Author Topic: Hacking old HP spectrum Analyzers  (Read 20428 times)

0 Members and 3 Guests are viewing this topic.

Offline alex.forencichTopic starter

  • Frequent Contributor
  • **
  • Posts: 397
  • Country: us
    • Alex Forencich
Hacking old HP spectrum Analyzers
« on: April 08, 2014, 02:08:58 am »
So this is something I did a little while ago, but  I figured people here might find it useful, or at least interesting. 

The 859xE series analyzers made by HP/Agilent have a number of installable options.  One of these options is Option 105, the gate option.  For the A series analyzers, this is a card.  However, for the E series analyzers, HP actually built the gate circuitry into the motherboard.  Interestingly, they then provided two ways of adding option 105: one is to send the analyzer back to Agilent, where they will turn on the internal gate option.  If this is too difficult, they can also send out a whole gate card that the customer can install.  The internal option shows up as GATE rev B, while the card shows up as GATE rev A. 

I figured it would be interesting to figure out how to turn on the gate option in the analyzer as installing a whole option card is rather redundant. 

First, the recon: the internal gate module itself just appears as a pair of SMB connectors on the motherboard that must be connected to the back panel with SMB to BNC cables.  Then, the module must be enabled in the firmware somehow.  These analyzers have a small amount of battery-backed NVRAM, the perfect place to store calibration data and possibly this sort of a 'sofware switch.'  The service manual also lists some procedures for when the internal memory is erased.  For most analyzers, nothing special is required as the firmware can detect what analyzer it's running in.  However, there are a couple of cases where this doesn't work and manual intervention is required.  First, there is apparently no detectable difference between the 8595E and the 8596E, so the unit will pop up a box and ask.  However, the procedure for an 8591C is different: it will initialize as an 8591E, and then the manual asks you to send the analyzer FACTSET 11023,1 to switch it to 8591C. 

That's a very pretty looking magic number, there.  I wonder if there are any more of those? 

So, I bought an EPROM programmer, read out all four EPROMs, pieced them together into one, and opened the shebang up in a hex editor.  I searched for FACTSET.  I found exactly one hit at address 0007E3E0, in what appeared to be some sort of command data structure.  That's not going to do me a whole lot of good, so I converted the magic number 11023 to hex (2B 0F) and searched for that.  I got exactly one hit, at address 0001978E.  This one appeared to be buried in some instructions as well - more interesting!  Off to the disassembler....

Right around that address, we find this very interesting piece of code:

Code: [Select]

ROM:0001974C ; =============== S U B R O U T I N E =======================================
ROM:0001974C
ROM:0001974C ; Attributes: bp-based frame
ROM:0001974C
ROM:0001974C process_factset:                        ; CODE XREF: j_process_factsetj
ROM:0001974C
ROM:0001974C var_4           = -4
ROM:0001974C arg_0           =  8
ROM:0001974C
ROM:0001974C ; FUNCTION CHUNK AT ROM:0001977A SIZE 00000082 BYTES
ROM:0001974C
ROM:0001974C                 link        a6,#-2
ROM:00019750                 move.w      d0,(sp)
ROM:00019752                 bra.s       loc_1977A
ROM:00019752 ; End of function process_factset
ROM:00019752
ROM:00019754
ROM:00019754 ; =============== S U B R O U T I N E =======================================
ROM:00019754
ROM:00019754
ROM:00019754 update_bff6:                            ; CODE XREF: process_factset+3Cp
ROM:00019754                                         ; process_factset+4Cp ...
ROM:00019754                 btst        #0,9(a6)
ROM:0001975A                 beq.s       loc_19768
ROM:0001975C                 move.w      ($FFFFBFF6).w,d6
ROM:00019760                 move.w      -4(a6),d0
ROM:00019764                 bset        d0,d6
ROM:00019766                 bra.s       loc_19774
ROM:00019768 ; ---------------------------------------------------------------------------
ROM:00019768
ROM:00019768 loc_19768:                              ; CODE XREF: update_bff6+6j
ROM:00019768                 move.w      ($FFFFBFF6).w,d0
ROM:0001976C                 move.w      -4(a6),d6
ROM:00019770                 bclr        d6,d0
ROM:00019772                 move.w      d0,d6
ROM:00019774
ROM:00019774 loc_19774:                              ; CODE XREF: update_bff6+12j
ROM:00019774                 move.w      d6,($FFFFBFF6).w
ROM:00019778                 rts
ROM:00019778 ; End of function update_bff6
ROM:00019778
ROM:0001977A ; ---------------------------------------------------------------------------
ROM:0001977A ; START OF FUNCTION CHUNK FOR process_factset
ROM:0001977A
ROM:0001977A loc_1977A:                              ; CODE XREF: process_factset+6j
ROM:0001977A                 subq.l      #2,sp
ROM:0001977C                 cmp.w       #$3421,d0
ROM:00019780                 bne.s       loc_1978C
ROM:00019782                 move.w      #$A,var_4(a6)
ROM:00019788                 bsr.s       update_bff6
ROM:0001978A                 bra.s       loc_197F4
ROM:0001978C ; ---------------------------------------------------------------------------
ROM:0001978C
ROM:0001978C loc_1978C:                              ; CODE XREF: process_factset+34j
ROM:0001978C                 cmp.w       #$2B0F,d0
ROM:00019790                 bne.s       loc_1979C
ROM:00019792                 move.w      #9,var_4(a6)
ROM:00019798                 bsr.s       update_bff6
ROM:0001979A                 bra.s       loc_197F4
ROM:0001979C ; ---------------------------------------------------------------------------
ROM:0001979C
ROM:0001979C loc_1979C:                              ; CODE XREF: process_factset+44j
ROM:0001979C                 cmp.w       #$2B44,d0
ROM:000197A0                 bne.s       loc_197AC
ROM:000197A2                 move.w      #$E,var_4(a6)
ROM:000197A8                 bsr.s       update_bff6
ROM:000197AA                 bra.s       loc_197F4
ROM:000197AC ; ---------------------------------------------------------------------------
ROM:000197AC
ROM:000197AC loc_197AC:                              ; CODE XREF: process_factset+54j
ROM:000197AC                 cmp.w       #$30E,d0
ROM:000197B0                 bne.s       loc_197BA
ROM:000197B2                 move.w      arg_0(a6),($FFFF9FBC).w
ROM:000197B8                 bra.s       loc_197F4
ROM:000197BA ; ---------------------------------------------------------------------------
ROM:000197BA
ROM:000197BA loc_197BA:                              ; CODE XREF: process_factset+64j
ROM:000197BA                 cmp.w       #$30F,d0
ROM:000197BE                 bne.s       loc_197C8
ROM:000197C0                 move.w      arg_0(a6),($FFFF9FBE).w
ROM:000197C6                 bra.s       loc_197F4
ROM:000197C8 ; ---------------------------------------------------------------------------
ROM:000197C8
ROM:000197C8 loc_197C8:                              ; CODE XREF: process_factset+72j
ROM:000197C8                 cmp.w       #$310,d0
ROM:000197CC                 bne.s       loc_197D6
ROM:000197CE                 move.w      arg_0(a6),($FFFF9FC0).w
ROM:000197D4                 bra.s       loc_197F4
ROM:000197D6 ; ---------------------------------------------------------------------------
ROM:000197D6
ROM:000197D6 loc_197D6:                              ; CODE XREF: process_factset+80j
ROM:000197D6                 cmp.w       #$311,d0
ROM:000197DA                 bne.s       loc_197E4
ROM:000197DC                 move.w      arg_0(a6),($FFFF9FC2).w
ROM:000197E2                 bra.s       loc_197F4
ROM:000197E4 ; ---------------------------------------------------------------------------
ROM:000197E4
ROM:000197E4 loc_197E4:                              ; CODE XREF: process_factset+8Ej
ROM:000197E4                 cmp.w       #$44,d0 ; 'D'
ROM:000197E8                 bne.s       loc_197F4
ROM:000197EA                 move.w      #6,var_4(a6)
ROM:000197F0                 bsr.w       update_bff6
ROM:000197F4
ROM:000197F4 loc_197F4:                              ; CODE XREF: process_factset+3Ej
ROM:000197F4                                         ; process_factset+4Ej ...
ROM:000197F4                 unlk        a6
ROM:000197F6                 movea.l     (sp)+,a0
ROM:000197F8                 addq.l      #2,sp
ROM:000197FA                 jmp         (a0)
ROM:000197FA ; END OF FUNCTION CHUNK FOR process_factset

This code appears to take two arguments, where one is compared with several 'magic numbers' and the other is then either compared with zero to set/clear a bit or is directly written to a memory location.  After some experimentation, it became clear that this code is definitely called by the factset command somehow.  This is what these magic numbers do:

FACTSET 13345,1 sets a bit in NVRAM with unknown effect
FACTSET 11023,1 sets the analyzer to C series
FACTSET 11076,1 sets the analyzer to L series
FACTSET 782,n sets the FM demod zero to n
FACTSET 783,n sets the FM demod slope to n
FACTSET 784,n sets the FM demod narrow bw setting to n
FACTSET 785,n sets the FM demod wide bw setting to n
FACTSET 68 sets a bit in NVRAM with unknown effect

The memory addresses that 782-785 write to correspond with NVRAM registers for the FM demodulator.  I do not know why FACTSET can access them, I presume it is for calibration or debugging, but these commands do not appear in the calibration guide.  Searching on the addresses eventually yielded the corresponding strings where the values are displayed in the 'cal data' screens.  Two of the bits that FACTSET can change in location FFFFBFF6 have unknown functions, while two of them change the analyzer to C or L series. 

None of this has anything to do with the gate module, though!  Or does it?  Hmm....

