HDT debugger: Info wanted.

[ElroyJetson]

Does anyone have any documentation or information regarding the use of the HDT debugger that's built into many M/A-Com radios?

I can get into HDT mode with HyperTerminal but I'm not messing with any data until I understand
what I'm looking at, what the commands are, and how they affect the radio.

If there's a resource of data somewhere about the HDT debugger, I'd like to know about it.


Elroy

 

[HarrisRF]

create an Sc4 file with this in it...

USERIO /f /b3 /=01

good luck!

 

[EnidPuceflange]

create an Sc4 file with this in it...

USERIO /f /b3 /=01

good luck!

What does this do? And on which radio?

Does anyone have any documentation or information regarding the use of the HDT debugger that's built into many M/A-Com radios?

I can get into HDT mode with HyperTerminal but I'm not messing with any data until I understand
what I'm looking at, what the commands are, and how they affect the radio.

If there's a resource of data somewhere about the HDT debugger, I'd like to know about it.


Elroy

OK, first some history. HDT is an engineering debugging feature, that has been part of the M/A Com/Tyco/Comnet/Ericsson/GE radio software since the early days of the MR/K and Orion. It was only there in a debug build, however, so it ISN'T normally available without a special build of code for MR/K,LPE and Orion. Jaguar 700p onward the use of a debug build was done away with and all radios from that point on support it.

To turn it on, you have to disable data (they share the same serial port so it's one or the other, not both). You can tell that you've got it right, when you connect to the radio using a programming cable (19200baud,1stop bit, no parity) and you hit return a few times you should get a * prompt.

? gives a list of commands (not the whole lot, but the most commonly used ones) and the command "sym *" will list what symbols the radio understands.

The commands differ based on radio type - the P7200 is different to the P7100, for example. There is no documentation, simply because the engineers in Lynchburg use it to try stuff out, provide test commands and so on.

One of the most commonly used commands involves logging - the software is capable of logging certain events and data and printing it out for later debugging. TAC asked in the past to give a DSP trace which used the command:

eb drv_dsp 6

Then after a little while, I dumped the data out using the l command (lower case L) - you should get a bunch of hex data.

On the latest radios (the P5400 was what I used) there's a handy command "ps" which displays the adjacent systems, and their RF levels every 3 seconds. It's great for troubleshooting network issues.

Hope this helps,
Enid

 

[ElroyJetson]

I've been playing with it and it's very easy to dump entire blocks of data in memory with it. It can take a while to do a complete dump on a 2 MB flash memory chip, but it's simple to do it. It dumps as opcodes and hex data. Someone who can read pure assembly and knew the chipset language would have a field day with this.

My suspicion is that it could be used as a way to clone personality info from one radio to another, without having to use ProGrammer or RPM. Dump the eprom contents and write them to another radio. Would it work without additional tweaking? I just don't know.


Elroy

 

[EnidPuceflange]

I've been playing with it and it's very easy to dump entire blocks of data in memory with it. It can take a while to do a complete dump on a 2 MB flash memory chip, but it's simple to do it. It dumps as opcodes and hex data. Someone who can read pure assembly and knew the chipset language would have a field day with this.

My suspicion is that it could be used as a way to clone personality info from one radio to another, without having to use ProGrammer or RPM. Dump the eprom contents and write them to another radio. Would it work without additional tweaking? I just don't know.


Elroy

Well, I guess you COULD do this - but be aware that the personality is in 2 sections, the flash part and the EE part, and the EE part is intertwined around the tracking data, the factory data and the feature string. You'd have a hard time erasing the flash section in the target radio though. However, it's MUCH easier using RPM or ProGrammer

 

[HarrisRF]

Yeah, sorry Elroy, theres no documentation. BUT it sounds like you guys are well on your way. good luck!

 

[mitaux8030]

...HDT is an engineering debugging feature, that has been part of the M/A Com/Tyco/Comnet/Ericsson/GE radio software since the early days of the MR/K and Orion. It was only there in a debug build, however, so it ISN'T normally available without a special build of code for MR/K,LPE and Orion.

MR-K & Orion I knew about the test load xxT23n99.bin, but in the LPE wasn't it just a "LPE diagnostic mode" check box and then connect using a terminal program? Or did that only give a limited HDT command set?

 

[ElroyJetson]

I'm still playing with MDT and HyperTerminal. Learning a few little things here and there, but nothing really earth shattering yet. Dumping memory as longs yields some readable clues to what's going on in there.

What's the fastest baud rate the radio will support? A 1 megabyte dump at 19,200 baud is an all night job. I'd like to run as fast as the radio allows, and hopefully that's a lot faster than 19.2.

If it will go faster, what's the configuration command to increase the baud rate?

Elroy

 

[ElroyJetson]

I've also discovered that you can't use the ribless keyloader/programming cable in HDT mode, not on a Jaguar or 7100 series radio, anyway. I don't have the ribless non-keyloader type programming cable
so I don't know about that one, but HDT access works fine when using the regular programming
cable with the TQ3370 interface box.

Elroy

 

[flecom]

I've also discovered that you can't use the ribless keyloader/programming cable in HDT mode, not on a Jaguar or 7100 series radio, anyway. I don't have the ribless non-keyloader type programming cable
so I don't know about that one, but HDT access works fine when using the regular programming
cable with the TQ3370 interface box.

Elroy

ive used the ribless serial cable on a 7200 to play with the console... was just typing in random things until i found some interesting menus... ended up trashing the radio pretty good lol

defiantely worth exploring...

i wonder if when the M-RK/Orions finally retire we can bribe someone for the flash source-code lol

 

[ElroyJetson]

Just use the DIS command with a start address and an end address and you get raw disassembled opcodes and addresses. If you know someone who speaks assembly, this would be the keys to the entire kingdom.

Elroy

 

[flecom]

Just use the DIS command with a start address and an end address and you get raw disassembled opcodes and addresses. If you know someone who speaks assembly, this would be the keys to the entire kingdom.

Elroy

hrmm, is this with any radio? or just like the newer 7200 series etc?

if this will work on an orion/m-rk i definately have some people that speak assembly pretty hardcore actually

 

[ElroyJetson]

7100 for sure. I haven't tried it on other platforms yet. The DIS command was right there to see in the command list.

Elroy