Agilent E7495 linux root account

[DogP]

Anyone figure out a fix for the screen bezel coming undone? The system works fine, but part of the screen is obscured. Picture attached

If you look at the service manual, there's a detailed procedure for removing and disassembling the display.  Pg. 111 removes the front panel from the unit, and pg. 145 removes the display from the front panel.  Once there, it looks like the gasket is accessible (MP29).

Pat

[DogP]

I spent a bit of time looking at this again, trying to get some remote access/control working.  As noted earlier, the E7495 has a webpage, but doesn't accept the normal login.  I noticed a similar non-working login on port 5025.  Using netstat, I saw that elgato was listening on those ports.  When looking in the /flash/egServer directory, I noticed a passwd file.  It looked different than the standard *nix passwd file, but appeared to have a hashed root password in it (RzSdSbSdye).

Rather than trying to crack the password, I decided to try simply renaming the passwd file and rebooting.  Surprisingly, it didn't recreate it, and now simply accepts any login! (on both the webpage and port 5025).

The webpage has a bunch of configuration stuff, though the coolest thing seems to be the "Transducer I/O" section.  For example, if you click "Active STIM" you can select 16 (Spectrum Analyzer), and then go to the "Channel I/O" page and click "Array" under Channel 1 to get the spectrum data.  You can set parameters, etc. as well, which get set using http POST.  I'm not really familiar with it, but I believe this is IEEE 1451 standard stuff.  Maybe there's a way to tell elgato to do these operations directly, rather than through http.

Port 5025 now accepts any login as well, though I was hoping it'd be SCPI (commonly on that port)... instead, it looks like it's something called the "DMC Shell".  Typing "help", it says "The Dmc Shell accepts "C" like function statements and assignments" and gives some examples... not sure how useful it is.


I also took a look at the remote GUI... it didn't seem to work on Windows with Java 8 (even using the commands further up in the thread).  Rather than dig into it, I installed Java 1.4.2 in a VM, grabbed the jre directory, and explicitly ran RemoteGui.jar using that version of java ("jre\bin\java -jar RemoteGui.jar").  By doing that, the remote GUI worked first try.

I was interested in how it communicated, so I sniffed the packets.  It looks like most stuff goes over port 5028.  The commands and acknowledgements go over TCP, and the spectrum display data goes over UDP.  It looks like there’s some status (power, GPS, etc) coming out 1027 as well.

I had to make sure Windows allowed the data through the firewall (without it, the TCP commands would go through, but the UDP data wouldn’t, so the GUI would never show the spectrum).  Also, Windows 7 temporarily goes back to basic graphics (disabling Aero) when you run Java 1.4.2.

The commands going over 5028 don't look to be any standard I'm familiar with.  Some examples are (without the quotes, <\n> is hex 0A): “cmd: local<\n><\n>”, "cmd: set<\n>topic: display.global<\n>printFilter: 0<\n><\n>", etc.  If you dig through the elgato binary, you can see a bunch of available commands (and you can test them out using nc).

 
Oh, and I quickly glanced at the decompiled egclient posted earlier in the thread... if you look in the manufacturing directory, it appears that there’s a Snake and Tetris game, seemingly in a hidden menu on the Display Test screen.  It wasn’t immediately obvious how to access it though.


Pat

[DogP]

Heh, it bugged me having games on here that I couldn't get to, so I tracked it down. :-P

Though the code has it with the DisplayTestScreen stuff, it really doesn't have anything to do with that.  To get there, you click the Spectrum Analyzer / Tools menu, then quickly click the bottom right display button 3 times.  Then the "Extras" buttons pop up with Tetris and Nibbles.

DogP

[TheSteve]

Nice find!

You can enable the same web login etc on the E7495's big brother, the N1996A by renaming the /flash/toroServer/passwd file.