Next step is to search for what is displayed when the gate is enabled - "GATE rev B"

Python-based instrument control: Python IVI, Python VXI-11, Python USBTMC
 

Offline rastro

  • Frequent Contributor
  • **
  • Posts: 388
  • Country: 00
 

Offline alex.forencichTopic starter

  • Frequent Contributor
  • **
  • Posts: 397
  • Country: us
    • Alex Forencich
Re: Hacking old HP spectrum Analyzers
« Reply #2 on: April 08, 2014, 03:43:56 am »
Whoops, sorry about the double post.  Not sure how that got posted twice. 
Python-based instrument control: Python IVI, Python VXI-11, Python USBTMC
 

Offline Ron Curry

  • Contributor
  • Posts: 12
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #3 on: August 28, 2016, 02:28:50 am »
Has anyone made any progress on this? Anyone dumped the NVRAM?

Cheers,
Ron
 

Offline MarkL

  • Supporter
  • ****
  • Posts: 2219
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #4 on: August 28, 2016, 06:27:44 pm »
Has anyone made any progress on this? Anyone dumped the NVRAM?
I've dumped the NVRAM on a 8595E.  Attached below; have at it.  Let us know if you find anything interesting.

This dump was obtained by removing the NVRAM (SRAM) card and reading it out with an external processor (Silabs C8051F581).  Perhaps it's possible, but I couldn't find a way to do it with the native firmware.

My goal was to transfer the EMC personality which was loaded into the NVRAM to another 8595E which had the quasi-peak detector hardware.  I was unsuccessful with this approach but eventually found a way to do it via GPIB.

One useful thing I found on my journey was the undocumented "SERSET nnn" command which can be used to change the serial number.  If your NVRAM battery goes dead, you lose the cal contants AND the serial number.  This can be used to restore the SN.


Possibly useful info for anyone else wanting to dump their NVRAM the hard way: The connector to mate with the board is a Molex 15-92-2050.  And be careful since the battery power is present on one of the connector pins.
 
The following users thanked this post: Ron Curry, Tantratron

Offline dfnr2

  • Regular Contributor
  • *
  • Posts: 241
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #5 on: September 06, 2016, 08:42:06 pm »
My goal was to transfer the EMC personality which was loaded into the NVRAM to another 8595E which had the quasi-peak detector hardware.  I was unsuccessful with this approach but eventually found a way to do it via GPIB.
Could you write up the procedure here?  I have an 8594E with opt 119 and the noise figure measurement personality installed, but I don't have the original noise figure personality card.  It would be great to be able to safely back it up.
 

Offline AlanG

  • Newbie
  • Posts: 2
Re: Hacking old HP spectrum Analyzers
« Reply #6 on: September 07, 2016, 01:31:12 am »
+1 - if you need any further encouragement  :)
 
The following users thanked this post: Mkpirulo

Offline rastro

  • Frequent Contributor
  • **
  • Posts: 388
  • Country: 00
Re: Hacking old HP spectrum Analyzers
« Reply #7 on: September 07, 2016, 02:26:35 pm »
Additional Info...Verified to work on rev: 950308

Enable Gate Option 105:
1) Press Frequency -2001 Hz
2) Press Cal, More 1 of 4, More 2 of 4
3) Press Service Cal, Flatness Data, More
4) Press top softkey (not labeled)
5) Press Exit

To verify Install:
press Config, More 1 of 3, Show Options
 
The following users thanked this post: Bicurico, james_s, mr.fabe, tabajaralabs, Tekton, bg1wxd

Offline MarkL

  • Supporter
  • ****
  • Posts: 2219
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #8 on: September 07, 2016, 05:55:41 pm »
My goal was to transfer the EMC personality which was loaded into the NVRAM to another 8595E which had the quasi-peak detector hardware.  I was unsuccessful with this approach but eventually found a way to do it via GPIB.
Could you write up the procedure here?  I have an 8594E with opt 119 and the noise figure measurement personality installed, but I don't have the original noise figure personality card.  It would be great to be able to safely back it up.
Well, it's not a straightforward procedure, unfortunately.  But I'll give it shot.

Let me caveat all this by first saying it worked on a 8595E (maybe it was a 8591E?) loaded with the EMC personality.  I don't have the EMC card itself to double check, but everything seemed to work fine after being transplanted to a second 8595E that had the quasi-peak HW installed.

One thing missing, however, are the various EMC limit profiles which are loaded by the DLPs directly from the card.  Since I don't have the card, manual entry of the profiles is needed.  I don't know if Noise Figure and other personality cards have the same issue.

Also, I did this a couple of years ago, so hopefully I got it right.


In a nutshell, everything the card loads is visible via GPIB commands but they are scattered throughout different storage types.  The procedure is to get a directory of all of them, retrieve them one-by-one, and then push them back into the target.

I'll point out there is a command call "USTATE?" which appears to dump everything in the SA, including what was loaded by the card.  In theory I think it can be used to transplant the personality, but I couldn't get it to work.  I think something was wrong with the format of the dump I captured.  Pushing it into the target always failed.  Perhaps someone else can try with better luck.


To do it piecemeal like I did, you would first use the "cat" command to get a directory list of everything.  The EMC card created ACTDEFs, DLPs. KEYs, and TRs.

  cat d*   <-- includes dlps, actdefs, and keys
  cat t*   <-- includes traces and variables

There are other "cat" commands for other storage types which other cards may use (cat on*, cat prefix*, etc).  See the programmer manual for the full list.  You may need more than what I used.

From the "cat" output above you then sort out what's what.  The output is minimal with each item name and the length in bytes.  As you retrieve individual items it's a good idea to always sanity check the number of bytes received against the length reported by cat.

For cat d*:

  - KEYCMDs and KEYLBLs are tagged with "KEY#nnn".  Both the KEYDEF and the KEYCMD must be retrieved for each KEY entry.  This is done with the commands (nnn is the key number):

      keydef nnn?
      keycmd nnn?

  - DLPs and ACTDEFs are co-mingled.  Retrieve everything with (xxx is the name):

      xxx?

    Compare the length of the item returned against the length reported by cat.  If it's wrong, it's an ACTDEF.  Retrieve ACTDEFs with:

      actdef xxx?

For cat t*:

    Both variables and traces are retrieved with:

      xxx?

    If the returned value is in A-block format (see programmer manual), it's a trace.  Otherwise, it's a scalar variable.  I can imagine other cards could also store vectors in addition to traces.  They should show up here too in A-block format.


Ok, so now you have a pile of ACTDEFs, DLPs. KEYCMDs, and variables, and traces.  How to get them into another analyzer?

ACTDEFs: They can be pushed back in the exact same format that they were read out.  The readout includes the "ACTDEF" command, and the value is in A-block format.  (Note: In fact, much of the data retrieved in the preceeding commands is in A-block format so you need to do everything with an 8-bit clean path.)

DLPs: Recreate using "FUNCDEF xxx,yyy" where xxx is the name and yyy was the definition.

Variables: If the variable retrieved is in A-block format, it's a vector and restored as a trace (below).  Otherwise it's a scalar.  Recreate scalars using "VARDEF xxx,nnn" where nnn is the value.

Traces: Recreate by reading into trace C with "TRCyyy".  Then define the target trace with "TRDEF xxx,401", and move trace C to the target with "MOV xxx,TRC".

KEYs are complicated.  You will find that for each key number, a KEYDEF and a KEYCMD exists, AND they are different, BUT some of the definition overlaps in memory, so you can't use both.  How do you know which one to pick?

If the KEYCMD retrieval has an A-block, its either a KEYCMD or KEYDEF.  If no A-block, then it's a label and recreate with "KEYLBL xxx,yyy" where yyy is from the KEYDEF.  That case is easy.

If the definition has two commands in it, it's a KEYCMD.  Recreate with "KEYCMD xxx,yyy".  If a single command it's a KEYDEF.  Recreate with "KEYDEF xxx,yyy".  If the definition of the KEYDEF of the same number as the KEYCMD also has a label associated with it, recreate the label with "KEYLBL xxx,yyy" where yyy is the label from the KEYDEF readout.

That should be it.  It seems likely I did a "DISPOSE ALL" on the target to make sure it was clean before pushing the new definitions at it.


I never said it was simple.  HP's crazy formats and inconsistencies in the command parser doesn't help.

The EMC card loaded 3 ACTDEFs, 103 KEYCMD/KEYDEFs, 118 trace/variables, and 118 DLPs into memory.  The procedure is not something you want to do by hand.

I have a pile of perl and bash scripts written for linux that calls linux-gpib that does what I've described above.  Some hand tweaking of the data was also needed.  This was a one-shot use for me, so I never finished it to be generalized.  If there's any interest I can post it with the expectation that it's a guideline for someone who wants to do a real implementation.  There was one eevblog member who was interested in doing this, but other priorities indicated it would be months away.

I'll say again that the "USTATE?" command has promise to replace all this nonsense.  It bothers me I couldn't figure out why it wouldn't work.
 

Offline Ron Curry

  • Contributor
  • Posts: 12
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #9 on: September 08, 2016, 05:34:08 pm »
I've dumped the NVRAM on a 8595E.  Attached below; have at it.....
This dump was obtained by removing the NVRAM (SRAM) card and reading it out with an external processor (Silabs C8051F581).

Mark,
Thanks! That's awesome. I just finished building something similar using an Arduino Mega board (LOTS of I/O pins) but haven't had time to get back to analyzing the data yet. I couldn't find the exact connector without waiting a few weeks so I created my own by cutting off the card edge of an old PCIe card. Unfortunately, in my checking for fit, I must have shorted the battery and corrupted the card. Hence the need for the serial number info. The good news is I have another 8595E and now, your dump to compare against. Reality is though, now that I have both the info to enable option 105 and fix the serial number from the front panel, my need to dig through the RAM is now only curiosity!

