Author Topic: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?  (Read 1118635 times)


Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru



tia,
george.

Mind you
0) Install correct version FW

7b) delete (or rename) any other lnk in startup folder. Should be only one file with lnk extension here.
 
The following users thanked this post: georges80, bigeblis

Offline jasonbrent

  • Regular Contributor
  • *
  • Posts: 176

That is a wonderful trade-in! I traded in a pristine Agilent scope for a DSOX3024T about 18 months ago. They asked a lot of questions about the scope and wanted to be sure that it was working. Supposedly someone was going to pick up the Agilent scope from me but then they asked me to ship it from New Jersey to California. Luckily I got the distributor to pay the $150 shipping cost, but I paid FedEx about $30 for the packing.

Of course I was worried that something would go wrong in shipping, so I took photos of the scope running next to the current day's New York Times front page. I did not want to get a bill from Keysight for $1400! Apparently it arrived OK, I never heard from them.

In any case, I'm surprised that a "non-top tier" scope would get the 30% discount since the offer says "up to 30%". When I did my trade-in there was also a free MSO option but they would not allow the offers to be combined.

Indeed, I was surprised and this may be a one-off! It took a few days for them to approve it... their T&Cs for the trade in didn't suggest there were any limits other than certain frequency for frequency bands. i.e., 0-100MHz could get 0-100MHz at 30%, but 0-100MHz for 1GHz would get 5%. I offered up 3 possible trades in preference of dslogic/rigol1052e/rigol1054z. Once I submitted, however, I was informed that none were on their list of scopes and would be handled as a "custom trade in". Took about 2 days to get an approved response and they'd accepted the dslogic; no further questions were asked about it.

Heck, if they had said the 1052e, I was going to just buy a new one to trade in since I don't have my old one anymore, lol!

Now, the wait. I'm hoping they beat the heck out of their 1+ month lead time estimate.

-j

DSOX3014T arrived today; ~12 days after they processed the order, not bad. Unfortunately the "DSOXLAN" module is still waiting for shipment with the same ETA of April 6th. Liberation will have to wait... now to go turn it on! :-)

-j
 

Offline bigeblis

  • Contributor
  • Posts: 40
  • Country: cn
Quote

I make patched.bin.comp with PhillyFlyers info and with corrected checksum:

Patched2.43

You can flash it as usual by loadP500Flash via telnet in scope
Code: [Select]

\windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp


Checked on my DSOX3034A


*** FYI ****

The file you posted is the 'uncompressed' and patched nk.bin, so make sure anyone, you do the

'bincompress /d patched_nk.bin patched_nk.bin.comp'  first!!  as you don't want to flash the uncompressed image, the scope will not boot...

************

Ohhh, sorry, I will change it

Ok, so I assume the minimal steps are:

0) Install correct Firmware version first (i.e. in this case 2.43)
1) Download Safar's patched_nk_bin.comp file and copy to a USB stick and plug in.
2) Telnet into the scope.
3) Login infiniivision / skywalker1977
4) processmgr kill infiniivisionlauncher.exe
5) \windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
6) Create a file on the USB stick called infiniivision.lnk with contents (e.g.) "88#infiniivisionLauncher.exe -l MSO -l BW20 -l DIS -l PLUS -l SCPIPS -l VID -l CABLE --perf"
7a) delete (or rename) any other lnk in \secure\startup folder. Should be only one file with lnk extension here.
7b) copy \usb\infiniivision.lnk to \secure\startup
8 ) reboot and good to go

Do I have the basic steps correct or ???

tia,
george.

Edited as per Safar. Thanks!!

Excuse me, after following your steps, will there be a "Firmware error" prompt at startup?
 

Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru
Excuse me, after following your steps, will there be a "Firmware error" prompt at startup?

No, something wrong. Tell all possible details. Which model? Is OS loaded? Can you connect scope via network?
 

Offline PhillyFlyers

  • Contributor
  • Posts: 31
  • Country: us
Excuse me, after following your steps, will there be a "Firmware error" prompt at startup?

No, something wrong. Tell all possible details. Which model? Is OS loaded? Can you connect scope via network?

Yeah, agreed, something is definitely corrupt or screwed up there, are you sure you installed firmware 2.43 before doing anything else??

FYI, I'll post much more detailed info once I get done putting everything together, but the nice thing about this scope and the SPEAR600, is that it is essentially bullet-proof from completely bricking the scope.   ST did quite a nice job setting up the internal BootROM in the SPEAR600 itself...

spelled out in the documentation is the boot flow process, since in these scopes the boot pins are setup to boot to NOR flash.. the SPEAR600 will follow this path:
(I simplified it a bit, but when I get all my info together, I will post more specifics)

Code: [Select]
1) Attempt to locate 'Xloader' in NOR flash...  if fail, goto USB BOOT
    if OK, goto step 2

2) Attempt to locate 'U-Boot' in NOR flash, if fail, goto USB BOOT
    if OK, goto step 3

3) boot up OS from NAND flash

** For all NOR boot failures (XLOADER/UBOOT), the scope will sit at USB Boot, waiting for the USB-Flasher program to communicate back, upon which you can then reflash NOR & NAND to recover... ***

In this case though, if the OS (Windows CE - nk.bin.comp) is corrupt, it will be beyond USB boot, and prob. as you noticed, just hang at OS failure.   But for these cases, you can easily get into UBoot Loader or CE-Boot loader by just having the 3.3v RS232 to USB cable... of course you have to open up the scope to connect to the header.

USB-Flasher is available from the ST-Micro web-site under the SPEAR600 page..


I haven't myself tried this out, as I didn't want to purposely corrupt my flash, but the docs in the flasher tool explain how to use it, but basically you connect USB right from back of scope to your PC...

« Last Edit: March 21, 2018, 11:43:27 pm by PhillyFlyers »
 

Online mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13748
  • Country: gb
    • Mike's Electric Stuff
USB-Flasher is available from the ST-Micro web-site under the SPEAR600 page..
But is a compatible image available to flash with this tool ?
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 824
  • Country: es
You don’t need to write corrupt flash data to enter USB loader. Just short some flash data pins with tweezers at poweron.

Edit: there is a BOOT_SEL pin also, search the thread.
« Last Edit: March 22, 2018, 10:27:45 am by abyrvalg »
 

Offline bigeblis

  • Contributor
  • Posts: 40
  • Country: cn
Excuse me, after following your steps, will there be a "Firmware error" prompt at startup?

No, something wrong. Tell all possible details. Which model? Is OS loaded? Can you connect scope via network?
Sorry
my English is not good.
I mean, after this operation, is there a warning that the firmware version is incorrect? The previous crack was like this.
 

Offline corn11

  • Regular Contributor
  • *
  • Posts: 69
  • Country: de
When you've the original LAN/VGA module installed there should be no warning but with the DIY module there is a little popup saying the LAN/VGA module has a fault but you can skip that by pressing any key
 

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 773
When you've the original LAN/VGA module installed there should be no warning but with the DIY module there is a little popup saying the LAN/VGA module has a fault but you can skip that by pressing any key
What I read, not on all scopes. The reason why this happens on some scopes and on some scopes not is still unknown.
 

Offline bigeblis

  • Contributor
  • Posts: 40
  • Country: cn
When you've the original LAN/VGA module installed there should be no warning but with the DIY module there is a little popup saying the LAN/VGA module has a fault but you can skip that by pressing any key
This means that the latest crack will not have the "Firmware incorrect" warning?
 

Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru
When you've the original LAN/VGA module installed there should be no warning but with the DIY module there is a little popup saying the LAN/VGA module has a fault but you can skip that by pressing any key
This means that the latest crack will not have the "Firmware incorrect" warning?

Yes, last 2.43 FW DLL patched in two places in BIN file: NETWORK patch and NAG patch. NAG patch eliminates any FW warning messages (in start and in about screen IIR).
Edit: and these messages show if you start infiniivisionloader.exe with any params (with normal unpatched DLL)
« Last Edit: March 22, 2018, 03:27:36 pm by Safar »
 
The following users thanked this post: bigeblis

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3753
  • Country: ca
  • Living the Dream
When you've the original LAN/VGA module installed there should be no warning but with the DIY module there is a little popup saying the LAN/VGA module has a fault but you can skip that by pressing any key
What I read, not on all scopes. The reason why this happens on some scopes and on some scopes not is still unknown.

This is long known! The error occurs because there is a jumper which tells the scope the card is present but of course it can't find the VGA driver hardware. If you remove that jumper (or cut a trace) on your LAN card you will get no error. The LAN will still work for web access, telnet etc. but you will see no config option in the scope menus. You will also not be able to control the scope with BenchVue etc. (generally no big deal).
VE7FM
 

Offline PhillyFlyers

  • Contributor
  • Posts: 31
  • Country: us
You don’t need to write corrupt flash data to enter USB loader. Just short some flash data pins with tweezers at poweron.

Edit: there is a BOOT_SEL pin also, search the thread.


LOL, nice, that will do the trick!


Also, I know there was much discussion about the BOOT_SEL pin, but I don't recall anyone ever verifying if the pin was actually brought out to a via?

And if so, is the pin pulled via a resistor, or is it tied directly to VCC rail?
 

Offline PhillyFlyers

  • Contributor
  • Posts: 31
  • Country: us
USB-Flasher is available from the ST-Micro web-site under the SPEAR600 page..
But is a compatible image available to flash with this tool ?


Well, technically we have all of the 'pieces' in order to flash, as most of the pieces are in the firmware file... but we still have to construct the image files first, but I haven't figured all of the mapping out yet, unless someone else knows offhand the flat file arrangement of the NOR & NAND flashes...

I've dumped the NOR flash via JTAG, and see the XLOADER, UBOOT, PBOOT, and MAC address locations in there, but I haven't finished going over it..

to dump NAND I believe I have to configure the spear600 memory controller (FSMC) to be able to read NAND, and you have to read it out in pages... I haven't done anything with that yet...

Also, with that USB flasher tool it looks like you need to know exact mem locations, etc for each part, so we'd have to spell all that out... but from what I see, it should be do-able... but hopefully we'd never have to get that far down the rabbit hole...

It's probably not a common thing to have the NOR flash corrupted, I think all the issues people have mentioned about 'corrupt flash' have been with the NAND flash, which is all OS components.

UBOOT/CEBoot should still be available via RS232 to reload a new OS image (nk.bin), and fix the NAND flash from there...
 

Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru
USB-Flasher is available from the ST-Micro web-site under the SPEAR600 page..
But is a compatible image available to flash with this tool ?

Well, technically we have all of the 'pieces' in order to flash

Very possibly it is a .NB0 file, as it is a ROM image (and it is used in uBoot for flashing via TFTP IIR). You can convert it from a .BIN file with cvrtbin.exe
Cvrtbin needs the start address and image length, which can be viewed with viewbin.exe
Code: [Select]
cvrtbin -r -a start_in_hex -w 32 -l length_in_hex nk.bin
-w 32 is length of block (4 bytes)
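
Added example (not from the thread and not the code of viewbin.exe or cvrtbin.exe): a small Python reader for the Windows CE B000FF .bin container that reports the start address and image length the post refers to, and checks every record's byte-sum checksum and address range so a damaged or truncated nk.bin is caught before any conversion or flashing. The function names and the sample image are constructed for illustration; the input is assumed to be the uncompressed .bin, not the .comp file.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

SIGNATURE = b"B000FF\n"            # 7-byte magic that opens an uncompressed CE .bin
HEADER_LEN = len(SIGNATURE) + 8    # magic + image start (u32) + image length (u32)


@dataclass
class Record:
    address: int      # load address of this block
    length: int       # payload size in bytes
    stored_sum: int   # checksum field read from the file
    actual_sum: int   # byte sum recomputed from the payload


@dataclass
class BinImage:
    start: int              # image start address from the header
    length: int             # image length from the header
    entry: Optional[int]    # entry point from the terminating record, if present
    records: List[Record]


def parse_ce_bin(blob: bytes) -> BinImage:
    """Walk the record chain; raise ValueError on anything malformed."""
    if not blob.startswith(SIGNATURE):
        raise ValueError("no B000FF signature (still compressed, or a raw .nb0?)")
    if len(blob) < HEADER_LEN:
        raise ValueError("truncated image header")
    start, length = struct.unpack_from("<II", blob, len(SIGNATURE))
    img, pos = BinImage(start, length, None, []), HEADER_LEN
    while pos + 12 <= len(blob):
        addr, rlen, csum = struct.unpack_from("<III", blob, pos)
        pos += 12
        if addr == 0:       # terminator: its length field carries the entry point
            img.entry = rlen
            return img
        data = blob[pos:pos + rlen]
        if len(data) != rlen:
            raise ValueError(f"record at {addr:#010x} runs past end of file")
        img.records.append(Record(addr, rlen, csum, sum(data) & 0xFFFFFFFF))
        pos += rlen
    return img              # entry stays None: no terminating record was seen


def audit(img: BinImage) -> List[str]:
    """Return findings; an empty list means the image is internally consistent."""
    findings = []
    if img.entry is None:
        findings.append("missing terminating record (file truncated?)")
    end = img.start + img.length
    for r in img.records:
        if r.stored_sum != r.actual_sum:
            findings.append(f"checksum mismatch in record at {r.address:#010x}")
        if r.address < img.start or r.address + r.length > end:
            findings.append(f"record at {r.address:#010x} lies outside the image range")
    return findings


def cvrtbin_values(img: BinImage):
    """Hex strings for the start_in_hex / length_in_hex placeholders in the post."""
    return f"{img.start:08x}", f"{img.length:x}"


# Constructed sample image: two 4-byte records followed by the terminator.
SAMPLE = (
    SIGNATURE + struct.pack("<II", 0x80001000, 0x20)
    + struct.pack("<III", 0x80001000, 4, 10) + b"\x01\x02\x03\x04"
    + struct.pack("<III", 0x80001010, 4, 0x1FF) + b"\xff\xff\x00\x01"
    + struct.pack("<III", 0, 0x80001000, 0)
)
```

Calling `audit(parse_ce_bin(data))` on a file read in binary mode returns an empty list for a consistent image; any finding means the file should not be converted or flashed as-is.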
 

Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru

Well, technically we have all of the 'pieces' in order to flash, as most of the pieces are in the firmware file... but we still have to construct the image files first, but I haven't figured all of the mapping out yet, unless someone else knows offhand the flat file arrangement of the NOR & NAND flashes...

I've dumped the NOR flash via JTAG, and see the XLOADER, UBOOT, PBOOT, and MAC address locations in there, but I haven't finished going over it..

to dump NAND I believe I have to configure the spear600 memory controller (FSMC) to be able to read NAND, and you have to read it out in pages... I haven't done anything with that yet...

Also, with that USB flasher tool it looks like you need to know exact mem locations, etc for each part, so we'd have to spell all that out... but from what I see, it should be do-able... but hopefully we'd never have to get that far down the rabbit hole...

It's probably not a common thing to have the NOR flash corrupted, I think all the issues people have mentioned about 'corrupt flash' have been with the NAND flash, which is all OS components.

UBOOT/CEBoot should still be available via RS232 to reload a new OS image (nk.bin), and fix the NAND flash from there...

May be dumprom can help. This utility can make dump of files and modules from NB0 file and out txt file with address map

Code: [Select]
dumprom -d files_dump -5 NK.nb0 >> map.txt
files_dump is subdirectory for files output (should exist)
-5 - WinCE5 compression mode

Edit: one more util that can extract one file from NB0
Code: [Select]
dumpromx -f file_name -d files_dump -5 NK.nb0
files_dump - destination subdirectory (should exist)
« Last Edit: March 22, 2018, 11:20:32 pm by Safar »
 

Offline bigeblis

  • Contributor
  • Posts: 40
  • Country: cn
When you've the original LAN/VGA module installed there should be no warning but with the DIY module there is a little popup saying the LAN/VGA module has a fault but you can skip that by pressing any key
This means that the latest crack will not have the "Firmware incorrect" warning?

Yes, last 2.43 FW DLL patched in two places in BIN file: NETWORK patch and NAG patch. NAG patch eliminates any FW warning messages (in start and in about screen IIR).
Edit: and these messages show if you start infiniivisionloader.exe with any params (with normal unpatched DLL)

Thank you for sharing! Perfect crack! Thank you!
Can I share it with my friends?
 

Offline udhay_cit

  • Contributor
  • Posts: 11
  • Country: in
Hi, I'm new to this forum and it's my first post. I'm too late to visit here and the discussions are extended to 70+ pages.

Is it finally the DSOX3000 hacked? My firmware version is 2.36.2013091201. I'm looking for bandwidth upgradation from 100MHz to any higher. If it is hackable, please any one redirect me to a right post.

Regards
Udhay
 

Offline jasonbrent

  • Regular Contributor
  • *
  • Posts: 176
Hi, I'm new to this forum and it's my first post. I'm too late to visit here and the discussions are extended to 70+ pages.

Is it finally the DSOX3000 hacked? My firmware version is 2.36.2013091201. I'm looking for bandwidth upgradation from 100MHz to any higher. If it is hackable, please any one redirect me to a right post.

Regards
Udhay

Hint: Print button at the top right gets it all into one page, then search using CTRL-F/CMD-F.
 

Offline georges80

  • Frequent Contributor
  • **
  • Posts: 912
  • Country: us
Hi, I'm new to this forum and it's my first post. I'm too late to visit here and the discussions are extended to 70+ pages.

Is it finally the DSOX3000 hacked? My firmware version is 2.36.2013091201. I'm looking for bandwidth upgradation from 100MHz to any higher. If it is hackable, please any one redirect me to a right post.

Regards
Udhay

Hint: Print button at the top right gets it all into one page, then search using CTRL-F/CMD-F.

Short answer is yes, you can release ALL features of your scope. The 2000/3000 share the exact same firmware/software.

Read backwards and you'll get the latest information on the latest firmware update. You really need to get yourself a LAN card (either a DIY version of which gerbers etc are in this thread, OR, the Keysight VGA/LAN). The LAN card lets you telnet into the scope to initiate the steps necessary to release all the features. Again, read backwards from this point, won't take you more than 30 mins or so to get the most recent firmware update sequence (using a LAN card and an external USB flash drive).

cheers,
george.
 
The following users thanked this post: udhay_cit

Offline jasonbrent

  • Regular Contributor
  • *
  • Posts: 176
Hi, I'm new to this forum and it's my first post. I'm too late to visit here and the discussions are extended to 70+ pages.

Is it finally the DSOX3000 hacked? My firmware version is 2.36.2013091201. I'm looking for bandwidth upgradation from 100MHz to any higher. If it is hackable, please any one redirect me to a right post.

Regards
Udhay

Hint: Print button at the top right gets it all into one page, then search using CTRL-F/CMD-F.

Short answer is yes, you can release ALL features of your scope. The 2000/3000 share the exact same firmware/software.

Read backwards and you'll get the latest information on the latest firmware update. You really need to get yourself a LAN card (either a DIY version of which gerbers etc are in this thread, OR, the Keysight VGA/LAN). The LAN card lets you telnet into the scope to initiate the steps necessary to release all the features. Again, read backwards from this point, won't take you more than 30 mins or so to get the most recent firmware update sequence (using a LAN card and an external USB flash drive).

cheers,
george.

The 3KT firmware is 7.x. .. but otherwise, I expect what you said is correct. My DSOXLAN is awaiting customs clearance at the moment before I experiment with my 3KT.

*EDIT*: DSOXLAN arrived. I've been able to telnet in, but haven't had time to try other options yet. Perhaps tomorrow.

-j
« Last Edit: March 31, 2018, 07:30:06 pm by jasonbrent »
 

Offline PhillyFlyers

  • Contributor
  • Posts: 31
  • Country: us
Hi All,

I put together a 3-in-1 DSOX LAN board, to incorporate the LAN setup everyone is already using, plus a USB-UART setup and JTAG buffer, to have all 3 interfaces available via the LAN card faceplate.

(Thanks to everyone on here that did the real work getting the LAN card figured out, all the hard work. I just incorporated those setups, and tacked on an RS232 setup and JTAG setup.)

The USB uart setup pulls the 3.3v power for the chip from the HOST USB 5v power, so that the serial port can be up and connected to, before the scope is powered on. This makes it super easy to power on the scope and immediately halt in UBOOT. (hitting spacebar while you power on the scope)

The JTAG buffer setup just provides a nice buffered setup (same buffer setup that's been used in numerous other jtag projects, etc)

I found that the 'SEGGER JLINK-EDU' is a very nice and super easy device to use, and it already has defines setup for the SPEAR600. (no defined setup for programming flash or reading the NAND flash, as the SPEAR600-FSMC needs to be setup manually, but you can easily dump the NOR flash, the most important anyhow).

JLINK-EDU is same as JLINK-BASE, but meant for non-commercial use, which is fine for us. And it's only $60 from Digi-key and others.

In order to use JTAG, you have to pull up those two pins as was shown way back around page 6 I think of this thread, so I added a dip-switch onto the board for all 3 locations, and you can actually run wires from those 3 pads to the board, and use the dipswitches to turn on/off those enable pins.

But since they are by default pulled LO by 81 ohm resistors, you have to remove them, and either replace with 10k, or just leave open, and let the board do the pullup/pulldown.

You can also just build the board and only populate what you want, ie you can leave JTAG un-populated, and also don't need to populate any of the LEDs, I just did that for fun, and it looks pretty when they light up :)

Attached are some pics of the board, the initial UBOOT menu (when halted via the serial port), etc..

(see the hackaday link for all the files)

https://hackaday.io/project/114593-dsoxlanplus


« Last Edit: April 02, 2018, 12:18:16 am by PhillyFlyers »
 
The following users thanked this post: Sparky, jasonbrent, Zucca, januszb, JeffreyLatter, Safar

Offline gamalot

  • Super Contributor
  • ***
  • Posts: 1306
  • Country: au
  • Correct my English
    • Youtube
Hi All,

I put together a 3-in-1 DSOX LAN board, to incorporate the LAN setup everyone is already using, plus a USB-UART setup and JTAG buffer, to have all 3 interfaces available via the LAN card faceplate.

(Thanks to everyone on here that did the real work getting the LAN card figured out, all the hard work. I just incorporated those setups, and tacked on an RS232 setup and JTAG setup.)

The USB uart setup pulls the 3.3v power for the chip from the HOST USB 5v power, so that the serial port can be up and connected to, before the scope is powered on. This makes it super easy to power on the scope and immediately halt in UBOOT. (hitting spacebar while you power on the scope)

The JTAG buffer setup just provides a nice buffered setup (same buffer setup that's been used in numerous other jtag projects, etc)

I found that the 'SEGGER JLINK-EDU' is a very nice and super easy device to use, and it already has defines setup for the SPEAR600. (no defined setup for programming flash or reading the NAND flash, as the SPEAR600-FSMC needs to be setup manually, but you can easily dump the NOR flash, the most important anyhow).

JLINK-EDU is same as JLINK-BASE, but meant for non-commercial use, which is fine for us. And it's only $60 from Digi-key and others.

In order to use JTAG, you have to pull up those two pins as was shown way back around page 6 I think of this thread, so I added a dip-switch onto the board for all 3 locations, and you can actually run wires from those 3 pads to the board, and use the dipswitches to turn on/off those enable pins.

But since they are by default pulled LO by 81 ohm resistors, you have to remove them, and either replace with 10k, or just leave open, and let the board do the pullup/pulldown.

You can also just build the board and only populate what you want, ie you can leave JTAG un-populated, and also don't need to populate any of the LEDs, I just did that for fun, and it looks pretty when they light up :)

Attached are some pics of the board, the initial UBOOT menu (when halted via the serial port), etc..

(see the hackaday link for all the files)

https://hackaday.io/project/114593-dsoxlanplus

WOW, looks much better than mine!  :-+

Offline eevfans

  • Newbie
  • Posts: 2
  • Country: cn
Hi guys, I have a DSO-X 3034A, unfortunately the firmware was down. The xloader, pboot and uboot work fine. I have updated the pboot and the uboot with the same file in the update packet 3000XSeries.02.43.2018020635.ksb (use uboot with uart to stop booting pboot progress and use kermit protocol to transfer files to memory and use cp command to overwrite the old pboot and uboot). And the nand memory should flash too, but I don't know how and where to get the nand data? In other words how can I fix it by my hand. Have any ideas? (PS: the nand has been erased and I don't have a lan module)
 

