|
Hello Everyone, While working on my own E4407B I uncovered a few things. My own machine had an untuned YTF in the RYTHM which I have since successfully corrected. I discovered from the N7800 docs that no special equipment is used except an external synthesizer with great enough frequency range and a GPIB interface. I therefore set about looking for hidden commands for the SCPI interface. Here are some that I have found so far, with my own notes on format/function calls. Disclaimer: Using these commands can mess with your calibration data, making your unit worse. Please use with caution. SCPI Command Function call
DIAG:CAL:ADC?\n
DIAG:CAL? nnn,n\n GetStateEEPROM, nnn,n = address
DIAG:CAL nnn,n,xxx.yyy\n SetStateEEPROMData (RAM), nnn,n = address, xxx.yyy = new value
DIAG:CAL:BEG\n SetStateEEPROMBegin
DIAG:CAL:STOR %s\n SetStateEEPROMStore
DIAG:CAL:END\n SetStateEEPROMEnd
DIAG:CAL:SOUR?\n GetStateCalSource
DIAG:CAL:SOUR %s\n SetStateCalSource
SYST:PASS %s\n SetStatePassword
DIAG:CAL:PIECE %s\n SetStateUpdate
DIAG:OPT %s\n SetStateEEPROMOption
DIAG:PARK:LO?\n GetStateParkLO
DIAG:PARK:LO %d\n SetStateParkLO
DIAG:CARD? %s\n GetStateInformation
DIAG:TEMP? %s\n GetStateTemperature
DIAG:LATC:VAL %f\n SetStateRAM
DIAG:LATC:SEL %s\n
DIAG:LATC:VAL?\nGetStateRAM
In addition, I have started mapping out the address space accessible with the DIAG:CAL? nnn,n command. Here a few of the addresses and their corresponding register contents
Addr: Keyword:43,0 TG CAL OFFSET43,1 TG CAL SLOPE111,0 IF CAL LEVEL112,0 RF CAL LEVEL112,0 112,1 50 MHZ CAL ADJUST DAC (EEPROM)?113,0 COARSE SET FREQ REF113,1 FINE SET FREQ REF114,0 LO LEVEL DAC (EEPROM)115,0 COARSE RF GAIN DAC120,0 BITG LO LEVEL DAC (EEPROM)121,0 TG CORNER122,0 TG MOD OFFSET123,0 TG GAIN124,0 TG A OFFSET124,1 TG LB OFFSET124,2 TG A SLOPE125,0 TG X OFFSET125,1 TG X SLOPE126,0 TG F SLOPE131,0 FEXT B1 LO LEVEL DAC131,1 FEXT B2 LO LEVEL DAC131,2 FEXT B3 LO LEVEL DAC131,3 FEXT B4 LO LEVEL DAC131,4 FEXT TG LO LEVEL DAC131,5 FEXT B5 LO LEVEL DAC131,6 FEXT MIX LO LEVEL DAC132,0 YTF TUNE A0132,1 YTF TUNE A1132,2 YTF TUNE A2132,3 YTF TUNE A3132,4 YTF TUNE EXT 0132,5 YTF TUNE EXT 1132,6 YTF TUNE EXT 2132,7 YTF TUNE EXT 3133,0 FEXT YTF DELAY OFFSET 0133,1 FEXT YTF DELAY OFFSET 1133,2 FEXT YTF DELAY OFFSET 2133,3 FEXT YTF DELAY OFFSET 3133,4 FEXT YTF DELAY OFFSET 4133,5 FEXT YTF DELAY OFFSET 5133,6 FEXT YTF DELAY OFFSET 6133,7 FEXT YTF DELAY OFFSET 7133,8 FEXT YTF DELAY OFFSET 8133,9 FEXT YTF DELAY OFFSET 9134,0 B0 REF TEMP PA OFF 0134,1 B0 REF TEMP PA OFF 1134,2 B0 REF TEMP PA OFF 2135,0 B0 REF TEMP PA ON 0135,1 B0 REF TEMP PA ON 1135,2 B0 REF TEMP PA ON 2136,0 B1 REF TEMP 0136,1 B1 REF