Author Topic: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B  (Read 62211 times)

0 Members and 1 Guest are viewing this topic.

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #225 on: September 18, 2020, 09:53:09 pm »
I'm currently analyzing the encrypt function (pretty old flexlm) and have not been following all your new debug/dump capabilities.

@abyrvalg, can we place an infinite loop in the code and prepare to do some selected dumps? can you provide the patch? Later I'll provide the address(es).
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #226 on: September 18, 2020, 10:24:16 pm »
I'm currently analyzing the encrypt function (pretty old flexlm) and have not been following all your new debug/dump capabilities.

@abyrvalg, can we place an infinite loop in the code and prepare to do some selected dumps? can you provide the patch? Later I'll provide the address(es).

Yeh flexlm should be 6.0d so yeh very old
Sandra
(Yes, I am a Woman :p )
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 823
  • Country: es
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #227 on: September 18, 2020, 11:02:33 pm »
@tv84, you want to stop some function in an infinite loop before it destroys FLEXlm seeds and enter dump mode in that state?
Just patch the instruction where you want to stop to "jmp ROMMonitor":
sword YourAddr 4EF9   - "jmp imm32" opcode
slong YourAddr+2 0000D8A4    - address of ROMMonitor
 

Offline suj

  • Regular Contributor
  • *
  • Posts: 92
  • Country: pl
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #228 on: September 19, 2020, 09:33:48 am »
Should I try to add new licenses or in my case the installed ones are enough?
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #229 on: September 19, 2020, 09:53:07 am »
Should I try to add new licenses or in my case the installed ones are enough?

The installed are enough because, when it tries to validate the installed ones (at app start), it will break into ROM Monitor so you won't be able to try a new one.

In the case of Sandra, where there is no license, I think she must force the licensing.
 

Offline suj

  • Regular Contributor
  • *
  • Posts: 92
  • Country: pl
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #230 on: September 19, 2020, 10:50:32 am »
From my calculations, the memory dump should end around 15:40 CET (13:40 GMT). Approximately 120 MB text file.
Now I go to the grocery store to do my shopping, allowing me to stay within 20 meters from my "laboratory" for the next week. 8)
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 823
  • Country: es
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #231 on: September 19, 2020, 11:00:14 am »
@tv84, now I understand why you need such big dumps, your values of interest are local variables with no fixed addresses - right?
What we can do is to patch the code to save a register to some fixed unused location, then dump it from there.
A patch to save "vendor key 5" to 045FFFFC (this address is unused) and continue normally:
Code: [Select]
sword 043F398E 23C0
slong 043F3990 045FFFFC
slong 043F3994 60000018
+ our earlier patch to go to Mon with r key press
sword 04139614 4ef9
sword 04139618 d8a4
- enter any license
- press "r" to go to Mon
- dump 4 bytes from 045FFFFC
« Last Edit: September 19, 2020, 11:04:24 am by abyrvalg »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #232 on: September 19, 2020, 11:13:02 am »
@tv84, now I understand why you need such big dumps, your values of interest are local variables with no fixed addresses - right?

Right.  :-+  Your suggestion was also on my mind. I hope we don't need it but, if we do, I will need your help. I also need to have a full confirmation of what is being hashed and, for that, the dump should provide the definitive answer.

I have a hard time recognizing how the registers of this thing work. It's almost like Blackfin! :)
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 823
  • Country: es
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #233 on: September 19, 2020, 11:31:57 am »
Dumping “vendor key 5” should be enough - this is old FLEXlm, the seeds are stored in VENDORCODE xored with this vk5 (look down from the location I’m patching - they verify if the seeds are “demo” 12345678 87654321 by direct xoring with this value. Various tutorials from 6.0 era says the same).

I have an universal recipe how to start feeling at home with any CISC asm - spend some time in QDSP (Hexagon) asm  :-DD
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #234 on: September 19, 2020, 11:37:43 am »
Dumping “vendor key 5” should be enough - this is old FLEXlm, the seeds are stored in VENDORCODE xored with this vk5 (look down from the location I’m patching - they verify if the seeds are “demo” 12345678 87654321 by direct xoring with this value. Various tutorials from 6.0 era says the same).

Sure but where is vendorcode? You still need it. With vendorcode, we would be done.
« Last Edit: September 19, 2020, 11:44:42 am by tv84 »
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 823
  • Country: es
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #235 on: September 19, 2020, 11:45:22 am »
At 04600D5C. A search for "6.0" gets you there easily. You need to have the data section initialized of course, mentioned that earlier - copy from 04435E14 to 04600000-0476DD88. But a copy of that structure can be found in the "source" area too.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #236 on: September 19, 2020, 12:51:20 pm »
Stop the press!  (and the dumps...)   :popcorn:

Enc_seeds validated OK!

@suj license correctly validated.

How dumb!! How could I've missed that structure!!!!    |O   |O

EDIT: Mystery solved! This proc is BIG ENDIAN and my search function only searches in LITTLE ENDIAN (will correct it)! Sorry all for all the trouble but it was a new experience. A special recognition to @abyrvalg. Amazing talent!  :clap:
« Last Edit: September 19, 2020, 01:02:55 pm by tv84 »
 
The following users thanked this post: smgvbest, suj

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #237 on: September 19, 2020, 01:02:54 pm »
Stop the press!  (and the dumps...)   :popcorn:

Enc_seeds validated OK!