Thanks again,
Ron

« Last Edit: September 08, 2016, 05:39:45 pm by Ron Curry »
 

Offline MarkL

  • Supporter
  • ****
  • Posts: 2219
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #10 on: September 08, 2016, 06:49:57 pm »
I've dumped the NVRAM on a 8595E.  Attached below; have at it.....
This dump was obtained by removing the NVRAM (SRAM) card and reading it out with an external processor (Silabs C8051F581).

Mark,
Thanks! That's awesome. I just finished building something similar using an Arduino Mega board (LOTS of I/O pins) but haven't had time to get back to analyzing the data yet. I couldn't find the exact connector without waiting a few weeks so I created my own by cutting off the card edge of an old PCIe card. Unfortunately, in my checking for fit, I must have shorted the battery and corrupted the card. Hence the need for the serial number info. The good news is I have another 8595E and now, your dump to compare against. Reality is though, now that I have both the info to enable option 105 and fix the serial number from the front panel, my need to dig through the RAM is now only curiosity!

Thanks again,
Ron
You're welcome but sorry to hear you lost your NVRAM.  Hopefully you had your cal constants backed up!

I needed more pins on the SiLabs part (oops), so I had to do the readout in two banks, and for even/odd.

I found digging into the NVRAM/SRAM contents to be fairly frustrating.  I had written some programs that helped me search for items and begin to parse sections of HP's storage structures, but it got increasingly messy with more and more dangling pointers into more rat holes to try to decode.  There was a diminishing possibility that I was going to be able to filter out what belonged to the EMC personality.

And I wasn't in the mood to start disassembling the OS.  Really.  How much time was I going to burn on this.

Looking at it with "strings -a" is probably as useful as it's going to get.

One plus is that the SRAM reader provided me with a full backup of the unit.  If I totally blew it, I could always code-up the SRAM writer and restore the state of the SA down to the last byte.
 

Offline Ron Curry

  • Contributor
  • Posts: 12
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #11 on: September 19, 2016, 03:29:32 am »
.........
I have a pile of perl and bash scripts written for linux that calls linux-gpib that does what I've described above.  Some hand tweaking of the data was also needed.  This was a one-shot use for me, so I never finished it to be generalized.  If there's any interest I can post it with the expectation that it's a guideline for someone who wants to do a real implementation.  There was one eevblog member who was interested in doing this, but other priorities indicated it would be months away.

I'll say again that the "USTATE?" command has promise to replace all this nonsense.  It bothers me I couldn't figure out why it wouldn't work.

Hi Mark,
I'd be interested if you could post or send me the scripts. Also which GPIB card did use. I'm wondering if one could do the same thing over serial if the SA had a serial card in it?

Thanks,
Ron
 

Offline MarkL

  • Supporter
  • ****
  • Posts: 2219
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #12 on: September 20, 2016, 12:28:36 am »
Hi Mark,
I'd be interested if you could post or send me the scripts. Also which GPIB card did use. I'm wondering if one could do the same thing over serial if the SA had a serial card in it?

Thanks,
Ron
Hi Ron,

I have an NI-PCI card, but I have no reason to believe it wouldn't work with any card supported by linux-gpib.  I've never tried a serial card, so I'm not familiar with its capabilities or if it's 8-bit clean.

I put a copy of my working directory for that project here:

  http://www.employees.org/~markl/gpib-dlp-poc.tgz

Please consider it a "proof of concept" and not even close to something that's complete enough for routine use.  Since this thread is already dedicated to SA hacking, feel free to post questions or findings back here.

In the tar file there's a notes/ directory with a couple of messages from me re-telling the procedure in answer to some PM's, and how to run the command scripts.  (Edited slightly to be anonymous and fix a couple of links.)

You will also need the perl wrapper:

  http://www.employees.org/~markl/gpib-perl-v0.3a.tgz

This is a generic set of programs that allows commands and queries to GPIB instruments from bash (has nothing specific to do with DLPs).  It may be of interest to hard-core unix users beyond what we're doing here.  There's a README on how to set it up.

Let us know if you come up with anything!

EDIT: Clarify perl wrapper stuff.
« Last Edit: September 20, 2016, 12:39:13 am by MarkL »
 

Offline Ron Curry

  • Contributor
  • Posts: 12
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #13 on: September 20, 2016, 05:14:26 pm »
Mark,
Thanks for making that info available. The reason why it came up is I found that one of my 8591E's has the EMC personality loaded but I'm parting the unit out and want to load the personality on my personal 8595E along with the QPD card. I do have the card for the QPD drivers but not the EMC personality (I have the empty case for it though!).

On idea I came up with is to simply do a dump of the 8591E NVRAM card and load that to my 8595E NVRAM card. Reset the serial number, module ID, and attenuator calibration and see what happens. Haven't tried it yet. I may have to abandon my homemade NVRAM card connector for an actual commercial connector though because it seems easy to corrupt the card when plugging and unplugging which causes a lot of extra effort when it happens.