TEMP 1136,2 B1 REF TEMP 2137,0 B2 REF TEMP 0137,1 B2 REF TEMP 1137,2 B2 REF TEMP 2138,0 B3 REF TEMP 0138,1 B3 REF TEMP 1138,2 B3 REF TEMP 2139,0 B4 REF TEMP 0139,1 B4 REF TEMP 1139,2 B4 REF TEMP 2140,0 LO PRETUNE CONST 0140,1 LO PRETUNE CONST 1142,0 FEXT YTF DELAY SLOPE 0142,1 FEXT YTF DELAY SLOPE 1142,2 FEXT YTF DELAY SLOPE 2142,3 FEXT YTF DELAY SLOPE 3142,4 FEXT YTF DELAY SLOPE 4142,5 FEXT YTF DELAY SLOPE 5142,6 FEXT YTF DELAY SLOPE 6142,7 FEXT YTF DELAY SLOPE 7142,8 FEXT YTF DELAY SLOPE 8142,9 FEXT YTF DELAY SLOPE 9143,0 FEXT BREATHING ROOM 0143,1 FEXT BREATHING ROOM 1143,2 FEXT BREATHING ROOM 2143,3 FEXT BREATHING ROOM 3145,0 FEXT PULSE WIDTH145,1 FEXT SWEEP DWELL145,2 FEXT OVERTUNE FREQ145,3 FEXT OVERTUNE STATE145,4 FEXT MIX PULSE WIDTH145,5 FEXT MIX SWEEP DWELL145,6 FEXT MIX OVERTUNE FREQ145,7 FEXT MIX OVERTUNE STATE145,6 FEXT MIX OVERTUNE FREQ146,0 B5 REF TEMP 0146,1 B5 REF TEMP 1146,2 B5 REF TEMP 2147,0 EXT MIX REF TEMP 0147,1 EXT MIX REF TEMP 1147,2 EXT MIX REF TEMP 2
Perhaps with the community's help we can find out more on these units and work together on keeping them running going forwards. Best regards
|
This is a lot of work ! Congrats and thank you !? Ing. Patricio A. GrecoTaller Aeron¨¢utico de Reparaci¨®n 1B-349Organizaci¨®n de Mantenimiento Aeron¨¢utico de la Defensa OMAD-001Gral. Mart¨ªn Rodr¨ªguez 2159San Miguel (1663)Buenos AiresT:?+5411-4455-2557F:?+5411-4032-0072
toggle quoted message
Show quoted text
On 5 Jun 2022, at 17:00, Kalle Kempe <kalle.kempe@...> wrote:
?Hello Everyone, While working on my own E4407B I uncovered a few things. My own machine had an untuned YTF in the RYTHM which I have since successfully corrected. I discovered from the N7800 docs that no special equipment is used except an external synthesizer with great enough frequency range and a GPIB interface. I therefore set about looking for hidden commands for the SCPI interface. Here are some that I have found so far, with my own notes on format/function calls. Disclaimer: Using these commands can mess with your calibration data, making your unit worse. Please use with caution. SCPI Command Function call
DIAG:CAL:ADC?\n
DIAG:CAL? nnn,n\n GetStateEEPROM, nnn,n = address
DIAG:CAL nnn,n,xxx.yyy\n SetStateEEPROMData (RAM), nnn,n = address, xxx.yyy = new value
DIAG:CAL:BEG\n SetStateEEPROMBegin
DIAG:CAL:STOR %s\n SetStateEEPROMStore
DIAG:CAL:END\n SetStateEEPROMEnd
DIAG:CAL:SOUR?\n GetStateCalSource
DIAG:CAL:SOUR %s\n SetStateCalSource
SYST:PASS %s\n SetStatePassword
DIAG:CAL:PIECE %s\n SetStateUpdate
DIAG:OPT %s\n SetStateEEPROMOption
DIAG:PARK:LO?\n GetStateParkLO
DIAG:PARK:LO %d\n SetStateParkLO
DIAG:CARD? %s\n GetStateInformation
