R&S RTB2004 Snooping

abyrvalg:
Maybe that gpio is on one of those debug connectors? Would be more logical than having it accessible on the front panel (if the mode it triggers requires access to internal UART). Try grounding unknown pins (using some 500 Ohm resistor to stay safe) while observing that gpio reg bit via JTAG?

ElectronMan:

--- Quote from: abyrvalg on September 30, 2020, 06:32:05 am ---Maybe that gpio is on one of those debug connectors? Would be more logical than having it accessible on the front panel (if the mode it triggers requires access to internal UART). Try grounding unknown pins (using some 500 Ohm resistor to stay safe) while observing that gpio reg bit via JTAG?

--- End quote ---

Could be. I was a bit wary of connecting together things that were unknown, so I went the software route to get past it.

I've finally made some progress on producing some IDA and Ghidra FunctionID signatures for these binaries too (figuring out the compiler options they used was a bear).

reyntjensm:
I don't understand what you are trying to achieve? Just to see how R&S has built their software? I also have an RTB2004 and I'm very happy with it. I got a big discount on the scope with a lot of options (just send them an email and you can buy straight from the manufacturer, if you ask for a discount they can do some things). Sadly enough I don't have the full bandwidth option. I only have 70 MHz.... If you know how to hack it to 300MHz please let me know :D. Do you know if the FFT functions depend on the bandwidth option? I'm not sure about this since I can use the FFT above the 70MHz bandwidth. It looks like you are doing very difficult stuff. I hope you don't blow up the logic with poking around, but I'm sure you know what you are doing with this ;)

ElectronMan:

--- Quote from: reyntjensm on October 05, 2020, 11:21:54 pm ---I don't understand what you are trying to achieve? Just to see how R&S has built their software? I also have an RTB2004 and I'm very happy with it. I got a big discount on the scope with a lot of options (just send them an email and you can buy straight from the manufacturer, if you ask for a discount they can do some things). Sadly enough I don't have the full bandwidth option. I only have 70 MHz.... If you know how to hack it to 300MHz please let me know :D. Do you know if the FFT functions depend on the bandwidth option? I'm not sure about this since I can use the FFT above the 70MHz bandwidth. It looks like you are doing very difficult stuff. I hope you don't blow up the logic with poking around, but I'm sure you know what you are doing with this ;)

--- End quote ---

I just like to know what is inside the "black boxes" that I own. If I find something "useful" or provide a path for someone else to find something useful, all the better.

I am pretty much done poking around the insides. I made a JTAG cable and ran it out the little door in the back so I can connect back up if I need to test something. I am using the firmware I recovered to learn more about software reverse-engineering in general. I have no plans to do anything potentially destructive, as this is my primary scope right now.

tv84:
Preloader: U-Boot SPL 2013.01.01 (Oct 06 2016 - 16:39:22)
Loading address - 0xFFFF0000

Bootloader:

--- Code: ---
00010000                 Magic: 27051956    uImage File OK
00010004         Header CRC-32: FB7A652B  [00010000-0001003F]    CRC OK
00010008               Created: 06/10/2016 14:40:27
0001000C             Data Size: 0000AFB0
00010010     Data Load Address: 00100000
00010014   Entry Point Address: 00000000
00010018           Data CRC-32: 8CF4BA9E  [00010040-0001AFEF]    CRC OK
0001001C      Operating System: U-Boot Firmware
0001001D      CPU Architecture: ARM
0001001E                  Type: Firmware Image
0001001F           Compression: None
00010020                  Name: Monitor CycloneVSoC CB-2Ax
00010040 - Image 0 [00010040-0001AFEF]  0000AFB0 bytes
--- End code ---

I also included a NAND visual map of its contents (512MB). The initial zone is the bootloader + 7 .ELF files.


--- Code: ---
Offset    Size     CRC32    ???       #
00020001  00222DA0 667AD7B6 0177B8C9  00000000  [00020040-00242DDF]  CRC OK
0025FEE1  011C2270 99B593B8 017889C3  00000001  [0025FF20-0142218F]  CRC OK
0143F5F1  01249710 0F20C41A 017A8953  00000002  [0143F630-02688D3F]  CRC OK
0269ECC1  01255230 13A3E181 017C7C27  00000003  [0269ED00-038F3F2F]  CRC OK
038FE391  01364C10 55559A0E 0180559F  00000004  [038FE3D0-04C62FDF]  CRC OK
04C7D9D1  013C9110 35F2A042 0185479D  00000005  [04C7DA10-06046B1F]  CRC OK
0605CFE1  01482CF0 DE645734 0188065F  00000006  [0605D020-074DFD0F]  CRC OK
--- End code ---
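
The fields in the bootloader dump above sit at fixed offsets in U-Boot's legacy uImage header (64 bytes, big-endian), and the header CRC-32 is computed over those 64 bytes with the CRC field itself zeroed. The following is an added example, not code from this thread: a parser that checks both CRCs, exercised on a constructed sample image (`build_sample` and its contents are made up for illustration and are not the scope's firmware).

```python
import struct
import zlib
from datetime import datetime, timezone

UIMAGE_MAGIC = 0x27051956
HEADER = struct.Struct(">7I4B32s")  # 64 bytes, all fields big-endian

# Subset of U-Boot's image.h values, enough for a dump like the one above.
OS = {5: "Linux", 17: "U-Boot Firmware"}
ARCH = {2: "ARM"}
TYPE = {2: "Kernel Image", 5: "Firmware Image"}
COMP = {0: "None", 1: "gzip"}


def parse_uimage(blob, offset=0):
    """Parse and verify a legacy uImage at `offset`; raise ValueError on damage."""
    if len(blob) - offset < HEADER.size:
        raise ValueError("truncated header")
    raw = blob[offset:offset + HEADER.size]
    magic, hcrc, ts, size, load, entry, dcrc, os_, arch, typ, comp, name = HEADER.unpack(raw)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad magic")
    # Header CRC is computed with the hcrc field (bytes 4..7) zeroed.
    if zlib.crc32(raw[:4] + b"\0\0\0\0" + raw[8:]) != hcrc:
        raise ValueError("header CRC mismatch")
    start = offset + HEADER.size
    data = blob[start:start + size]
    if len(data) != size:
        raise ValueError("truncated data")
    if zlib.crc32(data) != dcrc:
        raise ValueError("data CRC mismatch")
    return {
        "created": datetime.fromtimestamp(ts, timezone.utc),
        "size": size, "load": load, "entry": entry,
        "os": OS.get(os_, hex(os_)), "arch": ARCH.get(arch, hex(arch)),
        "type": TYPE.get(typ, hex(typ)), "comp": COMP.get(comp, hex(comp)),
        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "data_range": (start, start + size - 1),  # inclusive, as in the dump
    }


def build_sample():
    """Constructed test image: 16 payload bytes behind a header at 0x10000."""
    payload = bytes(range(16))
    fields = [UIMAGE_MAGIC, 0, 1475764827, len(payload), 0x100000, 0,
              zlib.crc32(payload), 17, 2, 5, 0, b"Constructed sample"]
    fields[1] = zlib.crc32(HEADER.pack(*fields))  # hcrc over header with hcrc=0
    return b"\xff" * 0x10000 + HEADER.pack(*fields) + payload
```

On a real dump, pass the raw image bytes and the offset where the magic `27051956` appears; a CRC mismatch usually means the dump still contains out-of-band or ECC bytes, or the read was incomplete.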
