DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?

[salvagedcircuitry]

and remember, at scopes with firmware versions below 2.4x the flash will be corrupted after RND(TIME). The scope will not boot anymore and is bricked and needs to be serviced by Keysight. After firmware 2.4x the scope will detect this and repairs itself .... somehow.
Thus with 2.35 or 2.38 there is the constant danger, that your scope (DSOX2000a and DSOX3000a series) won't boot anymore at some day.

I remember reading that post. I totally forgot about it. I was hoping 2.35 was patched to fix it. Well, I guess I'm going to snag a DSOXLAN module or build one.

Thanks for the input safar, Pinkus and TopLoser

[markb82]

I’ve seen quite a few new R&S RTB 2000 series ones being returned with issues though, they seem to be having some teething problems. Good warranty support from R&S as well though.

Not to hijack the thread but can you give us any more details on issues with the RTB2000 series ?

[TopLoser]

I’ve seen quite a few new R&S RTB 2000 series ones being returned with issues though, they seem to be having some teething problems. Good warranty support from R&S as well though.

Not to hijack the thread but can you give us any more details on issues with the RTB2000 series ?

50/50 dead power supplies and touch screen faults. One with all inputs dead.

[markb82]

50/50 dead power supplies and touch screen faults. One with all inputs dead.

Thanks.  I just got one and the power supply is humming (high pitch whine) when the scope is in standby mode.  Sound like a vibrating ceramic cap or inductor.

[Jwalling]

50/50 dead power supplies and touch screen faults. One with all inputs dead.

Thanks.  I just got one and the power supply is humming (high pitch whine) when the scope is in standby mode.  Sound like a vibrating ceramic cap or inductor.

I *think* there may be a service note on that...

[TheSteve]

50/50 dead power supplies and touch screen faults. One with all inputs dead.

Thanks.  I just got one and the power supply is humming (high pitch whine) when the scope is in standby mode.  Sound like a vibrating ceramic cap or inductor.

I *think* there may be a service note on that...

Pretty sure he is talking about an RTB2000, not a DSOX2000/3000(which does have an old service note about a power supply update because of an audible noise).

[markb82]

Pretty sure he is talking about an RTB2000, not a DSOX2000/3000(which does have an old service note about a power supply update because of an audible noise).

You're right, I'm talking about the RTB2000.  End of thread hijack, will go over to the RTB2000 thread.

[Safar]

Here patched kernel file for 2.42 3000A series FW (- LAN garbage issue)

GDisk

Flash via TelNet session on scope from USB

Code: [Select]

\windows\loadP500Flash -u ceImage1 \usb\nk_patched.bin.comp
This is exactly the same as the installer does, but it makes it two times:

Code: [Select]

<!-- Update CE Kernel (backup) -->
\windows\loadP500Flash -u ceImage2 \usb\nk_patched.bin.comp
<!-- Update bootloader -->
blah...blah...blah...
<!-- Update CE Kernel -->
\windows\loadP500Flash -u ceImage1 \usb\nk_patched.bin.comp

So I suppose that possible make CAB with patched NK and recipe.xml with this code (MD5 checksum is actual for patched kernel) and flash it just from USB without LAN

Code: [Select]

<install>
<!-- Set the ramdisk to 68MB -->
<ramdiskSize>71303168</ramdiskSize>
<!-- Stop the scope application -->
<killProcess>infiniivisionLauncher.exe</killProcess>
<killProcess>AgilentLxiWebService.exe</killProcess>
<killProcess>vncServer.exe</killProcess>
<killProcess>websockify.exe</killProcess>
<!-- ******** -->
<!-- Update CE Kernel -->
<installStep>
<file checksum="03929973A08EFEB08FB31DA8B2AAF200">nk.bin.comp</file>
<command>\windows\loadP500Flash -u ceImage1 %TEMP%\nk.bin.comp</command>
<onFailure>
<filePath>\Agilent Flash\config\errorLog.txt</filePath>
<message>Firmware update failed (0x0422). Please retry firmware update.</message>
<action>reboot</action>
</onFailure>
</installStep>
<!-- Reboot -->
<installStep>
<command>\windows\rebootInfiniivision.exe</command>
</installStep>
<boardLoadOptions>
<ECC>4</ECC>
</boardLoadOptions>
</install>

Not sure but may be better make it like in original recipe.xml and add code before "Update CE Kernel" section (just past instead of <!-- ******** -->). But in this case also need to pack updateBootLoaders2.exe and pboot_rel.bin in CAB.

Code: [Select]

<!-- Update CE Kernel (backup) -->
<installStep>
<file checksum="03929973A08EFEB08FB31DA8B2AAF200">nk.bin.comp</file>
<command>\windows\loadP500Flash -u ceImage2 %TEMP%\nk.bin.comp</command>
<onFailure>
<filePath>\Agilent Flash\config\errorLog.txt</filePath>
<message>Firmware update failed (0x0420). Please retry firmware update.</message>
<action>reboot</action>
</onFailure>
</installStep>
<!-- Update bootloader -->
<installStep>
<file checksum="7ccacd88343adb62f9276a362bc7f5d3">updateBootLoaders2.exe</file>
<file checksum="33bb47d750ae3732cd8657f407008ef0">pboot_rel.bin</file>
<command>%TEMP%\updatebootloaders2.exe</command>
<onFailure>
<filePath>\Agilent Flash\config\errorLog.txt</filePath>
<message>Firmware update failed (0x0421). Please retry firmware update.</message>
<action>reboot</action>
</onFailure>
</installStep>

And of course it is need to check paths and filenames.

[maxpayne]

you mentioned "bricked the scope" ,i'm not good at english ,does it mean this way may be harmful to scope  ,such as breaking the scope ?
DE BD7JAT

Yes, a wrong step or wrong link might lead to your scope being unusable, and you'd need to send it back to the factory for repair.
That being said... has anyone actually BRICKED their scope yet? I don't remember of one but eh... it's quite a long thread.

Also, I've attached the file all inside a zip. The steps are basically :

1) Extract all files (including the .lnk) to the root of your usb drive
2) From the scope's front panel, press Utility ->File Explorer -> Press to go to: <USB Drive label>(usually "usb")
3) From the drop down, scroll to the v241_link_install.cab to select
4) Press Load file

The scope will ask for your confirmation and then it will load/update and reboot.

FYI, my link file is :
160#\Secure\infiniiVision\infiniivisionLauncher.exe -l DIS -l MSO --perf -l MEMUP -l SCPIPS -l CABLE -l SGMC -l FLEXC -l TOM -l BW20 -l ADVMATH -l EMBD -l EDK -l VID

the other cab uninstall the link file and restores your previous setting.

Cheers

Does this hack work with DSOX2012A ? I am planning to buy one

[EE-digger]

Has anyone performed (and can you post)  a response sweep on their improved BW 3000A or T?  I'm interested on seeing how well behaved the response is after a 500M or 1G upgrade.  I synch a generator sweep with a slow sweep on the scope.  Normally I turn on <peak> just to be safe but the 2000 and 3000 seem to show the envelope properly either way, with BW where I expect it (50% point around 265MHz for a 200MHz scope, same as by actual BW measurement, on a 3000T and 2000A).

[Pinkus]

Does this hack work with DSOX2012A ? I am planning to buy one

Sure, it will work with all versions. However, I would strongly advice not to purchase one: The DSOX2000 series does not allow serial protocoll analysis on the digital channels (only analogue channels) and with only two analogue channels you will be stucked quickly (e.g. with a simple SPI protocol).

My advice: either get a 2-channel 3000-series scope (they allow protocol analysis on digital channels) or go for the 4-channel version of the DSOX2K. The 2-channel version of a DSOX2K should be purchased only if it comes with a massive price reduction, as selling this later will become very difficult.

[maxpayne]

Does this hack work with DSOX2012A ? I am planning to buy one

Sure, it will work with all versions. However, I would strongly advice not to purchase one: The DSOX2000 series does not allow serial protocoll analysis on the digital channels (only analogue channels) and with only two analogue channels you will be stucked quickly (e.g. with a simple SPI protocol).

My advice: either get a 2-channel 3000-series scope or go for the 4-channel version. The 2-channel version should be purchased only if it comes with a massive price reduction as selling this later will become very difficult.

I think I should wait then.

[PhillyFlyers]

Hugoneus, check this post for CPU JTAG https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg274963/#msg274963

Another possibility is BootROM USB flash loader mode:
ST's flash utility http://www.st.com/web/en/catalog/tools/PF257557
This mode should be activated by pulling BOOT_SEL pin (K18, check the picture) low at power on, but no reports on this so far. The PCB picture in JTAG post looks like there is a track in inner layer going to this pin, perhaps you can look closer. If it is tied straight to VCC then bad luck, otherwise try shorting it to GND and turning the scope on with USB cable attached to PC - does something pops up?
Also SPEAr600 RM says that ROM enters USB boot if normal (flash) boot fails regardless of BOOT_SEL state. But this requires primary bootloader in flash to be corrupted "correctly" so ROM doesn't recognize it (briefly shorting some flash DATA lines at power up is common way to simulate this state).

And this one is awesome as well, just putting the patch right into flash..

https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1419736/#msg1419736

Hi All,

I'm finally joining in on this fun, just got a used 3024A..... I plan on 'playing' with it as well, and doing the bw mods, etc..


So, I do want to look deeper into this JTAG and flashing functionality, just thinking ahead a bit.  I know the one thread referenced in this post (way back on page 6 or 7 of this thread), a poster said he dumped some of the flash, so it should be possible, and probably can be done through openOCD with a standard arm jtag device.

We really have no idea as to what the mfr. will end up doing in future firmwares, maybe they don't care all that much about what we are doing here?  but we know for sure they are on here paying attention!  So if anything, they are reporting this info back to the devs, which may end up in some of our avenues to get in being tightened even further...

So, I'll be looking at this avenue some more, as soon as my LAN board shows up and I can get things rolling....


But, something funny to show, my scope came with this GPIB board in the slot, didn't even know they made this thing?  wonder what things out there you can interface to it?

At least I can use this board for tracing references, etc, if we need any more pinouts of the GPIB bus on the scope...

[KrudyZ]

Looks like they had to take a serial interface from the scope and turn it into GPIB using an FPGA on this board.

[mikeselectricstuff]

Looks like they had to take a serial interface from the scope and turn it into GPIB using an FPGA on this board.

FPGAs are probably cheaper than mostly-obsolete dedicated GPIB chips these days

[ELIK]

Hello
Earlier I promises to share my project of LAN card.
Here is my pcb and schematic (version with simple LAN connector and separated transformer).
This pcb was completed with parts from my garbage, therefore have no BOM, sorry.

[Safar]

The message about the "System OS concerns detected...", that still comes up, that may be a check against the file that's in the flash, I'm not sure, but haven't figured out yet how to remove that message.. but I'm curious if that one doesn't appear if we flash the patched DLL into the ceimage1 in flash...?  I will be trying that soon...

I suppose that this message can appear when loader checking rom for checksum and as DLL has been patched then loader write this message. I saw some table with all checksums in filesystem, but I don't remember exact place. Hope it is possible eliminate this message if makes correction there.

When you flash patched kernel via telnet command you do not mention MD5 for this, so no error here. But installer use this MD5 information when do command from recipe.XML script.

And sorry but I slightly misunderstand about VNC. DSOX already have VNC server (vncServer.exe), and you can use it without any restrictions (>1 min). If you trying to start another one it would be conflicted as they use one port

[PhillyFlyers]

Yeah,

I just verified your method of flashing 'ceimage1' with the patched nk.bin worked perfect.. I put both of the .dll patches in there, the one patch for the cmd line args, and the 2nd patch I mentioned to disable the 'Warning: Unfinalized Software'....

I also fixed the checksum in the file as you mentioned how to do... I didn't do anything with the MD5 since I was not doing a full install from a cab, I just flashed the fixed nk.bin file using the 'loadp500 flash.exe' as you described...