[DogP]

Here's a quick (and kinda pointless) mod... I didn't really like this being called a "Base Station" test set, since it's never gonna test another base station in its life.   So I opened up the egclient JAR file (with 7-zip), and replaced the cell tower background with a generic modern Agilent background (that they use on their documentation, etc... grabbed from: http://eprocurement.agilent.com/ ).  I also got rid of the "Base Station" text.  It's just a matter of modifying the ModeScreen.jpg and ModeScreen_overlay-E7495A.png (-E7495B if you've got the B model).

The colors on the LCD aren't very accurate (it had a much greener tint than it should have), so I adjusted the hue/saturation a bit to get it kinda close to the original blue, and it turned out pretty good.

Oh, and something interesting I noticed... in the JAR file is a graphic for the an E7496A.  AFAIK, that doesn't exist... I wonder what the specs of that unit would have been.

Pat

[kirill_ka]

Thank you all for information in this thread. Because of it now I have a new toy (A model).

Port 5025 now accepts any login as well, though I was hoping it'd be SCPI (commonly on that port)... instead, it looks like it's something called the "DMC Shell".  Typing "help", it says "The Dmc Shell accepts "C" like function statements and assignments" and gives some examples... not sure how useful it is.

The "DMC shell" looks like some kind debugger. It knows functions and variables of elgato process. I don't think it's useful without source code.
Interesting thing I found that E7495 is supported by toro executable - N1996A server.
I guess, E7495 might be used during N1996A development when N1996 hw was not ready. Maybe E7496 = N1996.
Up to this point I got "toro" running on E7495 with some tweaking. It responds to SCPI and HTTP and looks quite healthy. toroGui starts but it might be useless due to keypad differencies.
Next thing is to deal with license file and options. Spectrum analyser refuses to work without license. I don't expect a lot, because toro doesn't handle E7495 as N1996.
We'll see...

[DogP]

Interesting thing I found that E7456A is supported by toro executable - N1996A server.
I guess, E7456 might be used during N1996A development when N1996 hw was not ready. Maybe E7496 = N1996.
Up to this point I got "toro" running on E7456 with some tweaking. It responds to SCPI and HTTP and looks quite healthy. toroGui starts but it might be useless due to keypad differencies.
Next thing is to deal with license file and options. Spectrum analyser refuses to work without license. I don't expect a lot, because toro doesn't handle E7456 as N1996.
We'll see...

Hmm... interesting!

I'm not quite sure I totally understand though... what is the E7456?  When you run toro, is that what it detects your E7495A as?  That's a good guess that maybe E7496 = N1996, since both pieces of hardware seem to be related.

Regarding toroGui, maybe you could run it over the network, like the E7495 remote GUI, in which case the keypad wouldn't be a problem (using a virtual keypad on the PC)?

Pat

[kirill_ka]

I'm not quite sure I totally understand though... what is the E7456?  When you run toro, is that what it detects your E7495A as?  That's a good guess that maybe E7496 = N1996, since both pieces of hardware seem to be related.

Regarding toroGui, maybe you could run it over the network, like the E7495 remote GUI, in which case the keypad wouldn't be a problem (using a virtual keypad on the PC)?

Typo... 95, not 56. Fixed that. toro detects E7495A as E7495A. There's a special option for it called GPSA. I see two separate option lists (E7495 and N1996) inside the executable.
Unfortunately that GPSA (= general purpose spectrum analyser) doesn't work. I mean it tries. It seems to load dsp program Dragonfly/Measurements/KernelBasic/Superfly/gpSpecAn  but fails to communicate with it.
"Basic" sectrum analyser (Dragonfly/Measurements/KernelBasic/Superfly/nSpecAn) works according to web page (Active STIM/Transducer IO), but SCPI and GUI both trying to use GPSA.
Now I'm out of ideas what to try. Maybe older N1996 firmware...
Anyway, if you want to try:
1. copy flash/toroServer from N1996 firmware A.02.07 to CF/PCMCIA formatted as ext2 (fat may work, I didn't try it)
2. change baud rate in toroServer/registry/df1.ini 921600 -> 230400
3. patch toro executable and add GPSA license option to license/elgato.lic
4. copy cals from egServer
5. copy Dragonfly/Firmware/E7495A and Dragonfly/Firmware/CPXSRC from egServer
If you don't copy, toroServer includes older firmware versions and tries to update. A bit frightening. It failed to update CPXSRC. After reboot elgato recovered the firmware, but it took some minutes to start.
6. copy Dragonfly/Receivers/comPort4 from egServer
Although, It didn't change anything.
7. killall _siege; /etc/rc.d/init.d/egServer stop
8. run toro from toroServer directory
Attaching output from toro.