DIAG:TEMP? %s\n GetStateTemperature
DIAG:LATC:VAL %f\n SetStateRAM
DIAG:LATC:SEL %s\n
DIAG:LATC:VAL?\nGetStateRAM
In addition, I have started mapping out the address space accessible with the DIAG:CAL? nnn,n command. Here a few of the addresses and their corresponding register contents
Addr: Keyword:43,0 TG CAL OFFSET43,1 TG CAL SLOPE111,0 IF CAL LEVEL112,0 RF CAL LEVEL112,0 112,1 50 MHZ CAL ADJUST DAC (EEPROM)?113,0 COARSE SET FREQ REF113,1 FINE SET FREQ REF114,0 LO LEVEL DAC (EEPROM)115,0 COARSE RF GAIN DAC120,0 BITG LO LEVEL DAC (EEPROM)121,0 TG CORNER122,0 TG MOD OFFSET123,0 TG GAIN124,0 TG A OFFSET124,1 TG LB OFFSET124,2 TG A SLOPE125,0 TG X OFFSET125,1 TG X SLOPE126,0 TG F SLOPE131,0 FEXT B1 LO LEVEL DAC131,1 FEXT B2 LO LEVEL DAC131,2 FEXT B3 LO LEVEL DAC131,3 FEXT B4 LO LEVEL DAC131,4 FEXT TG LO LEVEL DAC131,5 FEXT B5 LO LEVEL DAC131,6 FEXT MIX LO LEVEL DAC132,0 YTF TUNE A0132,1 YTF TUNE A1132,2 YTF TUNE A2132,3 YTF TUNE A3132,4 YTF TUNE EXT 0132,5 YTF TUNE EXT 1132,6 YTF TUNE EXT 2132,7 YTF TUNE EXT 3133,0 FEXT YTF DELAY OFFSET 0133,1 FEXT YTF DELAY OFFSET 1133,2 FEXT YTF DELAY OFFSET 2133,3 FEXT YTF DELAY OFFSET 3133,4 FEXT YTF DELAY OFFSET 4133,5 FEXT YTF DELAY OFFSET 5133,6 FEXT YTF DELAY OFFSET 6133,7 FEXT YTF DELAY OFFSET 7133,8 FEXT YTF DELAY OFFSET 8133,9 FEXT YTF DELAY OFFSET 9134,0 B0 REF TEMP PA OFF 0134,1 B0 REF TEMP PA OFF 1134,2 B0 REF TEMP PA OFF 2135,0 B0 REF TEMP PA ON 0135,1 B0 REF TEMP PA ON 1135,2 B0 REF TEMP PA ON 2136,0 B1 REF TEMP 0136,1 B1 REF TEMP 1136,2 B1 REF TEMP 2137,0 B2 REF TEMP 0137,1 B2 REF TEMP 1137,2 B2 REF TEMP 2138,0 B3 REF TEMP 0138,1 B3 REF TEMP 1138,2 B3 REF TEMP 2139,0 B4 REF TEMP 0139,1 B4 REF TEMP 1139,2 B4 REF TEMP 2140,0 LO PRETUNE CONST 0140,1 LO PRETUNE CONST 1142,0 FEXT YTF DELAY SLOPE 0142,1 FEXT YTF DELAY SLOPE 1142,2 FEXT YTF DELAY SLOPE 2142,3 FEXT YTF DELAY SLOPE 3142,4 FEXT YTF DELAY SLOPE 4142,5 FEXT YTF DELAY SLOPE 5142,6 FEXT YTF DELAY SLOPE 6142,7 FEXT YTF DELAY SLOPE 7142,8 FEXT YTF DELAY SLOPE 8142,9 FEXT YTF DELAY SLOPE 9143,0 FEXT BREATHING ROOM 0143,1 FEXT BREATHING ROOM 1143,2 FEXT BREATHING ROOM 2143,3 FEXT BREATHING ROOM 3145,0 FEXT PULSE WIDTH145,1 FEXT SWEEP DWELL145,2 FEXT OVERTUNE FREQ145,3 FEXT OVERTUNE STATE145,4 FEXT MIX PULSE WIDTH145,5 FEXT MIX SWEEP DWELL145,6 FEXT MIX OVERTUNE FREQ145,7 FEXT MIX OVERTUNE STATE145,6 FEXT MIX OVERTUNE FREQ146,0 B5 REF TEMP 0146,1 B5 REF TEMP 1146,2 B5 REF TEMP 2147,0 EXT MIX REF TEMP 0147,1 EXT MIX REF TEMP 1147,2 EXT MIX REF TEMP 2
Perhaps with the community's help we can find out more on these units and work together on keeping them running going forwards. Best regards
|
Hi Kalle.