@suj license correctly validated.

How dumb!! How could I've missed that structure!!!!    |O   |O

Other than some banging head on wall this sounds good right?
I was just getting ready to do the dump   :phew:
« Last Edit: September 19, 2020, 01:05:30 pm by smgvbest »
Sandra
(Yes, I am a Woman :p )
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #238 on: September 19, 2020, 01:09:35 pm »
Other than some banging head on wall this sounds good right?

AYZ EA726914DBAD
 
The following users thanked this post: smgvbest

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #239 on: September 19, 2020, 01:24:05 pm »
Other than some banging head on wall this sounds good right?

AYZ EA726914DBAD

I will let a picture speak for me

 :clap: :clap: :clap:

Sandra
(Yes, I am a Woman :p )
 

Offline suj

  • Regular Contributor
  • *
  • Posts: 92
  • Country: pl
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #240 on: September 19, 2020, 01:26:17 pm »
To check option AYZ you can go to "Input" menu and check if you can change mixer to external. To use this you must connect connector J6 from the A8A4 module and J4 from the same module to external sockets (IF in, LO Out). And you can use unpreselected harmonic mixers (for example 11970 series). To use preselected (11974) you need the frequency extension module.
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #241 on: September 19, 2020, 01:26:36 pm »
That was a straight OPTION
can we try a personality to see if those work?
if so try Option 225
Sandra
(Yes, I am a Woman :p )
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #242 on: September 19, 2020, 01:29:03 pm »
To check option AYZ you can go to "Input" menu and check if you can change mixer to external. To use this you must connect connector J6 from the A8A4 module and J4 from the same module to external sockets (IF in, LO Out). And you can use unpreselected harmonic mixers (for example 11970 series). To use preselected (11974) you need the frequency extension module.

I don't have the external mixers but I do have a 4407B with frequency extension and  the menu is available

Sandra
(Yes, I am a Woman :p )
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #243 on: September 19, 2020, 01:56:04 pm »
Here is the fishing rod. (a little homework is always beneficial)
 
The following users thanked this post: smgvbest, harha, ps, analogRF, pquadrat, eplpwr, lyncse, ktgun

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 823
  • Country: es
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #244 on: September 19, 2020, 02:08:14 pm »
That was a great teamwork, thanks to everyone! :clap: See you in the next “instrument improvement” thread >:D
 
The following users thanked this post: tv84, thorswait, smgvbest, suj, analogRF, andrew9875

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #245 on: September 19, 2020, 02:15:20 pm »
That was a great teamwork, thanks to everyone! :clap: See you in the next “instrument improvement” thread >:D

Sure it was. Always a pleasure when it is like this. smgvbest and suj also had a special recognition for all their hard work. ;)

I've just checked a BAC personality and all is good! See you in next quest (now with BigEnd activated!).
 

Offline suj

  • Regular Contributor
  • *
  • Posts: 92
  • Country: pl
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #246 on: September 19, 2020, 02:20:54 pm »
A big thank you to the whole team. You are geniuses!
I will now work on addressing cards via the E4401. When I have conclusions, I will ask you for help in finding this I/O address that allows to turn the noise source on and off.
 :-+ :-+ :-+

EDIT
If you are looking for a challenge, I am always ready to provide support. LE, BE who wants what...
 ;D
« Last Edit: September 19, 2020, 02:35:57 pm by suj »
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 823
  • Country: es
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #247 on: September 19, 2020, 03:50:15 pm »
Some info on card addressing:
there are 8 "I/O slots" (0-7), each one gets an address window at 08000000+0x4000*slot_number
register at BASE+3FFE (size: byte) looks like "device type":
1 - HPIB adapter
4 - floppy controller
Edit: other card types recognized by ESAFW:
6
8
3, 7, 10 - some similar types handled by common code
« Last Edit: September 19, 2020, 04:13:21 pm by abyrvalg »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #248 on: September 19, 2020, 04:14:49 pm »
This can also be used in the old E44xxB ESG Signal Generators.

Just checked.
 
The following users thanked this post: analogRF, eplpwr

Offline suj

  • Regular Contributor
  • *
  • Posts: 92
  • Country: pl
Re: Enabling options on Agilent ESA series E4402B E4404B E4405B E4407B
« Reply #249 on: September 19, 2020, 04:48:06 pm »
Some info on card addressing:
there are 8 "I/O slots" (0-7), each one gets an address window at 08000000+0x4000*slot_number
register at BASE+3FFE (size: byte) looks like "device type":
1 - HPIB adapter
4 - floppy controller
Edit: other card types recognized by ESAFW:
6
8
3, 7, 10 - some similar types handled by common code

My first analyzes:
1. Backplane is hardcoded, card known in whitch slot is inserted (red)
2. Adress decode and initialization. For example GPIB/Parallel card (red/green)
3. Signals for above at the cpu card (green)
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf