Author Topic: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?  (Read 265563 times)

0 Members and 1 Guest are viewing this topic.

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13695
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #125 on: February 17, 2014, 11:44:09 pm »
I just scored a DSO6034A (now MSO6034+all the goodies!)  for GBP1750, so will be selling the MSO6012A soon - let me know if any info is needed  from this model, though it doesn't appear that much is possible apart from non-trial SGM, CIR and LMT options.
 
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #126 on: February 17, 2014, 11:56:17 pm »
This motherboard is an agilent 7000 series.
As can be appreciated is very similar to the 6000 series.



This other is an DSO6104A, also there are some differences.



Unfortunately these images don't have enough detail to see the resistors near the FPGA.
« Last Edit: February 18, 2014, 12:02:22 am by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #127 on: February 18, 2014, 12:11:55 am »
And another MSO6104A.



Is very likely that the 1NB7-8453 support up to 1GHz. But all the 6104A boards have additional hardware compared with 6034A.
I was unable to find any 6054A board.
« Last Edit: February 18, 2014, 12:20:05 am by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline tesla500

  • Regular Contributor
  • *
  • Posts: 149
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #128 on: February 18, 2014, 12:57:22 am »
I have an MSO6104A, I'll get some pictures later.
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #129 on: February 18, 2014, 03:17:38 pm »
This look very interesting XCF04S:


Platform Flash series of in-system programmable configuration PROMs. Available in 1 to 32 Megabit (Mbit) densities, these PROMs provide an easy-to-use, cost-effective, and reprogrammable method for storing large Xilinx FPGA configuration bitstreams.
« Last Edit: February 18, 2014, 07:00:34 pm by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #130 on: February 18, 2014, 04:39:02 pm »
As mikeselectricstuff already discovered:

MODEL    X1 X0
-------------------
6032       0    0
6102       0    1
6034       1    0
6104       1    1

X1 = NÂș Channels.
X0 = BW.

How is set 605*? 



603 SMD Marking Code:
33C = 21.5 x 1000 = 21K5.
01B = 10.0 x 100 = 1K.



X1=X0=0 -> 6032:
   mem dump -n 1 -w 8 0xF6000004  ->  0x00000262

X1=0, X0=1 -> 6102:
   mem dump -n 1 -w 8 0xF6000004  ->  0x00000268

X1=1, X0=0 -> 6034:
   mem dump -n 1 -w 8 0xF6000004  ->  0x000002A2

X1=X0=1 -> 6104:
   mem dump -n 1 -w 8 0xF6000004  ->  0x000002A8
« Last Edit: February 19, 2014, 10:56:58 am by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #131 on: February 18, 2014, 06:44:03 pm »
For the moment I have only clear one thing, is impossible convert a 603* in a 610*, due to the absence of a lot of components (I'll upload pictures later).
Seems that the jumpers and FPGA just indicates the capabilities, as abyrvalg was feared.

However I continue searching jumpers, but we need pictures of a 605*.
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 823
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #132 on: February 18, 2014, 07:01:24 pm »
Try removing that other resistor connected to X0. There must be 4 combinations for BW field.
I can try DeBIT'ing the bitstream, but this will be "cannon against sparrows" as we say here :D
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #133 on: February 18, 2014, 07:07:59 pm »
Try removing that other resistor connected to X0. There must be 4 combinations for BW field.
Do you think that it have an internal "momentary" pull down, or something like that?

No resistance (X0 side), no effect, still indicates 6104. 
Only 1K as (X0 side) pull down, still indicates 6034.
Only 1K as (X0 side) pull up, still indicates 6014.
So there is nothing unusual here... But it is clear, the FPGA also should indicate 605*.

@mikeselectricstuff: What returns your 6012 (default settings) to "mem dump -n 1 -w 8 0xF6000004"?

I can try DeBIT'ing the bitstream, but this will be "cannon against sparrows" as we say here :D
LOL...
Yes, highly probable...
« Last Edit: February 19, 2014, 11:14:13 am by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #134 on: February 18, 2014, 08:57:32 pm »
Looks like no more jumpers near the FPGA.  >:(

  - 69X (51.1 ohm) and 01A (100 ohm) seen to maintain signal integrity.
  - 01C (10K) are oscillator pull up.

My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13695
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #135 on: February 18, 2014, 10:03:57 pm »
This look very interesting XCF04S:
Yes - this is where the FPGA code lives. I assume they use this rather than soft-loading so there's a display at startup. When reprogramming (gsp6000.jzp) it shows a red "not power off "message - my guess is at the very least it would leave you with no display, maybe even unrecoverable if teh FPGA does other critical stuff, though you could probably program it via JTAG by copying from another scope.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #136 on: February 18, 2014, 10:28:30 pm »
Yes - this is where the FPGA code lives. I assume they use this rather than soft-loading so there's a display at startup. When reprogramming (gsp6000.jzp) it shows a red "not power off "message - my guess is at the very least it would leave you with no display, maybe even unrecoverable if teh FPGA does other critical stuff, though you could probably program it via JTAG by copying from another scope.
Yes, I think so too.
Seems that there something more connected to this JTAG connector, but I only can read this identifier 05046093h (XCF04S).
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13695
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #137 on: February 18, 2014, 10:35:27 pm »
Yes - this is where the FPGA code lives. I assume they use this rather than soft-loading so there's a display at startup. When reprogramming (gsp6000.jzp) it shows a red "not power off "message - my guess is at the very least it would leave you with no display, maybe even unrecoverable if teh FPGA does other critical stuff, though you could probably program it via JTAG by copying from another scope.
Yes, I think so too.
Seems that there something more connected to this JTAG connector, but I only can read this identifier 05046093h (XCF04S).
You'd normally have the config memory and FPGA on the JTAG, but maybe also the main CPU. It could also be that the memory has a dedicated programming connector - I'm not too familar with the Xilinx confg devices. 
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #138 on: February 18, 2014, 11:02:48 pm »
You'd normally have the config memory and FPGA on the JTAG, but maybe also the main CPU. It could also be that the memory has a dedicated programming connector - I'm not too familar with the Xilinx confg devices.
Surely XCF04S and FPGA share the same JTAG connector. But like you, I'm not familiar with this configuration. Anyway, I fear that investigate here, will be a waste of time.



I wonder if these resistors will make a difference between 603* and 605*. The strange thing is that they are 0 ohm.
« Last Edit: February 18, 2014, 11:04:52 pm by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13695
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #139 on: February 18, 2014, 11:09:22 pm »
I think we really need to see inside a 605x!
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #140 on: February 18, 2014, 11:13:58 pm »
I think we really need to see inside a 605x!
Definitely, yes.
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 823
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #141 on: February 19, 2014, 12:01:01 am »
We have a 6012 that must have some difference from both 6034/6104 (from FPGA's point of view), so:
1. carefully comparing 6034 board to 6012 can give some clue (there must be some other FPGA input that differs)
2. if 4 possible BW codes are defined as 4 combinations of just 2 FPGA inputs, we know a resistor that defines one bit (3rd from the left, changing 300M/1G), then 6012 should have that yet unknown second input in a state inverted relative to 6034/6104, so inverting ONLY our known 300M/1G input should convert 6012 to 6052.
mikeselectricstuff, are you 100% sure that 6012 hangs with both left and right resistors present? This can be critical. For example if you had something wrong with left resistor when testing this combination, the scope would hang just because of 4CH mode activated. Even if it hangs, trying telnet can still work (there is multitasking OS inside), so examining F6000004 value still can be possible.

FPGA PROM JTAG header should be connected in parallel with main CPU. I mean not including the CPU into the scan chain, but CPU being a JTAG master (it's CPU who programs that PROM normally). The PROM contents can be obtained from gspXXXX.jzp - it's just a compressed XSVF file.
 

Offline havok1919

  • Newbie
  • Posts: 2
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #142 on: February 19, 2014, 12:25:07 am »
Having just made it through the thread I was preparing to update my DSO5014A with the latest firmware from the Agilent site (06.16.0001) and opted out of curiosity to check what version was actually on there in the first place:

System Version: 06.17.0001

Soooo... Does an update .jzp get copied and remain on the scope during an update?  (Put another way, is there any way to archive this version?)
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #143 on: February 19, 2014, 12:51:00 am »
To set the 25MHZ BW limit, does not use a serial protocol, for all the other parameters  no idea, I can't see changes (I used a DMM).

Edit: Yes, it uses a serial protocol.



FPGA PROM JTAG header should be connected in parallel with main CPU. I mean not including the CPU into the scan chain, but CPU being a JTAG master (it's CPU who programs that PROM normally). The PROM contents can be obtained from gspXXXX.jzp - it's just a compressed XSVF file.
Yes, the JTAG connector seem to be connected to the CPU too.

We have a 6012 that must have some difference from both 6034/6104 (from FPGA's point of view), so:
1. carefully comparing 6034 board to 6012 can give some clue (there must be some other FPGA input that differs)
2. if 4 possible BW codes are defined as 4 combinations of just 2 FPGA inputs, we know a resistor that defines one bit (3rd from the left, changing 300M/1G), then 6012 should have that yet unknown second input in a state inverted relative to 6034/6104, so inverting ONLY our known 300M/1G input should convert 6012 to 6052.
Right now this, to me, is a mystery.
« Last Edit: February 24, 2014, 04:32:47 pm by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #144 on: February 19, 2014, 01:03:18 am »
Having just made it through the thread I was preparing to update my DSO5014A with the latest firmware from the Agilent site (06.16.0001) and opted out of curiosity to check what version was actually on there in the first place:

System Version: 06.17.0001

Soooo... Does an update .jzp get copied and remain on the scope during an update?  (Put another way, is there any way to archive this version?)
Yes. Open a telnet:

Telnet [Your IP] 5810
VxWorks login: panther
Password:pictures
->cmd
[vxWorks]#show devices
[vxWorks]#cd C:
[vxWorks]#cd bin
[vxWorks]#ls
[vxWorks]#file copy sys5000.bin /usb0/
« Last Edit: February 19, 2014, 10:49:07 am by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline havok1919

  • Newbie
  • Posts: 2
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #145 on: February 19, 2014, 03:50:49 am »
[...]Telnet [Your IP] 5810[...]

Awesome.  Thanks!

I pulled "@(#)REV: 06.17.0001 Dec  1 2011 16:02:27" from my machine (it was a factory reconditioned unit from December 2012).  The patch address appears to be 0x002E7B20 in this version.

I have no idea how it differs from 06.16.0001, but since it seems not to be available from the Agilent website let me know if anyone else wants to check it out.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13695
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #146 on: February 19, 2014, 09:28:32 am »
We have a 6012 that must have some difference from both 6034/6104 (from FPGA's point of view), so:
1. carefully comparing 6034 board to 6012 can give some clue (there must be some other FPGA input that differs)
2. if 4 possible BW codes are defined as 4 combinations of just 2 FPGA inputs, we know a resistor that defines one bit (3rd from the left, changing 300M/1G), then 6012 should have that yet unknown second input in a state inverted relative to 6034/6104, so inverting ONLY our known 300M/1G input should convert 6012 to 6052.
mikeselectricstuff, are you 100% sure that 6012 hangs with both left and right resistors present? This can be critical. For example if you had something wrong with left resistor when testing this combination, the scope would hang just because of 4CH mode activated. Even if it hangs, trying telnet can still work (there is multitasking OS inside), so examining F6000004 value still can be possible.

FPGA PROM JTAG header should be connected in parallel with main CPU. I mean not including the CPU into the scan chain, but CPU being a JTAG master (it's CPU who programs that PROM normally). The PROM contents can be obtained from gspXXXX.jzp - it's just a compressed XSVF file.
Pretty sure - after a while it went to a mode cycling a few rows of LEDs.
As the 6012 has a completely different front-end I don't think there;s anything worth exploring there.

Another possibility is the 603x/5x front-end hybrids could be graded, and have an indicator pin to indicate type, but an additional link would seem to be more likely.
Have you found anything in software to indicate where it's looking for?
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #147 on: February 19, 2014, 10:41:14 am »
Another possibility is the 603x/5x front-end hybrids could be graded, and have an indicator pin to indicate type, but an additional link would seem to be more likely.
Have you found anything in software to indicate where it's looking for?
I don't know, could be.
But I'm pretty sure that the capabilities are indicated by the FPGA, because the firmware patched to switch from MSO6034A to MSO6054A, just modify the registry returned by the FPGA (
and it works perfectly).
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 823
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #148 on: February 19, 2014, 11:35:29 am »
FPGA stands in the way, concealing those pins. From CPU side I can see that BW option is defined by bits 3..0 of F6000004 reg:
1 - 100MHz
2 - 300MHz
4 - 500MHz
8 - 1GHz.

Other bits there:
7..6 are number of channels:
1 - 2CH
2 - 4CH

14..10 are instrument family and some other features:
0 - MSO 0 (TBD)
1 - DSO 2
2 - MSO 2
4 - MSO 1
8 - MSO 0 with battery
16-MSO 2 with serial keyboard
families: there are 3 major instrument families selected by bits above, bandwidth bits selects an instrument inside that family:
0: 5462x (never selected),   5464x (never selected), 601x, 603x, 605x, 610x
1: 601x, 603x, 605x, 610x
2: 703x, 705x, 710x,   501x (DSO only), 503x (DSO only), 505x (DSO only)

Carrington's F6000004 dumps:
6034 - 2A2 : bits 14..10=0 -> MSO family 0, bits 7..6=2 -> 4CH, bits 3..0=2 -> 300MHz
6104 - 2A8 : bits 14..10=0 -> MSO family 0, bits 7..6=2 -> 4CH, bits 3..0=8 -> 1GHz

It's hard to say anything about pins based on this: definitely these bits doesn't reflect pins states directly (note changing center right resistor results in 2 or 8 value in 3..0), must be some binary to one-hot decoders. I can try bitstream decompiler next week (I'm away from my bigger PCs now), but that Spartan-3 device is pretty huge, so I'll need some infos to identify that specific part of logic somehow: first is F6000000 register value (0, not 4, this is hardcoded bitstream revision reg) - this can help identifying register bus in general, second is our left/right resistors FPGA pin locations (there are vias to all FPGA pins on the back board side, so a quick sweep with a DMM beeper can identify both pins) - these should lead to straps sensing logic directly.

Another interesting possibility is obtaining different models FPGA pins snapshots with JTAG SAMPLE instruction, then comparing. Sure, there will be many dynamic pins, but they can be filtered out by taking many dumps on the same model and ruling out all changes. This can be hard if done by hand, but pretty easy if programmed.
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1202
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #149 on: February 19, 2014, 12:22:32 pm »
It's hard to say anything about pins based on this: definitely these bits doesn't reflect pins states directly (note changing center right resistor results in 2 or 8 value in 3..0), must be some binary to one-hot decoders. I can try bitstream decompiler next week (I'm away from my bigger PCs now), but that Spartan-3 device is pretty huge.
Are you sure? That will be a nightmare...

First is F6000000 register value (0, not 4, this is hardcoded bitstream revision reg) - this can help identifying register bus in general, second is our left/right resistors FPGA pin locations (there are vias to all FPGA pins on the back board side, so a quick sweep with a DMM beeper can identify both pins) - these should lead to straps sensing logic directly.
1.  mem dump -n 1 -w 8 0xF6000000  -> 0x02b4141300000262.
2.  X0 FPGA pin is (AB20) (Red circle).
3.  X1 FPGA pis is (AA20) (Blue circle).
Please see attached pictures.

Another interesting possibility is obtaining different models FPGA pins snapshots with JTAG SAMPLE instruction, then comparing. Sure, there will be many dynamic pins, but they can be filtered out by taking many dumps on the same model and ruling out all changes. This can be hard if done by hand, but pretty easy if programmed.
I tried that with TOPJTAG Probe, but it only find the XCF04S, no the FPGA.
« Last Edit: February 20, 2014, 11:35:49 am by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf