Author Topic: MSO2000 Application module hack  (Read 61711 times)


Offline DiodomanX

  • Contributor
  • Posts: 16
Re: MSO2000 Application module hack
« Reply #75 on: February 10, 2016, 01:09:58 am »
I will do it this weekend. Can you tell me which IC I have to search for?

Sent from my XT1563 using Tapatalk

 

Offline luisprata

  • Regular Contributor
  • *
  • Posts: 58
  • Country: br
Re: MSO2000 Application module hack
« Reply #76 on: February 10, 2016, 02:10:45 am »
To check if you have a CPLD, take a look at this video (10min10sec). It's an Altera MAX II.


About bandwidth upgrade, my earlier tests were wrong.

After upgrading again, I could notice that FilterVu shows me a 200MHz max value instead of 100MHz before, and time/div decreases to 2ns instead of 4ns before. So I really think there is a chance that it has worked.

I really would like to test it with a signal generator to check the 3dB frequency.
« Last Edit: February 27, 2016, 03:57:41 am by luisprata »
 

Offline drsurfer

  • Contributor
  • Posts: 15
  • Country: it
Re: MSO2000 Application module hack
« Reply #77 on: February 10, 2016, 08:04:01 pm »
Hello

Quote
I really would like to find someone who has a 2024 and could connect a Linux console and capture the messages.

I have a MSO 2024B and I could do it for you.  8)
Please tell me exactly where I have to attach the RS232 level converter.
I read "MPC870 U13(SMTX) and T12(SMRX) pins are routed to B23 and B25 pins on external connector", but I'm too lazy to actually find them. ;D
« Last Edit: February 24, 2016, 08:00:16 pm by drsurfer »
 

Offline luisprata

  • Regular Contributor
  • *
  • Posts: 58
  • Country: br
Re: MSO2000 Application module hack
« Reply #78 on: February 10, 2016, 08:58:42 pm »
Look at expansion; you can put some small rigid wires into the connector.
They are the 8th and 10th positions, counting as shown in the figure.

Update: **** Please check the voltage on the TX and RX pins before connecting...
« Last Edit: February 12, 2016, 03:20:43 am by luisprata »
 

Offline drsurfer

  • Contributor
  • Posts: 15
  • Country: it
Re: MSO2000 Application module hack
« Reply #79 on: February 11, 2016, 08:29:45 am »
Luis, I did the connections according to your picture.

I've verified that the markings on PCB match with your previous post, B25=RX (input) and B23=TX (output).
I've connected GND to the matching pin on the other side, A23.

No significant voltage at pins: on TX I would have expected to see 3.3V or similar.

Then I've connected the TX pin (B23) and ground to my USB 3V3 converter;
I'm afraid to connect my converter output pin until I'm sure I'm doing right... :-[

No activity on terminal.  :(
Should I send some char to trigger the boot log start?

At what baud rate should the communication happen? (later) Ok, I've read in your posted log: 115200 bps.
« Last Edit: February 11, 2016, 11:04:17 am by drsurfer »
 

Offline luisprata

  • Regular Contributor
  • *
  • Posts: 58
  • Country: br
Re: MSO2000 Application module hack
« Reply #80 on: February 11, 2016, 02:03:34 pm »
Quote
Should I send some char to trigger the boot log start?
No.

Terminal should be configured to "No hardware hand shaking".

You have to get 3V when measuring the TX pin. If you don't, your connection is probably not good. You can use the metal case as ground.

Thank you.
 

Offline drsurfer

  • Contributor
  • Posts: 15
  • Country: it
Re: MSO2000 Application module hack
« Reply #81 on: February 11, 2016, 05:14:45 pm »
My dear friend, I think it's time to give up. :'( :'( :'( :'(

Trying to have a good contact, I think I've pushed the terminal too far: the connector spring contact went outside the black plastic shell.
It was pushed down so far that it was shorted to the ground terminal in front of it.  :palm:
This happens when your eyes are not so good as when you were young.

Now I have disassembled the board and using a microscope I was able to restore the spring in its slot.
Now when I measure voltage I read 220 mV from TX terminal, when the scope is turned on.
I suppose that I have broken the output stage of my chip; it didn't survive the overcurrent.  :'(

Two weeks later: it did survive, luckily. :phew: I was doing something wrong. What? I don't know! Who really cares?

« Last Edit: February 24, 2016, 08:03:34 pm by drsurfer »
 

Offline timb

  • Super Contributor
  • ***
  • Posts: 2536
  • Country: us
  • Pretentiously Posting Polysyllabic Prose
    • timb.us
MSO2000 Application module hack
« Reply #82 on: February 14, 2016, 11:12:38 am »
Quote
I found this https://github.com/dmitrodem/tek_softhack and installed the modified firmware in my DPO2012B, and all modules were unlocked, but I have an issue: without the modified firmware, autoset takes 2-3 seconds to work with a 1M point record; with the modified firmware it takes about 5 and a half seconds. Can anyone with a hardware module check this? Same for math functions, and I don't know if it affects the decoding of buses. Can someone confirm? I can share my update image.

Sent from my XT1563 using Tapatalk

Anyone done this for 1.56 firmware? I'm having a rough time getting crosstools to build. So a ready made image would be nice.
Any sufficiently advanced technology is indistinguishable from magic; e.g., Cheez Whiz, Hot Dogs and RF.
 

Offline DiodomanX

  • Contributor
  • Posts: 16
Re: MSO2000 Application module hack
« Reply #83 on: February 14, 2016, 01:58:40 pm »
I have a ready-to-flash image; I can share it with you.

Sent from my XT1563 using Tapatalk

 

Offline computer7geek9

  • Newbie
  • Posts: 9
  • Country: us
Re: MSO2000 Application module hack
« Reply #84 on: February 23, 2016, 05:06:47 am »
Does anyone have any info on doing this for an MSO3000B series? I know it is encrypted because it talks about loading keys in the manual. I really want to unlock it to 500MHz but this is the closest info I have found.
 

Offline miguelvp

  • Super Contributor
  • ***
  • Posts: 5550
  • Country: us
Re: MSO2000 Application module hack
« Reply #85 on: February 23, 2016, 05:13:39 am »
Quote
Does anyone have any info on doing this for an MSO3000B series? I know it is encrypted because it talks about loading keys in the manual. I really want to unlock it to 500MHz but this is the closest info I have found.

Not my post but maybe?  :-//
https://www.eevblog.com/forum/testgear/tektronix-dpomso-3000-and-4000-module/

Note: it links back to this thread but adds some additional information.
 

Offline computer7geek9

  • Newbie
  • Posts: 9
  • Country: us
Re: MSO2000 Application module hack
« Reply #86 on: February 24, 2016, 02:48:42 am »
So I had a bit of a drunk moment and thought I had the MSO3014B but it's an MSO2014B. I'm interested if anyone has had luck enabling the feature modules "DPO2AUDIO" or the other ones listed in the OS that are available only on the 3000 series and can confirm that they work?

Also, what did you do to remove the login password? I've always known the password of embedded Linux machines that I work on :P
 

Offline luisprata

  • Regular Contributor
  • *
  • Posts: 58
  • Country: br
Re: MSO2000 Application module hack
« Reply #87 on: February 24, 2016, 03:55:22 am »
computer7geek9,

In the message below, drsurfer says there are several strings in the source code, but only a few of them are properly recognized.
https://www.eevblog.com/forum/testgear/mso2000-application-module-hack/msg547336/#msg547336

About removing the password, it's related to the firmware update. You have to edit the passwd file and update the firmware. I don't know if it will be helpful with a generic embedded system.

« Last Edit: February 27, 2016, 04:01:38 am by luisprata »
 

Offline computer7geek9

  • Newbie
  • Posts: 9
  • Country: us
Re: MSO2000 Application module hack
« Reply #88 on: February 24, 2016, 04:37:37 am »
Ok, I was under the impression that he hadn't done anything with them.

I'll take a look at the firmware file and see what I can do after I program the eeprom and get that working. Thanks!
 

Offline drsurfer

  • Contributor
  • Posts: 15
  • Country: it
Re: MSO2000 Application module hack
« Reply #89 on: February 24, 2016, 06:59:04 pm »
Hi, you're right, personally I didn't try other codes, but "lunasix" did and all other codes were not working or unuseful.  :(

You're free to try again, but I'm afraid it's only a waste of time.  8)


Quote
Ok, I was under the impression that he hadn't done anything with them.

I'll take a look at the firmware file and see what I can do after I program the eeprom and get that working. Thanks!
 

Offline drsurfer

  • Contributor
  • Posts: 15
  • Country: it
Re: MSO2000 Application module hack
« Reply #90 on: February 24, 2016, 07:52:28 pm »
It's always a good sensation when you prove you were wrong. 8)
I don't want to know what went wrong the other time, something stupid, I think. :-// Maybe it's related to the old 1.52 firmware I had. I've just upgraded to the latest 1.56.

Anyway, here is the boot log for my MSO 2024B scope.

Code:

U-Boot 1.1.4 (Oct 29 2008 - 14:14:00) Tektronix, Inc. V1.01

CPU:   MPC870ZPnn at 133.333 MHz: 8 kB I-Cache 8 kB D-Cache FEC present
Board: Tektronix Fusion MPC870 Main Board
  Version: 4 (QUAL) 4 channel  MSO
  Tek0001A ChipId:      0x1400c
  Tek0001A SubBlocksId: 0x0
  Tek0001B ChipId:      0x1400c
  Tek0001B SubBlocksId: 0x0
  CPLD Version:         0x11
I2C:   ready
DRAM:  64 MB
FLASH: 32 MB
In:    serial
Out:   serial
Err:   serial
Net:   FEC ETHERNET
Enter password - autobooting in 3 seconds
## Booting image at efec0000 ...
   Image Name:   Linux-2.4.20_mvl31-885ads
   Image Type:   PowerPC Linux Multi-File Image (gzip compressed)
   Data Size:    1278107 Bytes =  1.2 MB
   Load Address: 00000000
   Entry Point:  00000000
   Contents:
   Image 0:   868895 Bytes = 848.5 kB
   Image 1:   409199 Bytes = 399.6 kB
   Verifying Checksum ... OK
   Uncompressing Multi-File Image ... OK
cmdline is console=ttyS0,115200 quiet bigphysarea=10570 panic=2 root=/dev/mtdblock4 rw mem=175190k  NO_option_board
   Loading Ramdisk to 03e3a000, end 03e9de6f ... OK
No option module board found

Checking for firmware update...
No USB mass storage devices found to update from.
Linux 2.4.20_mvl31-885ads V 1.06 Tektronix Fusion Tue Apr 26 14:44:49 PDT 2011
Warning: loading NiDKEng-1.6 will taint the kernel: non-GPL license - Proprietary
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Warning: loading NiDUsb-1.6 will taint the kernel: non-GPL license - Proprietary
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Warning: loading tek will taint the kernel: non-GPL license - Proprietary
  See http://www.tux.org/lkml/#export-tainted for information about tainted modules

 Scope application starting (normal mode)
-----------------------------------------------------------------
  Running Init code
versionBuildFWVersionString(), TimestampString:               17-Jul-14  11:00   
versionBuildFWVersionString(), VersionFIRMWAREVERSIONversion: v1.56
versionBuildFWVersionString(), Major ver num: 1 Minor ver num: 56
   hwInit
    mpc8xx GPIO open successful
     Initializing Mpc8xx[0]
    adg420a open successful.
    adg420b open successful.
     Initializing Adg420[3]
     Initializing Adg420[2]
     Initializing Adg420[1]
     Initializing Adg420[0]
    adg420b open successful.
     Initializing ExtTrig[0]
    adc08d1020a open successful.
    adc08d1020b open successful.
     Initializing Adc08D1000[1]
     Initializing Adc08D1000[0]
     Initializing Dac121s101[1]
     Initializing Dac121s101[0]
     Initializing ad5160[0]
    ad5305 open successful.
     Initializing ad5300[0]
     tek0001 detected, patching device offsets.
    lm95241[0] open successful.
    lm95241[1] not present.
     Initializing Lm95241[1]
     Initializing Lm95241[0]
     Initializing ResetCpld[0]
Factory Checksum: Stored: 29892, Calculated: 29892 - OK
Spc CheckSum: stored: 64237 calculated: 64237 - OK

 Starting POST diags

 Finished POST diags
Fp Id response: 6 4 19
Front Panel Software Rev 19 - no update needed.
cfgGetBoardModel: modelID 6 idStr MSO2024B
 hcPtpInit: Starting PictBridge PTP subsystem
 fusadInit
   utilInit
-----------------------------------------------------------------
  Running Start code
 diagStart
 fusionTrigStart(): calibrateTrigIf() ran 1 times and passed
 fusionTrigStart(): testTrigIf() for TEK0001A returned 0
 fusionTrigStart(): testTrigIf() for TEK0001B returned 0
 fusadStart
-----------------------------------------------------------------
  Running Run code

 wfmMgr OK for diags
 diagRun
 fusadRun
eth0: unknown interface: No such device
eth0: unknown interface: No such device
 enetLinkPresent: ioctl failed, errno 19
 enetLinkPresent: ioctl failed, errno 19
-----------------------------------------------------------------
 Scope startup complete; duration = 22.829660 seconds
=================================================================

PID to Task info:

PID: 62 ThrdID: 16386 Task: tUsrRoot
PID: 63 ThrdID: 32771 Task: tExcTask
PID: 64 ThrdID: 49156 Task: errSuspendAllThread
PID: 65 ThrdID: 65541 Task: hwIntReceiver
PID: 66 ThrdID: 81926 Task: fpIntTask
PID: 67 ThrdID: 98311 Task: fpIrqMonitor
PID: 68 ThrdID: 114696 Task: usbHotplug
PID: 0 ThrdID: 131081 Task: probesSharedUnloadCmdQueueThread
PID: 70 ThrdID: 147466 Task: fusad executive
PID: 71 ThrdID: 163851 Task: UsbTmcOutputMgr
PID: 72 ThrdID: 180236 Task: piUsb
PID: 73 ThrdID: 196621 Task: piVGpib
PID: 74 ThrdID: 213006 Task: Nios A listener
PID: 75 ThrdID: 229391 Task: Nios B listener
PID: 76 ThrdID: 245776 Task: exec
PID: 77 ThrdID: 262161 Task: autoset
PID: 78 ThrdID: 278546 Task: cal
PID: 79 ThrdID: 294931 Task: diag
PID: 80 ThrdID: 311316 Task: fp
PID: 81 ThrdID: 327701 Task: hc
PID: 82 ThrdID: 344086 Task: UsbSicInputMsgMgr
PID: 83 ThrdID: 360471 Task: wfmMgrTest
PID: 84 ThrdID: 376856 Task: search
PID: 85 ThrdID: 393241 Task: periodicZoom
PID: 86 ThrdID: 409626 Task: periodicClockAnimation
PID: 87 ThrdID: 426011 Task: periodicBusyIndicAnimation
PID: 88 ThrdID: 442396 Task: math
PID: 89 ThrdID: 458781 Task: meas
PID: 90 ThrdID: 475166 Task: measImmed
PID: 91 ThrdID: 491551 Task: piCmdIntfc
PID: 92 ThrdID: 507936 Task: probes
PID: 93 ThrdID: 524321 Task: ref
PID: 94 ThrdID: 540706 Task: rtl
PID: 0 ThrdID: 557091 Task: thttpd
PID: 112 ThrdID: 573476 Task: tVxi11SRQd
PID: 0 ThrdID: 589861 Task: tVxi11Rpcd
PID: 114 ThrdID: 606246 Task: tVxi11FlushThread
PID: 0 ThrdID: 622631 Task: bus
PID: 0 ThrdID: 639016 Task: debugConsole
PID: 117 ThrdID: 655401 Task: VgpibRead
PID: 118 ThrdID: 671786 Task: VgpibWrite
PID: 119 ThrdID: 688171 Task: UsbTmcEventDispatcher
PID: 0 ThrdID: 704556 Task: probesHandleBulkPowerChangeThread


  Power Up Completed at 20:28:37
Enter 'ctrl-\' twice to quit scopeApp
Received testTrigIfcMsgAck, nios = 1, payload = 10
OK to connect by: telnet MSO2024B-05NTD7 1072
Received testTrigIfcMsgAck, nios = 0, payload = 10
20:28:37 fusadSetNiosUsable
20:28:42 --- Power Up Phase Cal - PASSED
« Last Edit: February 24, 2016, 07:59:21 pm by drsurfer »
 

Offline luisprata

  • Regular Contributor
  • *
  • Posts: 58
  • Country: br
Re: MSO2000 Application module hack
« Reply #91 on: February 25, 2016, 02:38:40 am »
Gooood!!!

Now you can prepare a root blank password firmware....  mount firmware.img, untar filesystem.tar.gz, edit /etc/passwd to remove root password... tar filesystem.tar.gz again... calc md5sum... update md5sum.txt with new filesystem.tar.gz md5 and unmount firmware.img. ;)

Then, after the boot serial messages, press ctrl \ twice and you can get access to the internal Linux.


 

Offline luisprata

  • Regular Contributor
  • *
  • Posts: 58
  • Country: br
Re: MSO2000 Application module hack
« Reply #92 on: February 25, 2016, 02:54:00 am »

The log is identical to MSO2014, except for SPC and Factory check sums and...

"cfgGetBoardModel: modelID 6 idStr MSO2024B"

After upgrading, I can change this Model message to MSO2024 too, so I really think the bandwidth upgrade was successful.

Thank you drsurfer, and I am so happy your scope serial is not damaged.



 

Offline drsurfer

  • Contributor
  • Posts: 15
  • Country: it
Re: MSO2000 Application module hack
« Reply #93 on: February 25, 2016, 08:36:39 am »
I think I will do this when I find a reliable way to attach the wires to the connector.
Besides the personal satisfaction of having broken a lock, is there any practical purpose in accessing the Linux shell?
Is there any chance to decrypt the original password? I'm not exactly a Linux expert, as you may have understood...

After a while: Could anyone try "taurus" as root password? 8)  I'm not at my desk...

Quote
Gooood!!!

Now you can prepare a root blank password firmware....  mount firmware.img, untar filesystem.tar.gz, edit /etc/passwd to remove root password... tar filesystem.tar.gz again... calc md5sum... update md5sum.txt with new filesystem.tar.gz md5 and unmount firmware.img. ;)

Then, after the boot serial messages, press ctrl \ twice and you can get access to the internal Linux.
« Last Edit: February 25, 2016, 10:53:52 am by drsurfer »
 

Offline computer7geek9

  • Newbie
  • Posts: 9
  • Country: us
Re: MSO2000 Application module hack
« Reply #94 on: March 01, 2016, 06:59:10 am »
Well, I managed to brick my MSO2014B so that's fun. Any ideas on how to repair? I was attempting to install a firmware version with no password and it stayed on the splash screen for hours so I had no choice but to unplug it. Now it just has a white screen. Any ideas?
 

Offline timb

  • Super Contributor
  • ***
  • Posts: 2536
  • Country: us
  • Pretentiously Posting Polysyllabic Prose
    • timb.us
Re: MSO2000 Application module hack
« Reply #95 on: March 01, 2016, 08:54:45 am »

Quote
Well, I managed to brick my MSO2014B so that's fun. Any ideas on how to repair? I was attempting to install a firmware version with no password and it stayed on the splash screen for hours so I had no choice but to unplug it. Now it just has a white screen. Any ideas?

Ohh, that's bad. Is it still under warranty? Tektronix might need to replace it.

When Tek first sent me a MSO2024 (about 2 years ago), the first thing I did was to upgrade to the latest firmware. So I grabbed it from their site, popped it on an SD card and used a USB to SD dongle (I didn't have a sub-8GB USB drive handy) to load it. Same thing happened. Sat on the firmware screen for hours, so I finally unplugged it and...white screen.

I relayed the info to my contact at Tek, hoping they maybe had a sequence to get into an emergency boot loader or something. She put me in touch with a technician who put me in touch with one of the firmware engineers. No such luck. They ended up replacing it with a brand new MSO2024B.

Now, if you're not under warranty, maybe we can get some info out of the serial console as it boots. Perhaps force the boot loader to try the USB drive, if it's still intact.

Worst case scenario, it might require figuring out how factory firmware is programmed in. Maybe an onboard debug connector or something.

I know this isn't what you wanted to hear. :-/
Any sufficiently advanced technology is indistinguishable from magic; e.g., Cheez Whiz, Hot Dogs and RF.
 

Offline computer7geek9

  • Newbie
  • Posts: 9
  • Country: us
Re: MSO2000 Application module hack
« Reply #96 on: March 01, 2016, 09:23:46 am »
I tried connecting to the serial console but was unable to get any data, plus I don't know the password (hence why I was updating it). I will try again to see if I have the wrong pins on the connector or something, but I'm afraid I might be out of luck. I don't know what could've gone wrong. I just edited the /etc/passwd file, re-tar, re-gz, changed the MD5, then made an img file. I used an online MD5 calculator so I wonder if that's what caused it, but I would expect to see some kind of "upgrade failed" problem if it was just an MD5 error. Could it be that the serial port isn't even initialized?
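The repack steps in replies #91 and #96 end with a hand-edited md5sum.txt. As an added example (not code from the thread or from Tektronix), this shell function recomputes each digest locally and compares it with md5sum.txt before anything is packed into firmware.img. The md5sum.txt layout (`<digest>  <filename>`, as written by md5sum) and the constructed staging directory are assumptions, since the thread does not show the file.

```shell
#!/bin/sh
# Added example: check md5sum.txt against the files beside it before they
# are packed into firmware.img.
# Assumption: md5sum.txt uses the md5sum(1) layout "<digest>  <filename>".

cr=$(printf '\r')

# check_manifest DIR: one result line per entry; returns 0 only when every
# listed file exists, matches its recorded digest and (for .gz) decompresses.
check_manifest() {
    dir=$1
    manifest="$dir/md5sum.txt"
    [ -r "$manifest" ] || { echo "ERROR cannot read $manifest"; return 2; }
    rc=0
    # "|| [ -n ... ]" also processes a last line that lacks a newline
    while read -r want name || [ -n "$want" ]; do
        [ -n "$want" ] || continue              # blank line
        name=${name#\*}                         # '*' is md5sum's binary flag
        case "$want$name" in
            *"$cr"*) echo "MALFORMED CRLF line ending in md5sum.txt"
                     rc=1; continue ;;
        esac
        if ! printf '%s\n' "$want" | grep -Eq '^[0-9a-f]{32}$'; then
            echo "MALFORMED $name: digest is not 32 lowercase hex digits"
            rc=1; continue
        fi
        file="$dir/$name"
        [ -f "$file" ] || { echo "MISSING $name"; rc=1; continue; }
        have=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $name recorded=$want actual=$have"
            rc=1; continue
        fi
        case "$name" in
            *.gz) gzip -t "$file" 2>/dev/null ||
                  { echo "CORRUPT $name: gzip -t failed"; rc=1; continue; } ;;
        esac
        echo "OK $name"
    done < "$manifest"
    return "$rc"
}

# make_sample: constructed staging directory holding a tiny filesystem.tar.gz
# and a matching md5sum.txt; prints the directory path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/rootfs"
    echo 'root:x:0:0:root:/root:/bin/sh' > "$d/rootfs/passwd"   # constructed
    tar -czf "$d/filesystem.tar.gz" -C "$d" rootfs && rm -r "$d/rootfs"
    ( cd "$d" && md5sum filesystem.tar.gz > md5sum.txt )
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample) && check_manifest "$d"
    rm -rf "$d"
fi
```

Anything other than a single `OK` line per entry means the staging directory should not be packed yet; the strict digest format check flags differences such as uppercase hex or CRLF that a hand-pasted value can introduce.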
 

Offline drsurfer

  • Contributor
  • Posts: 15
  • Country: it
Re: MSO2000 Application module hack
« Reply #97 on: March 01, 2016, 09:30:07 am »
I simply don't understand.   :(
I just posted the password, and decoding it from /etc/passwd is a trivial task for any casual "hacker" like myself.
I haven't actually tried it, but there is no reason it does not work.
The point is you hadn't a working console. Where do you hope to go, even with removed password?

Anyway did you try to load the original unmodified firmware on a fresh USB key and retry flashing from scratch?
 

Offline timb

  • Super Contributor
  • ***
  • Posts: 2536
  • Country: us
  • Pretentiously Posting Polysyllabic Prose
    • timb.us
MSO2000 Application module hack
« Reply #98 on: March 01, 2016, 09:33:05 am »
One would think that it wouldn't overwrite the boot loader first, but I don't know exactly how the upgrade works. It obviously copies the installer into RAM. Judging by the white screen and lack of serial data, I suspect it may wipe flash before copying the new bootloader and OS over.

If this is the case, the machine obviously wiped the flash and then encountered a silent error while copying the new data over.

If that's the case, then the only way to get the thing going may be through some sort of JTAG process.
Any sufficiently advanced technology is indistinguishable from magic; e.g., Cheez Whiz, Hot Dogs and RF.
 

Offline timb

  • Super Contributor
  • ***
  • Posts: 2536
  • Country: us
  • Pretentiously Posting Polysyllabic Prose
    • timb.us
Re: MSO2000 Application module hack
« Reply #99 on: March 01, 2016, 09:35:07 am »

Quote
Anyway did you try to load the original unmodified firmware on a fresh USB key and retry flashing from scratch?

He can't reload off the USB key. The scope won't even boot.

When this happens you get nothing. Just a white display (meaning it's not getting past the bootloader).
Any sufficiently advanced technology is indistinguishable from magic; e.g., Cheez Whiz, Hot Dogs and RF.
 