Another idea which may or not be more straightforward, is to identify the area in NVRAM where the file system resides and only duplicate that section. In the course of your firmware research, if you've come up with anything that might help with that I'd be interested.

Thanks,
Ron
 

Offline MarkL

  • Supporter
  • ****
  • Posts: 2219
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #14 on: September 20, 2016, 06:03:25 pm »
On idea I came up with is to simply do a dump of the 8591E NVRAM card and load that to my 8595E NVRAM card. Reset the serial number, module ID, and attenuator calibration and see what happens. Haven't tried it yet. I may have to abandon my homemade NVRAM card connector for an actual commercial connector though because it seems easy to corrupt the card when plugging and unplugging which causes a lot of extra effort when it happens.
I almost did this, but I was concerned that were other things that might get set in an empty NVRAM at boot time that would be specific to the model.

There's at least one thing like that.  It can't tell the difference between a 8595E or 8596E, so once you tell it it's storing that information in the NVRAM.

This approach might work, but I would be concerned of unseen consequences on operation.

Quote
Another idea which may or not be more straightforward, is to identify the area in NVRAM where the file system resides and only duplicate that section. In the course of your firmware research, if you've come up with anything that might help with that I'd be interested.
This is what I tried to do at first, but I could not discover a nice tidy area where it made a copy of the card.  There appears to be separate structures set up to store DLPs, ACTDEFs, variables, etc.  Once the card is read in, the various items are scattered throughout memory.  I don't think it's using an in-memory file system.

I provided an NVRAM dump a few postings ago.  Have a look at it and see if you can discover anything.  Maybe I missed something obvious.

I think the only way to fully understand what's going on in the NVRAM is to disassemble the OS and trace how the OS is using it.  It may even take a logic analyzer to verify execution paths.  That was way too much effort for me and I would rather wait for my ebay search to hit on an EMC card first.
 

Offline MarkL

  • Supporter
  • ****
  • Posts: 2219
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #15 on: September 20, 2016, 06:29:36 pm »
Mark,
Thanks for making that info available. The reason why it came up is I found that one of my 8591E's has the EMC personality loaded but I'm parting the unit out and want to load the personality on my personal 8595E along with the QPD card. I do have the card for the QPD drivers but not the EMC personality (I have the empty case for it though!).
...
No problem - I hope it's useful for you or anyone who is interested.

One side note: If your 8591E was purchased as an EM series (or possibly under some other order option as well), it will have a special EM shielded glass over the CRT.  The shielded glass will have obvious metalization around the edge and it is a little thicker.

If you have it, you might want to move it your 8595E since that's your new EMC analyzer.  Also, the bezel is slightly different to accommodate the thicker glass, so that needs to move too.
 

Offline Ron Curry

  • Contributor
  • Posts: 12
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #16 on: September 20, 2016, 08:18:33 pm »
No problem - I hope it's useful for you or anyone who is interested.

One side note: If your 8591E was purchased as an EM series (or possibly under some other order option as well), it will have a special EM shielded glass over the CRT.  The shielded glass will have obvious metalization around the edge and it is a little thicker.

If you have it, you might want to move it your 8595E since that's your new EMC analyzer.  Also, the bezel is slightly different to accommodate the thicker glass, so that needs to move too.

Mark,
I'll look into that - thx. On a related note. I've been hacking together software on the PC side (Mac in my case) to control the SRAM reader. Right now I have the reader reading and right extended linear Intel Hex. Would rather just do it in binary but getting less and less motivated to dump time into this low priority project. Do you have any software code that controls your reader/writer that you wouldn't mind me leveraging?

Thx,
ROn
 

Offline MarkL

  • Supporter
  • ****
  • Posts: 2219
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #17 on: September 20, 2016, 09:15:04 pm »
Mark,
I'll look into that - thx. On a related note. I've been hacking together software on the PC side (Mac in my case) to control the SRAM reader. Right now I have the reader reading and right extended linear Intel Hex. Would rather just do it in binary but getting less and less motivated to dump time into this low priority project. Do you have any software code that controls your reader/writer that you wouldn't mind me leveraging?

Thx,
ROn
Hi Ron,

The code I have is extremely specific to the Silabs C8051F581 and how it was wired to the NVRAM board.  It really won't be of any help.  All it did was set the address lines (MA1 - MA17), the bank (LUSERRAM0/LUSERRAM1), and then enable the output (LOE) for each word.  Each word was printed on the UART as two hex numbers (xx xx) per line, 8 words per line, like so:


  41 46 d8 1d bc 1d 7c 05 ab 05 ff 05 d4 05 fb 05
  b6 05 13 06 d8 05 36 06 a9 05 0f 06 ff 05 27 06
  e4 05 7e 05 fb 05 13 06 d8 05 26 06 81 05 34 06
  ...


The lines sprayed out of the serial port and I captured them into a file with the "cat" command on linux.  I then used "xxd -r -p" to turn the ASCII hex into binary.  I didn't bother doing Intel format.  That's overkill for such a simple goal.  Any lost or garbage ASCII hex would be obvious since the exact number of characters that should be received was known.

From my notes:

  LUSERRAM1=low enables the first bank in ascending memory, LUSERRAM0=low enables the second bank.

  The 68000 is bigendian, so you need to flip the bytes in each word if you want a byte linear representation of the memory.

I never did the "writer" part.
 

Offline Ron Curry

  • Contributor
  • Posts: 12
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #18 on: September 22, 2016, 05:26:55 pm »

From my notes:

  LUSERRAM1=low enables the first bank in ascending memory, LUSERRAM0=low enables the second bank.

  The 68000 is bigendian, so you need to flip the bytes in each word if you want a byte linear representation of the memory.

I never did the "writer" part.

Mark,
Thanks for the info. That's pretty much what I'm doing. I'm generating Intel Hex and shooting it out or in. and then streaming to serial on the Mac end. I thought maybe you'd done more than that on the host end. Thanks though!

You also answered another question I was just about to ask. I assumed LUSERRAM0 would be at the lower addresses just by convention but I saw in the dump file you posted bank 0 and bank 1 were flipped compared to my dumps. It doesn't really matter much for what we are doing as long as one keeps track of it but is there a particular reason you thought LUSERRAM0 is the higher addressed bank and LUSERRAM1 is lower in the address space? The ROM code would tell me but I haven't dug into that and the address decoder is a PAL on the processor board so no way to tell from the schematics alone. Did you get that from the ROM code or was it just arbitrary?

Best regards,
Ron
 

Offline Ron Curry

  • Contributor
  • Posts: 12
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #19 on: September 22, 2016, 06:57:42 pm »
I didn't bother doing Intel format.  That's overkill for such a simple goal. 

Agree. I had a nice library already written so just plugged it in.....
 

Offline MarkL

  • Supporter
  • ****
  • Posts: 2219
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #20 on: September 23, 2016, 01:15:27 am »
Hi Ron,

I took a guess based on context.  The boundary between LUSERRAM0 going to LUSERRAM1 would look like this if you did it in that order:

  ...
  00 bf 97 bf 00 bf 97 bf 00 bf 9d bf 00 bf df bf  ................
  00 bf 9c bf 00 bf ce bf 00 bf df bf 00 bf f3 bf  ................
  00 bf bf bf 00 bf af bf 00 bf b1 bf 00 bf ef bf  ................
  00 bf fb bf 00 bf e7 bf 00 bf d0 bf 00 bf f6 bf  ................
  00 bf ff bf 00 bf 9b bf 00 bf ff bf 00 bf ff 07  ................
  --------------------
  41 46 d8 1d bc 1d 7c 05 ab 05 ff 05 d4 05 fb 05  AF....|.........
  b6 05 13 06 d8 05 36 06 a9 05 0f 06 ff 05 27 06  ......6.......'.
  e4 05 7e 05 fb 05 13 06 d8 05 26 06 81 05 34 06  ..~.......&...4.
  f3 05 d1 05 45 06 f6 05 43 06 de 05 71 06 06 06  ....E...C...q...
  a8 05 4a 06 4a 06 d9 05 1c 06 1d 06 eb 05 28 06  ..J.J.........(.
  ...

The other way, LUSERRAM1 to LUSERRAM0 looks like this:

  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  --------------------
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

It seemed like it dovetailed together better, that's all.  Because I was short pins on the Silabs part, I know I did LUSERRAM0 and LUSERRAM1 separately.  I could be wrong, or maybe I had something flipped on the protoboard if you're getting a different order. 

I agree with you and would have expected LUSERRAM0 to be first too.

I found a small C program I wrote that prints out the in-memory directory.  I was able to decode the name, type, and the pointer (I think) where it stashed the object.  Attached if it's of any use to you.

My best guess at the directory structure is this (from my notes, I really don't remember much of the detail anymore):

  each dir entry appears to be 12 bytes
    starts at 004b4cf with _BWST and it seems to go backwards
    lowest address at 004a344 ("PKZOOM"), maybe lower
 
    1 byte name len
    1 byte type
      0x10 trace?
      0x30 func
      0x40 ? name is PKZOOM
      0x50 ?
      0x60 var?
    4 byte pointer
    name, w/ 0x20 pad to force first char to fall on a word boundary

Another tidbit is that the SA does store the model number in the SRAM, probably after it figures it out when the NVRAM is empty.  It stores it as a big-endian 16-bit integer at 0x7bfee.  For example, 8595 is 0x2193.  The letter "E" is right after the serial number, and it seems likely this is to differentiate E vs. C models.
 

Offline Ron Curry

  • Contributor
  • Posts: 12
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #21 on: September 23, 2016, 04:52:06 pm »
Hi Mark,
Cool stuff!

I can't make a strong case for either way on the bank selects. I assumed LUSERRAM0 was lower address and when I did a dump there was a bunch of stuff starting at address 0 that seemed consistent with so many other embedded systems I've reversed engineered and assumed I had it correct. Another reason for my assumption is the first 16 bits seems like it might be a checksum of some sort so it can quickly tell if RAM has become corrupted because it seems to change every time I make changes on the SA between dumps. However, if that C program was done by someone else then there is at least one more person who agrees with you that it's opposite of my assumption. For our purposes, it may not matter as long as we write stuff back in the correct order.

Since I corrupted my card I went ahead and set the model number and serial number via EXECUTE TITLE and then used the the front panel to basically delete everything with the thought of re-initializing the card so I could see what got cleared and what stayed. Both banks are mostly zeroed out with some areas filled with what looks like 16 or 24bit repeating values. Some areas stayed the same of course but they both are mostly cleared LUSERRAM1 more so than LUSERRAM0. There is darned little else! I'm going to try writing your data to my card and determine if that gives me the EMC stuff (I assume your SA has EMC personality installed - let me know if I'm wrong). I want to see if I can get that working before I risk corrupting the 8591E EMC unit I have.

BTW, based on the EMC info you wrote about I checked and the 8591E I have is a factory EMC unit with the thick glass over the CRT etc. - Thanks for that!

I'll let you know what else I find out.

Best regards,
Ron
« Last Edit: September 23, 2016, 04:55:28 pm by Ron Curry »
 

Offline MarkL

  • Supporter
  • ****
  • Posts: 2219
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #22 on: September 23, 2016, 06:40:03 pm »
Hi Mark,
Cool stuff!

I can't make a strong case for either way on the bank selects. I assumed LUSERRAM0 was lower address and when I did a dump there was a bunch of stuff starting at address 0 that seemed consistent with so many other embedded systems I've reversed engineered and assumed I had it correct. Another reason for my assumption is the first 16 bits seems like it might be a checksum of some sort so it can quickly tell if RAM has become corrupted because it seems to change every time I make changes on the SA between dumps. However, if that C program was done by someone else then there is at least one more person who agrees with you that it's opposite of my assumption. For our purposes, it may not matter as long as we write stuff back in the correct order.
If the dump of your SRAM has stuff in the front too and not 0's, it seems more likely I got LUSERRAM[01] backwards.  In that case, I at least hopefully re-assembled the binary correctly.
Quote
Since I corrupted my card I went ahead and set the model number and serial number via EXECUTE TITLE and then used the the front panel to basically delete everything with the thought of re-initializing the card so I could see what got cleared and what stayed. Both banks are mostly zeroed out with some areas filled with what looks like 16 or 24bit repeating values. Some areas stayed the same of course but they both are mostly cleared LUSERRAM1 more so than LUSERRAM0. There is darned little else! I'm going to try writing your data to my card and determine if that gives me the EMC stuff (I assume your SA has EMC personality installed - let me know if I'm wrong). I want to see if I can get that working before I risk corrupting the 8591E EMC unit I have.
The EMC personality is in there.  But of course with my cal constants.

I have two 8595E and one 8591E.  The EMC personality was in the 8591E which also had the QPD card in it.  You're in the exact same situation that I was.

I should note that the SRAM dump was from the 8595E after I moved the QPD card and reloaded the EMC personality via GPIB.  I also have a copy of the 8591E SRAM dump which I've attached.  I'm including it in case I messed something up when re-creating the EMC personality on the 8595E.  The 8591E dump is untouched from when I originally received the unit as an 8591EM.

The program was done by me and it works against the 8591E dump, which is where I started this project.  I just tried it on the 8595E dump for the first time and it doesn't have the start of the directory right in addition to some other issues.  The directory is probably dynamically allocated.

Keep us posted on how it turns out!
 

Offline Ron Curry

  • Contributor
  • Posts: 12
  • Country: us
Re: Hacking old HP spectrum Analyzers
« Reply #23 on: September 27, 2016, 05:23:12 am »
Mark,

Thanks for that! My 8591E EMC had the QPD card as well but I moved that to my 8595E which is now has a fully loaded card cage and includes a TG. I've been busy on higher priority stuff the last week but I plan to do some more experimenting later this week..

Cheers,
Ron
 

Offline Bicurico

  • Super Contributor
  • ***
  • Posts: 1778
  • Country: pt
    • VMA's Satellite Blog
Re: Hacking old HP spectrum Analyzers
« Reply #24 on: March 21, 2019, 06:52:25 pm »
Additional Info...Verified to work on rev: 950308

Enable Gate Option 105:
1) Press Frequency -2001 Hz
2) Press Cal, More 1 of 4, More 2 of 4
3) Press Service Cal, Flatness Data, More
4) Press top softkey (not labeled)
5) Press Exit

To verify Install:
press Config, More 1 of 3, Show Options

Just to confirm that this worked on spot on my HP 8594E!

Now I have to figure out what this option actually does...

Regards,
Vitor


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf