EEVblog Electronics Community Forum
Products => Test Equipment => Topic started by: analogRF on October 21, 2019, 02:27:26 pm
-
Hi
I was wondering if anyone ever hacked these ESA spectrum analyzers to enable options?
Some options like 1DR and 1DS (or even 1D5 for S/N > 4421) can be enabled by license key only.
https://www.keysight.com/main/editorial.jspx?cc=US&lc=eng&ckey=277453&nid=-11143.0.00&id=277453
-
I have the same question! Specifically I want to enable the RF Preamp option (the hardware should be there). Wondering if I can set a bit in the EEPROM on the processor card, or maybe figure out the key(s) based on the serial number.
Anyone?
Mark B
-
I have heard that these analyzers have been cracked but people who know how it's done, won't disclose anything :-//
-
I have an idea but it would be tedious and slightly dangerous...
Pull the EEPROM (processor board - an assumption on my part) from a unit that has some options enabled, and read that.
Put it back, disable an option or two, remove it again and reread, then look for changes.
Ug!
-
Disabling the option in the menus does not remove it from the EEPROM.
I am pretty sure someone has found a way to enable the options but it is not shared....
-
If it's the same as the N1996a CSA and the E7495 it uses FlexLM, I'm the one to blame for the "enhancement" and I have no problem to have a look at these machines as they are discontinued anyway. Does anyone have root access to these machines already?
-
> If it's the same as the N1996a CSA and the E7495 it uses FlexLM, I'm the one to blame for the "enhancement" and I have no problem to have a look at these machines as they are discontinued anyway. Does anyone have root access to these machines already?
That would be awesome. Unfortunately I don't have root access. I think N1996A is a much newer machine than ESA series... but of course they might be using the same OS.
-
Can you see what format the license code should be? That would probably show if it is FlexLM or something else.
I just downloaded the firmware upgrade but it is 9 discs |O And the other version for older OS does not run on my PC.
-to be continued-
-
Actually I personally do not have one of these analyzers but have been hunting for one for quite some time. If there is a way to enable some non-hardware options then it would be awesome... I have worked with them though...
Maybe this page will help?
https://www.keysight.com/main/editorial.jspx?cc=US&lc=eng&ckey=1000004808:epsg:faq&nid=-35489.384884&id=1000004808:epsg:faq
-
I think you may be able to just concatenate the five ESAFW files, though I'm not completely sure - there might be a header on each.
There are references in the source to FlexLM, and an RTOS named pSOS.
-
So it runs on some kind of *nix, it is FlexLM and the license file is here: /usr/local/flexlm/licenses/license.dat.
The bad news is that the bytes that have to be patched in the other instruments are not to be found in the ESAFW file.
So, is there any way to communicate with the ESA, is there a prompt on a serial port? I don't think it has ethernet..
Is there a harddisk inside that is readable? [Edit] No, it's flash.
-
Processor is Motorola Coldfire: [attached image]
-
Not sure what you are trying to convey here. The ESA instruments use the MC68LC040 (integer only version) and as far as I know do not have a "traditional" OS at all, unlike the newer units.
If there is a way to interrogate the system, I would love to know how!
-
I'm trying to find a way into the ESA to be able to patch the FlexLM part. It looks like the code disassembles fine as a Coldfire processor but you could be right that it is a 68LC040. It looks like it's not that different and it disassembles fine. The method I used to get around the FlexLM stuff in the other instruments is always returning "ok" on an entered license but you have to patch the FlexLM daemon. If you can't get to the file that is going to be difficult so I'm looking at the install.o file to see how it works and if there is a way to install a patched file, that's basically it :)
-
Yeah, not much differs I think between those processors, at least basic op codes. Coldfire is newer than the old MOT 680xx.
As mentioned, don't think these run HP-UX, Windows or any such OS. So no idea if there is anything resembling a file system.
Although it has A: and C: drives (floppy and flash) so who knows! If it's there, you do not see it when the system boots.
-
No, the preamp option is not just software. It actually does have a hardware preamp after the input that can be turned on and off.
-
> The method I used to get around the FlexLM stuff in the other instruments is always returning "ok" on an entered license but you have to patch the FlexLM daemon. If you can't get to the file that is going to be difficult so I'm looking at the install.o file to see how it works and if there is a way to install a patched file, that's basically it :)
Have you succeeded? Do you have JTAG access?
-
> Have you succeeded? Do you have JTAG access?
I gave up looking at the install file (can't remember why) and I don't have the hardware myself so the motivation is low.
-
My turn to chime in. I just got ahold of a broken E4407B from Alltest. I will be posting a blog about the repair once it arrives.
In the meantime, this is a topic I am also interested in. I'd love to enable any of the license-only options I could.
Everything I see says this is not Linux at all, which I think we agree on.
I don't think FlexLM is involved, they would have had to port it to their proprietary software which seems a waste.
I wonder if you could brute force this over SCPI. You can enter the license that way.
Be interesting to get a few options done.
Me first, I have to wait for mine to arrive then figure out what's broke.
Does anyone have the actual CLIP for this I could borrow? I have the scanned version and even in it the schematics are hard to read.
Also, anyone have a handle they are not using? I'll post in the wanted section but thought I would ask.
Edit: I need to walk back the statement over FlexLM. It is part of the code as was pointed out by @Miek and the OS is pSOS as also pointed out.
-
Does anyone have a Personality Disk from any of the options and/or a license file?
I need your hostID also if anyone is willing to share.
-
I extracted strings from the E4407B and found some interesting ones.
In particular is SCPI Debugger:
Line 7267: 3679704:@(#)LDS Rev:3.10 - Module Incremental (Aug 4 2008) ; hpib (68xxx asm) Rev 1.20
Line 7360: 3769948:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Semeval Rev 3.10
Line 7438: 3859435:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); scpi_lp Rev 3.10
Line 7451: 3862796:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); shr Rev 3.10
Line 7509: 3894168:@(#)LDS Rev:3.10 - Module Incremental (Mar 26 2007); active function Rev 3.10
Line 7515: 3919656:@(#)LDS Rev:3.10 - Module Incremental (Mar 26 2007); fpanel control Rev 3.10
Line 7581: 3942204:@(#)LDS Rev:3.10 - Module Incremental (Mar 26 2007); menu system Rev 3.10
Line 7590: 3950528:@(#)LDS Rev:3.10 - Module Incremental (Jul 8 2003); ptp Rev 3.10
Line 7607: 3990652:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); scum Rev 3.10
Line 7613: 3997792:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Math64 Rev 3.10
Line 7614: 4008452:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); cvt (asm source) Rev 3.10
Line 7615: 4009139:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); mcat Rev 3.10
Line 7630: 4012400:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); rlock Rev 3.10
Line 7644: 4017028:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Save-Recall Rev 3.10
Line 7646: 4021306:@(#)LDS Rev:3.10 - Module Incremental (Sep 10 1999); OS wrapper for psos Rev 3.10
Line 7723: 4051040:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); HIHR Rev 3.10
Line 7737: 4059944:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Null Happening Reporter Rev 3.10
Line 7738: 4060052:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Tee Happening Reporter Rev 3.10
Line 7740: 4060976:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Stderr Happening Reporter Rev 3.10
Line 7741: 4061100:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Stdio Happening Reporter Rev 3.10
Line 7746: 4061988:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Scpi Debugger Rev 3.10
Line 7765: 4072404:@(#)LDS Rev:3.10 - Module Incremental (Sep 10 1999); optimized memory manager Rev 3.10
I also extracted all the FlexLM items I could see.
One of interest is
/usr/local/flexlm/licenses/license.dat
4072496:@(#) FLEXlm 6.0d (liblmgr.a), Copyright (C) 1988-1997 Globetrotter Software, Inc.
Also of interest is
0:----- System/pSOS Debug commands:-----
1176785:'?' - this help message.
1176815:'j' - drop into breakpoint.
1176848:'^C' - Abort to monitor.
1176877:'^P' - Process status info, and LOTS of it.
1176925:'[dD]' - Print DLP debug information.
1176965:'[bB]' - Big memory hog report.
1176999:'[pP]' - Process ONLY status info.
1177038:'[eE]' - Exchange info.
1177064:'[gG]' - toggle breakpoint exception handlers on/off
1177119:'[tT]' - Time log.
1177140:'[hH]' - History log.
1177164:'[oO]' - Memory segment ownership.
1177201:'[mM]' - Memory segment summary.
1177236:'[sS]' - Semaphore ownership, etc.
1177273:'[uU]' - maximum process stack Usage.
1177313:'[vV]' - memory Validity check.
1177347:'[iI]' - Show psosSystemData.
1177379:'[1]' - Show NVRAM contents.
1177411:'[9]' - Show Exception Report.
1177445:'[wW] <process name>' - Show process stack trace.
1177497:Unknown debug char:'%c' (0x%02X). Press '?' for help.
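-
For anyone auditing a firmware image like this one, the `@(#)` ident strings in the listing above can be turned into a component inventory, with debug-interface strings flagged for review. This is an added example, not part of the original post; the function names and the keyword list are assumptions, and the sample lines are copied from the post.

```python
"""Component inventory from a firmware strings listing (added example)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Sample lines copied from the post above: "offset:string", some carrying a
# text editor's "Line N:" search-result prefix.
SAMPLE = """\
Line 7267: 3679704:@(#)LDS Rev:3.10 - Module Incremental (Aug 4 2008) ; hpib (68xxx asm) Rev 1.20
Line 7646: 4021306:@(#)LDS Rev:3.10 - Module Incremental (Sep 10 1999); OS wrapper for psos Rev 3.10
Line 7746: 4061988:@(#)LDS Rev:3.10 - Module Incremental (Oct 11 1999); Scpi Debugger Rev 3.10
4072496:@(#) FLEXlm 6.0d (liblmgr.a), Copyright (C) 1988-1997 Globetrotter Software, Inc.
1176999:'[pP]' - Process ONLY status info.
0:----- System/pSOS Debug commands:-----
1176848:'^C' - Abort to monitor.
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# "offset:text", optionally preceded by "Line N: ".
LINE_RE = re.compile(r"^(?:Line \d+:\s*)?(?P<off>\d+):(?P<text>.*)$")
# Ident of the form "LDS Rev:3.10 - Module Incremental (Aug 4 2008) ; name Rev 1.20".
LDS_RE = re.compile(
    r"^LDS Rev:\s*\S+ - Module Incremental "
    r"\((?P<mon>" + "|".join(MONTHS) + r")\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\)"
    r"\s*;\s*(?P<name>.+?) Rev (?P<rev>\S+)\s*$")
# Third-party library banner of the form "FLEXlm 6.0d (liblmgr.a), ...".
FLEXLM_RE = re.compile(r"^FLEXlm (?P<rev>\S+) \((?P<lib>[^)]+)\)")
# Assumed keyword list for strings that hint at a debug interface left in the image.
DEBUG_RE = re.compile(r"debug|monitor|gdb|breakpoint", re.IGNORECASE)


@dataclass(frozen=True)
class Component:
    offset: int                # byte offset of the ident string in the image
    name: str
    revision: Optional[str]
    built: Optional[date]      # build date, when the ident carries one


def parse_lines(listing: str) -> List[Tuple[int, str]]:
    """Return (offset, text) pairs; lines without an offset are skipped."""
    pairs = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            pairs.append((int(m["off"]), m["text"]))
    return pairs


def inventory(listing: str) -> List[Component]:
    """Build one Component per '@(#)' ident string, in listing order."""
    comps = []
    for off, text in parse_lines(listing):
        if not text.startswith("@(#)"):
            continue
        ident = text[4:].strip()
        m = LDS_RE.match(ident)
        if m:
            built = date(int(m["year"]), MONTHS[m["mon"]], int(m["day"]))
            comps.append(Component(off, m["name"].strip(), m["rev"], built))
            continue
        m = FLEXLM_RE.match(ident)
        if m:
            comps.append(Component(off, "FLEXlm", m["rev"], None))
            continue
        comps.append(Component(off, ident, None, None))  # unknown ident: keep verbatim
    return comps


def debug_surface(listing: str) -> List[Tuple[int, str]]:
    """Strings that suggest a debug monitor or debugger is present in the image."""
    return [(off, text) for off, text in parse_lines(listing) if DEBUG_RE.search(text)]


def build_date_range(comps: List[Component]) -> Optional[Tuple[date, date]]:
    """Oldest and newest build date among components that carry one."""
    dates = [c.built for c in comps if c.built]
    return (min(dates), max(dates)) if dates else None


if __name__ == "__main__":
    comps = inventory(SAMPLE)
    for c in comps:
        print(f"{c.offset:>8}  {c.name:<22} rev={c.revision} built={c.built}")
    print("build dates:", build_date_range(comps))
    for off, text in debug_surface(SAMPLE):
        print(f"review debug string at {off}: {text}")
```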
-
Sandra,
Can you extract your /usr/local/flexlm/licenses/license.dat ?
Do you have JTAG access?
-
I don't have JTAG access yet.
My SA has no licenses so it's not the best unit to work with.
My plan is to try several things.
The serial port, to see if any boot info shows up and to see if something I saw is correct, as it looks like you can dump memory through the serial interface or SCPI interface.
JTAG is a boundary scan only interface on the 68040.
I haven't seen any predefined targets for 68040 in OCD.
-
A memdump, a boot log, etc. Everything helps.
-
Hum
I read out the boot ROM and did the string search there and found some interesting things in there
like a ROM Monitor, GDB, breakpoints, memory dump etc... hummmm
I'm going to have to get hooked up to the J1 port RS232.
-
For those interested here's the dump of the bootrom
-
Not an expert here, but I am not sure if the bootrom is that useful for cracking the options.
You probably need to access a serial console that is somewhere on the CPU board to access the main firmware files that are unpacked in the flash (or is it EEPROM?).
Is there a place that you can enter a license key and see what error it generates?
-
The reason for posting it is there appears to be monitor functions built in that may help get to the data we're after.
My unit has no licenses and the licenses are stored in the Flash memory, not in the EEPROM, according to the security doc out there from Agilent.
-
So before trying to attach the J1 connector I figured I better determine if it's RS232 levels or TTL level output.
U63 is a MAX232, so RS232 levels.
Also J1 is a 2mm 2x5 header. I don't have one so Digikey order (along with stuff for my DSKY EL Display) should be here by Monday I hope.
Unless I can rig up something.
-
All you need to do is to attach two small grabbers to pin9 and pin10 of the MAX232 chip (TTL level) and you are good to go. Any cheap UART-USB converter will do the job. I prefer my BUSPirate. That's how I have always done this in numerous instruments.
But which RS232 connector is this? Is it the one at the back of the instrument? Or is it something just on board for debugging?
Because if it is the one at the back of the instrument, you won't get any boot log on that or access to the OS.
-
Got the connection working. I needed a reboot |O
This is some of the information I see from it:
***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.
@(#)HEWLETT-PACKARD, E4401 Bootrom, 5.00
@(#)LDS Rev: 3.02 - Module Incremental (Sep 9 2003)
@(#)Linked: Sep 9 2003 14:46:44
Bootrom Checksum ...
Bootrom DRAM: Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM: Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
Self-tests complete.SRAM selftest results:
Start = 0xa000000
End = 0xa007fa3
Errors = 0x0
DRAM selftest results:
Start = 0x4011000
End = 0x6000000
Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19
Cache Enabled
16MBytes of FLASH
Download to Flash Selected
>>> mainMain()
text segment: 0x4011000 thru 0x4435e14 ( 424e14 bytes)
data segment: 0x4600000 thru 0x476dd88 ( 16dd88 bytes)
bss segment: 0x476dd88 thru 0x48bcce8 ( 14ef60 bytes)
ROM size: 0x00592b9c ( 592b9c bytes of 4194304 max.)
memory pool (all): 0x048bcce8 thru 0x05ffffff (24392472 bytes)
Calling start_psos() ...
>>>> debug() process starting
DLP Loaded - Power Suite Utilities, A.06.05, Nov 21 2003 15:45:40
----- System/pSOS Debug commands: -----
'?' - this help message.
'j' - drop into breakpoint.
'^C' - Abort to monitor.
'^P' - Process status info, and LOTS of it.
'[dD]' - Print DLP debug information.
'[bB]' - Big memory hog report.
'[pP]' - Process ONLY status info.
'[eE]' - Exchange info.
'[gG]' - toggle breakpoint exception handlers on/off
'[tT]' - Time log.
'[hH]' - History log.
'[oO]' - Memory segment ownership.
'[mM]' - Memory segment summary.
'[sS]' - Semaphore ownership, etc.
'[uU]' - maximum process stack Usage.
'[vV]' - memory Validity check.
'[iI]' - Show psosSystemData.
'[1]' - Show NVRAM contents.
'[9]' - Show Exception Report.
'[wW] <process name>' - Show process stack trace.
>d
==============================================================
DLP LIST
Name State Text Data BSS
c:dlp\ps2\ps2.o Loaded 0x5c3dcc8/1751472 0x5c3bcb4/8192 0x5b6abe0/856256
c:dlp\pn\pn.o Unlicensed 0x0/0 0x0/0 0x0/0
c:dlp\catv\catv.o Unlicensed 0x0/0 0x0/0 0x0/0
==============================================================
Currently 1 DLP's loaded
>b
=================================================================
Memory HOG report - oink oink
=================================================================
>p
pid PNAME STAT/M PRI GID POS TIX MEMORY STK CPU
0x048ca38c SWFI RUN 51 0 * 1 0kB 8% 25%
0x048cc0f0 AAFI RDY 51 0 1 1 0kB 12% 0%
0x048c9714 IDLE RDY 0 0 2 1 0kB 6% 8%
0x048ccf30 CLOK paus 100 0 . 0 0kB 16% 0%
0x048c9ffc DIst paus 52 0 . 3106 0kB 3% 0%
0x048c9aa4 DRST paus 80 0 . 61 0kB 47% 0%
0x048c99c0 FMOT paus 100 0 . 43 0kB 47% 0%
0x048cd014 UPDT xblk 249 0 . 1 0kB 23% 0%
0x048cce4c MAXM xblk 60 0 . 1 0kB 6% 0%
0x048ccc84 LLMR xblk 60 0 . 1 0kB 6% 0%
0x048ccba0 PRNT xblk 60 0 . 1 0kB 8% 0%
0x048ccabc DSPF xblk 51 0 . 1 0kB 5% 0%
0x048cc9d8 DSPM xblk 60 0 . 1 0kB 6% 0%
0x048cc8f4 DMFI xblk 51 0 . 1 0kB 5% 0%
0x048cc810 DMMR xblk 60 0 . 1 0kB 6% 0%
0x048cc648 FCFI xblk 51 0 . 1 0kB 5% 0%
0x048cc564 FCMR xblk 60 0 . 1 0kB 6% 0%
0x048cc480 ANSQ xblk 52 0 . 1 0kB 13% 0%
0x048cc39c ANFI xblk 51 0 . 1 0kB 13% 0%
0x048cc2b8 ANMR xblk 60 0 . 1 0kB 6% 0%
0x048cc1d4 AASQ xblk 52 0 . 1 0kB 21% 28%
0x048cc00c AAMR xblk 60 0 . 1 0kB 6% 0%
0x048cbf28 SYMR xblk 60 0 . 1 0kB 8% 0%
0x048cbe44 SGMR xblk 60 0 . 1 0kB 6% 0%
0x048cbd60 ZMKR xblk 60 0 . 1 0kB 6% 0%
0x048cbc7c MKR xblk 60 0 . 1 0kB 6% 0%
0x048cbb98 DEF3 xblk 51 0 . 1 0kB 5% 0%
0x048cbab4 SNFI xblk 51 0 . 1 0kB 5% 0%
0x048cb9d0 SNMR xblk 60 0 . 1 0kB 6% 0%
0x048cb8ec DEF2 xblk 51 0 . 1 0kB 5% 0%
0x048cb808 LGDT xblk 251 0 . 1 0kB 8% 0%
0x048cb724 LGDE xblk 60 0 . 1 0kB 6% 0%
0x048cb640 DSFI xblk 51 0 . 1 0kB 5% 0%
0x048cb55c LGDT xblk 251 0 . 1 0kB 8% 0%
0x048cb478 LGDS xblk 60 0 . 1 0kB 6% 0%
0x048cb394 SWFI xblk 51 0 . 1 0kB 5% 0%
0x048cb2b0 LGST xblk 251 0 . 1 0kB 8% 0%
0x048cb1cc LGSW xblk 60 0 . 1 0kB 6% 0%
0x048cb0e8 DEFI xblk 51 0 . 1 0kB 5% 0%
0x048cb004 DEMT xblk 251 0 . 1 0kB 8% 0%
0x048caf20 DEMR xblk 60 0 . 1 0kB 6% 0%
0x048cae3c DMZF xblk 51 0 . 1 0kB 5% 0%
0x048cad58 ZDMT xblk 251 0 . 1 0kB 8% 0%
0x048cac74 ZDMR xblk 60 0 . 1 0kB 6% 0%
0x048cab90 SIFI xblk 51 0 . 1 0kB 5% 0%
0x048caaac SIMT xblk 251 0 . 1 0kB 8% 0%
0x048ca9c8 SIMR xblk 60 0 . 1 0kB 6% 0%
0x048ca8e4 DZFI xblk 51 0 . 1 0kB 5% 0%
0x048ca800 DZMT xblk 251 0 . 1 0kB 8% 0%
0x048ca71c DZMR xblk 60 0 . 1 0kB 6% 0%
0x048ca638 DSFI xblk 51 0 . 1 0kB 5% 0%
0x048ca554 DSMT xblk 251 0 . 1 0kB 8% 0%
0x048ca470 DSMR xblk 60 0 . 1 0kB 6% 0%
0x048ca2a8 SWMT xblk 251 0 . 1 0kB 8% 0%
0x048ca1c4 SWMR xblk 60 0 . 1 0kB 6% 1%
0x048ca0e0 MIME xblk 79 0 . 1 0kB 6% 2%
0x048c9f18 FPLP xblk 250 0 . 1 0kB 9% 0%
0x048c9e34 DCAS xblk 251 0 . 1 0kB 8% 0%
0x048c9d50 RLCN xblk 230 0 . 1 0kB 8% 0%
0x048c9c6c REMT xblk 250 0 . 1 0kB 5% 0%
0x048c9b88 PCKB xblk 230 0 . 1 0kB 8% 0%
0x048c97f8 DISP xblk 253 0 . 1 0kB 8% 4%
0x048c98dc APPS xblk 230 0 . 1 0kB 25% 0%
0x048c9630 ROOT xblk 230 0 . 1 0kB 4% 32%
>> EVENTS: W(0x0) S(0x2000)
64 Process(s) (27 avail); Total time: 4569 ticks.
>e
155 Exchange(s) (245 avail).
2 Msg buffer(s) (1022 avail).
>g
Breakpoint handler installed
>i
PsosSystemData (0x048bcce8):
(0x048bcce8) OS_PCB *runningPCB = 0x048ca38c
(0x048bccec) OS_PCB *readyList = 0x048c97f8
(0x048bccf0) OS_PCB *pauseList = 0x048ccf30
(0x048bccf4) OS_PCB *pcbActiveHead = 0x048cd014
(0x048bccf8) OS_PCB *pcbFreeHead = 0x048ccd68
(0x048bccfc) OS_XCB *xcbActiveHead = 0x048c1584
(0x048bcd00) OS_XCB *xcbFreeHead = 0x048c15a6
(0x048bcd04) OS_Message *mgbFreeHead = 0x048c3750
(0x048bcd08) void *sstackEnd = 0x048c0110
(0x048bcd0c) short kernelLevel = 0
(0x048bcd0e) short reserved1 = 0
(0x048bcd10) int reserved2 = 1280
(0x048bcd14) int phileData = 620765184
(0x048bcd18) int probeEntry = 71205862
(0x048bcd1c) OS_PCB *memQHead = 0x048bcd1c
(0x048bcd20) OS_PCB *memQTail = 0x048bcd1c
(0x048bcd24) int timeoutTicks = 41
(0x048bcd28) short ticks = 45
(0x048bcd2a) short pad1 = 0
(0x048bcd2c) int time = 292
(0x048bcd30) int date = 130155777
(0x048bcd34) char motbl[12] =
(0x048bcd40) short ticksPerSec = 100
(0x048bcd42) short ticksPerSlice = 1
(0x048bcd44) char todset =
(0x048bcd45) char eventRace = (0x048bcd46) char unusedPad[2] =
(0x048bcd48) Lds_UInt32 switchProc = 0
(0x048bcd4c) regionInfo[0].minSeg = 20
(0x048bcd50) regionInfo[0].maxSeg = 58796
(0x048bcd54) regionInfo[0].minPend = 6020
(0x048bcd58) regionInfo[0].regionEnd = 0x048dcce7
(0x048bcd5c) regionInfo[0].regionName = REG1
(0x048bcd60) regionInfo[0].freeHead = 0x048ce73c
(0x048bcd64) regionInfo[0].freeTail = 0x048d3e30
(0x048bcd68) regionInfo[0].regionFlags = 0
(0x048bcd6c) regionInfo[1].minSeg = 20
(0x048bcd70) regionInfo[1].maxSeg = 24261400
(0x048bcd74) regionInfo[1].minPend = 24261401
(0x048bcd78) regionInfo[1].regionEnd = 0x05ffffff
(0x048bcd78) regionInfo[1].regionEnd = 0x05Bfffff
(0x048bcd80) regionInfo[1].freeHead = 0x048dcce8
(0x048bcd84) regionInfo[1].freeTail = 0x05e74208
(0x048bcd88) regionInfo[1].regionFlags = 0
(0x048bcd8c) regionInfo[2].minSeg = 20
(0x048bcd90) regionInfo[2].maxSeg = 21844
(0x048bcd94) regionInfo[2].minPend = 21845
(0x048bcd98) regionInfo[2].regionEnd = 0x0a006393
(0x048bcd9c) regionInfo[2].regionName = dyna
(0x048bcda0) regionInfo[2].freeHead = 0x0a000e40
(0x048bcda4) regionInfo[2].freeTail = 0x0a000e40
(0x048bcda8) regionInfo[2].regionFlags = 1
(0x048bcdac) regionInfo[3].minSeg = 128
(0x048bcdb0) regionInfo[3].maxSeg = 7120
(0x048bcdb4) regionInfo[3].minPend = 7121
(0x048bcdb8) regionInfo[3].regionEnd = 0x0a007fa3
(0x048bcdbc) regionInfo[3].regionName = nvra
(0x048bcdc0) regionInfo[3].freeHead = 0x0a0063d4
(0x048bcdc4) regionInfo[3].freeTail = 0x0a0063d4
(0x048bcdc8) regionInfo[3].regionFlags = 0
9>
Contents of the Exception Report:
[0x0a007fa4] D0 = 0x00000000
[0x0a007fa8] D1 = 0x00000000
[0x0a007fac] D2 = 0x00000000
[0x0a007fb0] D3 = 0x00000000
[0x0a007fb4] D4 = 0x00000000
[0x0a007fb8] D5 = 0x00000000
[0x0a007fbc] D6 = 0x00000000
[0x0a007fc0] D7 = 0x00000000
[0x0a007fc4] A0 = 0x00000000
[0x0a007fc8] A1 = 0x00000000
[0x0a007fcc] A2 = 0x00000000
[0x0a007fd0] A3 = 0x00008000
[0x0a007fd4] A4 = 0x00000000
[0x0a007fd8] A5 = 0x00000000
[0x0a007fdc] A6 = 0x00000000
[0x0a007fe0] A7 = 0x00000000
[0x0a007fe4] SSP = 0x00000000
[0x0a007fe8] SR = 0x0000
[0x0a007fec] PC = 0x00000000
[0x0a007fec] FMT/VO = 0x0000
-
The first item needed is a full dump of the memory. A dump of one with licensed options would really help; mine has no licensed options.
FlexLM 6.01, which appears to be in the update file that I extracted strings from, has been hacked, and there are articles on how to find the different key values.
The part at the moment is how to get that dump, flash and SDRAM, from a running system.
I figured out the JTAG pins and where you can pick them up, but JTAG is not something I'm good with.
If all you have is a boundary scan ability, can you get a dump of memory?
Anyone who can help with that and setting up OCD, I'll do it on my ESA.
I just need the help.
The processor is a 68LC040, I believe (it's the LC part I'm not 100% sure of off the top of my head).
-
The first item needed is a full dump of the memory. A dump of one with licensed options would really help; mine has no licensed options.
FlexLM 6.01, which appears to be in the update file that I extracted strings from, has been hacked, and there are articles on how to find the different key values.
The part at the moment is how to get that dump, flash and SDRAM, from a running system.
I don't think flexLM is in the update file. It should be already inside the machine. That's why a flash dump would be great.
The FlexLM version should be no problem. Regarding the places where to find the seeds it's not so simple as the several guides don't cover this lang/processor.
-
I've done JTAG in a bunch of things.. It's not normally what is in your pic? Maybe that is something else? OR I am just stupid,, I CAN be that.. Normally it's a 4 pin header. +5, tx, rx, gnd.. With either TTL or RS232 voltages. I will look more at the board shortly..
TX, RX, GND is not JTAG, it's UART. You don't even need the Vcc necessarily.
This thing has a JTAG interface but I don't think it will be of much help. The content of the bootrom is not what we need.
You only need the dump of flash memory to access the file system of the main OS, nothing else really. Another way would be to figure out how to combine the 9 floppy disks to create a single file firmware and then "explore" it ;)
-
Another way would be to figure out how to combine the 9 floppy disks to create a single file firmware and then "explore" it ;)
Where are those 9 disks?
-
Another way would be to figure out how to combine the 9 floppy disks to create a single file firmware and then "explore" it ;)
Where are those 9 disks?
On the Keysight website:
https://www.keysight.com/main/software.jspx?cc=CA&lc=eng&ckey=1000001085:epsg:sud&nid=-32406.536879915.02&id=1000001085:epsg:sud&cmpid=92448
EDIT: I don't have the instrument so I have never gone through the process of making the firmware update. I just know that it creates 9 floppy disks.
-
I have combined the 5 disks that make up the ESA firmware. The other 4 are the Power Suite; I can combine those as well if you want?
There is no guarantee that just combining them will give a correct image.
They may contain loader information that the internal bootrom reads to build the actual firmware that is loaded (just thinking, or overthinking).
This is a full image, it's not an upgrade. I had to do a full erase of mine's memory to restore it, so I can attest everything is on those disks.
I also have the discs for all the DLPs (personalities) that can be installed.
The reason I provided the boot loader ROM is it looks like a GDB server is in the bootrom. If you have GDB, could you dump memory through it?
There is also apparently a SCPI debug interface, maybe there's a memory read function in there?
I'll try to attach it here.
If this does not work, the other way I could brute force this is to remove all of the FLASH memory and read them out with the Xgpro (formerly TL866) reader/programmer.
I have a spare processor card I'm willing to experiment on.
-
There is also a series of F000000 to F000003 files that I wonder what they contain... I think they must be combined too.
Also there is a bootloader file on the first floppy.
Have you been able to analyze the single firmware file with tools that are available in Linux?
-
I think having the actual unpacked firmware image from the flash memory will make it a lot easier and certainly possible to hack this thing.
If I am not mistaken there is more than one flash ROM, right? So again their contents must be concatenated.
EDIT: but then we know that a simple concatenation will give us the whole system.
With the firmware installation files, I am not sure about that, because each of those 5 files may have a header and when you connect them together you get a broken image of the actual file structure.
-
There is also a series of F000000 to F000003 files that I wonder what they contain... I think they must be combined too.
Also there is a bootloader file on the first floppy.
Have you been able to analyze the single firmware file with tools that are available in Linux?
When I tried the Linux tools they did not recognize the contents.
PDISC is the physical disc number below, whereas the DISC # is the as-LABELED disc for installation.
BOOTROM: This looks for a DISK with ESALOADER on it and if so loads and runs it
DISC ESALOADER (PDISC1): This is what's run to install the FIRMWARE.
DISC1-5 (PDISC2-6): These are the ESA Firmware discs (this is the ESAFW I uploaded)
DISC1-3 (PDISC7-9): These contain the ESA Power Suite software (the F000000 to F000003 are the Power Suite image files)
I'll combine and upload the Power Suite after work today.
-
I'd love to be able to enable all DLPs and license-only options.
For example, RF PREAMP is a license-only option (hardware is there above certain serial numbers); you only need the 16 digit license key,
but the DLP for Cable Fault Analyzer requires the Tracking Gen be installed. (I have a TG installed so would like this one.)
I'm installing the DLP for Cable Fault Analyzer and grabbing screen caps so you can see the process of installing a DLP.
-
If this does not work, the other way I could brute force this is to remove all of the FLASH memory and read them out with the Xgpro (formerly TL866) reader/programmer.
I have a spare processor card I'm willing to experiment on.
This seems the best option. How many flash chips are there? Isn't it just one?
-
Total of 4
One on cpu board which is main firmware
3 on simm which is where licenses are supposed to be stored
-
Those that want to play in IDA with @smgvbest's ESAFW can use these settings:
Proc: Motorola Coldfire
Load address: 0x04011000
-
Memory module on a memory simm 72 pins old style sdram memory formfactor
It’s how the e4407b had its memory expanded
-
Memory module on a memory simm 72 pins old style sdram memory formfactor
It’s how the e4407b had its memory expanded
Never had seen one of those expansions!
We don't need a dump from the "license's flashes". The licenses are already visible on the screen.
-
Those that want to play in IDA with @smgvbest's ESAFW can use these settings:
Proc: Motorola Coldfire
Load address: 0x04011000
Is the Motorola Coldfire the same as an M68040?
The Motorola 68LC040 is the actual processor on the board, which is why I ask.
How did you manage to get the load address?
-
The static RAM is not where licenses are stored. They’re in the flash memory, so unless you wipe flash you maintain them.
Losing the SRAM loses the date/time and calibration and other settings like printer setup.
You just do an align all to get it back and reset date/time.
-
So are you gals/guys thinking about patching the image and then loading a new image in? Might be able to add all sorts of stuff that way. Hopefully it's not checksummed or anything..
So a personality MUST have a key before running? So no stripping that requirement from the personality? The ESA won't run a personality that has no license requirements?
Just thinking out loud.. And most likely being stupid..
I think what we're after is a keygen more or less.
if we can find all the keys FlexLM uses (I think there are 8 total if I understand) then we find out id using the host ID we can generate a valid license we hopefully can generate them all
Yes, a personality must also have a license; you load the personality (DLP) and license it, then it's usable.
The only DLP that's not licensed is the Power Suite.
-
I don’t know that would help
The licenses are to the hostid not the serial number
You could change the serial to match a machine basically. Install the license and it would not work
-
how did you manage to get the load address?
Educated trial & error... |O
I would like to know if there is any way to manually upload a license.dat file to the instrument? (If this is not possible we can't do a universal license file.)
Also, can anyone provide a printscreen of the license input menu?
Edit: Now that you asked... |O |O |O |O
Bootrom Checksum ...
Bootrom DRAM: Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM: Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
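The console lines quoted in the post above are enough to read the firmware's memory layout straight off the serial port. The following is an added example, not part of the original thread: it parses the boot-log lines shown earlier and cross-checks that each segment's printed size matches its address range and that every segment sits inside the tested firmware DRAM window. The function names are illustrative.

```python
import re

# Lines copied from the boot log posted earlier in this thread.
BOOT_LOG = """\
Bootrom DRAM: Testing 69632 bytes at 0x04000000
Main Firmware DRAM: Testing 33484800 bytes at 0x04011000
text segment: 0x4011000 thru 0x4435e14 ( 424e14 bytes)
data segment: 0x4600000 thru 0x476dd88 ( 16dd88 bytes)
bss segment: 0x476dd88 thru 0x48bcce8 ( 14ef60 bytes)
"""

# "<name> DRAM: Testing <decimal size> bytes at <hex base>"
DRAM_RE = re.compile(
    r"^(?P<name>.+?) DRAM: Testing (?P<size>\d+) bytes at (?P<base>0x[0-9a-fA-F]+)",
    re.M,
)
# "<name> segment: <hex start> thru <hex end> ( <hex size> bytes)"
SEG_RE = re.compile(
    r"^(?P<name>\w+) segment: (?P<start>0x[0-9a-fA-F]+) thru "
    r"(?P<end>0x[0-9a-fA-F]+) \(\s*(?P<size>[0-9a-fA-F]+) bytes\)",
    re.M,
)


def parse_memory_map(log):
    """Return (regions, segments) parsed from boot-log text.

    regions:  name -> (base, end_exclusive), sizes are printed in decimal
    segments: name -> (start, end, size), sizes are printed in hex
    """
    regions = {}
    for m in DRAM_RE.finditer(log):
        base = int(m["base"], 16)
        regions[m["name"] + " DRAM"] = (base, base + int(m["size"]))
    segments = {}
    for m in SEG_RE.finditer(log):
        segments[m["name"]] = (
            int(m["start"], 16),
            int(m["end"], 16),
            int(m["size"], 16),
        )
    return regions, segments


def check_consistency(regions, segments):
    """Return a list of human-readable problems; empty means the log agrees with itself."""
    problems = []
    fw_base, fw_end = regions["Main Firmware DRAM"]
    for name, (start, end, size) in segments.items():
        if end - start != size:
            problems.append(f"{name}: range is {end - start:#x} bytes, log says {size:#x}")
        if not (fw_base <= start and end <= fw_end):
            problems.append(f"{name}: lies outside firmware DRAM {fw_base:#x}-{fw_end:#x}")
    # Segments must not overlap once sorted by start address.
    ordered = sorted(segments.items(), key=lambda kv: kv[1][0])
    for (a, (_, a_end, _)), (b, (b_start, _, _)) in zip(ordered, ordered[1:]):
        if b_start < a_end:
            problems.append(f"{a} overlaps {b}")
    return problems


def load_address(segments):
    """The image base for a disassembler is where the text segment starts."""
    return segments["text"][0]


if __name__ == "__main__":
    regions, segments = parse_memory_map(BOOT_LOG)
    print(f"load address: {load_address(segments):#010x}")
    for line in check_consistency(regions, segments) or ["log is self-consistent"]:
        print(line)
```
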
-
After a few more educated googles I arrived here (https://www.eevblog.com/forum/testgear/_free_-vsa-options/msg584857/#msg584857). ;D
So, we're halfway there!
The licenses should have this format:
FEATURE 202 TMOMID01 1.0 permanent uncounted 0123456789AB HOSTID=E1234567
Now, we just need the seeds. ;)
-
Those that want to play in IDA with @smgvbest's ESAFW can use these settings:
Proc: Motorola Coldfire
Load address: 0x04011000
I have been trying to open this in IDA with the above settings but still I either get an error (loading address must belong to RAM or ROM) or it opens as a raw binary. Any more hints?
-
I have been trying to open this in IDA with the above settings but still I either get an error (loading address must belong to RAM or ROM) or it opens as a raw binary. Any more hints?
You put the address also in ROM address.
-
I'm attaching the ESALOADER file and the install.o which loads the Power Suite.
I'm not sure, but I think one or both of these indicate the files on the discs make me think it may be compressed or partially compressed.
ESALOADR is from DISC1 and loads the firmware
UPGRADE.O is from DISC6 which is the last disk of the firmware
install.o is the installer from the Power Suite software
All were zipped to allow upload.
Edit: fixed the missing install.o file
-
ESALOADR - Load address: 0x04011000
UPGRADE.O - Load address: 0x0 (after removing a 0x20 size header)
INSTALL.O - Load address: 0x0 (after removing a 0x20 size header)
install.o contains (in the beginning) MD5 hashes (in plain ASCII) of the files that it installs.
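An embedded hash list like the one described in the post above can be used to check that files recombined from the floppy set are intact. The following is an added example, not part of the original thread and not the installer's own logic: it skips the 0x20-byte header mentioned above, collects 32-character ASCII hex strings from the start of the file, and reports which candidate payloads match. The exact manifest layout is an assumption, and the sample installer and payloads are constructed for the demonstration.

```python
import hashlib
import re

HEADER_SIZE = 0x20  # header size reported in the post above

# A run of exactly 32 hex characters, not part of a longer hex run.
MD5_ASCII_RE = re.compile(rb"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32}(?![0-9A-Fa-f])")


def embedded_md5s(installer, scan_limit=4096):
    """Return ASCII MD5 strings found near the start of the installer body.

    Assumption: the hashes are stored as plain 32-character hex text
    within the first scan_limit bytes after the header.
    """
    body = installer[HEADER_SIZE:HEADER_SIZE + scan_limit]
    return [m.group().decode("ascii").lower() for m in MD5_ASCII_RE.finditer(body)]


def verify_payloads(installer, payloads):
    """Map each payload name to True if its MD5 appears in the installer."""
    expected = set(embedded_md5s(installer))
    return {
        name: hashlib.md5(data).hexdigest() in expected
        for name, data in payloads.items()
    }


def build_sample():
    """Constructed test data: a fake installer with two embedded hashes."""
    files = {
        "F000000": b"constructed payload A",
        "F000001": b"constructed payload B",
    }
    manifest = b"\x00".join(
        hashlib.md5(data).hexdigest().encode("ascii") for data in files.values()
    )
    # 0x20 filler bytes stand in for the real header; trailing bytes stand in for code.
    installer = b"\x7f" * HEADER_SIZE + manifest + b"\x00" + bytes(range(64))
    return installer, files


if __name__ == "__main__":
    installer, files = build_sample()
    files["F000001"] = b"corrupted while recombining"
    for name, ok in verify_payloads(installer, files).items():
        print(f"{name}: {'matches manifest' if ok else 'MISMATCH'}")
```

A match only shows the file agrees with the hash list shipped beside it; since the list is plain text in the same installer, it detects corruption from a bad recombination, not a deliberately altered image.
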
-
I'm trying to figure out how to read out the FLASH SIMM without de-soldering the Flash ICs.
I've created a map between the LH28F320STKD -> SIMM -> T56 Programmer.
There are a few signals that need investigation, shown in RED,
mainly the LCS_FLASH (CS selects), program voltage, RYBY (why are there 6 of these, 3 makes sense), PA0 (possibly tied low), PA1 (should be straight thru), byte# (likely tied high).
I'll have to ohm out the SIMM to figure it out.
I'll still have to de-solder U74 from the processor board (no way around that).
Has anyone ever used JTAG on a 68040?
I don't see a def for it in OCD.
If all you can do is a boundary scan, can you access memory or do you need debug for that?
-
"Has anyone ever used JTAG on a 68040?"
I have not...
What is that 2x5 J16 ? There is one on every interface card except the GPIB. It happens to have the same number of pins and 2x5 as a std RS232 header for a typical computer of that era.
ALSO, where can I get a nice complete set of schematics with block diagrams ? The downloadable service manual is missing those.
On the Processor Card that is a STD JTAG header for the main FPGA, it's not connected to the processor.
For the CLIP, http://artekmanuals.com/manuals/hp-manuals/ search for E4400-90310
There are some pages missing.
If anyone has an original CLIP and is willing to share (or sell), I'm very interested in getting ahold of it. PM me off list if you do please.
-
I ordered this one off ebay.. Once I get it AND IF ITS COMPLETE,, I will compress and upload for distribution.. Assuming its not just a copy of what is in your link..
https://www.ebay.com/itm/HP-E4401B-Component-Level-Info-Package-Schematics-/390129973036
I have spent hours getting ALL the files related to ESA off Keysight's terribly organized and painful to use web site. I have collected those and organized them far better. This includes manuals, guides, firmware, personalities discs & docs, options, install notes, application notes ESA related, software drivers, software and more.. I intend on organizing it all even better and making a single downloadable file. I Will also include the CL stuff as well once I have it.
One file to rule them all..
-
Yes that's the one.
they are scans of the CLIP but very legible.
I've let them know of missing pages I've found so far. not many 2-3, processor is missing the last page(s) of the BOM but schematics are good
another is missing a schematic page but don't remember which it was
Note the CLIP from Artek can not be distributed
-
Where else was the processor card used? That Ethernet header and unpopulated parts for it must have been used by something? I am going to poke around and see what other HP / Agilent devices might have used that same card. I suppose the FPGAs might be loaded totally differently tho :( But maybe it might be possible to load it with ESA firmware and have Ethernet... Or not.. hahaha.. I am still gonna look around tho..
-
I have a Processor Card with Network and there's no way to configure it in the ESA menus.
only the original card had the ethernet parts. it's likely part of their debug system
-
Is it just me? I'm trying to get all the firmware files and the ones from Keysight for the ESA for win 7/8 produce an SSL error? https://sa.support.keysight.com/ESA/Firmware/A.14.06.zip?id=2401677
-
Yeah, same. "Error code: SSL_ERROR_RX_RECORD_TOO_LONG" almost always means the site is serving plain http on that port (no SSL). Change the link to http and it works: http://sa.support.keysight.com/ESA/Firmware/A.14.06.zip?id=2401677 (http://sa.support.keysight.com/ESA/Firmware/A.14.06.zip?id=2401677)
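Why a plain-HTTP reply surfaces as "record too long", as an added example that is not part of the original post: a TLS client reads the first five bytes of the reply as a record header, so the ASCII `HTTP/` is taken as a content type, a version and a length. The function names are hypothetical, both sample byte strings are constructed, and the size limit is the TLSCiphertext bound from RFC 5246.

```python
import struct

# Largest TLSCiphertext.length a TLS 1.2 peer may send (RFC 5246, section 6.2.3).
TLS_MAX_CIPHERTEXT = 2**14 + 2048

# Record content types defined by TLS.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def read_record_header(first_bytes):
    """Interpret the first 5 bytes the way a TLS record layer does:
    1 byte content type, 2 bytes protocol version, 2 bytes record length."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes of the server's reply")
    return struct.unpack("!BHH", first_bytes[:5])


def diagnose(first_bytes):
    """Classify the start of a server reply received on a supposed TLS port."""
    ctype, version, length = read_record_header(first_bytes)
    if first_bytes.startswith(b"HTTP/"):
        verdict = "plaintext HTTP on this port"
    elif (ctype in CONTENT_TYPES and version >> 8 == 3
          and length <= TLS_MAX_CIPHERTEXT):
        verdict = "TLS record"
    else:
        verdict = "unknown protocol"
    return {
        "content_type": ctype,
        "version": version,
        "length": length,
        "record_too_long": length > TLS_MAX_CIPHERTEXT,
        "verdict": verdict,
    }


# Constructed samples: the start of a plain HTTP error reply, and the header
# of a 90-byte TLS 1.2 handshake record.
HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n"
TLS_REPLY = bytes.fromhex("160303005a")

if __name__ == "__main__":
    for name, sample in (("http", HTTP_REPLY), ("tls", TLS_REPLY)):
        print(name, diagnose(sample))
```

The bytes `P/` are 0x50 0x2F, so the "record" claims 20527 bytes, which is above the 18432-byte limit.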
-
Where else was the processor card used? That Ethernet header and unpopulated parts for it must have been used by something? I am going to poke around and see what other HP / Agilent devices might have used that same card.
There are other instruments which reuse a processor card without using all of the hardware features. For example the 16700 logic analyzers use an E4406 processor card. I was curious about why there is a TI 9914 GPIB controller and 75ALS160 / 75ALS164 bus transceivers on the 16700 processor card but the GPIB connector is unpopulated. Turns out the GPIB connector is populated and used on the E4406A.
-
Spent a little bit of time making a PCB for the T56 Programmer to work with the FLASH SIMM.
nothing fancy, even autorouted, just some switches to let you configure the lines to pick the correct Flash to read out. U1/U2 or U3.
before I send to PCB house I want to verify a few more things
-
before I send to PCB house I want to verify a few more things
Maybe fix the spelling mistake on Astronomics ;D
-
before I send to PCB house I want to verify a few more things
Maybe fix the spelling mistake on Astronomics ;D
Yes I caught that and a much bigger issue that I've about fixed. the spacing on the 2 24pin sockets was wrong. it needed to be 600mils not 1060mils
would not have fit the ZIF socket on the programmer.
should be good now, placed order from JLCPCB
-
Spent a little bit of time making a PCB for the T56 Programmer to work with the FLASH SIMM.
nothing fancy, even autorouted, just some switches to let you configure the lines to pick the correct Flash to read out. U1/U2 or U3.
before I send to PCB house I want to verify a few more things
that's awesome :-+
-
I injured my back and have been pretty much confined to bed so haven’t been able to reflash my SA with a byte change. But you can design things while confined :)
I’ll reflash soon as possible to test that out
-
Guess what I just found.
This is the monitor program I was after.
To get it I caused an error. The error was planned, getting the monitor program was not.
The question will be how to get this when loading normally.
***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.
@(#)HEWLETT-PACKARD, E4401 Bootrom, 3.10
@(#)LDS Rev: 3.02 - Module Incremental (Feb 18 1999)
@(#)Linked: Feb 18 1999 11:46:22
Bootrom Checksum ...
Bootrom DRAM: Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM: Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
ROM Checksum Failure. Bad Checksum. 01, 0
Self-tests complete.SRAM selftest results:
Start = 0xa000000
End = 0xa007fa3
Errors = 0x0
DRAM selftest results:
Start = 0x4011000
End = 0x6000000
Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19
Cache Enabled
16MBytes of FLASH
Download to Flash Selected
***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.
@(#)HEWLETT-PACKARD, E4401 Bootrom, 3.10
@(#)LDS Rev: 3.02 - Module Incremental (Feb 18 1999)
@(#)Linked: Feb 18 1999 11:46:22
Bootrom Checksum ...
Bootrom DRAM: Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM: Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
ROM Checksum Failure. Bad Checksum. 01, 0
Self-tests complete.SRAM selftest results:
Start = 0xa000000
End = 0xa007fa3
Errors = 0x0
DRAM selftest results:
Start = 0x4011000
End = 0x6000000
Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19
Cache Enabled
16MBytes of FLASH
Download to Flash Selected
Unexpected exception at VBR offset 0x2c
Vector #663
format = 4, frame is at 0x4004794
PC = 0xcff80000
SR = 0x0400
Registers = 0x0a007fa4 thru 0x0a007fef
ROM Monitor
Enter ? for help.
->?
bc [<hex boot config>] - set the bootrom configuration (see bchelp)
bootvars- display bootrom variables
bs - force a breakpoint when starting
dbyte [<hex start address> [num bytes]] - display memory using bytes
dlong [<hex start address> [num bytes]] - display memory using longs
dmem [<hex start address> [num bytes]] - display memory using bytes
dword [<hex start address> [num bytes]] - display memory using words
gbreak - force a gdb breakpoint
gdb - enable gdb trapping of exceptions
gu [<hex start addr>] - go to start address
hmon [device] - download into memory
rty test routine
sbyte <hex start address> <hexchars> - set memory using bytes
slong <hex start address> <hexchars> - set memory using longs
smem <hex start address> <hexchars> - set memory using bytes
sword <hex start address> <hexchars> - set memory using words
version - display bootrom version
->dbyte
00000000 00 00 00 00 00 00 ad 34 4e 56 00 00 4e 41 00 00 .......4NV..NA..
->dbyte 0401100 255
***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.
@(#)HEWLETT-PACKARD, E4401 Bootrom, 3.10
@(#)LDS Rev: 3.02 - Module Incremental (Feb 18 1999)
@(#)Linked: Feb 18 1999 11:46:22
Bootrom Checksum ...
Bootrom DRAM: Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM: Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
ROM Checksum Failure. Bad Checksum. 01, 0
Self-tests complete.SRAM selftest results:
Start = 0xa000000
End = 0xa007fa3
Errors = 0x0
DRAM selftest results:
Start = 0x4011000
End = 0x6000000
Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19
Cache Enabled
16MBytes of FLASH
Download to Flash Selected
Unexpected exception at VBR offset 0x8
Access Fault (bus error)
format = 7, frame is at 0x4004648
PC = 0xdc9a
SR = 0x2004
Registers = 0x0a007fa4 thru 0x0a007fef
Access Address = 0x401100
ROM Monitor
Enter ? for help.
->?
bc [<hex boot config>] - set the bootrom configuration (see bchelp)
bootvars- display bootrom variables
bs - force a breakpoint when starting
dbyte [<hex start address> [num bytes]] - display memory using bytes
dlong [<hex start address> [num bytes]] - display memory using longs
dmem [<hex start address> [num bytes]] - display memory using bytes
dword [<hex start address> [num bytes]] - display memory using words
gbreak - force a gdb breakpoint
gdb - enable gdb trapping of exceptions
gu [<hex start addr>] - go to start address
hmon [device] - download into memory
rty test routine
sbyte <hex start address> <hexchars> - set memory using bytes
slong <hex start address> <hexchars> - set memory using longs
smem <hex start address> <hexchars> - set memory using bytes
sword <hex start address> <hexchars> - set memory using words
version - display bootrom version
->dbyte
00000000 00 00 00 00 00 00 ad 34 4e 56 00 00 4e 41 00 00 .......4NV..NA..
->dbyte 1024
00001024 53 49 53 00 6a fa 20 49 72 ff b2 90 67 04 4a 90 SIS.j. Ir...g.J.
->version
Bootrom Revision 3.10
Serial is at 19.2Kb so dumping memory will be slow but may be doable soon (I hope)
and if you notice the menu you can dump and write memory :-+
-
Sandra,
Do some dumps of 0x04011000 and beyond just to test and compare with ESAFW.
Later i'll provide some specific addresses.
-
I am the owner of the E4407B with AYZ (external mixing) and 1DR (narrow resolution bandwidth) options installed. Also B72 and 1D5. If the memory dump is possible using the monitor program via the J1/RS-232C connector, I can prepare the hardware and do such a dump. Will it be helpful?
-
->dbyte
00000000 00 00 00 00 00 00 ad 34 4e 56 00 00 4e 41 00 00 .......4NV..NA..
->dbyte 1024
00001024 53 49 53 00 6a fa 20 49 72 ff b2 90 67 04 4a 90 SIS.j. Ir...g.J.
These are exactly the bytes of bootrom at 0x00 and 0x1024. :popcorn:
-
So far my playing around to get a dump off a fully running E4407B has not been successful
The biggest issue: with a successful load you're not in the monitor program where you can dump memory.
I am dumping 0401100 on but it's going to take some time at 19.6Kb
From the System/pSOS menu it says that ^C gets you to the monitor. I'm assuming that's CTRL+C and that doesn't work. I get un-recognized char. Also tried literal ^C, it didn't recognize the ^. Looks like it's a single char command so not sure what ^C was to be.
the hmon device command will load from a device into memory but I can't figure out the device names
I do know that hmon alone will try to load from GPIB
I tried hmon GPIB and get un-recognized device
I'm finding all the things that don't work, just to find the one that does.
pSOS being so old, it's hard to find docs on as well
-
...
pSOS being so old it's hard to find DOC on as well
I also have an Anritsu MS4623B and it uses pSOS. I have some docs for pSOS.
-
maybe it just means capital C
-
Part 2
-
->dbyte
00000000 00 00 00 00 00 00 ad 34 4e 56 00 00 4e 41 00 00 .......4NV..NA..
->dbyte 1024
00001024 53 49 53 00 6a fa 20 49 72 ff b2 90 67 04 4a 90 SIS.j. Ir...g.J.
These are exactly the bytes of bootrom at 0x00 and 0x1024. :popcorn:
Cool, and that would make sense. the boot rom would exist at 0x00000000
if I recall the 1024 bytes on the M68K is the vector table
of course that command dbyte 1024 is dump 0x1024 not dec 1024 :O
-
Be careful, the address is 0x0401 1000. Not 0x0040 1100!
For now, just get me this region:
0x048B9200 -> 0x048B9500
-
maybe it just means capital C
Tried, does not accept it either :(
-
Be careful, the address is 0x0401 1000. Not 0x0040 1100!
For now, just get me this region:
0x048B9200 -> 0x048B9500
Here ya go
**** Mosquito Bootrom ***** 00 00 00 00 00 00 00 00 00 00 ................
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.
@(#)HEWLETT-PACKARD, E4401 Bootrom, 3.10
@(#)LDS Rev: 3.02 - Module Incremental (Feb 18 1999)
@(#)Linked: Feb 18 1999 11:46:22
Bootrom Checksum ...
Bootrom DRAM: Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM: Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
ROM Checksum Failure. Bad Checksum. 01, 0
Self-tests complete.SRAM selftest results:
Start = 0xa000000
End = 0xa007fa3
Errors = 0x0
DRAM selftest results:
Start = 0x4011000
End = 0x6000000
Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19
Unexpected exception at VBR offset 0x8
Access Fault (bus error)
format = 7, frame is at 0x400473c
PC = 0x4e410000
SR = 0x2700
Registers = 0x0a007fa4 thru 0x0a007fef
Access Address = 0x4e410000
ROM Monitor
Enter ? for help.
-> ?
bc [<hex boot config>] - set the bootrom configuration (see bchelp)
bootvars- display bootrom variables
bs - force a breakpoint when starting
dbyte [<hex start address> [num bytes]] - display memory using bytes
dlong [<hex start address> [num bytes]] - display memory using longs
dmem [<hex start address> [num bytes]] - display memory using bytes
dword [<hex start address> [num bytes]] - display memory using words
gbreak - force a gdb breakpoint
gdb - enable gdb trapping of exceptions
gu [<hex start addr>] - go to start address
hmon [device] - download into memory
rty test routine
sbyte <hex start address> <hexchars> - set memory using bytes
slong <hex start address> <hexchars> - set memory using longs
smem <hex start address> <hexchars> - set memory using bytes
sword <hex start address> <hexchars> - set memory using words
version - display bootrom version
->dbyte 0x048b9200 2048
-
OK, I prepared the hardware to handle the serial port, set up 19200 8n1. After start, E4407B sends information.
***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.
@(#)HEWLETT-PACKARD, E4401 Bootrom, 5.00
@(#)LDS Rev: 3.02 - Module Incremental (Sep 9 2003)
@(#)Linked: Sep 9 2003 14:46:44
Bootrom Checksum ...
Bootrom DRAM: Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM: Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
Self-tests complete.SRAM selftest results:
Start = 0xa000000
End = 0xa007fa3
Errors = 0x0
DRAM selftest results:
Start = 0x4011000
End = 0x6000000
Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19
Cache Enabled
16MBytes of FLASH
Download to Flash Selected
>>> mainMain()
text segment: 0x4011000 thru 0x4435674 ( 424674 bytes)
data segment: 0x4600000 thru 0x476dd88 ( 16dd88 bytes)
bss segment: 0x476dd88 thru 0x48bcce8 ( 14ef60 bytes)
ROM size: 0x005923fc ( 5923fc bytes of 4194304 max.)
memory pool (all): 0x048bcce8 thru 0x05ffffff (24392472 bytes)
Calling start_psos() ...
FLOPPY_Media::read: Could not read sector 1 on track 0 on side 0
>>>> debug() process starting
DLP Loaded - Power Suite Utilities, A.06.05, Nov 21 2003 15:45:40
----- System/pSOS Debug commands: -----
'?' - this help message.
'j' - drop into breakpoint.
'^C' - Abort to monitor.
'^P' - Process status info, and LOTS of it.
'[dD]' - Print DLP debug information.
'[bB]' - Big memory hog report.
'[pP]' - Process ONLY status info.
'[eE]' - Exchange info.
'[gG]' - toggle breakpoint exception handlers on/off
'[tT]' - Time log.
'[hH]' - History log.
'[oO]' - Memory segment ownership.
'[mM]' - Memory segment summary.
'[sS]' - Semaphore ownership, etc.
'[uU]' - maximum process stack Usage.
'[vV]' - memory Validity check.
'[iI]' - Show psosSystemData.
'[1]' - Show NVRAM contents.
'[wW] <process name>' - Show process stack trace.
How do I enter the monitor? Sandra, you wrote about a planned error. How to do it?
I am ready to deliver information from my device with the options installed, please just keep in mind that I am not an experienced hacker :)
I will also point out that my SA has the A.14.01 firmware installed. Can't install the latest firmware yet, FDD can't read floppy disks reliably. It crashes on 2nd or 3rd disk when trying to update. I have to look for a new FDD.
EDIT
I'm now motivated to solve the FDD problem in my SA. I ordered 2 used SLIM FDD from the local auction site. One type NEC FD3238T and the other Teac FD-05HG. The FDD Teac FD-05HF was originally installed in my E4407B, but I haven't found one. Hope one of them will work well, both have a 26 pin connector. If they work, I will update the firmware to version A.14.06.
-
I've had a setback
That FLASH SIMM I used to cause an error that got me into the monitor program. Well, it blew the board. Fortunately it's my spare processor board I've been using to experiment on, but it's DEAD :palm:
At least it wasn't my actual board I normally use.
DS1-DS7 all on, no boot at all. Likely and hopefully blew a buffer chip (data or address) and not the FPGA.
-
How do I enter the monitor? Sandra, you wrote about a planned error. How to do it?
Cause an error.
I was playing with this before I had the issue on the Processor Board and I think if you put in the ESALOADER disc you can get the Monitor Program that way.
Of course this might be a problem for you with the FD issue you're having
-
Can you connect a keyboard and keep slapping it during boot up? Maybe that will cause the boot loader to redirect to a console monitor
I don't see any message saying this in the boot log you posted but still it might work
-
Looks like Sandra is correct, you can easily enter the monitor program by booting from the ESALOADR floppy. Just tried it on my E4402B.
When the SA completes booting from the floppy, press 'j' at the serial console then CTRL+C and you're in the monitor program.
***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.
@(#)HEWLETT-PACKARD, E4401 Bootrom, 3.10
@(#)LDS Rev: 3.02 - Module Incremental (Feb 18 1999)
@(#)Linked: Feb 18 1999 11:46:22
Bootrom Checksum ...
Bootrom DRAM: Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM: Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
Self-tests complete.SRAM selftest results:
Start = 0xa000000
End = 0xa007fa3
Errors = 0x0
DRAM selftest results:
Start = 0x4011000
End = 0x6000000
Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19
Cache Enabled
16MBytes of FLASH
Download to Flash Selected
Downloading from floppy
>>> mainMain()
text segment: 0x4011000 thru 0x40c0c80 ( afc80 bytes)
data segment: 0x4400000 thru 0x4405ec8 ( 5ec8 bytes)
bss segment: 0x4405ec8 thru 0x4424710 ( 1e848 bytes)
ROM size: 0x000b5b48 ( b5b48 bytes of 4194304 max.)
memory pool (all): 0x04424710 thru 0x05ffffff (29210864 bytes)
Calling start_psos() ...
>>>> debug() process starting
Unknown debug char: '' (0x03). Press '?' for help.
Unknown debug char: '' (0x03). Press '?' for help.
Unknown debug char: 'c' (0x63). Press '?' for help.
Unknown debug char: '' (0x03). Press '?' for help.
Unknown debug char: 'c' (0x63). Press '?' for help.
Unknown debug char: '' (0x03). Press '?' for help.
----- System/pSOS Debug commands: -----
'?' - this help message.
'j' - drop into breakpoint.
'^C' - Abort to monitor.
'^P' - Process status info, and LOTS of it.
'[dD]' - Print DLP debug information.
'[bB]' - Big memory hog report.
'[pP]' - Process ONLY status info.
'[eE]' - Exchange info.
'[tT]' - Time log.
'[hH]' - History log.
'[oO]' - Memory segment ownership.
'[mM]' - Memory segment summary.
'[sS]' - Semaphore ownership, etc.
'[uU]' - maximum process stack Usage.
'[vV]' - memory Validity check.
'[iI]' - Show psosSystemData.
'[1]' - Show NVRAM contents.
'[wW] <process name>' - Show process stack trace.
Unknown debug char: '' (0x03). Press '?' for help.
Unexpected exception at VBR offset 0x80
Trap #0
format = 0, frame is at 0x4423a50
PC = 0x40b8648
SR = 0x2704
Registers = 0x0a007fa4 thru 0x0a007fef
ROM Monitor
Enter ? for help.
->
I will attempt a memory dump later today. I have a few options installed (B72, 1DN, B7B, A4H, BAA, AYX, B7D, B7E), so hopefully this will be useful.
-
This procedure works for me. Tomorrow I should have a fully functional FDD, then I will upgrade the firmware to the last one. In the older firmware version, from 0x048B9200, they are all zeros.
-
Guys, feel bad for Sandra but great news from the others.
Try to make a dump from 0x0401 1000 up to 0x0490 0000. Those that don't have any license should try to insert a random license before the dump. Just insert "0123456789AB".
-
This procedure works for me. Tomorrow I should have a fully functional FDD, then I will upgrade the firmware to the last one. In the older firmware version, from 0x048B9200, they are all zeros.
:-+ That's why it's important to normalize versions. My analysis was done with the A.14.06 ESAFW shared by Sandra.
-
Looks like Sandra is correct, you can easily enter the monitor program by booting from the ESALOADR floppy. Just tried it on my E4402B.
I will attempt a memory dump later today. I have a few options installed (B72, 1DN, B7B, A4H, BAA, AYX, B7D, B7E), so hopefully this will be useful.
If that is the menu you see that is the debug menu not the monitor menu where you can dump memory
the dump command is
dbyte start(in hex),len(in bytes)
-
It's working for monitor menu
1. Connect serial to the J1 (19200, 8/N/1)
2. boot from bootloader floppy disk
3. press "j" then "ctrl+c"
After next power cycle (the front power button not working), SA needs full alignment.
-
Starting to fix what I broke.
I have noticed looking at the CLIP there is a bus defined as DBS_D_T[15.0] that goes to all the FLASH memory but goes nowhere else.
DBS_D[15.0] goes from the Dynamic bus sizer to the IO buffers but there are no data buffers. Strange
Looking at what the FLASH SIMM was attached to is why I'm looking, though I did remove all the FLASH memory from the SIMM and tested it. All 3 tested good so that's a plus
I did identify that the 0 ohm is by the U2 label. If it's on the right side it connects VPP_FLASH_5V to the memory, if on the left it connects VPP_FLASH_12V to the memory
that little resistor at the top of the SIMM pulls #BYTE high
PA0_DBS is not connected to the memory
PA1_DB2 is connected to the A1 pin on all the memory
LCS_FLASH4/5 are connected reverse of the other ones, BE1H/BE1L instead of BE1L/BE1H like the others
Only the FLASH OC0_RYBY/U1, FLASH OC1_RYBY/U2 and FLASH OC2_RYBY/U3 are connected, the others are NC
Attaching some pics of the unpopulated SIMM module
For the Processor Board, working with it is difficult while in the SA. I'm going to see if I can supply 5v to it and troubleshoot on the bench
That should let me use the scope much more easily.
-
Try to make a dump from 0x0401 1000 up to 0x0490 0000.
My memory dump is attached.
FYI, my unit is running the latest A.14.06 firmware.
-
My memory dump is attached.
FYI, my unit is running the latest A.14.06 firmware.
Curious. It seems a correct dump BUT from a different memory bank (as if it was possible)...
I have to take a deeper look.
It's not the ESAFW. But I don't have here the rest of the package...
EDIT: It's the ESALOADR.
-
My memory dump is attached.
FYI, my unit is running the latest A.14.06 firmware.
Curious. It seems a correct dump BUT from a different memory bank (as if it was possible)...
I have to take a deeper look.
It's not the ESAFW. But I don't have here the rest of the package...
@tv84 Do you run anything to convert these dumps into a bin file or other format?
since they're ascii dumps I figured you might do something like that.
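One way to turn the ASCII `dbyte` captures discussed in this thread into a binary image, as an added example that is not code from any poster. It skips banner and debug-menu lines, uses the ASCII column as a redundancy check against serial corruption, and reports address gaps. The function names, the 16-bytes-per-row layout and the '.' rule for non-printable bytes are assumptions drawn from the rows quoted above, and the sample capture is constructed.

```python
import re

ROW = 16  # bytes per row in the dbyte output quoted in this thread

# 8-hex-digit address, 16 two-digit byte values, then the ASCII column.
LINE_RE = re.compile(r'^([0-9a-fA-F]{8})((?:\s+[0-9a-fA-F]{2}){16})\s?(.*)$')


def ascii_column(data):
    """Rebuild the ASCII column: printable bytes as-is, everything else '.'
    (assumed rule; it matches the dump rows quoted in the thread)."""
    return ''.join(chr(b) if 0x20 <= b <= 0x7E else '.' for b in data)


def parse_dump(text):
    """Return (rows, rejected): rows maps address -> 16 bytes; rejected lists
    (address, reason) for rows that should be dumped again."""
    rows, rejected = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # boot banner, prompt, echoed command, debug-menu noise
        addr = int(m.group(1), 16)
        data = bytes.fromhex(''.join(m.group(2).split()))
        shown = m.group(3)[:ROW].ljust(ROW)  # trailing spaces may be trimmed
        if ascii_column(data) != shown:
            # Partial check only: it cannot see a flip between two
            # non-printable values, since both print as '.'.
            rejected.append((addr, 'ascii column disagrees with hex bytes'))
        elif rows.get(addr, data) != data:
            rejected.append((addr, 'conflicts with an earlier copy of this row'))
        else:
            rows[addr] = data
    return rows, rejected


def build_image(rows, start, end, fill=0xFF):
    """Assemble [start, end) into one bytes object. Returns (image, gaps),
    where gaps lists (first_missing, first_present_after) address ranges."""
    size = end - start
    image = bytearray([fill]) * size
    have = bytearray(size)  # 1 where a dumped byte was placed
    for addr, data in rows.items():
        lo, hi = max(addr, start), min(addr + len(data), end)
        if lo < hi:
            image[lo - start:hi - start] = data[lo - addr:hi - addr]
            have[lo - start:hi - start] = b'\x01' * (hi - lo)
    gaps, pos = [], have.find(0)
    while pos != -1:
        nxt = have.find(1, pos)
        if nxt == -1:
            nxt = size
        gaps.append((start + pos, start + nxt))
        pos = have.find(0, nxt)
    return bytes(image), gaps


# Constructed capture: the first row is quoted from the thread, the rest is
# made up. Row 0x20 has a flipped hex byte (0x51 where the column shows 'P')
# and row 0x30 was lost on the serial link.
SAMPLE = """\
->dbyte 0 80
00000000 00 00 00 00 00 00 ad 34 4e 56 00 00 4e 41 00 00 .......4NV..NA..
00000010 53 49 53 00 6a fa 20 49 72 ff b2 90 67 04 4a 90 SIS.j. Ir...g.J.
Unknown debug char: '' (0x03). Press '?' for help.
00000020 48 51 20 45 34 34 30 31 00 00 00 00 00 00 00 00 HP E4401........
00000040 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ................
"""

if __name__ == '__main__':
    rows, rejected = parse_dump(SAMPLE)
    image, gaps = build_image(rows, 0x00, 0x50)
    print(len(image), 'bytes assembled')
    for addr, reason in rejected:
        print('re-dump row 0x%08x: %s' % (addr, reason))
    for lo, hi in gaps:
        print('missing 0x%08x..0x%08x' % (lo, hi - 1))
```

Writing `image` to a file gives a binary that can be compared byte for byte against another dump of the same region; the gap list tells you which address ranges to request again.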
-
Curious. It seems a correct dump BUT from a different memory bank (as if it was possible)...
I have to take a deeper look.
It's not the ESAFW. But I don't have here the rest of the package...
Hmmm. I wonder if this is because ESALOADR is loaded and running.
I think I figured how to access the ROM monitor without ESALOADR running:
- Boot from ESALOADR floppy, drop into ROM monitor menu (j, CTRL+C)
- Retry test routine ('rty')
- Test routine will fail/hang, then remove floppy and power cycle the unit
- Boot from flash will fail and drop you back into ROM monitor
So far the dump is at least slightly different, just need to wait several hours for it to complete.
-
Curious. It seems a correct dump BUT from a different memory bank (as if it was possible)...
I have to take a deeper look.
It's not the ESAFW. But I don't have here the rest of the package...
Hmmm. I wonder if this is because ESALOADR is loaded and running.
I think I figured how to access the ROM monitor without ESALOADR running:
- Boot from ESALOADR floppy, drop into ROM monitor menu (j, CTRL+C)
- Retry test routine ('rty')
- Test routine will fail/hang, then remove floppy and power cycle the unit
- Boot from flash will fail and drop you back into ROM monitor
So far the dump is at least slightly different, just need to wait several hours for it to complete.
Have you tried the (J, CTRL+C) on a normal boot?
that's what we're after, if it will work
anytime loading ESALOADER you won't get ESAFW loaded off flash and executed.
the ideal is
Boot Normally
Get into Monitor
then Dump Memory
probably should let TV84 know your HOSTID and be sure you're running 14.06 of the firmware (I know you are, this is more for anyone else who tries in the future)
-
What do you think about this
1. we need the ESAFW loaded. So far though we can't get into the monitor to do the dbyte dump command
2. J14 is Reset on the Processor Card
what if we powered up normally. once up and firmware loaded we insert the ESALOADER disc and reset
DRAM should still be loaded.
we can then break into monitor and try to dump memory?
another thought is would it be worth hacking the boot rom to enable the ^C to break into the monitor.
it lets you in the monitor when loading the ESALOADER but not the main firmware
-
another thought is would it be worth hacking the boot rom to enable the ^C to break into the monitor.
it lets you in the monitor when loading the ESALOADER but not the main firmware
Not so easy because the DEBUG MENU is in the ESALOADR, not the BOOTROM.
-
My memory dump is attached.
FYI, my unit is running the latest A.14.06 firmware.
In binary format.
This Andrews's dump is a dump of ESALOADR (size 0xB5B48 bytes). Not ESAFW.
-
what if we powered up normally. once up and firmware loaded we insert the ESALOADER disc and reset
DRAM should still be loaded.
we can then break into monitor and try to dump memory?
That is a nice idea. Please try it.
-
Ctrl+C is also the Break key, you can try that.
-
Ctrl+C is also the Break key, you can try that.
Not working.
What BootRom Version are you on
Mine is E4401 Bootrom, 5.00
-
Just to be sure we're all on same Page
This is the Debug menu and not what we need
----- System/pSOS Debug commands: -----
'?' - this help message.
'j' - drop into breakpoint.
'^C' - Abort to monitor.
'^P' - Process status info, and LOTS of it.
'[dD]' - Print DLP debug information.
'[bB]' - Big memory hog report.
'[pP]' - Process ONLY status info.
'[eE]' - Exchange info.
'[gG]' - toggle breakpoint exception handlers on/off
'[tT]' - Time log.
'[hH]' - History log.
'[oO]' - Memory segment ownership.
'[mM]' - Memory segment summary.
'[sS]' - Semaphore ownership, etc.
'[uU]' - maximum process stack Usage.
'[vV]' - memory Validity check.
'[iI]' - Show psosSystemData.
'[1]' - Show NVRAM contents.
'[wW] <process name>' - Show process stack trace.
This is the Monitor Menu and what we're after.
bc [<hex boot config>] - set the bootrom configuration (see bchelp)
bootvars- display bootrom variables
bs - force a breakpoint when starting
dbyte [<hex start address> [num bytes]] - display memory using bytes
dlong [<hex start address> [num bytes]] - display memory using longs
dmem [<hex start address> [num bytes]] - display memory using bytes
dword [<hex start address> [num bytes]] - display memory using words
gbreak - force a gdb breakpoint
gdb - enable gdb trapping of exceptions
gu [<hex start addr>] - go to start address
hmon [device] - download into memory
rty test routine
sbyte <hex start address> <hexchars> - set memory using bytes
slong <hex start address> <hexchars> - set memory using longs
smem <hex start address> <hexchars> - set memory using bytes
sword <hex start address> <hexchars> - set memory using words
version - display bootrom version
-
Please dump from 0x0400 0000 to 0x0401 1000. Just to check if this is BOOTROM-related.
I think this can be done with ESALOADR. No need for ESAFW.
-
Just to be sure we're all on same Page
How do you trigger DEBUG MENU?
For information:
DEBUG MENU is inside ESALOADR
MONITOR MENU is inside BOOTROM (called from within DEBUG MENU via ^C)
-
Using this procedure:
- Boot from ESALOADR floppy, drop into ROM monitor menu (j, CTRL+C)
- Retry test routine ('rty')
- Test routine will fail/hang, then remove floppy and power cycle the unit
- Boot from flash will fail and drop you back into ROM monitor
My memory dump (0x04011000-0x04900000) looks nearly identical to the concatenated ESAFW file that Sandra shared earlier with only a handful of addresses differing, and differs quite a lot from the ESALOADR.
I believe this dump is the ESAFW from flash. On the second boot (step 4 of my procedure), the ESALOADR disk is not present so the unit must load from flash.
-
when you boot normally the Debug Menu "----- System/pSOS Debug commands: ----- " is always there.
when you boot from the ESALOADER you don't initially see a menu. Pressing ? will show the same menu as above; you can CTRL+C and it causes an exception, then you're in the Monitor menu where you can dump memory
I've hooked up a reset switch, booted normally, entered AXZ for the opt and 0123456789ABC for the code.
inserted the ESALOADER, and hit reset.
once rebooted I got into the monitor and did 2 dumps (one's still dumping)
first will be
0x0400 0000 to 0x0401 1000
second will be
0x0401 1000 to 0x0490 0000
soon as done I'll edit and post to this message
My HostID is 29611027
My BootRom is V5.00
-
My memory dump (0x04011000-0x04900000) looks nearly identical to the concatenated ESAFW file that Sandra shared earlier with only a handful of addresses differing, and differs quite a lot from the ESALOADR.
I believe this dump is the ESAFW from flash. On the second boot (step 4 of my procedure), the ESALOADR disk is not present so the unit must load from flash.
This dump is exactly Sandra's ESAFW with 8 bytes different (in the middle of the code :-//).
The problem is that you didn't run the app before taking the dump. We need the dump after the app has run/is running. Because all the rest of the mem is 0x00s.
-
It MUST be possible to abort into Monitor mode from within ESAFW because ESAFW also has the DEBUG MENU in the code (with the ^C option). Just saw that in the code.
-
This dump is exactly Sandra's ESAFW with 8 bytes different (in the middle of the code :-//).
The problem is that you didn't run the app before taking the dump. We need the dump after the app has run/is running. Because all the rest of the mem is 0x00s.
Got it, didn't quite grasp what the issue was before. The application was definitely not running when I created the new dump.
Looking forward to seeing Sandra's results
-
When I boot from the ESALOADER and see the Menu ^C works fine
when I boot normally and see the Menu, even though ^C is in the menu all I see is a message that it doesn't recognize the keypress
-
When I boot from the ESALOADER and see the Menu ^C works fine
when I boot normally and see the Menu, even though ^C is in the menu all I see is a message that it doesn't recognize the keypress
Ohhh. That's another story. Let's wait for your dumps. I've got my fingers crossed.
If not successful, I'll ask you to do me a log dump of all the submenu options of the DEBUG MENU (just the 1st screen) so that I can crosscheck the functions.
-
This dump is exactly Sandra's ESAFW with 8 bytes different (in the middle of the code :-//).
The problem is that you didn't run the app before taking the dump. We need the dump after the app has run/is running. Because all the rest of the mem is 0x00s.
Got it, didn't quite grasp what the issue was before. The application was definitely not running when I created the new dump.
Looking forward to seeing Sandra's results
still dumping, it's up to 0x040Dxxxx and it's all zeros in this area
I'm trying to figure out device addressing
the max address is 0x07FFFFFF only ADDRESS BIT 0..27 are used
21,22,23 are used to address the FLASH memory (thru a 74138)
U55 controls the addressing which is the communications controller which goes to the enable pin on the 74138
-
all I see is a message that it doesn't recognize the keypress
What is the specific msg?
-
the max address is 0x07FFFFFF only ADDRESS BIT 0..27 are used
I saw somewhere that the app and mem would not go higher than 0x06000000. Maybe in your boot logs...
That doesn't mean that physically it couldn't go to that limit mentioned by you.
-
I saw somewhere that the app and mem would not go higher than 0x06000000. Maybe in your boot logs...
That doesn't mean that physically it couldn't go to that limit mentioned by you.
From the hardware side it's physically limited to 0x07FFFFFF (A0..A27) the remaining bits are NC
-
all I see is a message that it doesn't recognize the keypress
What is the specific msg?
Unknown debug char: 'C' (0x43). Press '?' for help.
if I do CTRL+C its
Unknown debug char: ' ' (0x03). Press '?' for help. (i think) still dumping so I can't check
I do not miss dialup speeds
-
When I boot from the ESALOADER and see the Menu ^C works fine
when I boot normally and see the Menu, even though ^C is in the menu all I see is a message that it doesn't recognize the keypress
Ohhh. That's another story. Let's wait for your dumps. I've got my fingers crossed.
If not successful, I'll ask you to do me a log dump of all the submenu options of the DEBUG MENU (just the 1st screen) so that I can crosscheck the functions.
There are no sub menus
each option is a direct action in the menus
they may take parms but that is passed with the option you want
-
Is anyone able when booting normally (no ESALOADER Disc) able to do the CTRL+C and enter the Monitor Program?
-
There are no sub menus
each option is a direct action in the menus
they may take parms but that is passed with the option you want
Sure, all I want is a dump of the 1st page of those direct actions (just to identify the strings in it).
You don't need to try other keys. The DEBUG in ESAFW doesn't have the code for "^C". So we would need to patch it.
BTW, the DEBUG MENUs of ESAFW and ESALOADR have slight differences. I think ESAFW has more options.
I do have some spare FLASH memory for the BootLoader so if a patch isn't too hard maybe that's the way to go???
These are the menu options seen when booting
This is the Debug menu when booting Normally, you have to do a ? to see it
----- System/pSOS Debug commands: -----
'?' - this help message.
'j' - drop into breakpoint.
'^C' - Abort to monitor.
'^P' - Process status info, and LOTS of it.
'[dD]' - Print DLP debug information.
'[bB]' - Big memory hog report.
'[pP]' - Process ONLY status info.
'[eE]' - Exchange info.
'[gG]' - toggle breakpoint exception handlers on/off
'[tT]' - Time log.
'[hH]' - History log.
'[oO]' - Memory segment ownership.
'[mM]' - Memory segment summary.
'[sS]' - Semaphore ownership, etc.
'[uU]' - maximum process stack Usage.
'[vV]' - memory Validity check.
'[iI]' - Show psosSystemData.
'[1]' - Show NVRAM contents.
'[wW] <process name>' - Show process stack trace.
This is the Monitor Menu from when using ESALOADER.
bc [<hex boot config>] - set the bootrom configuration (see bchelp)
bootvars- display bootrom variables
bs - force a breakpoint when starting
dbyte [<hex start address> [num bytes]] - display memory using bytes
dlong [<hex start address> [num bytes]] - display memory using longs
dmem [<hex start address> [num bytes]] - display memory using bytes
dword [<hex start address> [num bytes]] - display memory using words
gbreak - force a gdb breakpoint
gdb - enable gdb trapping of exceptions
gu [<hex start addr>] - go to start address
hmon [device] - download into memory
rty test routine
sbyte <hex start address> <hexchars> - set memory using bytes
slong <hex start address> <hexchars> - set memory using longs
smem <hex start address> <hexchars> - set memory using bytes
sword <hex start address> <hexchars> - set memory using words
version - display bootrom version
-
I tried but it did not work.
I didn't get FDD today so I still have older firmware.
-
that was these then
No, maybe I explained wrong:
I want the next steps in each of those options (just DEBUG MENU).
-
that was these then
No, maybe I explained wrong:
I want the next steps in each of those options (just DEBUG MENU).
if I type an option it executes the command so if that's what you want here's some
is this what you're after?
***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.
@(#)HEWLETT-PACKARD, E4401 Bootrom, 5.00
@(#)LDS Rev: 3.02 - Module Incremental (Sep 9 2003)
@(#)Linked: Sep 9 2003 14:46:44
Bootrom Checksum ...
Bootrom DRAM: Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM: Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
Self-tests complete.SRAM selftest results:
Start = 0xa000000
End = 0xa007fa3
Errors = 0x0
DRAM selftest results:
Start = 0x4011000
End = 0x6000000
Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19
Cache Enabled
16MBytes of FLASH
Download to Flash Selected
>>> mainMain()
text segment: 0x4011000 thru 0x4435e14 ( 424e14 bytes)
data segment: 0x4600000 thru 0x476dd88 ( 16dd88 bytes)
bss segment: 0x476dd88 thru 0x48bcce8 ( 14ef60 bytes)
ROM size: 0x00592b9c ( 592b9c bytes of 4194304 max.)
memory pool (all): 0x048bcce8 thru 0x05ffffff (24392472 bytes)
Calling start_psos() ...
>>>> debug() process starting
DLP Loaded - Power Suite Utilities, A.06.05, Nov 21 2003 15:45:40
----- System/pSOS Debug commands: -----
'?' - this help message.
'j' - drop into breakpoint.
'^C' - Abort to monitor.
'^P' - Process status info, and LOTS of it.
'[dD]' - Print DLP debug information.
'[bB]' - Big memory hog report.
'[pP]' - Process ONLY status info.
'[eE]' - Exchange info.
'[gG]' - toggle breakpoint exception handlers on/off
'[tT]' - Time log.
'[hH]' - History log.
'[oO]' - Memory segment ownership.
'[mM]' - Memory segment summary.
'[sS]' - Semaphore ownership, etc.
'[uU]' - maximum process stack Usage.
'[vV]' - memory Validity check.
'[iI]' - Show psosSystemData.
'[1]' - Show NVRAM contents.
'[9]' - Show Exception Report.
'[wW] <process name>' - Show process stack trace.
>d
==============================================================
DLP LIST
Name State Text Data BSS
c:dlp\ps2\ps2.o Loaded 0x5c3dcc8/1751472 0x5c3bcb4/8192 0x5b6abe0/856256
c:dlp\pn\pn.o Unlicensed 0x0/0 0x0/0 0x0/0
c:dlp\catv\catv.o Unlicensed 0x0/0 0x0/0 0x0/0
==============================================================
Currently 1 DLP's loaded
>b
=================================================================
Memory HOG report - oink oink
caller PC count bytes
0x04338902 17072 5349060
0x04361be2 1 1751492
0x00000000 111 1049872
0x04361bfe 1 856276
0x05d00d06 194 798504
0x05d01948 83 341628
0x043ebcfe 83 294836
0x05cefb16 61 245220
0x05cf28b6 40 160800
0x05ceceb2 33 132660
0x05cf564a 15 60300
0x043eb0f0 339 39892
0x042b66a2 1 32792
0x05cea37a 7 28140
0x04345af2 53 26632
0x05d0235c 3 12348
0x042def9e 1 11108
0x04361bf0 1 8212
0x042ec426 1 2596
0x042ec3e2 1 2148
0x0412a3d0 1 2068
0x042ec404 1 1196
0x04364636 1 1032
0x042ec3c0 1 1028
0x042def8c 1 812
0x0414b2a2 3 624
0x0a0008f6 1 532
0x0a000446 1 532
0x0a0005ea 1 532
0x0a000626 1 84
=================================================================
>p
pid PNAME STAT/M PRI GID POS TIX MEMORY STK CPU
0x048ca38c SWFI RUN 51 0 * 1 0kB 8% 25%
0x048cc0f0 AAFI RDY 51 0 1 1 0kB 12% 0%
0x048c9714 IDLE RDY 0 0 2 1 0kB 6% 8%
0x048ccf30 CLOK paus 100 0 . 0 0kB 16% 0%
0x048c9ffc DIst paus 52 0 . 3106 0kB 3% 0%
0x048c9aa4 DRST paus 80 0 . 61 0kB 47% 0%
0x048c99c0 FMOT paus 100 0 . 43 0kB 47% 0%
0x048cd014 UPDT xblk 249 0 . 1 0kB 23% 0%
0x048cce4c MAXM xblk 60 0 . 1 0kB 6% 0%
0x048ccc84 LLMR xblk 60 0 . 1 0kB 6% 0%
0x048ccba0 PRNT xblk 60 0 . 1 0kB 8% 0%
0x048ccabc DSPF xblk 51 0 . 1 0kB 5% 0%
0x048cc9d8 DSPM xblk 60 0 . 1 0kB 6% 0%
0x048cc8f4 DMFI xblk 51 0 . 1 0kB 5% 0%
0x048cc810 DMMR xblk 60 0 . 1 0kB 6% 0%
0x048cc648 FCFI xblk 51 0 . 1 0kB 5% 0%
0x048cc564 FCMR xblk 60 0 . 1 0kB 6% 0%
0x048cc480 ANSQ xblk 52 0 . 1 0kB 13% 0%
0x048cc39c ANFI xblk 51 0 . 1 0kB 13% 0%
0x048cc2b8 ANMR xblk 60 0 . 1 0kB 6% 0%
0x048cc1d4 AASQ xblk 52 0 . 1 0kB 21% 28%
0x048cc00c AAMR xblk 60 0 . 1 0kB 6% 0%
0x048cbf28 SYMR xblk 60 0 . 1 0kB 8% 0%
0x048cbe44 SGMR xblk 60 0 . 1 0kB 6% 0%
0x048cbd60 ZMKR xblk 60 0 . 1 0kB 6% 0%
0x048cbc7c MKR xblk 60 0 . 1 0kB 6% 0%
0x048cbb98 DEF3 xblk 51 0 . 1 0kB 5% 0%
0x048cbab4 SNFI xblk 51 0 . 1 0kB 5% 0%
0x048cb9d0 SNMR xblk 60 0 . 1 0kB 6% 0%
0x048cb8ec DEF2 xblk 51 0 . 1 0kB 5% 0%
0x048cb808 LGDT xblk 251 0 . 1 0kB 8% 0%
0x048cb724 LGDE xblk 60 0 . 1 0kB 6% 0%
0x048cb640 DSFI xblk 51 0 . 1 0kB 5% 0%
0x048cb55c LGDT xblk 251 0 . 1 0kB 8% 0%
0x048cb478 LGDS xblk 60 0 . 1 0kB 6% 0%
0x048cb394 SWFI xblk 51 0 . 1 0kB 5% 0%
0x048cb2b0 LGST xblk 251 0 . 1 0kB 8% 0%
0x048cb1cc LGSW xblk 60 0 . 1 0kB 6% 0%
0x048cb0e8 DEFI xblk 51 0 . 1 0kB 5% 0%
0x048cb004 DEMT xblk 251 0 . 1 0kB 8% 0%
0x048caf20 DEMR xblk 60 0 . 1 0kB 6% 0%
0x048cae3c DMZF xblk 51 0 . 1 0kB 5% 0%
0x048cad58 ZDMT xblk 251 0 . 1 0kB 8% 0%
0x048cac74 ZDMR xblk 60 0 . 1 0kB 6% 0%
0x048cab90 SIFI xblk 51 0 . 1 0kB 5% 0%
0x048caaac SIMT xblk 251 0 . 1 0kB 8% 0%
0x048ca9c8 SIMR xblk 60 0 . 1 0kB 6% 0%
0x048ca8e4 DZFI xblk 51 0 . 1 0kB 5% 0%
0x048ca800 DZMT xblk 251 0 . 1 0kB 8% 0%
0x048ca71c DZMR xblk 60 0 . 1 0kB 6% 0%
0x048ca638 DSFI xblk 51 0 . 1 0kB 5% 0%
0x048ca554 DSMT xblk 251 0 . 1 0kB 8% 0%
0x048ca470 DSMR xblk 60 0 . 1 0kB 6% 0%
0x048ca2a8 SWMT xblk 251 0 . 1 0kB 8% 0%
0x048ca1c4 SWMR xblk 60 0 . 1 0kB 6% 1%
0x048ca0e0 MIME xblk 79 0 . 1 0kB 6% 2%
0x048c9f18 FPLP xblk 250 0 . 1 0kB 9% 0%
0x048c9e34 DCAS xblk 251 0 . 1 0kB 8% 0%
0x048c9d50 RLCN xblk 230 0 . 1 0kB 8% 0%
0x048c9c6c REMT xblk 250 0 . 1 0kB 5% 0%
0x048c9b88 PCKB xblk 230 0 . 1 0kB 8% 0%
0x048c97f8 DISP xblk 253 0 . 1 0kB 8% 4%
0x048c98dc APPS xblk 230 0 . 1 0kB 25% 0%
0x048c9630 ROOT xblk 230 0 . 1 0kB 4% 32%
>> EVENTS: W(0x0) S(0x2000)
64 Process(s) (27 avail); Total time: 4569 ticks.
>e
xid XNAME TYPE ACC maxQ Qlen BLOCKED
0x048c1584 fifo any 1 0 REMT
0x048c1562 UPDI fifo any 1 0 UPDT
0x048c1540 MAXM fifo any inf 0 MAXM
0x048c151e Sign fifo any inf 0
0x048c14fc LIMI fifo any inf 0 LLMR
0x048c14da DSPM fifo any inf 0 DSPM
0x048c14b8 DSPS fifo any 1 0
0x048c1496 DSPF fifo any inf 0 DSPF
0x048c1474 SPEC fifo any 1 0
0x048c1452 SPEC fifo any 1 0
0x048c1430 DMMR fifo any inf 0 DMMR
0x048c140e DMFI fifo any inf 0 DMFI
0x048c13ec SPEC fifo any 1 0
0x048c13ca FCMR fifo any inf 0 FCMR
0x048c13a8 FCFI fifo any inf 0 FCFI
0x048c1386 SPEC fifo any 1 0
0x048c1364 ANSQ fifo any inf 0 ANSQ
0x048c1342 ANFI fifo any inf 0 ANFI
0x048c1320 ANFS fifo any inf 0
0x048c12fe ANOW fifo any 20 0
0x048c12dc ANMR fifo any inf 0 ANMR
0x048c12ba SPEC fifo any 1 0
0x048c1298 AARS fifo any 1 0 AASQ
0x048c1276 AAFI fifo any inf 0
0x048c1254 AAFS fifo any inf 0
0x048c1232 AAMR fifo any inf 0 AAMR
0x048c1210 SPEC fifo any 1 0
0x048c11ee CMR fifo any inf 0
0x048c11cc SPEC fifo any 1 0
0x048c11aa SIGT fifo any inf 0 SGMR
0x048c1188 ZMKM fifo any inf 0 ZMKR
0x048c1166 MKMR fifo any inf 0 MKR
0x048c1144 DEF3 fifo any inf 0 DEF3
0x048c1122 SNFI fifo any inf 0 SNFI
0x048c1100 SNMR fifo any inf 0 SNMR
0x048c10de SPEC fifo any 1 0
0x048c10bc DEF2 fifo any inf 0 DEF2
0x048c109a LGDT fifo any 1 0 LGDT
0x048c1078 LGDE fifo any inf 0 LGDE
0x048c1056 SPEC fifo any 1 0
0x048c1034 DSFI fifo any inf 0 DSFI
0x048c1012 LGDT fifo any 1 0 LGDT
0x048c0ff0 LGDS fifo any inf 0 LGDS
0x048c0fce SPEC fifo any 1 0
0x048c0fac SWFI fifo any inf 0 SWFI
0x048c0f8a LGST fifo any 1 0 LGST
0x048c0f68 LGSW fifo any inf 0 LGSW
0x048c0f46 SPEC fifo any 1 0
0x048c0f24 DEFI fifo any inf 0 DEFI
0x048c0f02 DEMT fifo any 1 0 DEMT
0x048c0ee0 DEMR fifo any inf 0 DEMR
0x048c0ebe SPEC fifo any 1 0
0x048c0e9c DMZF fifo any inf 0 DMZF
0x048c0e7a ZDMT fifo any 1 0 ZDMT
0x048c0e58 ZDMR fifo any inf 0 ZDMR
0x048c0e36 SPEC fifo any 1 0
0x048c0e14 SIFI fifo any inf 0 SIFI
0x048c0df2 SIMT fifo any 1 0 SIMT
0x048c0dd0 SIMR fifo any inf 0 SIMR
0x048c0dae SPEC fifo any 1 0
0x048c0d8c DZFI fifo any inf 0 DZFI
0x048c0d6a DZMT fifo any 1 0 DZMT
0x048c0d48 DZMR fifo any inf 0 DZMR
0x048c0d26 SPEC fifo any 1 0
0x048c0d04 DSFI fifo any inf 0 DSFI
0x048c0ce2 DSMT fifo any 1 0 DSMT
0x048c0cc0 DSMR fifo any inf 0 DSMR
0x048c0c9e SPEC fifo any 1 0
0x048c0c7c SWFI fifo any inf 0
0x048c0c5a SWMT fifo any 1 0 SWMT
0x048c0c38 SWMR fifo any inf 0 SWMR
0x048c0c16 SPEC fifo any 1 0
0x048c0bf4 shrL fifo any 1 0
0x048c0bd2 ACTV fifo any 1 0
0x048c0bb0 hihr fifo any 1 0
0x048c0b8e hihr fifo any 1 0
0x048c0b6c hihr fifo any 1 0
0x048c0b4a hihr fifo any 1 0
0x048c0b28 MENU fifo any 1 0
0x048c0b06 MENU fifo any 1 0
0x048c0ae4 MENU fifo any 1 0
0x048c0ac2 MENU fifo any 1 0
0x048c0aa0 MENU fifo any 1 0
0x048c0a7e MENU fifo any 1 0
0x048c0a5c MENU fifo any 1 0
0x048c0a3a MENU fifo any 1 0
0x048c0a18 MENU fifo any 1 0
0x048c09f6 ACTV fifo any 1 0
0x048c09d4 SDRL fifo any 1 0
0x048c09b2 SDIL fifo any 1 0
0x048c0990 R2 fifo any 1 0
0x048c096e R1 fifo any 1 0
0x048c094c R0 fifo any 1 0
0x048c092a isLk fifo any 1 0
0x048c0908 dtLk fifo any 1 0
0x048c08e6 mSTM fifo any inf 0 MIME
0x048c08c4 mMIN fifo any inf 0
0x048c08a2 mMCL fifo any inf 0
0x048c0880 mMCR fifo any inf 0
0x048c085e mMDA fifo any inf 1
0x048c083c mMSA fifo any inf 0
0x048c081a mDVL fifo any inf 0
0x048c07f8 dest fifo any inf 0
0x048c07d6 mLDS fifo any inf 0
0x048c07b4 FNSL fifo any 1 0
0x048c0792 DDET fifo any inf 0
0x048c0770 DTRG fifo any inf 0
0x048c074e DSWP fifo any inf 0
0x048c072c Didi fifo any inf 0
0x048c070a cntw fifo any 1 0
0x048c06e8 cntx fifo any 1 0
0x048c06c6 dRes fifo any 1 0
0x048c06a4 Dlp fifo any 1 0
0x048c0682 CalC fifo any 1 0
0x048c0660 Scpi fifo any 1 0
0x048c063e LG1 fifo any 1 0
0x048c061c ANON fifo any 1 0
0x048c05fa GPIB fifo any 1 0
0x048c05d8 PCkb fifo any 1 0 PCKB
0x048c05b6 DISP fifo any 1 0 DISP
0x048c0594 OMMG fifo any 1 0
0x048c0572 UNS fifo any 1 0
0x048c0550 RLDS fifo any 1 0 ROOT
0x048c052e BW fifo any 1 0
0x048c050c GLds fifo any 1 0
0x048c04ea BLds fifo any inf 1
0x048c04c8 CISW fifo any 1 0
0x048c04a6 MRLK fifo any 1 0
0x048c0484 HWLK fifo any 1 0
0x048c0462 FP fifo any 1 0 FPLP
0x048c0440 ADCF fifo any 1 0
0x048c041e DIRg fifo any 1 0
0x048c03fc ANON fifo any 1 0
0x048c03da DIRf fifo any 1 0
0x048c03b8 ANON fifo any 1 0
0x048c0396 SIOB fifo any 1 0
0x048c0374 CALM fifo any 1 0
0x048c0352 DIRe fifo any 1 0
0x048c0330 ANON fifo any 1 0
0x048c030e DIRd fifo any 1 0
0x048c02ec DIRc fifo any 1 0
0x048c02ca DIRb fifo any 1 0
0x048c02a8 DIRa fifo any 1 0
0x048c0286 APPS fifo any inf 0 APPS
0x048c0264 DLLK fifo any 1 0
0x048c0242 SUBL fifo any 1 0
0x048c0220 LCSH fifo any 1 0
0x048c01fe FBUF fifo any 1 0
0x048c01dc DCAS fifo any 1 0 DCAS
0x048c01ba RLCN fifo any 1 0 RLCN
0x048c0198 MROF fifo any 1 0
0x048c0176 MRON fifo any 1 0
0x048c0154 SWSP fifo any 1 0
0x048c0132 SRQ fifo any 1 0 SYMR
0x048c0110 PRTH fifo any 1 0 PRNT
155 Exchange(s) (245 avail).
2 Msg buffer(s) (1022 avail).
>g
Breakpoint handler installed
>i
PsosSystemData (0x048bcce8):
(0x048bcce8) OS_PCB *runningPCB = 0x048ca38c
(0x048bccec) OS_PCB *readyList = 0x048c97f8
(0x048bccf0) OS_PCB *pauseList = 0x048ccf30
(0x048bccf4) OS_PCB *pcbActiveHead = 0x048cd014
(0x048bccf8) OS_PCB *pcbFreeHead = 0x048ccd68
(0x048bccfc) OS_XCB *xcbActiveHead = 0x048c1584
(0x048bcd00) OS_XCB *xcbFreeHead = 0x048c15a6
(0x048bcd04) OS_Message *mgbFreeHead = 0x048c3750
(0x048bcd08) void *sstackEnd = 0x048c0110
(0x048bcd0c) short kernelLevel = 0
(0x048bcd0e) short reserved1 = 0
(0x048bcd10) int reserved2 = 1280
(0x048bcd14) int phileData = 620765184
(0x048bcd18) int probeEntry = 71205862
(0x048bcd1c) OS_PCB *memQHead = 0x048bcd1c
(0x048bcd20) OS_PCB *memQTail = 0x048bcd1c
(0x048bcd24) int timeoutTicks = 41
(0x048bcd28) short ticks = 45
(0x048bcd2a) short pad1 = 0
(0x048bcd2c) int time = 292
(0x048bcd30) int date = 130155777
(0x048bcd34) char motbl[12] =
(0x048bcd40) short ticksPerSec = 100
(0x048bcd42) short ticksPerSlice = 1
(0x048bcd44) char todset =
(0x048bcd45) char eventRace = (0x048bcd46) char unusedPad[2] =
(0x048bcd48) Lds_UInt32 switchProc = 0
(0x048bcd4c) regionInfo[0].minSeg = 20
(0x048bcd50) regionInfo[0].maxSeg = 58796
(0x048bcd54) regionInfo[0].minPend = 6020
(0x048bcd58) regionInfo[0].regionEnd = 0x048dcce7
(0x048bcd5c) regionInfo[0].regionName = REG1
(0x048bcd60) regionInfo[0].freeHead = 0x048ce73c
(0x048bcd64) regionInfo[0].freeTail = 0x048d3e30
(0x048bcd68) regionInfo[0].regionFlags = 0
(0x048bcd6c) regionInfo[1].minSeg = 20
(0x048bcd70) regionInfo[1].maxSeg = 24261400
(0x048bcd74) regionInfo[1].minPend = 24261401
(0x048bcd78) regionInfo[1].regionEnd = 0x05ffffff
(0x048bcd78) regionInfo[1].regionEnd = 0x05Bfffff
(0x048bcd80) regionInfo[1].freeHead = 0x048dcce8
(0x048bcd84) regionInfo[1].freeTail = 0x05e74208
(0x048bcd88) regionInfo[1].regionFlags = 0
(0x048bcd8c) regionInfo[2].minSeg = 20
(0x048bcd90) regionInfo[2].maxSeg = 21844
(0x048bcd94) regionInfo[2].minPend = 21845
(0x048bcd98) regionInfo[2].regionEnd = 0x0a006393
(0x048bcd9c) regionInfo[2].regionName = dyna
(0x048bcda0) regionInfo[2].freeHead = 0x0a000e40
(0x048bcda4) regionInfo[2].freeTail = 0x0a000e40
(0x048bcda8) regionInfo[2].regionFlags = 1
(0x048bcdac) regionInfo[3].minSeg = 128
(0x048bcdb0) regionInfo[3].maxSeg = 7120
(0x048bcdb4) regionInfo[3].minPend = 7121
(0x048bcdb8) regionInfo[3].regionEnd = 0x0a007fa3
(0x048bcdbc) regionInfo[3].regionName = nvra
(0x048bcdc0) regionInfo[3].freeHead = 0x0a0063d4
(0x048bcdc4) regionInfo[3].freeTail = 0x0a0063d4
(0x048bcdc8) regionInfo[3].regionFlags = 0
(0x048bcdcc) regionInfo[4].minSeg = 0
(0x048bcdd0) regionInfo[4].maxSeg = 0
(0x048bcdd4) regionInfo[4].minPend = 0
(0x048bcdd8) regionInfo[4].regionEnd = 0x00000000
(0x048bcddc) regionInfo[4].regionName =
(0x048bcde0) regionInfo[4].freeHead = 0x00000000
(0x048bcde4) regionInfo[4].freeTail = 0x00000000
(0x048bcde8) regionInfo[4].regionFlags = 0
(0x048bcdec) regionInfo[5].minSeg = 0
(0x048bcdf0) regionInfo[5].maxSeg = 0
(0x048bcdf4) regionInfo[5].minPend = 0
(0x048bcdf8) regionInfo[5].regionEnd = 0x00000000
(0x048bcdfc) regionInfo[5].regionName =
(0x048bce00) regionInfo[5].freeHead = 0x00000000
(0x048bce04) regionInfo[5].freeTail = 0x00000000
(0x048bce08) regionInfo[5].regionFlags = 0
(0x048bce0c) regionInfo[6].minSeg = 0
(0x048bce10) regionInfo[6].maxSeg = 0
(0x048bce14) regionInfo[6].minPend = 0
(0x048bce18) regionInfo[6].regionEnd = 0x00000000
(0x048bce1c) regionInfo[6].regionName =
(0x048bce20) regionInfo[6].freeHead = 0x00000000
(0x048bce24) regionInfo[6].freeTail = 0x00000000
(0x048bce28) regionInfo[6].regionFlags = 0
(0x048bce2c) regionInfo[7].minSeg = 0
(0x048bce30) regionInfo[7].maxSeg = 0
(0x048bce34) regionInfo[7].minPend = 0
(0x048bce38) regionInfo[7].regionEnd = 0x00000000
(0x048bce3c) regionInfo[7].regionName =
(0x048bce40) regionInfo[7].freeHead = 0x00000000
(0x048bce44) regionInfo[7].freeTail = 0x00000000
(0x048bce48) regionInfo[7].regionFlags = 0
(0x048bce4c) regionInfo[8].minSeg = 0
(0x048bce50) regionInfo[8].maxSeg = 0
(0x048bce54) regionInfo[8].minPend = 0
(0x048bce58) regionInfo[8].regionEnd = 0x00000000
(0x048bce5c) regionInfo[8].regionName =
(0x048bce60) regionInfo[8].freeHead = 0x00000000
(0x048bce64) regionInfo[8].freeTail = 0x00000000
(0x048bce68) regionInfo[8].regionFlags = 0
(0x048bce6c) regionInfo[9].minSeg = 0
(0x048bce70) regionInfo[9].maxSeg = 0
(0x048bce74) regionInfo[9].minPend = 0
(0x048bce78) regionInfo[9].regionEnd = 0x00000000
(0x048bce7c) regionInfo[9].regionName =
(0x048bce80) regionInfo[9].freeHead = 0x00000000
(0x048bce84) regionInfo[9].freeTail = 0x00000000
(0x048bce88) regionInfo[9].regionFlags = 0
(0x048bce8c) regionInfo[10].minSeg = 0
(0x048bce90) regionInfo[10].maxSeg = 0
(0x048bce94) regionInfo[10].minPend = 0
(0x048bce98) regionInfo[10].regionEnd = 0x00000000
(0x048bce9c) regionInfo[10].regionName =
(0x048bcea0) regionInfo[10].freeHead = 0x00000000
(0x048bcea4) regionInfo[10].freeTail = 0x00000000
(0x048bcea8) regionInfo[10].regionFlags = 0
(0x048bceac) regionInfo[11].minSeg = 0
(0x048bceb0) regionInfo[11].maxSeg = 0
(0x048bceb4) regionInfo[11].minPend = 0
(0x048bceb8) regionInfo[11].regionEnd = 0x00000000
(0x048bcebc) regionInfo[11].regionName =
(0x048bcec0) regionInfo[11].freeHead = 0x00000000
(0x048bcec4) regionInfo[11].freeTail = 0x00000000
(0x048bcec8) regionInfo[11].regionFlags = 0
(0x048bcecc) regionInfo[12].minSeg = 0
(0x048bced0) regionInfo[12].maxSeg = 0
(0x048bced4) regionInfo[12].minPend = 0
(0x048bced8) regionInfo[12].regionEnd = 0x00000000
(0x048bcedc) regionInfo[12].regionName =
(0x048bcee0) regionInfo[12].freeHead = 0x00000000
(0x048bcee4) regionInfo[12].freeTail = 0x00000000
(0x048bcee8) regionInfo[12].regionFlags = 0
(0x048bceec) regionInfo[13].minSeg = 0
(0x048bcef0) regionInfo[13].maxSeg = 0
(0x048bcef4) regionInfo[13].minPend = 0
(0x048bcef8) regionInfo[13].regionEnd = 0x00000000
(0x048bcefc) regionInfo[13].regionName =
(0x048bcf00) regionInfo[13].freeHead = 0x00000000
(0x048bcf04) regionInfo[13].freeTail = 0x00000000
(0x048bcf08) regionInfo[13].regionFlags = 0
(0x048bcf0c) regionInfo[14].minSeg = 0
(0x048bcf10) regionInfo[14].maxSeg = 0
(0x048bcf14) regionInfo[14].minPend = 0
(0x048bcf18) regionInfo[14].regionEnd = 0x00000000
(0x048bcf1c) regionInfo[14].regionName =
9>
Contents of the Exception Report:
[0x0a007fa4] D0 = 0x00000000
[0x0a007fa8] D1 = 0x00000000
[0x0a007fac] D2 = 0x00000000
[0x0a007fb0] D3 = 0x00000000
[0x0a007fb4] D4 = 0x00000000
[0x0a007fb8] D5 = 0x00000000
[0x0a007fbc] D6 = 0x00000000
[0x0a007fc0] D7 = 0x00000000
[0x0a007fc4] A0 = 0x00000000
[0x0a007fc8] A1 = 0x00000000
[0x0a007fcc] A2 = 0x00000000
[0x0a007fd0] A3 = 0x00008000
[0x0a007fd4] A4 = 0x00000000
[0x0a007fd8] A5 = 0x00000000
[0x0a007fdc] A6 = 0x00000000
[0x0a007fe0] A7 = 0x00000000
[0x0a007fe4] SSP = 0x00000000
[0x0a007fe8] SR = 0x0000
[0x0a007fec] PC = 0x00000000
[0x0a007fec] FMT/VO = 0x0000
----- System/pSOS Debug commands: -----
'?' - this help message.
'j' - drop into breakpoint.
'^C' - Abort to monitor.
'^P' - Process status info, and LOTS of it.
'[dD]' - Print DLP debug information.
'[bB]' - Big memory hog report.
'[pP]' - Process ONLY status info.
'[eE]' - Exchange info.
'[gG]' - toggle breakpoint exception handlers on/off
'[tT]' - Time log.
'[hH]' - History log.
'[oO]' - Memory segment ownership.
'[mM]' - Memory segment summary.
'[sS]' - Semaphore ownership, etc.
'[uU]' - maximum process stack Usage.
'[vV]' - memory Validity check.
'[iI]' - Show psosSystemData.
'[1]' - Show NVRAM contents.
'[9]' - Show Exception Report.
'[wW] <process name>' - Show process stack trace.
-
I found a debug interface command that is undocumented. Pressing "F4" had the effect shown below. I can't interpret it, but it might mean something.
(Firmware still A14.01, probably until Monday ...)
-
This dump is exactly Sandra's ESAFW with 8 bytes different (in the middle of the code :-//).
The problem is that you didn't run the app before taking the dump. We need the dump after the app has run/is running. Because all the rest of the mem is 0x00s.
Got it, didn't quite grasp what the issue was before. The application was definitely not running when I created the new dump.
Looking forward to seeing Sandra's results
still dumping, it's up to 0x040Dxxxx and it's all zeros in this area
I'm trying to figure out device addressing
the max address is 0x07FFFFFF only ADDRESS BIT 0..27 are used
21,22,23 are used to address the FLASH memory (thru a 74138)
U55 controls the addressing which is the communications controller which goes to the enable pin on the 74138
Ok here's my 2 dumps
one is from ESALOADER
second is after normal boot, entering a license, getting a fail. hit reset into ESALOADER then dump memory
-
Ok here's my 2 dumps
Binary form.
-
SIMM Repaired
The SIMM that caused the processor board to blow has been repaired. It apparently was upgraded from 4M to 12M of flash and the soldering was, um, poor.
I removed all flash and caps. Tested all of them. Flash was read, erased, programmed, read, erased and read for each of the 3 flash memories.
checked caps and replaced all.
also started work on the processor board. FWIW,
On J3 you can supply 5V @ 1.3A to the 3rd (of the longer) pin from the right side and on P7 for GND and you've got power.
It does need more voltages but boots with just 5V.
-
Ok here's my 2 dumps
Binary form.
what tool(s) did you use to do that?
-
what tool(s) did you use to do that?
I use UltraEdit in "Column Mode" which allows me to strip the left and right columns of text. Then do a Select All and paste it in HxD (in the binary zone). It's very simple and doesn't require any scripting and/or custom programming.
It's the same as selecting/copying just the binary dump bytes (in UltraEdit's "Column Mode") and paste them in HxD. See image.
-
I use UltraEdit in "Column Mode" which allows me to strip the left and right columns of text. Then do a Select All and paste it in HxD (in the binary zone). It's very simple and doesn't require any scripting and/or custom programming.
It's the same as selecting/copying just the binary dump bytes (in UltraEdit's "Column Mode") and paste them in HxD. See image.
And here I was thinking it was some python or other script to do it
Ultraedit I have, ever since V1, love it.
That's it! :-+ Please send the other options.
I will get other options today, some take awhile to dump
-
I will get other options today, some take awhile to dump
Sandra, repeat also your ESAFW dump because yours is incomplete. You didn't dump from 0x0401 1000 up to 0x0490 0000.
-
I will get other options today, some take awhile to dump
Sandra, repeat also your ESAFW dump because yours is incomplete. You didn't dump from 0x0401 1000 up to 0x0490 0000.
Yeh, think power died on the surface tablet before it finished
I’ll do again with power plugged in this time
edit:
Here's all the Debug menu options with their output
I edited to show the option selected as it's not echoed normally
ESAFW dump is running, tablet is plugged in this time
I entered 2 licenses
AYZ 888888888888
IDS 999999999999
-
ok it took many hours to dump that amount of memory but here's the "complete" dump this time
-
I just finished the firmware upgrade, I have the A14.06 version installed now. I have SA open, if necessary, I can disassemble the controller card and boot it on the table. I can make a memory dump, please just write me according to the procedure from which post 8)
EDIT
https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3228528/#msg3228528 (https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3228528/#msg3228528)
should I do according to this description (post #120 written by Sandra)?
As I understand it, reset is a shorting of the pins of connector J14.
-
EDIT
https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3228528/#msg3228528 (https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3228528/#msg3228528)
should I do according to this description (post #120 written by Sandra)?
That method is what she has just tried and doesn't work. It dumps the ESALOADR environment. The reset crushes all the ESAFW previous state.
-
OK, I get it. It would be best to have access to hardware ICE. I checked on ebay, there is no one unnecessary, dusty, complete Lauterbach ICE32_LA-6780_LA-6782_LA-6786. There is also no HP 64783A/B with the HP 9000 series 300 included. Anyway, none of them would cost $ 200... :-//
As a last resort, I see a solution in the ICE type. The board between the PGA socket and the processor. There is an additional uC on it. After system boots up, it stops MC68EC040 and reads memory and sends via its own serial port. Dynamic memory refresh is handled by the MC68EN360, but there can be tons of bus arbitration issues. It's just a rather complicated project ...
-
EDIT
https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3228528/#msg3228528 (https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3228528/#msg3228528)
should I do according to this description (post #120 written by Sandra)?
That method is what she has just tried and doesn't work. It dumps the ESALOADR environment. The reset crushes all the ESAFW previous state.
yeh it was worth a try but it's a no-go
It looks like we need to find out how to get the monitor menu from a normal boot.
You mention though that CTRL+C is disabled in the BootRom? Or is it disabled in the ESAFW?
Would it be hard to patch to enable that function?
The other thing is SCPI. There's supposed to be a debug interface (but undocumented) via SCPI and it may be faster than the serial interface.
Any recommendations on how to proceed?
-
Any recommendations on how to proceed?
I don't know if the Bootrom is somewhat old and maps the ^C jump address in a memory place that the ESALOADR A.05.00 knows where to find but the ESAFW A.14.06 doesn't (I've seen that both use different addresses, I think). Just a guess... I've tried to discover that to force the jump but... arghhh. damn language...
The way to proceed is to try a patch.
Please test if you can flash a patched FW (or live patch the ESAFW). You can test with a string used in any message onscreen.
If you are successful, I think I can craft a special patch.
-
Any recommendations on how to proceed?
Has anyone looked at the service information for these analyzers? Maybe another vector we can explore:
DRAM and flash EPROM can be erased by flipping switches on S1 or holding down front panel buttons during boot. Maybe there's some hidden features there...
-
Any recommendations on how to proceed?
I don't know if the Bootrom is somewhat old and maps the ^C jump address in a memory place that the ESALOADR A.05.00 knows where to find but the ESAFW A.14.06 doesn't (I've seen that both use different addresses, I think). Just a guess... I've tried to discover that to force the jump but... arghhh. damn language...
The way to proceed is to try a patch.
Please test if you can flash a patched FW (or live patch the ESAFW). You can test with a string used in any message onscreen.
If you are successful, I think I can craft a special patch.
If you know the address where the ctrl+c code is then I think in the debug menu the gu address command will jump to that address???
Maybe we can force it there?
-
The HOSTID is based on the PROCESSOR board. so if you change processor boards you do change the hostid
you are correct in that flash has nothing to do with it.
I have tried all the DIP switches but not all combinations. most seem to do nothing. SW2/SW3 erase SRAM/FLASH
If you load any software you don't get a running version of the ESAFW into DRAM and that's what we need. We need it running
edit:
The Keys are stored on the FLASH SIMM according to the Security Manual
The Processor is a 68LC040. kind of old
-
Before actually re-flashing my SA I thought I would try just changing the ESALOADR and after I changed some text the ESALOADR would not load, it just skipped it and booted normally.
I watched the serial port and saw nothing special there
can someone else try this on the loader disc and change some text and see if you get same result?
I know we're not after the loader for this but it's a test before going through a full re-flash, I only cried 9 times ;)
-
can someone else try this on the loader disc and change some text and see if you get same result?
I can try it out tomorrow, just change a few bytes in the ESALOADR image?
But, I have the feeling that it will fail. The boot ROM indicates that it calculates a checksum on flash before attempting to boot, and I have the feeling it does the same before booting from floppy.
-
can someone else try this on the loader disc and change some text and see if you get same result?
I can try it out tomorrow, just change a few bytes in the ESALOADR image?
But, I have the feeling that it will fail. The boot ROM indicates that it calculates a checksum on flash before attempting to boot, and I have the feeling it does the same before booting from floppy.
This is to find out if we can patch the FW ultimately. This was just a test using the ESALOADR. I'm using a USB floppy drive and I have had problems writing discs, so I want to see if it's that causing my problem and not a checksum problem. I don't think it is.
-
Be extremely careful! I just partially bricked my unit. In the first step, I made a little modification to the ESALOADR file (ESALOADR_1.PNG, ESALOADR_2.PNG). I restarted SA from FDD and it loaded. It showed a message to insert a second floppy disk, I was able to enter the monitor etc. Then I tried larger modifications to the ESALOADR file (shortened, more characters changed in the texts etc.). But after such modifications, it no longer wanted to load. At this point, I noticed that my options are not working and the maximum upper frequency is 6.78 GHz instead of 26.5 GHz. The options (1D5, 1DR, AYZ) could be restored by retyping the keys that are displayed on the licensing screen. But with maximum frequency there is a problem. Factory preset doesn't help. Only when I load my previous "User Preset" the frequency range is up to 26.5 GHz, but the following messages are displayed: LO Unlock, LO Unlevel.
In the evening I will look at the problem in more detail. :-BROKE
-
OK, I'm changing the level from DEFCON1 to DEFCON5. In the service menu, it's possible to limit the upper frequency to 6.7 or 13.2 GHz (Initialize Instrument/Max Freq). After switching to 26.5 GHz, rebooting and full align, everything returned to the normal state.
Be careful!
-
Please don't do changes in the ESALOADR. Try them in the ESAFW.
-
Be extremely careful! I just partially bricked my unit. In the first step, I made a little modification to the ESALOADR file (ESALOADR_1.PNG, ESALOADR_2.PNG). I restarted SA from FDD and it loaded. It showed a message to insert a second floppy disk, I was able to enter the monitor etc. Then I tried larger modifications to the ESALOADR file (shortened, more characters changed in the texts etc.). But after such modifications, it no longer wanted to load. At this point, I noticed that my options are not working and the maximum upper frequency is 6.78 GHz instead of 26.5 GHz. The options (1D5, 1DR, AYZ) could be restored by retyping the keys that are displayed on the licensing screen. But with maximum frequency there is a problem. Factory preset doesn't help. Only when I load my previous "User Preset" the frequency range is up to 26.5 GHz, but the following messages are displayed: LO Unlock, LO Unlevel.
In the evening I will look at the problem in more detail. :-BROKE
The issue is you changed the base identifier for the SA. while E4407B is the specific model. E4401 is the line of SA and which almost all use to identify parts.
when doing these tests I would advise against changing E4401 to anything else. change other TEXT
-
..Try them in the ESAFW.
I tried. I changed the text on the first floppy disk (first disk of the upgrade, not loader disk). In the menu for the external mixer, I changed the text: "Presel" to "11974Q". I started the upgrade. After the last floppy disk was loaded, a message was displayed on the SA screen. Nothing special on the serial terminal.
-
Please don't do changes in the ESALOADR. Try them in the ESAFW.
The reason for this is a FW update takes a very long time, about 30-45 minutes to read all the discs and then flash the firmware.
ESALOADR loads in a minute or so to see if a cksum error occurred there. it sounds like @suj was able to load so we can move on to changing the ESAFW
-
..Try them in the ESAFW.
I tried. I changed the text on the first floppy disk (first disk of the upgrade, not loader disk). In the menu for the external mixer, I changed the text: "Presel" to "11974Q". I started the upgrade. After the last floppy disk was loaded, a message was displayed on the SA screen. Nothing special on the serial terminal.
Well Pooh
So the LOADER must run a cksum on the FW before continuing
That would mean either find that routine in the loader or find how to patch the active system I would think
-
On the serial terminal there were only the number of bytes loaded from each disk. Nothing more.
-
Checksum-related fields:
+2C db NumInterleavedBanks = 02
+38 db BankSizeH[NumInterleavedBanks] = 00, 00
db BankSizeMH[NumInterleavedBanks] = 2C, 2C
db BankSizeML[NumInterleavedBanks] = 95, 95
db BankSizeL[NumInterleavedBanks] = CE, CE
db ChecksumH[NumInterleavedBanks] = 58, B2
db ChecksumL[NumInterleavedBanks] = 5C, A4
- so BankSize[0]=BankSize[1]=2C95CE, BankSize[0]+BankSize[1]=2C95CE+2C95CE=592B9C - matches file size
Checksum[bank] = sum(all bytes of bank):
Checksum[0] = 585C - matches sum of all even bytes of file
Checksum[1] = B2A4 - matches sum of all odd bytes of file
Edit: note that checksum calculation includes the checksum bytes themselves! (yes, they are not zeroed/skipped)
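
The header layout in the post above, turned into a small verifier (an added example, not part of the original post and not code from the firmware or its vendor). It assumes the stored value is the low 16 bits of the byte sum and that bank k holds every file byte at offset i with i % NumInterleavedBanks == k; the sample image is constructed, with filler bytes chosen by hand so the stored sums hold.

```python
"""Verify the interleaved-bank checksum header described in the post above."""
from dataclasses import dataclass

NUM_BANKS_OFF = 0x2C  # db NumInterleavedBanks (offset given in the post)
FIELDS_OFF = 0x38     # BankSizeH/MH/ML/L, ChecksumH/L: six arrays of N bytes


@dataclass
class BankReport:
    bank: int
    declared_size: int
    actual_size: int
    stored_sum: int
    computed_sum: int

    @property
    def ok(self):
        return (self.declared_size == self.actual_size
                and self.stored_sum == self.computed_sum)


def parse_header(image):
    """Return (bank count, declared bank sizes, stored 16-bit checksums)."""
    if len(image) <= NUM_BANKS_OFF:
        raise ValueError("image too short to hold NumInterleavedBanks")
    n = image[NUM_BANKS_OFF]
    if n == 0 or len(image) < FIELDS_OFF + 6 * n:
        raise ValueError("bad bank count or truncated header")
    # Each field is stored as one byte per bank, arrays back to back.
    rows = [image[FIELDS_OFF + r * n:FIELDS_OFF + (r + 1) * n] for r in range(6)]
    size_h, size_mh, size_ml, size_l, ck_h, ck_l = rows
    sizes = [(size_h[b] << 24) | (size_mh[b] << 16) | (size_ml[b] << 8) | size_l[b]
             for b in range(n)]
    sums = [(ck_h[b] << 8) | ck_l[b] for b in range(n)]
    return n, sizes, sums


def verify_image(image):
    """Recompute each bank's sum over ALL its bytes, checksum bytes included."""
    n, sizes, sums = parse_header(image)
    reports = []
    for b in range(n):
        bank = image[b::n]  # bank b = every n-th byte starting at offset b
        # Assumption: the stored value is the sum truncated to 16 bits.
        reports.append(BankReport(b, sizes[b], len(bank), sums[b], sum(bank) & 0xFFFF))
    return reports


def build_sample():
    """Constructed 0x48-byte image with two banks of 0x24 bytes each."""
    img = bytearray(0x48)
    img[0x2C] = 2                       # NumInterleavedBanks
    img[0x3E], img[0x3F] = 0x24, 0x24   # BankSizeL[0], BankSizeL[1]
    img[0x10], img[0x11] = 0xD9, 0xDB   # constructed filler, one byte per bank
    img[0x40], img[0x41] = 0x01, 0x01   # ChecksumH[0], ChecksumH[1]
    img[0x42], img[0x43] = 0x00, 0x00   # ChecksumL[0], ChecksumL[1]
    return bytes(img)


def flip_bit(image, offset):
    """Simulate single-bit corruption at one offset."""
    out = bytearray(image)
    out[offset] ^= 0x01
    return bytes(out)


def swap_bytes(image, a, b):
    """Exchange two bytes; used to show what an additive sum cannot see."""
    out = bytearray(image)
    out[a], out[b] = out[b], out[a]
    return bytes(out)


if __name__ == "__main__":
    good = build_sample()
    for label, img in (("intact", good),
                       ("bit flipped at 0x20", flip_bit(good, 0x20)),
                       ("0x10 and 0x12 swapped", swap_bytes(good, 0x10, 0x12))):
        print(label, [(r.bank, hex(r.computed_sum), r.ok) for r in verify_image(img)])
```

The swapped image still verifies because both offsets fall in bank 0 and addition is order-independent: the check catches a bad floppy read or a flipped bit, not a deliberate rearrangement, so it is an error check rather than an authenticity check.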
-
More info:
"bulk" flash starts from C000000.
How to enter ROM monitor before jumping to FW:
BootROM loads ESALOADER (from floppy) or main fw (from bulk flash) to DRAM then sends a 05 byte (ascii ENQ char) and waits for 06 (ascii ACK) reply with timeout. If this wait times out - jump to DRAM normally, otherwise - bypass jump and enter ROM monitor.
This can be used to try patches without flashing them:
- don't insert ESALOADER floppy
- interrupt normal start by replying to 05 with 06
- modify firmware in RAM (with smem/sbyte/sword/slong cmds)
- jump to modified firmware (with gu cmd)
-
The timeout is very short, it looks like 0.5 seconds maybe. These are probably those marked with 05, because the transmission stops for a moment at this point.
-
I think this should be done with a software, not manually. Short timeout, non-printable characters - this is not for humans.
But. If you have a terminal software capable of sending a 06 char you don't need to wait for 05 and react fast - just send that 06 continuously from power on until you see ROM Monitor command prompt.
-
The timeout is very short, it looks like 0.5 seconds maybe. These are probably those marked with 05, because the transmission stops for a moment at this point.
***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.
@(#)HEWLETT-PACKARD, E4401 Bootrom, 5.00
@(#)LDS Rev: 3.02 - Module Incremental (Sep 9 2003)
@(#)Linked: Sep 9 2003 14:46:44
Bootrom Checksum ...
Bootrom DRAM: Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM: Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
Self-tests complete.SRAM selftest results:
Start = 0xa000000
End = 0xa007fa3
Errors = 0x0
DRAM selftest results:
Start = 0x4011000
End = 0x6000000
Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19
Cache Enabled
16MBytes of FLASH
Download to Flash Selected
05
>>> mainMain()
text segment: 0x4011000 thru 0x4435e14 ( 424e14 bytes)
data segment: 0x4600000 thru 0x476dd88 ( 16dd88 bytes)
bss segment: 0x476dd88 thru 0x48bcce8 ( 14ef60 bytes)
ROM size: 0x00592b9c ( 592b9c bytes of 4194304 max.)
memory pool (all): 0x048bcce8 thru 0x05ffffff (24392472 bytes)
Calling start_psos() ...
>>>> debug() process starting
DLP Loaded - Power Suite Utilities, A.06.05, Nov 21 2003 15:45:40
-
I think this should be done with a software, not manually. Short timeout, non-printable characters - this is not for humans.
But. If you have a terminal software capable of sending a 06 char you don't need to wait for 05 and react fast - just send that 06 continuously from power on until you see ROM Monitor command prompt.
And we're in, normal boot, SecureCRT set to expect a 0x05 and send a 0x06 in response
What next?
***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.
@(#)HEWLETT-PACKARD, E4401 Bootrom, 5.00
@(#)LDS Rev: 3.02 - Module Incremental (Sep 9 2003)
@(#)Linked: Sep 9 2003 14:46:44
Bootrom Checksum ...
Bootrom DRAM: Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM: Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
Self-tests complete.SRAM selftest results:
Start = 0xa000000
End = 0xa007fa3
Errors = 0x0
DRAM selftest results:
Start = 0x4011000
End = 0x6000000
Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19
Cache Enabled
16MBytes of FLASH
Download to Flash Selected
ROM Monitor
Enter ? for help.
->
->?
bc [<hex boot config>] - set the bootrom configuration (see bchelp)
bootvars- display bootrom variables
bs - force a breakpoint when starting
dbyte [<hex start address> [num bytes]] - display memory using bytes
dlong [<hex start address> [num bytes]] - display memory using longs
dmem [<hex start address> [num bytes]] - display memory using bytes
dword [<hex start address> [num bytes]] - display memory using words
gbreak - force a gdb breakpoint
gdb - enable gdb trapping of exceptions
gu [<hex start addr>] - go to start address
hmon [device] - download into memory
rty test routine
sbyte <hex start address> <hexchars> - set memory using bytes
slong <hex start address> <hexchars> - set memory using longs
smem <hex start address> <hexchars> - set memory using bytes
sword <hex start address> <hexchars> - set memory using words
version - display bootrom version
->
-
What next?
"In like Flynn...."
Get us the memdump. You can make from 0x0401 1000 up to 0x0490 0000.
Great progress from abyrvalg! :clap:
-
Now I'm in the monitor software too. I will try memory dump.
-
What next?
"In like Flynn...."
Get us the memdump. You can make from 0x0401 1000 up to 0x0490 0000.
Great progress from abyrvalg! :clap:
Given it looks like it interrupted the flash did it have a chance to copy it?
Can we dump a smaller segment to verify before spending many hours reading out something that may not be good?
-
IMO there is no point in 0x4011000 dump, that should be an exact copy of ESAFW image. I see BootROM getting the image size from the same offset 0x38 (from flash at C000000), then just copying that amount of bytes from C000000 to 4011000. Dumping first 0x80-0x100 bytes and comparing them against ESAFW start should be enough to verify this.
-
IMO there is no point in 0x4011000 dump, that should be an exact copy of ESAFW image. I see BootROM getting the image size from the same offset 0x38 (from flash at C000000), then just copying that amount of bytes from C000000 to 4011000. Dumping first 0x80-0x100 bytes and comparing them against ESAFW start should be enough to verify this.
What’s our next step then?
-
What’s our next step then?
OK, do a memdump from 0x045A 0000 up to 0x0490 0000.
Before doing it, try to license 1 or 2 options, as you did before.
Your msg raised me a doubt: when you are in ROM Monitor, the equipment is not running? I ask this because we need to take the dump AFTER the licensing attempt. So if going into ROM monitor stopped the boot process we still need to finish booting.
If it's not like this then we need to setup a breakpoint. Tell me and I'll suggest an address.
-
What’s our next step then?
...when you are in ROM Monitor, the equipment is not running?...
The application does not appear to be running. Nothing is displayed on the SA screen, the off button does not work and you need to disconnect the mains plug to turn off the SA.
-
The application does not appear to be running. Nothing is displayed on the SA screen, the off button does not work and you need to disconnect the mains plug to turn off the SA.
Damn. Then we need to place a breakpoint and try to continue booting.
@abyrvalg, any suggestion for the restart address?
If we didn't intersect boot, where would the next addresses be?
Or, if you can say where is the address of ROM Monitor function, we can patch ESAFW to safely run monitor after it has tried licensing.
-
"gu" command without parameters should start the loaded image (without parameter it jumps to "image entry point" variable that is set to 4011000. That's where the normal uninterrupted start goes).
But there is one problem that I didn't notice before: depending on some peripheral reg bit (addr 200200C, mask 100) the jump function will reload the firmware image from flash before jumping (resetting any patches). And it looks like this bit is in wrong (for us) state: "Download to Flash Selected" message in log depends on it (otherwise it will say "Download to DRAM Selected").
This hw bit looks like one of the DIP switches. Someone please try this:
- enter ROM monitor
- dump reg with "dword 200200C" command
- flip one of the DIP switches
- dump reg again to check if it is changed
- repeat with the next switch
@tv84, ROM Monitor address is D8A4. Interesting, there is a "syscall" to execute a single ROM Monitor command from the main app (at 04132418: trap #0E with arg=0A. All "trap #0E" functions are BootROM calls leading to handler at D1EC), but I see no refs to it.
-
Interesting, there is a "syscall" to execute a single ROM Monitor command from the main app (at 04132418: trap #0E with arg=0A. All "trap #0E" functions are BootROM calls leading to handler at D1EC), but I see no refs to it.
What about patching one of the ones that we (I mean you! :) )know how to trigger, like arg=03, 04, 05 ? ;)
-
Invoking a single command via syscall would require a command string to be prepared somewhere in memory and passed to the syscall. If the goal is to capture the data section contents after a single action then it should be easier just to jump to the monitor.
Or do this:
- start the ESA normally
- do the action (enter license key)
- prepare 05-06 boot interruption
- reset the ESA to go to ROM mon
- dump the data section (4600000+)
The data section gets reinitialized by ESAFW, so if we don't start it after reboot - there will be previous content available for dump.
Another option (if you want to watch some specific var and do it many times) is to patch some debug printf to output the desired data.
-
give me a few minutes please 8) I have a MB reset connected with an external button, it should work.
-
To verify that RAM content is still alive (before going for long dumps) you can do this: dlong 4600020 - should display 04028318
-
To verify that RAM content is still alive (before going for long dumps) you can do this: dlong 4600020 - should display 04028318
It's a good tip. I'm not sure about DRAM refreshing after reset.
-
Not working. I will try once more but after reset (using motherboard reset connector) I have this result:
->dlong 0x04600020
04600020 00000000 00000000 00000000 00000000 ................
-
I've studied the PSOS debug handler: nothing like "^C" handling there, but there is one undocumented cmd with unclear functionality: lowercase "r".
-
Ok, so we need patching. Could someone try figuring out the DIP switch responsible for Flash/DRAM boot as described here: https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3238002/#msg3238002 (https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3238002/#msg3238002) ?
-
I conducted an experiment. In the monitor:
->slong 04600020 04028318
->dlong 04600020
04600020 04028318 00000000 00000000 00000000 ................
Then reset and:
->dlong 04600020
04600020 00000000 00000000 00000000 00000000 ................
Clearly the contents of the DRAM cannot survive the hardware reset.
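
A script alternative to the manual column-mode conversion described earlier in the thread, written for the dlong/dword line format quoted in this post (an added example, not part of any post and not a tool used by the participants). It assumes at most 16 data bytes per line and big-endian groups as printed; the transcript is constructed around the two lines shown above.

```python
"""Turn captured ROM-monitor dump text into bytes and report missing ranges."""
import re

LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+(.*)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
MAX_BYTES_PER_LINE = 16  # assumption taken from the dlong lines in the thread


def parse_line(line):
    """Return (address, data) for a dump line, or None for prompts and noise."""
    m = LINE_RE.match(line)
    if not m:
        return None  # e.g. "->dlong 04600020" or boot messages
    tokens = m.group(2).split()
    if not tokens or len(tokens[0]) not in (2, 4, 8) or not HEX_RE.match(tokens[0]):
        return None
    width = len(tokens[0])  # 2, 4 or 8 hex digits for dbyte, dword, dlong
    data = bytearray()
    for tok in tokens:
        # Stop at the ASCII column: wrong width, non-hex, or the line is full.
        if len(tok) != width or not HEX_RE.match(tok):
            break
        if len(data) + width // 2 > MAX_BYTES_PER_LINE:
            break
        data += bytes.fromhex(tok)
    return int(m.group(1), 16), bytes(data)


def parse_dump(text):
    """Return sorted [(start_address, bytes)] with adjacent lines merged."""
    chunks = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1]:
            chunks[parsed[0]] = parsed[1]  # a repeated address keeps the last read
    segments = []
    for addr in sorted(chunks):
        if segments and segments[-1][0] + len(segments[-1][1]) == addr:
            segments[-1][1].extend(chunks[addr])
        else:
            segments.append([addr, bytearray(chunks[addr])])
    return [(a, bytes(d)) for a, d in segments]


def find_gaps(segments, start, end):
    """List [from, to) ranges inside start..end that the capture does not cover."""
    gaps, cursor = [], start
    for addr, data in segments:
        if addr >= end:
            break
        if addr + len(data) <= cursor:
            continue
        if addr > cursor:
            gaps.append((cursor, addr))
        cursor = max(cursor, addr + len(data))
    if cursor < end:
        gaps.append((cursor, end))
    return gaps


def read_long(segments, address):
    """Big-endian 32-bit value at address, or None if it was not captured."""
    for addr, data in segments:
        off = address - addr
        if 0 <= off and off + 4 <= len(data):
            return int.from_bytes(data[off:off + 4], "big")
    return None


# Constructed capture: two reads with a 16-byte hole between them.
SAMPLE = """\
->dlong 04600020
04600020 04028318 00000000 00000000 00000000 ................
04600030 00000001 deadbeef 00000000 00000000 ................
->dlong 04600050
04600050 41424344 00000000 00000000 00000000 ABCD............
"""

if __name__ == "__main__":
    segs = parse_dump(SAMPLE)
    print([(hex(a), len(d)) for a, d in segs])
    print([(hex(a), hex(b)) for a, b in find_gaps(segs, 0x04600020, 0x04600060)])
    print(hex(read_long(segs, 0x04600020)))
```

Running find_gaps over the intended range before analysis shows whether a long capture was cut short, and read_long at 04600020 gives the same liveness check suggested in the thread.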
-
Ok, so we need patching. Could someone try figuring out the DIP switch responsible for Flash/DRAM boot as described here: https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3238002/#msg3238002 (https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3238002/#msg3238002) ?
I need some time. MB need to be removed to change dip-switch settings
-
Could you try the "r" cmd (in normal mode) also?
-
Of course. I have SA opened and it's possible to change dip-switch without removing MB.
-
"r" like RESET. But:
->dlong 04600020
04600020 00000000 00000000 00000000 00000000
-
I conducted an experiment. In the monitor:
->slong 04600020 04028318
->dlong 04600020
04600020 04028318 00000000 00000000 00000000 ................
Then reset and:
->dlong 04600020
04600020 00000000 00000000 00000000 00000000 ................
Clearly the contents of the DRAM cannot survive the hardware reset.
I missed something... |O
@abyrvalg, when is that location filled with the 04028318 ?
-
I can't get consistent readings from address 0x0200200c when changing dip-switches. It looks different after the reset. Sometimes, with the same settings, the readings are different depending on the time in which the reading is made.
-
DRAM not surviving: found the reason - BootROM clears entire DRAM at each start, so reset is not our friend :(
Inconsistent switch reg reading: there can be some other bits not related to switches, ignore them. We are interested in bit 8 (hex mask 0100), normally it should be 0 (for "Download to Flash Selected") and we need to switch it to 1 (for "Download to DRAM Selected").
-
@tv84, a function at 04011078 in ESAFW initializes data section (04600000-0476DD88) by copying from 04435E14 and clears bss section (0476DD88-048BCCE8)
-
DIP switch #4, ON position (default)
->dword 0x0200200c
0200200c 0400 ..
DIP switch #4, OFF position
->dword 0x0200200c
0200200c 0500 ..
-
After booting with DIP switch #4 in OFF position:
***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.
@(#)HEWLETT-PACKARD, E4401 Bootrom, 5.00
@(#)LDS Rev: 3.02 - Module Incremental (Sep 9 2003)
@(#)Linked: Sep 9 2003 14:46:44
Bootrom Checksum ...
Bootrom DRAM: Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM: Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
Self-tests complete.SRAM selftest results:
Start = 0xa000000
End = 0xa007fa3
Errors = 0x0
DRAM selftest results:
Start = 0x4011000
End = 0x6000000
Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19
Cache Enabled
16MBytes of FLASH
Download to DRAM Selected
ROM Monitor
Enter ? for help.
-
Great! That's it!
So, what we can do now:
- set DIP4 to ON (to enable ESAFW loading from flash)
- start the ESA with boot interruption
--- now we have stock ESAFW loaded from flash into DRAM, but we are in ROM Monitor
- patch ESAFW in RAM (with smem/sbyte/sword/slong)
- set DIP4 to OFF (to disable ESAFW reload in "gu" command)
- send gu command to start the patched image from DRAM
@tv84, any ideas what to patch?
I'm going to prepare some patch to jump from ESAFW back to ROM Monitor (i.e. with some of the psos debug commands) without reset to dump the data section content finally.
-
sword 04139614 4ef9
sword 04139618 d8a4
gu
- ESAFW should start normally after this. Then, when it is running already, press "r" and you should get back to ROM Monitor with DRAM keeping the content (try dlong 04600020 there to see).
-
->dlong 04600020
04600020 04028318 04028324 0402832a 04028331 .......$...*...1
-
My steps:
0. Set the serial terminal to 19200,8n1
1. DIP sw #4 set to ON
2. break the boot process with 0x06
3. sword 04139614 4ef9
4. sword 04139618 d8a4
5. DIP sw #4 set to OFF
6. gu
7. SA restart in normal mode
8. Press "r" and we are in the monitor now 8)
9. Change the serial port speed.
>slong 815F4 1001A
10. Change speed of the serial terminal to 115200, 8n1
Respect for you :-+ :-+ :-+
-
My steps:
1. DIP sw #4 set to ON
2. break the boot process with 0x06
3. sword 04139614 4ef9
4. sword 04139618 d8a4
5. DIP sw #4 set to OFF
6. gu
7. SA restart in normal mode
8. Press "r" and we are in the monitor now 8)
Respect for you :-+ :-+ :-+
Cool, I wake up and you all have done a lot.
@suj how are you flipping the DIP SW without removing the Processor Card?
a long stick??? LOL
-
@suj how are you flipping the DIP SW without removing the Processor Card?
a long stick??? LOL
-
@suj how are you flipping the DIP SW without removing the Processor Card?
a long stick??? LOL
Ah, right angle tweezers and coming in from that angle, thanks. :-+
-
Great!
@tv84, your turn! :)
Btw, does anyone know what UART IC is used in ESA? Perhaps it is possible to raise the baudrate by writing to some regs manually from the Monitor.
-
Btw, does anyone know what UART IC is used in ESA? Perhaps it is possible to raise the baudrate by writing to some regs manually from the Monitor.
It's part of the 68EN360 QUICC. It's working in "companion" mode with the 68LC040.
-
Great!
@tv84, your turn! :)
Btw, does anyone know what UART IC is used in ESA? Perhaps it is possible to raise the baudrate by writing to some regs manually from the Monitor.
Given where we are I don't know if this is worth pursuing or not, but there appears to be some kind of undocumented SCPI debug interface, and FLASH from SCPI is a supported option as well.
Found it by mistake:
hmon [device] - download into memory
defaults to loading from SCPI
I've not been able to find what [device] is supported
SCPI does not work, but hmon on its own loads from it
tried FLOPPY, FLASH, 0-1, A-Z, A:-C: and a few more
even things like /dev/fd0
If we want to avoid that, that's fine, I defer to the gurus here.
-
@tv84, any ideas what to patch?
I'm going to prepare some patch to jump from ESAFW back to ROM Monitor (i.e. with some of the psos debug commands) without reset to dump the data section content finally.
I think I can patch the license validation ATM. Although, having some idea of how flexlm tests licenses, I don't know what are the consequences of activating all licenses.
I would prefer 1st to have the dump, so that I can search for the seeds. If I can find the seeds in the dump, the keygen will be instantaneous.
Do you want the same dump we've had before or a different one?
-
I would not like to look too far into the future, but maybe it would also be worth reflecting on one of the problems. Probably most owners of the E4401 series hope to unlock the 219 option. Due to the measurement method (Y-factor), cooperation with the equipment is required. And here comes the problem under the name E4401-60123. It is not described in CLIP and there is no schematic diagram. I only found one low resolution photo on the internet. The card works with two types of noise sources: traditional sources of the 346 series and newer SNS series (N4000A, N4001A, N4002A). Cooperation with newer ones is more demanding. The noise source has a memory (probably EEPROM) with a stored ENR table and measures its temperature. Working out this can be very difficult. The type 346 sources, on the other hand, only require +28 V voltage switch. A DC/DC converter is placed on the card. One bit is required for ON/OFF keying only. The card itself should work without option 219, there is an option "Press Service, More, Noise Source (On)" in the service menu. And that could be a hook for finding the address of that bit that needs to be switched. Another thing is the card identification. FW should think the card is inserted. This is a way to create hardware that emulates part of the E4401-60123 card to work with 346 series sources. Connectors such as on the E4401 series expansion cards are available from Mouser. The E4401-60123 card itself is available in Keysight as far as I remember. Over $2800...
-
Supported hmon devices:
DOWNLOAD - this is wrong, no such device in device table
HPIB - HP's GPIB ?
RS232BINARY - self-explanatory
this command invokes a dedicated protocol handler supporting commands like "jump to address", "write to RAM", "write to flash", "start fw from flash", so nothing new there.
Baudrate:
there are 4 baud rate generators (each can be assigned to one of 4 ports independently), all of them are initialized to the same value corresponding to 19200 @25MHz source. I didn't search for the BRG->port assignment, it looks faster to try writing to the divider regs one by one until we lose the communication (that will mean that the speed is changed, time to reconfigure the PC port and try the new speed).
Divider register addresses:
815F0
815F4
815F8
815FC
- all are 32-bit, so use slong cmd to write to them
Values for different baud rates:
100A0 - 19200 (current setting)
10050 - 38400
10034 - 57600
1001A - 115200
-
I'll try. This is the serial port which we use.
-
So the correct register is 815F4
- write new value with slong
- check if communication is lost
- change the baudrate of PC to the new value
- check if communication is back
- do dumps at high speed
...
- profit!
-
Supported hmon devices:
DOWNLOAD - this is wrong, no such device in device table
HPIB - HP's GPIB ?
RS232BINARY - self-explanatory
this command invokes a dedicated protocol handler supporting commands like "jump to address", "write to RAM", "write to flash", "start fw from flash", so nothing new there.
Baudrate:
there are 4 baud rate generators (each can be assigned to one of 4 ports independently), all of them are initialized to the same value corresponding to 19200 @25MHz source. I didn't search for the BRG->port assignment, it looks faster to try writing to the divider regs one by one until we lose the communication (that will mean that the speed is changed, time to reconfigure the PC port and try the new speed).
Divider register addresses:
815F0
815F4
815F8
815FC
- all are 32-bit, so use slong cmd to write to them
Values for different baud rates:
100A0 - 19200 (current setting)
10050 - 38400
10034 - 57600
1001A - 115200
BINGO
dlong 815F4 1001A
wrote, disconnect, reconnect at 115200
btw:
dlong 815f0 1001a: lose connection and cannot reconnect
-
Great! :-+
Looks like 815F0 controls some internal module-to-module port, so the CPU loses the communication with some essential part of the hw.
-
I have edited my list in the post https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3238350/#msg3238350 as a memo.
-
Do you want the same dump we've had before or a different one?
To start let's do:
A memdump from 0x045A 0000 up to 0x0490 0000.
Before doing it, try to license 1 or 2 options, as you did before.
-
My memory dump with real licences.
-
Do you want the same dump we've had before or a different one?
To start let's do:
A memdump from 0x045A 0000 up to 0x0490 0000.
Before doing it, try to license 1 or 2 options, as you did before.
Order is important on this
follow the steps from @suj
dump started @ 115Kb
dbyte 045a0000 3538944
licenses entered
AYZ 888888888888
IDS 999999999999
-
My memory dump with real licences.
What options/keys did you have installed? Might help searching for them.
FWIW, according to the sanitization guide, options/licenses are stored in FLASH.
The FLASH on the BOARD is for FW, the FLASH SIMM is where your c: drive is and likely where options are stored permanently.
-
My E4407B came to me with the following licensed options:
1D5 Hi Stability Freq Ref
1DR Narrow Resolution BW
AYZ External Mixing
-
My E4407B came to me with the following licensed options:
1D5 Hi Stability Freq Ref
1DR Narrow Resolution BW
AYZ External Mixing
1DR Narrow Resolution BW
This is where I think we should start. Most but not all SAs have the hardware for this built in.
Mine has no licensed options installed, but hardware options that do not require licenses I have
1D5 Hi Stability Freq Ref
1DN TG 3.0Ghz
IDN
-
BTW, with modern serial ports supporting fractional baud rates (i.e. FTDI-based) and terminal sw supporting arbitrary baudrate numbers (not a dropdown list of fixed values) it should be possible to achieve speeds higher than 115200. The relation is: baudrate = 25000000/(16*(((BRG & FFFF)>>1)+1)), so the theoretical maximum is 1.56 Mbps. With the 25MHz base frequency higher speeds deviate too much from the standard values, but fractional-capable ports should handle it. The only question is the ESA’s hardware limit (i.e. some slow buffers in the signal path).
-
Do you want the same dump we've had before or a different one?
To start let's do:
A memdump from 0x045A 0000 up to 0x0490 0000.
Before doing it, try to license 1 or 2 options, as you did before.
dbyte 045a0000 3538944
licenses entered
AYZ 888888888888
IDS 999999999999
dump attached
-
BTW, with modern serial ports supporting fractional baud rates (i.e. FTDI-based) and terminal sw supporting arbitrary baudrate numbers (not a dropdown list of fixed values) it should be possible to achieve speeds higher than 115200. The relation is: baudrate = 25000000/(16*(((BRG & FFFF)>>1)+1)), so the theoretical maximum is 1.56 Mbps. With the 25MHz base frequency higher speeds deviate too much from the standard values, but fractional-capable ports should handle it. The only question is the ESA’s hardware limit (i.e. some slow buffers in the signal path).
The RXD_RP and TXD_RP go direct to U63/MAX232ACWE
-
From DS MAX232ACWE
High Data Rates
These transceivers maintain the RS-232 ±5.0V minimum
driver output voltages at data rates of over
120kbps. For data rates above 120kbps, refer to the
Transmitter Output Voltage vs. Load Capacitance
graphs in the Typical Operating Characteristics.
Communication at these high rates is easier if the
capacitive loads on the transmitters are small; i.e.,
short cables are best.
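Added example (not part of any post in this thread): the divider relation quoted above, worked in both directions in Python, showing how far each rate the 25 MHz source can produce sits from the standard value and how long a text dump takes at a given setting. The enable bit at 0x10000 and the 75-character dump line are assumptions read off the register values and `dbyte` output shown in the thread; the function names are hypothetical.

```python
import math

BRG_CLOCK_HZ = 25_000_000   # base frequency stated in the thread
ENABLE_BIT = 0x10000        # assumption: bit 16, set in every value the thread lists
DUMP_LINE_CHARS = 75        # assumption: address + 16 hex bytes + ASCII column + CRLF
BITS_PER_CHAR = 10          # 8n1: start bit + 8 data bits + stop bit


def brg_to_baud(brg: int) -> float:
    """Rate produced by a divider register value (relation from the thread)."""
    divider = ((brg & 0xFFFF) >> 1) + 1
    return BRG_CLOCK_HZ / (16 * divider)


def baud_to_brg(target: int) -> int:
    """Register value whose actual rate is closest to the requested one."""
    if target <= 0:
        raise ValueError("target rate must be positive")
    ideal = BRG_CLOCK_HZ / (16 * target)
    # The rate is proportional to 1/divider, so compare both neighbours
    # by resulting rate instead of simply rounding the divider.
    candidates = {max(1, math.floor(ideal)), max(1, math.ceil(ideal))}
    best = min(candidates,
               key=lambda d: abs(BRG_CLOCK_HZ / (16 * d) - target))
    if best - 1 > 0x7FFF:
        raise ValueError("rate too low for the field covered by the mask")
    return ENABLE_BIT | ((best - 1) << 1)


def error_pct(brg: int, nominal: int) -> float:
    """Signed deviation of the generated rate from the nominal rate."""
    return (brg_to_baud(brg) - nominal) / nominal * 100.0


def rate_table(targets):
    """(nominal, register value, actual rate, error %) for each target."""
    rows = []
    for nominal in targets:
        brg = baud_to_brg(nominal)
        rows.append((nominal, brg, brg_to_baud(brg), error_pct(brg, nominal)))
    return rows


def dump_seconds(n_bytes: int, brg: int) -> float:
    """Time to receive a text dump of n_bytes, 16 bytes per output line."""
    lines = math.ceil(n_bytes / 16)
    return lines * DUMP_LINE_CHARS * BITS_PER_CHAR / brg_to_baud(brg)


if __name__ == "__main__":
    print("nominal  register  actual     error")
    for nominal, brg, actual, err in rate_table(
            (19200, 38400, 57600, 115200, 230400, 460800, 921600)):
        print(f"{nominal:7d}  {brg:08X}  {actual:9.0f}  {err:+6.2f}%")
    size = 3538944  # dump length used in the thread
    for brg in (0x100A0, 0x1001A):
        print(f"{size} bytes at {brg:05X}: {dump_seconds(size, brg) / 60:.1f} min")
```

The host port has to be set to the actual rate, not the nominal one, once the deviation exceeds what the receiving UART tolerates.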
-
@suj
Do you by chance have an XGecu T56 Universal programmer?
I just got my PCB to try to read the FLASH SIMM
assuming it works I could send a board to you to read out yours.
unless we know the address for that FLASH SIMM and we can read out thru the monitor now?
-
I don't have this programmer. I have an older SEPROG programmer that supports some FLASH but I have to check. I doubt if such large memories. I finished using the programmer and EPROM emulator with the end of the 8051 and EPROM with a UV window era. Maybe send me your PCB gerbers? I will order from JLCPCB or locally and I will have it in a week. I would also have to order a 72 pin SIMM socket from Mouser. I haven't seen a SIMM anymore at the local main supplier, but I will check with smaller sellers.
I can also locally look for a more modern programmer. Any suggestion of type of the programmer?
-
I don't have this programmer. I have an older SEPROG programmer that supports some FLASH but I have to check. I doubt if such large memories. I finished using the programmer and EPROM emulator with the end of the 8051 and EPROM with a UV window era. Maybe send me your PCB gerbers? I will order from JLCPCB or locally and I will have it in a week. I would also have to order a 72 pin SIMM socket from Mouser. I haven't seen a SIMM anymore at the local main supplier, but I will check with smaller sellers.
I can also locally look for a more modern programmer. Any suggestion of type of the programmer?
I'm making some changes to the PCB to fix some minor issues I encountered. Happy to share the gerbers though.
This could be used with any programmer that supports the FLASH memory, but is designed for the T56.
The T56 is the TL866II Plus's (very popular unit) bigger brother and the direction they are going. Supports 25K+ memories and logic ICs.
-
My quick research favors TL866II+. Over 3x cheaper in my country than the T56.
-
My quick research favors TL866II+. Over 3x cheaper in my country than the T56.
But it can’t read the flash on the simm module
T56 has extra I/O to do it
If you want a unit for general use the TL866II+
Is a great unit
-
I performed a memory dump after a reset. It's different :-//
-
I can derive a rough memory map from QUICC's BRx/ORx regs initialization:
0: 00000000 [20000] SRAM-like, slow timing - this is BootROM as we already know
1: 04000000 [400000] DRAM-like, fast timing - this is DRAM bank 0
2: 04400000 [400000] DRAM-like, fast timing - this is DRAM bank 1
3: 02000000 [20000] SRAM-like, external timing - FPGA ? DIP switches regs are here, flash size reg, DRAM size reg
4: 08000000 [100000] SRAM-like, external timing - ??
5: 0A000000 [80000] SRAM-like, external timing - this is SRAM
6: 0C000000 [400000] SRAM-like, external timing - this is firmware flash
7: 0E000000 [20000] SRAM-like, external timing - ??
Try dumping a small piece from each of the two unknown regions (08000000, 0E000000), maybe the content will provide some ideas.
-
->dbyte 08000000 256
08000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
08000010 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
08000020 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
08000030 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
08000040 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
08000050 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
08000060 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
08000070 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
08000080 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
08000090 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
080000a0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
080000b0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
080000c0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
080000d0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
080000e0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
080000f0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
->dbyte 0E000000 256
0e000000 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 ................
0e000010 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 ................
0e000020 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 ................
0e000030 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 ................
0e000040 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 ................
0e000050 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 ................
0e000060 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 ................
0e000070 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 ................
0e000080 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 ................
0e000090 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 ................
0e0000a0 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 ................
0e0000b0 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 ................
0e0000c0 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 ................
0e0000d0 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 ................
0e0000e0 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 ................
0e0000f0 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 bc 00 ................
-
Maybe this memory map is related to CS signals from the QUICC?
-
I'm currently analyzing the encrypt function (pretty old flexlm) and have not been following all your new debug/dump capabilities.
@abyrvalg, can we place an infinite loop in the code and prepare to do some selected dumps? can you provide the patch? Later I'll provide the address(es).
-
I'm currently analyzing the encrypt function (pretty old flexlm) and have not been following all your new debug/dump capabilities.
@abyrvalg, can we place an infinite loop in the code and prepare to do some selected dumps? can you provide the patch? Later I'll provide the address(es).
Yeh flexlm should be 6.0d so yeh very old
-
@tv84, you want to stop some function in an infinite loop before it destroys FLEXlm seeds and enter dump mode in that state?
Just patch the instruction where you want to stop to "jmp ROMMonitor":
sword YourAddr 4EF9 - "jmp imm32" opcode
slong YourAddr+2 0000D8A4 - address of ROMMonitor
-
Should I try to add new licenses or in my case the installed ones are enough?
-
Should I try to add new licenses or in my case the installed ones are enough?
The installed are enough because, when it tries to validate the installed ones (at app start), it will break into ROM Monitor so you won't be able to try a new one.
In the case of Sandra, where there is no license, I think she must force the licensing.
-
From my calculations, the memory dump should end around 15:40 CET (13:40 GMT). Approximately 120 MB text file.
Now I go to the grocery store to do my shopping, allowing me to stay within 20 meters from my "laboratory" for the next week. 8)
-
@tv84, now I understand why you need such big dumps, your values of interest are local variables with no fixed addresses - right?
What we can do is to patch the code to save a register to some fixed unused location, then dump it from there.
A patch to save "vendor key 5" to 045FFFFC (this address is unused) and continue normally:
sword 043F398E 23C0
slong 043F3990 045FFFFC
slong 043F3994 60000018
+ our earlier patch to go to Mon with r key press
sword 04139614 4ef9
sword 04139618 d8a4
- enter any license
- press "r" to go to Mon
- dump 4 bytes from 045FFFFC
-
@tv84, now I understand why you need such big dumps, your values of interest are local variables with no fixed addresses - right?
Right. :-+ Your suggestion was also on my mind. I hope we don't need it but, if we do, I will need your help. I also need to have a full confirmation of what is being hashed and, for that, the dump should provide the definitive answer.
I have a hard time recognizing how the registers of this thing work. It's almost like Blackfin! :)
-
Dumping “vendor key 5” should be enough - this is old FLEXlm, the seeds are stored in VENDORCODE xored with this vk5 (look down from the location I’m patching - they verify if the seeds are “demo” 12345678 87654321 by direct xoring with this value. Various tutorials from the 6.0 era say the same).
I have a universal recipe for how to start feeling at home with any CISC asm - spend some time in QDSP (Hexagon) asm :-DD
-
Dumping “vendor key 5” should be enough - this is old FLEXlm, the seeds are stored in VENDORCODE xored with this vk5 (look down from the location I’m patching - they verify if the seeds are “demo” 12345678 87654321 by direct xoring with this value. Various tutorials from the 6.0 era say the same).
Sure but where is vendorcode? You still need it. With vendorcode, we would be done.
-
At 04600D5C. A search for "6.0" gets you there easily. You need to have the data section initialized of course, mentioned that earlier - copy from 04435E14 to 04600000-0476DD88. But a copy of that structure can be found in the "source" area too.
-
Stop the press! (and the dumps...) :popcorn:
Enc_seeds validated OK!
@suj license correctly validated.
How dumb!! How could I've missed that structure!!!! |O |O
EDIT: Mystery solved! This proc is BIG ENDIAN and my search function only searches in LITTLE ENDIAN (will correct it)! Sorry all for all the trouble but it was a new experience. A special recognition to @abyrvalg. Amazing talent! :clap:
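The byte-order miss described in the EDIT above, as an added example that is not part of the original post: a Python parser for the monitor's `dlong` output that rebuilds the bytes in the target's big-endian order, cross-checks each row against its ASCII column, and searches for a 32-bit value in both byte orders. The sample capture is constructed from the `dlong` line posted earlier in the thread; the function names and the printable-character rule are assumptions.

```python
import re
import struct

# Constructed capture: the prompt and dlong row posted earlier in the thread.
SAMPLE = (
    "->dlong 04600020\n"
    "04600020 04028318 04028324 0402832a 04028331 .......$...*...1\n"
)

# address, one to four 32-bit words, then whatever follows (ASCII column)
ROW = re.compile(r"^([0-9a-fA-F]{8})((?: [0-9a-fA-F]{8}){1,4})(.*)$")


def printable(b: int) -> str:
    """Assumed rendering rule: printable ASCII as-is, everything else '.'."""
    return chr(b) if 0x20 <= b <= 0x7E else "."


def parse_dlong(text: str):
    """Return (base_address, data, mismatched_rows) from dlong output.

    Words are packed big-endian, the order a 68k-family CPU stores them.
    A row whose ASCII column disagrees with its hex words is reported,
    which catches characters dropped or garbled on a fast serial link.
    """
    base, data, mismatches = None, bytearray(), []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompts, echoed commands, blank lines
        addr = int(m.group(1), 16)
        row = b"".join(struct.pack(">I", int(w, 16))
                       for w in m.group(2).split())
        if base is None:
            base = addr
        elif addr != base + len(data):
            raise ValueError(f"gap or repeat at {addr:08x}")
        tail = m.group(3)
        if len(tail) >= len(row):
            shown = tail[-len(row):]
            if shown != "".join(printable(b) for b in row):
                mismatches.append(addr)
        data += row
    if base is None:
        raise ValueError("no dump rows found")
    return base, bytes(data), mismatches


def find_u32(data: bytes, value: int, base: int = 0):
    """Addresses where value occurs, searched in both byte orders."""
    hits = {}
    for order, fmt in (("big", ">I"), ("little", "<I")):
        needle = struct.pack(fmt, value)
        found, i = [], data.find(needle)
        while i != -1:
            found.append(base + i)
            i = data.find(needle, i + 1)
        hits[order] = found
    return hits


if __name__ == "__main__":
    base, data, bad = parse_dlong(SAMPLE)
    print(f"{len(data)} bytes from {base:08x}, mismatched rows: {bad}")
    hits = find_u32(data, 0x04028324, base)
    print("big-endian hits:   ", [f"{a:08x}" for a in hits["big"]])
    print("little-endian hits:", [f"{a:08x}" for a in hits["little"]])
```

A search that only packs the needle little-endian returns nothing on this capture, which is the failure the post describes.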
-
Stop the press! (and the dumps...) :popcorn:
Enc_seeds validated OK!
@suj license correctly validated.
How dumb!! How could I've missed that structure!!!! |O |O
Other than some banging head on wall this sounds good right?
I was just getting ready to do the dump :phew:
-
Other than some banging head on wall this sounds good right?
AYZ EA726914DBAD
-
Other than some banging head on wall this sounds good right?
AYZ EA726914DBAD
I will let a picture speak for me
:clap: :clap: :clap:
-
To check option AYZ you can go to "Input" menu and check if you can change mixer to external. To use this you must connect connector J6 from the A8A4 module and J4 from the same module to external sockets (IF in, LO Out). And you can use unpreselected harmonic mixers (for example 11970 series). To use preselected (11974) you need the frequency extension module.
-
That was a straight OPTION
can we try a personality to see if those work?
if so try Option 225
-
To check option AYZ you can go to "Input" menu and check if you can change mixer to external. To use this you must connect connector J6 from the A8A4 module and J4 from the same module to external sockets (IF in, LO Out). And you can use unpreselected harmonic mixers (for example 11970 series). To use preselected (11974) you need the frequency extension module.
I don't have the external mixers but I do have a 4407B with frequency extension and the menu is available
-
Here is the fishing rod. (a little homework is always beneficial)
-
That was a great teamwork, thanks to everyone! :clap: See you in the next “instrument improvement” thread >:D
-
That was a great teamwork, thanks to everyone! :clap: See you in the next “instrument improvement” thread >:D
Sure it was. Always a pleasure when it is like this. smgvbest and suj also had a special recognition for all their hard work. ;)
I've just checked a BAC personality and all is good! See you in next quest (now with BigEnd activated!).
-
A big thank you to the whole team. You are geniuses!
I will now work on addressing cards via the E4401. When I have conclusions, I will ask you for help in finding this I/O address that allows to turn the noise source on and off.
:-+ :-+ :-+
EDIT
If you are looking for a challenge, I am always ready to provide support. LE, BE who wants what...
;D
-
Some info on card addressing:
there are 8 "I/O slots" (0-7), each one gets an address window at 08000000+0x4000*slot_number
register at BASE+3FFE (size: byte) looks like "device type":
1 - HPIB adapter
4 - floppy controller
Edit: other card types recognized by ESAFW:
6
8
3, 7, 10 - some similar types handled by common code
-
This (https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3239946/#msg3239946) can also be used in the old E44xxB ESG Signal Generators.
Just checked.
-
Some info on card addressing:
there are 8 "I/O slots" (0-7), each one gets an address window at 08000000+0x4000*slot_number
register at BASE+3FFE (size: byte) looks like "device type":
1 - HPIB adapter
4 - floppy controller
Edit: other card types recognized by ESAFW:
6
8
3, 7, 10 - some similar types handled by common code
My first analyses:
1. Backplane is hardcoded, the card knows in which slot it is inserted (red)
2. Address decode and initialization. For example GPIB/Parallel card (red/green)
3. Signals for above at the cpu card (green)
-
Just got back from work, amazing what gets done when I am tied up
@tv84
@abyrvalg
you both are awesome!! thanks for the hard work
I would love to have a PM chat to understand a bit of how you do this, it intrigues me
@suj thank you for your help as well
-
BootROM HPIB init loops through 0-7 slot numbers, getting a byte from 08000000+4000*slot+3FFE and looking for 01 value, then uses base address of the matched slot for all further IO operations. Same is for floppy (but looking for value 04). Not sure if all slots are equal, maybe some card types must be installed in a specific slot to get i.e. right RF connections, but they are still identified by that +3FFE byte in sw, no hardcoded slots there.
-
BootROM HPIB init loops through 0-7 slot numbers, getting a byte from 08000000+4000*slot+3FFE and looking for 01 value, then uses base address of the matched slot for all further IO operations. Same is for floppy (but looking for value 04). Not sure if all slots are equal, maybe some card types must be installed in a specific slot to get i.e. right RF connections, but they are still identified by that +3FFE byte in sw, no hardcoded slots there.
Each IO card has a 93c66 EEPROM on board used for identification, and some store calibration data for that card.
I wonder if that address is the address used for the EEPROM and getting that byte?
-
Try to start from this point:
https://www.eevblog.com/forum/testgear/hp-agilent-e4433b-esg-d-series-signal-generator-250khz-4-0ghz/msg3240634/#msg3240634
-
After a few more educated googles I arrived here (https://www.eevblog.com/forum/testgear/_free_-vsa-options/msg584857/#msg584857). ;D
So, we're halfway there!
The licenses should have this format:
FEATURE 202 TMOMID01 1.0 permanent uncounted 0123456789AB HOSTID=E1234567
Now, we just need the seeds. ;)
What does 0123456789AB represent? I am almost there :D
EDIT: I got it to work for one example that was in the posts, so I think I got it right :-+ :-+
-
I finally got it :-+ :-+ >:D >:D ;)
thanks to the one example that was in the posts ;)
-
I finally got it :-+ :-+ >:D >:D ;)
thanks to the one example that was in the posts ;)
Here is the example of a good student that does his homework. ;D
-
I finally got it :-+ :-+ >:D >:D ;)
thanks to the one example that was in the posts ;)
Here is the example of a good student that does his homework. ;D
now I need to buy one of these SAs....have been trying to for quite some time with no success |O :(
-
I finally got it :-+ :-+ >:D >:D ;)
thanks to the one example that was in the posts ;)
Here is the example of a good student that does his homework. ;D
now I need to buy one of these SAs....have been trying to for quite some time with no success |O :(
I was in same boat. Finally got one from alltest on eBay. Made an offer. Plead my case and they accepted at a bit higher than I wanted ( ie could afford ) to go but took it
Ended up being bricked was all. I don’t think it had a bad flash. As I’ve now tested that flash many times and no failures
-
I finally got it :-+ :-+ >:D >:D ;)
thanks to the one example that was in the posts ;)
Here is the example of a good student that does his homework. ;D
now I need to buy one of these SAs....have been trying to for quite some time with no success |O :(
I was in same boat. Finally got one from alltest on eBay. Made an offer. Plead my case and they accepted at a bit higher than I wanted ( ie could afford ) to go but took it
Ended up being bricked was all. I don’t think it had a bad flash. As I’ve now tested that flash many times and no failures
a bricked, broken, defective is what I dig :-DD
but still too expensive when they have the "basic" important (for me) HW options on them (1D5,AYX,BAA)
-
So no one wants $1000 ?
Just checking..
Everything you need to do this is in this thread.
And it’s fairly easy to do
-
Well no doubt this works.. I tried EVERY option that I had hardware for.. Discovered I want a card, option 119..
(https://xymox1.com/Misc/IMG_0659.JPG)
(https://xymox1.com/Misc/IMG_0661.JPG)
(https://xymox1.com/Misc/IMG_0662.JPG)
(https://xymox1.com/Misc/IMG_0663.JPG)
-
NEW CHALLENGE...
One other thing that would be REALLY useful is to find the SCPI (GPIB) commands to do some adjustments (especially the frequency response adjustment.).
Keysight doesn't want to share the commands - They do use them in their own calibration software (N7800A) - but I think they don't want to enable others....
Perhaps if somebody has this calibration software (Keysight doesn't sell it anymore - they stopped selling it a few years back) - then the GPIB commands can be traced using a tracing/logging tool that logs
all GPIB activity...
The calibration software requires a license. There are older versions that run on older versions of windows that might be less protected.. https://cal.software.keysight.com/
Also I really need software that does waterfall plots and spectrograms. Logging to a computer. Etc..
There is Benchlink Web and I think that takes a key. It only runs on NT or Win 2000. Which I have setup..
Now that the SA is more unlocked I will look into all this more..
-
Today I did the initial verification of the E4407B phase noise measurement. I have put together a measuring system consisting of the following elements:
1. R&S SMF100A generator
2. Power divider Anritsu 11N50B
3. DUT1: E4407B
4. DUT2: Advantest R3681
I made the measurements at the frequency of 1.005 GHz.
The first measurement was performed without modulation.
Then I modulated the carrier frequency with the noise generator signal. With the following settings, the result should be a signal with phase noise falling by 20 dB per decade.
It is not a device with outstanding parameters, because probably HP was not supposed to be like that. After all, it could not compete with the higher-end SA (for example PSA).
-
Yes I saw that.. I was also after phase noise.. A bit disappointing, but it's still useful :)
SO... I spent half my day playing with software..
I got Keysight VSA working on it. This is expensive software and seriously licensed using very modern methods. No hacking this one.. It is however REALLY powerful software.. It does exactly what I want from it.. You gotta install the Lk-VSA personality on the unit. "ESA to 89601A Software Link Utility". It's 2 floppies.
It seriously takes over the unit, complete with turning off the screen..
This software can turn the ESA into a VERY powerful device and can do things never possible from the ESA alone..
These are the AM radio stations around me..
(http://www.xymox1.com/Misc/VSA.gif)
-
The VSA software does a great many things you can't do with just the unit.
It seems to be trying to do 5G, all forms of Wifi, DOCSIS 3.1, OFDM, QAM just tons of stuff..
I cant quite get it to decode my cable company DOCSIS 3.1 or my own wifi.. Its trying. I just dont know enough about settings on this yet.. The trial software gives me 1 month.. So I will have some time to play with it fully...
BUT at at least $500 PER YEAR,,, this is not friendly.. Its the PER YEAR part that bothers me... The spectrogram stuff is great.. Thats all I really want..
I am a tad confused by one thing, but, I'm sure it's me.. I can't get a span more than 10Mhz for some reason..
(http://xymox1.com/Misc/WiFi.gif)
-
Well this software is nearly unusable for my use. For some freaky reason it's limited to a 10Mhz span no matter what I do. This is completely useless for me. At the high freq is useless. Like how do you look at wifi ? This limitation seems to be with the hardware. I can simulate other devices and they have different max spans, but still not full. Even brand new keysight gear does not do the full span like the actual device will..
Because of this, the software seems crippled for my use.
-
Well that is interesting...
I have a second ESA-E Very basic.
I licensed 1DR narrow resolution bandwidth and 1D5 Hi Stability Freq Ref... These work.. I can now hit a span of 100hz and a Res BW of 1 hz.. OK Sure I enabled the software, but, I dont have those right ? WELL its performance exactly the same as my main one which has those options for real. BUT this can't be right ???
SO.. One thing for sure.. It's now possible to cheat.. Units could be made to look like they have more options than they actually have.. So that's not good.. However,, in this case, it added to functionality, even if it's a bit wonky.
Makes me wonder what other options could be enabled this way..
-
I truly stuffed full ESA... I cant fit anything else..
There is hardware I dont have which limits me. Low freq extension, modulation analysis board, noise measurement board..
GPIB can do a lot. I will have to explore this. I would imagine any software written for GPIB Spectrum Analyzers will work as the GPIB commands look pretty universal. Well. I can load a number of standards, so, hopefully.. VSA does not do what I need and is stupid expensive with little hope of a keygen and patch.
(http://www.xymox1.com/Misc/IMG_0668.JPG)
-
Well that is interesting...
I have a second ESA-E Very basic.
I licensed 1DR narrow resolution bandwidth and 1D5 Hi Stability Freq Ref... These work.. I can now hit a span of 100hz and a Res BW of 1 hz.. OK Sure I enabled the software, but, I dont have those right ? WELL its performance exactly the same as my main one which has those options for real. BUT this can't be right ???
SO.. One thing for sure.. It's now possible to cheat.. Units could be made to look like they have more options than they actually have.. So that's not good.. However,, in this case, it added to functionality, even if it's a bit wonky.
Makes me wonder what other options could be enabled this way..
There are items that are License Only.
1DR i think is one, Preamp is another past a certain serial number
there 5-6 that are license only
-
I dont suppose in any of the dumps is a list of things that can be turned on ? Maybe there are some undocumented ones ? It knows all these because it populates names for them after you enable them.. You never know, maybe there is some fun option that enables something interesting.
-
I dont suppose in any of the dumps is a list of things that can be turned on ? Maybe there are some undocumented ones ? It knows all these because it populates names for them after you enable them.. You never know, maybe there is some fun option that enables something interesting.
They are all in the ESAFW file and dumps
I do not recall anything thats not already listed on the keysight page
https://www.keysight.com/main/editorial.jspx?cc=US&lc=eng&ckey=277453&nid=-32406.536881907.02&id=277453
BTW: I just started a new thread in the repair forum for repairing the Tracking Generator that's getting a Source Unlevel error if anyone is interested
https://www.eevblog.com/forum/repair/e4407b-tracking-generator-repair/msg3246922/#msg3246922
-
BTW: I just started a new thread in the repair forum for repairing the Tracking Generator that's getting a Source Unlevel error if anyone is interested
You will eventually need to calibrate it. We gotta figure out how to do that..
I am trying to get Keysight to simply quote me on TME.. I want a license for "self Maintainers" and for a single serial number unit. They responded once and asked me what the company name was, I told them it was for personal use and they never responded again. I would pay them for this.. As long as it was not an insane number. BUT they seem to be going in the direction that will lead to the system getting hacked into. At the least the GPIB stuff that goes back and forth during calibration can be captured and easily figured out. I'm going to ask one more time.
I want this https://cal.software.keysight.com/?id=2525023 under this license.. https://www.keysight.com/us/en/assets/7018-01623/data-sheets/5989-6956.pdf for 1 unit, an ESA E4402B.. It's supported..
I VASTLY prefer to use software legitly. As long as it's not too expensive, I am happy to pay it.
Keysight seems to be unpleasant and stupid.
What they should do is just allow all these tools and things to go free. Real businesses are not buying these older devices, hobbyists are. Like me, a Ham radio guy.. They are NOT losing sales to this old gear...
Maybe I need to target someone higher up the chain at Keysight..
-
BTW: I just started a new thread in the repair forum for repairing the Tracking Generator that's getting a Source Unlevel error if anyone is interested
You will eventually need to calibrate it. We gotta figure out how to do that..
I am trying to get Keysight to simply quote me on TME.. I want a license for "self Maintainers" and for a single serial number unit. They responded once and asked me what the company name was, I told them it was for personal use and they never responded again. I would pay them for this.. As long as it was not an insane number. BUT they seem to be going in the direction that will lead to the system getting hacked into. At the least the GPIB stuff that goes back and forth during calibration can be captured and easily figured out. I'm going to ask one more time.
I want this https://cal.software.keysight.com/?id=2525023 under this license.. https://www.keysight.com/us/en/assets/7018-01623/data-sheets/5989-6956.pdf for 1 unit, an ESA E4402B.. It's supported..
I VASTLY prefer to use software legitly. As long as it's not too expensive, I am happy to pay it.
Keysight seems to be unpleasant and stupid.
What they should do is just allow all these tools and things to go free. Real businesses are not buying these older devices, hobbyists are. Like me, a Ham radio guy.. They are NOT losing sales to this old gear...
Maybe I need to target someone higher up the chain at Keysight..
Keysight is not in business to support hobbyists. that's not their business model. for TME you're looking at 5K+ I believe.
Hobbyists aren't buying these usually either, at a cost of 3K+ for a broken one most hobbyists can not afford that. every now and then you find one for much less. I did, I got very lucky and the repair was simple. the TG may be a different issue. it's been repaired before. I need to figure out if the Source Unlevel is the LO Control board (I hope) or the BITG which is not documented
Far as calibration, first run a performance test to see if it needs to be calibrated. All documented in the calibration guide
-
Yea I have been thru the "calibration" guide.. Hehehe.. I'm still not sure how to set Coarse and Fine in the timebase in the service menu..
I do have something off on both my units. If I give them my rubidium clock std 10Mhz it displays slightly off center if I set the SA for 1hz res bw and 100 hz span. Also the freq counter is off a bit..
Amplitude is reading slightly off at various frequency points.
These are not much off, but with this many years on these devices, its normal to have drift.
Also if we want to swap boards around between units and maintain these over the next 10 years we just gotta be able to calibrate them.
These calibration adjustments must also be kept in some flash. If the flash goes or gets wiped, thats it. No hope of recovery.
We gotta be able to do TME.. I can't find old versions of TME. Or maybe some old different program used to calibrate.
I have sent a nice email to Ron Nersesian. He has an awesome career that goes way back with HP. Back to the good old days of HP. I have suggested that hobbyists fuel young engineers and so their future customers could well be buying this older gear from ebay. I suggested it's helpful for EoL devices that are locked away with keys to maybe get a free online key gen process. This would fuel many hobbyists into engineers and maybe future customers. It won't hurt Keysight sales as hobbyists cannot afford to buy new gear and companies using this kind of test equipment don't buy old gear like this.
Im sure I wont get a response. BUT the email did not reflect back. So I did find the right email to use for him.
WTH... Why not try...
BTW the self calibration license has provisions for a single serial number instrument. That would have to be way cheaper then a single seat.
Maybe I can get a trial license. If so, I can capture all the GPIB..AND calibrate my unit at least once..
-
OooOOo... TMA has a help file for the ESA series.. It has a lot of interesting things in it..
It *SEEMS* like you could set the freq limit and pick the model when you replace the processor board.. I believe there are hardware differences tho between models, so, its not JUST a setting. BUT its interesting tho.. Plus there are a lot of things in here that are interesting.. The part about processor initialization is interesting. http://www.xymox1.com/Misc/Utilities.pdf
All the adjustments you can do.. http://www.xymox1.com/Misc/Adjustments.pdf
I am still unsure if you can manually enter any values. It may be the TSE software forces hooking up automated bench gear and standards and then operates all that via GPIB and does the calibration fully automated.. This would not be useful. It would be better, for hobbyist use, that we could enter values manually.
-
THIS is the software I want... I think... Its old too so maybe hackable.. This can do spectrograms with full width spans..
BUT its OLD... Runs on Windows 2000.. But thats fine I have a laptop of that vintage AND there is always VM..
https://www.keysight.com/en/pd-1000004487%3Aepsg%3Apro/esa-and-psa-option-230-benchlink-web-remote-control-software?pm=PL&nid=-32406.536880458&cc=US&lc=eng
-
THIS is the software I want... I think... Its old too so maybe hackable.. This can do spectrograms with full width spans..
BUT its OLD... Runs on Windows 2000.. But thats fine I have a laptop of that vintage AND there is always VM..
https://www.keysight.com/en/pd-1000004487%3Aepsg%3Apro/esa-and-psa-option-230-benchlink-web-remote-control-software?pm=PL&nid=-32406.536880458&cc=US&lc=eng
Far as I understand this one just need Option 230 enabled on the SA. you can do that.
-
TME is Keysights premier package used to calibrate instruments and sold to calibration shops all over the world
I can see in any way Keysight is going to give that up to hobbyist. Hobbyist are not any major part of their sales revenue.
I would love it but I'll put my money on no reply or a negative reply
-
Just want to thank the people on this thread for their wonderful effort.
I have 3 x ESA 4402Bs that now have RF Pre-Amp which is what I needed. One of them though is showing two distinct spikes (actually holes I suppose) in the response at 997.5MHz and 1.32GHz and when you turn the RF Pre Amp, the others don't do this. Outside these gaps, the pre-amp is working fine.
Anyone know what could cause this? Loose connectors ??
-
What’s the serial number on the unit?
The preamp hardware is only installed after a certain serial number
Maybe you don’t have the actual hardware ???
Just guessing but might be worth a check
-
Just want to thank the people on this thread for their wonderful effort.
I have 3 x ESA 4402Bs that now have RF Pre-Amp which is what I needed. One of them though is showing two distinct spikes (actually holes I suppose) in the response at 997.5MHz and 1.32GHz and when you turn the RF Pre Amp, the others don't do this. Outside these gaps, the pre-amp is working fine.
Anyone know what could cause this? Loose connectors ??
first of all to figure out if your preamps are working, a simple test is to set your Ref Lvl to something small like -40dBm (no signal needs to be connected) and then turn on/off the preamp. your noise floor must jump up and down by about 15-20db depending on the gain of the preamp
i am not sure if those spikes are created by the preamp. maybe as Sandra said you dont actually have the hardware for it and it is creating garbage
otherwise the preamp is self oscillating! :o
-
this thread has been going off rail for quite some time. it must have been pretty much closed after the final solution. things that came after that, though interesting and useful, should have been in threads of their own.
-
@analogRF -fair point.
I considered it was somewhat relevant as others are sure to use the method for this and what I'm seeing might just be a limitation of just turning the 1DS option on without having the correct re-calibration software.
For completeness, I can confirm that in my case at least the preamp IS installed and IS working as expected apart from these 'spikes'. I'll carry on the conversation as necessary on a new thread.
-
let me pose a fresh and more useful and interesting challenge with regard to these analyzers:
how can we convert E4404B (6.7GHz) to E4405B (13.2GHz) if at all?
All boards and modules including the critical ones (attenuator and RYTHM) are common between these two
so the frequency must be limited by software only
of course calibration after such upgrade is a must and can pose a problem since the cal procedure is not possible by hobbyist
but still it would be awesome ;D
-
Service menu allow change of model and frequency range.
SERVICE/-2010/SERVICE
Other way is to program EEPROM on back of Processor card
Last if you have TME and ESA Module can do it there
-
Service menu allow change of model and frequency range.
SERVICE/-2010/SERVICE
Other way is to program EEPROM on back of Processor card
Last if you have TME and ESA Module can do it there
What's the catch then? Could it be just the calibration thing? if it can be converted so easily then why did Agilent even sell E4404B? or why did anybody buy E4405B? Their original prices were hugely different...
-
Service menu allow change of model and frequency range.
SERVICE/-2010/SERVICE
Other way is to program EEPROM on back of Processor card
Last if you have TME and ESA Module can do it there
What's the catch then? Could it be just the calibration thing? if it can be converted so easily then why did Agilent even sell E4404B? or why did anybody buy E4405B? Their original prices were hugely different...
IDK, I've used it to change mine to the EMC model (same firmware), the service menu with the right password looks to even permit you to change the serial number. the -2010 does not permit then though. the Serial Number and Save Serial Number are greyed out so there's additional service passwords.
-
This (https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3239946/#msg3239946) can also be used in the old E44xxB ESG Signal Generators.
Just checked.
Really with the same vendor name and seeds? I cannot get it to work with a lmcrypt.exe that works for ESA. I've also tried HOST_ID variations like the VSA but with ESG and ESG-D instead. None of them produce a working code (i.e. a code for an option I already have installed).
-
Service menu allow change of model and frequency range.
SERVICE/-2010/SERVICE
Other way is to program EEPROM on back of Processor card
Last if you have TME and ESA Module can do it there
maybe it is only possible to downgrade or convert to equivalent EMC model from ESA and vice versa.
someone with E4404B should try this
-
This (https://www.eevblog.com/forum/testgear/enabling-options-on-agilent-esa-series-e4402b-e4404b-e4405b-e4407b/msg3239946/#msg3239946) can also be used in the old E44xxB ESG Signal Generators.
Just checked.
Really with the same vendor name and seeds? I cannot get it to work with a lmcrypt.exe that works for ESA. I've also tried HOST_ID variations like the VSA but with ESG and ESG-D instead. None of them produce a working code (i.e. a code for an option I already have installed).
The ESG uses the following format:
FEATURE ABC TMOMID01 1.0 permanent uncounted 0123456789AB VENDOR_STRING=0 HOSTID=12345678
-
I've got my E4407B today :)
Juggled floppies and upgraded it to latest FW and Power Suite.
Also generated codes for possible options for my HW config and successfully installed 1D6 Time gating.
Now I'm having a hard time downloading and extracting the additional options. I either fail to extract the file due to corruption or errors that implies I need a real floppy and not a USB one.
Anyone that could share the following options SW in a better way than Keysight:
225 Cable fault
226 Phase noise
227 Cable TV
BAH GSM/GPRS
J36 FM deviation (I assume J35 is included in J36)
TIA
Edits: Realized 225 and BAH requires HW options that I currently do not have.
-
I had to use a real floppy for some reason
-
Good to know, unfortunately I do not have a computer with a real floppy available without hours of Frankensteinian work.
Besides that it's only option 225 (which I do not have HW for) that gets downloaded properly. All the others are really small files (16-32kB) and corrupt so even with a computer with a proper floppy I cannot advance further. That is why I am doing this request.
-
The download indeed turns up a bit of a fight, I was not able to download 226, tried 4 different browsers. However 227 worked, and also J36 which offered me 2 different files, please see the attachment.
-
Many thanks PA0PBZ, now have a updated option 227 to A.02.08 and latest version of J25/J36 B01.02. A friend reminded me that I have a oscilloscope running Windows 98. HP54820A FTW ;D
I tried 2 browsers myself, Firefox and Chrome on Windows 7. How did you succeed?
So now I'm just lacking the 226 Phase noise.
Regarding J35/J36: I could install both, but I ended up keeping the J35/J36 B.01.02 version since its newer and it seems option J36 is included in J35 newer versions which requires extra memory A72. My unit reports personality J35 as installed but reports no name for its J35 license. However J36 license is still installed and reports FM deviation.
-
I tried 2 browsers myself, Firefox and Chrome on Windows 7. How did you succeed?
Chrome on Windows 10 downloaded the 2 J36 files without a problem and 227 on the second try, 226 failed on Chrome, Edge, Firefox and IE.
-
Found the file URL with Edge: https://www.keysight.com/upload/cmc_upload/All/226_B0131.exe. But all my wget tricks end up with " Connection closed at byte 32272" :'(
-
I have more to offer :D
-
Yes, I clicked it for fun and this time it worked :-+
-
Thanks again PA0PBZ :)
Now I have the options that are useful for my HW.
As a way of paying it forward, I've attached zipped disk folders so no need for real floppy drives. I also managed to run the disk image SW in my XP Virtual Box, it was the fastest floppy drive I have ever used :)
-
Hi
I have an e4403B, I would like to start activating the option 049 color display ...
I tried to follow these steps but I believe I am doing something ...
can someone detail the steps more?
I'm using Putty as a serial monitor ...
I can make the morning calls until 9 ...
doing this procedure I need to do what else?
My steps:
0. Set the serial terminal to 19200,8n1
1. DIP sw # 4 set to ON
2. break the boot process with 0x06
3. sword 04139614 4ef9
4. sword 04139618 d8a4
5. DIP sw # 4 set to OFF
6. gu
7. SA restart in normal mode
8. Press "r" and we are in the monitor now 8)
9. Change the serial port speed.
> slong 815F4 1001A
10. Change speed of the serial terminal to 115200, 8n1
does your SA actually have a Color Display?
depending on the Unit some were not shipped with a Color Display and hence the need for Opt 049 when installing a color display
if you have a color display and it's not showing color then you need to create a license for 049, information of which is in this thread on how to do
-
...
I don't know if I'm doing it wrong or skipping some process to activate the licenses ...
after this procedure what do i need to do more?
0. Set the serial terminal to 19200,8n1
1. DIP sw # 4 set to ON
2. interrupt the boot process with 0x06
3. sword 04139614 4ef9
4. sword 04139618 d8a4
5. DIP sw # 4 set to OFF
6. gu
7. Restart SA in normal mode
8. Press "r" and we are on the monitor now 8)
9. Change the speed of the serial port.
> slong 815F4 1001A
10. Change the speed of the serial terminal to 115200, 8n1
That was a procedure to get a dump for debugging, not useful to you. The solution is in post #244.
-
Weirdly enough I have the same download issue again, this time its the latest ESG fw that fails the same way. Can I bother some of the master downloaders in this thread for assistance? https://www.keysight.com/main/software.jspx?cc=US&lc=eng&nid=-32463.536880925&id=1000001137:epsg:sud&pageMode=CV
-
No problem for me with this one.
-
Dear all,
I have read this thread with interest and utter admiration! I have recently acquired an almost working E4411B which I'm trying to fix. Eventually, and if the repair session goes well, the E4411B will deserve to have option 1DR (narrow BW) enabled. However, I fail to see exactly which steps to carry out in order to enable this option. Could some of you perhaps be persuaded to write up a small tutorial that takes the reader through the concrete steps? My E4411B has FW version A.14.03 and was born with B72 Expansion Memory, so I guess an update should be doable.
Best regards
-
Eventually, and if the repair session goes well, the E4411B will deserve to have option 1DR (narrow BW) enabled. However, I fail to see exactly which steps to carry out in order to enable this option.
Send me a PM with your hostid and the required option and I think we can work it out ;)
-
I've been trying to do my homework, but a day of searching the interwebs for lmcryptgui has only turned up references in message boards 10 years ago with links to locations that are long gone.
If anyone here has, or can help me find, the file, I'd really appreciate it.
Thanks!
John
-
This would be nice, I have TME!
added: I looked at the E4406A bin and the E4440A and found the flexlm structure,
the data is the same for both so I would think that the keys and seeds for the E4406A would work with the E444xA specans.
has anyone tried this?
I can not seem to get the keys and or seeds correct to reproduce any of the lic codes I have. can anyone point me in the correct direction?
frank
-
For early units, option 1D5 is added by installing a Corning / VECTRON MC867X4-002W OCXO (10MHz +12V sinewave EFC) to the reference/third converter board.
Is this OCXO controlled by the same DACs as the regular timebase, i.e. using the System - Alignments - Timebase menu?
Or does it require the N7811A software package to set the control voltage? If so, does anybody know the required GPIB commands? Otherwise it could be easier to use some precision resistors and a pot to provide the tune voltage in hardware.
Generally, have any of the N7811A alignment procedures been reverse engineered, so that they could be done with a simple GPIB interface and some own code?
-
I managed to unlock my ESA-L E4411, but the question I have is if it is possible to convert an ESA-L SA to ESA-E through service manual?
I will screw up the set?
Unhappily I don't have boards to use extended functions either :-// ...
Regards
Manuel
-
I managed to unlock my ESA-L E4411, but the question I have is if it is possible to convert an ESA-L SA to ESA-E through service manual?
I will screw up the set?
Unhappily I don't have boards to use extended functions either :-// ...
Regards
Manuel
you can change the model in the service manual but your SA has to have all the hardware needed to do it successfully.
you can not convert up either you can only convert down from what I see.
I also do not know of any ramification of doing so.
-
Thank You Sandra!
I don't have hardware options, so I cannot upgrade the instruments and I think It would be complicated.
The ESA-E E4411B was bottom line feature-wise SA from HP. No hardware options. So little more can I do.
I was looking for the option table and I manage to find it.
But the only option I can really use was the pre-amplifier. All other options were crippled or not applicable.
I suppose it is lacking some hardware as there are no way to select low BW filter although I enabled 1D5 option.
So, now only pre-amplifier and 200Hz EMI filter is working. :-//
Regards
Manuel
-
I, too, am looking for the magic program which is required to add options to the E4400 series, and no matter my google duck duck fu, I also only find dead links to sites which no longer exist. And this isn't my first rodeo.
Anyone have any ideas?
Regards-
Edit: Ask and you shall receive! Thanks, y'all!
-
Hi
I have followed this thread with great interest, as I am the lucky owner of a very clean Agilent E4402B.
Have an option 219 Noise Figure card on its way and have downloaded the option 219 personality from keysight---but it's an exe file greater than a 3.5 floppy. Found that it's a special self-extractor working with windows xp--have tried with no luck!
Could someone possibly help with this personality????
Regards
Hardy
-
What is not clear in the Keysight instructions? https://www.keysight.com/nl/en/assets/9018-07418/release-notes/9018-07418.pdf
-
Hi
The only option 219 personality file from keysight is an exe bigger than one floppy--it's a self-extractor from North Beach Labs DiskDuplicator, supposed to run with win xp---but it doesn't work for me in an old xp pc
Regards
Hardy.
-
Here are the install instructions for the option 219
Hardy
-
Hi
The only option 219 personality file from keysight is an exe bigger than one floppy--it's a self-extractor from North Beach Labs DiskDuplicator, supposed to run with win xp---but it doesn't work for me in an old xp pc
Regards
Hardy.
I downloaded the file but it won't extract as you say, in any compatibility mode, or running as administrator.
-
no matter my google duck duck fu, I also only find dead links to sites which no longer exist.
2021 Xmas gift (https://pediy.com/kssd/pediy10/76340/532727/20327.rar).
-
Hi
The only option 219 personality file from keysight is an exe bigger than one floppy--it's a self-extractor from North Beach Labs DiskDuplicator, supposed to run with win xp---but it doesn't work for me in an old xp pc
Regards
Hardy.
I downloaded the file but it won't extract as you say, in any compatibility mode, or running as administrator.
It looks like the instructions are wrong, it wants to extract a disk image. I'm going to try to get it working on a W7 VM and an USB floppy tomorrow, stay tuned.
-
Here are the 2 disks, just copy the content to the root of the drive (and report back ;) )
(For reference: This is to install option 219 on the ESA series)
-
Thanks!!!
I can confirm its working.
Happy New Year
Hardy
-
@suj Any progress to report in reverse engineering board addressing for building an option 219 board?
Maybe @harha can provide help with measurements on his.
-
I lost my motivation ;). I bought an N8973A, and at higher frequencies I use frequency conversion before the N8973A. Maybe I will come back to it someday, especially since I have the hardware in place.
I was also thinking about using the E4407B as a frequency converter for the N8973A and feed the signal from the 321.4 MHz IF to the NFA. Since the external heterodyne control commands on the N8973A are configurable, it might be possible to configure both so that the NFA controls the SA.
-
I have an E4401B 1.5GHz analyzer that has all of the options I need (including the tracking generator) but was wondering if it is the same as the 3GHz version just limited in someway by software key or other method.
Sam
W3OHM
-
Just spent the last hour reading this thread!
A lot of posts by those who are very into this, which are quite difficult to understand by the unenlightened!
Would anyone be able to summarise what was actually achieved here? For example, it started with someone wanting to enable the RF pre-amp. From reading through, it appears unclear whether or not that was actually achieved?
-
I have an E4401B 1.5GHz analyzer that has all of the options I need (including the tracking generator) but was wondering if it is the same as the 3GHz version just limited in someway by software key or other method.
Sam
W3OHM
1.5 GHz model cannot be upgraded because the base RF deck is different to the 3 GHz model
3.0 GHz model cannot be upgraded either, because it lacks the IF/LO Amplifier and Yig Filter/Mixer assembly, and frequency extension card which controls them
6.7 GHz model apparently can be software upgraded to 12 GHz
-
Hi guys.
Tell me how to update Bootrom in the device?
-
1.5 GHz model cannot be upgraded because the base RF deck is different to the 3 GHz model
3.0 GHz model cannot be upgraded either, because it lacks the IF/LO Amplifier and Yig Filter/Mixer assembly, and frequency extension card which controls them
6.7 GHz model apparently can be software upgraded to 12 GHz
I tried 'upgrading' my 4404B to 12ghz and 26ghz neither worked. Kept getting the LO Unset message on the screen and the alignments wouldn't complete properly.
--Chris
-
Hello all, many thanks for the effort!
Been reading through. How the heck are you extracting the personality files?
I need 226, but as I don't have the extended memory - I'm limited to version A.01.15 (as per instructions).
I am completely unable to extract the .exe file in any compatibility mode.
Tnx
-
I have more to offer :D
I am new to this thread, regarding to the 226 option, I can see you provided the exe file, where should I execute it to get the 226 in my EE4402 ? do I need to do anything else ? thanks
-
I don't have an ESA myself but I think you have to run the exe on a PC with a floppy drive to extract the contents to the floppy, then use the floppy in the ESA. You probably also need a license code to activate it, I can generate that for you if you give me your HOSTID.
-
I don't have an ESA myself but I think you have to run the exe on a PC with a floppy drive to extract the contents to the floppy, then use the floppy in the ESA. You probably also need a license code to activate it, I can generate that for you if you give me your HOSTID.
Thank you so much, will let you know when I have the ESA in my possession (it is on its way to Sweden)
Best regards
-
Hello all, many thanks for the effort!
Been reading through. How the heck are you extracting the personality files?
I need 226, but as I don't have the extended memory - I'm limited to version A.01.15 (as per instructions).
I am completely unable to extract the .exe file in any compatibility mode.
Tnx
A little curious: I am waiting to receive my ESA4402 and have some questions. Is the "extended memory" a specific hardware option for the ESA or just an additional standard memory module (SIMM)? If you have the "extended memory", can you then upgrade to the latest software? Thanks
-
The attached PDFs should answer some of your questions. The extended memory is required to go beyond A.08.02
Notes:
Instruments must have Option B72 (expanded memory) to install version A.08.02 or newer firmware. Option B72 has been standard in all new ESA analyzers since the end of 2001, and has always been standard in the EMC analyzers.
Also look here for documents etc:
https://xdevs.com/doc/HP_Agilent_Keysight/HP%20ESA%20E4400%20Series%20Spectrum%20Analyzer%20Documentation%20Firmware%20Tools/
-
The attached PDFs should answer some of your questions. The extended memory is required to go beyond A.08.02
Notes:
Instruments must have Option B72 (expanded memory) to install version A.08.02 or newer firmware. Option B72 has been standard in all new ESA analyzers since the end of 2001, and has always been standard in the EMC analyzers.
Also look here for documents etc:
https://xdevs.com/doc/HP_Agilent_Keysight/HP%20ESA%20E4400%20Series%20Spectrum%20Analyzer%20Documentation%20Firmware%20Tools/
Thank you so much for the information!
-
Sorry, total noob to this. Do I then just use the licence number generated and enter it using the panel, or do I need to copy this file to the ESG? If I need to copy it, can you point me in the right direction? There is no floppy drive or LAN connection I can see on my E4432B.
-
Sorry, total noob to this. Do I then just use the licence number generated and enter it using the panel, or do I need to copy this file to the ESG? If I need to copy it, can you point me in the right direction? There is no floppy drive or LAN connection I can see on my E4432B.
For ESG you need to enter it via keypad.
-
A huge thank you to all of you who worked on this. It will sure make these out of support analyzers more useful.
Sam
W3OHM
-
For option 219 - Noise Figure:
- What does the Noise Figure Card look like?
- ... Option 119 required - what is this? Is this the noise figure card?
-
Hi Everyone,
Can anyone help generate "enable keys"
for options: 229 , 225, 226,227, 228, 1D6, 1DR,1D5
Hostid : 9151B74D
e4404 with B72 option enable
-
Here you go:
-
PA0PBZ: Many thanks! All worked!
All useful options. Do you think you can get one more option (Option 231, ESA to 89601A VSA software link utility)?
Thanks a million!
-
231 B66D1B6337C7
-
Does anyone know where, or if it is possible, to download FlexLM? I want to update an old e4404 and e4433B. Thanks,
-
In a previous post I asked for help acquiring flexlm software and/or keys for some options. I was able to get the software and I am in business! I didn't get any responses but I thought I would let it be known so no one wastes time on my previous requests. Thanks for anyone's time who may have looked at my requests.
-
In a previous post I asked for help acquiring flexlm software and/or keys for some options.
I was going to generate the keys for you but noted your edit, good that it's solved!
-
Thanks, I appreciate all the efforts. I originally did the stupid thing of Google searching and downloading, against my better judgement, what was supposed to be flexlm but turned out to be some kind of ransom virus. I asked the IT guy at my work for help with removing the virus. Not only did he remove the virus for me but he actually had the old flexlm. About 5 hours later, I figured out the procedure and voila! It's exciting for me. I am at the tail end of my social distancing because of a nice lady who was behind me at the bank last week so I had the time to commit. I have a few of these e4404, e4405, e4407. Some of them had the 8m flash module. It seems the only difference between the 8 and 16 SIMM flash is the flash chip count and some decoupling caps, so I ordered them and will try to solder them to the SIMMs and see if that will work. I don't know if anyone has done this before but I will post my result.
-
In a previous post I said I would try to populate the missing components to the flash SIMM of an Agilent E4404 spectrum analyzer to enable the B72 expansion memory option. So here we go. I was able to get some flash chips for the flash module. The RAM module looks like a standard 72-pin EDO SIMM. I did have a 32 MB EDO SIMM on hand so I will try that after I install the flash chips to the flash SIMM. Like I said, I'm not sure if anyone has done this before but I couldn't find any. If so, sorry for the redundancy. I will get the chips soldered up and post the results.
-
In a previous post I said I would try to populate the missing components to the flash SIMM of an Agilent E4404 spectrum analyzer to enable the B72 expansion memory option. So here we go. I was able to get some flash chips for the flash module. The RAM module looks like a standard 72-pin EDO SIMM. I did have a 32 MB EDO SIMM on hand so I will try that after I install the flash chips to the flash SIMM. Like I said, I'm not sure if anyone has done this before but I couldn't find any. If so, sorry for the redundancy. I will get the chips soldered up and post the results.
Yes, I have been through it in this thread -
https://www.eevblog.com/forum/repair/agilent-esa-e4401b-memory-(b72)-and-firmware-upgrade/
-
Hi,
I have a E4401B with following HostID: 2FC6C709
Can you please generate the codes for following options:
060, 219, 226,1D5, 1D6, 1DR, BAA, B7B
Kind Regards and 73 M0XQX
-
Hi,
I have a E4407B with following HostID: AC73B50A
Can you please generate the codes for following options:
106, 219, 227, 228, 229, AYQ, 1D6 ?
Kind Regards and 73 PETER SP6VXS
-
I did not check if the options make sense, I just generated the keys.
Let me know if it worked.
-
Thank You!
I have a general question.
Do I need to install these options as software from a diskette and then enable them, or are they included in the firmware and need only to be enabled?
In case they are separate, does anyone here in the forum have them?
Kind Regards,
cwetomir
I did not check if the options make sense, I just generated the keys.
Let me know if it worked.
-
Do I need to install these options as software from a diskette and then enable them, or are they included in the firmware and need only to be enabled?
I don't own one of these myself so it's better if an owner can respond. I however seem to remember that at least some options have to be installed, and that you need enough memory to do that.
-
1DR works; it was pre-installed, and after entering the key it functions. By chance I found a couple more options on the Keysight website for download, but through a Google search.
One needs to put the search in the following format:
ESA Phase Noise Measurement Personality (Option 226)
Do I need to install these options as software from a diskette and then enable them, or are they included in the firmware and need only to be enabled?
I don't own one of these myself so it's better if an owner can respond. I however seem to remember that at least some options have to be installed, and that you need enough memory to do that.
-
Thank you very much for help,
the code keys have been loaded correctly.
Kind Regards and 73 PETER SP6VXS
-
Hi PA0PBZ,
I selected additionally some options for HostID: 2FC6C709
225,227,A4H,AYX,1DS, B7B
Kind Regards
-
I got an E4402B with option 1DR built in. The licence key seems to be installed, but I can get the low resolution performance. Does anyone have an idea what's wrong?
-
I selected additionally some options for HostID: 2FC6C709
225,227,A4H,AYX,1DS, B7B
You already have B7B, here is the rest:
-
Hello. I have an E4402B device with HostID: 2110A131
Can someone help me out with the AYQ option? Thank you!
-
Hello. I have an E4402B device with HostID: 2110A131
Can someone help me out with the AYQ option? Thank you!
Try 4E8B53B7D02D and let me know.
-
That worked. Thank you so much!
-
Hi PA0PBZ,
I'm another one that recently acquired an E4402B and would like to enable options. I have some primary functions I would like to see if I can add. But at the same time, I'm trying to understand what options are capable on this hardware. I'm looking to maximize the hardware for a consultant role.
Hardware:
E4402B, MY45109xxx, A.14.01, Aug 30, 2004, B-ROM 500, ROM-16, RAM-32
HostID: DE229E3E
Installed: 1D5, 231, B72, B7D, B7E
Primary requested options: 1D6, 1DR, 1DS, 219, 225, 226
I didn't know if I could install 226 (above), 227, 229, or functions for CDMA and GSM since this has the communications board...???
Any help/direction would be appreciated! I have to hand it to everyone on this forum - lots of amazing people!
regards
-
Primary requested options: 1D6, 1DR, 1DS, 219, 225, 226
I have no idea what you can install and I'm too lazy to find out. I don't have an ESA myself but here are the keys, let us know.
-
Hi,
Could you please generate keys for E4402B for options 1D6, 1DN, 1DR, 226, 219? HostID: 6AD22ACE
Could you also tell me how I install the generated keys - in simple terms?
Thank you
-
Could you please generate keys for E4402B for options 1D6, 1DN, 1DR, 226, 219? HostID: 6AD22ACE
Could you also tell me how I install the generated keys - in simple terms?
Try the keys below, I don't have an ESA myself so no idea how to install, it can't be that difficult ;)
-
Many thanks PA0PBZ!
They are all activated now. One can add them in using System/Licensing menu.
However, the license doesn't seem to function. Out of all those options, I specifically wanted 1DR for RBW to go below 1kHz. With 1DR now enabled, RBW is still stuck at 1kHz. Does anybody know if one needs hardware for smaller values of RBW? Thanks.
-
A quick search seems to tell me that no extra hardware is needed for option 1DR. Are you running the latest firmware?
-
I probably don't. It is A.14.01 (Aug 30, 2004). I am kind of newbie for a home lab. I never had to update firmware on Test equipment. I guess I have to search for latest firmware.
-
https://www.keysight.com/us/en/lib/software-detail/instrument-firmware-software/esa-spectrum-analyzer-firmware-1000001085epsgsud.html
-
Thanks PA0PBZ! All worked great. :-+
Maybe I should get the keys for 227, 229, BAC, and BAH for HostID: DE229E3E to have while I work through this. I am able to install the CDMA and working on the GSM.
Happy Holidays :)
-
no matter my google duck duck fu, I also only find dead links to sites which no longer exist.
2021 Xmas gift (https://pediy.com/kssd/pediy10/76340/532727/20327.rar).
Is there any chance for a 2023 XMAS Gift?
-
This would be nice, I have TME!
added: I looked at the E4406A bin and the E4440A and found the flexlm structure,
the data is the same for both so I would think that the keys and seeds for the E4406A would work with the E444xA specans.
has anyone tried this?
I can not seem to get the keys and or seeds correct to reproduce any of the lic codes I have. can anyone point me in the correct direction?
frank
I would be VERY happy to check this if somebody could generate the keys :-)
HostID 84242774
Options 215, 215, 219, 226, 233, 239, 241
The 226 would be the most important for me
Thanks! Marc
-
I would be VERY happy to check this if somebody could generate the keys :-)
What model are you talking about, E440X or E444X?
-
What model are you talking about, E440X or E444X?
I've got an E4440A. roxbox said they have the same flex-lm data, so I would love to try it out.
added: I looked at the E4406A bin and the E4440A and found the flexlm structure,
the data is the same for both so I would think that the keys and seeds for the E4406A would work with the E444xA specans.
-
Thank you for your link. Apparently this problem was brought up to Keysight and they answered:
https://edadocs.software.keysight.com/kkbopen/i-ve-upgraded-my-esa-with-option-1dr-narrow-resolution-bandwidths-yet-the-instrument-will-not-go-below-a-1-khz-bandwidth-why-is-this-589744737.html
I haven't tried it as I don't have a GPIB-USB. I will acquire one and try.
-
I've got an E4440A. roxbox said they have the same flex-lm data, so I would love to try it out.
The structure of the license file is slightly different and that's what I need to feed into the license generator. Try this:
-
Hi PA0PBZ,
I just tried it out, but it doesn't work :'(
I'll go back through the thread and check how I might get the data out of the E4440A.
Thanks for helping me check this out!
Marc
-
I just tried it out, but it doesn't work :'(
Do you have an active option so I can compare?
-
Hi PA0PBZ,
Did I not post correctly or miss a post? Wanted to make an additional request:
Could I please get the keys for 227, 252, BAC, BAH for HostID: DE229E3E
Thanks!
-
Did I not post correctly or miss a post? Wanted to make an additional request:
Well, you said 'maybe I should get' so I was just waiting for you to make up your mind! ;)
Also, first time you asked for 229 and now it is 252, so I included both, no idea if they make sense.
-
Yes, the options are
Is there any other way I can help? Marc
-
Thanks PA0PBZ! They worked fine ;)
Sorry for the confusion, as I still needed to research the hardware. The 229 requires the modulation decode board that I'm almost certain I'll never locate. And the 252 is an EDGE adder to the GSM capabilities, which I do have the hardware for...
Many thanks! You're piquing my interest in this eevblog and I'm hoping that I can return the favors :)
-
Yes, the options are
Is there any other way I can help? Marc
Hi Marc,
I generated the first 3 and they match, so I'm confident that I can generate the correct keys and at the same time puzzled why they don't work for you.
Here's the license file I generated, with the first 3 options you asked and the last 3 you provided. The last 3 match what you showed...
FEATURE 215 TMOMID01 1.0 permanent uncounted E3EDAD5542E0 \
HOSTID=HOSTNAME=84242774
FEATURE 219 TMOMID01 1.0 permanent uncounted B725D9815AD4 \
HOSTID=HOSTNAME=84242774
FEATURE 226 TMOMID01 1.0 permanent uncounted A527A5753FC2 \
HOSTID=HOSTNAME=84242774
FEATURE 122 TMOMID01 1.0 permanent uncounted 1EECA67647DB \
HOSTID=HOSTNAME=84242774
FEATURE 123 TMOMID01 1.0 permanent uncounted 1FEEA5754DD8 \
HOSTID=HOSTNAME=84242774
FEATURE 202 TMOMID01 1.0 permanent uncounted 9C78B75B49DC \
HOSTID=HOSTNAME=84242774
-
I generated the first 3 and they match, so I'm confident that I can generate the correct keys and at the same time puzzled why they don't work for you.
Here's the license file I generated, with the first 3 options you asked and the last 3 you provided. The last 3 match what you showed...
Hi PA0PBZ,
I stopped after 2 fails. It is possible that I got the keys wrong when I was copying from my mobile phone.
I'm away this weekend, will try again on Monday.
Thanks again,
Marc
-
I generated the first 3 and they match, so I'm confident that I can generate the correct keys and at the same time puzzled why they don't work for you.
Here's the license file I generated, with the first 3 options you asked and the last 3 you provided. The last 3 match what you showed...
Sorry really stupid mistake from me - didn't enter in the option number when putting in the licence key.
Worked great once I figured that out.
Thank you !!!
-
Sorry really stupid mistake from me - didn't enter in the option number when putting in the licence key.
Thanks for letting me/us know and happy analyzing!
-
Hi PA0PBZ
I have a challenge for you :-)
This time not an E4402B, but a N8973A Noise Figure Analyzer - which is basically the same
Host ID: 40377DD9
Option: 1D5 (the only option for the N8973A)
/Hans J
-
Hans, try F99444618811
No idea if it works, let us know.
-
Thanks
Will test tonight - and let you know
-
No luck here - the 1D5 option is not upgradeable on the N8973A
Never mind - I can always use the analyzer with an external 10 MHz reference
-
Hi,
In my E4407B I had to replace the A4 CPU board. I desoldered and replaced the EEPROM to keep my serial # but lost my options, which were 1D6, 1DR, A4H, AYX, BAA, AYZ.
In addition, I would really appreciate it if you could help me enable a few extra ones: 219, 226, 229 and J36.
My serial is US40241687 and Host ID is: 4AF673B0
BR, 73
Serge
-
Hi Serge,
Try these and let us know:
-
Great,
Thanks, works OK, appreciate the fast reply.
GL, 73
Serge
-
PA0PBZ,
Hi,
I have enabled all the options above and I have got a quasi-peak detector board for this E4407B analyzer.
Could you also generate the AYQ code? It would open-up extra detector modes in the menu.
As before, my serial is US40241687 and Host ID is: 4AF673B0
Thanks a bunch, 73
Serge
-
AYQ 46BB14A42A72
-
Hello,
I have an E4402B, serial number US39160343, with firmware A.01.02. I attached a picture of my configuration.
Should I upgrade my firmware?
Can you generate the keys to unlock the options? Thanks a lot.
Matthieu
-
Options are based on the HOSTID, if you can post that and the options you want I can help.
-
Please help me enable the options:
1D7
B7B
B7K
BAA
Model: E4404B
HostID: ED47F876
-
HostID: ED47F876
Here you go, let us know if it worked:
1D7 81E4A5AD98B8
B7B 12A3705847E5
B7K 3D6D452D31F0
BAA 00C0B1A52F18
-
HostID: ED47F876
Here you go, let us know if it worked:
1D7 81E4A5AD98B8
B7B 12A3705847E5
B7K 3D6D452D31F0
BAA 00C0B1A52F18
Thank you, licenses have been installed successfully, but the new options don't work :-\
For example, the FM demodulator did not appear in the menu, although the license BAA option was installed successfully
Please help me :'(
-
Check the hardware options, if the demodulator board has been recognized properly.
BAA is the plugin board with the "Ext Video In" and "Ext Video Out" BNC connectors. Part number E4401-60082.
-
Check the hardware options, if the demodulator board has been recognized properly.
BAA is the plugin board with the "Ext Video In" and "Ext Video Out" BNC connectors. Part number E4401-60082.
the composition of the hardware in my spectrum analyzer:
-
Look at this guide: https://www.keysight.com/us/en/assets/9018-04279/installation-guides/9018-04279.pdf
It says that you need board E4401-60408 for FM demodulation.
-
Look at this guide: https://www.keysight.com/us/en/assets/9018-04279/installation-guides/9018-04279.pdf
It says that you need board E4401-60408 for FM demodulation.
Yes, thank you, Unfortunately, I don't have this board.
-
Please help me enable the options:
219
225
226
229
304
B70
1D7
AYX
AYZ
A4H
AYQ
Model: E4407B esa-e
HostID: 1332C613
-
Please tell me who can generate the code.
-
Please tell me who can generate the code.
I see you got a bit impatient ;) so here you go:
I have no idea if you need extra hardware for some options, I don't have an ESA myself. Anyway, let us know how it worked for you.
-
PA0PBZ You are our savior. Thank you!!!
-
Please tell me who can generate the code.
Did you add the HW options yourself?
According to the installation instructions, the BAA should be in slot 3 or slot 4. (page 12)
https://www.keysight.com/us/en/assets/9018-04279/installation-guides/9018-04279.pdf
-
Please tell me who can generate the code.
Did you add the HW options yourself?
According to the installation instructions, the BAA should be in slot 3 or slot 4. (page 12)
https://www.keysight.com/us/en/assets/9018-04279/installation-guides/9018-04279.pdf
I didn't add it. These options were installed by the previous owner. I'll come home and figure it out. Thanks for pointing out the installation error.
-
All licenses are accepted. Now I need to install software to measure phase noise.
Once again I express my deep gratitude to everyone who worked on the “code generator”
-
Please tell me who can generate the code.
Did you add the HW options yourself?
According to the installation instructions, the BAA should be in slot 3 or slot 4. (page 12)
https://www.keysight.com/us/en/assets/9018-04279/installation-guides/9018-04279.pdf
You seem to be absolutely right.
But FM demodulation works
-
Dear PA0PBZ
I have an E4402B, Model: E4402B ESA-E, Host ID: 718002B1
I need:
1DR
1DS
1D5
226
UKB
1D6
Thanks!!
Best regards! 73! BH1ARE :-* :-* :-*
-
I have an E4402B, Model: E4402B ESA-E, Host ID: 718002B1
Here you go, as always I have not checked if the options make sense for your model or that you may need additional hardware.
Let us know!
-
Thanks!
Dear PA0PBZ
1DR 28666F68E30F
1DS 27647069DD12
1D5 05A8928B21F0
UKB AEE3A6A3C0BE
1D6 04AE938C2BEB
These work well!!!
But 226 does not work. I don't know if I need anything else :'( Maybe the software needs to be installed.
Best regards! 73! BH1ARE
-
Thanks!
Dear PA0PBZ
1DR 28666F68E30F
1DS 27647069DD12
1D5 05A8928B21F0
UKB AEE3A6A3C0BE
1D6 04AE938C2BEB
These work well!!!
But 226 does not work. I don't know if I need anything else :'( Maybe the software needs to be installed.
Best regards! 73! BH1ARE
https://www.keysight.com/us/en/lib/software-detail/instrument-firmware-software/esa-phase-noise-measurement-personality-option-226-1000001091epsgsud.html
-
Thanks!
Dear PA0PBZ
1DR 28666F68E30F
1DS 27647069DD12
1D5 05A8928B21F0
UKB AEE3A6A3C0BE
1D6 04AE938C2BEB
These work well!!!
But 226 does not work. I don't know if I need anything else :'( Maybe the software needs to be installed.
Best regards! 73! BH1ARE
Write one 1.44 MB floppy disk. Put the disk in the E440x. Click Setup - More 3 of 3 - Personalities - Install