Author Topic: Fluke/Tektronix Bushealth Code: 192C/196C/199C/215C/225C/190 (I & II) THS3000  (Read 2533 times)


patpat (Topic starter)

  • Contributor
  • Posts: 30
  • Country: us
FlukeBushealth v1.0 2024

 Provided the Scope SN it creates the Bushealth Code
 It works on Fluke and Tektronix* Scopes with bushealth capable firmware
  Fluke 192C/196C/199C/215C/225C
  Fluke 190 - 062/102/104/202/204/502/504 (Series I & II)
  Tektronix THS3014/3024

 Reaching the Bushealth Install screen:
  Fluke: USER -> VERSION & CAL -> F1
  Tektronix: TBD*


Usage:
        FlukeBushealth -s SerialNumber

        Examples:
        FlukeBushealth -s DM9010124


Options:
-h, --help     Get help
-s, --Serial   Scopemeter Serial


Tektronix uses the same firmware as 190-XXX II and includes bushealth support but at the moment I couldn't find
how to trigger the "Install Bushealth Option" screen




VirusTotal again gives positives,
https://www.virustotal.com/gui/file/c715fce191c28dc591854ebf0ec94f0f14ce8349f69e217ec8a177640f40f713
but this just came out from my Microsoft VS

I tested on my 199C USA w/ firmware 8.04 and it worked w/o issues,
if it does not work for you just let me know model, firmware and serial.
Pat
 
« Last Edit: October 04, 2024, 07:14:14 pm by patpat »
 

squadchannel

  • Frequent Contributor
  • Posts: 273
  • Country: jp
  • deepl translate user
hi pat.
I hope it works on THS, but I can't find the hidden menu.

I was messing around with commands from serial yesterday and found some data dumped by the qc command.
It outputs an undocumented command list.

Does qc mean "quality control"? hmm... :-//

Code: [Select]
Universal Host Mask software; UHM V3.0
0123456789ABCDEF
BaudregRead     : BR<cr>
BaudregWrite    : BW<dddd><cr>
EXtension cmd   : EX<exnr>,<...>
Fill Mem Byte   : FM<hexAddr>','<hexLen>','<bb><cr>
Fill Mem Long   : FL<hexAddr>','<hexLen>','<llllllll><cr>
Fill Mem Word   : FW<hexAddr>','<hexLen>','<wwww><cr>
Call program    : GO<hexAddr><cr>
Get Binary Byte : GB<hexAddr>','<hexLen><cr>
Get Binary Long : GL<hexAddr>','<hexLen><cr>
Get Binary Word : GW<hexAddr>','<hexLen><cr>
IDentity        : ID<cr>
Put Binary Byte : PB<hexAddr>','<hexLen><cr><B...B><cr>
Put Binary Long : PL<hexAddr>','<hexLen><cr><LLLL...LLLL><cr>
Put Binary Word : PW<hexAddr>','<hexLen><cr><WW...WW><cr>
Reset Instrument: RI<cr>
Read hex Byte   : RB<hexAddr>','<hexLen><cr>
Read hex Long   : RL<hexAddr>','<hexLen><cr>
Read hex Word   : RW<hexAddr>','<hexLen><cr>
Write hex Byte  : WB<hexAddr>','<hexLen>','<bb...bb><cr>
Write hex Long  : WL<hexAddr>','<hexLen>','<llllllll...llllllll><cr>
Write hex Word  : WW<hexAddr>','<hexLen>','<wwww...wwww><cr>
HOI (c) Rob van de Schepop

The dumped data is attached.

I also tried to see if I could read the contents of the flash that should have been assigned to $4000 0000 using the RB command, and sure enough, there was data, but not the data I expected.
It seems to be different from the contents of the flash. I am not too familiar with CL-PS7111 or arm.

MOD:
overflowing.



enter GO40000000 on UHM, boot from flash. No doubt $4000 0000 would be flash.
« Last Edit: October 04, 2024, 02:01:53 am by squadchannel »
 

patpat (Topic starter)
Hi squadchannel,

FlukeBushealth v1.0 has been tested on my Fluke 199C USA and it worked as intended.

Looking at the firmware I inferred it should also work on the Fluke 190 and Tektronix THS3000 lines.

As you see Tektronix serials are longer numbers and  FlukeBushealth 1.0 as-is has a sign issue in this case.
I need to see the code a bit more to fix this but first I want to reach Tektronix Bushealth install screen (if possible) but I'm also stuck not finding the way.

Regarding serial communication, the codes you found seem they might run in Mask Mode?
I tried in regular mode the RB (Read Byte) command on my THS3024 and it always returns error 1.
I booted my THS3024 in Mask Mode (Power-on the unit holding the up and right arrows and hearing a soft beep)
but then I couldn't establish the serial connection with the scope, are you able to communicate in Mask Mode with your THS3024?


Regarding Fluke options alternatively I found the sequence of Serial commands that would enable the following 3 features
* Medical 
* Bushealth          
* Medical + Bushealth

The command sequence is contained in the file cpl.bin within the firmware updater with Bushealth enabled, once decrypted with FlukeFlashTool2txt 
https://www.eevblog.com/forum/microcontrollers/fluke-19xbcii-tektronix-ths30143024-flashtool-ini-cpl-bin-deobfuscator
it gives

Code: [Select]
EM
MAINTENANCE
CI 12,0
CI 13,confix
CI 14,0
CI 17,110195
CI 18,y
CI 320,N
RC
EO

The line:

CI 17,110195   => Enables Bushealth
but also
CI 17,271267   => Enables Medical 
CI 17,161027   => Enables Medical + Bushealth

Note: It is good to mention that enabling the Medical "software" features on a unit will not improve
any electrical feature like CAT Safety Ratings, AFAIK the medical units have higher CAT ratings.

CI (Configure Instrument?) is a multi function command, the first number is the function number, followed by a single parameter.
The number 17 deals with the scope software options.
So far I do not know the rest of commands.

This data comes just from looking at the code, I haven't tried myself, sure the CI 17,xxx command might need one or more commands in the sequence to work,
I know the code is identical in Tektronix then it could potentially work with the THS3024.

Best
Pat
« Last Edit: October 04, 2024, 07:09:26 pm by patpat »
 

mahi

  • Regular Contributor
  • Posts: 106
  • Country: 00
Just tested on a 2009 Fluke 196C with firmware 8.04 and it worked great! The Bushealth feature is now available under the Recorder menu.

Thank you!

squadchannel
hi patpat.

can communicate with THS in mask mode by pressing the up button, right button and power button as in fluke, listening for a weak beep, and entering many “X ” at the terminal.

trying the commands for several hours.
What we know so far is,

Code: [Select]
EM = Engineering Mode
FLUKEUHM = reboot UHM (after EM command)
MAINTENANCE = entry calibration mode (after EM command)
CI = change instruments? rewrite the value of the QI command.
RC = rewrite calibration?
EO = ? calibration menu closes.? engineering mode closes?

CI commands can be used after the EM and MAINTENANCE commands have been executed.
RC command is supposed to override the calibration, and EO closes the calibration menu.

after entering the EM and MAINTENANCE commands (while entry the calibration menu), the QC command seems to output the calibration data inside flash. but, there is a slight difference compare flash data.

CI 17,110195 command, does not change on the THS.
although I can indeed see the number change at QI 17.


THS3024:
CI/QI 10 is model name
CI/QI 11 is serial number
CI/QI 12 is serial number(same #11)
CI/QI 13 is board serial number
CI/QI 14 is CI and QI command not allowed.
CI/QI 17 ?
CI/QI 18 ?
CI/QI 320 ?

these commands only work UHM mode.
Quote
Universal Host Mask software; UHM V3.0
0123456789ABCDEF
BaudregRead     : BR<cr>
BaudregWrite    : BW<dddd><cr>
EXtension cmd   : EX<exnr>,<...>
Fill Mem Byte   : FM<hexAddr>','<hexLen>','<bb><cr>
Fill Mem Long   : FL<hexAddr>','<hexLen>','<llllllll><cr>
Fill Mem Word   : FW<hexAddr>','<hexLen>','<wwww><cr>
Call program    : GO<hexAddr><cr>
Get Binary Byte : GB<hexAddr>','<hexLen><cr>
Get Binary Long : GL<hexAddr>','<hexLen><cr>
Get Binary Word : GW<hexAddr>','<hexLen><cr>
IDentity        : ID<cr>
Put Binary Byte : PB<hexAddr>','<hexLen><cr><B...B><cr>
Put Binary Long : PL<hexAddr>','<hexLen><cr><LLLL...LLLL><cr>
Put Binary Word : PW<hexAddr>','<hexLen><cr><WW...WW><cr>
Reset Instrument: RI<cr>
Read hex Byte   : RB<hexAddr>','<hexLen><cr>
Read hex Long   : RL<hexAddr>','<hexLen><cr>
Read hex Word   : RW<hexAddr>','<hexLen><cr>
Write hex Byte  : WB<hexAddr>','<hexLen>','<bb...bb><cr>
Write hex Long  : WL<hexAddr>','<hexLen>','<llllllll...llllllll><cr>
Write hex Word  : WW<hexAddr>','<hexLen>','<wwww...wwww><cr>
HOI (c) Rob van de Schepop

RB commands, for example
RB40000000,100
reads 100 bytes from $4000 0000.
« Last Edit: October 05, 2024, 07:09:37 am by squadchannel »
 

patpat (Topic starter)
Hi squadchannel,

I finally connected to the Mask Mode, I forgot the sequence of "X"!

I think the pair CI/QI is Configure Instrument, Query instrument.

If I call in my THS3024 Firmware V01.02 I correctly get
QI 17 -> 1
RB44097761,1 -> 00

From firmware I see that the commands
CI 17,271267   => Enables Medical
CI 17,110195   => Enables Bushealth
CI 17,161027   => Enables Medical + Bushealth

But they really end up writing a single byte position of flash as follow:

44097761 = 00 -> No Options
44097761 = 01 -> Medical
44097761 = 02 -> Bushealth
44097761 = 03 -> Medical+Bushealth

What I do not know is if there's any command that recalculates the checksum/s after altering the instrument configuration, probably RC?
I'll be able to check this on my 119C as soon as the adapter for my IR189 adapter comes
https://www.printables.com/model/1017246-fluke-scopemeter-adapter-for-ir189usb-cable


You did CI 17,110195 in your THS3024?
what do you see if you do the following commands
QI 17  ?
RB44097761,1   ?

I do not have a backup of my config, that's why I'm a bit cautious about testing these commands,
I understand you have one from your repairing thread.



The RB command could be a valuable tool for a back up utility
We need to completely understand the memory map.

Best,
Pat
 

« Last Edit: October 05, 2024, 05:12:55 pm by patpat »
 

squadchannel
Quote
You did CI 17,110195 in your THS3024?
what do you see if you do the following commands
QI 17  ?
RB44097761,1   ?



I think the addr is different.

RC command seems to be accepted in maintenance mode.

we want someone who understands ARMv3....
« Last Edit: October 06, 2024, 03:24:09 am by squadchannel »
 

patpat (Topic starter)
These findings are consistent with what I see in firmware:
CI 17,0           /  QI 17 = 0  => None
CI 17,271267 /  QI 17 = 1  => Enables Medical
CI 17,110195 /  QI 17 = 2  => Enables Bushealth
CI 17,161027 /  QI 17 = 3  => Enables Medical + Bushealth
 
I think the address of the variable 0x44097761 is the right one.

The problem is the command "RB" which reads whatever. So far I couldn't make any sense of what it provides,
especially looking at the address 0x40000000+ that is where the known firmware binary is installed.

I'm not an ARM "expert" but the problem understanding the code is not the assembler but the complex flow+convoluted code.
 

squadchannel
believe that the contents of the flash are assigned to $4000 0000.
but, rb to $4000 0000 from the initial state does not seem to get valid data.
After the EM and MAINTENANCE commands, data “close to flash” from $4000 0000 can be read.

To begin with, does series2 have an option key menu?

10/08/24 11:43 am MOD:

I found the cause of the difference between the internal flash and the value when using gb.
There was a problem with the dump method I was using, I was dumping with stdout in cmd with plink software which can be used on the putty command line, but either plink or stdout specs were dumping with some of the binaries missing.
« Last Edit: October 08, 2024, 11:47:03 am by squadchannel »
 

patpat (Topic starter)
About the read byte command RB this is what I found so far testing on the THS3024 and 199C

Booting in MASK mode:
The command without a space takes 2 hexadecimal parameters i.e.
Code: [Select]
RB40000000,100
Returns just the hexadecimal values.
but the readings are not as expected, probably in MASK mode the MMU is not set, hard to tell.

Booting in FIRMWARE mode:
The command before its first use requires to enter the sequence
Code: [Select]
EM
MAINTENANCE
The command with a space takes 2 "decimal" parameters i.e.
Code: [Select]
RB 1073741824,25
Returning hexadecimal values as follows
#H112233445566778855555555AAAAAAAA33333333CCCCCCCC0F
when finishing using RB we go back sending the sequence
Code: [Select]
RC
EO

In this case the value 1073741824 (decimal) is equivalent to 0x40000000 (hexadecimal C notation) and #H40000000 (hexadecimal Assembler notation)
and we get 25 bytes in hexadecimal notation that now perfectly match the first 25 bytes of the firmware image


Knowing all of the above I checked the value of
Code: [Select]
RB 1141471073,1
1141471073=0x44097761
it should've been 02 (Bushealth) but I got 00 then I need to work on this more.
Edit 01: I look further and I stand corrected, the correct address is
0x4409B555=1141486933 and correctly holds 0,1,2 or 3 depending on the CI 17,xxxx command


Regarding the Fluke 190-xxx II, I do not know if it has a "Install Bushealth Option" screen, it would be good to know from some reader having one of those.
Is anyone out there? The screen can be reached by pressing the User button, then Version & language (F3), then F1 and see if a screen asking for a
Bushealth code shows up or not. Thanks


I just received the optical adapter, I connected to my Fluke 199C which has installed Bushealth with a code and I checked
Code: [Select]
QI 14
and it also returned error 1 like the THS3024
The Fluke 199C Bushealth Firmware install sequence sets CI 14,0 but this apparently wouldn't be unnecessary;
some involuntary error, or there's some sort of trick here.

« Last Edit: October 08, 2024, 05:21:21 pm by patpat »
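
The two RB forms described in the post above, as an added example (not code from any poster or from the instrument vendors): it builds the mask-mode and firmware-mode read commands, parses a `#H` reply and compares the bytes with a reference image so that a short or corrupted read is caught. The mask-mode length is written in hex because the UHM help text names it `<hexLen>`; that reading, the function names and the constructed reference image are assumptions.

```python
FLASH_BASE = 0x40000000  # flash base address quoted in the thread

# Reply quoted in the post above for "RB 1073741824,25".
SAMPLE_REPLY = "#H112233445566778855555555AAAAAAAA33333333CCCCCCCC0F"

# Constructed reference image: the 25 quoted bytes plus zero padding.
REFERENCE_IMAGE = bytes.fromhex(SAMPLE_REPLY[2:]) + bytes(7)


def rb_firmware_mode(addr: int, count: int) -> str:
    """RB as typed after EM / MAINTENANCE: a space, then decimal parameters."""
    return f"RB {addr},{count}"


def rb_mask_mode(addr: int, count: int) -> str:
    """RB as typed in mask mode: no space, hexadecimal parameters.

    Assumption: the length is hex too, as the help text says <hexLen>.
    """
    return f"RB{addr:08X},{count:X}"


def parse_rb_reply(reply: str, expected: int) -> bytes:
    """Decode a reply line and insist on exactly `expected` bytes.

    The "#H" prefix is optional because the mask-mode reply is described
    as returning just the hexadecimal values.
    """
    text = reply.strip()
    if text.startswith("#H"):
        text = text[2:]
    if len(text) % 2:
        raise ValueError("odd number of hex digits, a character was lost")
    data = bytes.fromhex(text)  # raises ValueError on non-hex characters
    if len(data) != expected:
        raise ValueError(f"asked for {expected} bytes, got {len(data)}")
    return data


def first_mismatch(data: bytes, image: bytes, addr: int, base: int = FLASH_BASE):
    """Return the address of the first byte that differs from the image, or None."""
    start = addr - base
    if start < 0 or start + len(data) > len(image):
        raise ValueError("read range lies outside the reference image")
    for i, (got, want) in enumerate(zip(data, image[start:start + len(data)])):
        if got != want:
            return addr + i
    return None


if __name__ == "__main__":
    cmd = rb_firmware_mode(FLASH_BASE, 25)
    data = parse_rb_reply(SAMPLE_REPLY, 25)
    print(cmd, "->", len(data), "bytes, mismatch at:",
          first_mismatch(data, REFERENCE_IMAGE, FLASH_BASE))
```

Checking the byte count of every reply is what would have exposed the kind of dump problem described earlier in the thread, where bytes went missing between the terminal program and the file.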
 

squadchannel
hi pat.
I will read your reply later. I am terribly tired.
For now, I am attaching the software to dump flash using the GB command.
How to use:
Code: [Select]
gb comport baudrate dump_address dump_size dump_filename
ex) gb com3 9600 40000000 1000 dump.bin
It is still incomplete. I will resume work when I wake up.

I am not sure if it works in all environments. It works on my machine.
You should monitor it with Docklight and com0com.
Note: Do not update firmware while using Docklight. It will corrupt the flash.

If you just want to dump a few bytes, don't use it.
This software is designed for backup purposes.

Good night, 3 am in japan. :=\ :=\ :=\ :=\
« Last Edit: October 08, 2024, 06:26:48 pm by squadchannel »
 

squadchannel
Serial communication sniffed at THS/Series2 internal FTDI chip and isolator.
460800baud.

run firmware update with sniffed.

EXTENSION DATA in the .idf of the updater is the binary needed for the update, as has been said before.
EXTENSION COMMAND TABLE appears to be a command that can be used after the EXTENSION DATA are loaded.

In the sniffed dump data, the CF and PF commands for EXTENSION COMMAND TABLE are used. maybe:
Code: [Select]
CF: Clear Flash?
PF: Put Flash?

Can only be used in EXTENSION. Cannot be used in normal mode or UHM.
EXTENSION DATA should not be run. I broke the flash again.

Also:
Code: [Select]
WC: Write Calibration
also found out new commands.

Code: [Select]
No Disk

e
e
E
E
FWV

MAIN 03.68-324VDPSF
RPRG 1.00R
D:\>
These commands have nothing to do with updaters.
communication for USB memory devices is also done via the same serial bus.
« Last Edit: October 14, 2024, 04:05:33 am by squadchannel »
 

patpat (Topic starter)
Interesting data,
do you know if it is possible to back up and restore calibration data?
if not we'll keep breaking things, I also screw up the 199C cal ;-)

I'm still analyzing the THS code, trying to make sense of the NUCLEUS RTOS, it has a pipes, the Keyboard uses pipes, hopefully finding where the keyboard input is handled.

I was thinking; do you think THS can run Fluke's 190 II firmware?? The keyboards are not identical the [meter] button is missing.
Patching the Fluke updater checking serials and things like that should be a joke.
The 190 II firmware has progressed much more than the THS3000.
https://www.fluke.com/en-us/support/software-downloads/fluke-190-series-ii-2-and-4-channel-instruments-with-firmware-version-v0900-onwards
THS' v1.10 corresponds to Fluke's V10.41

« Last Edit: October 14, 2024, 06:45:16 pm by patpat »
 

smaultre

  • Regular Contributor
  • Posts: 188
  • Country: us
My little addition, QI (like a query ?) and (RI)??? (like "write on", or maybe WI?) as I remember more than two years ago..
So we can read and write serial and models numbers.
But changing the models numbers, does not affect on performance GS\s..
Start a new life here!!!
 

patpat (Topic starter)
The pair is QI/CI, I think Query Instrument  and Configure Instrument
I have changed Model and Serial w/o issue.
QI works on OS mode
CI requires the maintenance mode
Code: [Select]
EM
MAINTENANCE

CI xx1,yyy1
CI xx2,yyy2
...

RC
EO

Manually entering commands in maintenance mode is very easy to make mistakes, we need to be careful in this mode

Best,
Pat
 

smaultre
Yes! Thank you Pat!!
Additionally some data dumps from COM port to explain how application updates firmware Fluke 199 series

You can backup and restore cal data and config by QC\WC on Fluke 199

Code: [Select]
0

0
SO
1
PC 19200
0
IS
0
26696
ID
0
FLUKE 199C;V07.06;2008-01-23;ENGLISH,FRENCH,SPANISH,PORTUGUESE
QI 11
0
13150000
.
.
0

0
SO
1
PC 19200
0
IS
0
14408
ID
0
FLUKE 199C;V07.06;2008-01-23;ENGLISH,FRENCH,SPANISH,PORTUGUESE
QI 11
0
13150000
EM
0
MAINTENANCE
0
QI 10
0
199C
QC
0


"HERE CONFIG"

EO
0
EM
0
FLUKEUHM
0
XXXXXXXXXXX0
WW10000000,4,0002000200020002
0

.........

"HERE FLASH"
........

RI
0
.
0

0
PC 19200
0
EM
0
MAINTENANCE
0
WC
0

"HERE CONFIG"

0
0
RC
0
CI 10,199C
0
RC
0
EO
0
ID
0
FLUKE 199C;V08.04;2009-11-05;ENGLISH,FRENCH,SPANISH,PORTUGUESE
EM
0
MAINTENANCE
0
CI 12,0
0
CI 13,confix
0
CI 14,0
0
CI 17,110195
0
CI 18,y
0
CI 320,N
0
RC
0
EO
0
RD
0
1995,1,1
WD 1995,1,1
0
IS
0
24648
WD 1995,1,1
0
GD
0
...


And from R&S FSH3 series

You can backup and restore cal data and config by QC\WC on R&S FSH3 series


Code: [Select]
D
@
0

0
IS
0
24672
EM
0
maintenance
0
PC
0
115200
0
115200
0
IS
0
8289
ID
0
Rohde&Schwarz,03,1340102000,V7.20,2004-08-31 13:39:50,WORLD
QI
0
400
2
QI
0
11
0
1340102000
QC
0

"HERE CONFIG"

EM
0
galaxy
0
XXXXXXXXXXX0
WW10000000,4,0002000200020002
0
WB48000000,200,10402DE91040BDE8FFFFFFEA10402DE9050500EBA00500EBCD0500EBF60500EBD30800EB2A0900EB1040BDE8330900EA00472DE90090A0E1893489E0033189E08331A0E18CC99FE50CC093E700005CE3893089E00331A0E17CC99FE50200000A0C0093E7160000EB140000EA0CA093E70080A0E30A00A0E12F0100EB010050E30100A0030D00000A893489E0033189E08331A0E144299FE502C083E088C18CE028C09CE50AA08CE0018088E21CC082E20CC093E70C0058E1EDFFFF3A0000A0E30087BDE800472DE90080A0E100E0A0E30000A0E3803080E00331A0E1F8189FE5032091E7020058E10B00003A04C081E20CC093E702C08CE00C0058E10400009A08C081E20CC093E702C08CE00C0058E10100008A01E0A0E3010000EA010090E2EBFFFF0A00005EE32800000A2E0200EB020C50E3E50000BAED0000CA2B0000EA03C0C8E398189FE500C081E5FF30A0E3FF3883E200308CE500C091E500308CE55030A0E3053683E200C091E500308CE53030A0E3033683E200C091E500308CE5D030A0E30D3683E200C091E500308CE54C189FE500C091E500209CE58030A0E3023583E2030012E1F8FFFF0AFF30A0E3FF3883E200308CE500C091E500308CE54000A0E3010580E2000012E17300000A0100A0E3040000EA10C0A0E301C68CE20C0012E1F9FFFF1A0000A0E30087BDE803C0C8E3E8179FE500C081E5F030A0E3
0
.........

"HERE FLASH"
........

RI
0

t
D
0

0
IS
0
24672
PC
0
19200
0
19200
0
EM
0
maintenance
0
WC
0

"HERE CONFIG"

WD
0
2020,9,11
0
WT
0
1,28,50
0
ID
0
Rohde&Schwarz,03,1340102000,V14.0,2011-01-24 09:59:28,WORLD
RI
0

D
D
0

0
IS
0
24672


Maybe we can also enable options on R&S as FSH3 -TV??
« Last Edit: October 16, 2024, 08:04:42 am by smaultre »
Start a new life here!!!
 

squadchannel
helpful information. Thanks. :-+

I am currently working on a flash dump and restore tool for THS.

As you know, Fluke's scopemeter series(early. 5-button), Tek's THS3000 and Rohde's FSH(early. 5-button) are based on the Fluke “Spider” chipset.
Therefore, it is also obvious that they are equipped with the exact same UHM software.
I was convinced when I saw the FSH firmware today. It is exactly the same update tool, Flashtool.ini encryption.

wait a little longer.

Currently, i know that the adjustment data that can be obtained by the QC command after entering the MAINTENANCE mode is slightly different from the data written by the WC command.

The adjustment data sent by the WC command is divided into blocks (3E3h for THS3000), and a header is added to the beginning of each block, and a checksum is added to the end of each block, which is then sent to the scope.
The scope side checks the data received by the WC command against the checksum, and if they match, only the "real" adjustment data without the checksum is written.

Flashtool.exe also generates a file with a .CAL extension in the Temp folder.
In the case of the THS3000 updater, inside you will find the results of QI10, 11, and 12 runs and the adjustment data obtained by the QC command.
It will be deleted after the updater is completed, but if you backup it during the update, it will be useful in case something goes wrong.
It won't mean anything once the update is done, though.

If I go into too much detail, it would get out of the scope of this topic, so I'll leave it at that.

Not sure about the options, maybe they can be unlocked via serial commands, like Bushealth on Fluke's C-series.
Or if there is a menu to enter a code to unlock an option similar to the Fluke scope, there may be a way to generate a key.
I too would like to know how patpat's keygen works.

If you don't mind, could you attach the sniffed data? You may exclude the adjustment data.
« Last Edit: October 16, 2024, 09:30:12 am by squadchannel »
 

patpat (Topic starter)
@smaultre
Not having the units connected now, then you say
QC/WC Query Calibration / Write Calibration
QC and WC deal with pure ASCII or a binary blob? knowing this correctly is critical for developing a good Calibration Backup

Do you know links to current firmware for the R&S FSH3/6 family?
Edit01: Found it.


@squadchannel
I agree with you about the same firmware but to be 100% certain we should compare both
THS3000_FW_v0102_Installer.zip
Flash_190II_V10_41.exe
both versions are "symmetric" because both fix the same "Safety Notice and Recall" of the previous FW version where the voltage
reading could've been wrong by a factor of 10.
We have THS3000_FW_v0102_Installer.zip; so far I couldn't find Flash_190II_V10_41.exe (archive.org is down)

The differences between what QC gives and WC takes are critical for developing any serious back-up software.
I think there should be a binary oriented pair of commands just taking a binary blob, that's what I think we need to find and it seems QC/WC is not the answer.
Do you know if WC takes a binary blob? dividing it in 0x3E3 chunks and adding checksums makes sense in order to validate the unreliable serial connection.
I do not know if this segmentation is also valid for the Fluke 199C family.

BTW when you say -adjustment data- you mean "Calibration Data" right?

About options on the THS3000, I already tried using the serial approach with CI 17, and the rest of CIs commands found encrypted in the cpl file for the 199C family updater but they did not work.
I emailed people owning Fluke190-204 II and they also "cannot" find the Bushealth Code screen, then things are challenging.

Now I'm looking at assembler, I found some phone fw image using a similar version of Nucleus Plus (RTOS) that had debug info on it then that helped a bit
finding the keyboard pipe, function handlers etc, much better than before but still pretty cryptic, let's see.

The point today is understanding if the Bushealth Code screen is reachable or the access is removed in the 190/THS3000 family
Also if there's some other CI command that is necessary not only the CI 17, for the serial approach to work in this case

What "sniffer" data do you need? you can send me PM (I think).

Best,
Pat

« Last Edit: October 17, 2024, 01:16:01 am by patpat »
 

squadchannel
I would like to see the entire sniffing data that smaultre posted. It would be helpful if you could attach it.

Because the commands in the updater only use 2 (CF,PF) of the 7 EXTENSION COMMAND that are defined.
know if this is only the case for THS3000.

I tried writing the 190II_V11_46 binary to the THS3024. It works fine.
I also tried writing the calibration data to the 11.46'ed 3024. It is recognized normally. No error also appears.
It is safe to assume that the pcb are exactly the same. However, the keypad layout is different from 190II. It is not usable.

At present, are in a situation where I can analyze the data without worrying.
It is no longer necessary to go to the trouble of soldering a flash to write. Everything can be solved with serial commands.

The waybackmachine is provisionally available.
was available to some extent from the archived fluke site., but could not get the 10.41 updater.
11.10 was available, which is the next oldest after 10.41.
The updater I was able to obtain is attached.

Difference between data in qc and wc:
Code: [Select]
23 30 80 03 E3
is added at the beginning.

Code: [Select]
03 E3
is the chunk size.
Then, for each chunk,
Code: [Select]
?? ?? 0D 30 0D 23 30 80 03 E3
continues to the end. The last chunk has a different size.
I believe that the two bytes indicated by "?" are calculated with some kind of checksum. It is different for each chunk.
The updater adds 0D for each completed transmit(each chunk).
This is the same behavior as when writing to flash with the EXTENSION command.

Code: [Select]
30 0D
is not relevant. I believe it is an ACKN response from the scope.

The way I dumped it, I put TX and RX in an AND gate and receive with a separate USB serial adapter. So all data sent and received is sniffed.

Also, the firmware of the internal PIC microcontroller was found to be included in the flash dumps and LDFs.
there seems to have been an update to that in V11.20.
The comma-separated first part of the subversions shown in the scope's VER&CAL is the firmware version of the PIC microcontroller; the second is the firmware version of the FTDI VNC1L.

Just to be safe, I dumped the firmware of the PIC microcontroller with TL866 before applying 11.46 to THS. attaching it in case it fails, but can probably extract it from the updater LDF file.
« Last Edit: October 17, 2024, 04:38:39 pm by squadchannel »
 

patpat (Topic starter)
@squadchannel
You uploaded 190II_V11_46 binary to THS3024:
How did you do it? burning Flash or serial?
Remember editing the flashtool.ini of the 190II_V11_46.exe with the decrypting tool
should be enough for flashing the scope in the regular way.
You say that the THS with Fluke FW is unusable: why?
wouldn't be just like using a Fluke 190 only in "Scope" mode (No Meter Button)?


I carefully tried understanding the format of the packet but it is not clear, do you have WC command capture to attach?
In your sniffing capture you should see

Code: [Select]
WC20[Header][Payload][Trailer]...[Header][Payload][Trailer]0D
some ASCII to remember
0D  Carriage Return
20  Space
23  #
30  0
31  1
32  2
...
39  9

Now could you please describe the [header] and the [Trailer]
thanks


@smaultre
I looked at the FSH code I clearly see the following features
1   DEMO
2   B1
3   K2
4   K1
5   K3
6   K21
7   K22
8   K4
9   K60
A   K15

It seems each pin is also a 10 digit number, different pins should enable different feature always based on SN of course,
Are you able to reach the Feature Pin window?

Best,
Pat


 
« Last Edit: October 17, 2024, 11:26:35 pm by patpat »
 

squadchannel
Quote
You uploaded 190II_V11_46 binary to THS3024:
How did you do it? burning Flash or serial?

Serial. can write by using EXTENSION COMMAND.
I have tried the write commands available in UHM mode, such as PB and WB, but they do not seem to work for flash areas.
0 is returned for ACKN, which seems to be normal, but when I read it in RB, it is not written.


Quote
Remember editing the flashtool.ini of the 190II_V11_46.exe with the decrypting tool
should be enough for flashing the scope in the regular way.

it will work if I rewrite flashtool.ini, but the EXTENSION COMMAND is different for the 190II and THS.
Since we do not know how this will affect the scope, used the THS one for EXTENSION COMMAND and the 190II one for the data to be written.

Quote
You say that the THS with Fluke FW is unusable: why?
wouldn't be just like using a Fluke 190 only in "Scope" mode (No Meter Button)?

As mentioned, the keypad layout is different.
It can be used to some extent, but the lower buttons(v) on the trigger level serve a different purpose.
If the keypad layout can be changed, it can be used.
Waveform acquisition is working fine, as is saving, etc. Calibration data can also be used without modification from THS.

WC and RC data is attached in #18. https://www.eevblog.com/forum/testgear/fluketektronix-bushealth-code-192c196c199c215c225c190-(i-ii)-ths3000/msg5680847/#msg5680847
If it is all data, it is in #11. https://www.eevblog.com/forum/testgear/fluketektronix-bushealth-code-192c196c199c215c225c190-(i-ii)-ths3000/msg5677207/#msg5677207
« Last Edit: October 18, 2024, 12:43:59 am by squadchannel »
 

patpat (Topic starter)
This is the WC command format in hex

where each chunk is of the form
[Header][Payload][Trailer]

[233080nnnn][Payload][xxyy0D300D]...[233080nnnn][Payload][xxyy0D300D]

nnnn=payload size
xxyy=some sort of checksum

Edit01
The capture not making distinction between TX and RX bytes makes me think that the previous Trailer
might include an ACK from the scope then could be
[Header][Payload][Trailer]{Scope ACK}

[233080nnnn][Payload][xxyy]{0D300D}...[233080nnnn][Payload][xxyy]{0D300D}
« Last Edit: October 18, 2024, 01:37:43 pm by patpat »
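
The chunk layout proposed in the post above, as an added example that is not part of the thread or of any vendor tool: a parser that walks a sniffed WC transfer by the `nnnn` length field, keeps the two `xxyy` bytes as opaque data (their algorithm is not known on this page) and accepts captures with or without the scope's reply bytes. The capture is constructed, and the names `parse_wc_capture` and `build_constructed_capture` are hypothetical.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

MAGIC = b"\x23\x30\x80"   # start of each chunk header as posted: 23 30 80
TX_END = b"\x0d"          # CR the updater appends after each chunk
SCOPE_ACK = b"\x30\x0d"   # "0" CR, believed in the thread to be the scope's ACK


@dataclass
class Chunk:
    offset: int      # position of the header inside the capture
    payload: bytes   # nnnn bytes of calibration data
    trailer: bytes   # the two "xxyy" bytes, kept as-is
    acked: bool      # True when 30 0D followed the chunk


def parse_wc_capture(data: bytes) -> List[Chunk]:
    """Split a capture into chunks using the big-endian length field.

    Framing by length, not by searching for 23 30 80, matters because the
    payload is binary and may contain those three bytes itself.
    """
    pos = data.find(MAGIC)            # skip the "WC" command line, if present
    if pos < 0:
        raise ValueError("no 23 30 80 header in capture")
    chunks = []
    while pos < len(data):
        if not data.startswith(MAGIC, pos):
            if data[pos:].strip(b"0\r") == b"":
                break                 # only trailing ACK / CR bytes remain
            raise ValueError(f"unexpected bytes at offset {pos:#x}")
        if pos + 5 > len(data):
            raise ValueError("capture ends inside a chunk header")
        (size,) = struct.unpack(">H", data[pos + 3:pos + 5])
        end = pos + 5 + size + 2      # header + payload + xxyy
        if end > len(data):
            raise ValueError(f"chunk at {pos:#x} is truncated")
        chunk_start = pos
        payload = data[pos + 5:end - 2]
        trailer = data[end - 2:end]
        pos = end
        if data.startswith(TX_END, pos):
            pos += 1
        acked = data.startswith(SCOPE_ACK, pos)
        if acked:
            pos += 2
        chunks.append(Chunk(chunk_start, payload, trailer, acked))
    return chunks


def build_constructed_capture(with_ack: bool = True) -> Tuple[bytes, List[bytes]]:
    """Constructed sample: one 0x3E3-byte chunk and a shorter last chunk.

    The first payload deliberately starts with 23 30 80, and the trailer
    bytes are placeholders, not real checksums.
    """
    payloads = [(MAGIC + bytes(range(256)) * 4)[:0x3E3], b"\x55" * 0x10]
    trailers = [b"\xaa\xbb", b"\xcc\xdd"]
    out = b""
    for payload, trailer in zip(payloads, trailers):
        out += MAGIC + struct.pack(">H", len(payload)) + payload + trailer
        out += TX_END + (SCOPE_ACK if with_ack else b"")
    return out, payloads


if __name__ == "__main__":
    capture, _ = build_constructed_capture()
    for c in parse_wc_capture(capture):
        print(f"offset {c.offset:#06x}  size {len(c.payload):#05x}  "
              f"trailer {c.trailer.hex()}  acked={c.acked}")
```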
 

squadchannel
In 190II firmware, BUSHEALTH can be enabled with the CI 17 command; Medical does not seem to be enabled.

However, when in BUSHEALTH mode, the screen whiteouts. it is possible to turn BUSHEALTH off with the F4 key.
It appears to be an incomplete mode.

The CI 14 command rewrites $4000816C by 2 bytes.
I tested this on a V11.46'ed THS3024. Not sure how it works with the real 190II. :-//


mains voltage in japan.
It is unfortunate that the METER mode is not available in THS firmware.

CI 14 is a command that can limit the languages that can be selected. $4000816C 2bytes change.
THS uses a different language list than 190II. (not available S.CHINESE and T.CHINESE in 190II)


the CI 60 can change the input type of the scope.
0=4ch
1=2ch+DMM
2=4ch
CI 60 command rewrites $400080BF by 1 byte.
2ch+DMM is a model with both DMM and scope functions.
set to CI 60,1 (2ch+DMM), the DMM mode can be used in THS.

I could not measure the resistance, but it beeps in Continuous mode.
I immediately put it back in because I think I will break the frontend if I go too deep. (THS is 0.)
« Last Edit: October 18, 2024, 02:06:21 pm by squadchannel »
 

patpat (Topic starter)
Good Findings,
Confirmed
CI 17,110195
is the way to activate Bushealth in Fluke both 199C and 190 families,
I wonder if THS having a different UI even has the option available or it was never included.
When is the blank screen triggered? does it on its own or after some keyboard interaction?

I can also confirm that the "Medical" option does not work on 199C

In THS there's not [Meter] button but I wonder if there's not Serial commands controlling the UI

Best,
Pat
 

squadchannel
The Meter button unfortunately resides in a key matrix that is not assigned in THS.
The red text is where it differs from THS.



When BUSHEALTH enters the mode, it automatically starts the diagnostics.
The program for that diagnostic screen seems to be incomplete and appears to be a white screen.
It seems that the screen is only white, but the keys can be operated, and pressing the F4 key to turn it off will return the screen to its original state.
Also, the scope gets stuck when WIRING INFO is pressed. Overall bushealth mode seems to be an incomplete program.
« Last Edit: October 18, 2024, 02:49:55 pm by squadchannel »
 

