Author Topic: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?  (Read 1249212 times)

0 Members and 8 Guests are viewing this topic.

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5411
  • Country: gb
Regarding the timebase quadrature encoder on the MSOX3000A, is it just mine/me, or does this very frequently miss clicks? It's my only irritation in an otherwise slick UI. Other knobs work fine.

In comparison, the MSO7000B and 54642D are perfect in this respect. Even the Tek MDO3000, renowned for its sedentary nature, doesn't actually miss QE inputs, although it might take a while to respond.
I have an MSOX3104A and the timebase encoder gradually got worse over time with missing clicks.  At about 2.5 years old it was so bad I sent it back to Agilent for repair.  They confirmed the problem and replaced the encoder.  Plus refreshed the cal (that was nice since I wasn't expecting it.)

The encoder replacement was almost 3 years ago and now it's getting bad again.  Fortunately I have a service agreement, but I think it will be going back again within the next couple of months.

Mine's still under its three year warranty, but I can't be bothered with the effort of sending it back, plus there's also the minor gratification of resolving myself. I am sure if it were someone else's company's scope I'd be doing a return but as I'm a one man band I don't mind having a go.

I looked at the service manual just before I started, looks like tere are no user serviceable parts, even at the module/board level, in Keysight's eyes.
 
The following users thanked this post: Andrew

Offline JeffreyLatter

  • Contributor
  • Posts: 28
  • Country: dk
  • Electronics Technician
Regarding the permanent mod on the 3000T series - Anyone managed succesfully to edit/replace files inside the nk.bin file?

BTW - Big thank you to all, who made these mods and discoveries available to us all!  :-+
 
The following users thanked this post: Andrew

Offline bigeblis

  • Contributor
  • Posts: 40
  • Country: cn
Today, when using the DSOX3012A measurement, inadvertently found that the signal input to the instrument more than 2Vpp, the offset will be too large when the wrong waveform. Specific settings and waveform parameters see figure.
Because my oscilloscope is MOD after upgrading the bandwidth, it can not confirm the BUG will not be the result of MOD. Have the original machine friends, you can test it?

English is not my mother tongue, so it may be bad to understand?
 
The following users thanked this post: Andrew

Offline bigeblis

  • Contributor
  • Posts: 40
  • Country: cn
After I repeatedly tested, the key is the vertical sensitivity is equal to less than 200mV, the input signal amplitude is greater than 1.3Vpp, and then as long as the waveform is offset by a certain value, it will be seriously distorted.
« Last Edit: July 18, 2017, 01:26:20 pm by bigeblis »
 
The following users thanked this post: Andrew

Offline georges80

  • Frequent Contributor
  • **
  • Posts: 929
  • Country: us
After I repeatedly tested, the key is the vertical sensitivity is equal to less than 200mV, the input signal amplitude is greater than 1.3Vpp, and then as long as the waveform is offset by a certain value, it will be seriously distorted.

The scope is warning you that you have CLIPPED the signal.  You are overloading the input of the scope by having a signal that is a greater voltage span (including your offset adjustment) than the range of the input circuitry.

This is a common mistake folk make that aren't aware of the scope's input working range.

cheers,
george.
 
The following users thanked this post: Andrew

Offline bigeblis

  • Contributor
  • Posts: 40
  • Country: cn
Agilent is the same explanation.
But with such a setting to observe the bottom of the waveform details are very common operation, Tektronix models do not have such a problem.
« Last Edit: July 19, 2017, 01:04:48 pm by bigeblis »
 
The following users thanked this post: Andrew

Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru
Comrades,

Can anybody tell me is there exist patched version of infiniiVisionCore.dll for 2.42 DSOX3000A or something for fix LAN problem. It seems like this lib is not used in this firmware. I can't found it in the scope (in any places). And with unpacked one from 2.42 fw file I get critical error while loading scope with restart scope. Even with unpatched version.

And by some reason I put it not to Program Files/infiniivision/ only and to /secure section also and get cyclic restarting scope  :palm:

u-boot via CELoader and other "shaman medicines" did not help for me unfortunately (thanks guys for all advices in this mater). Seems like reloading kernel do not rewrite nand (think /secure section here)

Fortunately scope restarted cyclically and in shot time (several seconds) telnet server was started. I wrote macro for ttempro with log/pass and del infiniiVisionCore.dll from /secure. And it help for me (and spend about 6 hours) :D

So, best way for test - load only to Program Files which reloaded in each start.

Edit:

infiniiVisionCore.dll in \Windows folder and I can't copy it. When I try extract it from kernel files it doesn't work at all even unpatched. infiniiVisionCore.dll from v2.41 extracted by the same way worked normally.

Just tried patched infiniiVisionCore.dll from 2.41 - work good with 2.42 on my DSO3000 (but v2.41 in About and Web Interface and Probe only x0.1 :-[)
« Last Edit: July 29, 2017, 11:57:47 pm by Safar »
 
The following users thanked this post: Andrew

Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru
I looked inside 2.42 and 2.41 NK.bin (or nb0) and found that difference is infiniiVisionCore.dll packed as "File" in 2.41 and as "Module" in 2.42. Files can be extracted normally and they have allocation table for normal run in each place, but Module don't have, it builded to specific address in ROM and contain several section (code, data, tables etc) in different addresses in ROM. Beside extracting it from ROM it is need to make allocation table.

This reason that extracted file infiniiVisionCore.dll from 2.42 image don't work and that I described in prev post
 
The following users thanked this post: Andrew

Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru
Hi,

I maked patch for infiniiVisionCore.dll directly in nk.bin in v2.42 (2017032900) FW for DSOX3000A. There 4 bytes for patch "04 00 a0 e1" to "00 00 a0 e3" in start address FBC7FFh and checksum in address D40457h changed from "EB" to "E9". Actually checksum contain 4 bytes, but changed only this last byte (first in file as it's little endian). Checksum algorithm is UByte8bit.

infiniiVisionCore.dll placed in Record [164]: Start in memory = 81111000h, Length = 55D528h, Chksum  of original nk.bin = 2604E8EBh
In nk.bin file this block started in D4045Bh and ended in 129D982h

Then nk.bin compressed by bincompress
Code: [Select]
bincompress.exe /c patched_nk.bin patched_nk.bin.comp
And flash it by loadP500Flash via telnet in scope
Code: [Select]
\windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp

Think that replace nk.bin.comp in CAB file (with original name of course) should work also, but didn't try.

After this mod scope work normally and LAN also. I just make this start link in \secure\startup
Code: [Select]
211#infiniivisionLauncher.exe -l MSO -l MEMUP -l EMBD -l AUTO -l FLEX -l PWR -l COMP -l SGM -l MASK -l BW50 -l AUDIO -l WAVEGEN -l AERO -l VID -l ADVMATH -l ASV -l SCPIPS -l RML -l VID -l CABLE -l DIS -l TOM -l SGMC

Don't included EDK and DVM as it is standard options in 2.42

Of course scope indicate that this FW is Ufinalized

Thanks laserK and Elik for advices.
 

Offline georgd

  • Regular Contributor
  • *
  • Posts: 66
  • Country: cs
Just tried to upgrade my DSOX3032A firmware from 2.35 to 2.24 but scope refuses the upgrade with a message that the file format (.ksx) is unknown for it.
Could someone help me to post one of previous install package?

Thank you in advance.

Georg
 
The following users thanked this post: Andrew

Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1710 on: August 14, 2017, 07:13:40 am »
Just tried to upgrade my DSOX3032A firmware from 2.35 to 2.24 but scope refuses the upgrade with a message that the file format (.ksx) is unknown for it.
Could someone help me to post one of previous install package?

Thank you in advance.

Georg
just rename it to .cab

Sent via Tapatalk
 
The following users thanked this post: georgd, Andrew, Keysight DanielBogdanoff

Offline Sany1984

  • Newbie
  • Posts: 8
  • Country: de
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1711 on: September 01, 2017, 08:40:38 pm »
Hello Guys,

I extracted kernel files and more via jtag nand dump, from my DSOX1102A, i have a correct nk0.bin file, the Content with this file Starts with B000FF, but the "bin2nb.py" says its not a B000FF image...
So okay, now i downloaded the WinCE Tools binmod....

Now, i used cvrtbin to convert the .bin to a nk.nb0 file, i wan't to extract the files via dumprom, but this not works, the program does nothing over 10 minutes... takes this longer or can any one help me?

Thanks! :)
 
The following users thanked this post: Andrew

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Is it established that the only way to hack the 3000 series scope after firmware 2.4x is through the LAN? Is there a USB method which works without giving the OS error?

Thank you everyone for all your work.
It works with 2.41 and 2.42  https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg989285/?topicseen#msg989285
 
The following users thanked this post: Andrew

Offline JeffreyLatter

  • Contributor
  • Posts: 28
  • Country: dk
  • Electronics Technician
I managed to make the mod permanent on the 3000T series, I will write up a little post about it, if it's of any interest?.  :)

But basically, the short version:
I compiled a exe that executes the extracted infiniivisionlauncher with the commandlines, placing this in the secure folder and my own exe in the startup folder, deleting the .lnk, modifying the registrylines for processStartupFolder.exe  and replacing the registry file in the nk.bin image, using a modified binmod.exe, finally reflashing the modified firmware package...  :-+

I am although not sure, if modifying the registry is needed - will need to do a reflash and test that....  ^-^
 
The following users thanked this post: Pinkus, Someone, Jwalling, Dubbie, Andrew

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 781
I will write up a little post about it, if it's of any interest?.  :)
I assume, this is just a rhetorical question, isn't it?
 
The following users thanked this post: Andrew

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309

maybe I missed something in this (very long) thread... but did anyone find out why the 100-200 (bandwidth upgrades) and 350-500 are given as 'field upgrades', while 200-350 and 500-1000 (are supposed to) require servicing ??? Was it 'just' to perform a (re)calibration, thereby justifying the steep prices ?? (ok, for 500-1000, there's apparently an acquisition board replacement with a 5GS/s board...)
 
The following users thanked this post: Andrew

Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru

maybe I missed something in this (very long) thread... but did anyone find out why the 100-200 (bandwidth upgrades) and 350-500 are given as 'field upgrades', while 200-350 and 500-1000 (are supposed to) require servicing ??? Was it 'just' to perform a (re)calibration, thereby justifying the steep prices ?? (ok, for 500-1000, there's apparently an acquisition board replacement with a 5GS/s board...)
Yes, board is replaced in 200-350 and 500-1000. Actually, different boards have same PCB and same ASICs with different frontend and switches sets. So it is possible DIY (I'm don't now details)

Sent via Tapatalk

 
The following users thanked this post: Andrew

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309

"board replaced for 200-350" ??? Are you sure ?? Many people have reported 3024 to 3054 upgrades without a problem...   hence my question...
 
The following users thanked this post: Andrew

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5411
  • Country: gb
You can do it with component level replacements from 100/200 to 350/500. I would not say it's for a beginner, it needs reasonable SMD rework soldering equipment and skills. Considering the cost of failure, it's a risky endeavour.
 
The following users thanked this post: Andrew

Offline trevwhite

  • Frequent Contributor
  • **
  • Posts: 946
  • Country: gb
You can do it with component level replacements from 100/200 to 350/500. I would not say it's for a beginner, it needs reasonable SMD rework soldering equipment and skills. Considering the cost of failure, it's a risky endeavour.
I am so tempted to do this on my 3024a but I just don't want to take the risk on such an expensive piece of kit.

Thanks

Trev

 
The following users thanked this post: Andrew

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3781
  • Country: ca
  • Living the Dream

"board replaced for 200-350" ??? Are you sure ?? Many people have reported 3024 to 3054 upgrades without a problem...   hence my question...

100% we are sure. It is all very well documented in this thread and I have extreme first hand experience with the mods. :):):)
VE7FM
 
The following users thanked this post: Andrew

Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru

"board replaced for 200-350" ??? Are you sure ?? Many people have reported 3024 to 3054 upgrades without a problem...   hence my question...

If I understand "soft" upgrade is possible for 1 step only (and not for all steps), and I believe it is just relay connection different components for anti-aliasing filter.
Think that covering all possible steps is very complex solution for "software only" switching...
 
The following users thanked this post: Andrew

Offline gamalot

  • Super Contributor
  • ***
  • Posts: 1389
  • Country: au
  • Correct my English
    • Youtube
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1722 on: November 02, 2017, 11:01:47 pm »
Just finished my DIY project, dsox lan interface with usb console interface. 

What I've to do next is to buy a 3D printer :-DD
I'm a poet, I didn't even know it. |  https://youtube.com/@gamalot | https://github.com/gamalot
 
The following users thanked this post: albertr, Andrew

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3781
  • Country: ca
  • Living the Dream
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1723 on: November 02, 2017, 11:06:47 pm »
Just finished my DIY project, dsox lan interface with usb console interface. 

What I've to do next is to buy a 3D printer :-DD

Sweet!!!
VE7FM
 
The following users thanked this post: Andrew

Offline georges80

  • Frequent Contributor
  • **
  • Posts: 929
  • Country: us
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1724 on: November 03, 2017, 02:44:44 am »
Just finished my DIY project, dsox lan interface with usb console interface. 

What I've to do next is to buy a 3D printer :-DD

Did you join the  2 pins on the 'finger connector' for auto detect - can't tell since it's the 'other side' of the picture you posted.

No 3D printer really needed... I cut my original back/cover plate to hold my diy lan card - works just fine. Though I'm sure you could still use it as an excuse to get a 3D printer :)

cheers,
george.
« Last Edit: November 03, 2017, 02:46:17 am by georges80 »
 
The following users thanked this post: Andrew


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf