A while since I've made an EEVBlog post, but delved enough into what I'm about to describe that I figured anyone else with the same issue as me would really appreciate the documentation (I know I would've myself). Anyways... here goes.
I got an MSO-X 2012A scope from my uni 2 years ago that had the dreaded NAND corruption problem. Lights flash, screen stays blank, etc. Knowing my uni, the scope's FW had never been upgraded - and checking the working scopes in the labs, it was running the _original_ 1.10 firmware from Agilent.
So, on a whim, I figured I would give this thread a read-through, and ended up finding the famed titiris method. Took apart the scope, attached UART, et cetera. And to my absolute surprise, it worked! I loaded on 2.35 firmware directly, nothing in between and everything worked just fine. Loaded the cab file on at the end, and bingo! Working scope. Even though it's the 3000X firmware DSO firmware, it loaded onto my 2000X MSO. Still maintained the MSO license, too.
And a quick FYI - for anyone who is looking to find SOME of the old firmwares - anything >= 2.37 (non-hacked), you can go to the link elsewhere in this thread -
https://cal.equipment/doc/HP_Agilent_Keysight/DSOX/ - it will show you a 403 error - but if you put the same link into the Internet Archive/Wayback machine, you can still get to the firmwares! Haven't found anything newer than 2.37 though, unfortunately... if anyone's got a patched 2.65, send me a PM - that would be awesome
...anyways. Here's where I got cocky. "Oh," I thought, "I've gotten this far - may as well try to hack the scope." So, I read a few more pages and saw someone had created a 2.41 cab file - and without _any_ thinking, I downloaded that and loaded it onto my scope.
TERRIBLE idea. It bricked the scope - sent it into a boot loop.
It would get to the point where it loaded the splash screen for 2.35 and then it would reboot. After reading a few more pages (like my impatient *** should've done beforehand), I realized that A. you need patched DLLs, and B. you can't just ...load 2.41 on top of 2.35. DUH!
So I just figured "oh, well I'll just redo the titiris method." That didn't work. It'd send the file over YMODEM and then just... not boot off of the USB. I tried no less than 5 times. Waiting 45 minutes each time.
I gave up on it for a few days and was pretty frustrated - I'd gotten SO close, and yet, for nothing. But after a bit of stewing, I came back to it - I realized that I might've been able to use telnet to recover the scope. Not wanting to shell out for a LAN board, just in case it didn't work (and again... did I mention that I'm impatient?), I stuck wires into the pins of the header on the mainboard (using the schematics/pinout from the DSOXLAN schematics found from elsewhere in this thread). I tried once with standard breadboarding wires but those were too large, and although they fit, they didn't fit well and kinda goofed the connector up a bit. I tried again with logic probe tips, but again, too cramped. Came back to it the next day and realized ethernet cable wire is pretty thin, right? Well - turns out that 24 gauge solid-core ethernet wire works _perfect_ for this - stuck a bunch of those into the connector wires and BINGO! LAN!
(this is getting long, sorry in advance... it's just how I am)
LAN worked now - but the biggest issue now was, how the **** could I connect to it? Because the scope was stuck in a boot loop, I (connected to the UART in one window) could see that it initialized the LAN immediately before trying to load the infiniivision_ext.lnk file, and then would die very quickly. Enough time to get the telnet to connect but not to actually log in, let alone to kill infiniivisionLauncher.exe.
A stroke of genius had me write a quick AutoHotKey script to auto-type the entire username/password combo with just 2 key presses - and with that, I could just barely get logged onto the telnet before the scope looped again - but, even with a 3rd AHK macro for "processMgr.exe kill infiniivisionSetup.exe", the scope didn't have enough time to actually kill the process before hitting the fault and looping. After a LOT of toying around, I figured that maybe the .lnk file was bad? Or that if I renamed it, it wouldn't be able to call it, and therefore wouldn't try to run the faulted Launcher. So, doing one command at a time, with an incredible amount of patience (you have to open the telnet at just the right time for it to connect), I:
1. Listed the files in \Secure\Startup
2. Ran a `type` (MS equivalent of cat) on \Secure\Startup\infiniivision_ext.lnk - this showed me that it had the "hacked" commandline from the 2.41 I tried to load; the one with all of the options.
3. Created a file `test.txt` in \Secure\Startup
4. Filled `test.txt` with a new .lnk command - XX#\usb\Secure\Startup\infiniivision.lnk (can't recall what the number before the # was, unfortunately - I had to try a few) - note the \usb at the start, too.
5. Renamed test.txt to `infiniivision.lnk`
After the rename, the scope used infiniivision.lnk instead of the _ext version - and would boot, load telnet, and presumably because the usb wasn't even plugged in, would try to execute a nonexistent program - which meant that instead of looping because of a fault, the scope would just hang. Which is fine - because now I could get into Telnet! And stay there!
From there, it was pretty simple. Kill the infiniivision launcher first - `processMgr.exe kill infiniivisionLauncher.exe` I loaded the firmware onto a thumb drive in the same folder structure described in titiris's post (2.35 - NOT 2.41 - mostly because I couldn't find 2.41) and then just put in the flash drive and manually executed `\usb\Secure\infiniiVision\infiniivisionlauncher.exe` in Telnet - and it worked!! The scope booted. Which was incredible! From there, it was as simple as changing the infiniivision.lnk file on the scope (\Secure\Startup\infiniivision.lnk) to include the proper link to boot from the scope's exe as normal, and then I just used the scope's GUI to flash the 2.35 firmware. Note that if `infiniivisionStartupOverride.txt` is present on the USB, the FW flash will fail - you need to remove that. And from there, all was well - scope works just fine, and I avoided having to send it to Keysight to get it fixed!
This isn't so much of a guide as it is an explanation of what I did wrong... but that said - I wrote this all out in the slim chance that someone else did an oopsie like I did and thinks they ruined their scope - and if so, hopefully this helps you fix it!! Good luck, and cheers!
P.S. Again... if anyone's got patched FW of any version >= 2.35, that would be awesome... PM me! I'm suddenly not overly afraid to try again - but I also will probably need more thorough instructions this time
Home
Help
Search
Login
Register