[kirill_ka]

Debug log from GPSA.
That "waiting for getMessage(1000)" looks like a problem.

[kirill_ka]

I didn't see if it was mentioned, GSM analyser provides some time domain display. It's quite limited, but still usable. Bandwidth is fixed 500kHz. Frequency is in 200kHz increments, but config file can be tweaked for finer adjustments.
Here's analogue video signal caught from the air:

[kirill_ka]

BTW, I did some more testing on waveform files, and it appears that the largest file it'll fully process is 2MB (corresponds to 200ms @ 2.5Msps, or 2s @ 250Ksps).  I haven't gotten it to actually play any longer than the original file length though.

Length seems to be hardcoded in DSP program genIS95.
AFAIK debug log show what is passed to DSP. It's modulation type (4, 5, 6, 7 - separate value for each Arb file). And then the ARB file is written to DSP memory.

To get debug output:
1. Save settings (save state button) to <set>
2. Set debug parameter in registy/<set>/sourceStim.ini
3. connect to that DMC shell
4. activate <set>
5. play with generator
Debug output will appear in DMC shell.

[kirill_ka]

I just noticed a weird thing. If I change sig gen amplitude in spectrum analyser mode, signal level jumps up about 25dB. This only happens if spectrum analyser runs in full span (500kHz-2.7GHz). Amplitude control still works, but signal level is higher than normal (i.e. at -50dBm setting, actual level is -23dBm). It recovers after suspend-resume cycle.

[technogeeky]

I just picked up one of these for a bargain (partially broken / incomplete). The only known problem is a intermittent busted LCD screen. Since I don't necessarily plan to use it in a portable mode, I may not replace the LCD right away especially if I can get all of this PC-based GUI stuff working. The other problem I anticipate is that it seems like I am just getting the unit -- no accessories whatsoever. Maybe when the seller ships the backpack to me, it might have some items in it.

So, I have a slew of questions:

For reference, the unit I supposedly will have in a few days is:

Agilent E7495A Options:

• 200
  
• 205
  
• 210
  
• 220
  
• 510
  
• 600
  
• 700
  

My current questions:

• What are the minimum set of accessories I will need to test the unit, and test the self-calibration? It seems like I need rather specific cable lengths, specific Agilent-branded 10dB pads, etc. Can I get away with cheaper parts?
• Does anyone know the full list of power sensors that will work with this device? It seems like there are only one or two.
• When I entered the model and serial number on Keysight's site, the list of options did not match the advertised list, nor did it match the list on the metallic sticker shown in the auction. Does anyone know if this is normal? Is it possible that this unit was upgraded after initial selling? I know the sticker on the device says Agilent last calibrated it in 2013.
• Does anyone know what kind of power supplies one can get away with? One of the manuals lists a range of voltages. I have a whole slew of power bricks, but I don't think I have a 24V 4A one. I don't have any batteries to charge, so presumably I don't need that much current anyway.
• I doubt I have any PCMCIA flash cards. Do I need to buy a specific size? Like really, do I need exactly a 64MB one?
• The service manual mentions an optional, internal 90dB attenuator. But I can't find any reference to this anywhere else. Do any of your units have this? Do all units have it? Does nobody have it?
  

I will no doubt have further questions, but for now I don't even have the device in hand.

Thanks in advance!

[DogP]

I'll try to take a crack at your Qs...

1. What are the minimum set of accessories I will need to test the unit, and test the self-calibration? It seems like I need rather specific cable lengths, specific Agilent-branded 10dB pads, etc. Can I get away with cheaper parts?

I don't think there's anything special about the ones supplied.  I'm personally using standard cables and attenuators, and a homemade short, open, and load.

2. Does anyone know the full list of power sensors that will work with this device? It seems like there are only one or two.

The manual specifies that it works with the 8481A, 8481D, and 8482A (and CFT variants).

3. When I entered the model and serial number on Keysight's site, the list of options did not match the advertised list, nor did it match the list on the metallic sticker shown in the auction. Does anyone know if this is normal? Is it possible that this unit was upgraded after initial selling? I know the sticker on the device says Agilent last calibrated it in 2013.

Got a link where you entered the info?  I can try mine and see if it's different as well... though I personally wouldn't worry what Agilent thinks you've got.  If you go into setup and read out your options, that's what you've got.  And if you hack the file described earlier in the thread, you can have all the software options. :-P

4. Does anyone know what kind of power supplies one can get away with? One of the manuals lists a range of voltages. I have a whole slew of power bricks, but I don't think I have a 24V 4A one. I don't have any batteries to charge, so presumably I don't need that much current anyway.

The manual states +9V to +25V DC (55W).  I've personally run mine from a 24V 5A supply (cheap Chinese power pack) as well as a universal 90W 19.5V laptop power supply.

5. I doubt I have any PCMCIA flash cards. Do I need to buy a specific size? Like really, do I need exactly a 64MB one?

I'm not aware of any limitations... I'm using an 8GB card in mine.

6.The service manual mentions an optional, internal 90dB attenuator. But I can't find any reference to this anywhere else. Do any of your units have this? Do all units have it? Does nobody have it?

If mine has it, I'm not aware of it.

Pat

[technogeeky]

Well, I forgot an important question. I just got my unit today, so before I do something stupid...

• Is the power supply center-pin positive? Yes*.

* I looked through this thread more carefully; it's 9-24V DC, somewhere between 3 and 5 amps; center-pin positive.

[kirill_ka]

2. Does anyone know the full list of power sensors that will work with this device? It seems like there are only one or two.

The manual specifies that it works with the 8481A, 8481D, and 8482A (and CFT variants).

I've read somewhere that 8484 should work. I got 8481D, but not tested yet - cable is on the way.

5. I doubt I have any PCMCIA flash cards. Do I need to buy a specific size? Like really, do I need exactly a 64MB one?

I'm not aware of any limitations... I'm using an 8GB card in mine.

I use CF with CF to pcmcia adapter. Note that there's also CF slot (it works same as PCMCIA, but doesn't allow to close the door).

6.The service manual mentions an optional, internal 90dB attenuator. But I can't find any reference to this anywhere else. Do any of your units have this? Do all units have it? Does nobody have it?

If mine has it, I'm not aware of it.

It's for signal generator (source). I think, it's included if it allows to change level to -90 dBm.

[kirill_ka]

Here it is, ATTN OUT to J7/SOURCE IN connection.

[technogeeky]

Another few questions:

1) Is it possible to keep the power meter reference output on but go back to the spectrum analyzer window, to see it? Apparently this is possible to do with the signal generator, but not with the spectrum analyzer.

2) Does anyone have the Service Test software? By this I mean the software package that lets you test all of the functions of the device, as described in the service manual. Perhaps this is something which is on the machine but is not available until you login as root (or some other method to gain access)?

3) In terms of disassembly, what actions are likely to destroy any hope of keeping the calibration? E.g. can I (without automatic ruining of calibration):

• Disconnect the internal flexible SMA connectors?
• Disconnect the internal rigid SMA connectors (without bending the rigid cables)?
• Open the various metal cans, while being ESD protected and latex gloved, but without noting torque values for the screws?

If you'd prefer, a qualitative assessment of what I can take a look at would be fine with me. I don't (yet) have a suitable torque wrench, so I don't think I'll be doing any of this until after I get one. But I've heard that it's common for these connectors to be overtightened from the factory, and presumably I wouldn't want to repeat that over tightening.

Thanks!

[DogP]

1) I don't think so, besides maybe manually poking a register under the hood somewhere to turn it on.

2) I assume you're referring to the "Agilent E7495A/B Performance Verification and Adjustment software"?  I've never come across it, and I don't think it's on the unit itself... I'm pretty sure that's PC based software, similar to this: http://www.keysight.com/en/pd-1000000762%3Aepsg%3Apro-pn-N2717A/performance-verification-and-adjustment?cc=US&lc=eng .  It seems like it's generally option 0BW, which includes service and calibration manuals and software, but I don't see this option listed for the E7495, so it may have never been available for customers.

3) I'd say you can open the case of the unit, but as soon as you disconnect ANY RF cable, you're going to ruin the calibration.  Maybe you'll get it close to original spec, but it'll likely change slightly, and the whole point of calibration is that the system is calibrated for those conditions.  Once it changes, you either need to recalibrate, or just live with the fact that your unit isn't calibrated.  I don't know what you're hoping to see, but I definitely wouldn't remove any of the cans.  It might not affect "calibration" much, but you'll likely affect the shielding effectiveness, and increase your noise floor, interference, spurs, etc.

I've never heard about Agilent overtightening of the connectors... that's surprising (I'd figure Agilent would have a pretty good handle on connector torque).  There are different torque specs depending on the connector material, specific type, and application though, so they might be tighter than the 8 in-lbs of a standard SMA torque wrench.  For example: http://www.amphenolrf.com/connectors/sma.html says 4-6"lb recommended for commercial grade parts, 7-10" lb recommended for industrial/military grade parts, and 15" lb maximum for industrial/military grade parts.  Generally, brass parts should be torqued less than stainless steel.

Pat

[technogeeky]

1) I don't think so, besides maybe manually poking a register under the hood somewhere to turn it on.

OK. I'll take a poke around. I also want to reset all of the default setups because they are very silly for my usage. What the hell is "Chan 500" and why did they like it so much?

2) I assume you're referring to the "Agilent E7495A/B Performance Verification and Adjustment software"?  I've never come across it, and I don't think it's on the unit itself... I'm pretty sure that's PC based software, similar to this: http://www.keysight.com/en/pd-1000000762%3Aepsg%3Apro-pn-N2717A/performance-verification-and-adjustment?cc=US&lc=eng .  It seems like it's generally option 0BW, which includes service and calibration manuals and software, but I don't see this option listed for the E7495, so it may have never been available for customers.

Yes indeed. I really hope to get this one day, so perhaps someone here has come across it. I guess I could ask Keysight for it, but I doubt that will get very far.

3) I'd say you can open the case of the unit, but as soon as you disconnect ANY RF cable, you're going to ruin the calibration.  Maybe you'll get it close to original spec, but it'll likely change slightly, and the whole point of calibration is that the system is calibrated for those conditions.  Once it changes, you either need to recalibrate, or just live with the fact that your unit isn't calibrated.  I don't know what you're hoping to see, but I definitely wouldn't remove any of the cans.  It might not affect "calibration" much, but you'll likely affect the shielding effectiveness, and increase your noise floor, interference, spurs, etc.

Well, I am just very curious by nature; and I've never torn down any RF equipment. I also figured it would be nice to get pictures and/or part numbers and post them, since nobody has posted even block diagrams, let alone schematics.

I've never heard about Agilent overtightening of the connectors... that's surprising (I'd figure Agilent would have a pretty good handle on connector torque).  There are different torque specs depending on the connector material, specific type, and application though, so they might be tighter than the 8 in-lbs of a standard SMA torque wrench.  For example: http://www.amphenolrf.com/connectors/sma.html says 4-6"lb recommended for commercial grade parts, 7-10" lb recommended for industrial/military grade parts, and 15" lb maximum for industrial/military grade parts.  Generally, brass parts should be torqued less than stainless steel.

I think my only references are two or three videos of Shahriar's @ The Signal Path. And perhaps it was specifically HP gear that was overtightened. In any case, given the above it won't be a problem since I won't be taking it apart.

[PA0PBZ]

Yes indeed. I really hope to get this one day, so perhaps someone here has come across it. I guess I could ask Keysight for it, but I doubt that will get very far.

If I remember correctly the software it is supposed to work with specific TM equipment (think sig gen, rf meter and such), and as long as you don't have those it will be of no use at all

[technogeeky]

Yes indeed. I really hope to get this one day, so perhaps someone here has come across it. I guess I could ask Keysight for it, but I doubt that will get very far.

If I remember correctly the software it is supposed to work with specific TM equipment (think sig gen, rf meter and such), and as long as you don't have those it will be of no use at all

Oh. I thought this unit sort of contained most of the hardware it needed to test itself. I also figured they left space in the UI for those buttons, so maybe it was on the machine. Ah well. It's still an incredible buy at $300 shipped (and now) fixed.

[technogeeky]

In searching around for possible calibration software information (both on the unit and in general), I have so far only found this document which describes TME or Test Management Environment.

This is the aforementioned piece of software which runs on a computer (apparently with some IO libraries and a GPIB card of some sort).

It seems you can download the latest version though it needs a license key. It seems there are very old calibration applications (C.xx.xx), old calibration applications (D.xx.xx) and newer ones (E.xx.xx).

The are two new facts that I think this document brings to light, however. One concerns Agilent internal numbering for these devices:

• The N1996A CSA is internally known as N7813A
• The E7495x BST is internally known as N7816A

However, the reason I know this is new information is the same reason I also know this is not useful information: a search for N7816A reveals nothing except the above PDF.

Secondly, it seems like a very small subset of devices are labeled (internal Agilent only) which presumably means only Agilent themselves can run that cal application. These include:

• Our E7495x units.
• An ACQ/SW unit 34970A.
• All of the Dragonfly-based Digital Receivers (E640xx, E745xx, E747xx).

I guessed that this is because all of these units incorporate 'Dragonfly' units (the E7495s appear to), but the 34970A seems to be an exception to this. I won't speculate further.


In any case, I wonder if we could appeal to Keysight to release the software and licenses for this, since it's long since unsupported; and they won't even do CALs for these devices anymore.

[technogeeky]

If anyone cares to test, I had a theory that perhaps turning off some levels of logging/debugging might help. It turns out that there is no straightforward way to stop the debugging processes, but you can disable any logging.

Simply edit this file with the following changes:

/flash/linux/etc/rc.d/init.d/egGui

Code: [Select]

-DLogger.level=2
to:

Code: [Select]

-DLogger.level=0
Unfortunately I can't find a good thing to test this with. But the UI does seem a bit snappier. I wonder what other options are there for -Dxxx.


Also, I played around with the files in /flash/egServer/Dragonfly/Recievers, like E7495A and CPXSRC. You can indeed change things here and sometimes see the effects (e.g. you can change E7495A to have Freq Range be 3000e6, and it makes it possible to enter that value). However, some of these changes will have no effect for other reasons (here, I assume it's because there is actually a filter which sharply cuts off at ~ 2.7GHz).

However however, I could not find a way to try and make the signal generator make higher or lower frequency signals.

Did anyone actually try porting things from the N1996 over to ElGato? The only things I'd really be interested in are FM/AM demodulation and audio playing, and Harmonics viewing.

[kirill_ka]

Did anyone actually try porting things from the N1996 over to ElGato? The only things I'd really be interested in are FM/AM demodulation and audio playing, and Harmonics viewing.

N1996A spectrum analyser code doesn't work with E7495 for some reason. It attempts to work, but DSP code seems to hang somewhere. See my post above. If you can find different versions of N1996A firmware, we might have a better luck.