In the first step, I made a little modification to the ESALOADR file (ESALOADR_1.PNG, ESALOADR_2.PNG). I restarted SA from FDD and it loaded. It showed a message to insert a second floppy disk, I was able to enter the monitor etc. Then I tried larger modifications to the ESALOADR file (shortened, more characters changed in the texts etc.). But after such modifications, he no longer wanted to load. At this point, I noticed that my options are not working and the maximum upper frequency is 6.78 GHz instead of 26.5 GHz. The options (1D5, 1DR, AYZ) could be restored by retyping the keys that are displayed on the licensing screen. But with maximum frequency there is a problem. Factory preset doesn't help. Only when I load my previous "User Preset" the frequency range is up to 26.5 GHz, but the following messages are displayed: LO Unlock, LO Unlevel.
In the evening I will look at the problem in more detail.  :-BROKE

The issue is you changed the base identifier for the SA.    while E4407B is the specific model.  E4401 is the line of SA and which almost all use to identify parts.
when doing these tests I would advise against changing E4401 to anything else.  change other TEXT
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 17, 2020, 02:06:37 pm
..Try them in the ESAFW.
I tried. I changed the text on the first floppy disk (first disk of the upgrade, not loader disk). In the menu for the external mixer, I changed the text: "Presel" to "11974Q". I started the upgrade. After the last floppy disk was loaded, a message was displayed on the SA screen. Nothing special on the serial terminal.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 17, 2020, 03:57:08 pm
Please don't do changes in the ESALOADR. Try them in the ESAFW.

The reason for this is a FW update takes a very long time,   about 30-45 minutes to read all the discs and then flash the firmware.
ESALOADR loads in a minute or so to see if a cksum error occurred there.   it sounds like @suj was able to load so we can move on to changing the ESAFW
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 17, 2020, 04:07:58 pm
..Try them in the ESAFW.
I tried. I changed the text on the first floppy disk (first disk of the upgrade, not loader disk). In the menu for the external mixer, I changed the text: "Presel" to "11974Q". I started the upgrade. After the last floppy disk was loaded, a message was displayed on the SA screen. Nothing special on the serial terminal.

Well Pooh
So the LOADER must run a cksum on the FW before continuing

That would mean either find that routine in the loader or find how to patch the active system I would think
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 17, 2020, 04:50:54 pm
On the serial terminal there were only the number of bytes loaded from each disk. Nothing more.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 17, 2020, 05:26:58 pm
Checksum-related fields:
Code: [Select]
+2C  db NumInterleavedBanks = 02
+38  db BankSizeH[NumInterleavedBanks] = 00, 00
        db BankSizeMH[NumInterleavedBanks] = 2C, 2C
        db BankSizeML[NumInterleavedBanks] = 95, 95
        db BankSizeL[NumInterleavedBanks] = CE, CE
        db ChecksumH[NumInterleavedBanks] = 58, B2
        db ChecksumL[NumInterleavedBanks] = 5C, A4
- so BankSize[0]=BankSize[1]=2C95CE, BankSize[0]+BankSize[1]=2C95CE+2C95CE=592B9C - matches file size
Checksum[bank] = sum(all bytes of bank):
Checksum[0] = 585C - matches sum of all even bytes of file
Checksum[1] = B2A4 - matches sum of all odd bytes of file

Edit: note that checksum calculation includes the checksum bytes themselves! (yes, they are not zeroed/skipped)
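The header layout and checksum rule from the post above, as an added example (not code from the thread or from the vendor): it parses the byte-planar size and checksum fields, recomputes each bank's 16-bit byte sum, and shows the same-length "Presel" to "11974Q" text edit reported earlier in the thread failing verification. Reading bank b as every n-th byte for bank counts other than 2 is an assumption, and the 96-byte sample image is constructed.

```python
"""Verify the per-bank additive checksums of an interleaved firmware image."""

NUM_BANKS_OFF = 0x2C  # NumInterleavedBanks, offset taken from the post
FIELDS_OFF = 0x38     # start of the size/checksum byte planes, from the post

# The twelve header bytes listed in the post, placed at their stated offsets.
PAGE_HEADER = bytes(NUM_BANKS_OFF) + b"\x02" + bytes(FIELDS_OFF - NUM_BANKS_OFF - 1) \
    + bytes.fromhex("0000 2C2C 9595 CECE 58B2 5CA4")


class HeaderError(ValueError):
    """The image is too short or its header is not usable."""


def parse_header(image):
    """Return [(bank_size, stored_checksum), ...] for each interleaved bank."""
    if len(image) <= NUM_BANKS_OFF:
        raise HeaderError("image ends before NumInterleavedBanks")
    n = image[NUM_BANKS_OFF]
    if n == 0:
        raise HeaderError("NumInterleavedBanks is zero")
    if len(image) < FIELDS_OFF + 6 * n:
        raise HeaderError("image ends inside the size/checksum fields")

    def plane(k, bank):
        # Planes in order: SizeH, SizeMH, SizeML, SizeL, ChecksumH, ChecksumL.
        # Each plane holds one byte per bank, so the fields are not contiguous.
        return image[FIELDS_OFF + k * n + bank]

    banks = []
    for bank in range(n):
        size = int.from_bytes(bytes(plane(k, bank) for k in range(4)), "big")
        stored = (plane(4, bank) << 8) | plane(5, bank)
        banks.append((size, stored))
    return banks


def verify_image(image):
    """Recompute every bank's checksum and compare it with the header."""
    banks = parse_header(image)
    n = len(banks)
    report = []
    for bank, (size, stored) in enumerate(banks):
        data = image[bank::n]          # n=2: even bytes, then odd bytes
        computed = sum(data) & 0xFFFF  # includes the stored checksum bytes
        report.append({
            "bank": bank,
            "size_ok": size == len(data),
            "stored": stored,
            "computed": computed,
            "ok": size == len(data) and stored == computed,
        })
    return report


def constructed_image():
    """Constructed 96-byte sample whose header is consistent with its bytes."""
    img = bytearray(0x60)
    img[NUM_BANKS_OFF] = 2
    # SizeH, SizeMH, SizeML, SizeL, ChecksumH, ChecksumL (two banks each)
    img[0x38:0x44] = bytes.fromhex("0000 0000 0000 3030 0202 5CA4")
    img[0x44:0x4A] = b"Presel"
    img[0x5E:0x60] = b"\xB2\x7D"       # constructed filler bytes
    return bytes(img)


if __name__ == "__main__":
    good = constructed_image()
    edited = good.replace(b"Presel", b"11974Q")
    for label, image in (("original", good), ("edited", edited)):
        for row in verify_image(image):
            print(f"{label} bank {row['bank']}: stored={row['stored']:04X} "
                  f"computed={row['computed']:04X} ok={row['ok']}")
```
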
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 17, 2020, 07:02:57 pm
More info:
"bulk" flash starts from C000000.

How to enter ROM monitor before jumping to FW:
BootROM loads ESALOADER (from floppy) or main fw (from bulk flash) to DRAM then sends a 05 byte (ascii ENQ char) and waits for 06 (ascii ACK) reply with timeout. If this wait times out - jump to DRAM normally, otherwise - bypass jump and enter ROM monitor.

This can be used to try patches without flashing them:
- don't insert ESALOADER floppy
- interrupt normal start by replying to 05 with 06
- modify firmware in RAM (with smem/sbyte/sword/slong cmds)
- jump to modified firmware (with gu cmd)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 17, 2020, 07:28:08 pm
The timeout is very short, it looks like 0.5 seconds maybe. These are probably those marked with 05, because the transmission stops for a moment at this point.

Code: [Select]
0D 0A 2A 2A 2A 2A 2A 20 4D 6F 73 71 75 69 74 6F 20 42 6F 6F 74 72 6F 6D
20 2A 2A 2A 2A 2A 0D 0A 43 6F 70 79 72 69 67 68 74 20 31 39 38 38 2D 31
39 39 37 2C 0D 0A 48 65 77 6C 65 74 74 2D 50 61 63 6B 61 72 64 20 43 6F
6D 70 61 6E 79 2C 20 61 6C 6C 20 72 69 67 68 74 73 20 72 65 73 65 72 76
65 64 2E 0D 0A 0D 0A 40 28 23 29 48 45 57 4C 45 54 54 2D 50 41 43 4B 41
52 44 2C 20 45 34 34 30 31 20 42 6F 6F 74 72 6F 6D 2C 20 35 2E 30 30 0D
0A 40 28 23 29 4C 44 53 20 52 65 76 3A 20 33 2E 30 32 20 2D 20 4D 6F 64
75 6C 65 20 49 6E 63 72 65 6D 65 6E 74 61 6C 20 28 53 65 70 20 20 39 20
32 30 30 33 29 0D 0A 40 28 23 29 4C 69 6E 6B 65 64 3A 20 53 65 70 20 20
39 20 32 30 30 33 20 31 34 3A 34 36 3A 34 34 0D 0A 0D 0A 42 6F 6F 74 72
6F 6D 20 43 68 65 63 6B 73 75 6D 20 2E 2E 2E 0D 0A 42 6F 6F 74 72 6F 6D
20 44 52 41 4D 3A 20 20 20 20 20 54 65 73 74 69 6E 67 20 36 39 36 33 32
20 62 79 74 65 73 20 61 74 20 30 78 30 34 30 30 30 30 30 30 0D 0A 4E 6F
6E 20 44 65 73 74 72 75 63 74 69 76 65 20 53 52 41 4D 20 54 65 73 74 20
2E 2E 2E 0D 0A 4D 61 69 6E 20 46 69 72 6D 77 61 72 65 20 44 52 41 4D 3A
20 20 20 20 20 54 65 73 74 69 6E 67 20 33 33 34 38 34 38 30 30 20 62 79
74 65 73 20 61 74 20 30 78 30 34 30 31 31 30 30 30 0D 0A 4D 61 69 6E 20
46 57 20 43 68 65 63 6B 73 75 6D 20 2E 2E 2E 0D 0A 53 65 6C 66 2D 74 65
73 74 73 20 63 6F 6D 70 6C 65 74 65 2E 53 52 41 4D 20 73 65 6C 66 74 65
73 74 20 72 65 73 75 6C 74 73 3A 0D 0A 20 20 20 20 20 20 20 20 53 74 61
72 74 20 20 3D 20 30 78 61 30 30 30 30 30 30 0D 0A 20 20 20 20 20 20 20
20 45 6E 64 20 20 20 20 3D 20 30 78 61 30 30 37 66 61 33 0D 0A 20 20 20
20 20 20 20 20 45 72 72 6F 72 73 20 3D 20 30 78 30 0D 0A 44 52 41 4D 20
73 65 6C 66 74 65 73 74 20 72 65 73 75 6C 74 73 3A 0D 0A 20 20 20 20 20
20 20 20 53 74 61 72 74 20 20 3D 20 30 78 34 30 31 31 30 30 30 0D 0A 20
20 20 20 20 20 20 20 45 6E 64 20 20 20 20 3D 20 30 78 36 30 30 30 30 30
30 0D 0A 20 20 20 20 20 20 20 20 45 72 72 6F 72 73 20 3D 20 30 78 30 0D
0A 68 70 69 62 50 6F 72 74 20 3D 20 30 78 38 30 30 35 30 30 30 20 0D 0A
68 70 69 62 50 6F 72 74 20 3D 20 30 78 38 30 30 35 30 30 30 2C 20 62 75
73 20 41 64 64 72 65 73 73 20 3D 20 31 39 0D 0A 0D 0A 43 61 63 68 65 20
45 6E 61 62 6C 65 64 0D 0A 31 36 4D 42 79 74 65 73 20 6F 66 20 46 4C 41
53 48 0D 0A 0D 0A 44 6F 77 6E 6C 6F 61 64 20 74 6F 20 46 6C 61 73 68 20
53 65 6C 65 63 74 65 64 0D 0A

05

3E 3E 3E 20 6D 61 69 6E 4D 61 69 6E 28
29 0D 0A 05 74 65 78 74 20 73 65 67 6D 65 6E 74 3A 09 09 30 78 34 30 31
31 30 30 30 20 74 68 72 75 20 30 78 34 34 33 35 65 31 34 20 28 20 34 32
34 65 31 34 20 62 79 74 65 73 29 0D 0A 64 61 74 61 20 73 65 67 6D 65 6E
74 3A 09 09 30 78 34 36 30 30 30 30 30 20 74 68 72 75 20 30 78 34 37 36
64 64 38 38 20 28 20 31 36 64 64 38 38 20 62 79 74 65 73 29 0D 0A 62 73
73 20 20 73 65 67 6D 65 6E 74 3A 09 09 30 78 34 37 36 64 64 38 38 20 74
68 72 75 20 30 78 34 38 62 63 63 65 38 20 28 20 31 34 65 66 36 30 20 62
79 74 65 73 29 0D 0A 0D 0A 52 4F 4D 20 73 69 7A 65 3A 09 09 30 78 30 30
35 39 32 62 39 63 20 28 20 35 39 32 62 39 63 20 62 79 74 65 73 20 6F 66
20 34 31 39 34 33 30 34 20 6D 61 78 2E 29 0D 0A 0D 0A 6D 65 6D 6F 72 79
20 70 6F 6F 6C 20 28 61 6C 6C 29 3A 09 30 78 30 34 38 62 63 63 65 38 20
74 68 72 75 20 30 78 30 35 66 66 66 66 66 66 20 28 32 34 33 39 32 34 37
32 20 62 79 74 65 73 29 0D 0A 43 61 6C 6C 69 6E 67 20 73 74 61 72 74 5F
70 73 6F 73 28 29 20 2E 2E 2E 0D 0A 3E 3E 3E 3E 20 64 65 62 75 67 28 29
20 70 72 6F 63 65 73 73 20 73 74 61 72 74 69 6E 67 0D 0A 44 4C 50 20 4C
6F 61 64 65 64 20 2D 20 50 6F 77 65 72 20 53 75 69 74 65 20 55 74 69 6C
69 74 69 65 73 2C 20 41 2E 30 36 2E 30 35 2C 20 4E 6F 76 20 32 31 20 32
30 30 33 20 31 35 3A 34 35 3A 34 30 0D 0A
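Locating the control bytes in a capture like the one above can be done programmatically; this is an added example, not part of the original post. It parses the space-separated hex text and reports each ENQ (05) or ACK (06) byte with its offset and the last text line printed before it, using an excerpt of the posted bytes around the pause. On this excerpt it reports two ENQ bytes, one after "Download to Flash Selected" and one after ">>> mainMain()".

```python
import string

# Control bytes named in the thread: the boot ROM sends ENQ and waits for ACK.
CONTROL_NAMES = {0x05: "ENQ", 0x06: "ACK"}

# Excerpt of the hex capture posted above (the bytes around the pause).
CAPTURE_EXCERPT = """
44 6F 77 6E 6C 6F 61 64 20 74 6F 20 46 6C 61 73 68 20
53 65 6C 65 63 74 65 64 0D 0A

05

3E 3E 3E 20 6D 61 69 6E 4D 61 69 6E 28
29 0D 0A 05 74 65 78 74 20 73 65 67 6D 65 6E 74 3A
"""


def parse_hex_capture(text):
    """Turn whitespace-separated two-digit hex tokens into bytes."""
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        for token in line.split():
            if len(token) != 2 or any(c not in string.hexdigits for c in token):
                raise ValueError(f"line {lineno}: not a hex byte: {token!r}")
            out.append(int(token, 16))
    return bytes(out)


def control_events(data):
    """Return (offset, name, last text line before it) for each control byte."""
    events = []
    for offset, value in enumerate(data):
        if value not in CONTROL_NAMES:
            continue
        # Drop earlier control bytes so they do not pollute the context line.
        before = bytes(b for b in data[:offset] if b not in CONTROL_NAMES)
        lines = [ln for ln in before.decode("ascii", "replace").splitlines()
                 if ln.strip()]
        events.append((offset, CONTROL_NAMES[value], lines[-1] if lines else ""))
    return events


if __name__ == "__main__":
    for offset, name, context in control_events(parse_hex_capture(CAPTURE_EXCERPT)):
        print(f"{name} at byte {offset}, after line: {context!r}")
```
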
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 17, 2020, 07:38:04 pm
I think this should be done with a software, not manually. Short timeout, non-printable characters - this is not for humans.
But. If you have a terminal software capable of sending a 06 char you don't need to wait for 05 and react fast - just send that 06 continuously from power on until you see ROM Monitor command prompt.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 17, 2020, 08:44:58 pm
The timeout is very short, it looks like 0.5 seconds maybe. These are probably those marked with 05, because the transmission stops for a moment at this point.

Code: [Select]
***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.

@(#)HEWLETT-PACKARD, E4401 Bootrom, 5.00
@(#)LDS Rev: 3.02 - Module Incremental (Sep  9 2003)
@(#)Linked: Sep  9 2003 14:46:44

Bootrom Checksum ...
Bootrom DRAM:     Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM:     Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
Self-tests complete.SRAM selftest results:
        Start  = 0xa000000
        End    = 0xa007fa3
        Errors = 0x0
DRAM selftest results:
        Start  = 0x4011000
        End    = 0x6000000
        Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19

Cache Enabled
16MBytes of FLASH

Download to Flash Selected

05

Code: [Select]
>>> mainMain()
text segment: 0x4011000 thru 0x4435e14 ( 424e14 bytes)
data segment: 0x4600000 thru 0x476dd88 ( 16dd88 bytes)
bss  segment: 0x476dd88 thru 0x48bcce8 ( 14ef60 bytes)

ROM size: 0x00592b9c ( 592b9c bytes of 4194304 max.)

memory pool (all): 0x048bcce8 thru 0x05ffffff (24392472 bytes)
Calling start_psos() ...
>>>> debug() process starting
DLP Loaded - Power Suite Utilities, A.06.05, Nov 21 2003 15:45:40
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 17, 2020, 08:48:01 pm
I think this should be done with a software, not manually. Short timeout, non-printable characters - this is not for humans.
But. If you have a terminal software capable of sending a 06 char you don't need to wait for 05 and react fast - just send that 06 continuously from power on until you see ROM Monitor command prompt.

And we're in,  normal boot,  SecureCRT set to expect a 0x05 and send a 0x06 in response

What next?

Code: [Select]
***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.

@(#)HEWLETT-PACKARD, E4401 Bootrom, 5.00
@(#)LDS Rev: 3.02 - Module Incremental (Sep  9 2003)
@(#)Linked: Sep  9 2003 14:46:44

Bootrom Checksum ...
Bootrom DRAM:     Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM:     Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
Self-tests complete.SRAM selftest results:
        Start  = 0xa000000
        End    = 0xa007fa3
        Errors = 0x0
DRAM selftest results:
        Start  = 0x4011000
        End    = 0x6000000
        Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19

Cache Enabled
16MBytes of FLASH

Download to Flash Selected
 ROM Monitor
Enter ? for help.
->
->?
bc      [<hex boot config>] - set the bootrom configuration (see bchelp)
bootvars- display bootrom variables
bs      - force a breakpoint when starting
dbyte   [<hex start address> [num bytes]] - display memory using bytes
dlong   [<hex start address> [num bytes]] - display memory using longs
dmem    [<hex start address> [num bytes]] - display memory using bytes
dword   [<hex start address> [num bytes]] - display memory using words
gbreak  - force a gdb breakpoint
gdb     - enable gdb trapping of exceptions
gu      [<hex start addr>]      - go to start address
hmon    [device] - download into memory
rty test routine
sbyte   <hex start address> <hexchars> - set memory using bytes
slong   <hex start address> <hexchars> - set memory using longs
smem    <hex start address> <hexchars> - set memory using bytes
sword   <hex start address> <hexchars> - set memory using words
version - display bootrom version
->
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 17, 2020, 08:50:28 pm
What next?

"In like Flynn...."

Get us the memdump. You can make from 0x0401 1000 up to 0x0490 0000.

Great progress from abyrvalg!  :clap:
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 17, 2020, 08:54:10 pm
Now I'm in the monitor software too. I will try memory dump.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 17, 2020, 09:03:51 pm
What next?

"In like Flynn...."

Get us the memdump. You can make from 0x0401 1000 up to 0x0490 0000.

Great progress from abyrvalg!  :clap:

Given it looks like it interrupted the flash, did it have a chance to copy it?
Can we dump a smaller segment to verify before spending many hours reading out something that may not be good?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 17, 2020, 09:35:43 pm
IMO there is no point in 0x4011000 dump, that should be an exact copy of ESAFW image. I see BootROM getting the image size from the same offset 0x38 (from flash at C000000), then just copying that amount of bytes from C000000 to 4011000. Dumping first 0x80-0x100 bytes and comparing them against ESAFW start should be enough to verify this.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 17, 2020, 10:10:15 pm
IMO there is no point in 0x4011000 dump, that should be an exact copy of ESAFW image. I see BootROM getting the image size from the same offset 0x38 (from flash at C000000), then just copying that amount of bytes from C000000 to 4011000. Dumping first 0x80-0x100 bytes and comparing them against ESAFW start should be enough to verify this.

What’s our next step then?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 18, 2020, 07:33:40 am
What’s our next step then?

OK, do a memdump from 0x045A 0000 up to 0x0490 0000.

Before doing it, try to license 1 or 2 options, as you did before.

Your msg raised a doubt for me: when you are in ROM Monitor, the equipment is not running? I ask this because we need to take the dump AFTER the licensing attempt. So if going into ROM monitor stopped the boot process we still need to finish booting.

If it's not like this then we need to set up a breakpoint. Tell me and I'll suggest an address.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 07:38:00 am
What’s our next step then?
...when you are in ROM Monitor, the equipment is not running?...
The application does not appear to be running. Nothing is displayed on the SA screen, the off button does not work and you need to disconnect the mains plug to turn off the SA.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 18, 2020, 07:45:44 am
The application does not appear to be running. Nothing is displayed on the SA screen, the off button does not work and you need to disconnect the mains plug to turn off the SA.

Damn. Then we need to place a breakpoint and try to continue booting.

@abyrvalg, any suggestion for the restart address?

If we didn't intersect boot, where would the next addresses be?

Or, if you can say where is the address of ROM Monitor function, we can patch ESAFW to safely run monitor after it has tried licensing.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 10:13:48 am
"gu" command without parameters should start the loaded image (without parameter it jumps to "image entry point" variable that is set to 4011000. That's where the normal uninterrupted start goes).
But there is one problem that I didn't notice before: depending on some peripheral reg bit (addr 200200C, mask 100) the jump function will reload the firmware image from flash before jumping (resetting any patches). And it looks like this bit is in the wrong (for us) state: "Download to Flash Selected" message in log depends on it (otherwise it will say "Download to DRAM Selected").
This hw bit looks like one of the DIP switches. Someone please try this:
- enter ROM monitor
- dump reg with "dword 200200C" command
- flip one of the DIP switches
- dump reg again to check if it is changed
- repeat with the next switch

@tv84, ROM Monitor address is D8A4. Interesting, there is a "syscall" to execute a single ROM Monitor command from the main app (at 04132418: trap #0E with arg=0A. All "trap #0E" functions are BootROM calls leading to handler at D1EC), but I see no refs to it.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 18, 2020, 10:29:45 am
Interesting, there is a "syscall" to execute a single ROM Monitor command from the main app (at 04132418: trap #0E with arg=0A. All "trap #0E" functions are BootROM calls leading to handler at D1EC), but I see no refs to it.

What about patching one of the ones that we (I mean you! :) )know how to trigger, like arg=03, 04, 05 ?  ;)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 10:42:28 am
Invoking a single command via syscall would require a command string to be prepared somewhere in memory and passed to the syscall. If the goal is to capture the data section contents after a single action then it should be easier just to jump to the monitor.

Or do this:
- start the ESA normally
- do the action (enter license key)
- prepare 05-06 boot interruption
- reset the ESA to go to ROM mon
- dump the data section (4600000+)
The data section gets reinitialized by ESAFW, so if we don't start it after reboot - there will be previous content available for dump.

Another option (if you want to watch some specific var and do it many times) is to patch some debug printf to output the desired data.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 10:51:03 am
give me a few minutes please 8) I have a MB reset connected with an external button, it should work.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 10:53:55 am
To verify that RAM content is still alive (before going for long dumps) you can do this: dlong 4600020 - should display 04028318
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 10:56:05 am
To verify that RAM content is still alive (before going for long dumps) you can do this: dlong 4600020 - should display 04028318
It's a good tip. I'm not sure about DRAM refreshing after reset.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 11:25:51 am
Not working. I will try once more but after reset (using motherboard reset connector) I have this result:

Code: [Select]
->dlong 0x04600020                                                             
04600020  00000000 00000000 00000000 00000000   ................
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 11:45:22 am
I've studied the PSOS debug handler: nothing like "^C" handling there, but there is one undocumented cmd with unclear functionality: lowercase "r".
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 11:48:07 am
Ok, so we need patching. Could someone try figuring out the DIP switch responsible for Flash/DRAM boot as described here: https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3238002/#msg3238002 (https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3238002/#msg3238002) ?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 11:48:56 am
I conducted an experiment. In the monitor:
Code: [Select]
->slong 04600020 04028318                                                       
->dlong 04600020                                                               
04600020  04028318 00000000 00000000 00000000   ................
Then reset and:
Code: [Select]
->dlong 04600020                                                               
04600020  00000000 00000000 00000000 00000000   ................
Clearly the contents of the DRAM cannot survive the hardware reset.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 11:50:01 am
Ok, so we need patching. Could someone try figuring out the DIP switch responsible for Flash/DRAM boot as described here: https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3238002/#msg3238002 (https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3238002/#msg3238002) ?
I need some time. MB needs to be removed to change dip-switch settings
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 12:03:38 pm
Could you try the "r" cmd (in normal mode) also?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 12:06:10 pm
Of course. I have SA opened and it's possible to change dip-switch without removing MB.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 12:23:58 pm
"r" like RESET. But:
Code: [Select]
->dlong 04600020
04600020  00000000 00000000 00000000 00000000
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 18, 2020, 12:38:30 pm
I conducted an experiment. In the monitor:
Code: [Select]
->slong 04600020 04028318                                                       
->dlong 04600020                                                               
04600020  04028318 00000000 00000000 00000000   ................
Then reset and:
Code: [Select]
->dlong 04600020                                                               
04600020  00000000 00000000 00000000 00000000   ................
Clearly the contents of the DRAM cannot survive the hardware reset.

I missed something...  |O

@abyrvalg, when is that location filled with the 04028318 ?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 12:47:22 pm
I can't get consistent readings from address 0x0200200c when changing dip-switches. It looks different after the reset. Sometimes, with the same settings, the readings are different depending on the time in which the reading is made.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 01:09:53 pm
DRAM not surviving: found the reason - BootROM clears entire DRAM at each start, so reset is not our friend :(

Inconsistent switch reg reading: there can be some other bits not related to switches, ignore them. We are interested in bit 8 (hex mask 0100), normally it should be 0 (for "Download to Flash Selected") and we need to switch it to 1 (for "Download to DRAM Selected").
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 01:16:07 pm
@tv84, a function at 04011078 in ESAFW initializes data section (04600000-0476DD88) by copying from 04435E14 and clears bss section (0476DD88-048BCCE8)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 01:29:45 pm
DIP switch #4, ON position (default)

Code: [Select]
->dword 0x0200200c                                                             
0200200c  0400   ..

DIP switch #4, OFF position

Code: [Select]
->dword 0x0200200c                                                             
0200200c  0500   ..
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 01:43:20 pm
After booting with DIP switch #4 in OFF position:

Code: [Select]
***** Mosquito Bootrom *****                                                   
Copyright 1988-1997,                                                           
Hewlett-Packard Company, all rights reserved.                                   
                                                                               
@(#)HEWLETT-PACKARD, E4401 Bootrom, 5.00                                       
@(#)LDS Rev: 3.02 - Module Incremental (Sep  9 2003)                           
@(#)Linked: Sep  9 2003 14:46:44                                               
                                                                               
Bootrom Checksum ...                                                           
Bootrom DRAM:     Testing 69632 bytes at 0x04000000                             
Non Destructive SRAM Test ...                                                   
Main Firmware DRAM:     Testing 33484800 bytes at 0x04011000                   
Main FW Checksum ...                                                           
Self-tests complete.SRAM selftest results:                                     
        Start  = 0xa000000                                                     
        End    = 0xa007fa3                                                     
        Errors = 0x0                                                           
DRAM selftest results:                                                         
        Start  = 0x4011000                                                     
        End    = 0x6000000                                                     
        Errors = 0x0                                                           
hpibPort = 0x8005000                                                           
hpibPort = 0x8005000, bus Address = 19                                         
                                                                               
Cache Enabled                                                                   
16MBytes of FLASH                                                               
                                                                               
Download to DRAM Selected                                                       
ROM Monitor                                                                     
Enter ? for help.                                                               
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 01:49:30 pm
Great! That's it!
So, what we can do now:
- set DIP4 to ON (to enable ESAFW loading from flash)
- start the ESA with boot interruption
--- now we have stock ESAFW loaded from flash into DRAM, but we are in ROM Monitor
- patch ESAFW in RAM (with smem/sbyte/sword/slong)
- set DIP4 to OFF (to disable ESAFW reload in "gu" command)
- send gu command to start the patched image from DRAM

@tv84, any ideas what to patch?
I'm going to prepare some patch to jump from ESAFW back to ROM Monitor (i.e. with some of the psos debug commands) without reset to dump the data section content finally.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 01:59:54 pm
Code: [Select]
sword 04139614 4ef9
sword 04139618 d8a4
gu
- ESAFW should start normally after this. Then, when it is running already, press "r" and you should get back to ROM Monitor with DRAM keeping the content (try dlong 04600020 there to see).
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 18, 2020, 02:29:07 pm
@tv84, any ideas what to patch?
I'm going to prepare some patch to jump from ESAFW back to ROM Monitor (i.e. with some of the psos debug commands) without reset to dump the data section content finally.

I think I can patch the license validation ATM. Although, having some idea of how flexlm tests licenses, I don't know what are the consequences of activating all licenses.

I would prefer 1st to have the dump, so that I can search for the seeds. If I can find the seeds in the dump, the keygen will be instantaneous.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 02:37:32 pm
Code: [Select]
->dlong 04600020                                                               
04600020  04028318 04028324 0402832a 04028331   .......$...*...1
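The dlong output above shows the monitor's dump line format (address, hex groups, ASCII column). As an added example, not code from any participant in this thread, the following turns a captured terminal log in that format into contiguous byte runs and reports address gaps and lines whose ASCII column disagrees with the hex, which is how dropped or corrupted serial characters show up. The first data line is the one posted above; the other lines, the function names and the ASCII rendering rule are constructed or assumed.

```python
import re

# Dump line as printed by the monitor on this page: 8-digit hex address, two
# spaces, hex groups separated by single spaces, a gap, then an ASCII column.
LINE_RE = re.compile(
    r"^\s*([0-9a-fA-F]{8})  ((?:[0-9a-fA-F]{2})+(?: (?:[0-9a-fA-F]{2})+)*)")


def render_ascii(data):
    # Assumption: printable 0x20..0x7e are shown as-is, everything else as '.'
    # (consistent with the single dlong line shown in the thread).
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)


def parse_capture(text):
    """Return (segments, problems).

    segments: list of [start_address, bytearray] runs of contiguous data.
    problems: strings describing gaps, overlaps and ASCII/hex mismatches.
    """
    segments, problems = [], []
    expected = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # prompts, banners, blank lines
        addr = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))

        # Cross-check the ASCII column when the capture kept it in full.
        rest = line[m.end():]
        if rest.startswith("   "):
            shown = rest[3:3 + len(data)]
            if len(shown) == len(data) and shown != render_ascii(data):
                problems.append(
                    f"line {lineno}: ASCII column mismatch at {addr:08x}")

        # Start a new segment whenever the address is not the expected one.
        if expected is None or addr != expected:
            if expected is not None:
                kind = "gap" if addr > expected else "overlap"
                problems.append(
                    f"line {lineno}: {kind}, expected {expected:08x}, got {addr:08x}")
            segments.append([addr, bytearray()])
        segments[-1][1] += data
        expected = addr + len(data)
    return segments, problems


# Constructed sample: line 2 is from the thread, the rest is made up. One
# 16-byte line (04600040) is missing and the last line has a damaged character.
CAPTURE = """\
->dlong 04600020
04600020  04028318 04028324 0402832a 04028331   .......$...*...1
04600030  41424344 00000000 ffffffff 20212223   ABCD........ !"#
04600050  00000000 00000000 00000000 00000000   ................
04600060  31323334 00000000 00000000 00000000   1235............
->
"""

if __name__ == "__main__":
    segs, probs = parse_capture(CAPTURE)
    for start, data in segs:
        print(f"segment {start:08x}..{start + len(data):08x} ({len(data)} bytes)")
    for p in probs:
        print("problem:", p)
```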
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 02:45:58 pm
My steps:
0. Set the serial terminal to 19200,8n1
1. DIP sw #4 set to ON
2. break the boot process with 0x06
3. sword 04139614 4ef9
4. sword 04139618 d8a4
5. DIP sw #4 set to OFF
6. gu
7. SA restart in normal mode
8. Press "r" and we are in the monitor now  8)
9. Change the serial port speed.
>slong 815F4 1001A
10. Change speed of the serial terminal to 115200, 8n1



Respect for you  :-+ :-+ :-+
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 18, 2020, 02:54:58 pm
My steps:
1. DIP sw #4 set to ON
2. break the boot process with 0x06
3. sword 04139614 4ef9
4. sword 04139618 d8a4
5. DIP sw #4 set to OFF
6. gu
7. SA restart in normal mode
8. Press "r" and we are in the monitor now  8)

Respect for you  :-+ :-+ :-+

Cool,  I wake up and you all have done a lot.

@suj how are you flipping the DIP SW without removing the Processor Card?
a long stick???  LOL
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 02:59:17 pm
@suj how are you flipping the DIP SW without removing the Processor Card?
a long stick???  LOL
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 18, 2020, 03:01:51 pm
@suj how are you flipping the DIP SW without removing the Processor Card?
a long stick???  LOL

Ah,  right angle tweezers and coming in from that angle,   thanks.  :-+
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 03:05:10 pm
Great!
@tv84, your turn! :)

Btw, does anyone know what UART IC is used in ESA? Perhaps it is possible to raise the baudrate by writing to some regs manually from the Monitor.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 03:09:42 pm
Btw, does anyone know what UART IC is used in ESA? Perhaps it is possible to raise the baudrate by writing to some regs manually from the Monitor.

It's part of the 68EN360 QUICC. It's working in "companion" mode with 68LC040
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 18, 2020, 03:24:26 pm
Great!
@tv84, your turn! :)

Btw, does anyone know what UART IC is used in ESA? Perhaps it is possible to raise the baudrate by writing to some regs manually from the Monitor.

Given where we are I don't know if this is worth pursuing or not but there appears to be some kind of undocumented SCPI debug interface and FLASH from SCPI is a supported option as well
found it by mistake , 
hmon    [device] - download into memory
defaults to loading from SCPI
I've not been able to find what [device] is supported
SCPI does not work but hmon on own loads from it
tried FLOPPY, FLASH, 0-1, A-Z, A:-C: and a few more
even things like /dev/fd0


If we want to avoid that, that's fine; I defer to the gurus here.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 18, 2020, 03:46:38 pm
@tv84, any ideas what to patch?
I'm going to prepare some patch to jump from ESAFW back to ROM Monitor (i.e. with some of the psos debug commands) without reset to dump the data section content finally.

I think I can patch the license validation ATM. Although, having some idea of how flexlm tests licenses, I don't know what are the consequences of activating all licenses.

I would prefer 1st to have the dump, so that I can search for the seeds. If I can find the seeds in the dump, the keygen will be instantaneous.

Do you want the same dump we've had before or a different one?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 03:52:42 pm
I would not like to look too far into the future, but maybe it would also be worth reflecting on one of the problems. Probably most owners of the E4401 series hope to unlock the 219 option. Due to the measurement method (Y-factor), cooperation with the equipment is required. And here comes the problem under the name E4401-60123. It is not described in CLIP and there is no schematic diagram. I only found one low resolution photo on the internet. The card works with two types of noise sources: traditional sources of the 346 series and newer SNS series (N4000A, N4001A, N4002A). Cooperation with newer ones is more demanding. The noise source has a memory (probably EEPROM) with a stored ENR table and measures its temperature. Working out this can be very difficult. The type 346 sources, on the other hand, only require +28 V voltage switch. A DC/DC converter is placed on the card. One bit is required for ON/OFF keying only. The card itself should work without option 219, there is an option "Press Service, More, Noise Source (On)" in the service menu. And that could be a hook for finding the address of that bit that needs to be switched. Another thing is the card identification. FW should think the card is inserted. This is a way to create hardware that emulates part of the E4401-60123 card to work with 346 series sources. Connectors such as on the E4401 series expansion cards are available from Mouser. The E4401-60123 card itself is available in Keysight as far as I remember. Over $2800...
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 04:08:21 pm
Supported hmon devices:
DOWNLOAD - this is wrong, no such device in device table
HPIB - HP's GPIB ?
RS232BINARY - self-explanatory
this command invokes a dedicated protocol handler supporting commands like "jump to address", "write to RAM", "write to flash", "start fw from flash", so nothing new there.

Baudrate:
there are 4 baud rate generators (each can be assigned to one of 4 ports independently), all of them are initialized to the same value corresponding to 19200 @25MHz source. I didn't search for BRG->port assignment, it looks faster to try writing to divider regs one by one until we lose the communication (that will mean that speed is changed, time to reconfigure the PC port and try the new speed).

Divider register addresses:
815F0
815F4
815F8
815FC
- all are 32-bit, so use slong cmd to write to them

Values for different baud rates:
100A0 - 19200 (current setting)
10050 - 38400
10034 - 57600
1001A - 115200
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 04:16:00 pm
I'll try. This is the serial port which we use.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 04:28:10 pm
So the correct register is 815F4

- write new value with slong
- check if communication is lost
- change the baudrate of PC to the new value
- check if communication is back
- do dumps at high speed
...
- profit!
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 18, 2020, 04:28:48 pm
Supported hmon devices:
DOWNLOAD - this is wrong, no such device in device table
HPIB - HP's GPIB ?
RS232BINARY - self-explanatory
this command invokes a dedicated protocol handler supporting commands like "jump to address", "write to RAM", "write to flash", "start fw from flash", so nothing new there.

Baudrate:
there are 4 baud rate generators (each can be assigned to one of 4 ports independently), all of them are initialized to the same value corresponding to 19200 @25MHz source. I didn't search for BRG->port assignment, it looks faster to try writing to divider regs one by one until we lose the communication (that will mean that speed is changed, time to reconfigure the PC port and try the new speed).

Divider register addresses:
815F0
815F4
815F8
815FC
- all are 32-bit, so use slong cmd to write to them

Values for different baud rates:
100A0 - 19200 (current setting)
10050 - 38400
10034 - 57600
1001A - 115200

BINGO
dlong 815F4  1001A
wrote,  disconnect,  reconnect at 115200

btw:
dlong 815f0 1001a  lose connection and cannot reconnect
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 04:34:46 pm
Great! :-+
Looks like 815F0 controls some internal module-to-module port, so the CPU loses the communication with some essential part of hw.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 04:38:39 pm
I have edited my list in the post https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3238350/#msg3238350 (https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3238350/#msg3238350). As memo.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 18, 2020, 05:00:38 pm
Do you want the same dump we've had before or a different one?

To start let's do:

A memdump from 0x045A 0000 up to 0x0490 0000.

Before doing it, try to license 1 or 2 options, as you did before.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 05:44:31 pm
My memory dump with real licences.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 18, 2020, 06:02:56 pm
Do you want the same dump we've had before or a different one?

To start let's do:

A memdump from 0x045A 0000 up to 0x0490 0000.

Before doing it, try to license 1 or 2 options, as you did before.

Order is important on this
follow the steps from @suj

dump started @ 115Kb
dbyte 045a0000 3538944

licenses entered
AYZ 888888888888
IDS 999999999999
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 18, 2020, 06:12:06 pm
My memory dump with real licences.

What options/keys did you have installed?  might help searching for them


FWIW, according to the sanitization guide, Options/Licenses are stored in FLASH.
The FLASH on the BOARD is for FW, the FLASH SIMM is where your c: drive is and likely where options are stored permanently
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 06:16:35 pm
My E4407B came to me with the following licensed options:
1D5 Hi Stability Freq Ref
1DR Narrow Resolution BW
AYZ External Mixing
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 18, 2020, 06:25:53 pm
My E4407B came to me with the following licensed options:
1D5 Hi Stability Freq Ref
1DR Narrow Resolution BW
AYZ External Mixing

1DR Narrow Resolution BW
this is where I think we should start.   most but not all SAs have the hardware for this built in

Mine has no licensed options installed, but hardware options that do not require licenses I have

1D5 Hi Stability Freq Ref
1DN TG 3.0Ghz
IDN
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 06:28:47 pm
BTW, with modern serial ports supporting fractional baud rates (i.e. FTDI-based) and terminal sw supporting arbitrary baudrate numbers (not a dropdown list of fixed values) it should be possible to achieve speeds higher than 115200. The relation is: baudrate=25000000/(16*(((BRG & FFFF)>>1)+1)), so the theoretical maximum is 1.56 Mbps. With 25MHz base frequency higher speeds deviate too much from the standard values, but fractional-capable ports should handle it. The only question is ESA’s hardware limit (i.e. some slow buffers in the signal path).
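The divider arithmetic from the post above, as an added example (not code from any thread participant): it applies the stated relation with the 25 MHz clock, derives the register value nearest to each standard rate, and reports the resulting deviation. Keeping the upper bits 0x10000 unchanged is an assumption taken from the four values listed earlier in the thread; the function names are made up here.

```python
CLOCK_HZ = 25_000_000            # BRG source clock stated in the thread
UPPER_BITS = 0x10000             # assumption: upper bits as in every value of the thread's table
MAX_DIVIDER = (0xFFFF >> 1) + 1  # largest divider the relation can express


def brg_to_baud(brg, clock_hz=CLOCK_HZ):
    """Apply the thread's relation: clock / (16 * (((BRG & 0xFFFF) >> 1) + 1))."""
    return clock_hz / (16 * (((brg & 0xFFFF) >> 1) + 1))


def baud_to_brg(target, clock_hz=CLOCK_HZ):
    """Return (register value, actual baud, error in percent) nearest to target."""
    ideal = clock_hz / (16 * target)
    best = None
    # The divider is an integer, so only the two neighbours of the ideal
    # value can be the closest achievable setting.
    for divider in (int(ideal), int(ideal) + 1):
        divider = max(1, min(MAX_DIVIDER, divider))
        actual = clock_hz / (16 * divider)
        error = (actual - target) / target * 100.0
        if best is None or abs(error) < abs(best[2]):
            best = (UPPER_BITS | ((divider - 1) << 1), actual, error)
    return best


def rate_table(rates=(19200, 38400, 57600, 115200, 230400, 460800, 921600)):
    """One row per standard rate: (target, register, actual baud, error %)."""
    return [(r,) + baud_to_brg(r) for r in rates]


if __name__ == "__main__":
    for target, reg, actual, err in rate_table():
        print(f"{target:>7}  register {reg:05X}  actual {actual:10.1f}  {err:+7.2f}%")
    print(f"ceiling with divider 1: {brg_to_baud(UPPER_BITS):.0f} baud")
```

The 1001A setting actually runs at about 111607 baud, roughly 3.1% below 115200, which is the kind of deviation from standard values the post refers to.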
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 18, 2020, 06:30:49 pm
Do you want the same dump we've had before or a different one?

To start let's do:

A memdump from 0x045A 0000 up to 0x0490 0000.

Before doing it, try to license 1 or 2 options, as you did before.

dbyte 045a0000 3538944

licenses entered
AYZ 888888888888
IDS 999999999999

dump attached
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 18, 2020, 06:34:01 pm
BTW, with modern serial ports supporting fractional baud rates (i.e. FTDI-based) and terminal sw supporting arbitrary baudrate numbers (not a dropdown list of fixed values) it should be possible to achieve speeds higher than 115200. The relation is: baudrate=25000000/(16*(((BRG & FFFF)>>1)+1)), so the theoretical maximum is 1.56 Mbps. With 25MHz base frequency higher speeds deviate too much from the standard values, but fractional-capable ports should handle it. The only question is ESA’s hardware limit (i.e. some slow buffers in the signal path).

The RXD_RP and TXD_RP go direct to U63/MAX232ACWE
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 06:39:10 pm
From DS MAX232ACWE
Code: [Select]
High Data Rates
These transceivers maintain the RS-232 ±5.0V minimum
driver output voltages at data rates of over
120kbps. For data rates above 120kbps, refer to the
Transmitter Output Voltage vs. Load Capacitance
graphs in the Typical Operating Characteristics.
Communication at these high rates is easier if the
capacitive loads on the transmitters are small; i.e.,
short cables are best.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 18, 2020, 08:08:11 pm
@suj

Do you by chance have a XGecu T56 Universal programmer?
I just got my PCB to try to read the FLASH SIMM
assuming it works I could send a board to you to read out yours.

unless we know the address for that FLASH SIMM and we can read out thru the monitor now?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 08:25:37 pm
I don't have this programmer. I have an older SEPROG programmer that supports some FLASH but I have to check. I doubt if such large memories. I finished using the programmer and EPROM emulator with the end of the 8051 and EPROM with a UV window era. Maybe send me your PCB gerbers? I will order from JLCPCB or locally and I will have it in a week. I would also have to order a 72 pin SIMM socket from Mouser. I haven't seen a SIMM anymore at the local main supplier, but I will check with smaller sellers.
I can also locally look for a more modern programmer. Any suggestion of type of the programmer?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 18, 2020, 08:43:41 pm
I don't have this programmer. I have an older SEPROG programmer that supports some FLASH but I have to check. I doubt if such large memories. I finished using the programmer and EPROM emulator with the end of the 8051 and EPROM with a UV window era. Maybe send me your PCB gerbers? I will order from JLCPCB or locally and I will have it in a week. I would also have to order a 72 pin SIMM socket from Mouser. I haven't seen a SIMM anymore at the local main supplier, but I will check with smaller sellers.
I can also locally look for a more modern programmer. Any suggestion of type of the programmer?
I'm making some changes to the PCB to fix some minor issues I encountered. Happy to share the gerbers though.
This could be used with any programmer that supports the FLASH memory but is designed for the T56.
The T56 is the TL866II Plus's (very popular unit) bigger brother and the direction they are going. It supports 25K+ memories and logic ICs.

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 08:50:40 pm
My quick research favors TL866II+. Over 3x cheaper in my country than the T56.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 18, 2020, 09:05:33 pm
My quick research favors TL866II+. Over 3x cheaper in my country than the T56.

But it can’t read the flash on the simm module
T56 has extra I/O to do it

If you want a unit for general use the TL866II+
Is a great unit
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 09:08:26 pm
I performed a memory dump after a reset. It's different :-//
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 09:11:45 pm
I can derive a rough memory map from QUICC's BRx/ORx regs initialization:
0: 00000000 [20000] SRAM-like, slow timing - this is BootROM as we already know
1: 04000000 [400000] DRAM-like, fast timing - this is DRAM bank 0
2: 04400000 [400000] DRAM-like, fast timing - this is DRAM bank 1
3: 02000000 [20000] SRAM-like, external timing - FPGA ? DIP switches regs are here, flash size reg, DRAM size reg
4: 08000000 [100000] SRAM-like, external timing - ??
5: 0A000000 [80000] SRAM-like, external timing - this is SRAM
6: 0C000000 [400000] SRAM-like, external timing - this is firmware flash
7: 0E000000 [20000] SRAM-like, external timing - ??

Try dumping a small piece from each of the two unknown regions (08000000, 0E000000), maybe the content will provide some ideas.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 09:20:39 pm
Code: [Select]
->dbyte 08000000 256                                                           
08000000  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................   
08000010  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................   
08000020  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................   
08000030  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................   
08000040  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................   
08000050  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................   
08000060  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................   
08000070  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................   
08000080  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................   
08000090  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................   
080000a0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................   
080000b0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................   
080000c0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................   
080000d0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................   
080000e0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................   
080000f0  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................

Code: [Select]
->dbyte 0E000000 256                                                           
0e000000  05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00   ................   
0e000010  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................   
0e000020  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................   
0e000030  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................   
0e000040  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................   
0e000050  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................   
0e000060  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................   
0e000070  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................   
0e000080  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................   
0e000090  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................   
0e0000a0  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................   
0e0000b0  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................   
0e0000c0  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................   
0e0000d0  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................   
0e0000e0  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................   
0e0000f0  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................
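Added example (not from any poster in this thread): a Python helper that parses ROM-monitor `dbyte` output like the two dumps above, looks up which chip-select bank from abyrvalg's table the address falls in, and lists the byte values seen on even and odd addresses. Function names are hypothetical; the embedded sample lines are the first three lines of each dump as posted.

```python
import re

# Chip-select banks from the BRx/ORx table in the thread: (bank, base, size, note).
BANKS = [
    (0, 0x00000000, 0x20000,  "BootROM"),
    (1, 0x04000000, 0x400000, "DRAM bank 0"),
    (2, 0x04400000, 0x400000, "DRAM bank 1"),
    (3, 0x02000000, 0x20000,  "FPGA? (DIP switch, flash size, DRAM size regs)"),
    (4, 0x08000000, 0x100000, "unknown"),
    (5, 0x0A000000, 0x80000,  "SRAM"),
    (6, 0x0C000000, 0x400000, "firmware flash"),
    (7, 0x0E000000, 0x20000,  "unknown"),
]

HEX8 = re.compile(r"[0-9a-fA-F]{8}")
HEX2 = re.compile(r"[0-9a-fA-F]{2}")


def parse_dbyte(text):
    """Return {address: byte} from 'dbyte' output; prompt/echo lines are skipped.

    Only the first 16 tokens after the address are considered, so the ASCII
    column of a full line is never read as data. A short final line whose ASCII
    column happens to be two hex characters would be misread (not handled).
    """
    mem = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or not HEX8.fullmatch(tok[0]):
            continue
        base = int(tok[0], 16)
        for i, t in enumerate(tok[1:17]):
            if not HEX2.fullmatch(t):
                break  # reached the ASCII column
            mem[base + i] = int(t, 16)
    return mem


def find_bank(addr):
    """Return (bank_number, note) for the bank containing addr, or None."""
    for bank, base, size, note in BANKS:
        if base <= addr < base + size:
            return bank, note
    return None


def summarize(text):
    """Describe a dump: where it sits and which values appear on each byte lane."""
    mem = parse_dbyte(text)
    if not mem:
        raise ValueError("no dump lines found")
    addrs = sorted(mem)
    return {
        "start": addrs[0],
        "length": len(addrs),
        "bank": find_bank(addrs[0]),
        # All-0xFF reads fit erased flash or a bus nobody drives; the dump
        # alone cannot tell which.
        "all_ff": all(mem[a] == 0xFF for a in addrs),
        "even_lane": sorted({mem[a] for a in addrs if a % 2 == 0}),
        "odd_lane": sorted({mem[a] for a in addrs if a % 2 == 1}),
    }


# First three lines of each dump, copied from the thread.
DUMP_08 = """\
->dbyte 08000000 256
08000000  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
08000010  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
08000020  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ................
"""

DUMP_0E = """\
->dbyte 0E000000 256
0e000000  05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00   ................
0e000010  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................
0e000020  bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00   ................
"""

if __name__ == "__main__":
    for name, dump in (("08000000", DUMP_08), ("0E000000", DUMP_0E)):
        s = summarize(dump)
        print(name, "bank", s["bank"], "all_ff", s["all_ff"],
              "even", [hex(v) for v in s["even_lane"]],
              "odd", [hex(v) for v in s["odd_lane"]])
```

On these samples the 08000000 window reads all ff, while the 0E000000 window carries data only on even addresses, with 00 on every odd address.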
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 18, 2020, 09:31:51 pm
Maybe this memory map is related to CS signals from QUICC?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 18, 2020, 09:53:09 pm
I'm currently analyzing the encrypt function (pretty old flexlm) and have not been following all your new debug/dump capabilities.

@abyrvalg, can we place an infinite loop in the code and prepare to do some selected dumps? can you provide the patch? Later I'll provide the address(es).
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 18, 2020, 10:24:16 pm
I'm currently analyzing the encrypt function (pretty old flexlm) and have not been following all your new debug/dump capabilities.

@abyrvalg, can we place an infinite loop in the code and prepare to do some selected dumps? can you provide the patch? Later I'll provide the address(es).

Yeh flexlm should be 6.0d so yeh very old
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 18, 2020, 11:02:33 pm
@tv84, you want to stop some function in an infinite loop before it destroys FLEXlm seeds and enter dump mode in that state?
Just patch the instruction where you want to stop to "jmp ROMMonitor":
sword YourAddr 4EF9   - "jmp imm32" opcode
slong YourAddr+2 0000D8A4    - address of ROMMonitor
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 19, 2020, 09:33:48 am
Should I try to add new licenses or in my case the installed ones are enough?
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 19, 2020, 09:53:07 am
Should I try to add new licenses or in my case the installed ones are enough?

The installed are enough because, when it tries to validate the installed ones (at app start), it will break into ROM Monitor so you won't be able to try a new one.

In the case of Sandra, where there is no license, I think she must force the licensing.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 19, 2020, 10:50:32 am
From my calculations, the memory dump should end around 15:40 CET (13:40 GMT). Approximately 120 MB text file.
Now I go to the grocery store to do my shopping, allowing me to stay within 20 meters from my "laboratory" for the next week. 8)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 19, 2020, 11:00:14 am
@tv84, now I understand why you need such big dumps, your values of interest are local variables with no fixed addresses - right?
What we can do is to patch the code to save a register to some fixed unused location, then dump it from there.
A patch to save "vendor key 5" to 045FFFFC (this address is unused) and continue normally:
Code: [Select]
sword 043F398E 23C0
slong 043F3990 045FFFFC
slong 043F3994 60000018
+ our earlier patch to go to Mon with r key press
sword 04139614 4ef9
sword 04139618 d8a4
- enter any license
- press "r" to go to Mon
- dump 4 bytes from 045FFFFC
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 19, 2020, 11:13:02 am
@tv84, now I understand why you need such big dumps, your values of interest are local variables with no fixed addresses - right?

Right.  :-+  Your suggestion was also on my mind. I hope we don't need it but, if we do, I will need your help. I also need to have a full confirmation of what is being hashed and, for that, the dump should provide the definitive answer.

I have a hard time recognizing how the registers of this thing work. It's almost like Blackfin! :)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 19, 2020, 11:31:57 am
Dumping “vendor key 5” should be enough - this is old FLEXlm, the seeds are stored in VENDORCODE xored with this vk5 (look down from the location I’m patching - they verify if the seeds are “demo” 12345678 87654321 by direct xoring with this value. Various tutorials from the 6.0 era say the same).

I have a universal recipe how to start feeling at home with any CISC asm - spend some time in QDSP (Hexagon) asm  :-DD
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 19, 2020, 11:37:43 am
Dumping “vendor key 5” should be enough - this is old FLEXlm, the seeds are stored in VENDORCODE xored with this vk5 (look down from the location I’m patching - they verify if the seeds are “demo” 12345678 87654321 by direct xoring with this value. Various tutorials from the 6.0 era say the same).

Sure but where is vendorcode? You still need it. With vendorcode, we would be done.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 19, 2020, 11:45:22 am
At 04600D5C. A search for "6.0" gets you there easily. You need to have the data section initialized of course, mentioned that earlier - copy from 04435E14 to 04600000-0476DD88. But a copy of that structure can be found in the "source" area too.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 19, 2020, 12:51:20 pm
Stop the press!  (and the dumps...)   :popcorn:

Enc_seeds validated OK!

@suj license correctly validated.

How dumb!! How could I've missed that structure!!!!    |O   |O

EDIT: Mystery solved! This proc is BIG ENDIAN and my search function only searches in LITTLE ENDIAN (will correct it)! Sorry all for all the trouble but it was a new experience. A special recognition to @abyrvalg. Amazing talent!  :clap:
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 19, 2020, 01:02:54 pm
Stop the press!  (and the dumps...)   :popcorn:

Enc_seeds validated OK!

@suj license correctly validated.

How dumb!! How could I've missed that structure!!!!    |O   |O

Other than some banging head on wall this sounds good right?
I was just getting ready to do the dump   :phew:
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 19, 2020, 01:09:35 pm
Other than some banging head on wall this sounds good right?

AYZ EA726914DBAD
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 19, 2020, 01:24:05 pm
Other than some banging head on wall this sounds good right?

AYZ EA726914DBAD

I will let a picture speak for me

 :clap: :clap: :clap:

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 19, 2020, 01:26:17 pm
To check option AYZ you can go to "Input" menu and check if you can change mixer to external. To use this you must connect connector J6 from the A8A4 module and J4 from the same module to external sockets (IF in, LO Out). And you can use unpreselected harmonic mixers (for example 11970 series). To use preselected (11974) you need the frequency extension module.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 19, 2020, 01:26:36 pm
That was a straight OPTION
can we try a personality to see if those work?
if so try Option 225
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 19, 2020, 01:29:03 pm
To check option AYZ you can go to "Input" menu and check if you can change mixer to external. To use this you must connect connector J6 from the A8A4 module and J4 from the same module to external sockets (IF in, LO Out). And you can use unpreselected harmonic mixers (for example 11970 series). To use preselected (11974) you need the frequency extension module.

I don't have the external mixers but I do have a 4407B with frequency extension and  the menu is available

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 19, 2020, 01:56:04 pm
Here is the fishing rod. (a little homework is always beneficial)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 19, 2020, 02:08:14 pm
That was a great teamwork, thanks to everyone! :clap: See you in the next “instrument improvement” thread >:D
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 19, 2020, 02:15:20 pm
That was a great teamwork, thanks to everyone! :clap: See you in the next “instrument improvement” thread >:D

Sure it was. Always a pleasure when it is like this. smgvbest and suj also had a special recognition for all their hard work. ;)

I've just checked a BAC personality and all is good! See you in next quest (now with BigEnd activated!).
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 19, 2020, 02:20:54 pm
A big thank you to the whole team. You are geniuses!
I will now work on addressing cards via the E4401. When I have conclusions, I will ask you for help in finding this I/O address that allows to turn the noise source on and off.
 :-+ :-+ :-+

EDIT
If you are looking for a challenge, I am always ready to provide support. LE, BE who wants what...
 ;D
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 19, 2020, 03:50:15 pm
Some info on card addressing:
there are 8 "I/O slots" (0-7), each one gets an address window at 08000000+0x4000*slot_number
register at BASE+3FFE (size: byte) looks like "device type":
1 - HPIB adapter
4 - floppy controller
Edit: other card types recognized by ESAFW:
6
8
3, 7, 10 - some similar types handled by common code
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 19, 2020, 04:14:49 pm
This (https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3239946/#msg3239946) can also be used in the old E44xxB ESG Signal Generators.

Just checked.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 19, 2020, 04:48:06 pm
Some info on card addressing:
there are 8 "I/O slots" (0-7), each one gets an address window at 08000000+0x4000*slot_number
register at BASE+3FFE (size: byte) looks like "device type":
1 - HPIB adapter
4 - floppy controller
Edit: other card types recognized by ESAFW:
6
8
3, 7, 10 - some similar types handled by common code

My first analyses:
1. Backplane is hardcoded, card knows in which slot it is inserted (red)
2. Address decode and initialization. For example GPIB/Parallel card (red/green)
3. Signals for above at the cpu card (green)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 19, 2020, 05:06:15 pm
Just got back from work, amazing what gets done when I am tied up

@tv84
@abyrvalg

you both are awesome!!   thanks for the hard work
I would love to have a PM chat to understand a bit of how you do this,  it intrigues me

@suj  thank you for your help as well

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: abyrvalg on September 19, 2020, 05:13:10 pm
BootROM HPIB init loops through 0-7 slot numbers, getting a byte from 08000000+4000*slot+3FFE and looking for 01 value, then uses base address of the matched slot for all further IO operations. Same is for floppy (but looking for value 04). Not sure if all slots are equal, maybe some card types must be installed in a specific slot to get i.e. right RF connections, but they are still identified by that +3FFE byte in sw, no hardcoded slots there.
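Added example (not from any poster in this thread): the slot scan described in the post above, written out in Python against a simulated bus. The `read8` callback, the function names and the sample card layout are constructed for illustration, and unpopulated slots reading 0xFF is an assumption.

```python
IO_BASE = 0x08000000   # start of the I/O slot windows (from the post)
SLOT_SIZE = 0x4000     # one address window per slot
SLOT_COUNT = 8         # slots 0-7
TYPE_REG = 0x3FFE      # byte-wide "device type" register offset

# Type codes named in the thread. Codes 3, 6, 7, 8 and 10 are recognised by
# the firmware according to the thread but are not identified there.
KNOWN_TYPES = {0x01: "HPIB adapter", 0x04: "floppy controller"}
UNNAMED_TYPES = {3, 6, 7, 8, 10}


def slot_base(slot):
    """Base address of a slot's window."""
    if not 0 <= slot < SLOT_COUNT:
        raise ValueError("slot must be 0-7")
    return IO_BASE + SLOT_SIZE * slot


def decode_address(addr):
    """Return (slot, offset) for an address inside the slot windows, else None."""
    off = addr - IO_BASE
    if 0 <= off < SLOT_SIZE * SLOT_COUNT:
        return divmod(off, SLOT_SIZE)
    return None


def find_card(read8, wanted):
    """First-match search as described for the BootROM: base address or None."""
    for slot in range(SLOT_COUNT):
        if read8(slot_base(slot) + TYPE_REG) == wanted:
            return slot_base(slot)
    return None


def scan_slots(read8):
    """Read every slot's type byte; returns {slot: (type_code, label)}."""
    found = {}
    for slot in range(SLOT_COUNT):
        code = read8(slot_base(slot) + TYPE_REG)
        if code in KNOWN_TYPES:
            label = KNOWN_TYPES[code]
        elif code in UNNAMED_TYPES:
            label = "recognised, unnamed in thread"
        else:
            label = "no recognised card"
        found[slot] = (code, label)
    return found


def dump_covers_type_reg(start, length):
    """True if a dump of `length` bytes from `start` includes a type register."""
    return any(start <= slot_base(s) + TYPE_REG < start + length
               for s in range(SLOT_COUNT))


def make_fake_bus(cards):
    """Constructed test bus: cards maps slot -> type code.

    Every other address reads 0xFF (assumption about unpopulated slots).
    """
    regs = {slot_base(s) + TYPE_REG: c for s, c in cards.items()}
    return lambda addr: regs.get(addr, 0xFF)


if __name__ == "__main__":
    bus = make_fake_bus({2: 0x01, 5: 0x04, 6: 0x07})  # constructed layout
    for slot, (code, label) in scan_slots(bus).items():
        print(f"slot {slot} @ {slot_base(slot):08X}: type {code:02X} ({label})")
    print("HPIB base:", hex(find_card(bus, 0x01)))
    # A 256-byte dump from 08000000 stops far short of offset 3FFE.
    print("256-byte dump reaches a type register:",
          dump_covers_type_reg(0x08000000, 256))
```

The last check shows why a 256-byte dump from 08000000 says nothing about which card sits in slot 0: the type byte lives at 08003FFE.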
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 19, 2020, 07:45:21 pm
BootROM HPIB init loops through 0-7 slot numbers, getting a byte from 08000000+4000*slot+3FFE and looking for 01 value, then uses base address of the matched slot for all further IO operations. Same is for floppy (but looking for value 04). Not sure if all slots are equal, maybe some card types must be installed in a specific slot to get i.e. right RF connections, but they are still identified by that +3FFE byte in sw, no hardcoded slots there.

Each IO card has a 93c66 EEPROM on board used for identification, and some store calibration data for that card.
I wonder if that address is the address used for the EEPROM and getting that byte?

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 21, 2020, 09:03:43 am
Try to start from this point:
https://www.eevblog.com/forum/testgear/hp-agilent-e4433b-esg-d-series-signal-generator-250khz-4-0ghz/msg3240634/#msg3240634 (https://www.eevblog.com/forum/testgear/hp-agilent-e4433b-esg-d-series-signal-generator-250khz-4-0ghz/msg3240634/#msg3240634)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on September 21, 2020, 03:21:24 pm
After a few more educated googles I arrived here (https://www.eevblog.com/forum/testgear/_free_-vsa-options/msg584857/#msg584857).     ;D

So, we're halfway there!

The licenses should have this format:

FEATURE 202 TMOMID01 1.0 permanent uncounted 0123456789AB  HOSTID=E1234567

Now, we just need the seeds.  ;)

What does 0123456789AB represent? I am almost there  :D

EDIT: I got it to work for one example that was in the posts, so  I think I got it right  :-+ :-+
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on September 21, 2020, 03:27:30 pm
I finally got it  :-+ :-+  >:D >:D ;)
thanks to the one example that was in the posts  ;)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 21, 2020, 05:29:22 pm
I finally got it  :-+ :-+  >:D >:D ;)
thanks to the one example that was in the posts  ;)

Here is the example of a good student that does his homework.  ;D
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on September 21, 2020, 05:32:06 pm
I finally got it  :-+ :-+  >:D >:D ;)
thanks to the one example that was in the posts  ;)

Here is the example of a good student that does his homework.  ;D


now I need to buy one of these SAs....have been trying to for quite some time with no success  |O :(
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 21, 2020, 05:45:10 pm
I finally got it  :-+ :-+  >:D >:D ;)
thanks to the one example that was in the posts  ;)

Here is the example of a good student that does his homework.  ;D


now I need to buy one of these SAs....have been trying to for quite some time with no success  |O :(

I was in same boat.  Finally got one from alltest on eBay.  Made an offer.  Plead my case and they accepted at a bit higher than I wanted ( ie could afford ) to go but took it

Ended up being bricked was all.  I don’t think it had a bad flash. As I’ve now tested that flash many times and no failures

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on September 21, 2020, 05:58:25 pm
I finally got it  :-+ :-+  >:D >:D ;)
thanks to the one example that was in the posts  ;)

Here is the example of a good student that does his homework.  ;D


now I need to buy one of these SAs....have been trying to for quite some time with no success  |O :(

I was in same boat.  Finally got one from alltest on eBay.  Made an offer.  Plead my case and they accepted at a bit higher than I wanted ( ie could afford ) to go but took it

Ended up being bricked was all.  I don’t think it had a bad flash. As I’ve now tested that flash many times and no failures

a bricked, broken, defective is what I dig :-DD
but still too expensive when they have the "basic" important (for me) HW options on them (1D5,AYX,BAA)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 21, 2020, 09:26:14 pm
So no one wants $1000 ?

Just checking..

Everything you need to do this is in this thread. 
And it’s fairly easy to do
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: xymox on September 22, 2020, 08:02:22 am
Well no doubt this works..  I tried EVERY option that I had hardware for.. Discovered I want a card, option 119..

(https://xymox1.com/Misc/IMG_0659.JPG)
(https://xymox1.com/Misc/IMG_0661.JPG)
(https://xymox1.com/Misc/IMG_0662.JPG)
(https://xymox1.com/Misc/IMG_0663.JPG)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: xymox on September 22, 2020, 06:46:18 pm
NEW CHALLENGE...

One other thing that would be REALLY useful is to find the SCPI (GPIB) commands to do some adjustments (especially the frequency response adjustment.).
Keysight doesn't want to share the commands - They do use them in their own calibration software (N7800A) - but I think they don't want to enable others....

Perhaps if somebody has this calibration software (Keysight doesn't sell it anymore - they stopped selling it a few years back) - then the GPIB commands can be traced using a tracing/logging tool that logs
all GPIB activity...

The calibration software requires a license. There are older versions that run on older versions of windows that might be less protected.. https://cal.software.keysight.com/

Also I really need software that does waterfall plots and spectrograms. Logging to a computer. Etc..

There is Benchlink Web and I think that takes a key. It only runs on NT or Win 2000. Which I have setup..

Now that the SA is more unlocked I will look into all this more..
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: suj on September 22, 2020, 09:54:27 pm
Today I did the initial verification of the E4407B phase noise measurement. I have put together a measuring system consisting of the following elements:
1. R&S SMF100A generator
2. Power divider Anritsu 11N50B
3. DUT1: E4407B
4. DUT2: Advantest R3681
I made the measurements at the frequency of 1.005 GHz.
The first measurement was performed without modulation.
Then I modulated the carrier frequency with the noise generator signal. With the following settings, the result should be a signal with phase noise falling by 20 dB per decade.
It is not a device with outstanding parameters, because probably HP was not supposed to be like that. After all, it could not compete with the higher-end  SA (for example PSA).
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: xymox on September 23, 2020, 12:46:46 am
Yes I saw that.. I was also after phase noise.. A bit disappointing, but it's still useful :)

SO... I spent half my day playing with software..

I got Keysight VSA working on it. This is expensive software and seriously licensed using very modern methods. No hacking this one.. It is however REALLY powerful software.. It does exactly what I want from it.. You gotta install the Lk-VSA personality on the unit. "ESA to 89601A Software Link Utility" Its 2 floppies.

It seriously takes over the unit, complete with turning off the screen..

This software can turn the ESA into a VERY powerful device and can do things never possible from the ESA alone..

These are the AM radio stations around me..



(http://www.xymox1.com/Misc/VSA.gif)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: xymox on September 23, 2020, 01:52:54 am
The VSA software does a great many things you can't do with just the unit.

It seems to be trying to do 5G, all forms of Wifi, DOCSIS 3.1, OFDM, QAM just tons of stuff..

I cant quite get it to decode my cable company DOCSIS 3.1 or my own wifi.. Its trying. I just dont know enough about settings on this yet.. The trial software gives me 1 month.. So I will have some time to play with it fully...

BUT at at least $500 PER YEAR,,, this is not friendly.. Its the PER YEAR part that bothers me...  The spectrogram stuff is great.. Thats all I really want..

I am a tad confused by one thing, but I'm sure it's me.. I can't get a span more than 10Mhz for some reason..

(http://xymox1.com/Misc/WiFi.gif)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: xymox on September 23, 2020, 05:23:07 am
Well this software is nearly unusable for my use. For some freaky reason it's limited to a 10Mhz span no matter what I do. This is completely useless for me. At the high freq it's useless. Like how do you look at wifi ? This limitation seems to be with the hardware. I can simulate other devices and they have different max spans, but still not full. Even brand new keysight gear does not do the full span like the actual device will..

Because of this, the software seems crippled for my use.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: xymox on September 23, 2020, 06:15:35 am
Well that is interesting...

I have a second ESA-E Very basic.

I licensed 1DR narrow resolution bandwidth and 1D5 Hi Stability Freq Ref... These work.. I can now hit a span of 100hz and a Res BW of 1 hz.. OK Sure I enabled the software, but, I dont have those right ? WELL its performance exactly the same as my main one which has those options for real. BUT this can't be right ???

SO.. One thing for sure.. It's now possible to cheat.. Units could be made to look like they have more options than they actually have.. So that's not good.. However,, in this case, it added to functionality, even if it's a bit wonky.

Makes me wonder what other options could be enabled this way..
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: xymox on September 23, 2020, 06:47:35 am
I truly stuffed full ESA... I cant fit anything else..

There is hardware I dont have which limits me. Low freq extension, modulation analysis board, noise measurement board..

GPIB can do a lot. I will have to explore this. I would imagine any software written for GPIB Spectrum Analyzers will work as the GPIB commands look pretty universal. Well. I can load a number of standards, so, hopefully.. VSA does not do what I need and is stupid expensive with little hope of a keygen and patch.

(http://www.xymox1.com/Misc/IMG_0668.JPG)
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 23, 2020, 09:28:14 pm
Well that is interesting...

I have a second ESA-E Very basic.

I licensed 1DR narrow resolution bandwidth and 1D5 Hi Stability Freq Ref... These work.. I can now hit a span of 100hz and a Res BW of 1 hz.. OK Sure I enabled the software, but, I dont have those right ? WELL its performance exactly the same as my main one which has those options for real. BUT this can't be right ???

SO.. One thing for sure.. It's now possible to cheat.. Units could be made to look like they have more options than they actually have.. So that's not good.. However,, in this case, it added to functionality, even if it's a bit wonky.

Makes me wonder what other options could be enabled this way..

There are items that are License Only.
1DR i think is one, Preamp is another past a certain serial number
there 5-6 that are license only
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: xymox on September 24, 2020, 01:31:36 am
I dont suppose in any of the dumps is a list of things that can be turned on ? Maybe there are some undocumented ones ? It knows all these because it populates names for them after you enable them.. You never know, maybe there is some fun option that enables something interesting.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 24, 2020, 01:40:07 am
I dont suppose in any of the dumps is a list of things that can be turned on ? Maybe there are some undocumented ones ? It knows all these because it populates names for them after you enable them.. You never know, maybe there is some fun option that enables something interesting.

They are all in the ESAFW file and dumps
I do not recall anything thats not already listed on the keysight page

https://www.keysight.com/main/editorial.jspx?cc=US&lc=eng&ckey=277453&nid=-32406.536881907.02&id=277453 (https://www.keysight.com/main/editorial.jspx?cc=US&lc=eng&ckey=277453&nid=-32406.536881907.02&id=277453)

BTW:  I just started a new thread in the repair forum for repairing the Tracking Generator that's getting a Source Unlevel error if anyone is interested
https://www.eevblog.com/forum/repair/e4407b-tracking-generator-repair/msg3246922/#msg3246922 (https://www.eevblog.com/forum/repair/e4407b-tracking-generator-repair/msg3246922/#msg3246922)

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: xymox on September 24, 2020, 03:26:45 am
BTW:  I just started a new thread in the repair forum for repairing the Tracking Generator that's getting a Source Unlevel error if anyone is interested

You will eventually need to calibrate it. We gotta figure out how to do that..

I am trying to get Keysight to simply quote me on TME.. I want a license for "self Maintainers" and for a single serial number unit. They responded once and asked me what the company name was, I told them it was for personal use and they never responded again. I would pay them for this.. As long as it was not a insane number. BUT they seem to be going in the direction that will lead to the system getting hacked into. At the least the GPIB stuff that goes back and forth during calibration can be captured and easily figured out. Im going to ask one more time.

I want this https://cal.software.keysight.com/?id=2525023 (https://cal.software.keysight.com/?id=2525023)  under this license.. https://www.keysight.com/us/en/assets/7018-01623/data-sheets/5989-6956.pdf (https://www.keysight.com/us/en/assets/7018-01623/data-sheets/5989-6956.pdf)  for 1 unit, a ESA E4402B.. Its supported..

I VASTLY prefer to use software legitly. As long as its not too expensive, I am happy to pay it.

Keysight seems to be unpleasant and stupid.

What they should do is just allow all these tools and things to go free. Real businesses are not buying these older devices, hobbyists are. Like me, a Ham radio guy.. They are NOT losing sales to this old gear...

Maybe I need to target someone higher up the chain at Keysight..
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 24, 2020, 03:45:43 am
BTW:  I just started a new thread in the repair forum for repairing the Tracking Generator that's getting a Source Unlevel error if anyone is interested

You will eventually need to calibrate it. We gotta figure out how to do that..

Keysight is not in business to support hobbyists. That's not their business model. For TME you're looking at 5K+ I believe.
Hobbyists aren't buying these usually either, at a cost of 3K+ for a broken one most hobbyists cannot afford that. Every now and then you find one for much less. I did, I got very lucky and the repair was simple. The TG may be a different issue. It's been repaired before. I need to figure out if the Source Unlevel is the LO Control board (I hope) or the BITG which is not documented

Far as calibration, first run a performance test to see if it needs to be calibrated. All documented in the calibration guide

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: xymox on September 24, 2020, 04:18:19 am
Yea I have been thru the "calibration" guide.. Hehehe..  I'm still not sure how to set Coarse and Fine in the timebase in the service menu..

I do have something off on both my units. If I give them my rubidium clock std 10MHz it displays slightly off center if I set the SA for 1Hz res bw and 100Hz span. Also the freq counter is off a bit..

Amplitude is reading slightly off at various frequency points.

These are not much off, but with this many years on these devices, it's normal to have drift.

Also if we want to swap boards around between units and maintain these over the next 10 years we just gotta be able to calibrate them.

These calibration adjustments must also be kept in some flash. If the flash goes or gets wiped, that's it. No hope of recovery.

We gotta be able to do TME.. I can't find old versions of TME. Or maybe some old different program used to calibrate.

I have sent a nice email to Ron Nersesian. He has an awesome career that goes way back with HP. Back to the good old days of HP. I have suggested that hobbyists fuel young engineers and so their future customers could well be buying this older gear from ebay. I suggested it's helpful for EoL devices that are locked away with keys to maybe get a free online key gen process. This would fuel many hobbyists into engineers and maybe future customers. It won't hurt Keysight sales as hobbyists cannot afford to buy new gear and companies using this kind of test equipment don't buy old gear like this.

I'm sure I won't get a response. BUT the email did not reflect back. So I did find the right email to use for him.

WTH... Why not try...

BTW the self calibration license has provisions for a single serial number instrument. That would have to be way cheaper than a single seat.

Maybe I can get a trial license. If so, I can capture all the GPIB..AND calibrate my unit at least once..
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: xymox on September 24, 2020, 05:21:45 am
OooOOo... TMA has a help file for the ESA series.. It has a lot of interesting things in it..


It *SEEMS* like you could set the freq limit and pick the model when you replace the processor board.. I believe there are hardware differences tho between models, so, it's not JUST a setting. BUT it's interesting tho.. Plus there are a lot of things in here that are interesting.. The part about processor initialization is interesting. http://www.xymox1.com/Misc/Utilities.pdf

All the adjustments you can do.. http://www.xymox1.com/Misc/Adjustments.pdf

I am still unsure if you can manually enter any values. It may be the TSE software forces hooking up automated bench gear and standards and then operates all that via GPIB and does the calibration fully automated.. This would not be useful. It would be better, for hobbyist use, that we could enter values manually.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: xymox on September 25, 2020, 12:07:59 am
THIS is the software I want... I think... It's old too so maybe hackable.. This can do spectrograms with full width spans..

BUT it's OLD... Runs on Windows 2000.. But that's fine I have a laptop of that vintage AND there is always VM..

https://www.keysight.com/en/pd-1000004487%3Aepsg%3Apro/esa-and-psa-option-230-benchlink-web-remote-control-software?pm=PL&nid=-32406.536880458&cc=US&lc=eng
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 25, 2020, 01:20:51 am
Far as I understand this one just needs Option 230 enabled on the SA. You can do that.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 25, 2020, 01:24:04 am
TME is Keysight's premier package used to calibrate instruments and sold to calibration shops all over the world
I can see in any way Keysight is going to give that up to hobbyists.  Hobbyists are not any major part of their sales revenue.
I would love it but I'll put my money on no reply or a negative reply

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: apples on September 25, 2020, 10:21:58 pm
Just want to thank the people on this thread for their wonderful effort.

I have 3 x ESA 4402Bs that now have RF Pre-Amp which is what I needed.   One of them though is showing two distinct spikes (actually holes I suppose) in the response at 997.5MHz and 1.32GHz and when you turn the RF Pre Amp, the others don't do this.   Outside these gaps, the pre-amp is working fine.

Anyone know what could cause this?  Loose connectors ??
 
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 25, 2020, 10:30:44 pm
What’s the serial number on the unit?
The preamp hardware is only installed after a certain serial number
Maybe you don’t have the actual hardware ???

Just guessing but might be worth a check
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on September 26, 2020, 12:59:33 am
Just want to thank the people on this thread for their wonderful effort.

I have 3 x ESA 4402Bs that now have RF Pre-Amp which is what I needed.   One of them though is showing two distinct spikes (actually holes I suppose) in the response at 997.5MHz and 1.32GHz and when you turn the RF Pre Amp, the others don't do this.   Outside these gaps, the pre-amp is working fine.

Anyone know what could cause this?  Loose connectors ??
 

First of all, to figure out if your preamps are working, a simple test is to set your Ref Lvl to something small like -40dBm (no signal needs to be connected) and then turn on/off the preamp. Your noise floor must jump up and down by about 15-20dB depending on the gain of the preamp

I am not sure if those spikes are created by the preamp. Maybe as Sandra said you don't actually have the hardware for it and it is creating garbage
otherwise the preamp is self oscillating!  :o
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on September 26, 2020, 01:03:12 am
this thread has been going off rail for quite some time. it must have been pretty much closed after the final solution. things that came after that, though interesting and useful, should have been in threads of their own.

Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: apples on September 26, 2020, 06:40:27 am
@analogRF -fair point.

I considered it was somewhat relevant as others are sure to use the method for this and what I'm seeing might just be a limitation of just turning the 1DS option on without having the correct re-calibration software.

For completeness, I can confirm that in my case at least the preamp IS installed and IS working as expected apart from these 'spikes'.  I'll carry on the conversation as necessary on a new thread.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: tv84 on September 26, 2020, 07:57:44 am
this thread has been going off rail for quite some time. it must have been pretty much closed after the final solution. things that came after that, though interesting and useful, should have been in threads of their own.

I think we are now seeing the consequences of enabling options on Agilent ESA series so not much of a derailing here, IMHO. Of course, some themes may deserve a thread on their own.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on September 30, 2020, 06:58:11 pm
let me pose a fresh and more useful and interesting challenge with regard to these analyzers:

how can we convert E4404B (6.7GHz) to E4405B (13.2GHz) if at all?

All boards and modules including the critical ones (attenuator and RYTHM) are common between these two
so the frequency must be limited by software only

of course calibration after such an upgrade is a must and can pose a problem since the cal procedure is not possible by hobbyists

but still it would be awesome  ;D
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on September 30, 2020, 09:37:43 pm
Service menu allow change of model and frequency range.
SERVICE/-2010/SERVICE

Other way is to program EEPROM on back of Processor card

Last if you have TME and ESA Module can do it there
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on October 01, 2020, 01:54:46 am
What's the catch then? Could it be just the calibration thing? if it can be converted so easily then why did Agilent even sell E4404B? or why did anybody buy E4405B? Their original prices were hugely different...
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: smgvbest on October 01, 2020, 02:28:01 am
IDK,   I've used it to change mine to the EMC model (same firmware),   the service menu with the right password looks to even permit you to change the serial number.  the -2010 does not permit then though.  the Serial Number and Save Serial Number are greyed out so there's additional service passwords.
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: mankan on October 02, 2020, 11:19:58 am
This (https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3239946/#msg3239946) can also be used in the old E44xxB ESG Signal Generators.

Just checked.
Really with the same vendor name and seeds? I cannot get it to work with a lmcrypt.exe that works for ESA. I've also tried HOST_ID variations like the VSA but with ESG and ESG-D instead. None of them produce a working code (i.e. a code for an option I already have installed).
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: analogRF on October 02, 2020, 11:22:39 am
Service menu allow change of model and frequency range.
SERVICE/-2010/SERVICE

Other way is to program EEPROM on back of Processor card

Last if you have TME and ESA Module can do it there

maybe it is only possible to downgrade or convert to equivalent EMC model from ESA and vice versa.

someone with E4404B should try this
Title: Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
Post by: PA0PBZ on October 02, 2020, 11:44:14 am
This (https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3239946/#msg3239946) can also be used in the old E44xxB ESG Signal Generators.

Just checked.
Really with the same vendor name and seeds? I cannot get it to work with a lmcrypt.exe that works for ESA. I've also tried HOST_ID variations like the VSA but with ESG and ESG-D instead. None of them produce a working code (i.e. a code for an option I already have installed).

The ESG uses the following format:

FEATURE ABC TMOMID01 1.0 permanent uncounted 0123456789AB VENDOR_STRING=0 HOSTID=12345678