MSO2000 Application module hack

[Lunasix]

I just found at a reasonnable price a MSO2024 with the original DPO2COMP module. I would never have thought, before reading this post, that there was nothing else in this module...
Fortunately, the global price was made whithout taking into account this module.

[relu]

So, did anybody tried this hack?

I have order the boards, the sim card holder and the memory. Soldered everything. Programmed the memory with the PICkit2.
check that the eeprom is programmed correctly. plug in the module (another small PCB taped to have the right width).

Aaaaand it doesn't work.
Maybe I haven't checked carefully enough if the module makes contact with the scope.
or maybe because I have Firmware version v1.52 PP3 15-Aug-12.
or what other?

Would be nice to hear that someone tried it and it works. . .

[Lunasix]

Tested for fun (I have original one) with very old revision and then with last revision, no problem. With a 08 eeprom, A2 (hard and soft) will always be 0. A1 and A0 are only selected by scope software, and A0 remains to 0. A1 will select key 0 or key 1 (normally, A1 is hard coded from slot to eeprom pin, allowing two keys), and will select in the eeprom the corresponding virtual key. Reading starts at address 04, find the string (terminated with 0) and reads 3 more bytes at FF (thus, ending on a 16 bytes boundary). If the scope reads garbage (or 0xFF), it will say it needs a software update, since value in the key isn't recognized (but supposed to be valid).

[Lunasix]

Small eeprom (BGA, 0.8 x 0.8 mm)  is wired directly on back of sim connector (don't drink before....).

[drsurfer]

Relu, I was about to post the same message    you did exactly what I did, ending in the very same frustration   

My scope is MSO 2024B with same v1.52 PP3 15-Aug-12 firmware.

As soon as I can I will borrow another scope and I will connect to eeprom's I2C bus to understand what's going on.

The first stupid thing I will try is to write protect the EEprom (the damn trace to cut is under the chip). A successful write could easily tell the presence of an EEprom in place of a ROM (or a write protected EEprom).

Lunasix, can you clarify what do you mean with "old revision" and "last revision"? Scope firmware version ?


DrSurfer

So, did anybody tried this hack?

I have order the boards, the sim card holder and the memory. Soldered everything. Programmed the memory with the PICkit2.
check that the eeprom is programmed correctly. plug in the module (another small PCB taped to have the right width).

Aaaaand it doesn't work.
Maybe I haven't checked carefully enough if the module makes contact with the scope.
or maybe because I have Firmware version v1.52 PP3 15-Aug-12.
or what other?

Would be nice to hear that someone tried it and it works. . .

[Lunasix]

When I bought my scope (MSO2024), the software version was very old (2009 I think) and I've installed the v1.56 PP3 17-Jul-14 11:00 firmware.

It is very difficult to remove the original Tektronix key I have (RS232), the new one is a bit smaller and very easy to remove thanks to the hole in the plastic support.

Recently, I have had a problem : sometimes, the scope was displaying a warning "Not allowed to remove key during working, please reboot" (or something like that) and I was obliged to reboot the scope, and finally, the key was not working any more. A bad solder of a wire (SCL, not realy soldered, in place thanks to solder flux) was the source of the problem, now all is fine.

I have programmed the eeprom with a board I have (PIC32), with a modified program, but I've seen that it was possible with MPLab.

Eeprom is CAT24C08C4ATR, without write protect pin, but I've tested with Atmel 24C08, and the write protect pin was tied to VSS

I've connected a Saleae analyzer with I2C protocol and nothing noticed like write attempt. It's only reading : if eeprom acknowledges readings, the scope has found a key. If the string is a valid one, it's ok, if not (like empty eeprom, all 0xff), it says it has found a key, and it asks for an update frmware as it can't use the unknown key. If you see nothing of that, you can be sure that the eeprom doesn't respond. First, try with an empty eeprom. If you see what I've described, try to programm it, if not, understand why.

[drsurfer]

Thanks Lunasix.
I never saw any message from the scope.

My eeprom is programmed with all 0xFF but the null terminated strings at 0x004 and 0x204.
According to your notes, if it was wrong I should see a specific message from the scope, but this didn't happen.

My PCB is simply put in place with a cardboard . As far I can see, there isn't any "module presence switch", am I right?

At this point I would feel more relaxed if I could try the slot with an original module, but I don't know anyone can borrow it near to me.

Ciao
DrSurfer

[Lunasix]

It's I2C : if circuit is present at right address, it responds. With a scope, it will not be obvious as there are other components on the bus, and eeprom access is not at the beginning. You should connect 4 wires (VSS, VDD, SCL and SDA) going out of the scope and verifiy that all are correct, before attempting to connect the eeprom.

[drsurfer]

Ok, finally it worked!!!!

It was simply a mechanical issue: I just filed the PCB to allow it to enter more deeply into the slot.
I did it because looking at your photos, I had the feeling that on my device the distance between the contacts and the board edge was larger.

Just to be sure and build a finally reliable device, could you kindly provide me some actual measurements of your module? I need the outside dimensions of the module and the distances of the contacts from the edges. I refer to "contacts" because I have a different type of SIM card connector (see Relu's post).

Thanks for your support and patience!

[Lunasix]

Size of a key : 33.4 x 10.4 x 4.4mm (lightly smaller than the original, and without retaining slot, as the original is very hard to extract).
Center of sim connector is at 11.95mm from left side of key and on center in vertical direction.

[drsurfer]

Thanks for your info.
So it's confirmed that the PCB published (and the SIM socket choosen) is simply too big. 
The center of SIM connector on it is at ~15 mm from the edge, so it's mandatory to file it as much as possible to have a reliable contact with the scope pads.

I did a little investigation on the strings inside the last firmware, hoping to find a "magic" string that will enable at same time all the three features available. It seems this does not exist, but there are five strings that could enable some undocumented/abandoned/<whatever> features.

Code: [Select]

DPO2EMBD    Embedded Serial Triggering and Analysis
DPO2AUTO    Automotive Serial Triggering and Analysis
DPO2COMP    Computer Serial Triggering and Analysis

DPO2AUTOMAX Extended Auto Serial Triggering and Analysis
DPO2VID     Extended Video
DPO2AUDIO   Audio Serial Triggering and Analysi
DPO2PWR     Power Analysis
DPO2BTA     Beta Enabled

DPO2VID is the only string I've found referenced in some Tek docs related to our scopes.
I hope that someone finds the time to do a little experimentation on these. 

[Lunasix]

Thanks !

I will try asap.

[Lunasix]

AUTOMAX and VID are correctly detected. But I can't see any difference between AUTO and AUTOMAX, probably none, and video trigger (SECAM/PAL/NTSC) is now useless, and is already available without any key.
Others have no effect, except warning.

[drsurfer]

May be deeper in the firmware there are hidden other exploits, but I feel satisfied of the results I got and I will not spend more time on it.
BTW, the binary format of firmware is straightforward, and even a linux beginner (like me) can easily find the way to do some investigations on it, so I will not disclose any details on the process.

Ciao
DrSurfer

[Dreamster]

Reading starts at address 04, find the string (terminated with 0) and reads 3 more bytes at FF (thus, ending on a 16 bytes boundary). If the scope reads garbage (or 0xFF), it will say it needs a software update, since value in the key isn't recognized (but supposed to be valid).

Hi.

Can you elaborate on this? I see the request for software update but I am already at 1.56. Apart from the bytes set to DPO2COM\0 or EMBED, what should the rest of the eeprom be set to.

Regards

[drsurfer]

All 0xFF, as in an erased eeprom.

[Dreamster]

All 0xFF, as in an erased eeprom.

 
It does by the way work better if you remember that there is a difference between 2 as in ascii STX and 50 as in ascii "2"
Actually wrote this comment before trying out the fix once I located my error. I should probably go home and sleep.

[relu]

Hi all,

I was quite busy lately, forgot to report that I finally got the module working.
The problems was mechanical, there was poor contact between the module and oscilloscope.

It seems that the sim connector on the PCB's I have ordered from OSH Park needs to be soldered right on the edge.

See attached my module. . .

[luisprata]

Eeprom worked for me.

Besides that, I sniffed I2C bus of Application module slot...   I found 0x76, 0x2b, 0x50 and 0x52 address. 0x50 and 0x52 are for eeprom reading... But what are the others for?

BTW, I have a MSO2014 and I'm trying to upgrade bandwith...
I figure out MPC870 U13(SMTX) and T12(SMRX) pins are routed to B23 and B25 pins on external connector...
I'm going to build a TTL serial cable and try to get access to linux.

[luisprata]

Here is what I got

"

U-Boot 1.1.4 (Oct 29 2008 - 14:14:00) Tektronix, Inc. V1.01

CPU:   MPC870ZPnn at 133.333 MHz: 8 kB I-Cache 8 kB D-Cache FEC present
Board: Tektronix Fusion MPC870 Main Board
  Version: 4 (QUAL) 4 channel  MSO
  Tek0001A ChipId:      0x1400c
  Tek0001A SubBlocksId: 0x0
  Tek0001B ChipId:      0x1400c
  Tek0001B SubBlocksId: 0x0
  CPLD Version:         0x11
I2C:   ready
DRAM:  64 MB
FLASH: 32 MB
In:    serial
Out:   serial
Err:   serial
Net:   FEC ETHERNET
Enter password - autobooting in 3 seconds
## Booting image at efec0000 ...
   Image Name:   Linux-2.4.20_mvl31-885ads
   Image Type:   PowerPC Linux Multi-File Image (gzip compressed)
   Data Size:    1278107 Bytes =  1.2 MB
   Load Address: 00000000
   Entry Point:  00000000
   Contents:
   Image 0:   868895 Bytes = 848.5 kB
   Image 1:   409199 Bytes = 399.6 kB
   Verifying Checksum ... OK
   Uncompressing Multi-File Image ... OK
cmdline is console=ttyS0,115200 quiet bigphysarea=10570 panic=2 root=/dev/mtdblock4 rw mem=175190k  NO_option_board
   Loading Ramdisk to 03e3a000, end 03e9de6f ... OK
No option module board found
Checking for firmware update...
No USB mass storage devices found to update from.
Linux 2.4.20_mvl31-885ads V 1.06 Tektronix Fusion Tue Apr 26 14:44:49 PDT 2011
Warning: loading NiDKEng-1.6 will taint the kernel: non-GPL license - Proprietary
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Warning: loading NiDUsb-1.6 will taint the kernel: non-GPL license - Proprietary
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Warning: loading tek will taint the kernel: non-GPL license - Proprietary
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules

 Scope application starting (normal mode)
-----------------------------------------------------------------
  Running Init code
versionBuildFWVersionString(), TimestampString:               17-Jul-14  11:00 
versionBuildFWVersionString(), VersionFIRMWAREVERSIONversion: v1.56
versionBuildFWVersionString(), Major ver num: 1 Minor ver num: 56
   hwInit
    mpc8xx GPIO open successful
     Initializing Mpc8xx[0]
    adg420a open successful.
    adg420b open successful.
     Initializing Adg420[3]
     Initializing Adg420[2]
     Initializing Adg420[1]
     Initializing Adg420[0]
    adg420b open successful.
     Initializing ExtTrig[0]
    adc08d1020a open successful.
    adc08d1020b open successful.
     Initializing Adc08D1000[1]
     Initializing Adc08D1000[0]
     Initializing Dac121s101[1]
     Initializing Dac121s101[0]
     Initializing ad5160[0]
    ad5305 open successful.
     Initializing ad5300[0]
     tek0001 detected, patching device offsets.
    lm95241[0] open successful.
    lm95241[1] not present.
     Initializing Lm95241[1]
     Initializing Lm95241[0]
     Initializing ResetCpld[0]
Factory Checksum: Stored: 26914, Calculated: 26914 - OK
Spc CheckSum: stored: 6395 calculated: 6395 - OK

 Starting POST diags

 Finished POST diags
ERROR in fpSharedPublic.cpp at 44: Could not get expected fp SW versiin.
Fp Id response: 6 4 19
Front Panel Software Rev 19 - expected -1.
Installing -1 in front panel.
  fpSRecCheckSum /usr/local/nv/route66_fp.s19
  fpSRecCheckSum: open /usr/local/nv/route66_fp.s19 failed
  Checksum failed for /usr/local/nv/route66_fp.s19
Fp software update function reports failure.
IO error reading fp id after reprogram.
Fp Id response after code update: 128 128 128
Fp Id query response NOT as expected after update.
cfgGetBoardModel: modelID 4 idStr MSO2014
 hcPtpInit: Starting PictBridge PTP subsystem
 fusadInit
   utilInit
-----------------------------------------------------------------
  Running Start code
 diagStart
 fusionTrigStart(): calibrateTrigIf() ran 1 times and passed
 fusionTrigStart(): testTrigIf() for TEK0001A returned 0
 fusionTrigStart(): testTrigIf() for TEK0001B returned 0
 fusadStart
-----------------------------------------------------------------
  Running Run code

 wfmMgr OK for diags
 diagRun
 fusadRun
eth0: unknown interface: No such device
eth0: unknown interface: No such device
 enetLinkPresent: ioctl failed, errno 19
 enetLinkPresent: ioctl failed, errno 19
-----------------------------------------------------------------
 Scope startup complete; duration = 23.842631 seconds
=================================================================

PID to Task info:

PID: 62 ThrdID: 16386   Task: tUsrRoot
PID: 63 ThrdID: 32771   Task: tExcTask
PID: 64 ThrdID: 49156   Task: errSuspendAllThread
PID: 65 ThrdID: 65541   Task: hwIntReceiver
PID: 66 ThrdID: 81926   Task: fpIntTask
PID: 67 ThrdID: 98311   Task: fpIrqMonitor
PID: 68 ThrdID: 114696  Task: usbHotplug
PID: 0          ThrdID: 131081  Task: probesSharedUnloadCmdQueueThread
PID: 70 ThrdID: 147466  Task: fusad executive
PID: 71 ThrdID: 163851  Task: UsbTmcOutputMgr
PID: 72 ThrdID: 180236  Task: piUsb
PID: 73 ThrdID: 196621  Task: piVGpib
PID: 74 ThrdID: 213006  Task: Nios A listener
PID: 75 ThrdID: 229391  Task: Nios B listener
PID: 76 ThrdID: 245776  Task: exec
PID: 77 ThrdID: 262161  Task: autoset
PID: 78 ThrdID: 278546  Task: cal
PID: 79 ThrdID: 294931  Task: diag
PID: 80 ThrdID: 311316  Task: fp
PID: 81 ThrdID: 327701  Task: hc
PID: 82 ThrdID: 344086  Task: UsbSicInputMsgMgr
PID: 83 ThrdID: 360471  Task: wfmMgrTest
PID: 84 ThrdID: 376856  Task: search
PID: 85 ThrdID: 393241  Task: periodicZoom
PID: 86 ThrdID: 409626  Task: periodicClockAnimation
PID: 87 ThrdID: 426011  Task: periodicBusyIndicAnimation
PID: 88 ThrdID: 442396  Task: math
PID: 89 ThrdID: 458781  Task: meas
PID: 90 ThrdID: 475166  Task: measImmed
PID: 91 ThrdID: 491551  Task: piCmdIntfc
PID: 92 ThrdID: 507936  Task: probes
PID: 93 ThrdID: 524321  Task: ref
PID: 94 ThrdID: 540706  Task: rtl
PID: 0          ThrdID: 557091  Task: thttpd
PID: 112        ThrdID: 573476  Task: tVxi11SRQd
PID: 0          ThrdID: 589861  Task: tVxi11Rpcd
PID: 114        ThrdID: 606246  Task: tVxi11FlushThread
PID: 0          ThrdID: 622631  Task: bus
PID: 0          ThrdID: 639016  Task: debugConsole
PID: 117        ThrdID: 655401  Task: VgpibRead
PID: 118        ThrdID: 671786  Task: VgpibWrite
PID: 119        ThrdID: 688171  Task: UsbTmcEventDispatcher
PID: 0          ThrdID: 704556  Task: probesHandleBulkPowerChangeThread


  Power Up Completed at 11:26:36
Enter 'ctrl-\' twice to quit scopeApp
Received testTrigIfcMsgAck, nios = 1, payload = 10
Received testTrigIfcMsgAck, nios = 0, payload = 10
11:26:36 fusadSetNiosUsable
OK to connect by: telnet MSO2014-05GK9V 1072
11:26:41 --- Power Up Phase Cal - PASSED

MSO2014-05GK9V login:
MSO2014-05GK9V login:

"

[Edison517]

I wrote a quick program for Arduino that will program the 24LC08 chip to any of the 3 possible combinations. Just hook up the I2C lines and power & ground and run the program
http://pastebin.com/raw/AMZRxq3T

[luisprata]

After some work, I`ve removed password for root, accessed command line and went into dir /usr/share/tek where i found "fw_setenv" and executed:

./fw_setenv model "MSO2024" 

After that, my oscilloscope thinks it is MSO2024.

I think it could be possible just changing fwEnvUpdate.sh. So you have to mount firmware.img, change fwEnvUpdate.sh, change md5sum.txt with new md5 for fwEnvUpdate.sh, umount and that`s it.

To change the file, put before last line of fwEnvUpdate.sh:

$FW_SETENV model "MSO2024"
echo "Finished updating environment variables."

Besides showing MSO2024 I can't test performance after modification. If someone tested, please tell us.

Sorry about bad english.
Thanks.

[DiodomanX]

I found this https://github.com/dmitrodem/tek_softhack, and install the modified firmware in my DPO2012B and all modules was unlocked, but i have an issue, without the modified firmware autoset take 2-3 seconds to work with 1M point record, with the modified firmware it takes about 5 and a half second, any one with hardware module can check this. Same for math functions, and i dont know if affect the decode of buses. Can someone confirm, i can share my update image.

Enviado desde mi XT1563 mediante Tapatalk

[luisprata]

DiodomanX,

Thank you for the tip for software unlock.
About autoset, I measured the time and it is about 3.8s with 1 channel enabled and probing 1kHz compensation signal. With or without hardware keys.
But when I enable all 4 channel the time rises to 7s.

Luis AP Barbosa.

[DiodomanX]

Then it is normal that time is increased, some progress in testing to increase the bandwidth?

Enviado desde mi XT1563 mediante Tapatalk