| Products > Test Equipment |
| R&S RTB2004 Snooping |
| << < (3/20) > >> |
| abyrvalg:
Maybe that gpio is on one of those debug connectors? Would be more logical than having it accessible on the front panel (if the mode it triggers requires access to internal UART). Try grounding unknown pins (using some 500 Ohm resistor to stay safe) while observing that gpio reg bit via JTAG? |
| ElectronMan:
--- Quote from: abyrvalg on September 30, 2020, 06:32:05 am ---Maybe that gpio is on one of those debug connectors? Would be more logical than having it accessible on the front panel (if the mode it triggers requires access to internal UART). Try grounding unknown pins (using some 500 Ohm resistor to stay safe) while observing that gpio reg bit via JTAG? --- End quote --- Could be. I was a bit wary of connecting together things that were unknown, so I went the software route to get past it. I've finally made some progress on producing some IDA and Ghidra FunctionID signatures for these binaries too (figuring out the compiler options they used was a bear). |
| reyntjensm:
I don't understand what you are trying to achieve? Just to see how R&S has build there software? I also have an RTB2004 and i'm very happy with it. I got a big discount on the scope with a lot of options( just send them an email and you can buy straight from the manufacturer, if you ask for a discount they can do some things). Sadly enough i don't have the full bandwith option. I only have 70 MHz.... If you know how to hack it to 300MHz please let me know :D. Do you know if the FFT functions depend on the bandwith option? I'm not sure about this since i can use the FFT above the 70MHz bandwith. It looks like you are doing very difficult stuff. I hope you don't blow up the logic with poking around, but i'm sure you know what you are doing with this ;) |
| ElectronMan:
--- Quote from: reyntjensm on October 05, 2020, 11:21:54 pm ---I don't understand what you are trying to achieve? Just to see how R&S has build there software? I also have an RTB2004 and i'm very happy with it. I got a big discount on the scope with a lot of options( just send them an email and you can buy straight from the manufacturer, if you ask for a discount they can do some things). Sadly enough i don't have the full bandwith option. I only have 70 MHz.... If you know how to hack it to 300MHz please let me know :D. Do you know if the FFT functions depend on the bandwith option? I'm not sure about this since i can use the FFT above the 70MHz bandwith. It looks like you are doing very difficult stuff. I hope you don't blow up the logic with poking around, but i'm sure you know what you are doing with this ;) --- End quote --- I just like to know what is inside the "black boxes" that I own. If I find something "useful" or provide a path for someone else to find something useful, all the better. I am pretty much done poking around the insides. I made a JTAG cable and ran it out the little door in the back so I can connect back up if I need to test something. I am using the firmware I recovered to learn more about software reverse-engineering in general. I have no plans to do anything potentially destructive, as this is my primary scope right now. |
| tv84:
Preloader: U-Boot SPL 2013.01.01 (Oct 06 2016 - 16:39:22) Loading address - 0xFFFF0000 Bootloader: --- Code: ---00010000 Magic: 27051956 uImage File OK 00010004 Header CRC-32: FB7A652B [00010000-0001003F] CRC OK 00010008 Created: 06/10/2016 14:40:27 0001000C Data Size: 0000AFB0 00010010 Data Load Address: 00100000 00010014 Entry Point Address: 00000000 00010018 Data CRC-32: 8CF4BA9E [00010040-0001AFEF] CRC OK 0001001C Operating System: U-Boot Firmware 0001001D CPU Architecture: ARM 0001001E Type: Firmware Image 0001001F Compression: None 00010020 Name: Monitor CycloneVSoC CB-2Ax 00010040 - Image 0 [00010040-0001AFEF] 0000AFB0 bytes --- End code --- I included also a NAND visual map of its contents (512MB). The initial zone is the bootloader + 7 .ELF files. --- Code: --- Offset Size CRC32 ??? # 00020001 00222DA0 667AD7B6 0177B8C9 00000000 [00020040-00242DDF] CRC OK 0025FEE1 011C2270 99B593B8 017889C3 00000001 [0025FF20-0142218F] CRC OK 0143F5F1 01249710 0F20C41A 017A8953 00000002 [0143F630-02688D3F] CRC OK 0269ECC1 01255230 13A3E181 017C7C27 00000003 [0269ED00-038F3F2F] CRC OK 038FE391 01364C10 55559A0E 0180559F 00000004 [038FE3D0-04C62FDF] CRC OK 04C7D9D1 013C9110 35F2A042 0185479D 00000005 [04C7DA10-06046B1F] CRC OK 0605CFE1 01482CF0 DE645734 0188065F 00000006 [0605D020-074DFD0F] CRC OK --- End code --- |
| Navigation |
| Message Index |
| Next page |
| Previous page |