This is fantastic work.? ?
When I was working on hacking the E4407B one thing I was looking for was the SCPI commands but could never find them.
Did you find these on the E4407B or did you find them in the looking at N7800?files?
I really hope we can find a way to be able to do a cal.? personally I'd like to cal my TG as I think that it needs it?
If I can help on this I'm more than will.
Sandra
|
Hi Sandra
I couldn't resist? though I'm pretty sure you are not related to me.? I am Robert Carroll and was raised starting in 1945 in East Point, GA.? I went to Georgia Tech through my Masters and thanks to the draft was inducted into the USAF and was assigned to intelligence work and development of false target repeaters to protect the B-52 bombers.? ?And there I was frequently using HP equipment at Wright Patterson Air Force Base. And though now an ancient one, I still use HP equipment in connection with my Ham Radio.
Robert Carroll (w2wg now in Cobb County, GA.)
Sent from my Verizon, Samsung Galaxy smartphone
toggle quoted message
Show quoted text
-------- Original message -------- From: Sandra Carroll <smgvbest@...> Date: 6/5/22 9:36 PM (GMT-05:00) Subject: Re: [HP-Agilent-Keysight-equipment] ESA instrument adjustments - reverse engineering
Hi Kalle. This is fantastic work.? ? When I was working on hacking the E4407B one thing I was looking for was the SCPI commands but could never find them. Did you find these on the E4407B or did you find them in the looking at N7800?files? I really hope we can find a way to be able to do a cal.? personally I'd like to cal my TG as I think that it needs it? If I can help on this I'm more than will. Sandra
|
It would be desirable to catalog those commands so they can be analyzed and further documented and eventually be used in creating some calibration routines that can be used by people !
Let me however render some words of caution :?
Keysight/agilent has chosen the path of not to provide service software any longer for a very good reason and to put it simple its all about MONEY !
Used to service was purely auxiliary now it¡¯s a profit center , keysight wants to keep their service centers busy and they want to control end of life of their equipment , if the analyzer requires software to do adjustments and you don¡¯t
have the software than you cant fix the unit period !? when it was still available the N7800A software was very expensive , If I remember correctly the framework was $7500 and then you had to pay for the different support modules separately , once you shilled
out the $? you needed very specific test equipment which set you back another 100-200K depending on what you wanted to run ¡¡..? after a little while they stopped issuing licenses altogether and only made them available to big corporate self supporters !
Having said this keysight may not take kindly to the information becoming public and may undertake measures to deter the effort , therefore I strongly suggest not to use any techniques to extract the information that could be interpreted
as reverse engineering or hacking
?
toggle quoted message
Show quoted text
From: [email protected] < [email protected]>
On Behalf Of Sandra Carroll via groups.io
Sent: Sunday, June 5, 2022 8:37 PM
To: [email protected]
Subject: Re: [HP-Agilent-Keysight-equipment] ESA instrument adjustments - reverse engineering
?
Hi Kalle.
This is fantastic work.? ?
When I was working on hacking the E4407B one thing I was looking for was the SCPI commands but could never find them.
Did you find these on the E4407B or did you find them in the looking at N7800?files?
I really hope we can find a way to be able to do a cal.? personally I'd like to cal my TG as I think that it needs it?
If I can help on this I'm more than will.
Sandra
|
Hi Robert,? Can't blame you,? I would have done the same and yeh probably not related though I do have some family in GA but most is in TN in the tri-cities area.? ?My Uncle Dave was there in GA and ran a business making Monitors used at airports.? ?My Father was also in the USAF in the 1155th Techops division based in Sacramento CA. where I grew up.? ?I do know the Carroll family had a split back in Ireland so there's now 2 clans of Carroll's.? ?mine was the one that split off as I understand it.? ?My best friend back in CA was Joe Carroll,? ?we had a blast teasing people we were related but we weren't
Sandra Carroll
|
Yep,? exact reason for us to do work like this.
Several of us on a repair thread I had for the SRS PS350 High Voltage Supply ended up decoding the Roms and came up with a cal procedure as SRS gave no other way of doing it.