So, that 'System OS concerns' detected only seems to come up if you run the 'launcher' from in the \secure\infiniivision folder.. if you run the launcher from the \program files\infiniivision folder, than there are no warning messages at all.. (except of course for the VGA/LAN card, because we have custom lan cards.. haha)


As far as the 'mobileVNC.exe', the reason I mentioned it is if anyone wanted to see the real 'Windows CE desktop', which is what this mobileVNC takes you to when you login with it.. the 'vncserver.exe' that the scope already runs, just gives you a VNC connection to control the scope itself..  I wanted to see if there was anything interesting to look at with the actual windows CE desktop... there really isn't much to see, I was hoping to be able to view some registry data from there, but no luck..

So, from what I can tell, this 'infiniivisionlauncher.exe' is really just a wrapper file, it doesn't do much except load up the infiniivisioncore.dll and call it's single export 'start'... the core.dll is hardly even a DLL, it really could probably be converted to an EXE and executed directly, with some code changes of course.. but anyhow.. just from what I've observed..

[Safar]

As far as the 'mobileVNC.exe', the reason I mentioned it is if anyone wanted to see the real 'Windows CE desktop', which is what this mobileVNC takes you to when you login with it.. the 'vncserver.exe' that the scope already runs, just gives you a VNC connection to control the scope itself..  I wanted to see if there was anything interesting to look at with the actual windows CE desktop... there really isn't much to see, I was hoping to be able to view some registry data from there, but no luck..

Now it's clear, thanks

[mythos1453]

Hi all,

Has anyone been succesful in hacking the 4000's series? I tried to go through the whole thread but I'm still a bit confused. It seems that the 3000 series shares the same hardware as the 4000. But does that mean that changing the firmware is the same?

I've been offered a great deal on a MSOX4024A and I wanted to see if its hackable. Thanks!

[Gandalf_Sr]

Here's a tip, hit the [Print] button which gives you the whole thread in text only format - then use Ctrl+F to search for "4000", there are 78 hits and one pf them gives you what you want.

[Andrew]

The latest firmware 2.43 (5 March 2018) according to the release notes:

Added support for DSOX2PLUS.

The user guide has been update and includes additional math functions and triggers.

Updating my scope now....

Edit: Sorry, false alarm, no early chrissy present from Keysight for X2000A owners...

Page 313 of version "Ninth edition, February 2018" of the user manual:

Licence Options Available
PLUS = 2000 X-Series Enhancements
Provides additional math functions, triggers, measurements,
memory, segmented memory, and waveform update rate.

...and in the "After purchase model number, notes" column:

Order DSOX2PLUS.

Too bad if you already bought the app bundle.

[Safar]

The latest firmware 2.43 (5 March 2018) according to the release notes:

New Features for the 2000A
 This software revision includes the following new capabilities:
– Added support for DSOX2PLUS.  See product page on www.keysight.com for details.

Enhancements for the 3000A
- Support for the N7026A probe was added. 
- The ability to calibrate the offset was added for the N2820/1A probe.

Enhancements for the 2000A
- The following measurements have been added to the 2000A:
o “X@Max”
o “X@Min”
o “Positive Pulse Count”
o “Negative Pulse Count”
o “Rising Edge Count”
o “Falling Edge Count”

Bug Fixes for both 2000A and 3000A
- An issue preventing a full waveform export in Roll-mode has been corrected.
- An issue preventing DVM’s Auto Range from operating correctly in certain acquisition
modes has been corrected.

[Andrew]

Found a document "Keysight Technologies Distribution Products Catalog" for March 2018.

literature.cdn.keysight.com/litweb/pdf/5991-4833ENDI.pdf

For the X2000 it lists:

2000 X-Series Enhancements
All 2000 X-Series oscilloscopes manufactured after
March 5, 2018 now have:
- Increased waveform update rate of
200,000 wfms/s
- Standard memory upgrade: 1 Mpts
- Standard segmented memory
- Additional trigger modes
- Additional math functions
Any 2000 X-Series oscilloscopes manufactured
before March 5, 2018 can be upgraded using the
DSOX2PLUS option.
See pages 16 and 18.
For more information
www.keysight.com/find/2000X-Series

Assuming the USA website would be updated first, it still shows 50,000wfms/s and no DSOX2Plus info.

[Petter]

infiniivisioncore.dll [snip] ** note:  in 2.42, the dll is no longer on disk, so you have to patch this directly in the nk.bin, and write to flash **

Where does one find the the dll in question?

All the best