Author Topic: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?  (Read 294321 times)


Offline alex.forencich

  • Frequent Contributor
  • **
  • Posts: 397
  • Country: us
    • Alex Forencich
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #225 on: March 28, 2014, 03:32:42 am »
Could someone summarize how to enable the licensable options? I've read all posts in the thread and get the feeling this is possible but not how it's done. Thanks!

The less risky method is performed over telnet.  This is very simple to implement, and all you need is an ethernet cable:

Use telnet to connect to the instrument on port 5810 (telnet <ip> 5810) with username 'panther' and password 'pictures'. 

At ->, type cmd and press enter.  Then type mem modify -w 1 0x009A2187 and press enter.  Then type 0x01 and press enter.  Then type . and press enter.  It should look like this:

-> cmd
[vxWorks]# mem modify -w 1 0x009A2187
0x009a2187:  0x00-0x01
0x009a2188:  0x00-.

Then, on the scope, press utility -> options -> licenses -> options, enable 'service mode' and 'all licenses'.  Turn the scope off and back on again.  Check that the licenses are now enabled. 
Python-based instrument control: Python IVI, Python VXI-11, Python USBTMC
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13998
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #226 on: March 28, 2014, 08:43:31 am »
Could someone summarize how to enable the licensable options? I've read all posts in the thread and get the feeling this is possible but not how it's done. Thanks!

The less risky method is performed over telnet.  This is very simple to implement, and all you need is an ethernet cable:

Use telnet to connect to the instrument on port 5810 (telnet <ip> 5810) with username 'panther' and password 'pictures'. 

At ->, type cmd and press enter.  Then type mem modify -w 1 0x009A2187 and press enter.  Then type 0x01 and press enter.  Then type . and press enter.  It should look like this:

-> cmd
[vxWorks]# mem modify -w 1 0x009A2187
0x009a2187:  0x00-0x01
0x009a2188:  0x00-.

Then, on the scope, press utility -> options -> licenses -> options, enable 'service mode' and 'all licenses'.  Turn the scope off and back on again.  Check that the licenses are now enabled.
Is this the same for 5/6000 and 7000?

I wonder if there is some "hidden" way to enable service mode from the front panel.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 837
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #227 on: March 28, 2014, 09:42:43 am »
Some drawbacks:
- FMS, BAT, FRS, TEL, 1MV, TOM, CIR features are not enabled by "ALL"
- the address is version dependent, this one will not work on 5k/6k

If somebody wants to go the ServiceMode way, there is a more portable way: execute setServiceMode(1) in the C mode console ("->" prompt). But, as was discussed already, there is no danger in patching sys.bin - we are not touching the bootloader, where the "emergency" restore lives.
 

Offline euzer

  • Contributor
  • Posts: 47
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #228 on: March 28, 2014, 10:41:22 am »
Could someone summarize how to enable the licensable options? I've read all posts in the thread and get the feeling this is possible but not how it's done. Thanks!

Download the sys6000 or sys7000 v06.16.001 update file from Agilent's website (5000 and 6000 both use sys6000)
Download packjzp and unjzp tools from here

Unpack to a binary using unjzp , and use a hex editor to make the following changes

sys6000.bin 06.16.0001:
002E7B80: 94 21 F8 E0 7C 08 02 A6 -> change to -> 38 60 00 00 4E 80 00 20

sys7000A.bin 06.16.0001:
002E7C60: 94 21 F8 E0 7C 08 02 A6 -> change to -> 38 60 00 00 4E 80 00 20

save the edited version, and repack to .jzp using packjzp.

Note pack/unpack are quite slow - about a minute

Update the scope firmware with the new version

Then enable each license by entering the 3-letter license name, with all zeros as the rest of the key

Note that decodes only work on models with 4 analogue channels - it will refuse to install on 2-ch models and consensus is the decodes use some hardware that isn't present on 2ch models

Enjoy!
Excellent, thanks. Worked on DSO5014A and a DSO6012A.
I do wonder what the * next to the license codes signify when using ALL.
I can't see how to access the MSO functionality on the DSO5014A. the controls are probably staring me in the face though. The MSO on the DSO6012A seems Ok but haven't connected a cable up yet.
Out of interest what difference in code does the 8 bytes change?
Is the telnet method sticky between power cycles?
« Last Edit: March 31, 2014, 08:59:13 am by euzer »
 

Offline Hugoneus

  • Frequent Contributor
  • **
  • Posts: 958
  • Country: us
    • The Signal Path Video Blog
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #229 on: March 28, 2014, 04:27:25 pm »
Thank you.

Offline alex.forencich

  • Frequent Contributor
  • **
  • Posts: 397
  • Country: us
    • Alex Forencich
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #230 on: March 28, 2014, 08:35:33 pm »
Is the telnet method sticky between power cycles?

Yes, it is.  Otherwise it would be a bit of a pain.  The only thing you need to do is leave 'service mode' enabled.  If you turn that off, then the menu (and licenses) will go away and you'll need to enable the service menu via telnet again. 
Python-based instrument control: Python IVI, Python VXI-11, Python USBTMC
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #231 on: March 28, 2014, 08:37:48 pm »
Out of interest what difference in code does the 8 bytes change?
If I'm not mistaken.

94 21 F8 E0 -> stwu r1, -0x720(r1)
7C 08 02 A6 -> mflr r0

38 60 00 00 -> li r3, 0
4E 80 00 20 -> blr

This forces it to accept any license string (like XXX-000000000000-000000000).
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline alex.forencich

  • Frequent Contributor
  • **
  • Posts: 397
  • Country: us
    • Alex Forencich
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #232 on: March 28, 2014, 08:53:33 pm »
Some drawbacks:
- FMS, BAT, FRS, TEL, 1MV, TOM, CIR features are not enabled by "ALL"
- the address is version dependent, this one will not work on 5k/6k

If somebody wants to go the ServiceMode way, there is a more portable way: execute setServiceMode(1) in the C mode console ("->" prompt). But, as was discussed already, there is no danger in patching sys.bin - we are not touching the bootloader, where the "emergency" restore lives.

Well, now that is an even simpler method of enabling service mode.  Might be able to do the whole thing as a one-liner script. 

As for the patching method, I was unable to get that to work for some reason.  I am unsure why.  After attempting to install the patch, the scope did not reboot correctly and (after some consternation) I had to use the emergency recovery off of the flash drive with the original firmware. 
Python-based instrument control: Python IVI, Python VXI-11, Python USBTMC
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 837
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #233 on: March 28, 2014, 09:57:27 pm »
94 21 F8 E0 -> stwu r1, -0x720(r1)
7C 08 02 A6 -> mflr r0

38 60 00 00 -> li r3, 0
4E 80 00 20 -> blr
This patch changes the first bytes of the big code check function to a short "return 0". Result 0 means "code is ok" here.

After attempting to install the patch, the scope did not reboot correctly
Did you save/restore the jzp revision header string? Some tests show that it is important somehow. There is a 3rd parameter (revision.txt) to unjzp/packjzp for that. You can try unpacking then repacking an unmodified file first to verify your setup - the repacked file must match the original exactly, then proceed with patching.
Another possibility is that you were "lucky" to catch the very first packjzp version, which had several issues. The latest version (28 January commit) produces 100% correct files when used with 3 parameters.
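
As an added example (not code posted by anyone in this thread), a minimal decoder for the four PowerPC instruction words quoted above shows that the original bytes are an ordinary function prologue and the replacement is a two-instruction stub that loads 0 into r3, the PowerPC return-value register, and returns. It handles only the encodings that appear in these posts; the helper names are hypothetical.

```python
import struct

# mfspr SPR numbers that have simplified mnemonics (8 is the link register)
SPR_NAMES = {8: "mflr", 9: "mfctr"}


def _simm16(word):
    """Sign-extend the low 16 bits of a D-form instruction."""
    v = word & 0xFFFF
    return v - 0x10000 if v & 0x8000 else v


def _hex(v):
    return f"{'-' if v < 0 else ''}0x{abs(v):x}"


def decode(word):
    """Decode one 32-bit big-endian PowerPC word (small subset only)."""
    opcode = word >> 26
    rt = (word >> 21) & 31
    ra = (word >> 16) & 31
    xo = (word >> 1) & 0x3FF
    if opcode == 37:                       # stwu rS, d(rA): push a stack frame
        return f"stwu r{rt}, {_hex(_simm16(word))}(r{ra})"
    if opcode == 14:                       # addi; with rA = 0 it is "li"
        if ra == 0:
            return f"li r{rt}, {_simm16(word)}"
        return f"addi r{rt}, r{ra}, {_simm16(word)}"
    if opcode == 31 and xo == 339:         # mfspr; SPR field halves are swapped
        f = (word >> 11) & 0x3FF
        spr = ((f & 31) << 5) | (f >> 5)
        name = SPR_NAMES.get(spr)
        return f"{name} r{rt}" if name else f"mfspr r{rt}, {spr}"
    if opcode == 19 and xo == 16:          # bclr; BO=20, BI=0, LK=0 is "blr"
        lk = word & 1
        if rt == 20 and ra == 0 and not lk:
            return "blr"
        return f"bclr{'l' if lk else ''} {rt}, {ra}"
    return f".long 0x{word:08x}"           # anything else: show the raw word


def disassemble(hex_bytes):
    """Decode a space-separated hex string of big-endian instruction words."""
    raw = bytes.fromhex(hex_bytes)
    words = struct.unpack(f">{len(raw) // 4}I", raw)
    return [decode(w) for w in words]


def returns_constant(insns):
    """True if the sequence starts with 'li r3, N; blr' (unconditional return)."""
    return len(insns) >= 2 and insns[0].startswith("li r3, ") and insns[1] == "blr"


ORIGINAL = "94 21 F8 E0 7C 08 02 A6"   # bytes quoted in the thread (before)
PATCHED = "38 60 00 00 4E 80 00 20"    # bytes quoted in the thread (after)

if __name__ == "__main__":
    print(disassemble(ORIGINAL), returns_constant(disassemble(ORIGINAL)))
    print(disassemble(PATCHED), returns_constant(disassemble(PATCHED)))
```
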
 

Offline alex.forencich

  • Frequent Contributor
  • **
  • Posts: 397
  • Country: us
    • Alex Forencich
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #234 on: March 28, 2014, 10:09:44 pm »
94 21 F8 E0 -> stwu r1, -0x720(r1)
7C 08 02 A6 -> mflr r0

38 60 00 00 -> li r3, 0
4E 80 00 20 -> blr
This patch changes the first bytes of the big code check function to a short "return 0". Result 0 means "code is ok" here.

After attempting to install the patch, the scope did not reboot correctly
Did you save/restore the jzp revision header string? Some tests show that it is important somehow. There is a 3rd parameter (revision.txt) to unjzp/packjzp for that. You can try unpacking then repacking an unmodified file first to verify your setup - the repacked file must match the original exactly, then proceed with patching.
Another possibility is that you were "lucky" to catch the very first packjzp version, which had several issues. The latest version (28 January commit) produces 100% correct files when used with 3 parameters.

I did save and restore the version information, IIRC.  Also, I had to make a couple of minor changes to a couple of the source files to get it to compile on my computer (Arch Linux).  I don't think these would have affected the operation of the program, though. 

Python-based instrument control: Python IVI, Python VXI-11, Python USBTMC
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13998
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #235 on: March 28, 2014, 10:31:41 pm »
Excellent, thanks. Worked on DSO5014A and a DSO6012A.
I do wonder what the * next to the license codes signify when using ALL.
I would assume it just indicates that it is "temporary" and not an installed license
Quote
I can't see how to access the MSO functionally on the DSO5014A. the controls are probably staring me in the face though.
That would be because there is no MSO variant of the 5000 series - that is the main (only?) difference between 5000 and 6000
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline alex.forencich

  • Frequent Contributor
  • **
  • Posts: 397
  • Country: us
    • Alex Forencich
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #236 on: March 28, 2014, 11:06:51 pm »
Excellent, thanks. Worked on DSO5014A and a DSO6012A.
I do wonder what the * next to the license codes signify when using ALL.
I would assume it just indicates that it is "temporary" and not an installed license

That sounds about right to me.  Anything that the 'all licenses' option enables has a * after it, but everything that was installed separately does not.  For example, one scope that I enabled this on has segmented memory installed, and it appears as SGM.  The other scope does not, and it appears as SGM*. 
Python-based instrument control: Python IVI, Python VXI-11, Python USBTMC
 

Offline euzer

  • Contributor
  • Posts: 47
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #237 on: March 31, 2014, 02:50:04 pm »
Can anyone report what the DIS and DSW distributor package options do?
The 1MV code seems to allow a vertical resolution of 10mV/div rather than 1mV.
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 837
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #238 on: March 31, 2014, 03:26:17 pm »
euzer, both DIS and DSW are just bundles of other features.
DSW: LSS, AMS, 232, SGM
DIS:   LSS, AMS, 232, SGM, LMT, FRC, SND, FLX, 553
 

Offline alex.forencich

  • Frequent Contributor
  • **
  • Posts: 397
  • Country: us
    • Alex Forencich
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #239 on: April 01, 2014, 03:49:15 am »
euzer, both DIS and DSW are just bundles of other features.
DSW: LSS, AMS, 232, SGM
DIS:   LSS, AMS, 232, SGM, LMT, FRC, SND, FLX, 553

I have not looked into this in depth, but I think one of these two also activates the 'demo' menu that appears on the power-up menu and the utility menu.  This menu appeared after enabling 'all licenses' on my scope. 
Python-based instrument control: Python IVI, Python VXI-11, Python USBTMC
 

Offline euzer

  • Contributor
  • Posts: 47
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #240 on: April 01, 2014, 10:12:38 am »
Quote
I can't see how to access the MSO functionally on the DSO5014A. the controls are probably staring me in the face though.
That would be because there is no MSO variant of the 5000 series - that is the main (only?) difference between 5000 and 6000
I think you're right. They look to have the same front fascias and there's a label to the right hand side of the screen on the 5000 masking the holes where the digital controls would be on the 6000.
 

Offline bg8up

  • Contributor
  • Posts: 16
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #241 on: April 06, 2014, 12:30:04 am »
BW is limited in factorycal.dat and signal path hardware?

There are two hardware versions: 546xx-66510 is old (1NB7-84XX applied), 546xx-66410 is new, which came after 2009 (2AD2-000X applied).

On the new platform, which uses 2AD2, 70-200 is the same signal path, and 300-500 is the same path.

In the pictures, upper is 7104, below is 7054.

 
 

Offline Sailor

  • Regular Contributor
  • *
  • Posts: 170
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #242 on: April 17, 2014, 02:31:04 pm »
@alex.forencich
Quote
Here is how you enable the service menu:

telnet <ip> 5810
username panther
password pictures

-> cmd
[vxWorks]# mem modify -w 1 0x009A2187
0x009a2187:  0x00-0x01
0x009a2188:  0x00-.

utility -> options -> licenses -> options
enable 'service mode', 'all licenses', and 'mso'
reboot scope

I have tried this on my MSO7054B, but it doesn't alter the menus on the scope i.e. utility -> options -> licenses shows the standard menu i.e. Spell, Enter, Apply (greyed out), and Show license information (and the all-zeros license number waiting to be entered). I double-checked by re-entering the mem modify -w 1 0x009A2187 again, and it returned 0x009a2187:  0x01-, so it had evidently entered correctly the first time. I powered the scope off and on and re-connected to VxWorks again. 0x009a2187 again returned 0x00, so it looks like the 0x01 didn't stick through the power cycle (should it have?), and I am beginning to wonder if that address is perhaps not correct for my scope. The About Oscilloscope screen shows:

System version 06.15.0001
Language version 06.15 Oct 5 2010, 08:07:47
Library version 02.25
Graphics version 01.46

The version info from the C shell is:

-> version
VxWorks (for Agilent KOM PPC405, SA27E rev1) version 6.4.
Kernel: WIND version 2.10.
Made on Oct 15 2010, 11:26:58.
Boot line:
tffs;usb(0,0)boot:sys7000A f=0x8 o=emac0
value = 52 = 0x34 = '4'
->

Do you have any suggestions?

 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #243 on: April 17, 2014, 04:52:44 pm »
@ Sailor

If somebody wants to go the ServiceMode way, there is a more portable way: execute setServiceMode(1) in the C mode console ("->" prompt). But, as was discussed already, there is no danger in patching sys.bin - we are not touching the bootloader, where the "emergency" restore lives.

But better first:

Download the sys6000 or sys7000 v06.16.001 update file from Agilent's website (5000 and 6000 both use sys6000)
« Last Edit: April 17, 2014, 05:14:57 pm by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline Sailor

  • Regular Contributor
  • *
  • Posts: 170
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #244 on: April 18, 2014, 12:16:10 am »
Jeeez, how did I miss that? Thank you so much, and all others involved in this great work.  :-+
 

Offline euzer

  • Contributor
  • Posts: 47
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #245 on: June 10, 2014, 03:27:56 pm »
Is there a proven way to increase the bandwidth of a DSO5014A from 100MHz to 300MHz with a hardware and/or firmware mod? And if so how's it done? TIA.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13998
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #246 on: June 10, 2014, 03:30:48 pm »
Is there a proven way to increase the bandwidth of a DSO5014A from 100MHz to 300MHz with a hardware and/or firmware mod? And if so how's it done? TIA.
No - the hardware is completely different
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline euzer

  • Contributor
  • Posts: 47
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #247 on: June 10, 2014, 03:50:12 pm »
Is there a proven way to increase the bandwidth of a DSO5014A from 100MHz to 300MHz with a hardware and/or firmware mod? And if so how's it done? TIA.
No - the hardware is completely different
Thanks. I presume that will also be true for a DSO6014A BW increase also?
 

Offline HighVoltage

  • Super Contributor
  • ***
  • Posts: 5547
  • Country: de
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #248 on: June 24, 2014, 10:04:16 pm »
Today I tested the information in this thread on my 7000 Series scope.
Thanks to the people in this thread, I was able to activate all licenses.
A big thank you to all the people who made this happen.
I did this just for fun and entertainment.





« Last Edit: June 24, 2014, 10:05:47 pm by HighVoltage »
There are 3 kinds of people in this world, those who can count and those who can not.
 

Offline manorth

  • Supporter
  • ****
  • Posts: 1
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #249 on: July 22, 2014, 11:24:55 pm »
Time to open 9000/90000 thread? :)

I'd love to start working on 9000/90000 hacks, I own 2 MSO9104A scopes. Also we repair 9000 and 90000 series scopes.
 