Would it be worth starting a EEVBLOG Thread there for this,? ?I know it made work there on both the PS350 and the E4407B allot easier to collaborate?
it's up to the OP of course so just a suggestion,? ?I'll gladly do what I can?
|
Hi regarding the EEVBLOG? although I do go on it but I find it difficult to track messages also I haven¡¯t found any storage space So I believe if it is ?HP/ Keysight? then this site should provide the best solution ? Regards Paul ?
toggle quoted message
Show quoted text
From: [email protected] [mailto:[email protected]] On Behalf Of Sandra Carroll
Sent: 06 June 2022 15:40
To: [email protected]
Subject: Re: [HP-Agilent-Keysight-equipment] ESA instrument adjustments - reverse engineering ? Yep,? exact reason for us to do work like this.
Several of us on a repair thread I had for the SRS PS350 High Voltage Supply ended up decoding the Roms and came up with a cal procedure as SRS gave no other way of doing it.
Would it be worth starting a EEVBLOG Thread there for this,? ?I know it made work there on both the PS350 and the E4407B allot easier to collaborate?
it's up to the OP of course so just a suggestion,? ?I'll gladly do what I can?
|
interesting,? we've done some rather complex stuff there without any issues and posting a message in a thread automatically subscribes you.? or you can manually subscribe to a thread.
Everything is stored in the thread and images/files can be uploaded locally or shared from any of the online storage sites.
I use my google drive personally unless I want it to remain in the thread
Once a solution is found it can be posted here of course with all related materials
here's a thread we worked that I mentioned
I just find the collaboration that goes on there extremely good
but whatever the OP wants
|
I agree with Sandra, there is a huge amount of collaboration on EEVBlog, following a thread is easy once you click on "notify" While there is not a dedicated storage space, files are attached to the poster's reply so it keeps the uploaded file in context with the reply.
Just my thoughts.........
|
Agreed that the EEVBlog forums are more active with this sort of thing.
As you have already guessed, I wanted to post here since this group is "dedicated" to HP/Agilent/Keysight stuff.
I will cross-post over to the EEVBlog and we'll see how it turns out.
|
I posted over at the EEVBlog here:
Let's see what happens :D
Best regards
|
I will hop on and do what I can to assist.?
Sandra?
|
The full link is:-
Don't forget that trailing '/' char!
(Without it, results in a 404 error.)
Regards.
??? Dave G8KBV
--
Created on and sent from a Unix like PC running and using free and open source software:
|
Thanks Dave,
I'm shamelessly bumping this topic for those interested.
Over at the EEVBLOG thread:
I recently posted a description of how to adjust your preselector YTF on the E44xx instruments
I posted a scan of all registers between 0 - 1000
Other participants are doing some intense thinking on how to give the thread proper attention and retention of the findings.
Best regards
|
HELP!
I've managed to write some code to do this (YTF tune) BUT am stuck on the saving to EEPROM part. None of the SCPI commands seem to work. I get errors like "invalid parameter".
I'm doing this:
DIAG:CAL:BEG (no error)
DIAG:CAL:STOR 132,0 (error)
DIAG:CAL:END (never gets here)
Have tried variations of DIAG:CAL:STOR but all get errors.
Has anyone cracked this???
On the ESG for example, the write to RAM uses different registers (address) than storing to EEPROM.
So maybe the EEPROM is NOT address 132???
Mark
|
CRICKETS!
More info:
DIAG:CAL:STOR 132,n --> error -108, "parameter not allowed" (doesn't like the extra parameter)
DIAG:CAL:STOR 132 --> error -310, "system error" (EEPROM locked?)
Looked at my ESG code and that similar: writes to RAM (CAL nnn,n, xxx.yyy)
Then unlocks EEPROM (CAL:BEG) and stores the entire register (CAL:STOR nnn)
So I think it's close. What am I missing?!
I am having my YIG filter realigned and really need to get this working. Don't want to compute/load new values every time I want the use the SA!
Please and thank you.
Mark
|
SOLVED!
Discovered that DIAG:CAL:BEGIN caused the issue. Without that, it saves to EEPROM w/o error.
Go figure!
Now my YIG Filter Tune program works just fine.
Mark
|
Patricio A. Greco
Paul Bicknell