EEVblog Electronics Community Forum
EEVblog => EEVblog Specific => Topic started by: EEVblog on March 08, 2017, 09:07:26 pm
-
How to find and inspect hidden serial UART terminal ports inside equipment.
Dave finds the uBoot Windows CE UART part in the new Keysight 1000 X-Series oscilloscope and uses the info to find some of the product mode configuration pins. A hardware hack shows that changing product configuration modes in hardware is possible.
https://www.youtube.com/watch?v=YC6JCVHk80c (https://www.youtube.com/watch?v=YC6JCVHk80c)
-
Dump from a production DSOX1102G unit:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Flash: 512 KiB
NAND: internal ecc 128 MiB
Debug serial initialized ........OK
RTC: 2024-16-10 7:86:38.44 UTC
Microsoft Windows CE Bootloader Common Library Version 1.4 Built May 7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008
PHY not found.
System ready!
Preparing for download...
RTC: 2024-16-10 7:86:38.44 UTC
Loading image 1 from memory at 0xD0600000
O
BL_IMAGE_TYPE_BIN
X
XXXXOOOOXXOOOOOOOOXOXOOOOOOOOXOOOXOOOOXXOOOOOOOOOXOOOOXOXXOXOXXOXOXOXOXXXXOOXXXOOOOOOXXOXXOXXXXXXOOOXXXOXXOOOXXXOXXOOOOXOOXXOOOXOOOOXOXOOOOOXOOOXOOXOXXOXOXXXXXXOXXXXOOOXOOOXOXOOOOXOOOOXOXOXOOOOOOXX
OOOXOOXOOOOXOOOOXOOXXOOXOOOOOOOOOXOOOOXOOOOOOXOXOOOOXOXOOOOOOOXXOOXOOXOXOOOXOOOXOOXXOXOXOOOXOXXXXXOXOXXXOXXXXOXOXXOOOXXXXOXXXXOXXXXXXXOXXXXXXOXXOXXOXXOOXXOXXXOXXXXOOOXXX
OOOXXXOXXOOXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXXXXOOOXOXOOXOOXXXXXXXXXXXXXrom_offset=0x0.
XXImageStart = 0x80361000, ImageLength = 0x1A80C40, LaunchAddr = 0x80362000
Completed file(s):
-------------------------------------------------------------------------------
[0]: Address=0x80361000 Length=0x1A80C40 Name="" Target=RAM
Loading image 1 succeeded.
ROMHDR at Address 80361044h
Preparing launch...
RTC: 2024-16-10 7:86:38.47 UTC
Launching windows CE image by jumping at address 0x 362000
Windows CE Kernel for ARM (Thumb Enabled) Built on Mar 8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Sep 28 2016)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000 size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers\Active\14
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200 (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
LAN PHY NOT detected.
DeleteP500EnetRegistry:
\Comm\GMAC 0x0
\Comm\GMAC1 0x0
\Comm\Tcpip\Linkage 0x0
\Drivers\Virtual 0x0
\Drivers\BuiltIn\LIN 0x5
LIN: Data Valid
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
Device load time:
NANDFLASH: 1 ms
SNANDFLASH: 1 ms
SHIM DLL, LoadRealDll [PalIO.dll] for [AgilentPalIO.dll]
SHIM [AgilentPalIO.dll] Get Process Addresses
LaunchInfiniiVision:
=========================================
BLT Product Config 24
Bandwidth : 200MHz
#Channel : 2
Board Rev : FPR
Clk Gating : Baldwin
Sample Rate : 4GSa
LAN PHY : No
BLT Module Config 02
Rev : LP3
Sample Rate : 5GSa/s
=========================================
BLT_PRODUCT_CONFIG_0, 1.251v, ID4
BLT_PRODUCT_CONFIG_1, 0.692v, ID2
BLT_MODULE_CONFIG_0, 0.687v, ID2
BLT_MODULE_CONFIG_1, 0.005v, ID0
CANINE_BOARD_REV, 0.002v, ID0
CANINE_MODEL_NAME: MARSUPIAL, 1.738v, ID6, MARSUPIAL
CANINE_EXTMODULE, 2.488v, ID8, SWID8
CANINE_MSO_REV, 0.628v, ID2, SWID2
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll]
SHIM [AgilentPalSStorage.dll] Get Process Addresses
Released build, Sep 28 2016, 00:17:51
Initializing FPGA...
************************************
FPGA Type: Marsupial
Ver: 1.067 Released
Build Time: Tue Jun 14 17:13:42 2016
Build Machine: 2UA5461ZWH
************************************
cMarsupialCalMgr::cMarsupialUserCalFactors::cMarsupialUserCalFactors size 146412
cMarsupialCalMgr::cMarsupialServiceCalFactors::cMarsupialServiceCalFactors size 704
cMarsupialCalMgr::cMarsupialFactoryCalFactors::cMarsupialFactoryCalFactors size 896
Calibration mode User
Recall \Secure\cal\FactoryCal2.dat - ok
Recall \Secure\cal\ServiceCal1.dat - ok
Recall \Secure\cal\UserCal8.dat - ok
Cal Date Sun Sep 25 15:11:58 2016
will do USB phy workaround: CheckCRC
Startup sequence is complete.
System has been running 16.841095 seconds
Start Up Sequence 7.470958
Memory Load 50%
System Physical Memory 36.441 / 73.465 MB
Process Virtual Memory 46.938 / 1024.000 MB
-----> InfiniiVision is running <-----
-
Where we find the photo of the early non production model?
-
Is this Keysight trying to do a Rigol? An unauthorised yet acceptable hack?
-
I've found the other product set resistors, playing now... :)
-
You just know that a letter from their legal team is inbound now...
Well done :)
-
Is this Keysight trying to do a Rigol? An unauthorised yet acceptable hack?
This wouldn't be the first time a Keysight InfiniiVision scope has been hacked. In the past it's been a "at your own risk" and "for your use only" activity, anyone trying to sell hacked units got a nice letter from the legal folks.
In no way are we leaking info for or sponsoring a Keysight hackathon scenario.
But :popcorn:
-
I've found the other product set resistors, playing now... :)
Huge progress, stay tuned!
-
:D
Wouuah so nice!
As i see in video, changing resistor values change specification, seems a little dumb question but this kind of change can really have an impact on measuring values?
Is hardware not define the specs like acquisition speed or anything?
I really want to seeee mooreeee, can't wait :D
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200 (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
Another stupid question concerning the pretending 2nd rs232, do you think that also define by values of resistors?
like if scope load a generic image and adapt it in resistor's value?
-
I've found the other product set resistors, playing now... :)
Huge progress, stay tuned!
This ain't no 100MHz bandwidth scope ;D
-
No review published yet, only a teardown.
But seems to be hacked very soon... :o
WOW! That was fast!
-
No review published yet, only a teardown.
I've shot some review footage, but good reviews are a lot of work.
I more excited about the hacking at present.
I can currently change the bandwidth and max sample rate ;D
-
I now have a 220MHz bandwidth scope :-+
-
Making quick work of it
Sent from my SM-G935V using Tapatalk
-
It seem like the resistors will change the configuration, but if they sell upgrades there must be data in ROM that can override those settings. That said, they must only be able to upgrade via software, but not downgrade below the configuration set by the resistors or your resistor mod would have no affect.
Sent from my SM-G935V using Tapatalk
-
I now have a 220MHz bandwidth scope :-+
How exciting, cant wait to get mine!
What are you getting for sample rates?
-
It seem like the resistors will change the configuration, but if they sell upgrades there must be data in ROM that can override those settings. That said, they must only be able to upgrade via software, but not downgrade below the configuration set by the resistors or your resistor mod would have no affect.
It seems weird that they would have both. :popcorn:
How does software upgrade work? By entering a code like on Rigols?
(ie. is there a menu to enter option codes?)
-
No review published yet, only a teardown.
I've shot some review footage, but good reviews are a lot of work.
Sorry. Really: No offense intended. (English isn´t my first language...)
I more excited about the hacking at present.
Who isn´t? :popcorn:
I can currently change the bandwidth and max sample rate ;D
I now have a 220MHz bandwidth scope :-+
Again: WOW! That was fast! :clap: :-+
-
How does software upgrade work? By entering a code like on Rigols?
(ie. is there a menu to enter option codes?)
That's what it sounded like. Dave mentioned purchasing licenses, which keysight has done in the past for other scopes
Sent from my SM-G935V using Tapatalk
-
I now have a 220MHz bandwidth scope :-+
Told ya!!!
-
Very cool! Might see a new oscilloscope on my desk soon... :-+
-
Keysight oscilloscope dept.:
"He's almost got it!"
"Really, so soon?"
"Yeah, pretty close. Get ready for sales numbers to shoot up on these babies."
-
Keysight oscilloscope dept.:
"He's almost got it!"
"Really, so soon?"
"Yeah, pretty close. Get ready for sales numbers to shoot up on these babies."
True story.
Unfortunately it is a Danaher. Even worse, it is a bottom of the barrel crippled Danaher running...Windows, so paying actual cash is for it is kinda...not very clever. Lucky for the guys who got it for free though.
-
Keysight oscilloscope dept.:
"He's almost got it!"
"Really, so soon?"
"Yeah, pretty close. Get ready for sales numbers to shoot up on these babies."
True story.
Unfortunately it is a Danaher. Even worse, it is a bottom of the barrel crippled Danaher running...Windows, so paying actual cash is for it is kinda...not very clever. Lucky for the guys who got it for free though.
Umm, no. Keysight is Keysight. Danaher owns Tektronix.
-
Keysight oscilloscope dept.:
"He's almost got it!"
"Really, so soon?"
"Yeah, pretty close. Get ready for sales numbers to shoot up on these babies."
Not if you have to solder tiny resistors to do it. :popcorn:
Sales will shoot up after the keygen appears.
-
Maybe the resistors sets up the default configuration and it can still be modified via software. :-+
-
Oh my. History repeating itself!Keysight know about this, its an early sales ploy. The hardware hack and eventual software hack will eventually be blocked. Meanwhile people will buy the scopes and give early great sales figures. People like thinking they are getting something for nothing. Otherwise why would Keysight send out new scopes to the likes of Dave(EEVBLOG) and Julian Illett and others for free. Vloggers in Electronics are awash with new Keysight kit.
-
Ben Heck has got a new Keysight Scope too :) Imagine :)
-
No need to imagine. Brand marketing via giving vloggers free products has worked before and will work again and again.
-
Keygen will take a while unless you can pull the image through the debug. It's an arm architecture, so I'm sure it could be decoded
Sent from my SM-G935V using Tapatalk
-
I just want to say this was one of your best videos in awhile. My only hope of getting this scope is the contest. My recent 1054z is was barely gotten past my wife! But watching this kind of hands on stuff is you at your best.
Sent from my E6830 using Tapatalk
-
Not if you have to solder tiny resistors to do it. :popcorn:
Sales will shoot up after the keygen appears.
I suspect that a Keygen won't be enough.
There is likely some way to override the config resistor in the boot code but that's a different software hack. If no one does that then modding resistors might be the only way. Especially if you want the 200MHz.
-
I don't see there ever being a keygen for this scope, and I hope there isn't. If there is a keygen for the 1000 scope it would likely be usable with the 2000/3000 series as well. The dollar value of the options is just too high for there to be a permanent way to enable all software options - Keysight would have to respond. Right now there are software hacks for the 2000/3000 series but you can always tell at boot or on the system info screen, the hacking can't be hidden.
Changing some jumpers to get more bandwidth is all good in my book though!
-
The ethics police will be here soon with their stock moral bankruptcy thing.
-
Ethics police were already headed off at the pass. Daniel from Keysight basically have the green light earlier in the thread.
Sent from my E6830 using Tapatalk
-
I now have a 220MHz bandwidth scope :-+
Would it now be fairer to compare the feature/price of the 1000X vs Rigol's DS2000 series instead of the 1054Z?
-
Maybe the resistors sets up the default configuration and it can still be modified via software. :-+
My thoughts exactly, a user buys, say, the 70MHz version but upgrades it with keys to 100MHz (if that's an upgrade path that Keysight offer), somehwere down the line the 'EEPROM' goes corrupt or the user does a factory reset, the resistors set the 'scope back to 70MHz so the keys have to be input again.
At a guess I'd say the software will be broken at some point but Windows CE is closed source so Keysight have made it that bit more difficult over a Linux based product where they have to make at least some of their source available.
All in, I think it's a pretty damn impressive 'scope, I'd like one for my first digital 'scope so I'm hoping I am incredibly lucky and win one.
If not, I've got to find some (very rare) overtime and some serious saving to do.
Maybe a paper round...
-
Hello everybody
Here is TME.EU price comparison (excluding VAT):
DSOX1102A: 70 MHz 2 Analog Channels 1 Mpts 2 GSa/s 50,000 wfms/s 630 USD
DSOX1102G: 70 MHz 2 Analog Channels 1 Mpts 2 GSa/s 50,000 wfms/s 823 USD
EDUX1002A: 50 MHz 2 Analog Channels 100 kpts 1 GSa/s 50,000 wfms/s 436 USD
EDUX1002G: 50 MHz 2 Analog Channels 100 kpts 1 GSa/s 50,000 wfms/s 630 USD
Available upgrades:
DSOX1B7T102 70 Mhz > 100 MHz (for DSOX only) 224 USD
EDUX1EMBD I2C, UART/RS-232 (for EDUX only) 147 USD
DSOX1EMBD I2C, UART/RS-232 (for DSOX only) 147 USD
DSOX1AUTO CAN, LIN (for DSOX only) 147 USD
DSOX2022A: 200 MHz 2 Analog Channels 1 Mpts 2 GSa/s 50,000 wfms/s 2227 USD
-
Maybe the resistors sets up the default configuration and it can still be modified via software. :-+
My thoughts exactly, a user buys, say, the 70MHz version but upgrades it with keys to 100MHz (if that's an upgrade path that Keysight offer), somehwere down the line the 'EEPROM' goes corrupt or the user does a factory reset, the resistors set the 'scope back to 70MHz so the keys have to be input again.
The software will always be able to override the resistors, because it's the same software that reads the resistor voltage.
But as it stands I have a 200MHz 1000X on my bench now. I can even get it to 2.5GS/s with some issues that I'm reasonably confident are solvable.
Keysight don't sell a 200MHz 1000X series, so I've got extra performance thanks to a soldering iron ;D
Warranty definitely void!
I can set it to 50MHz, 100MHz, and 200MHz analog bandwidth and either 1GS or 2GS by twiddling resistor values. Haven't found 70MHz yet, although I found the boot option that displays that value. Video rendering tonight.
All that's needed for confirmation is to repeat the hack using the EDUX1102G
If you can get a US$650 2CH 200MHz bandwidth 2GS 1M scope with function gen for that price then it's going to be very popular.
-
If you can get a US$650 2CH 200MHz bandwidth 2GS 1M scope with function gen for that price then it's going to be very popular.
Quite possibly but you don't have to hack a SDS1202X+ @ $ 765 on promo with Decoders thrown in.
13M more memory depth too.
-
Oh my. History repeating itself!Keysight know about this, its an early sales ploy. The hardware hack and eventual software hack will eventually be blocked. Meanwhile people will buy the scopes and give early great sales figures. People like thinking they are getting something for nothing. Otherwise why would Keysight send out new scopes to the likes of Dave(EEVBLOG) and Julian Illett and others for free. Vloggers in Electronics are awash with new Keysight kit.
Because it's CHEAP advertising !!
3DB
-
If you can get a US$650 2CH 200MHz bandwidth 2GS 1M scope with function gen for that price then it's going to be very popular.
Quite possibly but you don't have to hack a SDS1202X+ @ $ 765 on promo with Decoders thrown in.
13M more memory depth too.
Damn, ok, that's really great value.
-
All that's needed for confirmation is to repeat the hack using the EDUX1102G
Also is it possible to switch on wave generator in EDUX1002A.
-
All that's needed for confirmation is to repeat the hack using the EDUX1102G
Also is it possible to switch on wave generator in EDUX1102A.
No, it does not physically have the BNC
(http://www.meilhaus.de/default/pix/a/n/EDUX1002A.2.jpg)
-
Yah... but I got drill and soldering iron ;)
-
Yah... but I got drill and soldering iron ;)
I greatly doubt they include the components on the PCB. There is a lot of stuff there to add if the footprints are there.
-
Vloggers in Electronics are awash with new Keysight kit.
If the consider the manufacturing cost of these devices and then compare it to the cost of advertising then it is an absolute no brainer to try and get these as visible as possible. I've seen them all over youtube so I feel targeted! However, I'm not sure how worthwhile the exercise actually is since as a hobbyist my budget is below these for a 2-channel scope, my Rigol works fine. (My next upgrade, if I ever do, will be to 4 channels). The result of the viewer survey will be interesting... I imagine the vast majority of the audience of the EEVBlog channel aren't in the market for this device, either being non-scope users, cheap scope users or at the other end of the spectrum being professionals (who would look for something with more channels/functions etc). I have seen these also on less technical channels where they seem ridiculously out of place but the economics of giving them away to get exposure can't be faulted... they probably only have to sell a handful more to get their money back and there will be some pro-sumer types out there with the necessary $$$.
It would be nice to see the features on this scope that I don't get in my cheapo Rigol just for comparison. I don't own a Ferrari but it doesn't mean I don't admire them when I see one. :)
On the hacking front... The serial debug is interesting... suggests that the structure is very like the 2000/3000 series discussed elsewhere... looks like a firmware mod via USB or a direct approach to the internal FAT file system in the NAND might be more the way to go. I think Keysight use FlexLM type licencing so the .dll that validates those licences might be the way to go.... but it hasn't got 4-CH so not interesting to me.
-
Electronics hobbyists are a right bunch of cheapskates, complaining about spending £500 on a new oscilloscope! One of my (amateur) musician friends has just spent £4,500 on a second-hand concertina, which will need a ~£350 overhaul to make it properly playable.
-
Electronics hobbyists are a right bunch of cheapskates, complaining about spending £500 on a new oscilloscope! One of my (amateur) musician friends has just spent £4,500 on a second-hand concertina, which will need a ~£350 overhaul to make it properly playable.
I can only talk from personal experience... but yes there are moths in my wallet. However... if your requirement is to see some waveforms once in a blue moon to either diagnose some development or fix something and for the majority of the time the equipment ends up turned off it is difficult to justify £££££ when £££ meets the requirement. If their new musical instrument actually sounds better then maybe they can justify the extra cost but in the case of a scope then I can't imagine the trace on a £££ scope looks much different from a £££££ scope within certain criteria... i.e. when you go to higher frequencies etc then you end up having to spend the £££££ or deciding not to do the project. I would like SPI decoding... just not sure how ££ much... If I used my scope everyday then I would definitely spend more.
-
Yah... but I got drill and soldering iron ;)
I greatly doubt they include the components on the PCB. There is a lot of stuff there to add if the footprints are there.
Of course you are right. I watched your teardown video, there must be two deferent MB version for G and A. Even if it is possible to populate all that stuff in wave gene circuit ... it could be more fun to build own generator.
-
Electronics hobbyists are a right bunch of cheapskates, complaining about spending £500 on a new oscilloscope! One of my (amateur) musician friends has just spent £4,500 on a second-hand concertina, which will need a ~£350 overhaul to make it properly playable.
Some are definitely cheapskates,by choice or necessity, it's going to take me two years to save for one of these, having kids and an ex partner isn't cheap so I have to be very cheap when it comes to my hobby.
-
Interesting, especially to get that boot log out of it.
But it never ceases to amaze me seeing Dave use this huge soldering iron tip on small board items (me, I prefer the small tips for that ! I guess it's an Australian thing, like the butcher knife ... :)).
-
I can set it to 50MHz, 100MHz, and 200MHz analog bandwidth and either 1GS or 2GS by twiddling resistor values. Haven't found 70MHz yet, although I found the boot option that displays that value. Video rendering tonight.
That is very impressive, in such short amount of time! :-+
Also you might want to fiddle more with UART2 if you run out of other options to try. It seems very easy to trace the signals, since they use a very straightforward BGA fanout pattern (straight outwards from each quadrant). From those vias you can access the signals directly or trace them to the side connector and probe them over there. Maybe the UART2 doesnt output anything by default, but it might be capable of accepting input? Like a standard console with help functionality perhaps?
UART2 seems to operate at 115k2, as indicated by the initialization string:
SER2 Serial Port, new baud rate:0x1c200 (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)0x1c200 = 115200
It must be initialized for a reason i suspect...
-
Electronics hobbyists are a right bunch of cheapskates, complaining about spending £500 on a new oscilloscope! One of my (amateur) musician friends has just spent £4,500 on a second-hand concertina, which will need a ~£350 overhaul to make it properly playable.
Sounds like your friend has a lot more cash to burn than most electronics hobbyists.
-
Also you might want to fiddle more with UART2 if you run out of other options to try. It seems very easy to trace the signals, since they use a very straightforward BGA fanout pattern (straight outwards from each quadrant). From those vias you can access the signals directly or trace them to the side connector and probe them over there. Maybe the UART2 doesnt output anything by default, but it might be capable of accepting input? Like a standard console with help functionality perhaps?
I think Mike said he xrayed the board and didn't find anything?
-
I can only assume the UART2 pins are part of the BGA fanout, right? And if so it must be accessible, if only from those vias alone.
So we have an actual xray of the board as well? Would be interesting to see 8)
-
I think Mike said he xrayed the board and didn't find anything?
Will those images be posted any time? What are people using to do xrays on boards; I'm guessing part of a BGA rework setup?
-
I can set it to 50MHz, 100MHz, and 200MHz analog bandwidth and either 1GS or 2GS by twiddling resistor values. Haven't found 70MHz yet, although I found the boot option that displays that value. Video rendering tonight.
All that's needed for confirmation is to repeat the hack using the EDUX1102G
If you can get a US$650 2CH 200MHz bandwidth 2GS 1M scope with function gen for that price then it's going to be very popular.
Wow! Just wow!
If a resistor twiddle made a EDUX1002A into 200MHz then that would be a very interesting proposition!
-
I think Mike said he xrayed the board and didn't find anything?
Will those images be posted any time? What are people using to do xrays on boards; I'm guessing part of a BGA rework setup?
Mike uses a Faxitron MX-20:
https://www.youtube.com/watch?v=mYrjOIiJv88 (https://www.youtube.com/watch?v=mYrjOIiJv88)
-
I can set it to 50MHz, 100MHz, and 200MHz analog bandwidth and either 1GS or 2GS by twiddling resistor values. Haven't found 70MHz yet, although I found the boot option that displays that value. Video rendering tonight.
All that's needed for confirmation is to repeat the hack using the EDUX1102G
If you can get a US$650 2CH 200MHz bandwidth 2GS 1M scope with function gen for that price then it's going to be very popular.
Wow! Just wow!
If a resistor twiddle made a EDUX1002A into 200MHz then that would be a very interesting proposition!
unlocking memory is more important imho
-
At a guess I'd say the software will be broken at some point but Windows CE is closed source so Keysight have made it that bit more difficult over a Linux based product where they have to make at least some of their source available.
On that note, where's the u-boot source?
-
Ethics police were already headed off at the pass. Daniel from Keysight basically have the green light earlier in the thread.
It was not about Daniel, it was about the forum's resident voluntary ethics police task force.
-
Nice point missage :palm:
-
If you can get a US$650 2CH 200MHz bandwidth 2GS 1M scope with function gen for that price then it's going to be very popular.
Quite possibly but you don't have to hack a SDS1202X+ @ $ 765 on promo with Decoders thrown in.
13M more memory depth too.
Damn, ok, that's really great value.
Yep.
Forgot to mention it's got AWG too and it's the MSO version but you have to buy the 16ch probe set and activation.
-
I think Mike said he xrayed the board and didn't find anything?
Will those images be posted any time? What are people using to do xrays on boards; I'm guessing part of a BGA rework setup?
Mike bought an XRAY machine years ago.
3DB
-
I can set it to 50MHz, 100MHz, and 200MHz analog bandwidth and either 1GS or 2GS by twiddling resistor values. Haven't found 70MHz yet, although I found the boot option that displays that value. Video rendering tonight.
That is very impressive, in such short amount of time! :-+
Also you might want to fiddle more with UART2 if you run out of other options to try. It seems very easy to trace the signals, since they use a very straightforward BGA fanout pattern (straight outwards from each quadrant). From those vias you can access the signals directly or trace them to the side connector and probe them over there. Maybe the UART2 doesnt output anything by default, but it might be capable of accepting input? Like a standard console with help functionality perhaps?
UART2 seems to operate at 115k2, as indicated by the initialization string:
SER2 Serial Port, new baud rate:0x1c200 (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)0x1c200 = 115200
It must be initialized for a reason i suspect...
I tried sending <CR> and other characters during boot with no obvious effect
I suspect the initialisation thing is simply that part of the boot process setting up the UART, despite it previously having been initialised by the earlier boot process. UART2 is the one connected to the connector pads.
-
uboot can likely be interrupted with the space bar.
-
Ethics police were already headed off at the pass. Daniel from Keysight basically have the green light earlier in the thread.
It was not about Daniel, it was about the forum's resident voluntary ethics police task force.
Yes, and those ethics police have nothing to get in a knot about, for the reasons I said.
Sent from my E6830 using Tapatalk
-
https://www.youtube.com/watch?v=eeds2QsUa_w (https://www.youtube.com/watch?v=eeds2QsUa_w)
-
This is hilarious! :-DD only 9 days after launch...
-
Might have been useful to list the resistor values for the 200MHz "working" configuration...
There seemed to be some other fairly obvious config/build version resistors, two sets where only one of two R's was populated.
It would be interesting to see what, if any, differences you see in the outputs of the 74HC595 near the front-end.
I had a brief look, and there is a mux in there so it could be it's selecting between full and limited-bandwidth paths.
Didn't see anything that looked like a Rigol style varicap,
-
Thanks for the work Dave! Now I just need the money to buy one. :-)
-
Regarding the "Revisions"
LP1 = Lab Prototype 1 (normal first prototype build with final design)
LP2 = Lab Prototype 2 (second interation)
PP = Production Prototype (Final production design to do tests with, dropping, climate chamber, EMC and such)
put those bad emissions on frequencies of the nearby radio station next to the testlab! So no one will know ;)
-
Great videos, Dave.
Thanks
-
This is hilarious! :-DD only 9 days after launch...
you are pretending this wasn't the plan all along
-
Regarding the "Revisions"
LP1 = Lab Prototype 1 (normal first prototype build with final design)
LP2 = Lab Prototype 2 (second interation)
PP = Production Prototype (Final production design to do tests with, dropping, climate chamber, EMC and such)
put those bad emissions on frequencies of the nearby radio station next to the testlab! So no one will know ;)
Sounds reasonable, except these aren't prototype units.
-
Regarding the "Revisions"
LP1 = Lab Prototype 1 (normal first prototype build with final design)
LP2 = Lab Prototype 2 (second interation)
PP = Production Prototype (Final production design to do tests with, dropping, climate chamber, EMC and such)
put those bad emissions on frequencies of the nearby radio station next to the testlab! So no one will know ;)
Sounds reasonable, except these aren't prototype units.
Yes, but you're inserting much lower values than your production unit started with. You originally had a product config of 24, with a revision of FPR.
-
Regarding the "Revisions"
LP1 = Lab Prototype 1 (normal first prototype build with final design)
LP2 = Lab Prototype 2 (second interation)
PP = Production Prototype (Final production design to do tests with, dropping, climate chamber, EMC and such)
put those bad emissions on frequencies of the nearby radio station next to the testlab! So no one will know ;)
Sounds reasonable, except these aren't prototype units.
Yes, but you're inserting much lower values than your production unit started with. You originally had a product config of 24, with a revision of FPR.
Yes, just some leftover identifiers in the firmware images that haven't been cleaned out. Exactly the sort of thing that can get invalidated by a new firmware update.
-
You can calculate the voltage needed for a given ID by this equation.
x=ID#
5/1024*64*x=Voltage
-
Yes, but you're inserting much lower values than your production unit started with. You originally had a product config of 24, with a revision of FPR.
Right.
FPR=Final Production Revision?
-
But it never ceases to amaze me seeing Dave use this huge soldering iron tip on small board items (me, I prefer the small tips for that ! I guess it's an Australian thing, like the butcher knife ... :)).
I reckon it might be a genetic thing from British ancestry, my go to Iron is a Weller W60D with a 3.2mm tip and it gets used for *everything* down to and including rework on stuff like this BL1551 (which is in a smaller package than the SOT363 and yes, I did catch the plastic on the connector but replaced it afterwards for cosmetic reasons).
For really small stuff I might use a smaller iron tip.
-
Yes, but you're inserting much lower values than your production unit started with. You originally had a product config of 24, with a revision of FPR.
Right.
FPR=Final Production Revision?
Yep it´s "Production Run"
L* is normally not produced by the production P* is produced on the production line, this is especially relevant if the production site is not the same site as the development site IMHO..
Most of the time the serial numbers gives away the country of origin, so US* is produced in US (at least assembled and tested) as far as i know.
-
I'm surprised no one has put a set of digital potentiometers, wacked in a relay, and automated the configuration testing
Sent from my SM-G935V using Tapatalk
-
Actually using a row of d-pots you can automate the testing process, and then you can select the model you want before boot through an Arduino-based interface, setting the d-pots to the appropriate values.
-
Does someone have an image of the AWG section from a NON-AWG version?
As Dave brillantly pointed out, that option seems to be enabled by those ID resistors.
I'm really interested to know if the parts are fully unpopulated or simply missing the BNC.
As the option brings the price of the scope up by about 200$US, a "solder yourself" part list would be a great aftermarket warranty-voiding option!
Thanks!
-
Great news that the hack is working on Dave's unit. But remember that he has the full list of software keys enabled.
It might be that the resistors allow the system to know the capabilities of the scope's hardware, but the final decision of enabling and disabling an upgradable feature could very well still be up to software licence keys. That would be at least how i would design such a product feature.
So perhaps Dave's scope is not the best scope to verify all these upgrades on... But still good news that a 100MHz enabled bandwidth scope can be upgraded to a 200MHz+ model :)
-
I wonder why they even do it that way (configuration resistors).. So they have to keep boards with different part numbers in their warehouse for the different configurations... Otherwise production could just assemble the units, whack on a sticker with the correct model number they are currently producing and flash it to the right Bandwidth / Samplerate setting via Software.. So one Board version instead of X...
The BNC Connector + analog circuits could be put on a daughterboard which is only installed once someone buys the option in the models with that option.. So you can mass produce the base boards and use them in all productversion instead of doing a specific board for each version...
-
It could be that the resistors Dave changed are only the "pullup" resistors (or better said the fixed part of the divider), and that the config resistors are on the other board. Which makes more sense.
-
resistors are generally to tell the software what build variant the hardware is, so there will be other differences spart from the R's
-
Just spotted this in the datasheet, implying that at least some of the wavegen hardware is fitted as standard.
All models come standard with built-in training signals
-
One other thing,
The EDU models have very limited memory depth: 100kpts vs 1Mpts for the non EDU.
I'm wondering if this is easily verifiable to check if a hacked scope will get more of those sweet pts'es.
-
I think someone needs to go buy an EDUX...
-
I think someone needs to go buy an EDUX...
You think anyone round here's going to buy one before the end of the month? ;)
-
There is more difference:
Trigger types: edge, pulse width, and video on EDUX1000-Series models.
DSOX1000-Series models add: pattern, rise/fall time, and setup and hold.
but this seems to be only software modes.
-
I think someone needs to go buy an EDUX...
Agreed!
-
Does someone have an image of the AWG section from a NON-AWG version?
I bought the 70MHz version without AWG (DSOX1102A). Here are pics of the main board.
-
So that answers the question about population - not only the function gen outputs not fitted but also some PSU components near the power-in connector.
Is the PSU the same ?
-
15 and 18 volt supplies for the Wavegen I guess.
-
Is the PSU the same ?
Here's the power supply. Looks the same to me as the one in Dave's teardown. I'm happy to take other pictures of the scope if anyone would find them useful.
-
I wonder, if you do the mod described, if you would get an error for missing components.
Sent from my SM-G935V using Tapatalk
-
I wonder, if you do the mod described, if you would get an error for missing components.
Sent from my SM-G935V using Tapatalk
As it's just output control, filtering etc. I doubt it would know.
But there will certainly be an option resistor somewhere to let the software know.
RossS - any chance you could dump the startup messages to see what the ID values are ?
-
Of course instead of adding the parts to the main PCB, a more warranty-friendly option would be to just take the signals off onto a piggyback PCB with all the parts on
-
I'm impressed.
But i admit that i would not modify any Keysight-Scope in the warranty-time.
After that ... maybe ;)
-
Does someone have an image of the AWG section from a NON-AWG version?
I bought the 70MHz version without AWG (DSOX1102A). Here are pics of the main board.
Thanks
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=298270;image)
So they only fit the parts needed for the demo output. Same PCB as expected.
-
Is the PSU the same ?
Here's the power supply. Looks the same to me as the one in Dave's teardown. I'm happy to take other pictures of the scope if anyone would find them useful.
70MHz No Gen
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=298277;image)
100MHz
(https://c1.staticflickr.com/1/769/32365818313_a1219843b6_c.jpg) (https://flic.kr/p/Rj4hbe)Keysight 1000 X-Series Oscilloscope Teardown (https://flic.kr/p/Rj4hbe) by Dave Jones (https://www.flickr.com/photos/eevblog/), on Flickr
-
Is the whole batch of those black-and-gold-marking caps on the primary, ever so slightly bulged? The one in the teardown video definitely was (as confirmed by Dave himself, in the comments) :-//
Not like i'd trust Aishi / Asia-X / Xunda / OKCAP ( :scared: ) in any of my gear anyway... :-BROKE
The only two missing are CapXon and Fuhjyyu :palm:
That being said, "of course" it's the same 5-10$ power supply - would you really expect them to spec different models for the with / without wavegen models? :)
Economies of scale ::)
-
RossS - any chance you could dump the startup messages to see what the ID values are ?
Sure, no harm in holding a probe up to the right via. Looks like the dump is the same as Dave's, except I've got BLT Product Config 23 instead of his 24.
My DSOX1102A:
BLT Product Config 23
Bandwidth : 200MHz
#Channel : 2
Board Rev : FPR
Clk Gating : Baldwin
Sample Rate : 4GSa
LAN PHY : No
BLT Module Config 02
Rev : LP3
Sample Rate : 5GSa/s
=========================================
BLT_PRODUCT_CONFIG_0, 0.985v, ID3
BLT_PRODUCT_CONFIG_1, 0.692v, ID2
BLT_MODULE_CONFIG_0, 0.687v, ID2
BLT_MODULE_CONFIG_1, 0.010v, ID0
Dave's DSOX1102G (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg1154965/#msg1154965 (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg1154965/#msg1154965)):
BLT Product Config 24
Bandwidth : 200MHz
#Channel : 2
Board Rev : FPR
Clk Gating : Baldwin
Sample Rate : 4GSa
LAN PHY : No
BLT Module Config 02
Rev : LP3
Sample Rate : 5GSa/s
=========================================
BLT_PRODUCT_CONFIG_0, 1.251v, ID4
BLT_PRODUCT_CONFIG_1, 0.692v, ID2
BLT_MODULE_CONFIG_0, 0.687v, ID2
BLT_MODULE_CONFIG_1, 0.005v, ID0
Full dump from my DSOX1102A:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Flash: 512 KiB
NAND: internal ecc 128 MiB
Debug serial initialized ........OK
RTC: 2024-17-3 7:102:37.47 UTC
Microsoft Windows CE Bootloader Common Library Version 1.4 Built May 7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008
PHY not found.
System ready!
Preparing for download...
RTC: 2024-17-3 7:102:37.47 UTC
Loading image 1 from memory at 0xD0600000
O
BL_IMAGE_TYPE_BIN
X
XXXXOOOOXXOOOOOOOOXOXOOOOOOOOXOOOXOOOOXXOOOOOOOOOXOOOOXOXXOXOXXOXOXOXOXXXXOOXXXOOOOOOXXOXXOXXXXXXOOOXXXOXXOOOXXXOXXOOOOXOOXXOOOXOOOOXOXOOOOOXOOOXOOXOXXOXOXXXXXXOXXXXOOOXOOOXOXOOOOXOOOOXOXOXOOOOOOXX
OOOXOOXOOOOXOOOOXOOXXOOXOOOOOOOOOXOOOOXOOOOOOXOXOOOOXOXOOOOOOOXXOOXOOXOXOOOXOOOXOOXXOXOXOOOXOXXXXXOXOXXXOXXXXOXOXXOOOXXXXOXXXXOXXXXXXXOXXXXXXOXXOXXOXXOOXXOXXXOXXXXOOOXXX
OOOXXXOXXOOXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXXXXOOOXOXOOXOOXXXXXXXXXXXXXrom_offset=0x0.
XXImageStart = 0x80361000, ImageLength = 0x1A80C40, LaunchAddr = 0x80362000
Completed file(s):
-------------------------------------------------------------------------------
[0]: Address=0x80361000 Length=0x1A80C40 Name="" Target=RAM
Loading image 1 succeeded.
ROMHDR at Address 80361044h
Preparing launch...
RTC: 2024-17-3 7:102:37.50 UTC
Launching windows CE image by jumping at address 0x 362000
Windows CE Kernel for ARM (Thumb Enabled) Built on Mar 8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Sep 28 2016)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000 size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers\Active\14
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200 (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
LAN PHY NOT detected.
DeleteP500EnetRegistry:
\Comm\GMAC 0x0
\Comm\GMAC1 0x0
\Comm\Tcpip\Linkage 0x0
\Drivers\Virtual 0x0
\Drivers\BuiltIn\LIN 0x5
LIN: Data Valid
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
Device load time:
NANDFLASH: 1 ms
SNANDFLASH: 1 ms
SHIM DLL, LoadRealDll [PalIO.dll] for [AgilentPalIO.dll]
SHIM [AgilentPalIO.dll] Get Process Addresses
LaunchInfiniiVision:
=========================================
BLT Product Config 23
Bandwidth : 200MHz
#Channel : 2
Board Rev : FPR
Clk Gating : Baldwin
Sample Rate : 4GSa
LAN PHY : No
BLT Module Config 02
Rev : LP3
Sample Rate : 5GSa/s
=========================================
BLT_PRODUCT_CONFIG_0, 0.985v, ID3
BLT_PRODUCT_CONFIG_1, 0.692v, ID2
BLT_MODULE_CONFIG_0, 0.687v, ID2
BLT_MODULE_CONFIG_1, 0.010v, ID0
CANINE_BOARD_REV, 0.002v, ID0
CANINE_MODEL_NAME: MARSUPIAL, 1.740v, ID6, MARSUPIAL
CANINE_EXTMODULE, 2.488v, ID8, SWID8
CANINE_MSO_REV, 0.630v, ID2, SWID2
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll]
SHIM [AgilentPalSStorage.dll] Get Process Addresses
Released build, Sep 28 2016, 00:17:51
Initializing FPGA...
************************************
FPGA Type: Marsupial
Ver: 1.067 Released
Build Time: Tue Jun 14 17:13:42 2016
Build Machine: 2UA5461ZWH
************************************
cMarsupialCalMgr::cMarsupialUserCalFactors::cMarsupialUserCalFactors size 146412
cMarsupialCalMgr::cMarsupialServiceCalFactors::cMarsupialServiceCalFactors size 704
cMarsupialCalMgr::cMarsupialFactoryCalFactors::cMarsupialFactoryCalFactors size 896
Calibration mode User
Recall \Secure\cal\FactoryCal2.dat - ok
Recall \Secure\cal\ServiceCal1.dat - ok
Recall \Secure\cal\UserCal8.dat - ok
Cal Date Wed Dec 14 11:24:30 2016
will do USB phy workaround: CheckCRC
Startup sequence is complete.
System has been running 14.642057 seconds
Start Up Sequence 5.924234
Memory Load 48%
System Physical Memory 34.906 / 73.465 MB
Process Virtual Memory 44.500 / 1024.000 MB
-----> InfiniiVision is running <-----
-
Is the whole batch of those black-and-gold-marking caps on the primary, ever so slightly bulged? The one in the teardown video definitely was (as confirmed by Dave himself, in the comments) :-//
The one on my scope definitely is as well. :-\
-
Is the whole batch of those black-and-gold-marking caps on the primary, ever so slightly bulged? The one in the teardown video definitely was (as confirmed by Dave himself, in the comments) :-//
The one on my scope definitely is as well. :-\
Pre-bulged caps? Maybe they do some sort of burn-in on the power supply boards before installation.
Weed out the really bad ones. :-+
-
@RossS
You probably don't want to hack into your new scope, but I see that your BLT_PRODUCT_CONFIG_0, 0.985v, ID3 while Dave's (G) version is ID4 (1.25V). Would the wavegen appear as enabled/present on yours if you changed that ID I wonder?
-
That is precisely what I was thinking. If you could enable it, buy or roll your own front end
Sent from my SM-G935V using Tapatalk
-
Wonder what the portion of the dumps with X and O is for? If binary, why not just use ASCII?
Sent from my SM-G935V using Tapatalk
-
For what it's worth, I was able to interrupt the boot process by sending a space over UART1 immediately after power on:
P500 Boot Loader Configuration :
Mac address .......... (00:03:D3:04:10:00)
Ip address ........... (192.168.1.100)
Subnet Mask address .. (255.255.255.0)
DHCP ................. (Enabled)
Boot delay (seconds).. (0)
Load image 1 at startup
Image addresses. (0xdxxxxxxx for NAND, 0x8xxxxxxx for RAM)
1 (0xd0600000)
2 (0xd1e00000)
1) Load memory resident image 1 now
2) Load memory resident image 2 now
3) Load memory resident image 3 now
d) Download from platform builder now
u) Start u-boot by resetting
v) Verify Images
>
Image 1 is what's loaded by default. I'm curious to know what image 2 is (maybe a factory reset / backup image?), though I didn't want to try booting from it.
I also buzzed out the UART2 pins and found them routed to one of the main board connectors, but the traces appear to stop at that point. I tried connecting to it, but nothing is transmitted (confirmed on a scope that TX just stays high after power on), and nothing I sent at 115.2k baud seemed to do anything. Oh well.
-
@RossS
You probably don't want to hack into your new scope, but I see that your BLT_PRODUCT_CONFIG_0, 0.985v, ID3 while Dave's (G) version is ID4 (1.25V). Would the wavegen appear as enabled/present on yours if you changed that ID I wonder?
Ok, why not. :p I changed that config resistor to match Dave's G version scope, and now I get the same product config as he had (ID4, and overall config 24).
It looks like that enabled the wavegen license (see picture), but then I realized the front bezel has no wavegen button, so I couldn't easily continue poking. You'd have to hack that in too along with the output bnc and all the other missing components. Seems like a lot of effort at this point to get free (well, parts cost only) wavegen.
-
Hacking in a membrane button and adding all the components might not be worth it, but you could try to verify that the wavegen functionality is present by improvising a button while powering the scope without the front panel? Any conductive material over the pads should do it.
-
Hacking in a membrane button and adding all the components might not be worth it, but you could try to verify that the wavegen functionality is present by improvising a button while powering the scope without the front panel? Any conductive material over the pads should do it.
I think it's fairly clear the functionality is there. As more evidence, I can select wavegen as a trigger source now where it previously wasn't an option. I'm not personally interested in the wavegen support and it's a bit of a pain to get access to the front of the keyboard pcb, so I'd rather hold off on further tests for now.
-
You can plug in a USB keyboard for text entry. I wonder if there are key aliases for the front-panel buttons.
-
Anyone tried to hook the scope up to a PC and control it with BenchVue? .. never mind, the 1000X series is not on the support list http://www.keysight.com/main/editorial.jspx?cc=NO&lc=eng&ckey=2418722&nid=-32133.0.08&id=2418722 (http://www.keysight.com/main/editorial.jspx?cc=NO&lc=eng&ckey=2418722&nid=-32133.0.08&id=2418722)
Do Keysight not plan to support this for 1000X series?
-
Anyone tried to hook the scope up to a PC and control it with BenchVue? .. never mind, the 1000X series is not on the support list http://www.keysight.com/main/editorial.jspx?cc=NO&lc=eng&ckey=2418722&nid=-32133.0.08&id=2418722 (http://www.keysight.com/main/editorial.jspx?cc=NO&lc=eng&ckey=2418722&nid=-32133.0.08&id=2418722)
Do Keysight not plan to support this for 1000X series?
I'm sure they will, but probably not top priority at the moment.
-
You can plug in a USB keyboard for text entry. I wonder if there are key aliases for the front-panel buttons.
Any luck with a USB to network adapter? I've been pondering if they happened to support one since it first came out. If it does support one I imagine it may be one specific model though.
-
Hi,
I am just wondering what the current state of the hack is?
I believe:
1) The bandwidth can be increased by changing the ID resistors.
2) The max sampling rate can be changed also with the ID resistors.
3) The memory depth can be changed
4) The Wavegen can be turned on in the software, but this is not so useful, because a significant piece of circuitry is missing from the main board. Mikeselectricstuff suggested that this could be addressed with an add in board to replace the missing parts. But if you do this you are left with the missing button on the front panel.
So this suggests that if you want the Wavegen you need to buy the minimum configuration with the Wavegen hardware installed.
At this time the Embedded serial triggering and analysis for I²C, SPI, UART/RS-232 (DSOX1EMBD), for I²C, UART/RS-232 (EDUX1EMBD) has not been hacked?
This might be the most useful hack.
Did I get it right?
I think that's correct, though I've not yet seen specific info on resistor values to get the "optimum" functionality - bit of a major omission from Dave's video.
The main thing we don't know is what features (if any) are disabled by license in the EDUX version, and if any of the links are equivalent to the 70->100MHz upgrade.
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=298583;image)
I am tempted to buy one of the DSOX 1000 scope just to get the Bode plot function. I do a lot of work with power supply control loops so the FRA would really useful. It is cheaper to buy a DSOX-1000 scope than but the software option for a DSOX-3000T scope. But the limited (coarse) granularity of the FRA is a show stopper at the moment.
Regards,
Jay_Diddy_B
-
Well, even so, "just" with the already-confirmed(?) hacks, you can turn a 600$-ish 50MHz educational-wavegen one into a 1000$-ish >200MHz fully-fledged one... Which isn't too shabby in itself, imho.
Well, that is, assuming the issue Mike pointed out in his video from today, gets taken care of in the near future, of course :-+
I'm getting very tempted :scared:
PS: What're the odds this has the same front-end as the DSOX2000 series? That might sort of explain the >200MHz capability, methinks...
-
I think that's correct, though I've not yet seen specific info on resistor values to get the "optimum" functionality - bit of a major omission from Dave's video.
The main thing we don't know is what features (if any) are disabled by license in the EDUX version, and if any of the links are equivalent to the 70->100MHz upgrade.
-
You can plug in a USB keyboard for text entry. I wonder if there are key aliases for the front-panel buttons.
Any luck with a USB to network adapter? I've been pondering if they happened to support one since it first came out. If it does support one I imagine it may be one specific model though.
Not the one I tried. As AFAIK there is no "generic" USB-ethernet adapter, it would have to be something that is explicitly supported by the build of WinCE, and would also need to be supported by the Keysight application.
Seems unlikely, and not hugely useful. The only thing I've ever used network connectivity for on any scope is pulling screen images without having to plug in a USB stick
It does have SCPI support over USB, so that would cover a lot of use cases.
-
Hacking in a membrane button and adding all the components might not be worth it, but you could try to verify that the wavegen functionality is present by improvising a button while powering the scope without the front panel? Any conductive material over the pads should do it.
I think it's fairly clear the functionality is there. As more evidence, I can select wavegen as a trigger source now where it previously wasn't an option. I'm not personally interested in the wavegen support and it's a bit of a pain to get access to the front of the keyboard pcb, so I'd rather hold off on further tests for now.
It is really academic, because such a large part of the hardware is missing, but can you access the FRA or the Bode function?
Thanks,
Jay_Diddy_B_G ( I was hacked !!)
-
This scope, it's distribution to various video bloggers and it's quickly uncovered hackability is clearly a direct response to the success of the Rigol DS series.
It looks like a consumer grade hackable scope race is on!
My guess is the next generation of Chinese branded scopes offers better specs, is also widely distributed to bloggers and wink, wink, nod - is easily hacked.
-
This scope, it's distribution to various video bloggers and it's quickly uncovered hackability is clearly a direct response to the success of the Rigol DS series.
It looks like a consumer grade hackable scope race is on!
My guess is the next generation of Chinese branded scopes offers better specs, is also widely distributed to bloggers and wink, wink, nod - is easily hacked.
It is a great success in terms of how much interest it has generated. In some ways I think Keysight has won.
You can do some upgrades by hacking such as bandwidth and memory depth, but the really useful stuff like the Wavegen is still locked by the absent hardware. The serial decode SPI, CAN, I2C would be useful, but this has not been hacked (yet).
Regards,
Jay_Diddy_B
-
It is really academic, because such a large part of the hardware is missing, but can you access the FRA or the Bode function?
Yup, FRA "works". (It gives an error about voltage overload on the gen out bnc.)
You can plug in a USB keyboard for text entry. I wonder if there are key aliases for the front-panel buttons.
Looks like there are some key combinations (control-a for analyze, control-l for label, etc.), though I didn't find anything mapped to the wavegen function.
-
You can plug in a USB keyboard for text entry. I wonder if there are key aliases for the front-panel buttons.
Any luck with a USB to network adapter? I've been pondering if they happened to support one since it first came out. If it does support one I imagine it may be one specific model though.
Not the one I tried. As AFAIK there is no "generic" USB-ethernet adapter, it would have to be something that is explicitly supported by the build of WinCE, and would also need to be supported by the Keysight application.
Seems unlikely, and not hugely useful. The only thing I've ever used network connectivity for on any scope is pulling screen images without having to plug in a USB stick
It does have SCPI support over USB, so that would cover a lot of use cases.
Network could mean telnet access like the X2000/X3000 series - which to this point has been the key to "enabling" software licenses.
-
You can plug in a USB keyboard for text entry. I wonder if there are key aliases for the front-panel buttons.
Any luck with a USB to network adapter? I've been pondering if they happened to support one since it first came out. If it does support one I imagine it may be one specific model though.
Not the one I tried. As AFAIK there is no "generic" USB-ethernet adapter, it would have to be something that is explicitly supported by the build of WinCE, and would also need to be supported by the Keysight application.
Seems unlikely, and not hugely useful. The only thing I've ever used network connectivity for on any scope is pulling screen images without having to plug in a USB stick
It does have SCPI support over USB, so that would cover a lot of use cases.
Network could mean telnet access like the X2000/X3000 series - which to this point has been the key to "enabling" software licenses.
I wonder if the WinCE build includes RNDIS support. ;)
-
My guess is the next generation of Chinese branded scopes offers better specs, is also widely distributed to bloggers and wink, wink, nod - is easily hacked.
I doubt the Chinese are that smart. They're still rubbing numbers off chips FFS :-DD
-
Well, even so, "just" with the already-confirmed(?) hacks, you can turn a 600$-ish 50MHz educational-wavegen one into a 1000$-ish >200MHz fully-fledged one... Which isn't too shabby in itself, imho.
Well, that is, assuming the issue Mike pointed out in his video from today, gets taken care of in the near future, of course :-+
I'm getting very tempted :scared:
PS: What're the odds this has the same front-end as the DSOX2000 series? That might sort of explain the >200MHz capability, methinks...
The DSOX1000 series has a much "lower buck" front end then the X2000/X3000 series. Both the X2000/X3000 series have a front end processor capable of 1 GHz(actually should be 1.5 GHz).
-
I meant the analog front-end, not the ADC :)
At least Farnell "only" have 70 / 100 / 200MHz 2000X-series scopes, hence my hunch.
Well, even so, "just" with the already-confirmed(?) hacks, you can turn a 600$-ish 50MHz educational-wavegen one into a 1000$-ish >200MHz fully-fledged one... Which isn't too shabby in itself, imho.
Well, that is, assuming the issue Mike pointed out in his video from today, gets taken care of in the near future, of course :-+
I'm getting very tempted :scared:
PS: What're the odds this has the same front-end as the DSOX2000 series? That might sort of explain the >200MHz capability, methinks...
The DSOX1000 series has a much "lower buck" front end then the X2000/X3000 series. Both the X2000/X3000 series have a front end processor capable of 1 GHz(actually should be 1.5 GHz).
-
I am talking about the analog front end and not the ADC. The 2000/3000 series use a custom ASIC in the analog front end that is not present in the 1000X series. The 2000X series is limited to 200 MHz but that simply a choice Keysight has made.
I meant the analog front-end, not the ADC :)
At least Farnell "only" have 70 / 100 / 200MHz 2000X-series scopes, hence my hunch.
Well, even so, "just" with the already-confirmed(?) hacks, you can turn a 600$-ish 50MHz educational-wavegen one into a 1000$-ish >200MHz fully-fledged one... Which isn't too shabby in itself, imho.
Well, that is, assuming the issue Mike pointed out in his video from today, gets taken care of in the near future, of course :-+
I'm getting very tempted :scared:
PS: What're the odds this has the same front-end as the DSOX2000 series? That might sort of explain the >200MHz capability, methinks...
The DSOX1000 series has a much "lower buck" front end then the X2000/X3000 series. Both the X2000/X3000 series have a front end processor capable of 1 GHz(actually should be 1.5 GHz).
-
So given where this is going would you even bother going and buying a Rigol now?
-
So given where this is going would you even bother going and buying a Rigol now?
There are several other new scopes coming it seems, so waiting a little might make sense. Also the 1000X series doesn't have the software licenses hacked and I doubt that will happen anytime soon. For many people the DS1054Z may still be tough to beat - unless they prefer to see a higher end brand name on the bench(and who doesn't?).
-
- unless they prefer to see a higher end brand name on the bench(and who doesn't?).
..and a nice, responsive UI, proven firmware, support etc. etc....
Price isn't everything - some people just like to have nice things
-
For the record, I love how they were nice enough to give Dave a bunch of free scopes and he repaid them by hacking the crap out of it on YouTube like a week later.
-
For the record, I love how they were nice enough to give Dave a bunch of free scopes and he repaid them by hacking the crap out of it on YouTube like a week later.
I've no doubt that Dave had tacit permission from Keysight to do this. In fact I wouldn't be surprised if they encouraged it.
-
Dave stated under the youtube video that keysight did not give him permission to hack the scope, neither did they know he would do it.
-
Dave stated under the youtube video that keysight did not give him permission to hack the scope, neither did they know he would do it.
Of course he did. He's no fool and I'm sure the lawyers wouldn't have it any other way. That is why I said TACIT approval.
See post #6 in this thread from Daniel from Keysight and read between the lines...
-
For the record, I love how they were nice enough to give Dave a bunch of free scopes and he repaid them by hacking the crap out of it on YouTube like a week later.
I've no doubt that Dave had tacit permission from Keysight to do this. In fact I wouldn't be surprised if they encouraged it.
Or even provided some hints on how to get started. Dave? Care to comment
-
So given where this is going would you even bother going and buying a Rigol now?
There are several other new scopes coming it seems, so waiting a little might make sense. Also the 1000X series doesn't have the software licenses hacked and I doubt that will happen anytime soon. For many people the DS1054Z may still be tough to beat - unless they prefer to see a higher end brand name on the bench(and who doesn't?).
What 'software' licences are you talking about specifically?
-
The serial decode options - that's pretty much all that's left.
-
So given where this is going would you even bother going and buying a Rigol now?
There are several other new scopes coming it seems, so waiting a little might make sense. Also the 1000X series doesn't have the software licenses hacked and I doubt that will happen anytime soon. For many people the DS1054Z may still be tough to beat - unless they prefer to see a higher end brand name on the bench(and who doesn't?).
What 'software' licences are you talking about specifically?
DSOX1EMBD which is I2C, SPI, UART
DSOX1AUTO which is CAN/LIN
EDUX1EMBD which is I2C, UART for EDU models.
There are also software bandwidth upgrades(so far only to 100 MHz that we know of) which could mean easier upgrades without having to open the case of the scope.
Keysight can also easily disable any/all 200 MHz performance in firmware in the future if they want no matter the jumper settings.
-
For the record, I love how they were nice enough to give Dave a bunch of free scopes and he repaid them by hacking the crap out of it on YouTube like a week later.
I've no doubt that Dave had tacit permission from Keysight to do this. In fact I wouldn't be surprised if they encouraged it.
Or even provided some hints on how to get started. Dave? Care to comment
IF this were even remotely true, I would not expect Dave to make any comment - and if he did, I can't see him offering anything other than denial.
As for Daniel's comment, he simply indicated that whatever a person does with their own scope is up to them. After all, what they do in their own lab would be impossible to police.
Their legal department would start taking an active interest if someone was trying to sell hacked scopes. I would think that is pretty obvious - as this would directly impact Keysight's sales.
-
For the record, I love how they were nice enough to give Dave a bunch of free scopes and he repaid them by hacking the crap out of it on YouTube like a week later.
I've no doubt that Dave had tacit permission from Keysight to do this. In fact I wouldn't be surprised if they encouraged it.
Or even provided some hints on how to get started. Dave? Care to comment
IF this were even remotely true, I would not expect Dave to make any comment - and if he did, I can't see him offering anything other than denial.
As for Daniel's comment, he simply indicated that whatever a person does with their own scope is up to them. After all, what they do in their own lab would be impossible to police.
Their legal department would start taking an active interest if someone was trying to sell hacked scopes. I would think that is pretty obvious - as this would directly impact Keysight's sales.
Yes, this would be the case. Legally speaking, it is your property. Legal from Keysight would nail anyone redistributing scopes that were hacked, the same as they would nail anyone selling knockoffs rebranded as Keysight.
Sent from my SM-G935V using Tapatalk
-
The serial decode options - that's pretty much all that's left.
Which is of not a lot of interest to me. Thats so easy to do with a Logic Analyser and a PC..
-
Their legal department would start taking an active interest if someone was trying to sell hacked scopes. I would think that is pretty obvious - as this would directly impact Keysight's sales.
[/quote]
Yes, this would be the case. Legally speaking, it is your property. Legal from Keysight would nail anyone redistributing scopes that were hacked, the same as they would nail anyone selling knockoffs rebranded as Keysight.
Sent from my SM-G935V using Tapatalk
[/quote]
If i took a 'red led flasher' and replaced the led with a green led and then resold it. ( it was my property, i am allowed to sell it ), would i be breaking any law? Is the situation not the same with this scope? Its your property, you can do what you want with it, change it, paint it, etc etc.
What law would you be breaching.. Your not hacking any code. Your just using the scope in a way it was'tn possibly intended to be done.
Note: I'm not even contemplaing becoming a scope mod resale shp.. but thats not the point.
-
IANAL. The Keysight legal department would be the people to ask.
-
IANAL. The Keysight legal department would be the people to ask.
I doubt you would get an unbiased view from Keysights legal department!
-
Why would you need an unbiased view?
I would have thought their view would be EXACTLY the view that would be of interest.
-
Because their view will be tainted by the fact they want you to belive that they have all the power.
What i want to know is what law would be broken, by swapping some resistors and reselling something you own.
Again i repeat i'm not at all interested in doing this. Its not worth the drama but it is interesting
Now back to our normal programming.
-
What i want to know is what law would be broken, by swapping some resistors and reselling something you own.
I'm not a lawyer, but I like to theorize. I don't think you'll break a law, but you might break a license or publish trade secrets. Now, if the resistor values are generally known, like published on an Internet forum, I think you could sell an "original" scope and offer to do the modifications for the buyer. Once. If you start making money doing that, then a whole lot of other laws ( country dependent, of course) about what are acceptable business practices come to play. I'd guess you'd lose that.
I wouldn't do that either, but I might buy a Keysight, if my trusty HP ever dies.
-
I am tempted to buy one of the DSOX 1000 scope just to get the Bode plot function.
Have you seen the bode plot?
https://www.eevblog.com/forum/testgear/new-keysight-scope-1st-march-2017/msg1153443/#msg1153443 (https://www.eevblog.com/forum/testgear/new-keysight-scope-1st-march-2017/msg1153443/#msg1153443)
-
What i want to know is what law would be broken, by swapping some resistors and reselling something you own.
I'm not a lawyer, but I like to theorize. I don't think you'll break a law, but you might break a license
You can only break a license if you have agreed to it. There is an EULA in the box but unless you admit to have read it, it's highly unlikely to be enforceable.
or publish trade secrets.
That is only an issue if you publish "inside" information, e.g. if you are an employee or came by info under NDA.
-
I am tempted to buy one of the DSOX 1000 scope just to get the Bode plot function.
Have you seen the bode plot?
https://www.eevblog.com/forum/testgear/new-keysight-scope-1st-march-2017/msg1153443/#msg1153443 (https://www.eevblog.com/forum/testgear/new-keysight-scope-1st-march-2017/msg1153443/#msg1153443)
Wait & see if they will improve the resolution. in its present form it's near-useless.
You can do frequency response plots using the wavegen ( FM modulation with ramp ,100% symmetry, trigger from wavegen modulation)
-
So given where this is going would you even bother going and buying a Rigol now?
The Fat Lady hasn't sung yet, and:
* Rigol hacking doesn't require taking it apart and soldering microscopic resistors. A lot of people aren't up for that
* Software hacking this hasn't even started yet and might prove difficult (eg. take it apart and use a JTAG programmer)
* It still costs 50% more than a Rigol and has less features (eg. less channels, less memory, no Ethernet)
But ... if an easy software hack appears for this it would be a very attractive option, yes.
-
Well, even so, "just" with the already-confirmed(?) hacks, you can turn a 600$-ish 50MHz educational-wavegen one into a 1000$-ish >200MHz fully-fledged one... Which isn't too shabby in itself, imho.
Hang on, have I missed something? Has anyone confirmed that the resistor hack works using the 50MHz EDUX version as the starting point??
-
Well, even so, "just" with the already-confirmed(?) hacks, you can turn a 600$-ish 50MHz educational-wavegen one into a 1000$-ish >200MHz fully-fledged one... Which isn't too shabby in itself, imho.
Hang on, have I missed something? Has anyone confirmed that the resistor hack works using the 50MHz EDUX version as the starting point??
No.
Bear in mind it's possible there are hardware differences in the front end, as there isn't an official upgrade path for that model.
-
What i want to know is what law would be broken, by swapping some resistors and reselling something you own.
No law has been broken unless that's what a judge rules at the end of a court case.
The problem with cases like this are:
a) They are so rare that there is very little existing case law
b) Cases are always different and highly reliant upon technical detail an interpretation of existing laws that almost never cover that exact circumstance
c) They can be very often international in nature which complicates things enormously
d) They are very extensive and costly, and because they often have a broad reaching public interest nature, often go to the highest court in the land. They often become landmark trials so to speak if defended far enough.
-
So given where this is going would you even bother going and buying a Rigol now?
There are several other new scopes coming it seems, so waiting a little might make sense. Also the 1000X series doesn't have the software licenses hacked and I doubt that will happen anytime soon. For many people the DS1054Z may still be tough to beat - unless they prefer to see a higher end brand name on the bench(and who doesn't?).
And also, the Rigol is a full 4-channel scope, while the 1000X is... less than 3?
-
So given where this is going would you even bother going and buying a Rigol now?
There are several other new scopes coming it seems, so waiting a little might make sense. Also the 1000X series doesn't have the software licenses hacked and I doubt that will happen anytime soon. For many people the DS1054Z may still be tough to beat - unless they prefer to see a higher end brand name on the bench(and who doesn't?).
And also, the Rigol is a full 4-channel scope, while the 1000X is... less than 3?
I will have my hands on a new budget 2CH scope on Wed.
It's kinda weird in that there doesn't seem to be any date embargo with it, and the exchange will take place with trenchcoats outside the dumpster room at midnight.
-
Intriguing. 8)
-
So given where this is going would you even bother going and buying a Rigol now?
There are several other new scopes coming it seems, so waiting a little might make sense.
Wait a couple of weeks and see where this hacking goes. Be aware that the Keysight costs 50% more, has less features, and resistor hacking will almost certainly void the warranty. Even if you restore the original resistors it will probably be obvious that they're hand soldered.
(Rigol hacks can be removed in seconds with telnet and an Ethernet cable).
-
Even if you restore the original resistors it will probably be obvious that they're hand soldered.
Piggyback resistor with z-axis tape perhaps.
-
I don;t believe it is illegal to resale "improved" hardware, if you don't sale the way to mod it. If that was the case a chip tuned car would be impossible to sale.
Alexander.
-
Poking around the front end, it appears the bandwidth is limited in the ADC/ASIC.
In 5V/div & up ranges it's actually good to about 350MHz.
-
Most useful I found for an 1102G is 03, which gives 200MHz and 2GSps.
config 03 appears to have some subtle issues - CH2 edge trigger stops working when serial bus is enabled.
-
So given where this is going would you even bother going and buying a Rigol now?
Now? Well, there may be a dilemma, but two years ago when I wanted a scope, DS1054Z was all the rage. I bought it because it has 4 channels (2 is nice, but 4 is more), hackable and affordable (or at least, within my purchasing power; I was asked by family members "How much did it cost? Do you really need that? What is it, anyway?" "A lot. No. An oscilloscope.").
If I was buying a scope today, perhaps I would choose some other brand and model, but two years ago, it was a good deal. Now I have a scope and honestly don't see a need for another one. This one is perfectly fine.
At this moment, even if Keysight was the same price as this Rigol, and had better features, I still wouldn't buy it for one simple reason - I already have a scope. Keysight was late to the party. I suspect I am not the only amateur hobbyist tinkerer that made the same decision.
-
Well, even so, "just" with the already-confirmed(?) hacks, you can turn a 600$-ish 50MHz educational-wavegen one into a 1000$-ish >200MHz fully-fledged one... Which isn't too shabby in itself, imho.
Hang on, have I missed something? Has anyone confirmed that the resistor hack works using the 50MHz EDUX version as the starting point??
EDU models come with 75Mhz probes... Highly unlikely EDU models will get to 200Mhz as the DSOXs.
Hope to be wrong though!
(http://i.imgur.com/ngEIjAN.jpg)
-
What i want to know is what law would be broken, by swapping some resistors and reselling something you own.
I'm not a lawyer, but I like to theorize. I don't think you'll break a law, but you might break a license or publish trade secrets. Now, if the resistor values are generally known, like published on an Internet forum, I think you could sell an "original" scope and offer to do the modifications for the buyer. Once. If you start making money doing that, then a whole lot of other laws ( country dependent, of course) about what are acceptable business practices come to play. I'd guess you'd lose that.
I wouldn't do that either, but I might buy a Keysight, if my trusty HP ever dies.
Is it ethical.. well thats a different discussion..
-
So given where this is going would you even bother going and buying a Rigol now?
There are several other new scopes coming it seems, so waiting a little might make sense. Also the 1000X series doesn't have the software licenses hacked and I doubt that will happen anytime soon. For many people the DS1054Z may still be tough to beat - unless they prefer to see a higher end brand name on the bench(and who doesn't?).
And also, the Rigol is a full 4-channel scope, while the 1000X is... less than 3?
I will have my hands on a new budget 2CH scope on Wed.
It's kinda weird in that there doesn't seem to be any date embargo with it, and the exchange will take place with trenchcoats outside the dumpster room at midnight.
The one mentioned here?
https://www.eevblog.com/forum/testgear/scope-wait-for-new-models/msg1090385/#msg1090385 (https://www.eevblog.com/forum/testgear/scope-wait-for-new-models/msg1090385/#msg1090385)
-
Is it ethical.. well thats a different discussion..
Well, this was not hard to predict
The ethics police will be here soon with their stock moral bankruptcy thing.
-
Is it ethical.. well thats a different discussion..
Well, this was not hard to predict
The ethics police will be here soon with their stock moral bankruptcy thing.
Lets not have the ethics discussion here.. you can have it over there ---->
-
So given where this is going would you even bother going and buying a Rigol now?
If I was buying a scope today, perhaps I would choose some other brand and model, but two years ago, it was a good deal.
It's still a good deal. You won't get more value for $400 than a hacked DS1054Z. Not even close.
You might be able to get something 'nicer' if you're prepared to give up some features but in general terms it still kicks everybody else's ass.
(And it still will even when this Keysight hits the streets - the Keysight is at least 50% more expensive for less channels, less memory, etc.)
-
So given where this is going would you even bother going and buying a Rigol now?
If I was buying a scope today, perhaps I would choose some other brand and model, but two years ago, it was a good deal.
It's still a good deal. You won't get more value for $400 than a hacked DS1054Z. Not even close.
::)
By the time the community has finished with these new Keysights they'll blow the socks off a 54Z.
-
So given where this is going would you even bother going and buying a Rigol now?
If I was buying a scope today, perhaps I would choose some other brand and model, but two years ago, it was a good deal.
It's still a good deal. You won't get more value for $400 than a hacked DS1054Z. Not even close.
You might be able to get something 'nicer' if you're prepared to give up some features but in general terms it still kicks everybody else's ass.
(And it still will even when this Keysight hits the streets - the Keysight is at least 50% more expensive for less channels, less memory, etc.)
with canbus and lin,
signal generator,
test signals (apparently for training but i could use them to simulate problems in communications)
much more bandwidth, higher samplerate
much better for the advanced hobbyist
-
i have two more workstations to setup for work..
Scope, 2 multimeters, 2 power supplys are the basic test tools on the bench. the idea is that these tools stay at that workbench.
-
i have two more workstations to setup for work..
Scope, 2 multimeters, 2 power supplys are the basic test tools on the bench. the idea is that these tools stay at that workbench.
Once nice thing about the KS range for places with multiple scopes is you have basically the same UI on the lowest and high-end ( barring some button locations)
-
Daniel's response....
https://youtu.be/GerxUs3gfls?t=756
-
By the time the community has finished with these new Keysights they'll blow the socks off a 54Z.
It seems to me that this Keysight scope that Dave hacks in the video (the DS1102G) is not designed to compete with the Rigol DX1054Z series scopes. Those are 1GS/S 4 channel scopes at the bottom end of their line. At <$400 they are an incredible value but they have several limitations. The new Keysight EDUX scopes are more in line with the Rigol DX1054Z class scopes at 1GS/S and nearer the $400 price point. But even if they prove easily hackable beyond their 50 MHz spec to compete with the low end Rigols, they will still be limited by fewer channels and perhaps only 100 kpts memory..
The Keysight 1102x series is more in line to compete with the Rigol DS2072 series of scopes. Both 2 channel, 2GS/S scopes and closer in price point.
-
Daniel's response....
https://youtu.be/GerxUs3gfls?t=756
Not only did he not discourage hacking in any way, he advertised that in doing so you can more than double the BW. :-+
-
Daniel's response....
https://youtu.be/GerxUs3gfls?t=756
Not only did he not discourage hacking in any way, he advertised that in doing so you can more than double the BW. :-+
The fact thet he even mentioned it was a surprise - this is the sort of thing that companies, especially big ones, rarely comment on, whatever their official or unofficial attitude is.
-
Daniel's response....
https://youtu.be/GerxUs3gfls?t=756
Not only did he not discourage hacking in any way, he advertised that in doing so you can more than double the BW. :-+
And he almost seemed giddy about that fact that it was hacked already. Yep, it appears Keysight is just fine with the hack.
-
Yeah, I was already surprised when he first mentioned on the forum some time ago that hacking for personal use is OK. Most companies wouldn't say anything, anywhere, even remotely close to that.
This openness and the great support I've received on their DMMs and power supplies (both new and old) keep them on my "good" list. Sure, sometimes there may be a mixup or other snafu, like any company, but overall they've been great to work with.
-
It's still a good deal. (DS1054Z)
signal generator,
test signals (apparently for training but i could use them to simulate problems in communications)
much more bandwidth, higher samplerate
much better for the advanced hobbyist
The base model doesn't even have the connectors/buttons for those things. If you're saying that something twice as expensive as a DS1054Z can be better than the DS1054Z after a lot of hardware hacking, then... I guess so. :-//
-
actually only the signal generator is not present. test signals are available from the probe compensation port.
How convenient, trimming the messages. you forgot that i also said
CANBUS
you can't hack it on the 1054z, i'm sooo sorry.
also you forgot that i said "higher bandwidth/samplerate"
AFAIK in this pricerange besides the keysight only the sds2000x comes with 2 -> 1 GS/s
yup. i need the samplerate, that's why i haven't already got the sds1000x+
remember that i said "the advanced hobbyist"? one whose needs aren't satisfied by the 1054z?
And i haven't already got this one keysight because march ain't over yet.
-
And he almost seemed giddy about that fact that it was hacked already. Yep, it appears Keysight is just fine with the hack.
It might actually work in Keysight's favour.
The only real reason for Keysight to worry is if selling a 1000X which was subsequently hacked robs them of the sale of a more expensive 'scope.
By and large this is not going to happen. Almost no-one who buys a 'scope commercially will hack it, and a hobbyist probably isn't in the market for the high end stuff anyway.
So it will probably attract business which is no bad thing and hacking the 'scope will void the warranty which is even better from Keysight's point of view as they get a sale without the potential cost of support.
-
makes me wonder can a 3000 series be upgrade from 100Mhz to 1Ghz?
-
1 GHz is significantly higher than 100 MHz. In general, you can get to a 200 MHz with fairly standard off-the-shelf components. But, pushing beyond that starts to require more custom work.
Somewhere on this thread people are doing hardware hacks to change their 3000 X-Series scopes, but it looks pretty hands-on and is definitely not recommended.
I'll also reiterate again that neither I, nor anyone else in Keysight, gave info to Dave about board IDs, hacking, etc.
Also, LP stands for "Lab Prototype" :-/O
-
also you forgot that i said "higher bandwidth/samplerate"
AFAIK in this pricerange besides the keysight only the sds2000x comes with 2 -> 1 GS/s
yup. i need the samplerate, that's why i haven't already got the sds1000x+
The Rigol DS2072 series of scopes have 2GS/s sample rate and prices start at $839 versus $877 for the least expensive of the new Keysight scopes with 2GS/s.
-
I will have my hands on a new budget 2CH scope on Wed.
It's kinda weird in that there doesn't seem to be any date embargo with it, and the exchange will take place with trenchcoats outside the dumpster room at midnight.
Why would a scope be wearing a trenchcoat ?
-
also you forgot that i said "higher bandwidth/samplerate"
AFAIK in this pricerange besides the keysight only the sds2000x comes with 2 -> 1 GS/s
yup. i need the samplerate, that's why i haven't already got the sds1000x+
The Rigol DS2072 series of scopes have 2GS/s sample rate and prices start at $839 versus $877 for the least expensive of the new Keysight scopes with 2GS/s.
$38 doesn't seem like much to pay for a stable clock circuit.
-
No law has been broken unless that's what a judge rules at the end of a court case.
Clearly some cases (like killing someone) will have an obvious outcome in tial, even if not tried.
It seems to me that hardware mods, whatever beneficial effect they may have (except copyright infringement, at least in the part of the globe where I live) can not be illegal. If the better specs are already locked up in the box, you should be free to release them.
-
makes me wonder can a 3000 series be upgrade from 100Mhz to 1Ghz?
3000A can be upgraded to 500 MHz
3000T can almost certainly be upgraded to 1 GHz (The mod is in progress, I'll have more info in another week or two)
Edit - I should add both of these mods require hardware changes.
-
also you forgot that i said "higher bandwidth/samplerate"
AFAIK in this pricerange besides the keysight only the sds2000x comes with 2 -> 1 GS/s
yup. i need the samplerate, that's why i haven't already got the sds1000x+
The Rigol DS2072 series of scopes have 2GS/s sample rate and prices start at $839 versus $877 for the least expensive of the new Keysight scopes with 2GS/s.
$38 doesn't seem like much to pay for a stable clock circuit.
Oh, for sure. My point was that the fair comparison should be between the DS1102G and the Rigol DS 2072 (not the DX1054Z). Some might say that 56 Mpts memory in the Rigol is killer advantage.
Also, keep in mind that the few bugs (including the clock jitter) in the Rigol DS scopes were not discovered until long after they had been introduced and used quite happily by many customers. Who knows what bugs are waiting to be discovered in the new Keysight scopes?. Regardless - they are excellent scopes for the price (as are the Rigols IMO) and this new "arms race" in scopes in the lower price ranges is a good thing for consumers. :)
-
Also, keep in mind that the few bugs (including the clock jitter) in the Rigol DS scopes were not discovered until long after they had been introduced and used quite happily by many customers. Who knows what bugs are waiting to be discovered in the new Keysight scopes?.
Except that most of the software and hardware has been proven over many years (SPI decode issue notwithstanding!) in the 2/3000, and you can expect updates from Keysight, whereas updates from Chinese manufacturers have been slow or nonexistent.
-
Also, keep in mind that the few bugs (including the clock jitter) in the Rigol DS scopes were not discovered until long after they had been introduced and used quite happily by many customers. Who knows what bugs are waiting to be discovered in the new Keysight scopes?.
Except that most of the software and hardware has been proven over many years (SPI decode issue notwithstanding!) in the 2/3000, and you can expect updates from Keysight, whereas updates from Chinese manufacturers have been slow or nonexistent.
Good point. But are you referring to firmware updates? Because Rigol has been releasing regular firmware updates with bug fixes on the DS2000 series scopes ever since their introduction (and 1 hardware update as well). A total of 6 updates in 4 years I believe.
-
also you forgot that i said "higher bandwidth/samplerate"
AFAIK in this pricerange besides the keysight only the sds2000x comes with 2 -> 1 GS/s
yup. i need the samplerate, that's why i haven't already got the sds1000x+
The Rigol DS2072 series of scopes have 2GS/s sample rate and prices start at $839 versus $877 for the least expensive of the new Keysight scopes with 2GS/s.
No rigol scope will be on my bench ever again. i'm done with chinese crap
i don't care if the 2000 series is better than the 1054z that fungus is always trying to push, i want to pay a premium and give my money to a brand that will be able to help me, listen and actually correct bugs
the rigol you state also doesn't have the signal generator. according to rigolna, DS2072A-S is 1189$
i'd still rather give my money to keysight, dso1000g 70 MHz + decode options is less than rigol if you want to put it that way
also, i don't care about deep memory.
-
also you forgot that i said "higher bandwidth/samplerate"
AFAIK in this pricerange besides the keysight only the sds2000x comes with 2 -> 1 GS/s
yup. i need the samplerate, that's why i haven't already got the sds1000x+
The Rigol DS2072 series of scopes have 2GS/s sample rate and prices start at $839 versus $877 for the least expensive of the new Keysight scopes with 2GS/s.
No rigol scope will be on my bench ever again. i'm done with chinese crap
i don't care if the 2000 series is better than the 1054z that fungus is always trying to push, i want to pay a premium and give my money to a brand that will be able to help me, listen and actually correct bugs
the rigol you state also doesn't have the signal generator. according to rigolna, DS2072A-S is 1189$
i'd still rather give my money to keysight, dso1000g 70 MHz + decode options is less than rigol if you want to put it that way
also, i don't care about deep memory.
Well that's a lot of emotion and opinion. Nothing wrong with that but all I was posting was some facts and clarifying the comparison. I have no opinion as to which is "better" which I think just comes down to personal preference as to which features are most important to a particular user. They both look good to me - as do some of the other manufacturer's scopes in this price range. But I'm sure there will be plenty of emotional, opinionated and passionate debate here for months to come about which scope in this price range is "better". ::)
Also FWIW, the new Keysight scopes are made in China and the Keysight model with the signal gen included (1102G) costs $1077,.
-
Also FWIW, the new Keysight scopes are made in China
But the firmware isn't
-
makes me wonder can a 3000 series be upgrade from 100Mhz to 1Ghz?
3000A can be upgraded to 500 MHz
3000T can almost certainly be upgraded to 1 GHz (The mod is in progress, I'll have more info in another week or two)
Edit - I should add both of these mods require hardware changes.
What level of 'hardware'mods are you anticipating for this? I see right now that Keysight is giving away a 1000x when you buy a 3000x. That would be good. the 1000x could live on a 'workstation' and the 3000 could be our high end scope for specific jobs where the increased bandwidth is required.
Thanks.. I see a DSOX3014T is around $USD4000.. a 4 channel 1Ghz scope for that bang for buck would be superb!
-
I've been looking at the specifications on this range of scopes - and I would like to propose a development path...
1. 2000X
2. 4000X
3. 6000X
After that, I believe they would have looked to leverage their efforts for greater market appeal, offering:
4. 3000X
and then
5. 1000X
by the usual nobbling.
Somewhere along the line, I expect they may have had a look at rolling a 5000X model, but that would have probably been abandoned because there would not have been sufficient differentiation at that end of the market.
This is my inspiration:
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=299171;image)
I suspect hacks would follow paths from 1000X to 2000X and from 3000X to 4000X .... or something along those lines.
-
Also FWIW, the new Keysight scopes are made in China
But the firmware isn't
this.
the ECU in my car is definetly made in china, the firmware isn't. i believe you don't see the analogy?
Also FWIW, the new Keysight scopes are made in China and the Keysight model with the signal gen included (1102G) costs $1077,.
http://it.farnell.com/keysight-technologies/dsox1102g/digital-storage-osc-70mhz-2-ch/dp/2690193 (http://it.farnell.com/keysight-technologies/dsox1102g/digital-storage-osc-70mhz-2-ch/dp/2690193)
http://www.batronix.com/shop/oscilloscopes/Rigol-DS2072A-S.html (http://www.batronix.com/shop/oscilloscopes/Rigol-DS2072A-S.html)
that's a cool hundy less for the keysight before tax
-
Is the whole batch of those black-and-gold-marking caps on the primary, ever so slightly bulged? The one in the teardown video definitely was (as confirmed by Dave himself, in the comments) :-//
The one on my scope definitely is as well. :-\
Pre-bulged caps? Maybe they do some sort of burn-in on the power supply boards before installation.
Weed out the really bad ones. :-+
Pre-bulged caps? are those anything like pre-exploded power strips?https://www.youtube.com/watch?v=pnJml7Rz3sQ (https://www.youtube.com/watch?v=pnJml7Rz3sQ)
-
Config 03 appears to have some subtle issues - Ch2 trigger stops working when serial bus enabled :(
-
Good point. But are you referring to firmware updates? Because Rigol has been releasing regular firmware updates with bug fixes on the DS2000 series scopes ever since their introduction (and 1 hardware update as well). A total of 6 updates in 4 years I believe.
I wouldn't call 6 updates in 4 years regular or adequate. Quite the opposite!
-
i want to pay a premium and give my money
also, i don't care about deep memory.
Well, that's you... :horse:
-
=PLEASE=
If it's not about this sweet DSOX1000 hacking, get your own topic.
Also, use the search feature for "rigol vs keysight" to find the proper arguing topic to fancy your taste instead of creating new ones.
Everyone here have a tough or two about how the market is changing, and where each products fit in (or not), but we are polite enough to argue about it in the proper channel and leave this thread to the people interested by the topic written on top of the page.
-
Good point. But are you referring to firmware updates? Because Rigol has been releasing regular firmware updates with bug fixes on the DS2000 series scopes ever since their introduction (and 1 hardware update as well). A total of 6 updates in 4 years I believe.
I wouldn't call 6 updates in 4 years regular or adequate. Quite the opposite!
Well, I guess it's relative and depends on perspective and personal preference. How many updates a year has Keysight been doing on their scopes?
I think relative to some other test equipment manufacturers, Rigol has been pretty good about updating firmware and addressing bugs.
Personally, unless there's a critical bug impacting what I do with a tool, I'd rather not be bothered to update the firmware more than once or twice a year. I realize that those in a professional setting may be in a different position.
Lots of opinions about what's best and who's better, etc, etc. My only point really is that blanket statements about Chinese TE manufacturer's manufacturing quality or firmware support/ bug fixes are not really justified IMO. They may have been in the past - but things have changed. The very fact that Rigol's affordable, consumer grade scopes have become so widely adopted and have so many satisfied users that Keysight (and other) "top tier" manufacturer's feel the need to release similar priced scopes proves the point I think.
IMHO it's too soon to know if Keysght (or R&S or others) will be able to compete with Rigol (or Siglent or GW Instek) on a price/performance basis at this end of the market.
No matter what - I think it's a good thing for consumers that they're trying and it will be fun to watch. :popcorn:
-
=PLEASE=
[..]
If it's not about this sweet DSOX1000 hacking, get your own topic.
[..]
will gladly try and get back in topic. I re-watched episode #979
dave measured 220MHz bandwidth in both configuration 02 and 03
but then mike said
Config 03 appears to have some subtle issues - Ch2 trigger stops working when serial bus enabled :(
asking because i can't do anything else at the moment :( : what has config 03 that 02 hasn't?
More memory?
If memory (huh) serves me right the megazoom asic here should have 4 Meg so in theory it could be possible to enable the full memory.... unless it's Partitioned as such:
halve it because 2 channels: 2Meg per channel (theoric)
halve it because it stores previous and current acquisition: 1Meg per channel (effective)
-
Is there a poor man's way of measuring the bandwidth of an oscilloscope like this? Not everyone has a >200 MHz signal generator with specified amplitude!
-
Just made something to simplify things...
dial-an-option!
-
what has config 03 that 02 hasn't?
From memory alternate option numbers tended to disable the wavegen. I've yet to see an obvious pattern/encoding though.
-
dial-an-option!
Brillant :-DD
From memory alternate option numbers tended to disable the wavegen. I've yet to see an obvious pattern/encoding though.
makes sense
-
Is there a poor man's way of measuring the bandwidth of an oscilloscope like this? Not everyone has a >200 MHz signal generator with specified amplitude!
You can calculate bandwidth from a single rising/falling edge. Pull a piece of wire low with a resistor, make it go high with a mechanical switch. :popcorn:
To minimize effects of inductance you should put a small ceramic capacitor or two between VCC&GND near the switch. Should be good enough for low frequencies like 200MHz.
I'm sure there's lots of articles on this if you google it.
-
Just made something to simplify things...
dial-an-option!
Nicely done, Mike!
-
OK folks bad news.
I've run through all the codes on the two links Dave played with.
12-18,28-88 and 04 give clock errors.
Some codes show offsets on the Y traces, and also time offsets between trigger event and trigger point on screen.
03 is the only code that gives 200MHz and apparently plausible operation, but it does have problems.
DC offsets on some Y ranges - difefrent between channels - possibly calibration related?
Enabling serial bus decode prevents Ch2 trigger working ( possibly offset related) .
I tried a user cal and it thought there were still signals connected.
Could be there is some scope by tweaking other links but I'm done with this - I'll leave it to others to play some more.
I returned to factory 24 config and did a user cal. I Just happened to still have terminal open when doing user cal and saw this :
Performing USER calibraion
######################## Channel 1 ########################
**** Baldwin Interpolator ****
fiPreDelay = 0x10
fiCalResult = 180
fiWide = 316
Final Cal Factor = 0x10
**** CAL PASSED **** Time: 1 seconds
**** Talon Calibrator ****
Calibrate AC Signal
Channel 1: Offset 0x20400 GainIndex 7 GainVern 0x1db0
Channel 2: Offset 0x20400 GainIndex 7 GainVern 0x1db0
Calibrate DC Signal
# Pts (out of 20): 20 B1 = 173657.888115 B0 = 126614.320739
# Pts (out of 20): 20 B1 = 170768.501484 B0 = 124845.623921
Testing...
Vin = -0.200000 AvgQLvl = 29.000000 VinActual = -0.193359
Vin = 0.000000 AvgQLvl = 131.500000 VinActual = 0.006836
Vin = 0.200000 AvgQLvl = 234.500000 VinActual = 0.208008
**** CAL PASSED **** Time: 2 seconds
**** Talon ****
**Talon Init Cal**
Slice Offset = 20
Slice offset correction successful
Using all slices for calibration
**Talon Dac Cal**
Gain Dac Iteration 1: Deltas 10 | Max 1 | Min -1
Gain Dac Iteration 2: Deltas 9 | Max 1 | Min -1
Gain Dac Iteration 3: Deltas 8 | Max 1 | Min -1
Offset Dac Iteration 1: Deltas 37 | Max 3 | Min -3
Offset Dac Iteration 2: Deltas 3 | Max 3 | Min -3
**Talon Pipeline Cal**
*** Talon pipeline cal ***
# pts not used = 0
Offset Adjustment = -25.965942
Gain Adjustment = 1.009946
**Talon4 Timing Cal**
Freq: 39.999963MHz
QMax 0xbd QMin 0x3c
Min Per: 2.490246e-008 Max Per: 2.509196e-008
Harmonic Used: 1
MajorPass 1 | Deltas 11 | Max Dac 4 | Min Dac -4
MajorPass 2 | Deltas 5 | Max Dac 5 | Min Dac -5
MajorPass 3 | Deltas 4 | Max Dac 4 | Min Dac -5
MinorPass 1 | Deltas 177 | Max Dac 25 | Min Dac -26
Minor Timing Vernier is clipped
MinorPass 2 | Deltas 80 | Max Dac 34 | Min Dac -37
**Talon Pipeline Cal**
*** Talon pipeline cal ***
# pts not used = 0
Offset Adjustment = -27.887817
Gain Adjustment = 1.010676
Using partial slices for calibration
**Talon Dac Cal**
Gain Dac Iteration 1: Deltas 0 | Max 1 | Min 0
Gain Dac Iteration 2: Deltas 0 | Max 1 | Min 0
Gain Dac Iteration 3: Deltas 0 | Max 1 | Min 0
Offset Dac Iteration 1: Deltas 0 | Max 3 | Min -2
Offset Dac Iteration 2: Deltas 0 | Max 3 | Min -2
**Talon Pipeline Cal**
*** Talon pipeline cal ***
# pts not used = 0
**** CAL PASSED **** Time: 112 seconds
**** DC Gain ****
28000, 0.812299 : -4418816.035018, 3617399.771942
28400, 0.812208 : -25035.786492 , 48734.277620
28800, 0.796231 : -4304.740688 , 32227.569411
29200, 0.703311 : -4761.655513 , 32548.922414
29600, 0.619306 : -4951.054696 , 32666.218487
30000, 0.538515 : -6040.760514 , 33253.041695
30400, 0.472298 : -6659.858803 , 33545.440844
30800, 0.412237 : -7267.789993 , 33796.052632
31200, 0.357200 : -9472.275061 , 34583.494105
31600, 0.314971 : -9543.879732 , 34606.047516
32000, 0.273060 : -11894.525749 , 35247.913863
32400, 0.239431 : -13151.239035 , 35548.809524
32800, 0.209015 : -14370.134360 , 35803.577236
33200, 0.181180 : -18566.455108 , 36563.865546
33600, 0.159636 : -18803.473684 , 36601.702128
34000, 0.138363 : -22895.421325 , 37167.875648
34400, 0.120892 : -25916.811236 , 37533.137830
34800, 0.105458 : -27704.177528 , 37721.630094
35200, 0.091020 : -36823.469298 , 38551.666667
35600, 0.080157 : -37929.753784 , 38640.343348
36000, 0.069611 : -45089.962406 , 39138.775510
36400, 0.060740 : -59312.970682 , 40002.684564
36800, 0.053996 : -285084.923599, 52193.548387
37200, 0.052593 : 0.000000 , 0.000000
Reference range = 0.472V
Coarse gain ratio
0.1x = 0.357 (1.324V)
0.4x = 1.000 (0.472V)
0.8x = 2.828 (0.167V)
2.0x = 7.846 (0.060V)
Gain# MIN MAX %OL
0 0.006703 0.103532
1 0.018598 0.287243
2 0.052593 0.812299
3 0.147422 2.276928
4 0.302873 4.677844
5 0.840301 12.978381
6 2.376298 36.701735
7 6.660921 102.877407
ADC half speed gain ratio = 0.991 (0.477V)
**** CAL PASSED **** Time: 15 seconds
**** Offset Error ****
AC Coupling
Gain# 0 [29487 (0.006703V) - 37407 (0.080000V), 45pts]
Gain# 1 [29614 (0.080000V) - 32629 (0.216000V), 45pts]
Gain# 2 [29559 (0.216000V) - 32754 (0.624000V), 45pts]
Gain# 3 [29826 (0.624000V) - 32661 (1.600000V), 45pts]
Gain# 4 [29617 (1.600000V) - 32002 (3.520000V), 45pts]
Gain# 5 [29677 (3.520000V) - 32692 (9.600000V), 45pts]
Gain# 6 [29569 (9.600000V) - 32809 (28.000000V), 45pts]
Gain# 7 [29497 (28.000000V) - 32692 (80.500000V), 45pts]
DC Coupling
Gain# 0 [29487 (0.006703V) - 37407 (0.080000V), 45pts]
Gain# 4 [29617 (1.600000V) - 32002 (3.520000V), 45pts]
AC Coupling
Gain# 0 [29487 (0.006703V) - 37407 (0.080000V), 45pts]
Gain# 1 [29614 (0.080000V) - 32629 (0.216000V), 45pts]
Gain# 2 [29559 (0.216000V) - 32754 (0.624000V), 45pts]
Gain# 3 [29826 (0.624000V) - 32661 (1.600000V), 45pts]
Gain# 4 [29617 (1.600000V) - 32002 (3.520000V), 45pts]
Gain# 5 [29677 (3.520000V) - 32692 (9.600000V), 45pts]
Gain# 6 [29569 (9.600000V) - 32809 (28.000000V), 45pts]
Gain# 7 [29497 (28.000000V) - 32692 (80.500000V), 45pts]
DC Coupling
Gain# 0 [29487 (0.006703V) - 37407 (0.080000V), 45pts]
Gain# 4 [29617 (1.600000V) - 32002 (3.520000V), 45pts]
0 retry out of 920 offset searched
**** CAL PASSED **** Time: 21 seconds
**** Trigger Level ****
div -3, pos slope dac = 0x95C3, neg slope dac = 0x94FD, avg = 38240.000
div -2, pos slope dac = 0x9341, neg slope dac = 0x9275, avg = 37595.000
div -1, pos slope dac = 0x90BB, neg slope dac = 0x8FF3, avg = 36951.000
div 0, pos slope dac = 0x8E37, neg slope dac = 0x8D6F, avg = 36307.000
div 1, pos slope dac = 0x8BB5, neg slope dac = 0x8AE7, avg = 35662.000
div 2, pos slope dac = 0x8931, neg slope dac = 0x8869, avg = 35021.000
div 3, pos slope dac = 0x86AB, neg slope dac = 0x85E3, avg = 34375.000
Trig 1 B1 = -644.000, B0 = 36307.286
div -3, pos slope dac = 0x959D, neg slope dac = 0x94DF, avg = 38206.000
div -2, pos slope dac = 0x9317, neg slope dac = 0x925B, avg = 37561.000
div -1, pos slope dac = 0x9095, neg slope dac = 0x8FD7, avg = 36918.000
div 0, pos slope dac = 0x8E0D, neg slope dac = 0x8D4F, avg = 36270.000
div 1, pos slope dac = 0x8B89, neg slope dac = 0x8ACB, avg = 35626.000
div 2, pos slope dac = 0x8905, neg slope dac = 0x8843, avg = 34980.000
div 3, pos slope dac = 0x8681, neg slope dac = 0x85C3, avg = 34338.000
Trig 2 B1 = -644.929, B0 = 36271.286
div -3, pos slope dac = 0x959B, neg slope dac = 0x94E1, avg = 38206.000
div -2, pos slope dac = 0x9315, neg slope dac = 0x925D, avg = 37561.000
div -1, pos slope dac = 0x9091, neg slope dac = 0x8FD9, avg = 36917.000
div 0, pos slope dac = 0x8E0B, neg slope dac = 0x8D4F, avg = 36269.000
div 1, pos slope dac = 0x8B89, neg slope dac = 0x8ACB, avg = 35626.000
div 2, pos slope dac = 0x8903, neg slope dac = 0x8847, avg = 34981.000
div 3, pos slope dac = 0x867F, neg slope dac = 0x85BF, avg = 34335.000
Trig 3 B1 = -645.143, B0 = 36270.714
Trig 1 - AC offset -47.285714
Trig 2 - AC offset -46.285714
Trig 1 - LF Rej offset -46.285714
Trig 2 - LF Rej offset -46.285714
Trig 1 - HF_Rej offset -1.285714
Trig 2 - HF_Rej offset -1.285714
Trig 1 - AC_HF_REJ offset -47.285714
Trig 2 - AC_HF_REJ offset -46.285714
**** CAL PASSED **** Time: 29 seconds
**** Trigger Hysteresis ****
Hyst dac = 12288, pos slope dac = 0x8E27, neg slope dac = 0x8D79, range = 174, div = 0.270 +
Hyst dac = 14336, pos slope dac = 0x8E49, neg slope dac = 0x8D5B, range = 238, div = 0.370 +
Hyst dac = 16384, pos slope dac = 0x8E67, neg slope dac = 0x8D39, range = 302, div = 0.469 +
Hyst dac = 18432, pos slope dac = 0x8E87, neg slope dac = 0x8D17, range = 368, div = 0.571 +
Hyst dac = 20480, pos slope dac = 0x8EA9, neg slope dac = 0x8CF9, range = 432, div = 0.671 +
Hyst dac = 22528, pos slope dac = 0x8ECB, neg slope dac = 0x8CD5, range = 502, div = 0.780 +
Hyst dac = 24576, pos slope dac = 0x8EED, neg slope dac = 0x8CB9, range = 564, div = 0.876 +
Hyst dac = 26624, pos slope dac = 0x8F0D, neg slope dac = 0x8C8F, range = 638, div = 0.991 +
Hyst dac = 28672, pos slope dac = 0x8F33, neg slope dac = 0x8C71, range = 706, div = 1.096 +
Hyst dac = 30720, pos slope dac = 0x8F57, neg slope dac = 0x8C4D, range = 778, div = 1.208 +
Hyst dac = 32768, pos slope dac = 0x8F7D, neg slope dac = 0x8C25, range = 856, div = 1.329 +
Hyst dac = 34816, pos slope dac = 0x8F9F, neg slope dac = 0x8BFF, range = 928, div = 1.441 +
Hyst dac = 36864, pos slope dac = 0x8FC7, neg slope dac = 0x8BD9, range = 1006, div = 1.562 +
Trig Hyst B1 = 19074.498, B0 = 7506.466
**** CAL PASSED **** Time: 13 seconds
**** External Trigger Level ****
/1 Trig B1 = 5303.000, B0 = 35846.000
/5 Trig B1 = 1071.000, B0 = 35846.000
/1 Trig 2 B1 = 17283.000, B0 = 28351.000
/5 Trig 2 B1 = 3492.000, B0 = 28351.000
**** CAL PASSED **** Time: 2 seconds
**** Wave Gen ****
[calibrator] = 0x3fb22 Q | -52958.38 Q/V
[0: DIV1 + DIV1 ] = 0x1e4f0 Q | 10141.20 Q/V | (calV=2.490125V) 33.965306 V
[1: DIV4 + DIV1 ] = 0x1f948 Q | 10141.60 Q/V | (calV=2.499812V) 8.412196 V
[2: DIV16 + DIV1 ] = 0x1fde1 Q | 10140.40 Q/V | (calV=0.640975V) 2.122063 V
[3: DIV64 + DIV1 ] = 0x1fec1 Q | 10141.20 Q/V | (calV=0.159956V) 0.547273 V
[4: DIV1 + DIV23] = 0x1e4f4 Q | 236185.00 Q/V | (calV=0.451354V) 1.447447 V
[5: DIV4 + DIV23] = 0x1f941 Q | 236197.50 Q/V | (calV=0.109916V) 0.361558 V
[6: DIV16 + DIV23] = 0x1fdd5 Q | 236200.00 Q/V | (calV=0.024963V) 0.090880 V
[7: DIV64 + DIV23] = 0x1feb7 Q | 236202.50 Q/V | (calV=0.006987V) 0.023434 V
[0: DIV1 + DIV1 ] = 33.677039 V (overwrite)
**** CAL PASSED **** Time: 62 seconds
**** Wavegen Trigger Level Offset ****
Wavegen Trig Offset = 0x8C11
**** CAL PASSED **** Time: 1 seconds
**** Baldwin Trig Time Qual ****
Set CalConfigScope range 1.000000E-005, delay -1.000000E-006
Top : 1.859297
Base : -29.497488
Vert Scale : 80.000000
Vert Offset: -14.748744
Trig Level : -14.748744
Horz Range : 1.000000e-007
Horz Delay : 1.500000e-008
CalConfigScope range 1.000000E-007, delay 1.500000E-008
--- Internal Timer ---
tVolt for Edge Trigger = 1.722706 ns
Zero Time = 1.722706 ns
*Int Osc Freq*
Oscillator Freq: 368.472722 MHz
Set CalConfigScope range 5.000000E-008, delay -5.000000E-009
CalConfigScope range 5.000000E-008, delay 1.000000E-008
*Int Find Min Time*
Zero Time Timer 0 : 1348.106337 ps
Zero Time Timer 1 : 1308.042235 ps
*Int Find Min Time*
Timer 0:
Dac 0 Time 1366.135183 ps
Dac 31 Time 2501.899775 ps
Dac 62 Time 3637.720940 ps
Dac 93 Time 4759.564671 ps
Dac 124 Time 5929.436465 ps
Fine Dac Gain 36.723443 ps/DacCode
Timer 1:
Dac 0 Time 1338.248459 ps
Dac 31 Time 2500.144721 ps
Dac 62 Time 3620.320828 ps
Dac 93 Time 4759.815071 ps
Dac 124 Time 5904.346321 ps
Fine Dac Gain 36.747955 ps/DacCode
*Int Fast Path*
Fast Dac Zero Time 951.735301 ps
Dac 0 Time 978.348057 ps
Dac 31 Time 1767.935959 ps
Dac 62 Time 2945.978723 ps
Dac 93 Time 4102.513389 ps
Dac 124 Time 5264.372363 ps
Fine Dac Gain 35.182665 ps/DacCode
--- Sync Timer ---
Set CalConfigScope range 5.000000E-007, delay -5.000000E-008
MClk Frequency = 200006501.105188
*Calibrating PdSel*
PdSel 0 : Min 62 Max 117
PdSel = 0
Min Fine Dac = 133
*Fine Dac*
Sync Timer minimum Time : 2.183431e-008
Dac 133 Val: -2.177687e-008
Dac 227 Val: -2.624178e-008
Dac 321 Val: -3.057086e-008
Dac 415 Val: -3.495388e-008
Dac 509 Val: -3.939129e-008
Fine Dac Gain: 2.139190e+010 DacCode/second
Fine Dac Gain: 46.746673 ps/DacCode
**** CAL PASSED **** Time: 2 seconds
**** Baldwin Setup and Hold ****
--- Vertical Settings ---
Set CalConfigScope range 1.000000E-005, delay -1.000000E-006
Top : 1.934667
Base : -29.422117
Vert Scale : 80.000000
Vert Offset: -14.711058
Trig Level : -14.711058
Horz Range : 1.000000e-007
Horz Delay : 1.500000e-008
CalConfigScope range 1.000000E-007, delay 1.500000E-008
*Clk Path*
Long Delay Dac 0 Time 1116.976351 ps
Long Delay Dac 31 Time -8571.428571 ps
Long Delay Dac 62 Time -18325.591216 ps
Long Delay Dac 93 Time -28122.970779 ps
Long Delay Dac 124 Time -37865.953947 ps
Zero Pt with long delay : 1149.686928 ps
Long Delay Gain : 314.572267 ps / daccode
Trombone Delay Gain : 73.889024 ps / daccode
*Data Path*
Min TVolt = -8437.500000ps
Max TVolt = -2187.500000ps
DataPath Offset = 1250.000000ps
ClockPath Offset = 3337.186928ps
**** CAL PASSED **** Time: 3 seconds
**** Baldwin Pattern Trig ****
**Pattern Delay Cal**
Set CalConfigScope range 1.000000E-005, delay -1.000000E-006
Top : 1.972417
Base : -29.384367
Vert Scale : 80.000000
Vert Offset: -14.692184
Trig Level : -14.692184
Horz Range : 1.000000e-007
Horz Delay : 1.500000e-008
CalConfigScope range 1.000000E-007, delay 1.500000E-008
Zero Time = 1.808594ns
DeltaT = 1 : Time Delta = 3.028106ns
DeltaT = 2 : Time Delta = 6.002006ns
DeltaT = 3 : Time Delta = 9.006373ns
DeltaT Gain : 2.999302ns/code
DelatT Offset: 0.010168ns
TBone = 1 : Time Delta = 0.100123ns
TBone = 9 : Time Delta = 0.716955ns
TBone = 17 : Time Delta = 1.277744ns
TBone = 25 : Time Delta = 1.859992ns
TBone = 33 : Time Delta = 2.466146ns
TBone = 41 : Time Delta = 3.054371ns
TBone = 49 : Time Delta = 3.621916ns
TBone = 57 : Time Delta = 4.172903ns
TBone Gain : 2.999302ns/code
TBone Offset: 0.010168ns
Compensation of 1.750000ns:
DeltaT: 0
Tbone : 23
**Xtrig Delay Cal**
Final Qual Delay Setting: 5
**** CAL PASSED **** Time: 1 seconds
######################## Channel 2 ########################
**** DC Gain ****
28400, 0.797058 : -25330.306767 , 48589.714286
28800, 0.781266 : -4127.377732 , 32024.581006
29200, 0.684352 : -4787.045015 , 32476.025918
29600, 0.600794 : -5321.493018 , 32797.118848
30000, 0.525627 : -6043.358806 , 33176.550784
30400, 0.459438 : -7115.254710 , 33669.020867
30800, 0.403221 : -7662.581995 , 33889.714780
31200, 0.351019 : -9293.089485 , 34462.054507
31600, 0.307977 : -10178.653695 , 34734.787600
32000, 0.268679 : -11665.272853 , 35134.210526
32400, 0.234389 : -13702.638900 , 35611.746522
32800, 0.205197 : -14875.180148 , 35852.348993
33200, 0.178307 : -18279.602821 , 36459.381443
33600, 0.156425 : -20287.431049 , 36773.455378
34000, 0.136708 : -22732.326586 , 37107.692308
34400, 0.119112 : -26947.134858 , 37609.726444
34800, 0.104268 : -28415.408232 , 37762.820513
35200, 0.090191 : -36634.741192 , 38504.132231
35600, 0.079273 : -39935.168326 , 38765.765766
36000, 0.069256 : -43246.865212 , 38995.121951
36400, 0.060007 : -57945.146199 , 39877.124183
36800, 0.053104 : -277050.230264, 51512.500000
37200, 0.051660 : 0.000000 , 0.000000
Reference range = 0.459V
Coarse gain ratio
0.1x = 0.357 (1.287V)
0.4x = 1.000 (0.459V)
0.8x = 2.824 (0.163V)
2.0x = 7.791 (0.059V)
Gain# MIN MAX %OL
0 0.006631 0.102303
1 0.018294 0.282254
2 0.051660 0.797058
3 0.144698 2.232513
4 0.299557 4.621817
5 0.826476 12.751548
6 2.333889 36.009154
7 6.537089 100.859579
ADC half speed gain ratio = 0.990 (0.464V)
**** CAL PASSED **** Time: 15 seconds
**** Offset Error ****
AC Coupling
Gain# 0 [29409 (0.006631V) - 37419 (0.080000V), 45pts]
Gain# 1 [29544 (0.080000V) - 32559 (0.216000V), 45pts]
Gain# 2 [29465 (0.216000V) - 32705 (0.624000V), 45pts]
Gain# 3 [29733 (0.624000V) - 32613 (1.600000V), 45pts]
Gain# 4 [29547 (1.600000V) - 31977 (3.520000V), 45pts]
Gain# 5 [29585 (3.520000V) - 32645 (9.600000V), 45pts]
Gain# 6 [29476 (9.600000V) - 32761 (28.000000V), 45pts]
Gain# 7 [29400 (28.000000V) - 32640 (80.500000V), 45pts]
DC Coupling
Gain# 0 [29409 (0.006631V) - 37419 (0.080000V), 45pts]
Gain# 4 [29547 (1.600000V) - 31977 (3.520000V), 45pts]
AC Coupling
Gain# 0 [29409 (0.006631V) - 37419 (0.080000V), 45pts]
Gain# 1 [29544 (0.080000V) - 32559 (0.216000V), 45pts]
Gain# 2 [29465 (0.216000V) - 32705 (0.624000V), 45pts]
Gain# 3 [29733 (0.624000V) - 32613 (1.600000V), 45pts]
Gain# 4 [29547 (1.600000V) - 31977 (3.520000V), 45pts]
Gain# 5 [29585 (3.520000V) - 32645 (9.600000V), 45pts]
Gain# 6 [29476 (9.600000V) - 32761 (28.000000V), 45pts]
Gain# 7 [29400 (28.000000V) - 32640 (80.500000V), 45pts]
DC Coupling
Gain# 0 [29409 (0.006631V) - 37419 (0.080000V), 45pts]
Gain# 4 [29547 (1.600000V) - 31977 (3.520000V), 45pts]
0 retry out of 920 offset searched
**** CAL PASSED **** Time: 21 seconds
**** Trigger Level ****
div -3, pos slope dac = 0x959B, neg slope dac = 0x94D1, avg = 38198.000
div -2, pos slope dac = 0x9315, neg slope dac = 0x924B, avg = 37552.000
div -1, pos slope dac = 0x9093, neg slope dac = 0x8FC9, avg = 36910.000
div 0, pos slope dac = 0x8E0F, neg slope dac = 0x8D47, avg = 36267.000
div 1, pos slope dac = 0x8B8D, neg slope dac = 0x8ABF, avg = 35622.000
div 2, pos slope dac = 0x890B, neg slope dac = 0x883F, avg = 34981.000
div 3, pos slope dac = 0x8683, neg slope dac = 0x85BB, avg = 34335.000
Trig 1 B1 = -643.536, B0 = 36266.429
div -3, pos slope dac = 0x9573, neg slope dac = 0x94B3, avg = 38163.000
div -2, pos slope dac = 0x92F1, neg slope dac = 0x922F, avg = 37520.000
div -1, pos slope dac = 0x906D, neg slope dac = 0x8FA9, avg = 36875.000
div 0, pos slope dac = 0x8DE3, neg slope dac = 0x8D25, avg = 36228.000
div 1, pos slope dac = 0x8B63, neg slope dac = 0x8AA1, avg = 35586.000
div 2, pos slope dac = 0x88DD, neg slope dac = 0x881D, avg = 34941.000
div 3, pos slope dac = 0x8659, neg slope dac = 0x8597, avg = 34296.000
Trig 2 B1 = -644.571, B0 = 36229.857
div -3, pos slope dac = 0x95F1, neg slope dac = 0x9539, avg = 38293.000
div -2, pos slope dac = 0x936D, neg slope dac = 0x92B7, avg = 37650.000
div -1, pos slope dac = 0x90E9, neg slope dac = 0x902B, avg = 37002.000
div 0, pos slope dac = 0x8E5F, neg slope dac = 0x8DA3, avg = 36353.000
div 1, pos slope dac = 0x8BD7, neg slope dac = 0x8B1F, avg = 35707.000
div 2, pos slope dac = 0x8951, neg slope dac = 0x8897, avg = 35060.000
div 3, pos slope dac = 0x86CD, neg slope dac = 0x8611, avg = 34415.000
Trig 3 B1 = -646.750, B0 = 36354.286
Trig 1 - AC offset -5.428571
Trig 2 - AC offset -5.857143
Trig 1 - LF Rej offset -5.428571
Trig 2 - LF Rej offset -3.857143
Trig 1 - HF_Rej offset -3.428571
Trig 2 - HF_Rej offset -1.857143
Trig 1 - AC_HF_REJ offset -5.428571
Trig 2 - AC_HF_REJ offset -3.857143
**** CAL PASSED **** Time: 29 seconds
**** Trigger Hysteresis ****
Hyst dac = 12288, pos slope dac = 0x8E01, neg slope dac = 0x8D51, range = 176, div = 0.273 +
Hyst dac = 14336, pos slope dac = 0x8E21, neg slope dac = 0x8D2F, range = 242, div = 0.376 +
Hyst dac = 16384, pos slope dac = 0x8E3F, neg slope dac = 0x8D11, range = 302, div = 0.469 +
Hyst dac = 18432, pos slope dac = 0x8E61, neg slope dac = 0x8CF1, range = 368, div = 0.572 +
Hyst dac = 20480, pos slope dac = 0x8E7F, neg slope dac = 0x8CCD, range = 434, div = 0.674 +
Hyst dac = 22528, pos slope dac = 0x8EA1, neg slope dac = 0x8CAF, range = 498, div = 0.774 +
Hyst dac = 24576, pos slope dac = 0x8EC5, neg slope dac = 0x8C89, range = 572, div = 0.889 +
Hyst dac = 26624, pos slope dac = 0x8EE7, neg slope dac = 0x8C69, range = 638, div = 0.991 +
Hyst dac = 28672, pos slope dac = 0x8F0B, neg slope dac = 0x8C47, range = 708, div = 1.100 +
Hyst dac = 30720, pos slope dac = 0x8F2F, neg slope dac = 0x8C21, range = 782, div = 1.215 +
Hyst dac = 32768, pos slope dac = 0x8F51, neg slope dac = 0x8BFF, range = 850, div = 1.321 +
Hyst dac = 34816, pos slope dac = 0x8F79, neg slope dac = 0x8BD9, range = 928, div = 1.442 +
Hyst dac = 36864, pos slope dac = 0x8FA1, neg slope dac = 0x8BB3, range = 1006, div = 1.563 +
Trig Hyst B1 = 19122.640, B0 = 7423.609
Hyst dac = 12288, pos slope dac = 0x8E51, neg slope dac = 0x8DAD, range = 164, div = 0.254 +
Hyst dac = 14336, pos slope dac = 0x8E71, neg slope dac = 0x8D93, range = 222, div = 0.343 +
Hyst dac = 16384, pos slope dac = 0x8E8D, neg slope dac = 0x8D75, range = 280, div = 0.433 +
Hyst dac = 18432, pos slope dac = 0x8EAD, neg slope dac = 0x8D57, range = 342, div = 0.529 +
Hyst dac = 20480, pos slope dac = 0x8ECD, neg slope dac = 0x8D2F, range = 414, div = 0.640 +
Hyst dac = 22528, pos slope dac = 0x8EF1, neg slope dac = 0x8D13, range = 478, div = 0.739 +
Hyst dac = 24576, pos slope dac = 0x8F15, neg slope dac = 0x8CF5, range = 544, div = 0.841 +
Hyst dac = 26624, pos slope dac = 0x8F33, neg slope dac = 0x8CCB, range = 616, div = 0.952 +
Hyst dac = 28672, pos slope dac = 0x8F57, neg slope dac = 0x8CA7, range = 688, div = 1.064 +
Hyst dac = 30720, pos slope dac = 0x8F79, neg slope dac = 0x8C87, range = 754, div = 1.166 +
Hyst dac = 32768, pos slope dac = 0x8F9F, neg slope dac = 0x8C65, range = 826, div = 1.277 +
Hyst dac = 34816, pos slope dac = 0x8FBF, neg slope dac = 0x8C3F, range = 896, div = 1.385 +
Hyst dac = 36864, pos slope dac = 0x8FE9, neg slope dac = 0x8C19, range = 976, div = 1.509 +
Trig Hyst (2) B1 = 19258.151, B0 = 7693.144
**** CAL PASSED **** Time: 26 seconds
**** Channel Delays ****
--- Vertical Settings ---
Top : 0.251256
Base : -29.497488
Final Scale : 80.000000
Final Offset (POS_SLOPE): -14.748744
Final Offset (NEG_SLOPE): -14.748744
edge trigger delay factors
iteration: 0
analog trigger channel : 1
pos polarity path delay adjustment (Sec) : 1.76809211e-009
pos edge, bi edge delay factor (312.5e-15 Sec counts): -3342
neg edge delay factor (312.5e-15 Sec counts): -3342
analog trigger channel : 2
pos polarity path delay adjustment (Sec) : 1.00390625e-009
pos edge, bi edge delay factor (312.5e-15 Sec counts): -5787
neg edge delay factor (312.5e-15 Sec counts): -5787
analog trigger channel : 2
pos polarity path delay adjustment (Sec) : 6.2099359e-010
Chan2 TC2 pos edge, bi edge delay factor (312.5e-15 Sec counts): -9513
Chan2 TC2 neg edge delay factor (312.5e-15 Sec counts): -9513
external trigger channel
pos edge, bi edge delay factor (312.5e-15 Sec counts): -595
neg edge delay factor (312.5e-15 Sec counts): -595
iteration: 1
analog trigger channel : 1
pos polarity path delay adjustment (Sec) : -6.16776316e-012
pos edge, bi edge delay factor (312.5e-15 Sec counts): -3361
neg edge delay factor (312.5e-15 Sec counts): -3361
analog trigger channel : 2
pos polarity path delay adjustment (Sec) : -1.6025641e-011
pos edge, bi edge delay factor (312.5e-15 Sec counts): -5837
neg edge delay factor (312.5e-15 Sec counts): -5837
analog trigger channel : 2
pos polarity path delay adjustment (Sec) : 2.00320513e-012
Chan2 TC2 pos edge, bi edge delay factor (312.5e-15 Sec counts): -9507
Chan2 TC2 neg edge delay factor (312.5e-15 Sec counts): -9507
external trigger channel
pos edge, bi edge delay factor (312.5e-15 Sec counts): -630
neg edge delay factor (312.5e-15 Sec counts): -630
timeout trigger delay factors
iteration: 0
analog trigger channel : 1
pos polarity path delay adjustment (Sec) : 3.03285256e-009
pos edge, bi edge delay factor (312.5e-15 Sec counts): -2495
neg edge delay factor (312.5e-15 Sec counts): -2495
analog trigger channel : 2
pos polarity path delay adjustment (Sec) : 8.05288462e-010
pos edge, bi edge delay factor (312.5e-15 Sec counts): -9623
neg edge delay factor (312.5e-15 Sec counts): -9623
external trigger channel
pos edge, bi edge delay factor (312.5e-15 Sec counts): -6058
neg edge delay factor (312.5e-15 Sec counts): -6058
iteration: 1
analog trigger channel : 1
pos polarity path delay adjustment (Sec) : 0
pos edge, bi edge delay factor (312.5e-15 Sec counts): -2495
neg edge delay factor (312.5e-15 Sec counts): -2495
analog trigger channel : 2
pos polarity path delay adjustment (Sec) : -2.00320513e-012
pos edge, bi edge delay factor (312.5e-15 Sec counts): -9628
neg edge delay factor (312.5e-15 Sec counts): -9628
external trigger channel
pos edge, bi edge delay factor (312.5e-15 Sec counts): -6061
neg edge delay factor (312.5e-15 Sec counts): -6061
setup & hold trigger delay factors
iteration: 0
S&H Delay, pos slope (Sec): 1.15748355e-009
S&H Delay, pos slope factor (312.5e-15 Sec counts): -4796
S&H Delay, neg slope factor (312.5e-15 Sec counts): -4796
iteration: 1
S&H Delay, pos slope (Sec): 2.00320513e-012
S&H Delay, pos slope factor (312.5e-15 Sec counts): -4790
S&H Delay, neg slope factor (312.5e-15 Sec counts): -4790
multi-channel delay factors
iteration: 0
Ch 1 Pattern Delay, pos slope (Sec): 1.07524671e-009
(chan1PattDly[POS_SLOPE]) Ch 1 Pattern Delay, pos slope factor (312.5e-15 Sec counts): -2959
(chan1PattDly[NEG_SLOPE]) Ch 1 Pattern Delay, neg slope factor (312.5e-15 Sec counts): -2959
Ch 1 Pattern Delay, mixed, pos slope delay (Sec): 1.19391026e-009
(chan1PattDlyMixed[POS_SLOPE]) Ch 1 Pattern Delay, mixed, pos slope factor (312.5e-15 Sec counts): -8179
(chan1PattDlyMixed[NEG_SLOPE]) Ch 1 Pattern Delay, mixed, neg slope factor (312.5e-15 Sec counts): -8179
Ch 1 State Delay, pos slope (Sec): 1.06570513e-009
(chan1StateDly[POS_SLOPE]) Ch 1 State Delay, pos slope factor (312.5e-15 Sec counts): -2890
(chan1StateDly[NEG_SLOPE]) Ch 1 State Delay, neg slope factor (312.5e-15 Sec counts): -2890
Ch 1 Timer Delay, mixed, pos slope (Sec): 1.328125e-009
(chan1TimerDlyMixed[POS_SLOPE]) Ch 1 Timer Delay, mixed, pos slope factor (312.5e-15 Sec counts): -10750
(chan1TimerDlyMixed[NEG_SLOPE]) Ch 1 Timer Delay, mixed, neg slope factor (312.5e-15 Sec counts): -10750
iteration: 1
Ch 1 Pattern Delay, pos slope (Sec): -4.00641026e-012
(chan1PattDly[POS_SLOPE]) Ch 1 Pattern Delay, pos slope factor (312.5e-15 Sec counts): -2971
(chan1PattDly[NEG_SLOPE]) Ch 1 Pattern Delay, neg slope factor (312.5e-15 Sec counts): -2971
Ch 1 Pattern Delay, mixed, pos slope delay (Sec): 2.00320513e-012
(chan1PattDlyMixed[POS_SLOPE]) Ch 1 Pattern Delay, mixed, pos slope factor (312.5e-15 Sec counts): -8173
(chan1PattDlyMixed[NEG_SLOPE]) Ch 1 Pattern Delay, mixed, neg slope factor (312.5e-15 Sec counts): -8173
Ch 1 State Delay, pos slope (Sec): 4.00641026e-012
(chan1StateDly[POS_SLOPE]) Ch 1 State Delay, pos slope factor (312.5e-15 Sec counts): -2877
(chan1StateDly[NEG_SLOPE]) Ch 1 State Delay, neg slope factor (312.5e-15 Sec counts): -2877
Ch 1 Timer Delay, mixed, pos slope (Sec): -4.11184211e-012
(chan1TimerDlyMixed[POS_SLOPE]) Ch 1 Timer Delay, mixed, pos slope factor (312.5e-15 Sec counts): -10762
(chan1TimerDlyMixed[NEG_SLOPE]) Ch 1 Timer Delay, mixed, neg slope factor (312.5e-15 Sec counts): -10762
**** CAL PASSED **** Time: 4 seconds
**** Analog Channel Skews ****
--- Vertical Settings ---
Top : 0.251256
Base : -29.497488
Final Scale : 80.000000
Final Offset (POS_SLOPE): -14.748744
Final Offset (NEG_SLOPE): -14.748744
skew for channel: 2
adjustment (Sec) =: -3.4375e-010
2Gsa/s factor in 312.5e-15 Sec counts: -1099
skew for channel: 2
adjustment (Sec) =: 4.00641026e-012
2Gsa/s factor in 312.5e-15 Sec counts: -1086
skew for channel: 1
adjustment (Sec) =: -1.30208333e-010
1GSa/s factor in 312.5e-15 Sec counts: -416
skew for channel: 2
adjustment (Sec) =: -9.7265625e-010
1GSa/s factor in 312.5e-15 Sec counts: -3111
skew for channel: 1
adjustment (Sec) =: -1.32211538e-010
1GSa/s factor in 312.5e-15 Sec counts: -838
skew for channel: 2
adjustment (Sec) =: -1.328125e-010
1GSa/s factor in 312.5e-15 Sec counts: -3535
**** CAL PASSED **** Time: 1 seconds
-----< Memory Status >-----
Memory Load 50% -> 53%: 3%
Physical Used (MB) 36.496 -> 38.297: 1.801
Total Calibration Time: 361
Lowest Frame Temp : 19.750000
Highest Frame Temp: 20.750000
Update Cal Header
Factory Cal Mode
Revision : 2
Cal Mode : Factory
Cal Satus : CAL_OK
Firmware Ver : 01.00.2016091301
Cal Temp : 18.750000 C
Cal Date : Tue Sep 27 16:54:25 2016
Cal Duration : 410s
Service Cal Mode
Revision : 1
Cal Mode : Service
Cal Satus : CAL_OK
Firmware Ver : 01.00.2016091301
Cal Temp : 19.500000 C
Cal Date : Tue Sep 27 16:54:24 2016
Cal Duration : 410s
User Cal Mode
Revision : 8
Cal Mode : User
Cal Satus : CAL_OK
Firmware Ver : 01.01.2016092800
Cal Temp : 20.250000 C
Cal Date : Tue Mar 14 20:43:37 2017
Cal Duration : 361s
**********************************
Calibration PASSED
Board: 0
Inst: CN56396387
Date: Tue Mar 14 20:43:38 2017
Duration: 6.0 minutes
Inst Temp: 20.3 degrees C
**********************************
Hardware selftest does this
** self test: PASSED : DDR Mem Bus
** self test: PASSED : Acquisition Memory
** self test: PASSED : ADC
** self test: PASSED : MegaZoom SIPO
** self test: PASSED : TrigComp & Mux
** self test: PASSED : FirmwareStatus
-
What happens if you use one of the config codes that almost works, but not quite, and then run a self cal?
-
What happens if you use one of the config codes that almost works, but not quite, and then run a self cal?
03 is the only code that gives 200MHz and apparently plausible operation, but it does have problems.
DC offsets on some Y ranges - difefrent between channels - possibly calibration related?
Enabling serial bus decode prevents Ch2 trigger working ( possibly offset related) .
I tried a user cal and it thought there were still signals connected.
-
Also, keep in mind that the few bugs (including the clock jitter) in the Rigol DS scopes were not discovered until long after they had been introduced and used quite happily by many customers. Who knows what bugs are waiting to be discovered in the new Keysight scopes?.
Except that most of the software and hardware has been proven over many years (SPI decode issue notwithstanding!) in the 2/3000, and you can expect updates from Keysight, whereas updates from Chinese manufacturers have been slow or nonexistent.
Really ? :-//
So what are these 8 pages full of on the Siglent website ?
http://siglentamerica.com/support_software_15 (http://siglentamerica.com/support_software_15)
I can tell you for real, they're not all bug fixes, there's been a good # that have included UI mods and improvements that have been put forward by forum members. :clap:
The fastest that I'm aware of was a member's suggestion that was included in new FW within 2 weeks. :P
-
Also, keep in mind that the few bugs (including the clock jitter) in the Rigol DS scopes were not discovered until long after they had been introduced and used quite happily by many customers. Who knows what bugs are waiting to be discovered in the new Keysight scopes?.
Except that most of the software and hardware has been proven over many years (SPI decode issue notwithstanding!) in the 2/3000, and you can expect updates from Keysight, whereas updates from Chinese manufacturers have been slow or nonexistent.
Really ? :-//
So what are these 8 pages full of on the Siglent website ?
http://siglentamerica.com/support_software_15 (http://siglentamerica.com/support_software_15)
I can tell you for real, they're not all bug fixes, there's been a good # that have included UI mods and improvements that have been put forward by forum members. :clap:
The fastest that I'm aware of was a member's suggestion that was included in new FW within 2 weeks. :P
Wasn't aware of that - seems some Chinese manufacturers are paying more attention to software - about time!
-
Hi Mike!
You may have said this but I missed it, could you please tell me which scope are you playing with?The 70MHz with signal gen?How much memory is enabled per channnel with the "03" hack?
And when you say
"Enabling serial bus decode prevents Ch2 trigger working ( possibly offset related) ."
I understand you have the ability to decode i2c spi rs232? Is this a software option you paid for?Is there a chance this could be enabled in hardware, I mean, can you buy the scope with the option already enabled without the need to make a software update or enter a licence key?
To begin to consider beeing interested in this scope,I would like to see this enabled at the lower prices...(which are already on the high side for my budget anyway, but who knows)
By the way, I look at your stuff from times to time since a few years and I love them!
Cheers from a french tech working for a french mid-sized ems in Brittany, testing and repairing boards (and sometimes psu) for a living! :)
-
Wasn't aware of that - seems some Chinese manufacturers are paying more attention to software - about time!
I'm old enough [sigh] to remember how the first Japanese cars were laughed at when they arrived in North America in the 60's. Nobody's laughing now... but many more of us are driving nice cars! That seems a lot like what is happening in the scope market now.
-
Mine is 1102g with 100Mhz and all options
-
Wasn't aware of that - seems some Chinese manufacturers are paying more attention to software - about time!
I'm old enough [sigh] to remember how the first Japanese cars were laughed at when they arrived in North America in the 60's. Nobody's laughing now... but many more of us are driving nice cars! That seems a lot like what is happening in the scope market now.
i know a guy who have to deal with chinese made cars, he doesn't want to laugh, at all. quite the opposite
(note the difference)
-
OK folks bad news.
I've run through all the codes on the two links Dave played with.
12-18,28-88 and 04 give clock errors.
Some codes show offsets on the Y traces, and also time offsets between trigger event and trigger point on screen.
03 is the only code that gives 200MHz and apparently plausible operation, but it does have problems.
In no way are we leaking info for or sponsoring a Keysight hackathon scenario.
But :popcorn:
(http://i67.tinypic.com/ielc7m.gif)
Hmm, what does Daniel know? He seemed so impressed Dave hacked it to 200MHz that quickly. ;)
-
Also, keep in mind that the few bugs (including the clock jitter) in the Rigol DS scopes were not discovered until long after they had been introduced and used quite happily by many customers. Who knows what bugs are waiting to be discovered in the new Keysight scopes?.
Except that most of the software and hardware has been proven over many years (SPI decode issue notwithstanding!) in the 2/3000, and you can expect updates from Keysight, whereas updates from Chinese manufacturers have been slow or nonexistent.
Granted that the Agilent 2000/3000 don't have many bugs, but Keysight is no angel either when it comes to updates. For example, they haven't put out an update for X2000A/X3000A scopes for 1.5 years (latest = 2.41, 2015-11-02). I don't think that should be interpreted as the firmware reaching perfection.
I'd like to be proven wrong, but it seems once they've turned their attention to the latest and greatest, it's a slim chance any new features or bug fixes will trickle down to the older models (even though they're still being sold).
-
1 GHz is significantly higher than 100 MHz. In general, you can get to a 200 MHz with fairly standard off-the-shelf components. But, pushing beyond that starts to require more custom work.
Somewhere on this thread people are doing hardware hacks to change their 3000 X-Series scopes, but it looks pretty hands-on and is definitely not recommended.
I'll also reiterate again that neither I, nor anyone else in Keysight, gave info to Dave about board IDs, hacking, etc.
Also, LP stands for "Lab Prototype" :-/O
Hi Daniel, seems that R&S really wanted to upstage to. I was about to buy a 3000X because i wanted a bit more bandwidth than these 1000'x offfered.. Their new scope they are offering for $2000 or so changed the landscape a bit.. What do you have that matches those features at that price point.
-
I've got a brand new EDUX1002G here - when I have the courage to void the warranty, I'll open it up and see what we have in comparison to the other models. If I've read this thread right, no-one has categorically proven that the base model can be hacked up to 70/100/200MHz, or the serial functions can be hack-enabled, right?
-
If I've read this thread right, no-one has categorically proven that the base model can be hacked up to 70/100/200MHz, or the serial functions can be hack-enabled, right?
I would go further than that. If I have read the thread right (especially Mike's posts, describing his systematic analysis of the various resistor settings using his neat BCD encoder), nobody has shown that any of the models can be hacked to higher bandwidth without unwanted side effects. Right?
-
If I've read this thread right, no-one has categorically proven that the base model can be hacked up to 70/100/200MHz, or the serial functions can be hack-enabled, right?
I would go further than that. If I have read the thread right (especially Mike's posts, describing his systematic analysis of the various resistor settings using his neat BCD encoder), nobody has shown that any of the models can be hacked to higher bandwidth without unwanted side effects. Right?
Correct, but there is a lot of ID space still to explore.
Despite the issues, info from an EDU would be very useful, in particular the boot text to see the ID settings, and trying ID03 to see what effect licensing differences have on behaviour.
-
Yeah, I'm not particularly greedy to be honest, an upgrade to 70MHz is still a nice freebie - but the serial decode functions are more likely to be of use to me than bandwidth and samples. I need to have a root around for something to do the serial I/O, I think I have an old Atmel dev board I could use with a quick bit of coding... leave it with me but don't expect "fast response" here ;) :D
EDIT: Ahhh, who am I kidding, I can't wait to rip it apaaaaart (in best Dave voice!). Here's some high res pics but, from what I can make out with my admittedly-somewhat-crippled eyes, this looks absolutely identical to the innards of Dave's top of the line scope (EDIT: It's not; there are differences at the top area of the front ends, just where it is exposed above the shielding, and on the external trigger :( ). For clarity, it's an EDUX1002G. Apologies for the size, I figured you guys would want to see the detail - and I can't see a "spoiler" tag/feature to wrap it with...
(https://lh3.googleusercontent.com/BWsSOcmtQ7QwOnkr3jLkskMfoTqS1YvAAILrSPxyJ5VvFhxyW9Mh6KAvsQ7z_d4Z8CJHfOkiUwD5FyYG5EXJzOt6Ny-QKxeGaKLFzLwt8dbFwDC2yzsaabxqp8NAf6QZzjBrXkiII5GP-6RLjoFfEys2TQMXouKRB8D92kK1YA0c2KlWeBwPVadIT_PrWWIszjvfVApD3XkOONSlKT-updpwJtbFXQI6BHnvC14Ym-DQ8hp-hIjWC15Mz9h2Wd7JNPe50Rz81PVFT-q72ArFib1eD0LJF07RYu2j-6hAPZ7AVVlAHGw9atSC6aYO91yljlF_kUeK-zyDZ2YJPaggo6EwqJwvhf6ZbLqFzju-LHRcCREwyOhbYs4YuD0EyS46BHryFNz-B32JZlY56CH7iqgWjsWc8wRojCXs4T4SeeTfikosp-fD7JK2EMjxUN4u2srxfesAnYXu_Aq16wg5RyLht448NOFZMi6O3SiFCK3v4ls188oby-tMsTQYEe5ajHJoGsblU2yJWAWp_TY_yeFm5dfC9PGItSxuRw92441OqQM0Z3_fkHZr6_zy6xtXTVVMMyUTpybQUpEN6yY5dL5vHgVAu2J8dj2wTlcIvQklwxzaBicv=w1383-h922-no-tmp.jpg) (https://photos.google.com/album/AF1QipMfTrc20x751C2HAK29ClorrERhxSjPFWGapIFh/photo/AF1QipPPOuFtoNwYDk25blIXCGiufuuIxowHetavlRnf?key=COzw8JaLjsSc3wE)
(https://lh3.googleusercontent.com/79zjiP5EExHLEkEJjJg3Ug13cIp1we_62kCMaMwIoR2CuNcsS4eIMbxFMkL6IpjasUbyAPJAiaugJBeob6IstYd3yT6SRhd_uZZ4BS31OHi7PLVJ0RUqq4J5LQZud1ETjPI2RCgHpdLrkuyPgbWRgpkZcrge0qVumPjSmVcWtnRwYI5nKngb3kaOwG9ZcbmnAAc__pPKE4hwKTdNtK0WB7yAD2zhjMp73ztjjogil2728e2oROX8wyuoX87mPI-HCVwja0gCpGUn8y79ICx_Au-xKkpDxP0xXKIg6O-iy2-1XA-sbQtixhc8yiCMONbvUVVZ4zLfU9n0DTFdPUVB7neVeyZA-oQaB0FshuN0yb06q655x2Z3V8xz0mzXF5gtkqcrbqhXDVgTUh6Z77k8km7cfaszq4d55_SnpAtZNhpsHh_SoZU4QQf-o2t-lGSIedQOgccJoG8YRg-e_dTCRpscRs2-EYZH8AberW6EkJfrmacVkTXC4C6xhekiQDTA1Eqguh3giYoYMzLMUpWIYxn2qjVNZv-v4dJPTUsOgQODHGS9OJnxrYbobca7NAZ3hPNOtmO9GbHYrtpqwz4HvubPDuBg3DDjGsxoahRWfhr_XZHwJSzN=w1383-h922-no-tmp.jpg) (https://photos.google.com/album/AF1QipMfTrc20x751C2HAK29ClorrERhxSjPFWGapIFh/photo/AF1QipN3BAewJN8rahZ29gRqGlONvYhFg9AFdYPmTXSW)
(https://lh3.googleusercontent.com/RUTfbtB_mZbx0VgpN4elmS9616Y2ad1jP3HhRX_089h9LqhctLtd8jWySirYIxaH7bbksqXtg4V7U8Yl4Kw6DKnR3P49DjtS993lkgZXwjOve1DjcNbxw4ziNYYmGPrvs2c19QQHFCQv8OF87RIT0y7rw_aieCbdoWA0aEqzr2H7P2kvRpqpMBj0P3s8CE5qcKw617zV3LzvulXyAQLcbva31bBsCOP8wdIfQ4IQTQ3hizSHIhqY7HT80gle1Cj8LT2HRQsbh3t_JYZAqQeMP_apV71knMVqZ-kF-Q0OvJdnzjKC75IYbWj7bpP_79Q1CjfRDfFnrCFtBnNMdnSGA311-xIIw9sNdHi3qs4FbXIEcW6orqNesbuSTkyKtnyB_axaK71QNXDBOW6uHJFHn1X7d8bicBli16vuY1Fs2pjq1j3eSC1Pzfuge0v9_fEScKkQ0FvljUsnAE2rNsW3gC-NDa2MWIQpEIWY0zELFIrMl4KJiqzruQ6jbGDwkgQA7BPngS51YvdN6dxzeVfUxsDE3JTqzml2twJH0_RSGQYg15Mq5VX1rEjOu54HUohZGGLwiirvucxheG9RLSWz0U0FeY7GsNTMC9yXuBmzf1vmR00Ubzt-=w1383-h922-no-tmp.jpg) (https://photos.google.com/album/AF1QipMfTrc20x751C2HAK29ClorrERhxSjPFWGapIFh/photo/AF1QipNUijDPaPaW93q4z-yX9JrJL9-dz8dn-FmHW_Ef)
(https://lh3.googleusercontent.com/qZISFZcfBT3eAZFoMRFoVw0-qqQziicNO4jc2WAlhl88UmwJJD0WS9iGCmeXlmfklGE-ZcyQtUxjY9cBSl7DFT3FuhLZeuPIugJsjRUgclzpL_KIGgrT8iM0HYaqCUb_J7S3H4gRNpy6sAywHZjos-fg-pa5B6id_FHwPG6qOZCrNvINcG-jfT8ClKTgcW3NMfekIN6VjJEQQ6zE6OBisJDbL7G6hBx2Zro2P4Ejtdmrr2FN1v_jyXBgSZmeMwfj0_IMRGTqNvlU8nDn35fp2qwaPZZ99kjpH2yul2UWTuRWhY3Dab8DOkWpa4aQuKoMjebWl5u03Y0GsZjkLLDreKFiK94v01JD5iUr2ZVYt8ebx1TUcjPXW-283coCw0lN6BDRcNbpc8NX1RLoTsRQBNMuZsBRxQrCUvDRxmQCOV_fpW45zcCXS0cVMSyvLQM_roYNeTcAsVSBsM3xosKIz-csgd4pAa-OdwyFm8qnRRTr8XL3JnyFIir3dieWGEueUB8JC2Bz118_tiaCvvZzrp63mzwIkcXoBYcCf82ZEz7c2QIcNAcu4tPkD7Jj7Ls4hvPRri6gb7cl3XUPjrxU7jUWEoRQVQlh0oKh6GxZjL1LGMafdDFG=w1383-h922-no-tmp.jpg) (https://photos.google.com/album/AF1QipMfTrc20x751C2HAK29ClorrERhxSjPFWGapIFh/photo/AF1QipPh4zI2WSXkTH-f83FUibVRZEdlk8lJTnseHxTt)
(https://lh3.googleusercontent.com/oMsHwb5I2J54pLX2svGR3vcJ9cgCR4cC03VQ49gM2WgbEn2DpOfDaYYGV7TDOQ49fY2NvjE9e8ffqrShPeLWDXtcosHNunVnUkYaBSLAGaPWBR8PHTfD7x-G93FiIIZ0-4shlPtL6J1wUYjQL_22u_Xz8L4Bpb5U1wfX6CIZbXRlHK4rg28z2K4OVYa8on8FwaW67ActCp-YWdaRX59jytB0UWMrvGWDh4iOhl4MEPyr2SEcMfq9-gRez5H9R_DBPezcBMg4OVEdQBLnom_FcTS68Uz5nLxY3iYbVCOYrKztm4-EKZR1MascN4pdowI7yGj5PHauGGNkpD9WwET-6T375phP_3VbMH6PG6weC-femXscVReIbMzFRxeoykEQBxAJnhJHyD1-xid4alLnfZt6FxEfmikfZUGw1UBUSB_mRys-JId_HrwfFicXTz8KMS4ddwzdYHRCSrSZowbF0RPNzniMZCAbj-B8luDdnRyqu307M1jiXoGmLBLFCt3emJzQ2IJv9b0QkbmGER-
UAP4-maccoB_upnlQgwdJcA9BJYN2uoF5p9E0ita1E2RwgZDTfSdQGJugT_NmKFkeGCLcWrpJHACcYVESd39l4DXhzepe8083=w1383-h922-no-tmp.jpg) (https://photos.google.com/album/AF1QipMfTrc20x751C2HAK29ClorrERhxSjPFWGapIFh/photo/AF1QipM38MjIXQbVx66Uoih7NjEe06hw8gSBuA2exeGA)
-
Interesting that it looks as if the input stage shields were intended at one stage to cover the differential driver stage (if that's what it is) as well. More value engineering?
-
Interesting that it looks as if the input stage shields were intended at one stage to cover the differential driver stage (if that's what it is) as well. More value engineering?
Probably just a precaution - easier to design in and not fit than vice versa
I wouldn't expect any HW difference between DSOX and EDUX as all differences are in options.
Probably not even any difference in option links, but worth looking to check though - a few are under the sub-PCB
-
Aye, just for completeness, the underside of the processor board looks no different - obviously I expect/hope the resistor values are different, but probing will have to wait to another time... day job and all that :)
(http://www.brumster.com/pics/EDUX1002G_006.jpg)
-
Aye, just for completeness, the underside of the processor board looks no different - obviously I expect/hope the resistor values are different, but probing will have to wait to another time... day job and all that :)
(http://www.brumster.com/pics/EDUX1002G_006.jpg)
I meant on the main PCB, under the sub-board
-
Sorry, apologies! Leave it with me ;)
EDIT: Ok, yep, they're on there in same positions.... link (http://www.brumster.com/pics/EDUX1002G_007.jpg) and link (http://www.brumster.com/pics/EDUX1002G_008.jpg).
Different values to the ones in Dave's video, obviously. The top 2 are 12k, the bottom two are 4.64K on mine, whereas the 100MHz factory one in Dave's video had 10K/12K on top row, and 10K/4.64K on bottom, I think. I'm not up on SMD resistor codes so I used an online calculator :)
EDIT2: Just working those out, it all rings true, if you work out those voltage dividers then that gives a product config setting of 22 on the EDU model, as opposed to 24 on the reviewed model. The left-hand pair of resistors are config 0 divider, the right hand ones are config 1.
-
I wouldn't expect any HW difference between DSOX and EDUX as all differences are in options.
I noticed some differences in some components between the EDU and DSO models. EDU has missing components on the EXT TRIG input section (missing RELAY, Analog comparator with resistors and caps) and EDU has additional components on both input sections compared to the DSO model.
Changing the ID from 22 (default ID for EDUX1002G) to 24 (default ID for DSOX1102G) activates Segmented Memory, Additional Trigger modes, BW to 70MHz, 2GSa/s and most of the features available with DSOX1102G, but fails self test (Comparator & Mux error) and does not pass User Calibration (probably due to missing components on EXT TRIG input section).
-
Upon looking to see the component differences on the ext trig, i also noticed the extra components on the two channels. Oddly enough, these are replaced by a "000" jumper on the DSO model.
What're the odds that's an active 50MHz low-pass? ::)
I wouldn't expect any HW difference between DSOX and EDUX as all differences are in options.
I noticed some differences in some components between the EDU and DSO models. EDU has missing components on the EXT TRIG input section (missing RELAY, Analog comparator with resistors and caps) and EDU has additional components on both input sections compared to the DSO model.
Changing the ID from 22 (default ID for EDUX1002G) to 24 (default ID for DSOX1102G) activates Segmented Memory, Additional Trigger modes, BW to 70MHz, 2GSa/s and most of the features available with DSOX1102G, but fails self test (Comparator & Mux error) and does not pass User Calibration (probably due to missing components on EXT TRIG input section).
-
The probes included with the EDU model are 75MHz and not 200MHz
-
I do not think 75MHz probes prove anything. If they exist why to include 200MHz probes with a 50MHz scope.
-
Upon looking to see the component differences on the ext trig, i also noticed the extra components on the two channels. Oddly enough, these are replaced by a "000" jumper on the DSO model.
What're the odds that's an active 50MHz low-pass? ::)
I measured the input level and it gets attenuated below -3dB after 70MHz, and Scope About screen shows "70MHz" (Product ID 24).
-
Upon looking to see the component differences on the ext trig, i also noticed the extra components on the two channels. Oddly enough, these are replaced by a "000" jumper on the DSO model.
What're the odds that's an active 50MHz low-pass? ::)
Looks like the chip is EL5166ISZ current feedback amplifier.
-
I think that the missing SOT23-5 component in the EXT TRG part is the comparator TI LMV7219.
The picture is not clear enough, but I can recognize mark C14A which is LMV7219M5 component.
The wide body tssop 8 pin below probably is the dual op-amp TI TLC272 with marking P272C.
-
The lower bandwidth EDU has extra parts? That's interesting...
An extra hardware filter?
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=300069;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=300071;image)
-
I do not think 75MHz probes prove anything. If they exist why to include 200MHz probes with a 50MHz scope.
Because the DSO model has a 100MHz software upgrade option, and demonstrably a 200MHz front end. Makes sense to include 200MHz probes with that.
Cheaper 50MHz probes with the EDU makes sense. No software upgrade option on that.
-
The lower bandwidth EDU has extra parts? That's interesting...
An extra hardware filter?
Not software switchable...no hacking!
-
The lower bandwidth EDU has extra parts? That's interesting...
An extra hardware filter?
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=300069;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=300071;image)
It looks like the ADC/ASIC does the bandwidth limiting, and will probably only do 70MHz - there isn't a 50MHz DSOX2000 model. So this being a 50MHz bandwidth limiter makes sense if Marketing decides that they need a 50Mhz model to avoid competing with the DSOX product.
-
I suppose the obvious question is, can it be ripped off to release the full potential? Looks like there's a few passives to add on as well... but is there a further hardware limitation somewhere? Not too worried about the probes - as has been said, makes sense to only ship 75MHz ones rather than 200's for a model marketed as a 50 meg scope.
(Looks around the room - fears he's the guinea pig here)
-
It looks as if the only upgrades that don't require hardware changes are the ones Keysight sell licenses for. They seem to have taken care to make the hardware different enough to cause 'issues' if you try to fool it. That doesn't mean it won't be possible to hack, if you are prepared to get all hot with a soldering iron, though!
-
The lower bandwidth EDU has extra parts? That's interesting...
An extra hardware filter?
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=300069;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=300071;image)
It looks like the ADC/ASIC does the bandwidth limiting, and will probably only do 70MHz - there isn't a 50MHz DSOX2000 model. So this being a 50MHz bandwidth limiter makes sense if Marketing decides that they need a 50Mhz model to avoid competing with the DSOX product.
Its likely that's just a simple opamp front end for the low end product, and although having the extra parts visible it's then missing all the discrete front end under the can.
-
The lower bandwidth EDU has extra parts? That's interesting...
An extra hardware filter?
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=300069;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=300071;image)
It looks like the ADC/ASIC does the bandwidth limiting, and will probably only do 70MHz - there isn't a 50MHz DSOX2000 model. So this being a 50MHz bandwidth limiter makes sense if Marketing decides that they need a 50Mhz model to avoid competing with the DSOX product.
Its likely that's just a simple opamp front end for the low end product, and although having the extra parts visible it's then missing all the discrete front end under the can.
That's a good point - can we see under the can of the EDUX please?
-
can we see under the can of the EDUX please?
EDUX1002G Input Channel 2
-
I noticed some differences in some components between the EDU and DSO models. EDU has missing components on the EXT TRIG input section (missing RELAY, Analog comparator with resistors and caps) and EDU has additional components on both input sections compared to the DSO model.
EDUX only has a single range for the EXT input, hence no relay
-
What is the name of the 8 pin square chip in center right? Can be a band limiting amplifier.
-
What is the name of the 8 pin square chip in center right? Can be a band limiting amplifier.
The 8 pin square chip is HMC626ALP5E 0.5 dB LSB GaAs MMIC 6-BIT DIGITAL VARIABLE GAIN AMPLIFIER, DC - 1 GHz (same chip on both EDUX and DSOX)
The 14 pin U40 chip is OPA4872 4:1 High-Speed Multiplexer (On Dave's DSOX1102G unit it is LMH6574MA)
-
What is the name of the 8 pin square chip in center right? Can be a band limiting amplifier.
The 8 pin square chip is HMC626ALP5E 0.5 dB LSB GaAs MMIC 6-BIT DIGITAL VARIABLE GAIN AMPLIFIER, DC - 1 GHz (same chip on both EDUX and DSOX)
Don't think so - HMC626 is a 32 pin QFN
The 14 pin U40 chip is OPA4872 4:1 High-Speed Multiplexer (On Dave's DSOX1102G unit it is LMH6574MA)
Weird - comparing Digikey pricing, looks like they're spending more on the 50MHz front-end than the 200MHz one!
-
What is the name of the 8 pin square chip in center right? Can be a band limiting amplifier.
The 8 pin square chip is HMC626ALP5E 0.5 dB LSB GaAs MMIC 6-BIT DIGITAL VARIABLE GAIN AMPLIFIER, DC - 1 GHz (same chip on both EDUX and DSOX)
Don't think so - HMC626 is a 32 pin QFN
You are right... I took it from Dave's teardown video: https://www.youtube.com/watch?v=9KcOQsVxtoU (https://www.youtube.com/watch?v=9KcOQsVxtoU) @ 22:59
The marking on the package is HVB #626
-
The 14 pin U40 chip is OPA4872 4:1 High-Speed Multiplexer (On Dave's DSOX1102G unit it is LMH6574MA)
Weird - comparing Digikey pricing, looks like they're spending more on the 50MHz front-end than the 200MHz one!
The 50MHz front-end is definitely more expensive if you add the EL5166ISZ current feedback amplifier on each channel
-
The missing EL5166ISZ opamp could just be a production optimisation once they were comfortable enough with leaving it off(they decided it wasn't needed). Same for the different mux manufacturers, the boards probably have different manufacturing dates.
-
So Dave's guess was incorrect, the small square chip is not HMC626a. This is also obvious from the pinout. The output of the IC on the board is pin 1. What is it then...?
-
The 14 pin U40 chip is OPA4872 4:1 High-Speed Multiplexer (On Dave's DSOX1102G unit it is LMH6574MA)
Weird - comparing Digikey pricing, looks like they're spending more on the 50MHz front-end than the 200MHz one!
I don't think they're doing it to save on the BOM.
-
So Dave's guess was incorrect, the small square chip is not HMC626a. This is also obvious from the pinout. The output of the IC on the board is pin 1. What is it then...?
Probably a single-ended to differential buffer for the ADC
-
In that case the additional amplifier IC on the 50MHz model would ruin symmetry of the differential connection between that chip and LMH6552. The additional IC has voltage gain of 4. So no, unlikely the small chip is a single to differential converter.
Looking at the resistor values, the combined gain between the small IC and output of LMH6552 is twice as high for 50 MHz model as that of 100/200MHz one. Makes me wonder why they had to boost it for 50 MHz model.
-
From memory, Dave has an earlier prototype from last year, as well as the newer dumpster scopes. I am not sure which he took appart and photoed, but I know he said they had different rev numbers on the boards.
Dave are the front ends the same on both versions?
-
I suppose the obvious question is, can it be ripped off to release the full potential?
Very likely.
-
From memory, Dave has an earlier prototype from last year, as well as the newer dumpster scopes. I am not sure which he took appart and photoed, but I know he said they had different rev numbers on the boards.
Dave are the front ends the same on both versions?
That top part seems to be. My videos were on the production unit.
-
Don't forget I have hires teardown photos:
https://flic.kr/s/aHskPVQpFq
-
I was able to get 100MHz on EDUX using Product ID 03 (it has the same issues with Channel 2 as described previously), but could not get 200MHz, so there must be some differences in the front end (the extra EL5166ISZ opamp?)
Going back to Product ID 24 as 03 has many issues.
-
It looks as if the only upgrades that don't require hardware changes are the ones Keysight sell licenses for. They seem to have taken care to make the hardware different enough to cause 'issues' if you try to fool it. That doesn't mean it won't be possible to hack, if you are prepared to get all hot with a soldering iron, though!
The continuous assumption in this whole discussion (correct me if I'm wrong) is that all of the identity of the machine is in the hardware. It need not be. There might be a bunch of hidden data bits somewhere that say 'I'm model xxx' (programmed anti-fuses in some chip, or an OTP part of a ROM). No amount of hardware hacking will be enough, then, to fool the main software into concluding it runs on model yyy, unless you find out all about the ID bits.
-
I was able to get 100MHz on EDUX using Product ID 03 (it has the same issues with Channel 2 as described previously), but could not get 200MHz, so there must be some differences in the front end (the extra EL5166ISZ
Can you measure the bandwidth of the front end? Source signal to the scope input and measure the output of the lmh6552 on one shoulder.
-
It looks as if the only upgrades that don't require hardware changes are the ones Keysight sell licenses for. They seem to have taken care to make the hardware different enough to cause 'issues' if you try to fool it. That doesn't mean it won't be possible to hack, if you are prepared to get all hot with a soldering iron, though!
The continuous assumption in this whole discussion (correct me if I'm wrong) is that all of the identity of the machine is in the hardware. It need not be. There might be a bunch of hidden data bits somewhere that say 'I'm model xxx' (programmed anti-fuses in some chip, or an OTP part of a ROM). No amount of hardware hacking will be enough, then, to fool the main software into concluding it runs on model yyy, unless you find out all about the ID bits.
This is certainly possible but going by how the DSOX2000/3000 series operates it seems most things are set by jumper.
-
It looks as if the only upgrades that don't require hardware changes are the ones Keysight sell licenses for. They seem to have taken care to make the hardware different enough to cause 'issues' if you try to fool it. That doesn't mean it won't be possible to hack, if you are prepared to get all hot with a soldering iron, though!
The continuous assumption in this whole discussion (correct me if I'm wrong) is that all of the identity of the machine is in the hardware. It need not be. There might be a bunch of hidden data bits somewhere that say 'I'm model xxx' (programmed anti-fuses in some chip, or an OTP part of a ROM). No amount of hardware hacking will be enough, then, to fool the main software into concluding it runs on model yyy, unless you find out all about the ID bits.
It is certain that you cannot go from the model without signal generator to the G model, and from EDUX to DSOX without adding the missing hardware components.
-
I was able to get 100MHz on EDUX using Product ID 03 (it has the same issues with Channel 2 as described previously), but could not get 200MHz, so there must be some differences in the front end (the extra EL5166ISZ
Can you measure the bandwidth of the front end? Source signal to the scope input and measure the output of the lmh6552 on one shoulder.
There is another difference in the front end. The EDUX model has a chip marked 6335 AL 1A instead of the LMH6552. I am trying to find the part pinout.
-
LMH6550 has marking AL1A and it is differential amplifier, but there is no 6335 code mark in the datasheet.
Both components have the same pin-out.
LMH6550 has 90 MHz 0.1-dB Bandwidth, LMH6552 has 450-MHz 0.1 dB.
-
Without wanting to side-track the discussion of getting an EDUX up to 100MHz and beyond - has anyone found the isolated product or module config that enables the serial decode (if it even exists on the resistors so far exposed)? I've not seen anything in the video or the forum posts that really explains which part of the code - if any - relates to the software features? I know Dave spotted in the video that some features got disabled during his investigations, but has anyone categorically discovered what enables it - effectively an EDUX with the serial decode enabled?
The reason I ask is because I'm wondering if it's not something that's possible - because when ordering, the serial decode upgrade was a license option that you had to purchase along with the product; it wasn't a separately listed "hardware" product (despite the naming convention of "EDUX1EMBD") . Which makes me think serial decode - at least on the EDUX model - is not something hackable? Apologies if I "missed a memo" :D
-
All decodes will be enabled by software licenses, but there may be additional qualification/enable based on model links. When fiddling with the links I saw various permutations of licenses appearing and disappearing.
-
makes me think serial decode - at least on the EDUX model - is not something hackable?
You can purchase it separately later so it's not a hardware hack, it's a software hack. AFAIK nobody's looked into software hacks yet.
(it might not even be possible, there's not actually many 'scopes on the market that can be software hacked to enable options).
-
Is there also a hardware requirement for the serial decode? The EDUX doesn't have the same number of protocols supported that the DSOX does.
-
Is there also a hardware requirement for the serial decode? The EDUX doesn't have the same number of protocols supported that the DSOX does.
My guess is that SPI decoding is missing on the EDUX because it requires the use of EXT TRIG input as 3rd channel, and EDUX has limited capabilities on this input compared to the DSOX. But keysight charges the same $$$ for serial decode for EDUX and DSOX even when SPI is missing on EDUX.
-
Ah, yes, that makes sense.
-
Is there also a hardware requirement for the serial decode? The EDUX doesn't have the same number of protocols supported that the DSOX does.
My guess is that SPI decoding is missing on the EDUX because it requires the use of EXT TRIG input as 3rd channel, and EDUX has limited capabilities on this input compared to the DSOX. But keysight charges the same $$$ for serial decode for EDUX and DSOX even when SPI is missing on EDUX.
is there any limitation other than voltage range, which isn't a problem for SPI ?
-
Is there also a hardware requirement for the serial decode? The EDUX doesn't have the same number of protocols supported that the DSOX does.
My guess is that SPI decoding is missing on the EDUX because it requires the use of EXT TRIG input as 3rd channel, and EDUX has limited capabilities on this input compared to the DSOX. But keysight charges the same $$$ for serial decode for EDUX and DSOX even when SPI is missing on EDUX.
is there any limitation other than voltage range, which isn't a problem for SPI ?
In EDUX mode (Product ID 22) Bus function does not allow user to select EXT as a signal for the BUS. You can only select CH1 and CH2. In DSOX mode (Product ID 24) you can add all 3 inputs to a BUS. Even when the manual says that EXT TRIG input has only 1 voltage range, you can change the probe attenuation and it automatically changes the voltage range. i.e. with probe 1:1 voltage range goes up to 8V. If you change probe to 10:1, voltage range goes up to 80V. I have not tested other probe attenuation values.
Unless triggering from EXT, the button is disabled and if you press it, the scope says: The external trigger view (the signal's digital waveform) is not available in EDUX1000-Series oscilloscopes when the trigger source is not 'EXT' or when the serial bus decode is enabled.
Unfortunately I don't have the decode option to test if SPI gets enabled in EDUX scopes with Product ID 24.
I am about to populate the missing components on the EXT Trig input section to see if the self test error goes away.
-
how it progressing?
makes me wonder can a 3000 series be upgrade from 100Mhz to 1Ghz?
3000A can be upgraded to 500 MHz
3000T can almost certainly be upgraded to 1 GHz (The mod is in progress, I'll have more info in another week or two)
Edit - I should add both of these mods require hardware changes.
-
I am about to populate the missing components on the EXT Trig input section to see if the self test error goes away.
Interesting hack TK :-+
-
Without wanting to side-track the discussion of getting an EDUX up to 100MHz and beyond - has anyone found the isolated product or module config that enables the serial decode (if it even exists on the resistors so far exposed)? I've not seen anything in the video or the forum posts that really explains which part of the code - if any - relates to the software features? I know Dave spotted in the video that some features got disabled during his investigations, but has anyone categorically discovered what enables it - effectively an EDUX with the serial decode enabled?
It seems to be an AND function.
The scope needs to be in a certain config mode (set by the resistors, e.g. Mode "24") and by the license keys.
If you lack one or the other then the functionality disappears.
-
I am about to populate the missing components on the EXT Trig input section to see if the self test error goes away.
Interesting hack TK :-+
I soldered all the components on the EXT trig input section. Self test passes, but still getting user calibration error. It advances a lot more, but it finally fails. The user calibration algorithm implemented for DSOX does not like the EDUX hardware.
I am closing the scope for now
-
I am about to populate the missing components on the EXT Trig input section to see if the self test error goes away.
Interesting hack TK :-+
I soldered all the components on the EXT trig input section. Self test passes, but still getting user calibration error. It advances a lot more, but it finally fails. The user calibration algorithm implemented for DSOX does not like the EDUX hardware.
I am closing the scope for now
remember you can get some selfcal diags from the serial port which may give some clues
-
@TK
Thanks for your time and effort. :)
-
I am about to populate the missing components on the EXT Trig input section to see if the self test error goes away.
Interesting hack TK :-+
I soldered all the components on the EXT trig input section. Self test passes, but still getting user calibration error. It advances a lot more, but it finally fails. The user calibration algorithm implemented for DSOX does not like the EDUX hardware.
I am closing the scope for now
remember you can get some selfcal diags from the serial port which may give some clues
EDUX1002G Product ID 22 (factory) complete log: BOOT, Hardware Self Test (PASS), User Calibration (PASS)
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Flash: 512 KiB
NAND: internal ecc 128 MiB
Debug serial initialized ........OK
RTC: 2024-17-3 4:100:43.58 UTC
Microsoft Windows CE Bootloader Common Library Version 1.4 Built May 7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008
PHY not found.
System ready!
Preparing for download...
RTC: 2024-17-3 4:100:43.58 UTC
Loading image 1 from memory at 0xD0600000
O
BL_IMAGE_TYPE_BIN
X
XXXXOOOOXXOOOOOOOOXOXOOOOOOOOXOOOXOOOOXXOOOOOOOOOXOOOOXOXXOXOXXOXOXOXOXXXXOOXXXOOOOOOXXOXXOXXXXXXOOOXXXOXXOOOXXXOXXOOOOXOOXXOOOXOOOOXOXOOOOOXOOOXOOXOXXOXOXXXXXXOXXXXOOOXOOOXOXOOOOXOOOOXOXOXOOOOOOXX
OOOXOOXOOOOXOOOOXOOXXOOXOOOOOOOOOXOOOOXOOOOOOXOXOOOOXOXOOOOOOOXXOOXOOXOXOOOXOOOXOOXXOXOXOOOXOXXXXXOXOXXXOXXXXOXOXXOOOXXXXOXXXXOXXXXXXXOXXXXXXOXXOXXOXXOOXXOXXXOXXXXOOOXXX
OOOXXXOXXOOXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXXXXOOOXOXOOXOOXXXXXXXXXXXXXrom_offset=0x0.
XXImageStart = 0x80361000, ImageLength = 0x1A80C40, LaunchAddr = 0x80362000
Completed file(s):
-------------------------------------------------------------------------------
[0]: Address=0x80361000 Length=0x1A80C40 Name="" Target=RAM
Loading image 1 succeeded.
ROMHDR at Address 80361044h
Preparing launch...
RTC: 2024-17-3 4:100:44.1 UTC
Launching windows CE image by jumping at address 0x 362000
Windows CE Kernel for ARM (Thumb Enabled) Built on Mar 8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Sep 28 2016)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000 size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers\Active\14
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200 (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
LAN PHY NOT detected.
DeleteP500EnetRegistry:
\Comm\GMAC 0x0
\Comm\GMAC1 0x0
\Comm\Tcpip\Linkage 0x0
\Drivers\Virtual 0x0
\Drivers\BuiltIn\LIN 0x5
LIN: Data Valid
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
Device load time:
NANDFLASH: 0 ms
SNANDFLASH: 0 ms
SHIM DLL, LoadRealDll [PalIO.dll] for [AgilentPalIO.dll]
SHIM [AgilentPalIO.dll] Get Process Addresses
LaunchInfiniiVision:
=========================================
BLT Product Config 22
Bandwidth : 70MHz
#Channel : 2
Board Rev : FPR
Clk Gating : Baldwin
Sample Rate : 4GSa
LAN PHY : No
BLT Module Config 02
Rev : LP3
Sample Rate : 5GSa/s
=========================================
BLT_PRODUCT_CONFIG_0, 0.689v, ID2
BLT_PRODUCT_CONFIG_1, 0.694v, ID2
BLT_MODULE_CONFIG_0, 0.689v, ID2
BLT_MODULE_CONFIG_1, 0.007v, ID0
CANINE_BOARD_REV, 0.002v, ID0
CANINE_MODEL_NAME: MARSUPIAL, 1.740v, ID6, MARSUPIAL
CANINE_EXTMODULE, 2.485v, ID8, SWID8
CANINE_MSO_REV, 0.645v, ID2, SWID2
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll]
SHIM [AgilentPalSStorage.dll] Get Process Addresses
Released build, Sep 28 2016, 00:17:51
Initializing FPGA...
************************************
FPGA Type: Marsupial
Ver: 1.067 Released
Build Time: Tue Jun 14 17:13:42 2016
Build Machine: 2UA5461ZWH
************************************
cMarsupialCalMgr::cMarsupialUserCalFactors::cMarsupialUserCalFactors size 146412
cMarsupialCalMgr::cMarsupialServiceCalFactors::cMarsupialServiceCalFactors size 704
cMarsupialCalMgr::cMarsupialFactoryCalFactors::cMarsupialFactoryCalFactors size 896
Calibration mode User
Recall \Secure\cal\FactoryCal2.dat - ok
Recall \Secure\cal\ServiceCal1.dat - ok
Recall \Secure\cal\UserCal8.dat - ok
Cal Date Wed Mar 22 20:32:43 2017
will do USB phy workaround: CheckCRC
Startup sequence is complete.
System has been running 15.272385 seconds
Start Up Sequence 5.643599
Memory Load 50%
System Physical Memory 36.191 / 73.465 MB
Process Virtual Memory 44.500 / 1024.000 MB
-----> InfiniiVision is running <-----
** self test: PASSED : DDR Mem Bus
** self test: PASSED : Acquisition Memory
** self test: PASSED : ADC
** self test: PASSED : MegaZoom SIPO
** self test: PASSED : TrigComp & Mux
** self test: PASSED : FirmwareStatus
Performing USER calibraion
######################## Channel 1 ########################
**** Baldwin Interpolator ****
fiPreDelay = 0x10
fiCalResult = 192
fiWide = 359
Final Cal Factor = 0x10
**** CAL PASSED **** Time: 1 seconds
**** Talon Calibrator ****
Calibrate AC Signal
Channel 1: Offset 0x20400 GainIndex 7 GainVern 0x1db0
Channel 2: Offset 0x20400 GainIndex 7 GainVern 0x1db0
Calibrate DC Signal
# Pts (out of 20): 20 B1 = 164566.442655 B0 = 127787.527900
# Pts (out of 20): 20 B1 = 164413.595754 B0 = 128047.469140
Testing...
Vin = -0.200000 AvgQLvl = 25.500000 VinActual = -0.200195
Vin = 0.000000 AvgQLvl = 129.750000 VinActual = 0.003418
Vin = 0.200000 AvgQLvl = 233.500000 VinActual = 0.206055
**** CAL PASSED **** Time: 2 seconds
**** Talon ****
**Talon Init Cal**
Slice Offset = 20
Slice offset correction successful
Using all slices for calibration
**Talon Dac Cal**
Gain Dac Iteration 1: Deltas 14 | Max 1 | Min -1
Gain Dac Iteration 2: Deltas 4 | Max 1 | Min -1
Gain Dac Iteration 3: Deltas 4 | Max 1 | Min -1
Offset Dac Iteration 1: Deltas 39 | Max 3 | Min -3
Offset Dac Iteration 2: Deltas 6 | Max 3 | Min -3
**Talon Pipeline Cal**
*** Talon pipeline cal ***
# pts not used = 0
Offset Adjustment = -29.031982
Gain Adjustment = 1.018970
**Talon4 Timing Cal**
Freq: 39.999902MHz
QMax 0xb4 QMin 0x4b
Min Per: 2.486970e-008 Max Per: 2.514583e-008
Harmonic Used: 1
MajorPass 1 | Deltas 24 | Max Dac 8 | Min Dac -8
MajorPass 2 | Deltas 5 | Max Dac 9 | Min Dac -10
MajorPass 3 | Deltas 3 | Max Dac 8 | Min Dac -10
MinorPass 1 | Deltas 120 | Max Dac 23 | Min Dac -23
Minor Timing Vernier is clipped
MinorPass 2 | Deltas 103 | Max Dac 37 | Min Dac -34
**Talon Pipeline Cal**
*** Talon pipeline cal ***
# pts not used = 0
Offset Adjustment = -46.060181
Gain Adjustment = 1.036238
Using partial slices for calibration
**Talon Dac Cal**
Gain Dac Iteration 1: Deltas 0 | Max 1 | Min 0
Gain Dac Iteration 2: Deltas 0 | Max 1 | Min 0
Gain Dac Iteration 3: Deltas 0 | Max 1 | Min 0
Offset Dac Iteration 1: Deltas 0 | Max 2 | Min -3
Offset Dac Iteration 2: Deltas 0 | Max 2 | Min -3
**Talon Pipeline Cal**
*** Talon pipeline cal ***
# pts not used = 0
Offset Adjustment = -0.911255
**** CAL PASSED **** Time: 113 seconds
**** DC Gain ****
28400, 0.758482 : -30827.981533 , 51782.456140
28800, 0.745506 : -4489.511874 , 32146.959632
29200, 0.656410 : -4969.442724 , 32461.990950
29600, 0.575918 : -5494.668378 , 32764.477799
30000, 0.503120 : -6325.395779 , 33182.433405
30400, 0.439883 : -7364.605815 , 33639.564124
30800, 0.385569 : -7972.753845 , 33874.047187
31200, 0.335398 : -9751.359308 , 34470.588235
31600, 0.294378 : -10675.546460 , 34742.648846
32000, 0.256909 : -12236.733617 , 35143.732591
32400, 0.224221 : -14216.787600 , 35587.702265
32800, 0.196085 : -15441.080381 , 35827.768014
33200, 0.170180 : -19225.327652 , 36471.772429
33600, 0.149374 : -21069.483781 , 36747.242206
34000, 0.130390 : -23810.229639 , 37104.607046
34400, 0.113590 : -27891.983292 , 37568.253968
34800, 0.099249 : -30613.152393 , 37838.327526
35200, 0.086183 : -37870.580762 , 38463.793103
35600, 0.075621 : -42038.156636 , 38778.947368
36000, 0.066105 : -46241.972299 , 39056.842105
36400, 0.057455 : -59364.694168 , 39810.810811
36800, 0.050717 : -266241.658692, 50303.030303
37200, 0.049215 : 0.000000 , 0.000000
Reference range = 0.440V
Coarse gain ratio
0.1x = 0.359 (1.227V)
0.4x = 1.000 (0.440V)
0.8x = 2.833 (0.155V)
2.0x = 7.823 (0.056V)
Gain# MIN MAX %OL
0 0.006291 0.096949
1 0.017369 0.267690
2 0.049215 0.758482
3 0.137233 2.114988
4 0.284519 4.384904
5 0.785594 12.107306
6 2.225927 34.305218
7 6.206885 95.658372
ADC half speed gain ratio = 0.965 (0.456V)
**** CAL PASSED **** Time: 15 seconds
**** Offset Error ****
AC Coupling
Gain# 0 [29278 (0.006291V) - 37738 (0.080000V), 45pts]
Gain# 1 [29398 (0.080000V) - 32503 (0.216000V), 45pts]
Gain# 2 [29329 (0.216000V) - 32659 (0.624000V), 45pts]
Gain# 3 [29581 (0.624000V) - 32551 (1.600000V), 45pts]
Gain# 4 [29427 (1.600000V) - 31902 (3.520000V), 45pts]
Gain# 5 [29444 (3.520000V) - 32594 (9.600000V), 45pts]
Gain# 6 [29367 (9.600000V) - 32697 (28.000000V), 45pts]
Gain# 7 [29274 (28.000000V) - 32559 (80.500000V), 45pts]
DC Coupling
Gain# 0 [29278 (0.006291V) - 37738 (0.080000V), 45pts]
Gain# 4 [29427 (1.600000V) - 31902 (3.520000V), 45pts]
AC Coupling
Gain# 0 [29278 (0.006291V) - 37738 (0.080000V), 45pts]
Gain# 1 [29398 (0.080000V) - 32503 (0.216000V), 45pts]
Gain# 2 [29329 (0.216000V) - 32659 (0.624000V), 45pts]
Gain# 3 [29581 (0.624000V) - 32551 (1.600000V), 45pts]
Gain# 4 [29427 (1.600000V) - 31902 (3.520000V), 45pts]
Gain# 5 [29444 (3.520000V) - 32594 (9.600000V), 45pts]
Gain# 6 [29367 (9.600000V) - 32697 (28.000000V), 45pts]
Gain# 7 [29274 (28.000000V) - 32559 (80.500000V), 45pts]
DC Coupling
Gain# 0 [29278 (0.006291V) - 37738 (0.080000V), 45pts]
Gain# 4 [29427 (1.600000V) - 31902 (3.520000V), 45pts]
0 retry out of 920 offset searched
**** CAL PASSED **** Time: 21 seconds
**** Trigger Level ****
div -3, pos slope dac = 0x94B5, neg slope dac = 0x93C7, avg = 37950.000
div -2, pos slope dac = 0x9243, neg slope dac = 0x9155, avg = 37324.000
div -1, pos slope dac = 0x8FD5, neg slope dac = 0x8EE1, avg = 36699.000
div 0, pos slope dac = 0x8D63, neg slope dac = 0x8C73, avg = 36075.000
div 1, pos slope dac = 0x8AEB, neg slope dac = 0x89FF, avg = 35445.000
div 2, pos slope dac = 0x887F, neg slope dac = 0x8791, avg = 34824.000
div 3, pos slope dac = 0x860B, neg slope dac = 0x851B, avg = 34195.000
Trig 1 B1 = -625.679, B0 = 36073.143
div -3, pos slope dac = 0x9537, neg slope dac = 0x9457, avg = 38087.000
div -2, pos slope dac = 0x92CF, neg slope dac = 0x91EB, avg = 37469.000
div -1, pos slope dac = 0x905F, neg slope dac = 0x8F7D, avg = 36846.000
div 0, pos slope dac = 0x8DF1, neg slope dac = 0x8D0D, avg = 36223.000
div 1, pos slope dac = 0x8B85, neg slope dac = 0x8AA1, avg = 35603.000
div 2, pos slope dac = 0x8915, neg slope dac = 0x882F, avg = 34978.000
div 3, pos slope dac = 0x86A5, neg slope dac = 0x85C1, avg = 34355.000
Trig 2 B1 = -622.179, B0 = 36223.000
div -3, pos slope dac = 0x953D, neg slope dac = 0x9457, avg = 38090.000
div -2, pos slope dac = 0x92CF, neg slope dac = 0x91EB, avg = 37469.000
div -1, pos slope dac = 0x905F, neg slope dac = 0x8F7D, avg = 36846.000
div 0, pos slope dac = 0x8DEF, neg slope dac = 0x8D0D, avg = 36222.000
div 1, pos slope dac = 0x8B81, neg slope dac = 0x8A9F, avg = 35600.000
div 2, pos slope dac = 0x8913, neg slope dac = 0x8831, avg = 34978.000
div 3, pos slope dac = 0x86A9, neg slope dac = 0x85C3, avg = 34358.000
Trig 3 B1 = -622.286, B0 = 36223.286
Trig 1 - AC offset 30.857143
Trig 2 - AC offset 34.000000
Trig 1 - LF Rej offset 30.857143
Trig 2 - LF Rej offset 31.000000
Trig 1 - HF_Rej offset -2.142857
Trig 2 - HF_Rej offset -2.000000
Trig 1 - AC_HF_REJ offset 29.857143
Trig 2 - AC_HF_REJ offset 31.000000
**** CAL PASSED **** Time: 29 seconds
**** Trigger Hysteresis ****
Hyst dac = 12288, pos slope dac = 0x8D43, neg slope dac = 0x8C8F, range = 180, div = 0.288 +
Hyst dac = 14336, pos slope dac = 0x8D5F, neg slope dac = 0x8C71, range = 238, div = 0.380 +
Hyst dac = 16384, pos slope dac = 0x8D7F, neg slope dac = 0x8C55, range = 298, div = 0.476 +
Hyst dac = 18432, pos slope dac = 0x8D9F, neg slope dac = 0x8C35, range = 362, div = 0.579 +
Hyst dac = 20480, pos slope dac = 0x8DBD, neg slope dac = 0x8C13, range = 426, div = 0.681 +
Hyst dac = 22528, pos slope dac = 0x8DDD, neg slope dac = 0x8BF3, range = 490, div = 0.783 +
Hyst dac = 24576, pos slope dac = 0x8DFD, neg slope dac = 0x8BD1, range = 556, div = 0.889 +
Hyst dac = 26624, pos slope dac = 0x8E1F, neg slope dac = 0x8BB1, range = 622, div = 0.994 +
Hyst dac = 28672, pos slope dac = 0x8E3F, neg slope dac = 0x8B8B, range = 692, div = 1.106 +
Hyst dac = 30720, pos slope dac = 0x8E63, neg slope dac = 0x8B69, range = 762, div = 1.218 +
Hyst dac = 32768, pos slope dac = 0x8E87, neg slope dac = 0x8B45, range = 834, div = 1.333 +
Hyst dac = 34816, pos slope dac = 0x8EA9, neg slope dac = 0x8B23, range = 902, div = 1.442 +
Hyst dac = 36864, pos slope dac = 0x8ECD, neg slope dac = 0x8B01, range = 972, div = 1.554 +
Trig Hyst B1 = 19290.253, B0 = 7182.611
**** CAL PASSED **** Time: 13 seconds
**** External Trigger Level ****
/5 Trig B1 = 1071.000, B0 = 35562.000
**** CAL PASSED **** Time: 1 seconds
**** Wave Gen ****
[calibrator] = 0x3fb46 Q | -52958.38 Q/V
[0: DIV1 + DIV1 ] = 0x1eb85 Q | 10128.80 Q/V | (calV=2.523585V) 33.527634 V
[1: DIV4 + DIV1 ] = 0x1fa87 Q | 10132.80 Q/V | (calV=2.500246V) 8.304389 V
[2: DIV16 + DIV1 ] = 0x1ffd4 Q | 10131.60 Q/V | (calV=0.640371V) 2.092969 V
[3: DIV64 + DIV1 ] = 0x1fff1 Q | 10131.60 Q/V | (calV=0.159918V) 0.541709 V
[4: DIV1 + DIV23] = 0x1eb7e Q | 235835.00 Q/V | (calV=0.448673V) 1.429883 V
[5: DIV4 + DIV23] = 0x1fa79 Q | 235895.00 Q/V | (calV=0.109935V) 0.357028 V
[6: DIV16 + DIV23] = 0x1ffc4 Q | 235900.00 Q/V | (calV=0.025001V) 0.089740 V
[7: DIV64 + DIV23] = 0x1ffe1 Q | 235900.00 Q/V | (calV=0.006987V) 0.023281 V
[0: DIV1 + DIV1 ] = 33.258736 V (overwrite)
**** CAL PASSED **** Time: 62 seconds
**** Wavegen Trigger Level Offset ****
Wavegen Trig Offset = 0x8BC8
**** CAL PASSED **** Time: 1 seconds
**** Baldwin Trig Time Qual ****
Set CalConfigScope range 1.000000E-005, delay -1.000000E-006
Top : 1.055276
Base : -21.055276
Vert Scale : 80.000000
Vert Offset: -10.527638
Trig Level : -10.527638
Horz Range : 1.000000e-007
Horz Delay : 1.500000e-008
CalConfigScope range 1.000000E-007, delay 1.500000E-008
--- Internal Timer ---
tVolt for Edge Trigger = 3.469388 ns
Zero Time = 3.469388 ns
*Int Osc Freq*
Oscillator Freq: 385.830187 MHz
Set CalConfigScope range 5.000000E-008, delay -5.000000E-009
CalConfigScope range 5.000000E-008, delay 1.000000E-008
*Int Find Min Time*
Zero Time Timer 0 : 1322.512755 ps
Zero Time Timer 1 : 1335.012755 ps
*Int Find Min Time*
Timer 0:
Dac 0 Time 1314.439838 ps
Dac 31 Time 2438.738717 ps
Dac 62 Time 3554.023172 ps
Dac 93 Time 4597.512755 ps
Dac 124 Time 5794.387755 ps
Fine Dac Gain 35.866677 ps/DacCode
Timer 1:
Dac 0 Time 1333.971088 ps
Dac 31 Time 2447.252338 ps
Dac 62 Time 3547.512755 ps
Dac 93 Time 4638.007547 ps
Dac 124 Time 5725.637755 ps
Fine Dac Gain 35.400286 ps/DacCode
*Int Fast Path*
Fast Dac Zero Time 924.315640 ps
Dac 0 Time 962.877338 ps
Dac 31 Time 1726.599294 ps
Dac 62 Time 2838.378140 ps
Dac 93 Time 3944.387755 ps
Dac 124 Time 5041.262755 ps
Fine Dac Gain 33.466320 ps/DacCode
--- Sync Timer ---
Set CalConfigScope range 5.000000E-007, delay -5.000000E-008
MClk Frequency = 199988766.929841
*Calibrating PdSel*
PdSel 0 : Min 68 Max 126
PdSel = 0
Min Fine Dac = 142
*Fine Dac*
Sync Timer minimum Time : 2.180598e-008
Dac 142 Val: -2.180064e-008
Dac 234 Val: -2.590689e-008
Dac 326 Val: -2.996173e-008
Dac 418 Val: -3.413265e-008
Dac 510 Val: -3.825799e-008
Fine Dac Gain: 2.236198e+010 DacCode/second
Fine Dac Gain: 44.718762 ps/DacCode
**** CAL PASSED **** Time: 2 seconds
######################## Channel 2 ########################
**** DC Gain ****
28400, 0.755586 : -35017.815055 , 54858.964143
28800, 0.744163 : -4604.228171 , 32226.296490
29200, 0.657286 : -4977.050724 , 32471.347678
29600, 0.576918 : -5372.537640 , 32699.511002
30000, 0.502465 : -6337.037908 , 33184.138428
30400, 0.439344 : -7330.668540 , 33620.683903
30800, 0.384779 : -7875.870590 , 33830.465950
31200, 0.333990 : -9976.698728 , 34532.122588
31600, 0.293897 : -10538.934747 , 34697.362110
32000, 0.255943 : -12327.449620 , 35155.119215
32400, 0.223495 : -14222.445921 , 35578.640777
32800, 0.195370 : -15420.125577 , 35812.631579
33200, 0.169430 : -19402.807018 , 36487.417219
33600, 0.148814 : -20536.148549 , 36656.074766
34000, 0.129337 : -23949.513839 , 37097.547684
34400, 0.112635 : -28537.245386 , 37614.285714
34800, 0.098618 : -30518.998538 , 37809.722222
35200, 0.085511 : -38215.093821 , 38467.826087
35600, 0.075044 : -40691.998051 , 38653.703704
36000, 0.065214 : -47002.521813 , 39065.240642
36400, 0.056704 : -62336.677865 , 39934.751773
36800, 0.050287 : -266347.623604, 50193.939394
37200, 0.048786 : 0.000000 , 0.000000
Reference range = 0.439V
Coarse gain ratio
0.1x = 0.357 (1.229V)
0.4x = 1.000 (0.439V)
0.8x = 2.832 (0.155V)
2.0x = 7.836 (0.056V)
Gain# MIN MAX %OL
0 0.006226 0.096424
1 0.017227 0.266811
2 0.048786 0.755586
3 0.136493 2.113981
4 0.281521 4.360160
5 0.778981 12.064762
6 2.206009 34.166386
7 6.171981 95.590852
ADC half speed gain ratio = 0.967 (0.454V)
**** CAL PASSED **** Time: 15 seconds
**** Offset Error ****
AC Coupling
Gain# 0 [29262 (0.006226V) - 37722 (0.080000V), 45pts]
Gain# 1 [29393 (0.080000V) - 32498 (0.216000V), 45pts]
Gain# 2 [29345 (0.216000V) - 32630 (0.624000V), 45pts]
Gain# 3 [29607 (0.624000V) - 32532 (1.600000V), 45pts]
Gain# 4 [29417 (1.600000V) - 31892 (3.520000V), 45pts]
Gain# 5 [29461 (3.520000V) - 32566 (9.600000V), 45pts]
Gain# 6 [29360 (9.600000V) - 32690 (28.000000V), 45pts]
Gain# 7 [29278 (28.000000V) - 32563 (80.500000V), 45pts]
DC Coupling
Gain# 0 [29262 (0.006226V) - 37722 (0.080000V), 45pts]
Gain# 4 [29417 (1.600000V) - 31892 (3.520000V), 45pts]
AC Coupling
Gain# 0 [29262 (0.006226V) - 37722 (0.080000V), 45pts]
Gain# 1 [29393 (0.080000V) - 32498 (0.216000V), 45pts]
Gain# 2 [29345 (0.216000V) - 32630 (0.624000V), 45pts]
Gain# 3 [29607 (0.624000V) - 32532 (1.600000V), 45pts]
Gain# 4 [29417 (1.600000V) - 31892 (3.520000V), 45pts]
Gain# 5 [29461 (3.520000V) - 32566 (9.600000V), 45pts]
Gain# 6 [29360 (9.600000V) - 32690 (28.000000V), 45pts]
Gain# 7 [29278 (28.000000V) - 32563 (80.500000V), 45pts]
DC Coupling
Gain# 0 [29262 (0.006226V) - 37722 (0.080000V), 45pts]
Gain# 4 [29417 (1.600000V) - 31892 (3.520000V), 45pts]
0 retry out of 920 offset searched
**** CAL PASSED **** Time: 23 seconds
**** Trigger Level ****
div -3, pos slope dac = 0x94B1, neg slope dac = 0x93C3, avg = 37946.000
div -2, pos slope dac = 0x9243, neg slope dac = 0x9153, avg = 37323.000
div -1, pos slope dac = 0x8FD7, neg slope dac = 0x8EE5, avg = 36702.000
div 0, pos slope dac = 0x8D67, neg slope dac = 0x8C7D, avg = 36082.000
div 1, pos slope dac = 0x8AF9, neg slope dac = 0x8A0B, avg = 35458.000
div 2, pos slope dac = 0x888F, neg slope dac = 0x879F, avg = 34839.000
div 3, pos slope dac = 0x861F, neg slope dac = 0x8531, avg = 34216.000
Trig 1 B1 = -621.500, B0 = 36080.857
div -3, pos slope dac = 0x9535, neg slope dac = 0x9453, avg = 38084.000
div -2, pos slope dac = 0x92D1, neg slope dac = 0x91E9, avg = 37469.000
div -1, pos slope dac = 0x9061, neg slope dac = 0x8F81, avg = 36849.000
div 0, pos slope dac = 0x8DF9, neg slope dac = 0x8D15, avg = 36231.000
div 1, pos slope dac = 0x8B8B, neg slope dac = 0x8AAD, avg = 35612.000
div 2, pos slope dac = 0x8921, neg slope dac = 0x883F, avg = 34992.000
div 3, pos slope dac = 0x86B9, neg slope dac = 0x85D5, avg = 34375.000
Trig 2 B1 = -618.500, B0 = 36230.286
div -3, pos slope dac = 0x958B, neg slope dac = 0x94B1, avg = 38174.000
div -2, pos slope dac = 0x9323, neg slope dac = 0x9247, avg = 37557.000
div -1, pos slope dac = 0x90B3, neg slope dac = 0x8FDD, avg = 36936.000
div 0, pos slope dac = 0x8E4B, neg slope dac = 0x8D6D, avg = 36316.000
div 1, pos slope dac = 0x8BDF, neg slope dac = 0x8B03, avg = 35697.000
div 2, pos slope dac = 0x8973, neg slope dac = 0x8899, avg = 35078.000
div 3, pos slope dac = 0x8707, neg slope dac = 0x862D, avg = 34458.000
Trig 3 B1 = -619.464, B0 = 36316.571
Trig 1 - AC offset 24.142857
Trig 2 - AC offset 21.714286
Trig 1 - LF Rej offset 24.142857
Trig 2 - LF Rej offset 23.714286
Trig 1 - HF_Rej offset -0.857143
Trig 2 - HF_Rej offset -0.285714
Trig 1 - AC_HF_REJ offset 22.142857
Trig 2 - AC_HF_REJ offset 22.714286
**** CAL PASSED **** Time: 29 seconds
**** Trigger Hysteresis ****
Hyst dac = 12288, pos slope dac = 0x8D47, neg slope dac = 0x8C97, range = 176, div = 0.283 +
Hyst dac = 14336, pos slope dac = 0x8D67, neg slope dac = 0x8C7B, range = 236, div = 0.380 +
Hyst dac = 16384, pos slope dac = 0x8D87, neg slope dac = 0x8C57, range = 304, div = 0.489 +
Hyst dac = 18432, pos slope dac = 0x8DA5, neg slope dac = 0x8C39, range = 364, div = 0.586 +
Hyst dac = 20480, pos slope dac = 0x8DC3, neg slope dac = 0x8C1D, range = 422, div = 0.679 +
Hyst dac = 22528, pos slope dac = 0x8DE5, neg slope dac = 0x8BFB, range = 490, div = 0.788 +
Hyst dac = 24576, pos slope dac = 0x8E05, neg slope dac = 0x8BD9, range = 556, div = 0.895 +
Hyst dac = 26624, pos slope dac = 0x8E27, neg slope dac = 0x8BB7, range = 624, div = 1.004 +
Hyst dac = 28672, pos slope dac = 0x8E45, neg slope dac = 0x8B95, range = 688, div = 1.107 +
Hyst dac = 30720, pos slope dac = 0x8E69, neg slope dac = 0x8B71, range = 760, div = 1.223 +
Hyst dac = 32768, pos slope dac = 0x8E8D, neg slope dac = 0x8B4F, range = 830, div = 1.335 +
Hyst dac = 34816, pos slope dac = 0x8EAF, neg slope dac = 0x8B29, range = 902, div = 1.451 +
Hyst dac = 36864, pos slope dac = 0x8ED5, neg slope dac = 0x8B03, range = 978, div = 1.574 +
Trig Hyst B1 = 19126.789, B0 = 7223.520
Hyst dac = 12288, pos slope dac = 0x8E2B, neg slope dac = 0x8D89, range = 162, div = 0.262 +
Hyst dac = 14336, pos slope dac = 0x8E4F, neg slope dac = 0x8D6D, range = 226, div = 0.365 +
Hyst dac = 16384, pos slope dac = 0x8E69, neg slope dac = 0x8D4F, range = 282, div = 0.455 +
Hyst dac = 18432, pos slope dac = 0x8E89, neg slope dac = 0x8D2F, range = 346, div = 0.559 +
Hyst dac = 20480, pos slope dac = 0x8EA9, neg slope dac = 0x8D0F, range = 410, div = 0.662 +
Hyst dac = 22528, pos slope dac = 0x8EC7, neg slope dac = 0x8CF1, range = 470, div = 0.759 +
Hyst dac = 24576, pos slope dac = 0x8EE7, neg slope dac = 0x8CD1, range = 534, div = 0.862 +
Hyst dac = 26624, pos slope dac = 0x8F05, neg slope dac = 0x8CB1, range = 596, div = 0.962 +
Hyst dac = 28672, pos slope dac = 0x8F2B, neg slope dac = 0x8C8B, range = 672, div = 1.085 +
Hyst dac = 30720, pos slope dac = 0x8F4D, neg slope dac = 0x8C6D, range = 736, div = 1.188 +
Hyst dac = 32768, pos slope dac = 0x8F71, neg slope dac = 0x8C47, range = 810, div = 1.308 +
Hyst dac = 34816, pos slope dac = 0x8F8F, neg slope dac = 0x8C25, range = 874, div = 1.411 +
Hyst dac = 36864, pos slope dac = 0x8FB3, neg slope dac = 0x8BFD, range = 950, div = 1.534 +
Trig Hyst (2) B1 = 19226.804, B0 = 7416.887
**** CAL PASSED **** Time: 26 seconds
**** Channel Delays ****
--- Vertical Settings ---
Top : 0.389447
Base : -20.917085
Final Scale : 80.000000
Final Offset (POS_SLOPE): -10.458543
Final Offset (NEG_SLOPE): -10.458543
edge trigger delay factors
iteration: 0
analog trigger channel : 1
pos polarity path delay adjustment (Sec) : 3.540625e-009
pos edge, bi edge delay factor (312.5e-15 Sec counts): 2330
neg edge delay factor (312.5e-15 Sec counts): 2330
analog trigger channel : 2
pos polarity path delay adjustment (Sec) : 2.70432692e-009
pos edge, bi edge delay factor (312.5e-15 Sec counts): -346
neg edge delay factor (312.5e-15 Sec counts): -346
analog trigger channel : 2
pos polarity path delay adjustment (Sec) : 2.01622596e-009
Chan2 TC2 pos edge, bi edge delay factor (312.5e-15 Sec counts): -5048
Chan2 TC2 neg edge delay factor (312.5e-15 Sec counts): -5048
external trigger channel
pos edge, bi edge delay factor (312.5e-15 Sec counts): 3040
neg edge delay factor (312.5e-15 Sec counts): 3040
iteration: 1
analog trigger channel : 1
pos polarity path delay adjustment (Sec) : 0
pos edge, bi edge delay factor (312.5e-15 Sec counts): 2330
neg edge delay factor (312.5e-15 Sec counts): 2330
analog trigger channel : 2
pos polarity path delay adjustment (Sec) : 0
pos edge, bi edge delay factor (312.5e-15 Sec counts): -346
neg edge delay factor (312.5e-15 Sec counts): -346
analog trigger channel : 2
pos polarity path delay adjustment (Sec) : 2.89351852e-012
Chan2 TC2 pos edge, bi edge delay factor (312.5e-15 Sec counts): -5039
Chan2 TC2 neg edge delay factor (312.5e-15 Sec counts): -5039
external trigger channel
pos edge, bi edge delay factor (312.5e-15 Sec counts): 3040
neg edge delay factor (312.5e-15 Sec counts): 3040
**** CAL PASSED **** Time: 2 seconds
**** Analog Channel Skews ****
--- Vertical Settings ---
Top : 0.389447
Base : -20.917085
Final Scale : 80.000000
Final Offset (POS_SLOPE): -10.458543
Final Offset (NEG_SLOPE): -10.458543
skew for channel: 2
adjustment (Sec) =: -3.57572115e-010
2Gsa/s factor in 312.5e-15 Sec counts: -1143
skew for channel: 2
adjustment (Sec) =: 3.00480769e-012
2Gsa/s factor in 312.5e-15 Sec counts: -1133
skew for channel: 1
adjustment (Sec) =: -8.83152174e-011
1GSa/s factor in 312.5e-15 Sec counts: -282
skew for channel: 2
adjustment (Sec) =: -9.53125e-010
1GSa/s factor in 312.5e-15 Sec counts: -3049
skew for channel: 1
adjustment (Sec) =: -8.7890625e-011
1GSa/s factor in 312.5e-15 Sec counts: -562
skew for channel: 2
adjustment (Sec) =: -8.125e-011
1GSa/s factor in 312.5e-15 Sec counts: -3308
**** CAL PASSED **** Time: 1 seconds
-----< Memory Status >-----
Memory Load 48% -> 51%: 3%
Physical Used (MB) 35.105 -> 36.965: 1.859
Total Calibration Time: 357
Lowest Frame Temp : 17.500000
Highest Frame Temp: 19.250000
Update Cal Header
Factory Cal Mode
Revision : 2
Cal Mode : Factory
Cal Satus : CAL_OK
Firmware Ver : 01.00.2016091301
Cal Temp : 29.250000 C
Cal Date : Thu Sep 29 13:36:40 2016
Cal Duration : 413s
Service Cal Mode
Revision : 1
Cal Mode : Service
Cal Satus : CAL_OK
Firmware Ver : 01.00.2016091301
Cal Temp : 24.500000 C
Cal Date : Thu Sep 29 13:48:43 2016
Cal Duration : 363s
User Cal Mode
Revision : 8
Cal Mode : User
Cal Satus : CAL_OK
Firmware Ver : 01.01.2016092800
Cal Temp : 17.750000 C
Cal Date : Wed Mar 22 20:50:48 2017
Cal Duration : 357s
**********************************
Calibration PASSED
Board: 0
Inst: CNXXXXXXXX
Date: Wed Mar 22 20:50:49 2017
Duration: 6.0 minutes
Inst Temp: 18.8 degrees C
**********************************
EDUX1002G Product ID 24 (hack) complete log: BOOT, Hardware Self Test (PASS), User Calibration (FAIL)
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Flash: 512 KiB
NAND: internal ecc 128 MiB
Debug serial initialized ........OK
RTC: 2024-17-3 4:100:2.12 UTC
Microsoft Windows CE Bootloader Common Library Version 1.4 Built May 7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008
PHY not found.
System ready!
Preparing for download...
RTC: 2024-17-3 4:100:2.12 UTC
Loading image 1 from memory at 0xD0600000
O
BL_IMAGE_TYPE_BIN
X
XXXXOOOOXXOOOOOOOOXOXOOOOOOOOXOOOXOOOOXXOOOOOOOOOXOOOOXOXXOXOXXOXOXOXOXXXXOOXXXOOOOOOXXOXXOXXXXXXOOOXXXOXXOOOXXXOXXOOOOXOOXXOOOXOOOOXOXOOOOOXOOOXOOXOXXOXOXXXXXXOXXXXOOOXOOOXOXOOOOXOOOOXOXOXOOOOOOXX
OOOXOOXOOOOXOOOOXOOXXOOXOOOOOOOOOXOOOOXOOOOOOXOXOOOOXOXOOOOOOOXXOOXOOXOXOOOXOOOXOOXXOXOXOOOXOXXXXXOXOXXXOXXXXOXOXXOOOXXXXOXXXXOXXXXXXXOXXXXXXOXXOXXOXXOOXXOXXXOXXXXOOOXXX
OOOXXXOXXOOXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXXXXOOOXOXOOXOOXXXXXXXXXXXXXrom_offset=0x0.
XXImageStart = 0x80361000, ImageLength = 0x1A80C40, LaunchAddr = 0x80362000
Completed file(s):
-------------------------------------------------------------------------------
[0]: Address=0x80361000 Length=0x1A80C40 Name="" Target=RAM
Loading image 1 succeeded.
ROMHDR at Address 80361044h
Preparing launch...
RTC: 2024-17-3 4:100:27.22 UTC
Launching windows CE image by jumping at address 0x 362000
Windows CE Kernel for ARM (Thumb Enabled) Built on Mar 8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Sep 28 2016)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000 size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers\Active\14
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200 (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
LAN PHY NOT detected.
DeleteP500EnetRegistry:
\Comm\GMAC 0x0
\Comm\GMAC1 0x0
\Comm\Tcpip\Linkage 0x0
\Drivers\Virtual 0x0
\Drivers\BuiltIn\LIN 0x5
LIN: Data Valid
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
Device load time:
NANDFLASH: 0 ms
SNANDFLASH: 0 ms
SHIM DLL, LoadRealDll [PalIO.dll] for [AgilentPalIO.dll]
SHIM [AgilentPalIO.dll] Get Process Addresses
LaunchInfiniiVision:
=========================================
BLT Product Config 24
Bandwidth : 200MHz
#Channel : 2
Board Rev : FPR
Clk Gating : Baldwin
Sample Rate : 4GSa
LAN PHY : No
BLT Module Config 02
Rev : LP3
Sample Rate : 5GSa/s
=========================================
BLT_PRODUCT_CONFIG_0, 1.249v, ID4
BLT_PRODUCT_CONFIG_1, 0.699v, ID2
BLT_MODULE_CONFIG_0, 0.689v, ID2
BLT_MODULE_CONFIG_1, 0.010v, ID0
CANINE_BOARD_REV, 0.002v, ID0
CANINE_MODEL_NAME: MARSUPIAL, 1.738v, ID6, MARSUPIAL
CANINE_EXTMODULE, 2.488v, ID8, SWID8
CANINE_MSO_REV, 0.650v, ID2, SWID2
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll]
SHIM [AgilentPalSStorage.dll] Get Process Addresses
Released build, Sep 28 2016, 00:17:51
Initializing FPGA...
************************************
FPGA Type: Marsupial
Ver: 1.067 Released
Build Time: Tue Jun 14 17:13:42 2016
Build Machine: 2UA5461ZWH
************************************
cMarsupialCalMgr::cMarsupialUserCalFactors::cMarsupialUserCalFactors size 146412
cMarsupialCalMgr::cMarsupialServiceCalFactors::cMarsupialServiceCalFactors size 704
cMarsupialCalMgr::cMarsupialFactoryCalFactors::cMarsupialFactoryCalFactors size 896
Calibration mode User
Recall \Secure\cal\FactoryCal2.dat - ok
Recall \Secure\cal\ServiceCal1.dat - ok
Recall \Secure\cal\UserCal8.dat - ok
Cal Date Wed Mar 22 09:18:21 2017
will do USB phy workaround: CheckCRC
Startup sequence is complete.
System has been running 15.415766 seconds
Start Up Sequence 5.853515
Memory Load 50%
System Physical Memory 36.234 / 73.465 MB
Process Virtual Memory 44.500 / 1024.000 MB
-----> InfiniiVision is running <-----
** self test: PASSED : DDR Mem Bus
** self test: PASSED : Acquisition Memory
** self test: PASSED : ADC
** self test: PASSED : MegaZoom SIPO
** self test: PASSED : TrigComp & Mux
** self test: PASSED : FirmwareStatus
Performing USER calibraion
######################## Channel 1 ########################
**** Baldwin Interpolator ****
fiPreDelay = 0x10
fiCalResult = 192
fiWide = 359
Final Cal Factor = 0x10
**** CAL PASSED **** Time: 1 seconds
**** Talon Calibrator ****
Calibrate AC Signal
Channel 1: Offset 0x20400 GainIndex 7 GainVern 0x1db0
Channel 2: Offset 0x20400 GainIndex 7 GainVern 0x1db0
Calibrate DC Signal
# Pts (out of 20): 20 B1 = 164635.035055 B0 = 127786.161411
# Pts (out of 20): 20 B1 = 163868.032391 B0 = 128081.489449
Testing...
Vin = -0.200000 AvgQLvl = 26.750000 VinActual = -0.197754
Vin = 0.000000 AvgQLvl = 129.250000 VinActual = 0.002441
Vin = 0.200000 AvgQLvl = 233.250000 VinActual = 0.205566
**** CAL PASSED **** Time: 2 seconds
**** Talon ****
**Talon Init Cal**
Slice Offset = 20
Slice offset correction successful
Using all slices for calibration
**Talon Dac Cal**
Gain Dac Iteration 1: Deltas 16 | Max 1 | Min -1
Gain Dac Iteration 2: Deltas 7 | Max 1 | Min -1
Gain Dac Iteration 3: Deltas 6 | Max 1 | Min -1
Offset Dac Iteration 1: Deltas 36 | Max 3 | Min -3
Offset Dac Iteration 2: Deltas 9 | Max 3 | Min -4
**Talon Pipeline Cal**
*** Talon pipeline cal ***
# pts not used = 0
Offset Adjustment = -39.444336
Gain Adjustment = 1.022831
**Talon4 Timing Cal**
Freq: 39.999870MHz
QMax 0xb3 QMin 0x4b
Min Per: 2.483829e-008 Max Per: 2.514962e-008
Harmonic Used: 1
MajorPass 1 | Deltas 26 | Max Dac 9 | Min Dac -10
MajorPass 2 | Deltas 11 | Max Dac 6 | Min Dac -10
MajorPass 3 | Deltas 5 | Max Dac 8 | Min Dac -11
MinorPass 1 | Deltas 141 | Max Dac 30 | Min Dac -31
MinorPass 2 | Deltas 60 | Max Dac 21 | Min Dac -24
MinorPass 3 | Deltas 122 | Max Dac 26 | Min Dac -30
**Talon Pipeline Cal**
*** Talon pipeline cal ***
# pts not used = 0
Offset Adjustment = -45.454102
Gain Adjustment = 1.044315
Using partial slices for calibration
**Talon Dac Cal**
Gain Dac Iteration 1: Deltas 0 | Max 1 | Min 0
Gain Dac Iteration 2: Deltas 0 | Max 1 | Min 0
Gain Dac Iteration 3: Deltas 0 | Max 1 | Min 0
Offset Dac Iteration 1: Deltas 0 | Max 2 | Min -3
Offset Dac Iteration 2: Deltas 0 | Max 2 | Min -3
**Talon Pipeline Cal**
*** Talon pipeline cal ***
# pts not used = 0
Offset Adjustment = -4.397644
**** CAL PASSED **** Time: 115 seconds
**** DC Gain ****
28400, 0.753064 : -31378.481203 , 52030.000000
28800, 0.740316 : -4547.605971 , 32166.666667
29200, 0.652358 : -4969.442724 , 32441.855204
29600, 0.571866 : -5522.297132 , 32758.013828
30000, 0.499432 : -6357.434687 , 33175.108538
30400, 0.436514 : -7452.056605 , 33652.926209
30800, 0.382837 : -8023.721221 , 33871.780822
31200, 0.332985 : -9882.986206 , 34490.888639
31600, 0.292512 : -10701.552664 , 34730.328867
32000, 0.255134 : -12305.286746 , 35139.495798
32400, 0.222628 : -14403.237274 , 35606.557377
32800, 0.194856 : -15468.265382 , 35814.084507
33200, 0.168997 : -19481.096977 , 36492.239468
33600, 0.148464 : -20968.913453 , 36713.126492
34000, 0.129388 : -24071.163663 , 37114.520548
34400, 0.112771 : -28250.722627 , 37585.852090
34800, 0.098612 : -30506.856725 , 37808.333333
35200, 0.085500 : -38034.522670 , 38451.948052
35600, 0.074983 : -42038.156636 , 38752.153110
36000, 0.065468 : -46733.908175 , 39059.574468
36400, 0.056909 : -61873.061527 , 39921.126761
36800, 0.050444 : -266241.658692, 50230.303030
37200, 0.048942 : 0.000000 , 0.000000
Reference range = 0.437V
Coarse gain ratio
0.1x = 0.359 (1.218V)
0.4x = 1.000 (0.437V)
0.8x = 2.831 (0.154V)
2.0x = 7.833 (0.056V)
Gain# MIN MAX %OL
0 0.006248 0.096136
1 0.017289 0.266023
2 0.048942 0.753064
3 0.136514 2.100536
4 0.282584 4.348108
5 0.781953 12.031897
6 2.213572 34.060181
7 6.174361 95.004743
ADC half speed gain ratio = 0.958 (0.456V)
**** CAL PASSED **** Time: 15 seconds
**** Offset Error ****
AC Coupling
Gain# 0 [29243 (0.006248V) - 37838 (0.080000V), 45pts]
Gain# 1 [29368 (0.080000V) - 32518 (0.216000V), 45pts]
Gain# 2 [29320 (0.216000V) - 32650 (0.624000V), 45pts]
Gain# 3 [29571 (0.624000V) - 32541 (1.600000V), 45pts]
Gain# 4 [29392 (1.600000V) - 31912 (3.520000V), 45pts]
Gain# 5 [29437 (3.520000V) - 32587 (9.600000V), 45pts]
Gain# 6 [29335 (9.600000V) - 32710 (28.000000V), 45pts]
Gain# 7 [29244 (28.000000V) - 32574 (80.500000V), 45pts]
DC Coupling
Gain# 0 [29243 (0.006248V) - 37838 (0.080000V), 45pts]
Gain# 4 [29392 (1.600000V) - 31912 (3.520000V), 45pts]
AC Coupling
Gain# 0 [29243 (0.006248V) - 37838 (0.080000V), 45pts]
Gain# 1 [29368 (0.080000V) - 32518 (0.216000V), 45pts]
Gain# 2 [29320 (0.216000V) - 32650 (0.624000V), 45pts]
Gain# 3 [29571 (0.624000V) - 32541 (1.600000V), 45pts]
Gain# 4 [29392 (1.600000V) - 31912 (3.520000V), 45pts]
Gain# 5 [29437 (3.520000V) - 32587 (9.600000V), 45pts]
Gain# 6 [29335 (9.600000V) - 32710 (28.000000V), 45pts]
Gain# 7 [29244 (28.000000V) - 32574 (80.500000V), 45pts]
DC Coupling
Gain# 0 [29243 (0.006248V) - 37838 (0.080000V), 45pts]
Gain# 4 [29392 (1.600000V) - 31912 (3.520000V), 45pts]
0 retry out of 920 offset searched
**** CAL PASSED **** Time: 21 seconds
**** Trigger Level ****
div -3, pos slope dac = 0x9481, neg slope dac = 0x93AD, avg = 37911.000
div -2, pos slope dac = 0x920F, neg slope dac = 0x913F, avg = 37287.000
div -1, pos slope dac = 0x8FA9, neg slope dac = 0x8ED1, avg = 36669.000
div 0, pos slope dac = 0x8D39, neg slope dac = 0x8C65, avg = 36047.000
div 1, pos slope dac = 0x8ACD, neg slope dac = 0x89F5, avg = 35425.000
div 2, pos slope dac = 0x885F, neg slope dac = 0x878B, avg = 34805.000
div 3, pos slope dac = 0x85EF, neg slope dac = 0x851B, avg = 34181.000
Trig 1 B1 = -621.357, B0 = 36046.429
div -3, pos slope dac = 0x9509, neg slope dac = 0x943F, avg = 38052.000
div -2, pos slope dac = 0x929D, neg slope dac = 0x91D5, avg = 37433.000
div -1, pos slope dac = 0x9033, neg slope dac = 0x8F6D, avg = 36816.000
div 0, pos slope dac = 0x8DCB, neg slope dac = 0x8CFF, avg = 36197.000
div 1, pos slope dac = 0x8B5D, neg slope dac = 0x8A99, avg = 35579.000
div 2, pos slope dac = 0x88F3, neg slope dac = 0x882D, avg = 34960.000
div 3, pos slope dac = 0x8687, neg slope dac = 0x85C3, avg = 34341.000
Trig 2 B1 = -618.429, B0 = 36196.857
div -3, pos slope dac = 0x9509, neg slope dac = 0x943D, avg = 38051.000
div -2, pos slope dac = 0x929D, neg slope dac = 0x91D7, avg = 37434.000
div -1, pos slope dac = 0x9035, neg slope dac = 0x8F6F, avg = 36818.000
div 0, pos slope dac = 0x8DC7, neg slope dac = 0x8CFF, avg = 36195.000
div 1, pos slope dac = 0x8B5D, neg slope dac = 0x8A95, avg = 35577.000
div 2, pos slope dac = 0x88EF, neg slope dac = 0x882D, avg = 34958.000
div 3, pos slope dac = 0x868B, neg slope dac = 0x85C3, avg = 34343.000
Trig 3 B1 = -618.464, B0 = 36196.571
Trig 1 - AC offset 56.571429
Trig 2 - AC offset 57.142857
Trig 1 - LF Rej offset 56.571429
Trig 2 - LF Rej offset 55.142857
Trig 1 - HF_Rej offset -0.428571
Trig 2 - HF_Rej offset 0.142857
Trig 1 - AC_HF_REJ offset 55.571429
Trig 2 - AC_HF_REJ offset 55.142857
**** CAL PASSED **** Time: 29 seconds
**** Trigger Hysteresis ****
Hyst dac = 12288, pos slope dac = 0x8D29, neg slope dac = 0x8C71, range = 184, div = 0.296 +
Hyst dac = 14336, pos slope dac = 0x8D49, neg slope dac = 0x8C53, range = 246, div = 0.396 +
Hyst dac = 16384, pos slope dac = 0x8D65, neg slope dac = 0x8C35, range = 304, div = 0.489 +
Hyst dac = 18432, pos slope dac = 0x8D85, neg slope dac = 0x8C17, range = 366, div = 0.589 +
Hyst dac = 20480, pos slope dac = 0x8DA3, neg slope dac = 0x8BF5, range = 430, div = 0.692 +
Hyst dac = 22528, pos slope dac = 0x8DC5, neg slope dac = 0x8BD5, range = 496, div = 0.798 +
Hyst dac = 24576, pos slope dac = 0x8DE3, neg slope dac = 0x8BB3, range = 560, div = 0.901 +
Hyst dac = 26624, pos slope dac = 0x8E05, neg slope dac = 0x8B91, range = 628, div = 1.011 +
Hyst dac = 28672, pos slope dac = 0x8E27, neg slope dac = 0x8B6F, range = 696, div = 1.120 +
Hyst dac = 30720, pos slope dac = 0x8E49, neg slope dac = 0x8B4B, range = 766, div = 1.233 +
Hyst dac = 32768, pos slope dac = 0x8E6D, neg slope dac = 0x8B29, range = 836, div = 1.345 +
Hyst dac = 34816, pos slope dac = 0x8E8F, neg slope dac = 0x8B05, range = 906, div = 1.458 +
Hyst dac = 36864, pos slope dac = 0x8EB5, neg slope dac = 0x8AE3, range = 978, div = 1.574 +
Trig Hyst B1 = 19194.518, B0 = 7001.237
**** CAL PASSED **** Time: 13 seconds
**** External Trigger Level ****
/1 Trig B1 = 5303.000, B0 = 35552.000
/5 Trig B1 = 1071.000, B0 = 35552.000
**** CAL FAILED ****
Recall \Secure\cal\FactoryCal2.dat - ok
Recall \Secure\cal\ServiceCal1.dat - ok
Recall \Secure\cal\UserCal8.dat - ok
Cal Date Wed Mar 22 09:18:21 2017
Update Cal Failed Header
Factory Cal Mode
Revision : 2
Cal Mode : Factory
Cal Satus : CAL_OK
Firmware Ver : 01.00.2016091301
Cal Temp : 29.250000 C
Cal Date : Thu Sep 29 13:36:40 2016
Cal Duration : 413s
Service Cal Mode
Revision : 1
Cal Mode : Service
Cal Satus : CAL_OK
Firmware Ver : 01.00.2016091301
Cal Temp : 24.500000 C
Cal Date : Thu Sep 29 13:48:43 2016
Cal Duration : 363s
User Cal Mode
Revision : 8
Cal Mode : User
Cal Satus : CAL_FAILED
Firmware Ver : 01.01.2016092800
Cal Temp : 17.250000 C
Cal Date : Wed Mar 22 20:32:43 2017
Cal Duration : 290s
**********************************
Calibration FAILED
Board: 0
Inst: CNXXXXXXXX
Date: Wed Mar 22 20:32:44 2017
Duration: 4.8 minutes
Inst Temp: 17.3 degrees C
**********************************
Before and after pictures to follow
-
I am about to populate the missing components on the EXT Trig input section to see if the self test error goes away.
Interesting hack TK :-+
I soldered all the components on the EXT trig input section. Self test passes, but still getting user calibration error. It advances a lot more, but it finally fails. The user calibration algorithm implemented for DSOX does not like the EDUX hardware.
I am closing the scope for now
remember you can get some selfcal diags from the serial port which may give some clues
Before and After pictures. I don't have the values for the capacitors in "After2". I used 1uF ceramic for decoupling and filtering 5V supply and 100nF for the other 2 caps.
-
I am about to populate the missing components on the EXT Trig input section to see if the self test error goes away.
Interesting hack TK :-+
I soldered all the components on the EXT trig input section. Self test passes, but still getting user calibration error. It advances a lot more, but it finally fails. The user calibration algorithm implemented for DSOX does not like the EDUX hardware.
I am closing the scope for now
remember you can get some selfcal diags from the serial port which may give some clues
Log from mikeselectricstuff's DSOX1102G
**** External Trigger Level ****
/1 Trig B1 = 5303.000, B0 = 35846.000
/5 Trig B1 = 1071.000, B0 = 35846.000
/1 Trig 2 B1 = 17283.000, B0 = 28351.000
/5 Trig 2 B1 = 3492.000, B0 = 28351.000
**** CAL PASSED **** Time: 2 seconds
Log from EDUX1002G with Product ID 22 (original)
**** External Trigger Level ****
/5 Trig B1 = 1071.000, B0 = 35562.000
**** CAL PASSED **** Time: 1 seconds
Log from EDUX1002G with Product ID 24 (hacked)
**** External Trigger Level ****
/1 Trig B1 = 5303.000, B0 = 35552.000
/5 Trig B1 = 1071.000, B0 = 35552.000
**** CAL FAILED ****
I noticed EDUX user calibration is not doing "Trig 2"
-
maybe trig 2 is with other range?
-
maybe trig 2 is with other range?
According the datasheet, EDUX model has only +/- 8V range, DSOX has additionally +/- 1.6V.
This is ratio 5.
"/1" or "/5" probably means 1.6V and 8V range respectively (More logical to be opposite, but log data shows only /5 for EDUX, which have 8V range only).
In the DSOX log, there are two lines for Trig2 which contain both ranges (/1 and /5), so Trig2 is not related to the second range.
B1 and B0 are gain/offset coefficients (but I have no idea, which one is the gain or the offset).
-
Dave, while watching your videos, i noted that the scope showed a date of October 2016... Does the scope need to have its clock set or was this as a result of the hacks..
-
maybe trig 2 is with other range?
According the datasheet, EDUX model has only +/- 8V range, DSOX has additionally +/- 1.6V.
This is ratio 5.
"/1" or "/5" probably means 1.6V and 8V range respectively (More logical to be opposite, but log data shows only /5 for EDUX, which have 8V range only).
In the DSOX log, there are two lines for Trig2 which contain both ranges (/1 and /5), so Trig2 is not related to the second range.
B1 and B0 are gain/offset coefficients (but I have no idea, which one is the gain or the offset).
I spotted one additional hardware difference between EDUX and DSOX regarding the External Input.
There are 2 resistors to the right of the LEFT CPU board socket. The DSOX has only the lower resistor populated with value 30.1 ohms (marking 47X) and the EDUX has only the upper resistor populated with a 0 ohm jumper (marking 000). When I switched the resistors to the correct DSOX configuration, I was able to get a very consistent digital trace for the External Input. The resistor seems to be related to the EXT_VIEW signal that comes from the Analog comparator on the EXT INPUT section. Before switching this resistor, the trace was fluctuating rapidly between logic 0 and 1 unless triggering from External Input. Now I see a nice digital trace when triggering on CH1 or CH2 and I can even use EXT INPUT to create an Analog Bus and get bus values in HEX (only 1-3 bit bus).
But still User Calibration FAILS... |O
-
That is some good progress TK, thanks for your effort, the calibration error messages stays the same.?
-
That is some good progress TK, thanks for your effort, the calibration error messages stays the same.?
Yes, it fails at the same point.
-
I wonder if the Keysight designers are following this and having a chuckle every now and then - or maybe wondering how much will be unveiled....?
-
Bear in mind that the EDU and DSO will have different factory cal procedures, so if you upgrade it, there may be factory cal data missing for "enhanced" hardware features.
-
maybe trig 2 is with other range?
According the datasheet, EDUX model has only +/- 8V range, DSOX has additionally +/- 1.6V.
This is ratio 5.
"/1" or "/5" probably means 1.6V and 8V range respectively (More logical to be opposite, but log data shows only /5 for EDUX, which have 8V range only).
In the DSOX log, there are two lines for Trig2 which contain both ranges (/1 and /5), so Trig2 is not related to the second range.
B1 and B0 are gain/offset coefficients (but I have no idea, which one is the gain or the offset).
I spotted one additional hardware difference between EDUX and DSOX regarding the External Input.
There are 2 resistors to the right of the LEFT CPU board socket. The DSOX has only the lower resistor populated with value 30.1 ohms (marking 47X) and the EDUX has only the upper resistor populated with a 0 ohm jumper (marking 000). When I switched the resistors to the correct DSOX configuration, I was able to get a very consistent digital trace for the External Input. The resistor seems to be related to the EXT_VIEW signal that comes from the Analog comparator on the EXT INPUT section. Before switching this resistor, the trace was fluctuating rapidly between logic 0 and 1 unless triggering from External Input. Now I see a nice digital trace when triggering on CH1 or CH2 and I can even use EXT INPUT to create an Analog Bus and get bus values in HEX (only 1-3 bit bus).
But still User Calibration FAILS... |O
There must be more hidden hardware switches around... When I switched these 2 resistors and went back to Product ID 22 (EDUX1002G) to reset the User Calibration status to PASS, the external switch is offering additional functions similar to DSOX without the dual range (1.6V and 8V), but now I can add EXTERNAL to the analog bus when before it was not possible or my EDUX is having double personality issues after switching from EDUX to DSOX and back so many times...
Can any EDUX user try if EXTERNAL INPUT can be added to the Analog Bus?
-
Can any EDUX user try if EXTERNAL INPUT can be added to the Analog Bus?
Yep. I select external as the trigger, then in the Bus menu I can choose Analog and select the EXT input fine. edit: that's "factory"; no hack in place whatsoever
-
I wonder if the Keysight designers are following this and having a chuckle every now and then - or maybe wondering how much will be unveiled....?
If it was my product being hacked here, I'd certainly be following with interest. It would be fun to be a fly on the wall at Keysight.
-
I wonder if the Keysight designers are following this and having a chuckle every now and then - or maybe wondering how much will be unveiled....?
Either they made it easy (basically just looking at the hardware and matching differences, as is attempted in this thread as far as I can see), and hence they don't really care, or they made it deceptively easy or hard (i.e. requiring deep software hacks as well), and they most certainly will have a chuckle now and then. :-DD
-
They could become heros and just publish the hack.
-
They could become heros and just publish the hack.
They could also give me the capacitor values needed to mod a 3000t scope to 1 GHz, but that seems unlikely.
-
They could become heros and just publish the hack.
They could also give me the capacitor values needed to mod a 3000t scope to 1 GHz, but that seems unlikely.
How are you going with that hack? This is somethign i'd love to do.
-
They could become heros and just publish the hack.
They could also give me the capacitor values needed to mod a 3000t scope to 1 GHz, but that seems unlikely.
How are you going with that hack? This is somethign i'd love to do.
Sadly it is at a stand still. Ran into a road block getting the needed capacitor values, we have everything else.
-
Are the smart tweezers any good? If someone could get them off a 1Ghz...
http://www.smarttweezers.ca/ (http://www.smarttweezers.ca/)
Sadly it is at a stand still. Ran into a road block getting the needed capacitor values, we have everything else.
-
Are the smart tweezers any good? If someone could get them off a 1Ghz...
http://www.smarttweezers.ca/ (http://www.smarttweezers.ca/)
Sadly it is at a stand still. Ran into a road block getting the needed capacitor values, we have everything else.
Those might give us accurate enough readings but the parts would still need to be removed to measure them - and that is the biggest challenge. We need to find someone who not only has a 1 GHz scope but has the skill and tools to remove, measure and reinstall the parts successfully.
-
How about measure the caps on the 500mhz variant, and cut them in half? t=RC
-
what part of the system are caps being used? I'm assuming that these are not for selection of 'personality'..
-
Anyone interested in the possible upgrade of the 3000T series to 1 GHz should look at this post here:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1147361/#msg1147361 (https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1147361/#msg1147361)
As you can see the parts that need to be changed are critical (balanced front end filter etc) and shouldn't be guessed.
We do know most of the values used in the 100/200 MHz model and the 350/500 MHz model - it may be possible to extrapolate possible values for the 1 GHz mod for most parts but the 1 GHz model has additional components and a different 50 ohm input path.
Anyway, further discussion should probably be moved over to the 2000/3000 hacking thread as it is totally different then the 1000x.
-
Does anyone have the download link for the 1000X series scope firmware?
-
Does anyone have the download link for the 1000X series scope firmware?
I don't think it exists, or is available (yet). I had a scour for it when I received my scope, and I've also looked back at Keysight's website just now, and there's only "purchase" links for the upgraded features like serial decode and 70->100 bandwidth upgrades. I am guessing we'd have to wait until there's some patch or update issued, but at the moment products are shipping with the first firmware release and until there's a new issue, nothing will be forthcoming?
-
Does anyone have the download link for the 1000X series scope firmware?
I don't think it exists, or is available (yet). I had a scour for it when I received my scope, and I've also looked back at Keysight's website just now, and there's only "purchase" links for the upgraded features like serial decode and 70->100 bandwidth upgrades. I am guessing we'd have to wait until there's some patch or update issued, but at the moment products are shipping with the first firmware release and until there's a new issue, nothing will be forthcoming?
How do you like your scope?
-
Yeah, it's OK, I'm happy with it. To be totally honest, I loved (and still have) my Picoscope USB scope but needed something with more bandwidth at a cost-effective price, and this ticked the boxes. The only thing that disappoints me is the lack of decode functions (i2c, CAN, etc) without spending more $$$, but I kept the Picoscope for that anyway.
I think anyone jumping out and buying one of these thinking they are going to hack their way to a higher-end scope, though, is going to be disappointed. As can be seen from the conversation here, it's not really as simple or effective as it has maybe been made out. Keysight achieved what they wanted though, got some sales out of it I bet! Maybe with time it'll open up some more.
It also annoyed me that the USB connectivity, touted as part of the product, is actually a pay-to-use feature and the software installation needed on your PC is very heavyweight and convoluted, as it's generic for all Keysight products. So my hope of logging out to a PC is dead in the water, and that bugs me as I had high hopes of using that feature.
Build quality, useability, features - they are all great. No issues there.
Overall, a thumbs up, great little scope.
-
Sales will definitely go up again if the decode options are "liberated". What would really steal sales from the DS1054Z in my opinion would be if Keysight decided to open up the API for writing third party decoder plugins. How easy or practical this would be given their software architecture, I have no idea.
-
Some interesting update. It looks like on 1000X the recipe.xml file was renamed install.xml (Thanks Daniel for posting the FRA patch). Regenerated the .ksx file using makecab on windows and I was able to install the infiniiVision.lnk file from USB (Using v241_link_install.cab hack method). The only problem is that it activates 200MHz but does not take any other option like the 2000X / 3000X. I tried -l DIS, -l ALL, -l EMBD, -l COMP, -l AUTO... and I cannot enable serial decode. I even removed -l BW10 and still get 200MHz activated (but I think it is limited by hardware to 70-100MHz... I have a modded EDUX1002G).
It adds an interesting Attenuation Compensation Test to the Service Menu (picture attached)
Note: I posted the same information on the DSOX2000 / DSOX3000 hack thread
-
More tests... Hardware self test fails, but it is not an issue because the hack can be uninstalled very easily using modified v421_link_uninstall.cab (for the 1000X) if you need to run this test.
NOTE: hardware self test fails because of the EDUX to DSOX hardware mod, not the software hack.
Edited 10/19/17: Self test passes on hacked EDUX with the 10K resistor soldered on the back of the PCB, as found by this post: https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg1327551/#msg1327551 (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg1327551/#msg1327551)
-
Thanks for posting the info, have you tried using a custom cab to dump the entire filesystem to a flash drive?
-
Thanks for posting the info, have you tried using a custom cab to dump the entire filesystem to a flash drive?
I tried copying some files from the internal flash to a USB drive... text files are OK to copy, but DLL files do not get copied to USB drive. Maybe they added some sort of protection to avoid this operation.
Does anyone know where the valid options for infiniiVisionLauncher.exe are stored?
-
What would really steal sales from the DS1054Z in my opinion would be if Keysight decided to open up the API for writing third party decoder plugins. How easy or practical this would be given their software architecture, I have no idea.
I agree this would be super-useful. It's something I have (and will continue to) pitch, but it's a tricky thing to do without giving away our secret sauce.
-
how about setting up a scripting languange? at the simplest, once you've set up logic levels you have state,timestep, time at each transition. User only writes the script
maybe slower than direct access but no need to give away secret sauce i think
Then to more complex stuff, like events (start/stop frame) and "higher level" decode: if i wanted to decode MIDI all i needed to do is to use UART decode but display the corresponding event in the table, along with the decoded byte
-
As the software hack at least released the 200MHz option (no serial decode liberated yet), I am going to do the MOD on the front end. Right now, I am only getting around 90MHz and it drops significantly at 100MHz and up. Need to remove one IC, remove some SMD resistors and caps, swap some resistor values and replace the LMH6550 for LMH6552.
Just as an exercise, I might do all the mod except for replacing the differential amplifier and see if the chip specification really matters.
EDITED: when running with the hacked software, it looses all the installed options. And if you try to install a new license, it fails complaining about the date being wrong.
-
Thanks for posting the info, have you tried using a custom cab to dump the entire filesystem to a flash drive?
I tried the copy again, this time killing the scope application first... same result. It does not allow copying the DLLs. I was able to copy TXT files and some EXE as well.
-
I agree this would be super-useful. It's something I have (and will continue to) pitch, but it's a tricky thing to do without giving away our secret sauce.
You could expose some well defined .NET API (you are using .NET framework on the WinCE equipment, right?), so people can write dll plugins in, let's say C#. Some sandboxing would be needed to prevent people from bricking the scope with bad code.
I don't know how much sense it makes in Keysight's case, as a lot of hard work is done in the ASIC and I guess the scope design is oriented this way. If you need some inspiration check LeCroy's XDEV option that allows implementing custom measurements, waveform processing and even UI elements with various tools: http://cdn.teledynelecroy.com/files/pdf/xdev_datasheet.pdf (http://cdn.teledynelecroy.com/files/pdf/xdev_datasheet.pdf)
But yeah, in LeCroy's case the scope is designed with PC and CPU processing in mind, so such feature is almost for free.
-
What would really steal sales from the DS1054Z in my opinion would be if Keysight decided to open up the API for writing third party decoder plugins. How easy or practical this would be given their software architecture, I have no idea.
I agree this would be super-useful. It's something I have (and will continue to) pitch, but it's a tricky thing to do without giving away our secret sauce.
But the decoders are built into the Megazoom IV ASIC. Does the scope do any sort of decoding in application software?
-
There's also an FPGA.I wouldn't expect decode functionality to be nailed into an ASIC,except maybe display support.
They wouldn't want to exclude the possibilty of adding new decodes in future.
-
You are right, Mike. According to Keysight's application engineers:
I agree the DSOX1000 has enough channels to capture the SPI Clock, MOSI, and MISO. However the FPGA that performs the decode within the scope has only one decoder path. A big benefit of using the FPGA to perform hardware-based decode is that it can decode in real time, capturing rare events as they happen. With this hardware limitation it means that the number of decoded buses cannot be easily expanded in the scope. The scope supports decode of only 1 bus at a time. MOSI and MISO would have to be treated as two separate buses.
which I can totally understand. However, in that case, shouldn't UART's TX/ RX data line be affected as well? Well not really because obviously TX/RX can be decoded at the same time. And the answer to that is:
My description was an over simplification. The oscilloscope can decode both directions of UART, both TX and RX, at the same time. With the UART protocol there are no other signal qualifiers so it requires fewer resources. Decode can be performed with only TX and RX signals. The minimum for SPI is the Clock and either MOSI or MISO, with CS being optional.
:blah:
which makes me doubt about the only one decoder path thing. I understand SPI involves additionnal signals but those does not need decoding, only triggering!
-
It's probably about total FPGA resorces, assuming it isn't loading a protocol-specific bitstream. If it was, then I wouldn't expect there to be a limitation unless it's extremely full. SPI has stuff like an edge counter, which may account for it using more resources than uart.
ISTR the1000 uses a smaller FPGA than the 3000, not sure about the 2000
-
Again, according to Keysight's application engineers
I hope you’ll consider the Keysight DSOX2004A 70MHz oscilloscope or DSOX2014A 100MHz oscilloscope. These 4-channel oscilloscopes have twice the FPGA resources so they can decode the full 4-wire SPI, both the MISO and MOSI, at the same time.
So, it seems that the 4-wire SPI decoding is not even available on a two channel 2000x. I've seen the Dave's 2000x 4-channel teardown but not a 2-channel, so I cannot tell about that. :-//
Besides, it looks like the 2000x product webpage / datasheet is still very unclear about what is supported on what model, regarding the SPI decoding capacities of the scopes, as Mike already mentionned in one of his videos on the 1000x series (from post https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg913919/#msg913919 (https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg913919/#msg913919)). As a plus, it seems that Daniel had followed that thread. Still, one year later, nothing changed? :--
-
Well, at least keep this on topic rather than "my scope's better than yours".
-
Thread being locked as this has become a slanging match between scope manufacturers!
-
Thread unlocked after what I hope is a clean up. Please stop hitting each other over the head with your favourite scope brand or I'll just start banning, this thread is about the technical detail of one scope not how it compares to anything else.
-
It's probably about total FPGA resorces, assuming it isn't loading a protocol-specific bitstream. If it was, then I wouldn't expect there to be a limitation unless it's extremely full. SPI has stuff like an edge counter, which may account for it using more resources than uart.
ISTR the1000 uses a smaller FPGA than the 3000, not sure about the 2000
AFAIK Keysight does decoding in the megazoom Asic and the 2000 doesn't have enough of these to do both decoding and digital channels. I think it was Daniel from Keysight who has explained this.
-
EDUX front end mod to DSOX partial results.
I did the following mod to see if I can get 200MHz modding the front end on the EDUX to mimic the DSOX front end.
I worked on CH2 and the result is partial because I was not able to replace the LMH6550 to LMH6552 because it requires a package change from VSSOP to WSON. The PCB has the footprint for both package types.
First picture shows the table of Vpp, Vmax and VRMS measurements of the different stages of the mod compared to the micsig TO1104 (just as validation of values).
The EDUX with just the resistor swap to make it think it is a DSOX: you get 70MHz, as is indicated on the utility/service/about this scope screen.
The EDUX with the resistor swap + the software hack (infiniiVisionLauncher.exe from /Secure): you get 120MHz, but utility/service/about this scope screen shows 200MHz.
The EDUX with the resistor swap + the software hack + the partial front end mod: you get less than 50MHz, as the front end mod removes the additional OPAMP that was added to the EDUX in the front end, and as it does not have the LMH6552 yet, it cannot get to 200MHz.
Second picture shows the hardware mod of the front end. The hardware mod is partial because I am waiting for the solder paste to arrive to be able to solder the WSON Package
Third picture is the original DSOX (From Dave's Teardown)
-
There's also an FPGA.I wouldn't expect decode functionality to be nailed into an ASIC,except maybe display support.
They wouldn't want to exclude the possibilty of adding new decodes in future.
It's built into the ASIC:
(http://www.triotest.com.au/shop/images/2015-01-08_1030.png)
-
There's also an FPGA.I wouldn't expect decode functionality to be nailed into an ASIC,except maybe display support.
They wouldn't want to exclude the possibilty of adding new decodes in future.
It's built into the ASIC:
Excellent.
Just because I questioned a members view on this and he took exception we got this:
Thread being locked as this has become a slanging match between scope manufacturers!
:-//
-
^^^ That post should have stopped at the word "Excellent" ^^^
-
EDUX front end mod to DSOX partial results.
<snip>
Looking forward to further results on this!
-
With the actual hack/ mod knowledge, what can I expect from a Keysight Edux 1000X hacked/moded
How a 30 Mhz SPI signal with regular probes appear on the Edux screen
Here a reference for the same signal on Rigol 1054Z hacked with regular probes ( not spring ) based on ESP32 generating a counting SPI
(https://electronicmaker.files.wordpress.com/2017/03/ds1z_quickprint12.png)
-
Second picture shows the hardware mod of the front end. The hardware mod is partial because I am waiting for the solder paste to arrive to be able to solder the WSON Package
You don't need solder paste for that ;)
Flux and tin the pads with a soldering iron (and optionally wick off the excess), do the same on the LMH6552, dab a bit more flux on the board, and hot-air it into place.
-
With the actual hack/ mod knowledge, what can I expect from a Keysight Edux 1000X hacked/moded
How a 30 Mhz SPI signal with regular probes appear on the Edux screen
Here a reference for the same signal on Rigol 1054Z hacked with regular probes ( not spring ) based on ESP32 generating a counting SPI
There isn't anything special about that picture and I'm very sure the 100MHz version of the 1000X will show exactly the same. BTW I could post a picture from a 125MHz SPI bus with decoding from another Asian scope but this isn't the right thread to do that.
-
With the actual hack/ mod knowledge, what can I expect from a Keysight Edux 1000X hacked/moded
How a 30 Mhz SPI signal with regular probes appear on the Edux screen
Here a reference for the same signal on Rigol 1054Z hacked with regular probes ( not spring ) based on ESP32 generating a counting SPI
(https://electronicmaker.files.wordpress.com/2017/03/ds1z_quickprint12.png)
I am getting the ESP32 board to replicate your experiment on various scopes I have, including the EDUX1002G modded to DSOX + software hack to 200MHz and front end mod to match the actual DSOX. I will post the results next week.
-
Second picture shows the hardware mod of the front end. The hardware mod is partial because I am waiting for the solder paste to arrive to be able to solder the WSON Package
You don't need solder paste for that ;)
Flux and tin the pads with a soldering iron (and optionally wick off the excess), do the same on the LMH6552, dab a bit more flux on the board, and hot-air it into place.
I tried with a flux pen (liquid that evaporates very quickly) and it didn't work well. I did not have a lot of time to do it, so I can repeat today. I ordered flux paste as I expect it to work better than the liquid flux pen for this type of application.
Thanks for the suggestion.
-
Without flux, in a pinch, you can even try that with rosin-cored solder :) The flux is just to help the solder flow onto / wet the pads.
Where there's a will, there's a way...
Second picture shows the hardware mod of the front end. The hardware mod is partial because I am waiting for the solder paste to arrive to be able to solder the WSON Package
You don't need solder paste for that ;)
Flux and tin the pads with a soldering iron (and optionally wick off the excess), do the same on the LMH6552, dab a bit more flux on the board, and hot-air it into place.
I tried with a flux pen (liquid that evaporates very quickly) and it didn't work well. I did not have a lot of time to do it, so I can repeat today. I ordered flux paste as I expect it to work better than the liquid flux pen for this type of application.
Thanks for the suggestion.
-
There's also an FPGA.I wouldn't expect decode functionality to be nailed into an ASIC,except maybe display support.
They wouldn't want to exclude the possibilty of adding new decodes in future.
It's built into the ASIC:
(http://www.triotest.com.au/shop/images/2015-01-08_1030.png)
Yes,but I can't imagine they'd have committed to an ASIC with no way to add new protocols. For example the latest 3000T firmware has added a manchester/biphase decode, seem unlikely that was just sitting in there all these years just waiting to be turned on.
At the very least I'd expect it's some sort of very configurable decoding engine, but for maximum flexibilty I'd imagine there would be some way to have it helped by software and/or FPGA
-
At the very least I'd expect it's some sort of very configurable decoding engine, but for maximum flexibilty I'd imagine there would be some way to have it helped by software and/or FPGA
Yes it could be a very configurable decode block(s), but I'm told the actual decoding is all done within the ASIC, no outside help. Stuff like the event table might be shunted off to the GUI processor though.
-
There's also an FPGA.I wouldn't expect decode functionality to be nailed into an ASIC,except maybe display support.
They wouldn't want to exclude the possibilty of adding new decodes in future.
It's built into the ASIC:
(http://www.triotest.com.au/shop/images/2015-01-08_1030.png)
Yes,but I can't imagine they'd have committed to an ASIC with no way to add new protocols. For example the latest 3000T firmware has added a manchester/biphase decode, seem unlikely that was just sitting in there all these years just waiting to be turned on.
At the very least I'd expect it's some sort of very configurable decoding engine, but for maximum flexibilty I'd imagine there would be some way to have it helped by software and/or FPGA
Maybe it is more a SoC than 100% fixed logic ASIC and has some configurability like an FPGA
-
Without flux, in a pinch, you can even try that with rosin-cored solder :) The flux is just to help the solder flow onto / wet the pads.
Where there's a will, there's a way...
Second picture shows the hardware mod of the front end. The hardware mod is partial because I am waiting for the solder paste to arrive to be able to solder the WSON Package
You don't need solder paste for that ;)
Flux and tin the pads with a soldering iron (and optionally wick off the excess), do the same on the LMH6552, dab a bit more flux on the board, and hot-air it into place.
I tried with a flux pen (liquid that evaporates very quickly) and it didn't work well. I did not have a lot of time to do it, so I can repeat today. I ordered flux paste as I expect it to work better than the liquid flux pen for this type of application.
Thanks for the suggestion.
Well, I managed to solder the LMH6552. The result is amusing me... CH1 is unmodified, CH2 has been matched to the DSOX including the LMH6552. I put the same signal on both CH1 and CH2 and what I notice is that CH1 starts attenuating the signal starting around 25MHz, but around 100MHz it recovers the original level. CH2 does not attenuate the signal all the way up to 100MHz. Then after 100MHz, both CH1 (unmodded) and CH2 (modded) attenuates at the same level until 125MHz and up... the scope can measure frequency (COUNTER) up to 200MHz or more with signal considerably attenuated.
So I think the extra opamp on the EDUX front end is acting like an inverse bandpass filter (attenuates from around 25MHz to 100MHz), I don't know the reason.
But anyway, with CH2 matched to the DSOX, I cannot get near 220MHz as Dave in the original DSOX...
-
Are you testing bandwidth with a good 50 ohm pass-through terminator?
-
Are you testing bandwidth with a good 50 ohm pass-through terminator?
I am using 50 ohm cables with BNC and BNC T connector and 50 ohm terminator. I don't have a 50 ohm pass-through
-
Hopefully that is good enough to get accurate measurements, without good termination the levels can easily show double the true value.
So with the DSOX modified channel and using your hack to enable 200 MHz of bandwidth the bandwidth still remains around 100 MHz?
-
Hopefully that is good enough to get accurate measurements, without good termination the levels can easily show double the true value.
So with the DSOX modified channel and using your hack to enable 200 MHz of bandwidth the bandwidth still remains around 100 MHz?
Yes, still remains around 100MHz. Better the modified channel than the original, but just by a little. I am using scope mode 24 (DSOX1102G), I have not tried the other modes where Dave and Mike got 200MHz. I was hopping the hacked software, that shows 200MHz in about screen, would enable it, but I think it is still controlled by the scope mode that can be changed using the 4 resistors.
-
Are you testing bandwidth with a good 50 ohm pass-through terminator?
I am using 50 ohm cables with BNC and BNC T connector and 50 ohm terminator. I don't have a 50 ohm pass-through
What point are your measuring ?
-
Are you testing bandwidth with a good 50 ohm pass-through terminator?
I am using 50 ohm cables with BNC and BNC T connector and 50 ohm terminator. I don't have a 50 ohm pass-through
What point are your measuring ?
Do you mean frequencies?
-
There might be a 100 MHz mode set by jumper that will allow the bandwidth to be upgraded to 200 MHz by the firmware. In the 2000/3000 the hardware bandwidth jumper has a higher priority then the software license.
-
There might be a 100 MHz mode set by jumper that will allow the bandwidth to be upgraded to 200 MHz by the firmware. In the 2000/3000 the hardware bandwidth jumper has a higher priority then the software license.
I think scope mode 24 is 70MHz HW setting. Dave's scope has this mode by default + BW10 software enabled option. I will try the other modes by switching the resistor values tomorrow.
Thanks
-
The default mode from Dave's scope is likely the best combo to try. If they planned for the future they could just sell a 200 MHz license.
-
Are you testing bandwidth with a good 50 ohm pass-through terminator?
I am using 50 ohm cables with BNC and BNC T connector and 50 ohm terminator. I don't have a 50 ohm pass-through
What point are your measuring ?
Do you mean frequencies?
Where do you connect your scope probe ? I read a few pages back and could not see what test point in the circuit you are measuring.
EDIT: I assumed you are using an external oscilloscope , but perhaps your simply reading the voltage from the screen of this DUT scope ?
-
You have to measure/compare these components, this is a low pass filter. Bets are the component values are different in EDU model.
-
Are you testing bandwidth with a good 50 ohm pass-through terminator?
I am using 50 ohm cables with BNC and BNC T connector and 50 ohm terminator. I don't have a 50 ohm pass-through
What point are your measuring ?
Do you mean frequencies?
Where do you connect your scope probe ? I read a few pages back and could not see what test point in the circuit you are measuring.
EDIT: I assumed you are using an external oscilloscope , but perhaps your simply reading the voltage from the screen of this DUT scope ?
I only have 100MHz scopes, so I was using the measurement tool in the EDUX itself.
-
You have to measure/compare these components, this is a low pass filter. Bets are the component values are different in EDU model.
I don't have a DSOX to compare the values of these components. What I can do is to bypass it... what can happen if high frequency noise is injected into the ADC? I will remove them and measure the values.
-
Nothing is going to blow up. Perhaps you will see some waveform distortions , but the bandwidth will still be limited by the rest of the frontend circuit. Should give you a qualitative indication if this filter is what is choking your scope at 100MHz.
-
I don't have a DSOX to compare the values of these components.
I'd think there should be plenty of people here that have one including the forum owner. Try asking. Worst case it can be modeled and new values found. Could be just the caps.
-
I tried scope mode 03 reported by Mike to get 200MHz with some triggering issues when serial decode is active. I don't get 200MHz, I am stuck at the same level, so it is being filtered by HW in the frontend.
Does the schematics (picture 1) I draw make any sense? I tested 150MHz and 200MHz signal on both channels (modded and unmodded) right outside the positive output of the differential opamp and measured with the micsig TO1104.
Picture 2: 150MHz modded
Picture 3: 150MHz unmodded
Picture 4: 200MHz modded
Picture 5: 200MHz unmodded
-
Does the schematics (picture 1) I draw make any sense?
Not quite, connection to the ADC is on the right side of the inductors.
EDIT: how much signal do you apply to the input ?
-
Does the schematics (picture 1) I draw make any sense?
Not quite, connection to the ADC is on the right side of the inductors.
EDIT: how much signal do you apply to the input ?
I will check the schematics again. I am applying 630mVpp. The pictures are just to compare the modded vs unmodded channels, I don't have any scope that can do more than 100MHz, so the voltage I am measuring is not accurate.
-
I'd measure the values in the front end and simulate using LTSpice. That should show where things go wrong. I gues a capacitor to ground has a different value.
-
I'd say go ahead with measuring the filter component values, i'd be surprised if it is of any higher bandwidth than 100Mhz.
-
At the very least I'd expect it's some sort of very configurable decoding engine, but for maximum flexibilty I'd imagine there would be some way to have it helped by software and/or FPGA
Yes it could be a very configurable decode block(s), but I'm told the actual decoding is all done within the ASIC, no outside help. Stuff like the event table might be shunted off to the GUI processor though.
Yes, we have configurable decoder blocks built in and some standard set-logic decoders. The event table is an ASIC thing, too.
-
I may have solved the EDUX ADC buffer amplifier topology riddle.
As we know, EDUX has an additional amplifier stage (Intersil EL5166) in front of the ADC differential buffer amplifier. Looking at the resistor values, voltage gain can be calculated for each scope model and each gain stage. The following simplified schematic shows the topology and gain figures for each scope model. It can be seen the overall gain for each scope model is the same, Av=8.46.
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=323793;image)
So why in EDUX model the second stage has gain of only 2 , whereas in DSOX it is 8.46 ? Well, I am glad you asked. Assuming the second gain stage IC in EDUX is LMH6550 (vs LMH6552 in DSOX 1000X), which is a 90MHz bandwidth amplifier, we check the datasheet (we are not rigol employees, so we always check datasheets) and find a gain/bandwidth chart that shows most of the bandwidth is utilized with Gain=2.
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=323795;image)
Now, in order to maintain the ADC input level, we need to boost the signal to the same level as in DSOX. Additional gain that is required for that is 8.46/2=4.23. So there has to be a pre-amp and that is what the EL5166 must be doing in EDUX. Looking at its voltage gain figure - you guessed it - it is 4.23.
So the combilned gain in the dual stage EDUX buffer amplifier is exactly the same as in DSOX single stage one. The DSOX just achieves it with a single LMH6552 wideband amplifier. In EDUX the lower bandwidth amplifier ICs are used to help limit the bandwidth. Looking at the EL5166 datasheet (we are not rigol employees, we always check datasheets) it can be seen the bandwidth pretty much mirrors LMH6552 bandwidth when the latter is set to gain=2. Both start rolling off after 50MHz.
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=323797;image)
So there you go. The buffer amplifier in EDUX is a limited bandwidth component and certainly has to be replaced with that of DSOX as user TK has done in order to extend the front end bandwidth in addition to straping and software options. Also, the bandpass filter at the output of the buffer amplifier must be measured and adjusted as required to support the extended front end bandwidth.
Weird - comparing Digikey pricing, looks like they're spending more on the 50MHz front-end than the 200MHz one!
A quick pricing check at Digikey showed that price of EDUX's 2-stage EL5166+LMH6550 and DSOX single LMH6552 is pretty much the same. So no, does not seem they are spending more on the EDUX front-end.
-
Thank you Bud.
More tests results: CH1 (yellow) is unmodded, CH2 (green) is modded, now with bypassed low pass filter outside LMH6552.
Tested 1MHz, 50MHz, 100MHz, 200MHz and 250MHz. Then 1MHz -40dBm signal using 2mV/div setting on the scope.
I think the delay between CH1 and CH2 is because of the elimination of the extra opamp before the differential path.
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=323960;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=323962;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=323964;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=323972;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=323974;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=323976;image)
I was not able to measure the values of the caps and inductors... I don't have the appropriate instrument.
-
So this is the best result so far, isn't it. After removing the LPF you are getting what, maybe 170MHZ 3dB bandwidth or something. Can you find someone to help you measure the LPF components?
Also try 200MHz 16mV p-p at 2mV/ to exlude the attenuator from the path, to see if some of the roll-off is because of the attenuator.
Looks this puppy may be a great buy, providing everything else works with this hack.
-
So this is the best result so far, isn't it. After removing the LPF you are getting what, maybe 170MHZ 3dB bandwidth or something. Can you find someone to help you measure the LPF components?
Also try 200MHz 16mV p-p at 2mV/ to exlude the attenuator from the path, to see if some of the roll-off is because of the attenuator.
Looks this puppy may be a great buy, providing everything else works with this hack.
I need to find the values and make the substitution, CH2 is noisy without the LPF, but the hack looks promising
-
The DSOX3000 200MHz scope has C1,C2 = 4.7pF and L2,L3 = 47nH in the LPF outside the differential opamp. If I use the same values in my 1000X, I should get a LPF with cutoff frequency above 200MHz, right?
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg987126/#msg987126 (https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg987126/#msg987126)
Ordered the parts from mouser... next week I will post the results.
-
I am not sure if the inductors in the 200 MHz version of the scope are really 47 nH, they might be 30 nH.
-
What can happen if I use the values of the 500MHz frontend LPF?
Ordered more parts from mouser to try, I will also test 30nH
-
I'll do my best to measure one of the inductors from a 200 MHz front end tomorrow. I have the gear but need to build a jig to connect the 0603 sized part to my VNA.
I doubt you'll get to 500 MHz with the 1000 - aiming for 200 MHz is a good target.
So nobody with a stock DSOX1102 has wanted to try enabling the 200 MHz license to see what happens?
-
I am not sure if the inductors in the 200 MHz version of the scope are really 47 nH, they might be 30 nH.
30nH seems to be too small, a sim shows the filter 3dB BW almost at 400MHz. 47nH looks OK.
-
I doubt you'll get to 500 MHz with the 1000 - aiming for 200 MHz is a good target.
It already rolls off too much at 200, perhaps being limited by what is in front of the buffer amplifier, or by non optimal PCB tracks layout for that frequency range.
Even with 200 it looks a good value for the money.
-
Sorry for the confusion, I just wanted to ask what the side effects could be by using the LPF components of the 500MHz front end, as they are the only known and confirmed values.
-
A noisier trace, because of the wider noise bandwidth.
-
Just wanted to confirm the 200 MHz low pass filter in the DSOX3000 series of scopes uses a 47nH inductor. I tried like heck to get a better focus on the jig itself without success. It is an SMA jack with a tiny pogo pin that will hold 0603 sized parts.
edit - added the capacitor as well which does appear to be 4.7 pF.
-
Just wanted to confirm the 200 MHz low pass filter in the DSOX3000 series of scopes uses a 47nH inductor. I tried like heck to get a better focus on the jig itself without success. It is an SMA jack with a tiny pogo pin that will hold 0603 sized parts.
edit - added the capacitor as well which does appear to be 4.7 pF.
Thank you for measuring the components. Nice fixture for the Network Analyzer!!!
-
I've been working with TK on the software unlocks side of things, and it looks like the 1000x series is in the same spot as the 3000T. However, we don't yet have an unlocked infiniivisionlauncher.exe (maybe in the first firmware update?) to look through. I'm going to investigate the new 3000T one and see what differences we can find there. We've been proceeding carefully because without a Lan port unbricking the scope looks to be difficult to impossible. Additionally, we can't fake the installed licenses on the scope without finding the key and algorithm used to generate the signatures, each stored license is signed.
I can't test the 200Mhz performance from the software unlock we have currently on my DSOX, so if someone with a 100Mhz DSOX and the ability to test the 200Mhz performance wants to try it out and help us see what the hardware limitations are on the DSOX line please PM me.
-
I tested rise time on the unmodded (CH1 yellow) and modded (CH2 green no LPF after differential opamp) channels. Signal is eMMC clock signal from BeagleBone Green board.
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=324710;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=324712;image)
As a comparison, I only get 6.5ns rise time on the micsic TO1104 (1GSa/s 4 channel table scope). Actually, to be fair to the micsig, I would like to comment that the EDUX I have has the personality set to DSOX and it has the software hack that enabled 200MHz. I am using the same 200MHz probes on both tests.
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=324720;image)
-
So with some raspberry pi jankiness I can generate a 200Mhz signalTM. This is really the limit of what you can get out of the GPIO pins on a raspberry pi, so things are a lot wonky...
However, if we only look at the voltage measurements on my DSOX1102G - 200Hz signal gives us 4.5 volts.
Things get really wonky at high frequencies - the raspberry pi really doesn't like generating this signal... But, we can see some interesting voltages:
Stock Firmware: 2.38V -- That's a loss of ~5.5dB
Unlocked Firmware: 3.43V -- That's a loss of ~2.4dB
So it looks like the DSOX line can natively do over 200Mhz with only software tweaks - no hardware mods needed... We just need to figure out unlocking 200Mhz while retaining access to licenses - modded software removes all licensed options and can't install any new ones (reverting to stock software re-enables these). Additionally - the modded software removes the limits on the wave gen (Can set crazy values like 200Mhz pulse) - but doesn't actually output any signal :(
-
Hardware mod for CH2 is done. 200MHz using the software hack infiniivisionLauncher.exe from Secure. It can get comfortably up to 200MHz and 215MHz is kind of the absolute max regarding frequency measurement.
I got an MSOX2004A the other day and I compared the modded EDUX to the MSOX2004A (software hacked to 200MHz). The MSOX2004A can get up to around 350MHz.
In the pictures CH1 (yellow) is the unmodded channel, CH2 (green) is the modded channel.
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=326419;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=326421;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=326423;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=326425;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=326427;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=326429;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=326431;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=326433;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=326435;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=326437;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=326439;image)
-
Hardware mod for CH2 is done. 200MHz using the software hack infiniivisionLauncher.exe from Secure. It can get comfortably up to 200MHz and 215MHz is kind of the absolute max regarding frequency measurement.
I got an MSOX2004A the other day and I compared the modded EDUX to the MSOX2004A (software hacked to 200MHz). The MSOX2004A can get up to around 350MHz.
What is is most important is the -3 dB point or the scopes rise time. The MSOX2004A should have a -3 dB point around 230 MHz.
Can you measure that on both? Feed in 1 Vpp with a 50 ohm termination and increase the frequency until you you get to .707 Vpp. The amplitude should also remain quite flat as the frequency is increased with no sudden peaks or drops.
edit - I should add that I believe it may be possible to get the MSOX2004A up to 500 MHz bw with some part swaps, this isn't confirmed though.
-
200MHz using the software hack infiniivisionLauncher.exe from Secure.
While you are fresh at it, can you post a link to the software hack procedure ?
-
Yes, BenchVue with EDUX works great. Test Flow will allow you to program, for example, sweep (https://community.keysight.com/thread/25100). You need a license or 30-day trial.
-
200MHz using the software hack infiniivisionLauncher.exe from Secure.
While you are fresh at it, can you post a link to the software hack procedure ?
I detailed the procedure here: https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg1224021/#msg1224021 (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg1224021/#msg1224021)
This is the makecab configuration file I used:
.OPTION EXPLICIT
; CabinetNameTemplate is the name of the output CAB file:
.Set CabinetNameTemplate=1000X.link.install.ksx
.Set DiskDirectory1=.
.Set CompressionType=MSZIP
.Set Cabinet=on
.Set Compress=on
.Set CabinetFileCountThreshold=0
.Set FolderFileCountThreshold=0
.Set FolderSizeThreshold=0
.Set MaxCabinetSize=0
.Set MaxDiskFileCount=0
.Set MaxDiskSize=0
1000X.link.install\infiniiVisionSetup.cab
1000X.link.install\install.xml
I started with the V421_link_install method, renaming and modifying recipe.xml to install.xml
The infiniivision.lnk file content I used:
62#\Secure\infiniiVision\infiniivisionLauncher.exe -l DIS -l BW10
But it is not taking the options. Even with BW10 it activates 200MHz but no other software option and you lose the official licenses while you are in hacked mode.
-
Why 62 # and not 63 #?
LEN("#\Secure\infiniiVision\infiniivisionLauncher.exe -l DIS -l BW10") = 63
Opinions counting # differ... :(
Thanks
-
You must count the characters AFTER #
-
Additionally - the modded software removes the limits on the wave gen (Can set crazy values like 200Mhz pulse) - but doesn't actually output any signal :(
It's not unreasonable to get extra capabilities out of the WaveGen, we limit it now to match specs. But, you theoretically could get a "souped-up" WaveGen that has questionable specs. For example, it's probably trying to do the pulse you described but can't get there. But, you could likely push it beyond current as-shipped limits.
-
That sounds like classic HP gear. You can push them beyond the specified limits, but there's no guarantee they'll deliver the stated accuracy when doing so.
-
But, you theoretically could get a "souped-up" WaveGen that has questionable specs.
This is an example of why I get a little hesitant about any field hacks.
I know the effort here is to try them out and characterize the result, but I always get a niggle in the back of my head that something unexpected will surface at a most inopportune time - and that it might not be obvious if it does.
Kudos to those making the effort, though. It is really interesting and very educational about contemporary circuit design of such equipment.
-
Maybe not directly related to the topic of this thread, but at least scope hacking related: Has anyone ever tried or investigated what it takes to get Linux working on this or any other Keysight scope? I couldn't find anything yet. The ARM chip should run linux no problem, of course there aren't any drivers for the ASIC etc. The usefulness could be questioned for sure, but at least it could be a fun project for us Linux fanboys.
-
Hardware mod for CH2 is done. 200MHz using the software hack infiniivisionLauncher.exe from Secure. It can get comfortably up to 200MHz and 215MHz is kind of the absolute max regarding frequency measurement.
I got an MSOX2004A the other day and I compared the modded EDUX to the MSOX2004A (software hacked to 200MHz). The MSOX2004A can get up to around 350MHz.
What is is most important is the -3 dB point or the scopes rise time. The MSOX2004A should have a -3 dB point around 230 MHz.
Can you measure that on both? Feed in 1 Vpp with a 50 ohm termination and increase the frequency until you you get to .707 Vpp. The amplitude should also remain quite flat as the frequency is increased with no sudden peaks or drops.
edit - I should add that I believe it may be possible to get the MSOX2004A up to 500 MHz bw with some part swaps, this isn't confirmed though.
The EDUX with the DSOX1102G mods + software hack has the -3 dB point @ 220MHz. It is not flat, after 100MHz amplitude increases slightly and the goes down slowly up to -3dB point
-
Im too much lazy to follow the entire post about this ,however my question is :
If i will hack my own x1000 scope ,then after this operation, the calibration would be alive in my scope or i will be obligated to re-calibrate it again ?
-
Im too much lazy to follow the entire post about this ,however my question is :
If i will hack my own x1000 scope ,then after this operation, the calibration would be alive in my scope or i will be obligated to re-calibrate it again ?
Factory or last user calibration will be OK. But if for any of the reasons recommended by Keysight you need to perform self test or user calibration, you need to set the scope to EDUX mode (revert the 2 SMD resistors back to original values as shipped from Factory), then calibrate and reinstall the DSOX hack
-
Hi,
Is any difference in ADC's used in 1000 X series? In datasheet EDUX have 1GSPS and DSOX have 2Gsps. I don't found any information about used ADC IC.
-
EDUX and DSOX use the same ADC. The EDUX hacked to DOSX can do 2GSa/s. The front end is slightly different (70MHz limitation on the EDUX, +200MHz on the DSOX)
-
What is the name of the 8 pin square chip in center right? Can be a band limiting amplifier.
The 8 pin square chip is HMC626ALP5E 0.5 dB LSB GaAs MMIC 6-BIT DIGITAL VARIABLE GAIN AMPLIFIER, DC - 1 GHz (same chip on both EDUX and DSOX)
Don't think so - HMC626 is a 32 pin QFN
You are right... I took it from Dave's teardown video: https://www.youtube.com/watch?v=9KcOQsVxtoU (https://www.youtube.com/watch?v=9KcOQsVxtoU) @ 22:59
The marking on the package is HVB #626
HVB is AD8337 and is variable gain amplifier. Probably this part limit bandwidth. I have idea (maybe crazy) to design 500MHz analog front-end for this scope. With 2GSPS it can be possible, but minimal time base 5ns can be a problem. What about memory depth after hacking - is 1 Mpts available?
-
After EDUX to DSOX resistor hacking you get 1Mpts memory depth. If you add the software hack, you get 200MHz (2ns time base) but gets limited by the EDUX front end, unless you make the changes to match the DSOX front end.
-
Hello,
now i use the Cab Hack for my DSOX1102A, for extend the Bandwidth with -l BW10, thats works....
now, i want to use EMBD, AUTO and other, but this doesn't work, when i launch the install, the DSO reboots, and the Licenses are by default....
Can any one help me?
-
AFAIK there is no hack to enable any option on the 1000X series. Just by running the hacked launcher without any options will enable 200MHz but nothing else.
-
Hum okay....
Now i tested any options on my DSO, and i take a userroots.p7b Certificateroot, the Certificates in this Certificate Roots, are all expired, i wonder..... o.O
Copy the infiniiCore.dll is not possible... i try any bugs on CE 6.0, to get root righs on the file system...
-
Will someone share me a schematic (can be without capacitors and inductors values) of analog frontend and trigger circuit in this scope. I want buy one, but delivery time is 6 weeks. :( Maybe someone can make x-ray photos of inner layers?
-
Part of the front end was discussed here: https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg1233118/#msg1233118 (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg1233118/#msg1233118).
-
Hello,
Now i am Trying to read the NAND Flash from my oszi, with wich, Clocks / MHZ Runs the SPEAR600?
From the Data pdf, goes this CPU up to 333 MHZ, now i need the JTAG Clock divider for the JTAG, now i found no Datasheet for the Micron NAND and DRAM?
Thanks guys
-
Extracted from the Scope's NAND via JTAG:
https://www.dropbox.com/s/ehzetadm7xibs13/1000XSeries.01.01.2016092801.ksx?dl=0 (https://www.dropbox.com/s/ehzetadm7xibs13/1000XSeries.01.01.2016092801.ksx?dl=0)
-
D9LHT is MT47H64M16HR-25E:H - datasheet at https://www.micron.com/parts/dram/ddr2-sdram/mt47h64m16hr-25e (https://www.micron.com/parts/dram/ddr2-sdram/mt47h64m16hr-25e) - SDRAM 1GB
NQ432 is MT29F1G08ABADAH4-ITX:D - datasheet at https://www.micron.com/parts/nand-flash/mass-storage/mt29f1g08abadah4-itx (https://www.micron.com/parts/nand-flash/mass-storage/mt29f1g08abadah4-itx) - NAND 1GB
D9SBJ is MT47H32M16NF-25E:H - datasheet at https://www.micron.com/parts/dram/ddr2-sdram/mt47h32m16nf-25e (https://www.micron.com/parts/dram/ddr2-sdram/mt47h32m16nf-25e) SDRAM 512MB
I seen this post with schematics with part of analog frontend. I'm looking for full schematic. It is not possible to make it only from teardown pictures :(
Thanks for NAND copy. It looks like main processor is programmer for FPGA. Maybe is it possible to make reverse engineering of FGPA internal configuration. I try to check it out.
-
Hey guys, I just got a DSOX1102G. Went through the entire thread and Dave's hacking video.
Anyone figured out the combinations that enable serial comm (DSOX1EMBD) and automotive packages (DSOX1AUTO) using the BLT_MODULE_CONFIG_0/1?
Also, from Dave's video, it seems that there are 2 pairs of resistors providing 2 voltage values to the BLT_PRODUCT_CONFIGs. Where are the resistors for BLT_MODULE_CONFIG?
-
If you watch the video again, I think Dave tries first hacking the module and there are additional resistors on the CPU module... or maybe it was in a previous video, I don't remember now.
I think there are no MODULE configuration options to enable serial decode, unless you hack the software.
You can request the serial decode trial to Keysight and change the date on the scope after 1 month to reactivate it, as discussed on this thread: https://www.eevblog.com/forum/testgear/problems-registering-promotional-dsox1102g/msg1257164/#msg1257164 (https://www.eevblog.com/forum/testgear/problems-registering-promotional-dsox1102g/msg1257164/#msg1257164)
-
I bought EDUX1002A and I have few questions about mods if I do understand right
I need to change model from EDUX to DSOX to get some extra features I think I will ok with 70Mz or 100MHz so proppably SW mod wont needed
just front end mod and EXT trig mod but does Trial Lics or bought lics for DSOX1AUTO work with that then? ar can they even bought.
-
maybe trig 2 is with other range?
According the datasheet, EDUX model has only +/- 8V range, DSOX has additionally +/- 1.6V.
This is ratio 5.
"/1" or "/5" probably means 1.6V and 8V range respectively (More logical to be opposite, but log data shows only /5 for EDUX, which have 8V range only).
In the DSOX log, there are two lines for Trig2 which contain both ranges (/1 and /5), so Trig2 is not related to the second range.
B1 and B0 are gain/offset coefficients (but I have no idea, which one is the gain or the offset).
I spotted one additional hardware difference between EDUX and DSOX regarding the External Input.
There are 2 resistors to the right of the LEFT CPU board socket. The DSOX has only the lower resistor populated with value 30.1 ohms (marking 47X) and the EDUX has only the upper resistor populated with a 0 ohm jumper (marking 000). When I switched the resistors to the correct DSOX configuration, I was able to get a very consistent digital trace for the External Input. The resistor seems to be related to the EXT_VIEW signal that comes from the Analog comparator on the EXT INPUT section. Before switching this resistor, the trace was fluctuating rapidly between logic 0 and 1 unless triggering from External Input. Now I see a nice digital trace when triggering on CH1 or CH2 and I can even use EXT INPUT to create an Analog Bus and get bus values in HEX (only 1-3 bit bus).
But still User Calibration FAILS... |O
Did you add 10kOhm resistor on the bottom side of PCB? It is connecting external trigger components (not mounted in edu version and ADC board). Photo comes from Dave teardown.
In my scope are OPA4872 are replacing LMH6574 in older version. This amplifiers are in trigger circuit and in analog frontends. My PCB is REV A005
-
maybe trig 2 is with other range?
According the datasheet, EDUX model has only +/- 8V range, DSOX has additionally +/- 1.6V.
This is ratio 5.
"/1" or "/5" probably means 1.6V and 8V range respectively (More logical to be opposite, but log data shows only /5 for EDUX, which have 8V range only).
In the DSOX log, there are two lines for Trig2 which contain both ranges (/1 and /5), so Trig2 is not related to the second range.
B1 and B0 are gain/offset coefficients (but I have no idea, which one is the gain or the offset).
I spotted one additional hardware difference between EDUX and DSOX regarding the External Input.
There are 2 resistors to the right of the LEFT CPU board socket. The DSOX has only the lower resistor populated with value 30.1 ohms (marking 47X) and the EDUX has only the upper resistor populated with a 0 ohm jumper (marking 000). When I switched the resistors to the correct DSOX configuration, I was able to get a very consistent digital trace for the External Input. The resistor seems to be related to the EXT_VIEW signal that comes from the Analog comparator on the EXT INPUT section. Before switching this resistor, the trace was fluctuating rapidly between logic 0 and 1 unless triggering from External Input. Now I see a nice digital trace when triggering on CH1 or CH2 and I can even use EXT INPUT to create an Analog Bus and get bus values in HEX (only 1-3 bit bus).
But still User Calibration FAILS... |O
Did you add 10kOhm resistor on the bottom side of PCB? It is connecting external trigger components (not mounted in edu version and ADC board). Photo comes from Dave teardown.
In my scope are OPA4872 are replacing LMH6574 in older version. This amplifiers are in trigger circuit and in analog frontends. My PCB is REV A005
Can you post a picture of the PCB where you added the 10K resistor?
-
I bought EDUX1002A and I have few questions about mods if I do understand right
I need to change model from EDUX to DSOX to get some extra features I think I will ok with 70Mz or 100MHz so proppably SW mod wont needed
just front end mod and EXT trig mod but does Trial Lics or bought lics for DSOX1AUTO work with that then? ar can they even bought.
All trial license will work if you just change the resistors to make it DSOX. It stops working when you make the SW mod.
-
Here it is. Value is 10k 1% Do you know what is part name of BNC connector? I searched in Digikey, Mouser, Farnell and I didn't found it. It have smaller footprint than standard connectors. I want to add generator to my scope. Also capacitors and inductors (from long RL filter) values will be helpful.
-
In my scope are OPA4872 are replacing LMH6574 in older version. This amplifiers are in trigger circuit and in analog frontends. My PCB is REV A005
My scope has PCB REV A004
-
I bought EDUX1002A and I have few questions about mods if I do understand right
I need to change model from EDUX to DSOX to get some extra features I think I will ok with 70Mz or 100MHz so proppably SW mod wont needed
just front end mod and EXT trig mod but does Trial Lics or bought lics for DSOX1AUTO work with that then? ar can they even bought.
Nice I need to figure out what resistor(s) I need to change to get it to DSOX mode (I assume that its config 23)
-
In my scope are OPA4872 are replacing LMH6574 in older version. This amplifiers are in trigger circuit and in analog frontends. My PCB is REV A005
My scope has PCB REV A004
Which one multiplexer amplifier do you have in scope? I'm not sure. Maybe edux have OPA4872 and dsox have LMH6574.
-
In my scope are OPA4872 are replacing LMH6574 in older version. This amplifiers are in trigger circuit and in analog frontends. My PCB is REV A005
My scope has PCB REV A004
Which one multiplexer amplifier do you have in scope? I'm not sure. Maybe edux have OPA4872 and dsox have LMH6574.
My EDUX have OPA4872 multiplexer amplifiers. Dave's teardown pictures of the DSOX shows LMH6574. Cost is similar.
OPA4872 has 0.1 dB Gain Flatness to 120MHz
LMH6574 has 0.1 dB Gain Flatness to 150MHz
I did not notice this difference before... time to go back and check all the components.
-
On BLT (ADC) board was also changes between rev 002 and 003. D9LHT is replaced by D9RZH in rev 003. All 0201 resistors dividers around memory are connected with memory pins. Maybe some bias on digital lines.
-
Here it is. Value is 10k 1% Do you know what is part name of BNC connector? I searched in Digikey, Mouser, Farnell and I didn't found it. It have smaller footprint than standard connectors. I want to add generator to my scope. Also capacitors and inductors (from long RL filter) values will be helpful.
OK, I soldered this missing 10K resistor and external digital input seems to work more reliably and self test passes. User calibration still fails, but it can be calibrated going back to EDUX mode, then back to DSOX for normal use.
I took the scope apart one more time to solder the 10K resistor... I am amazed at the construction quality of this instrument. It is very resilient and a pleasure to tear down and reassemble.
-
I found another missing resistor in EDUX. Marking 13A - 133Ohm. Here it is. Photo again comes from Dave's teardown.
-
My EDUX has the 133Ohm resistor. Maybe it is not needed.
-
My EDUX has the 133Ohm resistor. Maybe it is not needed.
That is interesting. Do you have version with generator?
-
Yes, I have the EDUX with wavegen (EDUX1002G)
-
I starts reverse engineering of my scope. I found another difference between my scope and Dave's photos. It is U29 In DSOX it is R4PC in sot23-5. In EDUX it is R30E in sot23-3. It is very hard to see this difference ;) This part is in self cal area (located between generator stuff and ch1 analog front end).
-
I starts reverse engineering of my scope. I found another difference between my scope and Dave's photos. It is U29 In DSOX it is R4PC in sot23-6. In EDUX it is R30E in sot23-3. It is very hard to see this difference ;) This part is in self cal area (located between generator stuff and ch1 analog front end).
Nice catch, I hope it is the reason why self calibration fails on the EDUX when converted to DSOX.
R30E is a CMOS Voltage Reference in SOT-23-3 package. It is specifically REF3040AIDBZR: 4.096V reference. Still looking for R4PC, it should be a voltage reference as well.
EDIT: I think it is R4FC, TI LM4132CMFX-4.1. Also 4.096V voltage reference in SOT-23-5 package... similar to REF3040AIDBZR but it has enable pin
-
Sorry. I look closer to photos and it looks like R4FC not R4PC. R4FC is LM4132CMF-4.1/NOPB http://www.ti.com/lit/ds/symlink/lm4132.pdf (http://www.ti.com/lit/ds/symlink/lm4132.pdf) Pin out is matching. But it also is 4.096V ref and enable pin is shorted with vin, so it is no difference in use between these two components :(
-
I have almost complete schematic of main PCB. I don't found more hardware differences. I add missing trigger and generator components and it is work. I change resistor divider on main board to have ID 24. I don't change resistor dividers on BLT board, so I have DSOX1002G with 70MHz bandwith. Scope passing user calibration.
**** External Trigger Level ****
/1 Trig B1 = 5303.000, B0 = 35789.000
/5 Trig B1 = 1071.000, B0 = 35789.000
/1 Trig 2 B1 = 17283.000, B0 = 28593.000
/5 Trig 2 B1 = 3492.000, B0 = 28593.000
**** CAL PASSED **** Time: 2 seconds
I'm going to make some test with wave gen, because I don't know the right values of capacitors and inductors.
-
I need to check the ext trigger input on my hack... as yours passes the user calibration. How did you find out the capacitor values (100nF, 33nF)?
-
Pin 5 of LMV7219 is positive supply voltage and have decoupling capacitor do ground. Typical decoupling capacitor value is 100nF. Pin 4 of LMV7219 is inverting input and these components looks like RC filter. One of these capacitor have same color like capacitor near pin 5. So it's probably 100nF and reasonable value for second one is something smaller then 100n, so i chose 33n. On other PCB side is also 10kohm resistor connected with these components (missing in EDUX version). I guess it is RC filter array making DC from PWM.
-
Can some one tell me working values to ID 23 I got my edux go to 70MHz 2GSa SGM etc but I cant get signal at all
I had 12k on top and 33k on bottom on left side set when connector is up of them so it should get 0.91V
EDIT: that were wrong but bith 15k and 15k I should get ID 24 and no signbal at all also trtied 12k and 8k but no signal either it was 0.98V
-
Before removing everything to get to the back of my PCB... Is the 10K resistor on the back of the PCB the same that you identified in a previous post? I checked the values on my hack, changed the capacitor from 100nF to 10nF (I don't have 33nF on hand) and still does not pass the user calibration.
-
Can some one tell me working values to ID 23 I got my edux go to 70MHz 2GSa SGM etc but I cant get signal at all
I had 12k on top and 33k on bottom on left side set when connector is up of them so it should get 0.91V
EDIT: that were wrong but bith 15k and 15k I should get ID 24 and no signbal at all also trtied 12k and 8k but no signal either it was 0.98V
Try use values from post below. It is about 2000x and 3000x series, but should work. Other resistor values are in Dave videos about 1000x scope.
Here is 3000 series board strapping info. 2000 series and 4000 series are pretty much the same. Pin strapping is done with 8 pairs of resistors. Each pair encode an integer value in 0 to 8 range.
Attached photos were annotated with strap resistor positions. Ln stands for Low (GND) side resistor and Hn is High (2V5) side resistor.
Based on analysis of Dave's teardown photos and my own board I've filled full resistor encoding table and believe it to be correct.
Note the L7 resistor is missing. I think it's routed to external module connector and it's encoding is fixed with 10k ohm high side on the main board.
You can't upgrade your scope just by altering these settings! Strapping represents the real difference in hardware!
Strapping resistor encoding
Value - Voltage - Lr/Hr
0 - 0.00V - 10k / none
1 - 0.23V - 10k / 100k
2 - 0.69V - 46,4k / 121k
3 - 0.98V - 64,9k / 100k
4 - 1.25V - 100k / 100k
5 - 1.52V - 100k / 64,9k
6 - 1.81V - 121k / 46,4k
7 - 2.27V - 10k / 100k
8 - 2.50V - none / 10k
Incomplete table of strap functions:
Strap 0 (CH 0) Channels:
0 - 2 Channels
1 - 4 Channels
Strap 1 (CH 1) Bandwidth
0 - 100MHz
1 - 200MHz
2 - 500MHz
3 - 1GHz
4 - 1.5GHz (4000 series only)
Strap 2 (CH 2) Sample Rate:
0 - 5GSa
1 - 4GSa
Strap 3 (CH 3) Gating ?
Strap 4 (CH 4) Board Revision ?
Strap 5 (CH 5) Family:
1 - 3000 series
2 - 4000 series
3 - 2000 series
Strap 6 (CH 7) MSO revision ? - not for 4000 series
Strap 7 (CH 6) External module - not for 4000 series:
0 - LAN
1 - GPIB
8 - No External Module
On external module 0 Ohm to GND should set LAN module (pin short on the DIY LAN may be for this strap) and 1k should be for GPIB module.
For experiments you only want to alter Strap 1 and Strap 2 to update the Sample Rate and Bandwidth.
Have fun!
Yes It is these same resistor from my previous post. I start user calibration after hardware RTC reset - on default clock settings. Maybe here is goal. I start reverse engineering of BLT PCB. I found some pins for Ethernet and next USB Host on unmounted connector. Maybe it is possible to add Ethernet module with PHY and play with licenses hacking :)
-
Yes It is these same resistor from my previous post. I start user calibration after hardware RTC reset - on default clock settings. Maybe here is goal. I start reverse engineering of BLT PCB. I found some pins for Ethernet and next USB Host on unmounted connector. Maybe it is possible to add Ethernet module with PHY and play with licenses hacking :)
Do you think the RTC reset is important? Can you please test user calibration without the hardware RTC reset? If I change the scope hack back to EDUX, user calibration passes, without any RTC reset.
-
Can some one tell me working values to ID 23 I got my edux go to 70MHz 2GSa SGM etc but I cant get signal at all
I had 12k on top and 33k on bottom on left side set when connector is up of them so it should get 0.91V
EDIT: that were wrong but bith 15k and 15k I should get ID 24 and no signbal at all also trtied 12k and 8k but no signal either it was 0.98V
Thanks a lot I ll try those also it does put me think if I did actually change wrong resistor set since I didnt find pic what would say which one is ID0 and which one is ID1 but when I did look those values
maybe my 12k vas actually 121k so i did change wrong id bit.
-
It pass user calibration even with normal RTC time. I don't have more ideas. Maybe one of yours components is broken. I used https://pl.mouser.com/Search/ProductDetail.aspx?R=LMV7219M5%2fNOPBvirtualkey59500000virtualkey926-LMV7219M5%2fNOPB and 1% resistors also from Mouser. I my hacking I use 5V coil relay instead of 4.5V (was out of stock, but it is powered from 595 shift register, so it isn't big difference) and I use ferrit bead (600ohm at 100MHz) instead of 10ohm (01x) resistor on power supply line of comparator) all other components are same like in Dave photos.
-
My unit used to pass user calibration if set back to EDUX mode, but now it does not. I guess is the front end modification I made and not the external trigger input circuit.
-
I don't think so. It looks like user calibration stops at first detected error. I also replaced components on frontends. I don't change U40, U35 and U401. Below is photo of my hack. Resistors without making code are 16.2ohm.
-
You are missing a resistor marked 17B near U39. Did you miss it on purpose?
-
You are right. Thanks. I miss these resistors. I add it and it pass calibration again.
-
I don't think so. It looks like user calibration stops at first detected error. I also replaced components on frontends. I don't change U40, U35 and U401. Below is photo of my hack. Resistors without making code are 16.2ohm.
Can you indicate which components did you change in the front end section?
-
I made hack using yours tutorial - photos attached to quoted post :P I left on board decoupling capacitors and ferite beads from removed amplifier.
EDUX front end mod to DSOX partial results.
I did the following mod to see if I can get 200MHz modding the front end on the EDUX to mimic the DSOX front end.
I worked on CH2 and the result is partial because I was not able to replace the LMH6550 to LMH6552 because it requires a package change from VSSOP to WSON. The PCB has the footprint for both package types.
First picture shows the table of Vpp, Vmax and VRMS measurements of the different stages of the mod compared to the micsig TO1104 (just as validation of values).
The EDUX with just the resistor swap to make it think it is a DSOX: you get 70MHz, as is indicated on the utility/service/about this scope screen.
The EDUX with the resistor swap + the software hack (infiniiVisionLauncher.exe from /Secure): you get 120MHz, but utility/service/about this scope screen shows 200MHz.
The EDUX with the resistor swap + the software hack + the partial front end mod: you get less than 50MHz, as the front end mod removes the additional OPAMP that was added to the EDUX in the front end, and as it does not have the LMH6552 yet, it cannot get to 200MHz.
Second picture shows the hardware mod of the front end. The hardware mod is partial because I am waiting for the solder paste to arrive to be able to solder the WSON Package
Third picture is the original DSOX (From Dave's Teardown)
-
Can some one tell me working values to ID 23 I got my edux go to 70MHz 2GSa SGM etc but I cant get signal at all
I had 12k on top and 33k on bottom on left side set when connector is up of them so it should get 0.91V
EDIT: that were wrong but bith 15k and 15k I should get ID 24 and no signbal at all also trtied 12k and 8k but no signal either it was 0.98V
Thanks a lot I ll try those also it does put me think if I did actually change wrong resistor set since I didnt find pic what would say which one is ID0 and which one is ID1 but when I did look those values
maybe my 12k vas actually 121k so i did change wrong id bit.
Yes that was the fault it works at 70MHz 2Gsa now thanks sadly its still edux so no CAN/LIN trial
-
I have almost complete schematic of main PCB. I don't found more hardware differences. I add missing trigger and generator components and it is work. I change resistor divider on main board to have ID 24. I don't change resistor dividers on BLT board, so I have DSOX1002G with 70MHz bandwith. Scope passing user calibration.
**** External Trigger Level ****
/1 Trig B1 = 5303.000, B0 = 35789.000
/5 Trig B1 = 1071.000, B0 = 35789.000
/1 Trig 2 B1 = 17283.000, B0 = 28593.000
/5 Trig 2 B1 = 3492.000, B0 = 28593.000
**** CAL PASSED **** Time: 2 seconds
I'm going to make some test with wave gen, because I don't know the right values of capacitors and inductors.
Do you mind posting the full calibration output? My unit is failing user calibration but at a different point during the test as before. Before it was failing during External Trigger Level calibration.
-
XXXXXXXXXXXrom_offset=0x0.
XXImageStart = 0x80361000, ImageLength = 0x1A80C40, LaunchAddr = 0x80362000
Completed file(s):
-------------------------------------------------------------------------------
[0]: Address=0x80361000 Length=0x1A80C40 Name="" Target=RAM
Loading image 1 succeeded.
ROMHDR at Address 80361044h
Preparing launch...
RTC: 2080-73-25 7:165:123.3 UTC
Launching windows CE image by jumping at address 0x 362000
Windows CE Kernel for ARM (Thumb Enabled) Built on Mar 8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Sep 28 2016)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000 size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers\Active\14
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200 (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
LAN PHY NOT detected.
DeleteP500EnetRegistry:
\Comm\GMAC 0x0
\Comm\GMAC1 0x0
\Comm\Tcpip\Linkage 0x0
\Drivers\Virtual 0x0
\Drivers\BuiltIn\LIN 0x5
LIN: Data Valid
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
Device load time:
NANDFLASH: 0 ms
SNANDFLASH: 0 ms
SHIM DLL, LoadRealDll [PalIO.dll] for [AgilentPalIO.dll]
SHIM [AgilentPalIO.dll] Get Process Addresses
LaunchInfiniiVision:
BLT Module Config 03 - UNKNOWN
=========================================
BLT Product Config 24
Bandwidth : 200MHz
#Channel : 2
Board Rev : FPR
Clk Gating : Baldwin
Sample Rate : 4GSa
LAN PHY : No
BLT Module Config 03
Rev : LP0
Sample Rate : 0GSa/s
=========================================
BLT_PRODUCT_CONFIG_0, 1.249v, ID4
BLT_PRODUCT_CONFIG_1, 0.699v, ID2
BLT_MODULE_CONFIG_0, 0.953v, ID3
BLT_MODULE_CONFIG_1, 0.010v, ID0
CANINE_BOARD_REV, 0.005v, ID0
CANINE_MODEL_NAME: MARSUPIAL, 1.742v, ID6, MARSUPIAL
CANINE_EXTMODULE, 2.485v, ID8, SWID8
CANINE_MSO_REV, 0.648v, ID2, SWID2
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll]
SHIM [AgilentPalSStorage.dll] Get Process Addresses
Released build, Sep 28 2016, 00:17:51
Initializing FPGA...
************************************
FPGA Type: Marsupial
Ver: 1.067 Released
Build Time: Tue Jun 14 17:13:42 2016
Build Machine: 2UA5461ZWH
************************************
cMarsupialCalMgr::cMarsupialUserCalFactors::cMarsupialUserCalFactors size 146412
cMarsupialCalMgr::cMarsupialServiceCalFactors::cMarsupialServiceCalFactors size 704
cMarsupialCalMgr::cMarsupialFactoryCalFactors::cMarsupialFactoryCalFactors size 896
Calibration mode User
Recall \Secure\cal\FactoryCal2.dat - ok
Recall \Secure\cal\ServiceCal1.dat - ok
Recall \Secure\cal\UserCal8.dat - ok
Cal Date Wed Sep 28 21:00:56 2016
will do USB phy workaround: CheckCRC
Startup sequence is complete.
Saved configuration invalid
System has been running 15.505870 seconds
Start Up Sequence 6.783193
Memory Load 52%
System Physical Memory 37.957 / 73.465 MB
Process Virtual Memory 47.125 / 1024.000 MB
-----> InfiniiVision is running <-----
Performing USER calibraion
######################## Channel 1 ########################
**** Baldwin Interpolator ****
fiPreDelay = 0x10
fiCalResult = 186
fiWide = 319
Final Cal Factor = 0x10
**** CAL PASSED **** Time: 1 seconds
**** Talon Calibrator ****
Calibrate AC Signal
Channel 1: Offset 0x20800 GainIndex 7 GainVern 0x1db0
Channel 2: Offset 0x20800 GainIndex 7 GainVern 0x1db0
Calibrate DC Signal
# Pts (out of 20): 20 B1 = 174796.670513 B0 = 126533.918357
# Pts (out of 20): 20 B1 = 175067.254517 B0 = 127236.403807
Testing...
Vin = -0.200000 AvgQLvl = 29.500000 VinActual = -0.192383
Vin = 0.000000 AvgQLvl = 135.750000 VinActual = 0.015137
Vin = 0.200000 AvgQLvl = 237.750000 VinActual = 0.214355
**** CAL PASSED **** Time: 1 seconds
**** Talon ****
**Talon Init Cal**
Slice Offset = 20
Slice offset correction successful
Using all slices for calibration
**Talon Dac Cal**
Gain Dac Iteration 1: Deltas 17 | Max 1 | Min -1
Gain Dac Iteration 2: Deltas 15 | Max 1 | Min -1
Gain Dac Iteration 3: Deltas 10 | Max 1 | Min -1
Offset Dac Iteration 1: Deltas 46 | Max 4 | Min -4
Offset Dac Iteration 2: Deltas 3 | Max 4 | Min -3
**Talon Pipeline Cal**
*** Talon pipeline cal ***
# pts not used = 0
Offset Adjustment = -26.950562
Gain Adjustment = 1.012901
**Talon4 Timing Cal**
Freq: 39.999510MHz
QMax 0xb0 QMin 0x4c
Min Per: 2.476667e-008 Max Per: 2.521667e-008
Harmonic Used: 1
MajorPass 1 | Deltas 13 | Max Dac 8 | Min Dac -8
MajorPass 2 | Deltas 5 | Max Dac 10 | Min Dac -11
MajorPass 3 | Deltas 3 | Max Dac 10 | Min Dac -12
MinorPass 1 | Deltas 158 | Max Dac 30 | Min Dac -30
MinorPass 2 | Deltas 108 | Max Dac 27 | Min Dac -27
Minor Timing Vernier is clipped
MinorPass 3 | Deltas 118 | Max Dac 45 | Min Dac -36
**Talon Pipeline Cal**
*** Talon pipeline cal ***
# pts not used = 0
Offset Adjustment = -42.678711
Gain Adjustment = 1.035890
Using partial slices for calibration
**Talon Dac Cal**
Gain Dac Iteration 1: Deltas 2 | Max 1 | Min -1
Gain Dac Iteration 2: Deltas 2 | Max 1 | Min 0
Gain Dac Iteration 3: Deltas 1 | Max 1 | Min -1
Offset Dac Iteration 1: Deltas 0 | Max 4 | Min -2
Offset Dac Iteration 2: Deltas 0 | Max 4 | Min -2
**Talon Pipeline Cal**
*** Talon pipeline cal ***
# pts not used = 0
**** CAL PASSED **** Time: 115 seconds
**** DC Gain ****
28000, 0.803184 : -2198997.135356, 1794200.024167
28400, 0.803002 : -29029.664756 , 51710.891089
28800, 0.789223 : -4200.567536 , 32115.186246
29200, 0.693998 : -4646.586593 , 32424.722662
29600, 0.607913 : -5128.856222 , 32717.900875
30000, 0.529923 : -5979.597839 , 33168.728756
30400, 0.463029 : -6986.488023 , 33634.948372
30800, 0.405776 : -7563.188668 , 33868.959587
31200, 0.352888 : -9357.434490 , 34502.127660
31600, 0.310141 : -9687.211917 , 34604.405286
32000, 0.268850 : -11759.342809 , 35161.497326
32400, 0.234834 : -13786.815707 , 35637.617555
32800, 0.205821 : -14908.454951 , 35868.474576
33200, 0.178991 : -18061.577867 , 36432.854209
33600, 0.156844 : -19163.373466 , 36605.664488
34000, 0.135971 : -23393.586226 , 37180.851064
34400, 0.118872 : -26654.510367 , 37568.484848
34800, 0.103866 : -29222.552894 , 37835.215947
35200, 0.090177 : -35467.695246 , 38398.387097
35600, 0.078900 : -39981.765550 , 38754.545455
36000, 0.068895 : -43979.942105 , 39030.000000
36400, 0.059800 : -59432.354196 , 39954.054054
36800, 0.053070 : -382434.279177, 57095.652174
37200, 0.052024 : 0.000000 , 0.000000
Reference range = 0.463V
Coarse gain ratio
0.1x = 0.357 (1.296V)
0.4x = 1.000 (0.463V)
0.8x = 2.826 (0.164V)
2.0x = 7.838 (0.059V)
Gain# MIN MAX %OL
0 0.006637 0.102469
1 0.018409 0.284215
2 0.052024 0.803184
3 0.145566 2.247370
4 0.299542 4.624569
5 0.830831 12.827039
6 2.347910 36.248934
7 6.569627 101.427236
ADC half speed gain ratio = 0.965 (0.480V)
**** CAL PASSED **** Time: 15 seconds
**** Offset Error ****
AC Coupling
Gain# 0 [29428 (0.006637V) - 37978 (0.080000V), 45pts]
Gain# 1 [29556 (0.080000V) - 32661 (0.216000V), 45pts]
Gain# 2 [29502 (0.216000V) - 32787 (0.624000V), 45pts]
Gain# 3 [29765 (0.624000V) - 32690 (1.600000V), 45pts]
Gain# 4 [29559 (1.600000V) - 32034 (3.520000V), 45pts]
Gain# 5 [29618 (3.520000V) - 32723 (9.600000V), 45pts]
Gain# 6 [29510 (9.600000V) - 32840 (28.000000V), 45pts]
Gain# 7 [29433 (28.000000V) - 32718 (80.500000V), 45pts]
DC Coupling
Gain# 0 [29428 (0.006637V) - 37978 (0.080000V), 45pts]
Gain# 4 [29559 (1.600000V) - 32034 (3.520000V), 45pts]
AC Coupling
Gain# 0 [29428 (0.006637V) - 37978 (0.080000V), 45pts]
Gain# 1 [29556 (0.080000V) - 32661 (0.216000V), 45pts]
Gain# 2 [29502 (0.216000V) - 32787 (0.624000V), 45pts]
Gain# 3 [29765 (0.624000V) - 32690 (1.600000V), 45pts]
Gain# 4 [29559 (1.600000V) - 32034 (3.520000V), 45pts]
Gain# 5 [29618 (3.520000V) - 32723 (9.600000V), 45pts]
Gain# 6 [29510 (9.600000V) - 32840 (28.000000V), 45pts]
Gain# 7 [29433 (28.000000V) - 32718 (80.500000V), 45pts]
DC Coupling
Gain# 0 [29428 (0.006637V) - 37978 (0.080000V), 45pts]
Gain# 4 [29559 (1.600000V) - 32034 (3.520000V), 45pts]
0 retry out of 920 offset searched
**** CAL PASSED **** Time: 22 seconds
**** Trigger Level ****
div -3, pos slope dac = 0x956D, neg slope dac = 0x94C1, avg = 38167.000
div -2, pos slope dac = 0x92E7, neg slope dac = 0x923B, avg = 37521.000
div -1, pos slope dac = 0x9065, neg slope dac = 0x8FB7, avg = 36878.000
div 0, pos slope dac = 0x8DDD, neg slope dac = 0x8D31, avg = 36231.000
div 1, pos slope dac = 0x8B59, neg slope dac = 0x8AAD, avg = 35587.000
div 2, pos slope dac = 0x88D5, neg slope dac = 0x8827, avg = 34942.000
div 3, pos slope dac = 0x8651, neg slope dac = 0x85A3, avg = 34298.000
Trig 1 B1 = -644.857, B0 = 36232.000
div -3, pos slope dac = 0x9563, neg slope dac = 0x94C5, avg = 38164.000
div -2, pos slope dac = 0x92DD, neg slope dac = 0x9241, avg = 37519.000
div -1, pos slope dac = 0x905B, neg slope dac = 0x8FBB, avg = 36875.000
div 0, pos slope dac = 0x8DD3, neg slope dac = 0x8D35, avg = 36228.000
div 1, pos slope dac = 0x8B4F, neg slope dac = 0x8AB3, avg = 35585.000
div 2, pos slope dac = 0x88CB, neg slope dac = 0x882D, avg = 34940.000
div 3, pos slope dac = 0x8645, neg slope dac = 0x85A7, avg = 34294.000
Trig 2 B1 = -644.929, B0 = 36229.286
div -3, pos slope dac = 0x9561, neg slope dac = 0x94C5, avg = 38163.000
div -2, pos slope dac = 0x92DD, neg slope dac = 0x9243, avg = 37520.000
div -1, pos slope dac = 0x905B, neg slope dac = 0x8FBD, avg = 36876.000
div 0, pos slope dac = 0x8DD1, neg slope dac = 0x8D39, avg = 36229.000
div 1, pos slope dac = 0x8B51, neg slope dac = 0x8AB5, avg = 35587.000
div 2, pos slope dac = 0x88CB, neg slope dac = 0x882D, avg = 34940.000
div 3, pos slope dac = 0x8647, neg slope dac = 0x85AD, avg = 34298.000
Trig 3 B1 = -644.429, B0 = 36230.429
Trig 1 - AC offset 18.000000
Trig 2 - AC offset 24.714286
Trig 1 - LF Rej offset 19.000000
Trig 2 - LF Rej offset 23.714286
Trig 1 - HF_Rej offset -5.000000
Trig 2 - HF_Rej offset 1.714286
Trig 1 - AC_HF_REJ offset 17.000000
Trig 2 - AC_HF_REJ offset 23.714286
**** CAL PASSED **** Time: 29 seconds
**** Trigger Hysteresis ****
Hyst dac = 12288, pos slope dac = 0x8DCF, neg slope dac = 0x8D39, range = 150, div = 0.233
Hyst dac = 14336, pos slope dac = 0x8DE9, neg slope dac = 0x8D1F, range = 202, div = 0.313 +
Hyst dac = 16384, pos slope dac = 0x8E07, neg slope dac = 0x8D01, range = 262, div = 0.406 +
Hyst dac = 18432, pos slope dac = 0x8E23, neg slope dac = 0x8CE7, range = 316, div = 0.490 +
Hyst dac = 20480, pos slope dac = 0x8E41, neg slope dac = 0x8CC9, range = 376, div = 0.583 +
Hyst dac = 22528, pos slope dac = 0x8E5D, neg slope dac = 0x8CA9, range = 436, div = 0.676 +
Hyst dac = 24576, pos slope dac = 0x8E77, neg slope dac = 0x8C8B, range = 492, div = 0.763 +
Hyst dac = 26624, pos slope dac = 0x8E97, neg slope dac = 0x8C6F, range = 552, div = 0.856 +
Hyst dac = 28672, pos slope dac = 0x8EB7, neg slope dac = 0x8C4F, range = 616, div = 0.955 +
Hyst dac = 30720, pos slope dac = 0x8ED9, neg slope dac = 0x8C33, range = 678, div = 1.051 +
Hyst dac = 32768, pos slope dac = 0x8EF5, neg slope dac = 0x8C0F, range = 742, div = 1.151 +
Hyst dac = 34816, pos slope dac = 0x8F1B, neg slope dac = 0x8BF1, range = 810, div = 1.256 +
Hyst dac = 36864, pos slope dac = 0x8F3B, neg slope dac = 0x8BD1, range = 874, div = 1.355 +
Hyst dac = 38912, pos slope dac = 0x8F5B, neg slope dac = 0x8BAF, range = 940, div = 1.458 +
Hyst dac = 40960, pos slope dac = 0x8F81, neg slope dac = 0x8B89, range = 1016, div = 1.576 +
Trig Hyst B1 = 21244.935, B0 = 8087.976
**** CAL PASSED **** Time: 15 seconds
**** External Trigger Level ****
/1 Trig B1 = 5303.000, B0 = 35789.000
/5 Trig B1 = 1071.000, B0 = 35789.000
/1 Trig 2 B1 = 17283.000, B0 = 28593.000
/5 Trig 2 B1 = 3492.000, B0 = 28593.000
**** CAL PASSED **** Time: 2 seconds
**** Wave Gen ****
[calibrator] = 0x3fb40 Q | -52958.38 Q/V
[0: DIV1 + DIV1 ] = 0x1ef83 Q | 10182.00 Q/V | (calV=2.481175V) 34.770434 V
[1: DIV4 + DIV1 ] = 0x1fbf0 Q | 10180.80 Q/V | (calV=2.501644V) 8.559135 V
[2: DIV16 + DIV1 ] = 0x1fedd Q | 10181.20 Q/V | (calV=0.638709V) 2.156434 V
[3: DIV64 + DIV1 ] = 0x1ffac Q | 10181.60 Q/V | (calV=0.159427V) 0.556634 V
[4: DIV1 + DIV23] = 0x1ef5e Q | 237355.00 Q/V | (calV=0.449561V) 1.478780 V
[5: DIV4 + DIV23] = 0x1fbd1 Q | 237300.00 Q/V | (calV=0.110313V) 0.367590 V
[6: DIV16 + DIV23] = 0x1fec1 Q | 237302.50 Q/V | (calV=0.025020V) 0.092401 V
[7: DIV64 + DIV23] = 0x1ff8f Q | 237305.00 Q/V | (calV=0.006930V) 0.023951 V
[0: DIV1 + DIV1 ] = 34.432553 V (overwrite)
**** CAL PASSED **** Time: 62 seconds
**** Wavegen Trigger Level Offset ****
Wavegen Trig Offset = 0x8BDC
**** CAL PASSED **** Time: 1 seconds
**** Baldwin Trig Time Qual ****
Set CalConfigScope range 1.000000E-005, delay -1.000000E-006
Top : 2.663317
Base : -29.095478
Vert Scale : 80.000000
Vert Offset: -14.547739
Trig Level : -14.547739
Horz Range : 1.000000e-007
Horz Delay : 1.500000e-008
CalConfigScope range 1.000000E-007, delay 1.500000E-008
--- Internal Timer ---
tVolt for Edge Trigger = 2.321820 ns
Zero Time = 2.321820 ns
*Int Osc Freq*
Oscillator Freq: 365.431424 MHz
Set CalConfigScope range 5.000000E-008, delay -5.000000E-009
CalConfigScope range 5.000000E-008, delay 1.000000E-008
*Int Find Min Time*
Zero Time Timer 0 : 1425.986842 ps
Zero Time Timer 1 : 1435.505520 ps
*Int Find Min Time*
Timer 0:
Dac 0 Time 1495.927318 ps
Dac 31 Time 2612.768451 ps
Dac 62 Time 3728.070175 ps
Dac 93 Time 4937.560916 ps
Dac 124 Time 6082.236842 ps
Fine Dac Gain 37.088424 ps/DacCode
Timer 1:
Dac 0 Time 1360.882675 ps
Dac 31 Time 2612.768451 ps
Dac 62 Time 3771.173624 ps
Dac 93 Time 4899.945175 ps
Dac 124 Time 6066.611842 ps
Fine Dac Gain 37.737532 ps/DacCode
*Int Fast Path*
Fast Dac Zero Time 1058.799342 ps
Dac 0 Time 993.695175 ps
Dac 31 Time 1855.764141 ps
Dac 62 Time 3027.639141 ps
Dac 93 Time 4229.147762 ps
Dac 124 Time 5376.777072 ps
Fine Dac Gain 35.934024 ps/DacCode
--- Sync Timer ---
Set CalConfigScope range 5.000000E-007, delay -5.000000E-008
MClk Frequency = 200003217.296184
*Calibrating PdSel*
PdSel 0 : Min 61 Max 117
PdSel = 0
Min Fine Dac = 133
*Fine Dac*
Sync Timer minimum Time : 2.197807e-008
Dac 133 Val: -2.187226e-008
Dac 227 Val: -2.645236e-008
Dac 321 Val: -3.072026e-008
Dac 415 Val: -3.511049e-008
Dac 509 Val: -3.963172e-008
Fine Dac Gain: 2.127560e+010 DacCode/second
Fine Dac Gain: 47.002201 ps/DacCode
**** CAL PASSED **** Time: 2 seconds
**** Baldwin Setup and Hold ****
--- Vertical Settings ---
Set CalConfigScope range 1.000000E-005, delay -1.000000E-006
Top : 2.537677
Base : -28.819107
Vert Scale : 80.000000
Vert Offset: -14.409554
Trig Level : -14.409554
Horz Range : 1.000000e-007
Horz Delay : 1.500000e-008
CalConfigScope range 1.000000E-007, delay 1.500000E-008
*Clk Path*
Long Delay Dac 0 Time 1713.267544 ps
Long Delay Dac 31 Time -8185.911017 ps
Long Delay Dac 62 Time -18179.824561 ps
Long Delay Dac 93 Time -28031.250000 ps
Long Delay Dac 124 Time -38019.067797 ps
Zero Pt with long delay : 1721.444767 ps
Long Delay Gain : 320.354870 ps / daccode
Trombone Delay Gain : 75.315361 ps / daccode
*Data Path*
Min TVolt = -7812.500000ps
Max TVolt = -1718.750000ps
DataPath Offset = 1093.750000ps
ClockPath Offset = 3440.194767ps
**** CAL PASSED **** Time: 3 seconds
**** Baldwin Pattern Trig ****
**Pattern Delay Cal**
Set CalConfigScope range 1.000000E-005, delay -1.000000E-006
Top : 2.675927
Base : -29.082867
Vert Scale : 80.000000
Vert Offset: -14.541434
Trig Level : -14.541434
Horz Range : 1.000000e-007
Horz Delay : 1.500000e-008
CalConfigScope range 1.000000E-007, delay 1.500000E-008
Zero Time = 2.322917ns
DeltaT = 1 : Time Delta = 3.074533ns
DeltaT = 2 : Time Delta = 6.132184ns
DeltaT = 3 : Time Delta = 9.174479ns
DeltaT Gain : 3.058109ns/code
DelatT Offset: 0.008136ns
TBone = 1 : Time Delta = 0.060082ns
TBone = 9 : Time Delta = 0.704613ns
TBone = 17 : Time Delta = 1.247396ns
TBone = 25 : Time Delta = 1.881106ns
TBone = 33 : Time Delta = 2.540551ns
TBone = 41 : Time Delta = 3.161458ns
TBone = 49 : Time Delta = 3.713003ns
TBone = 57 : Time Delta = 4.313757ns
TBone Gain : 3.058109ns/code
TBone Offset: 0.008136ns
Compensation of 1.750000ns:
DeltaT: 0
Tbone : 22
**Xtrig Delay Cal**
Final Qual Delay Setting: 5
**** CAL PASSED **** Time: 1 seconds
######################## Channel 2 ########################
**** DC Gain ****
28400, 0.805823 : -30996.983448 , 53378.091873
28800, 0.792919 : -4179.202628 , 32113.768461
29200, 0.697207 : -4678.478035 , 32461.866667
29600, 0.611709 : -5175.307561 , 32765.781711
30000, 0.534419 : -5899.224153 , 33152.656355
30400, 0.466613 : -6978.636687 , 33656.324582
30800, 0.409295 : -7536.208175 , 33884.536082
31200, 0.356218 : -9263.090091 , 34499.683210
31600, 0.313036 : -9912.029735 , 34702.824859
32000, 0.272681 : -11481.866905 , 35130.890052
32400, 0.237844 : -13579.173863 , 35629.721362
32800, 0.208387 : -14595.917331 , 35841.597338
33200, 0.180982 : -17902.339420 , 36440.000000
33600, 0.158638 : -19801.684686 , 36741.309255
34000, 0.138438 : -22264.330751 , 37082.233503
34400, 0.120472 : -26422.127457 , 37583.132530
34800, 0.105333 : -29338.281993 , 37890.301003
35200, 0.091699 : -34948.790103 , 38404.780876
35600, 0.080254 : -38814.806707 , 38715.044248
36000, 0.069949 : -43860.731579 , 39068.000000
36400, 0.060829 : -54825.914474 , 39735.000000
36800, 0.053533 : -337390.242914, 54861.538461
37200, 0.052348 : 0.000000 , 0.000000
Reference range = 0.467V
Coarse gain ratio
0.1x = 0.358 (1.305V)
0.4x = 1.000 (0.467V)
0.8x = 2.824 (0.165V)
2.0x = 7.853 (0.059V)
Gain# MIN MAX %OL
0 0.006666 0.102608
1 0.018534 0.285302
2 0.052348 0.805823
3 0.146377 2.253281
4 0.300765 4.629898
5 0.836280 12.873463
6 2.362034 36.360515
7 6.604833 101.672997
ADC half speed gain ratio = 0.962 (0.485V)
**** CAL PASSED **** Time: 15 seconds
**** Offset Error ****
AC Coupling
Gain# 0 [29441 (0.006666V) - 37946 (0.080000V), 45pts]
Gain# 1 [29590 (0.080000V) - 32695 (0.216000V), 45pts]
Gain# 2 [29510 (0.216000V) - 32840 (0.624000V), 45pts]
Gain# 3 [29774 (0.624000V) - 32744 (1.600000V), 45pts]
Gain# 4 [29587 (1.600000V) - 32062 (3.520000V), 45pts]
Gain# 5 [29628 (3.520000V) - 32778 (9.600000V), 45pts]
Gain# 6 [29541 (9.600000V) - 32871 (28.000000V), 45pts]
Gain# 7 [29461 (28.000000V) - 32746 (80.500000V), 45pts]
DC Coupling
Gain# 0 [29441 (0.006666V) - 37946 (0.080000V), 45pts]
Gain# 4 [29587 (1.600000V) - 32062 (3.520000V), 45pts]
AC Coupling
Gain# 0 [29441 (0.006666V) - 37946 (0.080000V), 45pts]
Gain# 1 [29590 (0.080000V) - 32695 (0.216000V), 45pts]
Gain# 2 [29510 (0.216000V) - 32840 (0.624000V), 45pts]
Gain# 3 [29774 (0.624000V) - 32744 (1.600000V), 45pts]
Gain# 4 [29587 (1.600000V) - 32062 (3.520000V), 45pts]
Gain# 5 [29628 (3.520000V) - 32778 (9.600000V), 45pts]
Gain# 6 [29541 (9.600000V) - 32871 (28.000000V), 45pts]
Gain# 7 [29461 (28.000000V) - 32746 (80.500000V), 45pts]
DC Coupling
Gain# 0 [29441 (0.006666V) - 37946 (0.080000V), 45pts]
Gain# 4 [29587 (1.600000V) - 32062 (3.520000V), 45pts]
0 retry out of 920 offset searched
**** CAL PASSED **** Time: 25 seconds
**** Trigger Level ****
div -3, pos slope dac = 0x954F, neg slope dac = 0x94A3, avg = 38137.000
div -2, pos slope dac = 0x92CB, neg slope dac = 0x921D, avg = 37492.000
div -1, pos slope dac = 0x9049, neg slope dac = 0x8F9F, avg = 36852.000
div 0, pos slope dac = 0x8DC5, neg slope dac = 0x8D17, avg = 36206.000
div 1, pos slope dac = 0x8B3F, neg slope dac = 0x8A93, avg = 35561.000
div 2, pos slope dac = 0x88BF, neg slope dac = 0x8815, avg = 34922.000
div 3, pos slope dac = 0x863D, neg slope dac = 0x858F, avg = 34278.000
Trig 1 B1 = -643.143, B0 = 36206.857
div -3, pos slope dac = 0x9541, neg slope dac = 0x94AB, avg = 38134.000
div -2, pos slope dac = 0x92BF, neg slope dac = 0x9227, avg = 37491.000
div -1, pos slope dac = 0x903D, neg slope dac = 0x8FA7, avg = 36850.000
div 0, pos slope dac = 0x8DB5, neg slope dac = 0x8D23, avg = 36204.000
div 1, pos slope dac = 0x8B3B, neg slope dac = 0x8AA1, avg = 35566.000
div 2, pos slope dac = 0x88B5, neg slope dac = 0x881D, avg = 34921.000
div 3, pos slope dac = 0x8631, neg slope dac = 0x8593, avg = 34274.000
Trig 2 B1 = -643.000, B0 = 36205.714
div -3, pos slope dac = 0x959F, neg slope dac = 0x9517, avg = 38235.000
div -2, pos slope dac = 0x931F, neg slope dac = 0x9293, avg = 37593.000
div -1, pos slope dac = 0x909B, neg slope dac = 0x9013, avg = 36951.000
div 0, pos slope dac = 0x8E1D, neg slope dac = 0x8D89, avg = 36307.000
div 1, pos slope dac = 0x8B99, neg slope dac = 0x8B11, avg = 35669.000
div 2, pos slope dac = 0x8913, neg slope dac = 0x8887, avg = 35021.000
div 3, pos slope dac = 0x8695, neg slope dac = 0x8601, avg = 34379.000
Trig 3 B1 = -642.643, B0 = 36307.857
Trig 1 - AC offset 42.142857
Trig 2 - AC offset 43.285714
Trig 1 - LF Rej offset 42.142857
Trig 2 - LF Rej offset 48.285714
Trig 1 - HF_Rej offset -4.857143
Trig 2 - HF_Rej offset 0.285714
Trig 1 - AC_HF_REJ offset 41.142857
Trig 2 - AC_HF_REJ offset 48.285714
**** CAL PASSED **** Time: 29 seconds
**** Trigger Hysteresis ****
Hyst dac = 12288, pos slope dac = 0x8DB1, neg slope dac = 0x8D1F, range = 146, div = 0.227
Hyst dac = 14336, pos slope dac = 0x8DCD, neg slope dac = 0x8D05, range = 200, div = 0.311 +
Hyst dac = 16384, pos slope dac = 0x8DE7, neg slope dac = 0x8CE9, range = 254, div = 0.395 +
Hyst dac = 18432, pos slope dac = 0x8E07, neg slope dac = 0x8CCD, range = 314, div = 0.488 +
Hyst dac = 20480, pos slope dac = 0x8E23, neg slope dac = 0x8CAD, range = 374, div = 0.582 +
Hyst dac = 22528, pos slope dac = 0x8E41, neg slope dac = 0x8C93, range = 430, div = 0.669 +
Hyst dac = 24576, pos slope dac = 0x8E5F, neg slope dac = 0x8C75, range = 490, div = 0.762 +
Hyst dac = 26624, pos slope dac = 0x8E7B, neg slope dac = 0x8C55, range = 550, div = 0.855 +
Hyst dac = 28672, pos slope dac = 0x8E9F, neg slope dac = 0x8C35, range = 618, div = 0.961 +
Hyst dac = 30720, pos slope dac = 0x8EBF, neg slope dac = 0x8C17, range = 680, div = 1.057 +
Hyst dac = 32768, pos slope dac = 0x8ED9, neg slope dac = 0x8BF7, range = 738, div = 1.147 +
Hyst dac = 34816, pos slope dac = 0x8EFD, neg slope dac = 0x8BD7, range = 806, div = 1.253 +
Hyst dac = 36864, pos slope dac = 0x8F21, neg slope dac = 0x8BB7, range = 874, div = 1.359 +
Hyst dac = 38912, pos slope dac = 0x8F43, neg slope dac = 0x8B91, range = 946, div = 1.471 +
Hyst dac = 40960, pos slope dac = 0x8F63, neg slope dac = 0x8B71, range = 1010, div = 1.570 +
Trig Hyst B1 = 21092.986, B0 = 8241.704
Hyst dac = 12288, pos slope dac = 0x8E13, neg slope dac = 0x8D99, range = 122, div = 0.190
Hyst dac = 14336, pos slope dac = 0x8E29, neg slope dac = 0x8D7F, range = 170, div = 0.265 +
Hyst dac = 16384, pos slope dac = 0x8E47, neg slope dac = 0x8D61, range = 230, div = 0.358 +
Hyst dac = 18432, pos slope dac = 0x8E61, neg slope dac = 0x8D45, range = 284, div = 0.442 +
Hyst dac = 20480, pos slope dac = 0x8E7F, neg slope dac = 0x8D2B, range = 340, div = 0.529 +
Hyst dac = 22528, pos slope dac = 0x8E9D, neg slope dac = 0x8D11, range = 396, div = 0.616 +
Hyst dac = 24576, pos slope dac = 0x8EB7, neg slope dac = 0x8CEF, range = 456, div = 0.710 +
Hyst dac = 26624, pos slope dac = 0x8ED7, neg slope dac = 0x8CD3, range = 516, div = 0.803 +
Hyst dac = 28672, pos slope dac = 0x8EF3, neg slope dac = 0x8CB1, range = 578, div = 0.899 +
Hyst dac = 30720, pos slope dac = 0x8F0F, neg slope dac = 0x8C91, range = 638, div = 0.993 +
Hyst dac = 32768, pos slope dac = 0x8F2F, neg slope dac = 0x8C77, range = 696, div = 1.083 +
Hyst dac = 34816, pos slope dac = 0x8F4B, neg slope dac = 0x8C55, range = 758, div = 1.180 +
Hyst dac = 36864, pos slope dac = 0x8F6F, neg slope dac = 0x8C33, range = 828, div = 1.288 +
Hyst dac = 38912, pos slope dac = 0x8F93, neg slope dac = 0x8C13, range = 896, div = 1.394 +
Hyst dac = 40960, pos slope dac = 0x8FB1, neg slope dac = 0x8BF1, range = 960, div = 1.494 +
Hyst dac = 43008, pos slope dac = 0x8FD1, neg slope dac = 0x8BD1, range = 1024, div = 1.593 +
Trig Hyst (2) B1 = 21337.714, B0 = 8659.335
**** CAL PASSED **** Time: 31 seconds
**** Channel Delays ****
--- Vertical Settings ---
Top : 0.251256
Base : -29.095478
Final Scale : 80.000000
Final Offset (POS_SLOPE): -14.547739
Final Offset (NEG_SLOPE): -14.547739
edge trigger delay factors
iteration: 0
analog trigger channel : 1
pos polarity path delay adjustment (Sec) : 2.32219828e-009
pos edge, bi edge delay factor (312.5e-15 Sec counts): -1569
neg edge delay factor (312.5e-15 Sec counts): -1569
analog trigger channel : 2
pos polarity path delay adjustment (Sec) : 1.50453629e-009
pos edge, bi edge delay factor (312.5e-15 Sec counts): -4185
neg edge delay factor (312.5e-15 Sec counts): -4185
analog trigger channel : 2
pos polarity path delay adjustment (Sec) : 9.296875e-010
Chan2 TC2 pos edge, bi edge delay factor (312.5e-15 Sec counts): -8525
Chan2 TC2 neg edge delay factor (312.5e-15 Sec counts): -8525
external trigger channel
pos edge, bi edge delay factor (312.5e-15 Sec counts): 1091
neg edge delay factor (312.5e-15 Sec counts): 1091
iteration: 1
analog trigger channel : 1
pos polarity path delay adjustment (Sec) : 1.07758621e-011
pos edge, bi edge delay factor (312.5e-15 Sec counts): -1535
neg edge delay factor (312.5e-15 Sec counts): -1535
analog trigger channel : 2
pos polarity path delay adjustment (Sec) : 0
pos edge, bi edge delay factor (312.5e-15 Sec counts): -4185
neg edge delay factor (312.5e-15 Sec counts): -4185
analog trigger channel : 2
pos polarity path delay adjustment (Sec) : -2.52016129e-012
Chan2 TC2 pos edge, bi edge delay factor (312.5e-15 Sec counts): -8532
Chan2 TC2 neg edge delay factor (312.5e-15 Sec counts): -8532
external trigger channel
pos edge, bi edge delay factor (312.5e-15 Sec counts): 1108
neg edge delay factor (312.5e-15 Sec counts): 1108
timeout trigger delay factors
iteration: 0
analog trigger channel : 1
pos polarity path delay adjustment (Sec) : 3.53825431e-009
pos edge, bi edge delay factor (312.5e-15 Sec counts): -878
neg edge delay factor (312.5e-15 Sec counts): -878
analog trigger channel : 2
pos polarity path delay adjustment (Sec) : 1.12239583e-009
pos edge, bi edge delay factor (312.5e-15 Sec counts): -8608
neg edge delay factor (312.5e-15 Sec counts): -8608
external trigger channel
pos edge, bi edge delay factor (312.5e-15 Sec counts): -4742
neg edge delay factor (312.5e-15 Sec counts): -4742
iteration: 1
analog trigger channel : 1
pos polarity path delay adjustment (Sec) : -4.31034483e-012
pos edge, bi edge delay factor (312.5e-15 Sec counts): -891
neg edge delay factor (312.5e-15 Sec counts): -891
analog trigger channel : 2
pos polarity path delay adjustment (Sec) : -3.52822581e-012
pos edge, bi edge delay factor (312.5e-15 Sec counts): -8618
neg edge delay factor (312.5e-15 Sec counts): -8618
external trigger channel
pos edge, bi edge delay factor (312.5e-15 Sec counts): -4754
neg edge delay factor (312.5e-15 Sec counts): -4754
setup & hold trigger delay factors
iteration: 0
S&H Delay, pos slope (Sec): 1.62446121e-009
S&H Delay, pos slope factor (312.5e-15 Sec counts): -3302
S&H Delay, neg slope factor (312.5e-15 Sec counts): -3302
iteration: 1
S&H Delay, pos slope (Sec): -2.69396552e-012
S&H Delay, pos slope factor (312.5e-15 Sec counts): -3310
S&H Delay, neg slope factor (312.5e-15 Sec counts): -3310
multi-channel delay factors
iteration: 0
Ch 1 Pattern Delay, pos slope (Sec): 1.53286638e-009
(chan1PattDly[POS_SLOPE]) Ch 1 Pattern Delay, pos slope factor (312.5e-15 Sec counts): -1495
(chan1PattDly[NEG_SLOPE]) Ch 1 Pattern Delay, neg slope factor (312.5e-15 Sec counts): -1495
Ch 1 Pattern Delay, mixed, pos slope delay (Sec): 1.65409483e-009
(chan1PattDlyMixed[POS_SLOPE]) Ch 1 Pattern Delay, mixed, pos slope factor (312.5e-15 Sec counts): -6707
(chan1PattDlyMixed[NEG_SLOPE]) Ch 1 Pattern Delay, mixed, neg slope factor (312.5e-15 Sec counts): -6707
Ch 1 State Delay, pos slope (Sec): 1.52209052e-009
(chan1StateDly[POS_SLOPE]) Ch 1 State Delay, pos slope factor (312.5e-15 Sec counts): -1429
(chan1StateDly[NEG_SLOPE]) Ch 1 State Delay, neg slope factor (312.5e-15 Sec counts): -1429
Ch 1 Timer Delay, mixed, pos slope (Sec): 1.77262931e-009
(chan1TimerDlyMixed[POS_SLOPE]) Ch 1 Timer Delay, mixed, pos slope factor (312.5e-15 Sec counts): -9328
(chan1TimerDlyMixed[NEG_SLOPE]) Ch 1 Timer Delay, mixed, neg slope factor (312.5e-15 Sec counts): -9328
iteration: 1
Ch 1 Pattern Delay, pos slope (Sec): 2.60416667e-012
(chan1PattDly[POS_SLOPE]) Ch 1 Pattern Delay, pos slope factor (312.5e-15 Sec counts): -1487
(chan1PattDly[NEG_SLOPE]) Ch 1 Pattern Delay, neg slope factor (312.5e-15 Sec counts): -1487
Ch 1 Pattern Delay, mixed, pos slope delay (Sec): 0
(chan1PattDlyMixed[POS_SLOPE]) Ch 1 Pattern Delay, mixed, pos slope factor (312.5e-15 Sec counts): -6707
(chan1PattDlyMixed[NEG_SLOPE]) Ch 1 Pattern Delay, mixed, neg slope factor (312.5e-15 Sec counts): -6707
Ch 1 State Delay, pos slope (Sec): 8.08189655e-012
(chan1StateDly[POS_SLOPE]) Ch 1 State Delay, pos slope factor (312.5e-15 Sec counts): -1403
(chan1StateDly[NEG_SLOPE]) Ch 1 State Delay, neg slope factor (312.5e-15 Sec counts): -1403
Ch 1 Timer Delay, mixed, pos slope (Sec): 2.69396552e-012
(chan1TimerDlyMixed[POS_SLOPE]) Ch 1 Timer Delay, mixed, pos slope factor (312.5e-15 Sec counts): -9319
(chan1TimerDlyMixed[NEG_SLOPE]) Ch 1 Timer Delay, mixed, neg slope factor (312.5e-15 Sec counts): -9319
**** CAL PASSED **** Time: 4 seconds
**** Analog Channel Skews ****
--- Vertical Settings ---
Top : 0.251256
Base : -29.095478
Final Scale : 80.000000
Final Offset (POS_SLOPE): -14.547739
Final Offset (NEG_SLOPE): -14.547739
skew for channel: 2
adjustment (Sec) =: -3.98185484e-010
2Gsa/s factor in 312.5e-15 Sec counts: -1273
skew for channel: 2
adjustment (Sec) =: 2.52016129e-012
2Gsa/s factor in 312.5e-15 Sec counts: -1265
skew for channel: 1
adjustment (Sec) =: -8.09151786e-011
1GSa/s factor in 312.5e-15 Sec counts: -258
skew for channel: 2
adjustment (Sec) =: -9.73958333e-010
1GSa/s factor in 312.5e-15 Sec counts: -3116
skew for channel: 1
adjustment (Sec) =: -8.09151786e-011
1GSa/s factor in 312.5e-15 Sec counts: -516
skew for channel: 2
adjustment (Sec) =: -7.55208333e-011
1GSa/s factor in 312.5e-15 Sec counts: -3357
**** CAL PASSED **** Time: 1 seconds
-----< Memory Status >-----
Memory Load 50% -> 53%: 3%
Physical Used (MB) 36.570 -> 38.348: 1.777
Total Calibration Time: 375
Lowest Frame Temp : 17.750000
Highest Frame Temp: 18.750000
Update Cal Header
Factory Cal Mode
Revision : 2
Cal Mode : Factory
Cal Satus : CAL_OK
Firmware Ver : 01.01.2016092800
Cal Temp : 24.250000 C
Cal Date : Tue Jul 18 09:11:14 2017
Cal Duration : 351s
Service Cal Mode
Revision : 1
Cal Mode : Service
Cal Satus : CAL_OK
Firmware Ver : 01.01.2016092800
Cal Temp : 24.750000 C
Cal Date : Tue Jul 18 09:11:14 2017
Cal Duration : 351s
User Cal Mode
Revision : 8
Cal Mode : User
Cal Satus : CAL_OK
Firmware Ver : 01.01.2016092800
Cal Temp : 18.250000 C
Cal Date : Wed Sep 28 00:06:52 2016
Cal Duration : 375s
**********************************
Calibration PASSED
Board: 0
Inst: xxxxxxxxxx(serial number)
Date: Wed Sep 28 00:06:53 2016
Duration: 6.3 minutes
Inst Temp: 18.5 degrees C
**********************************
I looks like it is possible to add LAN option. :popcorn:
LaunchInfiniiVision:
BLT Module Config 03 - UNKNOWN
=========================================
BLT Product Config 24
Bandwidth : 200MHz
#Channel : 2
Board Rev : FPR
Clk Gating : Baldwin
Sample Rate : 4GSa
LAN PHY : Yes
BLT Module Config 03
Rev : LP0
Sample Rate : 0GSa/s
=========================================
-
When User calibration fails, the last known calibration data is restored:
**** CAL FAILED ****
Recall \Secure\cal\FactoryCal2.dat - ok
Recall \Secure\cal\ServiceCal1.dat - ok
Recall \Secure\cal\UserCal8.dat - ok
Cal Date Wed Mar 22 09:18:21 2017
Update Cal Failed Header
What is the point of updating the Cal Failed Header so every time the scope boots it shows uncalibrated warning message? Technically the scope is not uncalibrated, it is calibrated to the latest good known values recalled from Usercal8.dat.
-
I had same problem with user calibration when generator components was missing. Scope showed notification that it is uncalibrated after every boot.
-
What is the point of updating the Cal Failed Header so every time the scope boots it shows uncalibrated warning message? Technically the scope is not uncalibrated, it is calibrated to the latest good known values recalled from Usercal8.dat.
To remind you that something isn't 100%.
Without a noticeable warning, users may forget that the unit has an "issue". It's easily ignorable after boot up - but you really don't want to be allowed to forget about it.
Besides, what if there was a real calibration issue - not related to a hack?
-
My scope has PCB REV A004
I have REV A005 which is related with BLT rev 003 and BLT_MODULE_CONFIG_0, 1.068v, ID3.
REV A004 is related with BLT rev 002 and BLT_MODULE_CONFIG_0, 0.687v, ID2.
Firmware looks the same in both cases. Maybe here is problem with calibration. I don't notices differences in hardware between A004 and A005. In BLT PCB I noticed one difference - bias resistors for memory. I set my scope to ID2 on BLT_MODULE_CONFIG_0 and it works. I noticed difference in device load time. On ID3 it is 0ms, on ID2 it is 1ms. However I can't handle the responsibility, when something goes wrong. I forgot to check user calibration on this setting. Here are resistors for BLT_MODULE_CONFIG_0.
Other option is that I rework all integrated circuits on main board while reverse engineering Maybe I broke something.
-
I wrongly assumed that user calibration was failing at the same point as before (External Trigger Level). It advances and fails trying to finish some CH1 calibration before switching to CH2. And I am having the same failure in both ID 24 (DSOX) and ID 22 (original EDUX) modes, so I am suspecting it must be some modification to the frontend I did.
**** External Trigger Level ****
/1 Trig B1 = 5303.000, B0 = 35740.000
/5 Trig B1 = 1071.000, B0 = 35740.000
/1 Trig 2 B1 = 17283.000, B0 = 28463.000
/5 Trig 2 B1 = 3492.000, B0 = 28463.000
**** CAL PASSED **** Time: 2 seconds
**** Wave Gen ****
[calibrator] = 0x3fb48 Q | -52958.38 Q/V
[0: DIV1 + DIV1 ] = 0x1eb87 Q | 10133.60 Q/V | (calV=2.518676V) 33.462407 V
[1: DIV4 + DIV1 ] = 0x1fa97 Q | 10132.40 Q/V | (calV=2.505949V) 8.296394 V
[2: DIV16 + DIV1 ] = 0x1ffdb Q | 10132.80 Q/V | (calV=0.639389V) 2.089760 V
[3: DIV64 + DIV1 ] = 0x1fff4 Q | 10132.40 Q/V | (calV=0.160163V) 0.540750 V
[4: DIV1 + DIV23] = 0x1eb63 Q | 235987.50 Q/V | (calV=0.450675V) 1.427369 V
[5: DIV4 + DIV23] = 0x1fa86 Q | 235982.50 Q/V | (calV=0.109747V) 0.356415 V
[6: DIV16 + DIV23] = 0x1ffcd Q | 235985.00 Q/V | (calV=0.024963V) 0.089604 V
[7: DIV64 + DIV23] = 0x1ffe5 Q | 235987.50 Q/V | (calV=0.006987V) 0.023206 V
[0: DIV1 + DIV1 ] = 33.225354 V (overwrite)
**** CAL PASSED **** Time: 62 seconds
**** Wavegen Trigger Level Offset ****
Wavegen Trig Offset = 0x8BA1
**** CAL PASSED **** Time: 1 seconds
**** Baldwin Trig Time Qual ****
Set CalConfigScope range 1.000000E-005, delay -1.000000E-006
FAILED! Top meas failed to return good value
**** CAL FAILED ****
-
LaunchInfiniiVision:
BLT Module Config 03 - UNKNOWN
=========================================
BLT Product Config 24
Bandwidth : 200MHz
#Channel : 2
Board Rev : FPR
Clk Gating : Baldwin
Sample Rate : 4GSa
LAN PHY : Yes
BLT Module Config 03
Rev : LP0
Sample Rate : 0GSa/s
=========================================
I see something wrong with your startup. It is giving "BLT Module Config 03 - UNKNOWN" error and the sample rate is 0GSa/s.
On my scope, I don't get the UNKNOWN error (as my BLT Module Config is 02) and the sample rate is 5GSa/s.
Did your BLT module came originally set to Config 03?
-
Yes, Original value was 03. I played with resistor dividers and BLT configurations above 02 as marked as unknown. It is probably information about BLT PCB revision. I have no idea what is problem with your scope now. Did you check solder points on connectors between main and BLT board? It's easy to broke it while removing BLT PCB. I totally broke solder points under 2 connectors while first BLT board removing, but after resoldering it works well. Please also check outside 47ohm resistors between LMH6552 and LC low pass filter in frontends. Here are differential signal split points to ADC and to U401.
-
What capacitor and inductor values have you used at the end of the frontend, after the differential amplifier?
-
I don't change these components.
-
This is the best I got by changing different settings:
**** Baldwin Trig Time Qual ****
Set CalConfigScope range 1.000000E-005, delay -1.000000E-006
Top : 1.658292
Base : -1.557789
Vert Scale : 80.000000
Vert Offset: -0.778894
Trig Level : -0.778894
Horz Range : 1.000000e-007
Horz Delay : 1.500000e-008
CalConfigScope range 1.000000E-007, delay 1.500000E-008
--- Internal Timer ---
Could not perform TVolt measurement on edge trigger
**** CAL FAILED ****
Compared to your scope that passes User Calibration:
**** Baldwin Trig Time Qual ****
Set CalConfigScope range 1.000000E-005, delay -1.000000E-006
Top : 2.663317
Base : -29.095478
Vert Scale : 80.000000
Vert Offset: -14.547739
Trig Level : -14.547739
Horz Range : 1.000000e-007
Horz Delay : 1.500000e-008
CalConfigScope range 1.000000E-007, delay 1.500000E-008
--- Internal Timer ---
tVolt for Edge Trigger = 2.321820 ns
Zero Time = 2.321820 ns
Base on Mine: -1.557789. Base on Yours: -29.095478
But most of the time, I get:
**** Baldwin Trig Time Qual ****
Set CalConfigScope range 1.000000E-005, delay -1.000000E-006
Top : 1.256281
FAILED! Base meas failed to return good value
**** CAL FAILED ****
-
I don't change these components.
Have you applied the FRA patch released by Keysight?
-
No. I haven't.
-
I think the FRA patch released by Keysight breaks the copyright message after the spash screen. Where it used to say "Keysight Technologies..." it says "ght Technologies..." after the patch is installed.
Can anyone with the FRA patch installed verify?
-
Maybe the user calibration on my scope has to do with a triggering problem. I realized it is not triggering correctly on rising edge. I need to set the trigger level about 10% of the lower bottom of the signal and above to start triggering. Falling edge triggers correctly. I suspect it is the LOW PASS FILTER capacitor and inductor values that I tried to match to a 2000X, but I may be completely wrong...
-
All scopes have some hysteresis on trigger. Problem is related with CH1, CH2 or both? I check it on my scope. Rising edge need to little (about 10%) over bottom and falling edge trigger little under top of signal. I will try to install FRA patch, but before it I want to finish LAN adapter. Telnet can be helpful if something goes wrong. Do you have other Keysight scope like 2000x or something?
-
The trigger "issue" I have is with both CH1 and CH2. But based on your description, it is within normal range. I have an MSOX3024A.
-
I think I am getting close to the problem. I noticed the signal is unbalanced. I am feeding a square wave from the signal generator, 1Vpp, 1KHz, offset 0V. I am seeing -531mV to +482mV on CH1, -523mV to +509mV on CH2. I put back the original components in the LPF outside the differential amplifier, but there is no change in the signal levels. I suspect this issue is related to the user calibration problem.
I will measure the differential outputs and post some pictures.
-
I don't change these components.
Did you replace the LMH6550 on the EDUX for the LMH6552?
-
Yes, I'm using LMH6552. After replace components I had problem with offset, but it's gone after user calibration, except 500uV/div. This setting is very noisy and with small offset. Try also measure voltages on differential out to VCM/ADC ref voltage (LMH6552 pin 2).
-
I add PHY LAN8700C, but it looks like it not have MAC address assigned - FF-FF-FF-FF-FF-FF. I'm not sure about pull up/down configuration of PHY. I made some reverse engineering of 2000x, 3000x and 4000x teardown photos, but it's not enough clear where pull resistors are going - probably GND. Now are 10k pull down resistors to RXD0, RXD1, RXD2, RXD3 lines. LED's are connected like in recommended schematic for MII mode - PHY application. I try to read M25P40 memory and also play with wire shark to check out communication.
LAN PHY detected.
EDeviceLoadEeprom, MAC address not programmed.
-EDeviceLoadEeprom 03:04:05:06:07:08
Phy found addr 31 (ticks=3327)
WaitForLink Start (ticks=3329)
No Link (ticks=4331)
<--EDeviceInitialize
GMAC DMA status register = 0x0
LIN: Data Valid
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
WaitForLink Start (ticks=6338)
Link Detected (ticks=6339)
GMAC Init : 100 Mbit/s FULL DUPLEX (MII)
Flushed Transmit Buffer
phyCfg->dwSpeed 0x64
phyCfg->bFullDuplex 0x1
<--EDeviceInitialize
GMAC DMA status register = 0x600004
DriverStart
GMAC Device enable interrupt
cable attached
Device load time:
NANDFLASH: 0 ms
SNANDFLASH: 0 ms
SHIM DLL, LoadRealDll [PalIO.dll] for [AgilentPalIO.dll]
SHIM [AgilentPalIO.dll] Get Process Addresses
LaunchInfiniiVision:
BLT Module Config 03 - UNKNOWN
-
Hi , any news / progress about 1000X hack ?
THX !!!
-
I add MAC address and it is possible to connect with scope by telnet. But hacking like in 2000x/3000x series is not working :(
-
So , if I am not interested in wavegen , FRA and stuff , what can I do to make a EDUX 1002A to get a 2Gs/s and 1Mpt memory ?
It is possible only by software or I still need to change resistors for Prod. ID ?
THX !
-
So , if I am not interested in wavegen , FRA and stuff , what can I do to make a EDUX 1002A to get a 2Gs/s and 1Mpt memory ?
It is possible only by software or I still need to change resistors for Prod. ID ?
THX !
Just change the Product ID resistors to 24 (DSOX). Software hack does not work.
-
Which resistors ?
What values ?
I've read this thread 3 times from beginning and more times searching through it but I cannot figure out what values and which resistors to change just for Id 24 on EDUX1002A .
Thank you !
-
My EDUX1002G is showing some strange traces while doing user calibration, at the very beginning of the process and after about 30 seconds into the process. Does anyone with the EDUX1002 or DSOX1000 see the same during user calibration? And of course it fails after running for about 4 minutes.
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=376186;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=376188;image)
-
EDUX1002A does not show this on calibration time .
-
Which resistors ?
What values ?
I've read this thread 3 times from beginning and more times searching through it but I cannot figure out what values and which resistors to change just for Id 24 on EDUX1002A .
Thank you !
It is described on this thread: https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg1162790/#msg1162790 (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg1162790/#msg1162790)
It activates all DSOX1000 features, which includes 1Mpts, 2GSa/s, 70MHz BW, etc
-
Thanks !
In the mean time thanks to a forum member (thuttu77) I have done the mod but still I am not sure about 1Mpts .
It show the same EDUX1002A but with 70 MHz , 2GSa , Segmented and Mask .
On EDUX 1002A resistors from left (green) was 1K & 10K (the picture is not from EDUX1002A) . I change it with 68k & 100K to obtain 0,95V corresponding to ID 023 .
-
Thanks !
In the mean time thanks to a forum member (thuttu77) I have done the mod but still I am not sure about 1Mpts .
It show the same EDUX1002A but with 70 MHz , 2GSa , Segmented and Mask .
On EDUX 1002A resistors from left (green) was 1K & 10K (the picture is not from EDUX1002A) . I change it with 68k & 100K to obtain 0,95V corresponding to ID 023 .
ID for DSOX1102G is 24, not 23. Do you know if 23 is the ID for DSOX1102A? If you see 70MHz, 2GSa/s and segmented memory, then you have the DSOX which by default has 1Mpts.
-
Yes , I know . As I mentioned I have EDUX1002A , not G, so I will not need Generator, FRA and stuff .
That way I need to choose ID023 for DSOX1002A .
I believe you about 1Mpts but there is a method to verify this ?
Thanx !
-
TK, photos from user calibration are very strange. I'm wonder, why it's not return fail immediately. Did you resolder connectors? If scope is working well, problem probably is in signal generator used for calibration. Check U33, U47 and stuff around it including PWM5V supply rail from U30. It's wired that it is in both channels... So check also 2 components on top side of main PCB, on the right from CH1 front end (capacitor and inductor). They are connecting both channels with BLT PCB. entry point of this connection in analog frontend it's via 390ohm resistor, A7 (sot23) double diode, 47X resistor to pin 1 of U34/U39. Maybe some capacitor on the way fail to open, and PWM signal is visible instead of DC. If here is everything okej I think that problem is in BLT board - bad solder points under BGA or damage inside IC's. Unfortunately my logic analyzer is too slow to capture digital communication while user calibration. I don't have more ideas to solve it.
-
TK, photos from user calibration are very strange. I'm wonder, why it's not return fail immediately. Did you resolder connectors? If scope is working well, problem probably is in signal generator used for calibration. Check U33, U47 and stuff around it including PWM5V supply rail from U30. It's wired that it is in both channels... So check also 2 components on top side of main PCB, on the right from CH1 front end (capacitor and inductor). They are connecting both channels with BLT PCB. entry point of this connection in analog frontend it's via 390ohm resistor, A7 (sot23) double diode, 47X resistor to pin 1 of U34/U39. Maybe some capacitor on the way fail to open, and PWM signal is visible instead of DC. If here is everything okej I think that problem is in BLT board - bad solder points under BGA or damage inside IC's. Unfortunately my logic analyzer is too slow to capture digital communication while user calibration. I don't have more ideas to solve it.
I resoldered all the connector pins (main PCB to BLT). I suspect my problem is with U34/U39. I will remove them and resolder. Have you soldered the center thermal pad? Any hints on how to solder them?
-
Thermal pad can be soldered only by hot air or IR station. U34/U39 is only differential amplifier. Thermal pad in LMH6552 is only for thermal purpose. If scope is working correctly on some test signal from generator I will search problem in other place.
-
TK, photos from user calibration are very strange. I'm wonder, why it's not return fail immediately. Did you resolder connectors? If scope is working well, problem probably is in signal generator used for calibration. Check U33, U47 and stuff around it including PWM5V supply rail from U30. It's wired that it is in both channels... So check also 2 components on top side of main PCB, on the right from CH1 front end (capacitor and inductor). They are connecting both channels with BLT PCB. entry point of this connection in analog frontend it's via 390ohm resistor, A7 (sot23) double diode, 47X resistor to pin 1 of U34/U39. Maybe some capacitor on the way fail to open, and PWM signal is visible instead of DC. If here is everything okej I think that problem is in BLT board - bad solder points under BGA or damage inside IC's. Unfortunately my logic analyzer is too slow to capture digital communication while user calibration. I don't have more ideas to solve it.
@hv222 Thanks to your hints, I resolved the user calibration error. It was the 390ohm resistor near U34 on CH1 frontend. The value was 3Mohms, even when it was marked 391. Replaced with a good one, and now it is a DSOX1102G that passes user calibration.
-
That's great. I'm preparing to new analog frontend design for this scope with 800MHz bandwidth and all main board on future. 800MHz sound's reasonable with 2GSPS ADC. I want to base on http://www.ti.com/lit/ug/tiduba4/tiduba4.pdf (http://www.ti.com/lit/ug/tiduba4/tiduba4.pdf) and https://www.flickr.com/photos/eevblog/21053475596/in/album-72157657671196148/ (https://www.flickr.com/photos/eevblog/21053475596/in/album-72157657671196148/) Maybe someone have more helpful resources like schematics, literature, application notes etc.?
-
Since Keysight released new firmware to DSO X 1000 series some time a go does enyone have tested / tried to hack it?
-
The new firmware will not allow you to set the date before year 2018. If you are using the trial serial decode option and setting back the time to use it "permanently", do not upgrade your scope to the latest firmware. Firmware cannot be downgraded.
-
The new version comes with a one month trial license for ALL ( DIS / EMB SERIAL Decode SPI/I2C plus AUTO which was not available before for EDUX Series) .
I don't know if this is possible because is a mod hardware (I have ID 23 ) or is a way to show that AUTO Decoding capabilities can be use even with EDUX Series . Auto was not marketed for sale with the EDUX series .
-
The new version comes with a one month trial license for ALL ( DIS / EMB SERIAL Decode SPI/I2C plus AUTO which was not available before for EDUX Series) .
I don't know if this is possible because is a mod hardware (I have ID 23 ) or is a way to show that AUTO Decoding capabilities can be use even with EDUX Series . Auto was not marketed for sale with the EDUX series .
I think it is because it was modded. SPI is not available on unmodded EDUX scopes, but it gets activated when modded.
-
The new firmware will not allow you to set the date before year 2018. If you are using the trial serial decode option and setting back the time to use it "permanently", do not upgrade your scope to the latest firmware. Firmware cannot be downgraded.
Its not problem to me I have serial debug license waiting activation, It would be interesting to see if AUTO is possible to add modded EDUX since info screen still says its EDUX but 70MHz
-
The new firmware will not allow you to set the date before year 2018. If you are using the trial serial decode option and setting back the time to use it "permanently", do not upgrade your scope to the latest firmware. Firmware cannot be downgraded.
Its not problem to me I have serial debug license waiting activation, It would be interesting to see if AUTO is possible to add modded EDUX since info screen still says its EDUX but 70MHz
If you activate the 30 day trial, it will activate all protocols including AUTO for a limited time. You cannot purchase AUTO on a modded EDUX scope because it is still an EDUX model for Keysight and they also verify the serial number.
-
I'm going to buy an EDUX1002A in the next few days. I'll let you know what firmware and hardware revision comes with.
Thanks for all the hard working you've been doing hacking this device!
-
Welcome to the forum, ePoxi. Enjoy your scope!
-
I have recently purchased a DSOX1102G-CFG001 70Mhz unit and would like to configure it to be a 100Mhz unit or better , would anyone know the resistor values to allow me to achieve this , thank you.
-
The 100MHz option is a software enabled option with the same hardware ID (resistors ID), so the only way I know to go to 200MHz is the infiniivision.lnk method. But it enables some sort of experimental version with 200MHz but no other options are enabled. It also shows the unfinished firmware error message.
-
The 100MHz option is a software enabled option with the same hardware ID (resistors ID), so the only way I know to go to 200MHz is the infiniivision.lnk method. But it enables some sort of experimental version with 200MHz but no other options are enabled. It also shows the unfinished firmware error message.
So I can buy the DSOX1102G 70Mhz and get it to 100Mhz without any resistor mods or opening the unit at all, software only? Can you link me I can't find it in this massive thread
-
Sorry if it was confusing... there is no good software hack at this moment. The only one is the 200MHz experimental version option and I found it to be unreliable. You are stick with 70MHz, but the scope should be good for viewing 100MHz signals with attenuation.
-
Ah ok, I understand, thank you!
-
What is the procedure for poking around the internal WinCE filesystem? The 2000/3000 hacking thread talks about telnet but that doesn't seem possible with the 1000.
I'm curious if the 1.10 firmware release from March means anything interesting for software hacks since it's a full firmware image you can download.
-
I have read all this thread and the conclusion is that it is not possible to hack the DSOX1000 in a reliable and easy way, as it is in Rigol, Hantek and others. Unfortunately :( :-\
-
I read something about a "time travel glitch", to enable the re-activation of the serial decode free 30-day trial license:
https://www.eevblog.com/forum/testgear/time-travelling-on-my-keysight-edux1002g/msg1280254/#msg1280254 (https://www.eevblog.com/forum/testgear/time-travelling-on-my-keysight-edux1002g/msg1280254/#msg1280254)
https://www.eevblog.com/forum/testgear/problems-registering-promotional-dsox1102g/msg1257164/#msg1257164 (https://www.eevblog.com/forum/testgear/problems-registering-promotional-dsox1102g/msg1257164/#msg1257164)
Has someone tried this with the latest firmware ? My unit is in transit, I would like to know if this feature will be available...
-
I've been curious about accessing the file system as well. Having crashed the InfiniiVision software on the scope a few times before, I've noticed that a mouse pointer becomes visible (and usable, but no Windows CE features are accessible). Additionally, I find that if I boot the scope with a USB floppy drive, it crashes as well... but the Windows CE desktop and taskbar become visible for a very short period of time before the "InfiniVision encountered an unexpected error" screen takes over.
In all honesty I don't care for the bandwidth upgrades, I just want to be able to muck around in Windows Explorer. :-DD
-
I was having some more fun with the oscilloscope, and it appears that the Windows CE desktop shell is hidden but active soon after the splash screen appears, and it accepts keyboard input for a brief period of time. I suspect that there is some hidden hardware or software command that switches the oscilloscope's display framebuffer between Windows CE's and what I presume is the MegaZoom IV ASIC, which would explain why the WinCE desktop appears very briefly before crashing.
Pressing the Windows key and U (the shortcut for Windows CE's Suspend option in the Start menu) causes the oscilloscope to hang; note that this is NOT Windows+U, each key is pressed separately. If I use Windows and R to bring up the Run dialog, I can blindly type rebootinfiniivision and the oscilloscope reboots.
This would require further investigation, but this potentially opens the scope up to (non-permanent) infiniivisionLauncher.exe command-line hacks used on the 2000X/3000X series. (see https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg347345/#msg347345 (https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg347345/#msg347345))
-
I also recently discovered that you can crash the scope via the USB interface. I was having a play with pyvisa and the scope suddenly locked up after sending some badly formatted commands. I wasn't able to reproduce it yet, but maybe there is some kind of buffer overflow hiding there. Needs some further investigation.
-
The USB interface(s) on the scope seem to be pretty sensitive to errors. I've managed to crash the scope before by wiggling a USB drive in the front socket (although other times it just disables it until a power cycle).
I built a USB A/B switch cable so I can boot the scope with a USB floppy drive to crash the InfiniiVision software, then switch over to the keyboard and enter commands. In one example, I was able to open Control Panel in WinCE. Soon after the splash screen appears and the front panel LEDs begin cycling, I press Windows, S (for Settings) then C (for Control Panel); the crash handler goes fullscreen within one frame so I can't actually do much past this without an automated USB keyboard emulator - time to break out a nice USB-capable microcontroller! It appears that the crash handler does a pretty good job of blocking me from the Windows GUI but taking slow-motion captures of the screen have allowed me to begin probing into the layout of Windows CE inside the scope.
I think this could be a dedicated topic on its own (or at least a series of blog posts for me)...
-
It's done! I have managed to gain full WinCE GUI access. Now I can use my oscilloscope as a very expensive PDA... :scared:
Details to come, but one key part was using my Sony Clie NX73V's Data Import (USB drive emulation) mode which seems to crash InfiniiVision, but also make the crash handler think the firmware is corrupted. This brings us a Windows Explorer-esque prompt, and after entering "*.lnk" and opening a specially crafted .lnk to a batch file, the crash handler is taken down and a quick-and-dirty program I wrote restores the taskbar that the crash handler disabled.
Also, it appears the InfiniiVision Launcher hack on the 2000/3000 series might not be usable (or at least I haven't bothered testing this yet). The shortcut itself in the latest firmware (01.10.2018012838) \Secure\Startup\infiniivision.lnk is zero bytes, just like in the .ksx update package.
-
Hah, that is pretty cool!
I thought the .lnk was already tested and proven to not work on the 1000X series. Or maybe it will but nobody has patched the runtime yet.
I wonder what other WinCE devices your crashing technique might be able to be used on :)
-
Given that the 1000X series derives its functionality from the same InfiniiVision software used on their higher tier scopes, I bet other models might be susceptible to a similar glitch. I don't have any other models to test, however.
I apologize for the (maybe excessive) updates, but I must say this... Yes, it runs Doom!
-
I apologize for the (maybe excessive) updates, but I must say this... Yes, it runs Doom!
No need to apologize ... DOOM on a scope how cool is that :-+
-
A USB floppy plugged into my 3000t when powered on causes it to restart over and over, the screen is never initialized though. If you then unplug the floppy it boots with an error. My other WinCE devices ignored the floppy.
-
Does the floppy drive work if the scope is already powered on? On my scope it enumerates as "Floppy Drive" and is usable like any other mass storage (minus the crash on boot).
-
Does the floppy drive work if the scope is already powered on? On my scope it enumerates as "Floppy Drive" and is usable like any other mass storage (minus the crash on boot).
I tried it on a 3000A and 3000T, the floppy doesn't appear to be supported under either if connected after boot. On the 3000A I do get a screen saying it is checking the file system integrity and that it will restart if it is connected when it is powered on. While at that screen there is a mouse pointer if I have a USB keyboard/mouse connected. I haven't noticed it accepting any keyboard commands but if the timing was right it might. I suppose on the 3000 series it isn't needed anyway so lets get back to the 1000X show. Looking forward to seeing what you do next.
-
My writeup on gaining access to the WinCE desktop is finished!
Check it out here: https://ripitapart.com/2018/10/15/gaining-access-to-the-windows-ce-desktop-and-doom-on-the-keysight-dsox1102g-oscilloscope/ (https://ripitapart.com/2018/10/15/gaining-access-to-the-windows-ce-desktop-and-doom-on-the-keysight-dsox1102g-oscilloscope/)
The other thread in the Test Equipment forum is here: https://www.eevblog.com/forum/testgear/its-been-done-the-keysight-1000-x-series-dsos-run-doom!/ (https://www.eevblog.com/forum/testgear/its-been-done-the-keysight-1000-x-series-dsos-run-doom!/)
-
Hi!
I got a basic EDUX model to play with and ofc run DOOM on it 8)
Before I made any software modification I would you like to make some necessary hardware mod.
I already gather every components for the ext. trigger region, but I have trouble with the generator area.
Someone can help me identify the components for it? Unfortunately nor TK's, nor Dave's pictures are sharp enough on that area.
For starter a good picture would be helpful.
Thanks!
-
Hi,
Ask directly users TK or HV22 about values used .
But until you will not remove the limiter circuit from frontend you will not see any improvement on screen .
Good luck !
-
I already see a few improvements just changing the product config from 21 to 23.
Increased bandwidth from 50Mhz to 70Mhz with 2GSa/s sample rate, enabled segmented memory(SGM), mask testing(MASK) and also SPI decoding if you have a installed licence.
Of course hardware self test gonna fail, because the lack of ext. trigger circuity. Just until I add every missing parts, already on order.
Or do you mean more bandwidth than 70Mhz? because that's right, but I'm already happy with it, EDUX series just limited as ..
-
Yes , I mean bandwidth , you see any improvement from 50 to 70 ?
-
Check this post for front end EDUX to DSOX hack
https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg1229796/#msg1229796 (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg1229796/#msg1229796)
-
And here for the ext. trigger .
https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/425/ (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/425/)
Thanks hv222 .
-
Thanks guys. I already added the missing components for the external trigger. The third digital channel came alive and working, but still the hardware test failed. Later, on an another session I'm going to modify the frontend, also I got the PHY controller for networking.
@skander36 The 20MHz more bandwidth is not too much, but the other extra features are gold.
-
Unfortunately the frontend mod is postponed due missing resistors.. forget to order and can't find an equivalent on my junk bin |O
Until then I made a little reverse engineering on the missing 36 pin IC, next to the USB-B connector.
Turned out it's a USB HUB controller, not an ethernet controller. Why should they do that? More USB input perhaps? Question is it can handle an USB-ethernet adapter?
Datasheet: http://ww1.microchip.com/downloads/en/devicedoc/00001692c.pdf (http://ww1.microchip.com/downloads/en/devicedoc/00001692c.pdf)
And here is some picture:
(https://www.fercsa.com/keysight/36pin_ic_front.jpg)
(https://www.fercsa.com/keysight/36pin_ic_back.jpg)
-
The 20MHz more bandwidth is not too much, but the other extra features are gold.
Hi FERCSA , don't get me wrong , I think that Keysight make the best scopes on market today , but personally I don't think it worth the effort for transforming this scope . I think that is a better choice to buy one that has the options from factory (I mean calibrated and stable).
Regards .
-
@skander36
Look, I understand an instrument is good enough until (s)he has your trust, but this scope's mainboard is relatively simple and the PCB quality.. enjoy to work with. Converting to DSOX is already worth it by just replacing one resistor.
Adding missing components for the external trigger and replacing a few components at the front end area also worth it, just look at my nice square wave. Mine is successfully get trough user calibration after I had a few hiccups.
So here is a few interesting errors and clues for others. These are cuts from the serial log under calibration.
External trigger area, mysterious(no one measured it) cap under the comparator(LMV7219):
4.7uF
**** External Trigger Level ****
/1 Trig B1 = 5303.000, B0 = 35860.000
/5 Trig B1 = 1071.000, B0 = 35860.000
**** CAL FAILED ****
100nF
**Xtrig Delay Cal**
Failed. Could not get a duration trigger to fire.
**** CAL FAILED ****
10nF
Cal Satus : CAL_OK
So looks like a less than 100nF cap is necessary here. You can tell that just the color of the cap from a DSOX picture. And yes that's a misspell by keysight :-DD
Frontend LPF filter after diff amp, before ADC, when the two caps are too big. Basically i got a saw on the screen instead of a perfect square waveform from my source. It was funny to see and also the look on my face..
**** Baldwin Trig Time Qual ****
Set CalConfigScope range 1.000000E-005, delay -1.000000E-006
FAILED! Top meas failed to return good value
**** CAL FAILED ****
One more note. After replacing the diff amp at the frontend with a LMH6552, I got a ~500uV/div offset in minus, but it's gone after user calibration.
USB Hub hack.. I really don't get it why keysight put it there. The hub is for your PC, not for your scope. So I added a usb2serial adapter to the second downstream channel of the hub and no more hanging wire from my scope anymore, very neat.
Also there is a missing pair of protection diode here and there is one at the other usb socket, so no wonder why ginbot crashed the scope by just wiggling an USB drive.
Ohh just to confirm, ginbot's hack worked for the first try, nice job! :clap:
If you really need a second usb port, you have to utilize some pins on the none populated connector at the BLT board. SPEAr600 has 2 host ports. I use this for a permanent usb storage.
So everything looks great, I'm happy with the modifications and it's time to take a look into the firmware. First glace it's not that easy, usb boot not working and without a lan card I have to modify the nk.bin.comp file then flash it under windows to the second image space, then switch to it under uboot.
After all here is a few picture. More to come, but I have to edit them.
(https://www.fercsa.com/keysight/second_usb.png) (https://www.fercsa.com/keysight/second_usb.png)
second usb
(https://www.fercsa.com/keysight/new_lpf_vs_original_lpf.png) (https://www.fercsa.com/keysight/new_lpf_vs_original_lpf.png)
After I added the LMH6552. CH1=new LPF filter, R2=original LPF
(https://www.fercsa.com/keysight/frontend_mod_before.jpg) (https://www.fercsa.com/keysight/frontend_mod_before.jpg)
frontend before (CH2)
(https://www.fercsa.com/keysight/frontend_mod_after.jpg) (https://www.fercsa.com/keysight/frontend_mod_after.jpg)
frontend after (CH1)
(https://www.fercsa.com/keysight/trigger_mod_before.jpg) (https://www.fercsa.com/keysight/trigger_mod_before.jpg)
ext. trigger before
(https://www.fercsa.com/keysight/trigger_mod_after.jpg) (https://www.fercsa.com/keysight/trigger_mod_after.jpg)
ext. trigger after
-
Hi , you have obtained very good result . good for you !
But not all are so skilled like you , for most hobbyists (it's an EDU version) , modifications you did are hard to achieve needed Frontend and Ext. Trig. modifications .
Loosing warranty still remain a problem . Dave's scope is now broken and is not the only one that have this problem .
I like mods very much (I think that all my stuff are moded in some ways) but I concluded that for a precision instrument is better to have manufacturer warranty , other ways you will always have doubt about measurements you did .
Anyway you did a very good job and thank you for posting informations that encourage those they want to try to modify this scope. :-+
-
Mine is out of warranty since a few weeks now, so it not concerns me.
But I can tell you one thing, comparing my starting point(basic EDUX) and what I got now, there is a massive difference.
And who knows what comes next. At first glance there is a lot of hidden menu in the firmware.
More pix:
(https://www.fercsa.com/keysight/first_patch.png) (https://www.fercsa.com/keysight/first_patch.png)
First patch, looks like everything is on track :popcorn:
(https://www.fercsa.com/keysight/BLT_module.jpg) (https://www.fercsa.com/keysight/BLT_module.jpg)
Serial, JTAG and extra USB port (HOST2 on front, HOST1 not connected by default)
In the future if someone open up his/her scope(-G version), I'd really appreciate a hi-res photo from the wavegen area.
-
Yeah, when I was doing a string search in infiniiVisionCore.dll there are strings that refer to advanced features not found on the 1000-X series like AC power measurements (reactive power, etc.).
-
Hey guys,
So I just ended up buying this scope today, it’s in the mail and will reach me by Monday!!
All i need the scope for is to build guitar amps, guitar effects, troubleshoot issues in these devices.
Do you guys believe this would be sufficient.
Oh and what I’ve ordered is the EDUX1002A.
I also have a Philips PM3213 and soon will have a Tek CRO that I’m working with a friend to procure.
Any inputs are appreciated.
-
For the purposes of troubleshooting audio-frequency electronics I think it's plenty, and the measurement tools in the scope will make it easier to do than with an analog CRO too.
-
For the purposes of troubleshooting audio-frequency electronics I think it's plenty, and the measurement tools in the scope will make it easier to do than with an analog CRO too.
Oh, Thank you so much, I was a little tense after reading the memory depth thinking 100kpts was going to be a barrier for my audio frequency work.
Just wanted to get a good, reliable scope and went for it, the other options here in India are exorbitantly priced.
Had an OWON SDS7102 about an year back, sold it off as I was planning to move out of the country (that plan has now gone to trash), had to get back a scope, and the same scope now costs double the money I'd paid when i got it about a year and half ago.....madness....
-
Hi aryasridhar ,
For the audio it is far enough , although a big point for audio is the frequency response analyzer(FRA) function which is not found on 1002A.You shall look for G version (with generator) .
I use it for tuning some guitar effects (Electric Mistress was one of them, some type of flangers , etc) . You will need also a signal generator for signal injection . For audio bandwidth are not expensive .
When you will be using, you will find why they say that Keysight is a real scope .
Good luck !
-
@aryasridhar skander36 is right, for analog development a FRA is a huge plus. If you can change your order, don't hesitate, it's gonna worth it.
@ginbot86 yep that's my goal. Also it's possible to upgrade the scope's firmware with a modified nk.bin, without opening up. It'll makes easier to apply a hack in the future for non-tech people. Sounds cool?
Unfortunately the infiniiVisionCore.dll sit in the nk.bin file as a module, which makes it impossible to replace and makes everything complicated. For example, reflashing the firmware every time just because I made some changes or applying valid checksums. So this weekend I had a idea and I thought let's try it out.. I was able to boot up a customized u-boot/QEMU combo. If I can emulate a serial flash memory, not to mention a nand storage or just the corresponding memory addresses in RAM, that'll be real fun.
arm-softmmu/qemu-system-arm -M p500 -cpu arm926 -serial mon:stdio -net tap -net nic -kernel u-boot_image.bin
Running QEMU with GTK 2.x is deprecated, and will be removed
in a future release. Please switch to GTK 3.x instead
U-Boot Keysight-dirty #FERCSA (Nov 29 2018 - 02:09:55)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
*** Warning - bad CRC, using default environment
SerNum:serial number not programmed
Chip: BA Board Rev: x
Error: start and/or end address not on sector boundary
Net: unknown
Press space to stop autoboot 0 0
p500> help
? - alias for 'help'
adc - performs A/D conversion on channel
base - print or set address offset
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
cdp - Perform CDP network configuration
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
dcache - enable or disable data cache
dhcp - boot image via network using DHCP/TFTP protocol
echo - echo args to console
editenv - edit environment variable
erase - erase FLASH memory
expi - program EXPI Clock
flinfo - print FLASH memory information
fpga - loadable FPGA image support
fsinfo - print information about filesystems
fsload - load binary file from a filesystem image
go - start application at address 'addr'
help - print command description/usage
hwreset - Perform HW RESET of the CPU
i2c - I2C sub-system
icache - enable or disable instruction cache
iminfo - print header information for application image
imls - list all images found in flash
imxtract- extract a part of a multi-image
itest - return true/false on integer compare
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
ls - list files in a directory (default /)
md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtest - simple RAM read/write test
mw - memory write (fill)
nand - NAND sub-system
nboot - boot from NAND device
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
rtc - print time from RTC
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
saves - save S-Record file over serial line
setenv - set environment variables
sleep - delay execution for some time
source - run script from memory
splash - load splash image on display
tftpboot- boot image via network using TFTP protocol
version - print monitor version
p500>
-
Maybe later it'll be useful for someone, so I'm gonna share this. I had to make a little detour, because none of my debuger/flasher/jtag cable worked and I have a bunch, believe me.
My first thing was to search trough ebay. I found an used j-link edu with a very reasonable price, of course next day it was gone.. #$+%
What should I do now? I remembered there is a option to upgrade an genuine st-link v2 to a j-link. So let's try it out.
Sure.. my cheapo v2 clone was not supported, but after a few NOPs and JMPs in the reflasher I got this:
Firmware: J-Link STLink V2 compiled Jun 26 2017 10:34:41
Hardware version: V1.00
S/N: XXXXXXXXX
VTref=3.300V
Unfortunately it's not supporting the JTAG protocol, only SWD, bummer.. I probed every pins, but I don't find the TDO, TDI pins. Luckly J-link commander has some options to toggle certain pins.
What's next? I thought it's maybe the stm32f101 chip, so I found my blue pill, nope not that, it's a stm32f103 dev board. Flashed the firmware aaand same issue..
I was a little bit disappointed, but what about J-link OB? After I extracted the firmware from ozone I got the following result:
Firmware: J-Link OB-STM32F103 V1 compiled Aug 14 2017 12:43:08
Hardware version: V1.00
S/N: -1
VTref=3.300V
Looks promising..
After probing, I finally got every necessary pins, bingooooo!
./JLinkExe
SEGGER J-Link Commander V6.40 (Compiled Oct 26 2018 15:07:12)
DLL version V6.40, compiled Oct 26 2018 15:07:03
Connecting to J-Link via USB...O.K.
Firmware: J-Link OB-STM32F103 V1 compiled Aug 14 2017 12:43:08
Hardware version: V1.00
S/N: -1
VTref=3.300V
Type "connect" to establish a target connection, '?' for help
J-Link>connect
Please specify device / core. <Default>: SPEAR600
Type '?' for selection dialog
Device>
Please specify target interface:
J) JTAG (Default)
TIF>
Device position in JTAG chain (IRPre,DRPre) <Default>: -1,-1 => Auto-detect
JTAGConf>
Specify target interface speed [kHz]. <Default>: 4000 kHz
Speed>auto
Device "SPEAR600" selected.
Connecting to target via JTAG
TotalIRLen = 8, IRPrint = 0x0011
JTAG chain detection found 2 devices:
#0 Id: 0x07926041, IRLen: 04, ARM926EJ-S Core
#1 Id: 0x07926041, IRLen: 04, ARM926EJ-S Core
Auto JTAG speed: 1286 kHz
CP15.0.0: 0x41069265: ARM, Architecure 5TEJ
CP15.0.1: 0x1D152152: ICache: 16kB (4*128*32), DCache: 16kB (4*128*32)
Cache type: Separate, Write-back, Format C (WT supported)
ARM9 identified.
J-Link>
I'm in. Currently I'm dumping the memory and trying to construct a memory map. Looks like "everything is hunky-dory".
-
So I got my EDUX1002A the other day, love it, for my needs it’s more than enough. Much better than the OWON SDS7102 I had back in the day.
Had a query though, the max input voltage into the channels is rated at 170V RMS, does that mean I can’t prove into guitar tube amps? as plate voltage could get upto 400V DC in them. But since I check signal flow, dealing with AC voltages in mV, would it be safe to use the scope in AC coupling?
For now I use my Philips PM3213 scope for tube amp troubleshooting.
-
Looks like santa coming early, not just on rigol land :popcorn:
(https://www.fercsa.com/keysight/hack_1.png) (https://www.fercsa.com/keysight/hack_1.png)
(https://www.fercsa.com/keysight/hack_2.png) (https://www.fercsa.com/keysight/hack_2.png)
(https://www.fercsa.com/keysight/hack_3.png) (https://www.fercsa.com/keysight/hack_3.png)
(https://www.fercsa.com/keysight/hack_4.png) (https://www.fercsa.com/keysight/hack_4.png)
-
No Santa for the rest of us if you don't share the hack...
-
No Santa for the rest of us if you don't share the hack...
Very soon, don't worry Santa is on it's way to you too, look out for your chimney haha. Enough with the jokes. Give me a little bit of time to test a few more iterations then I'll share it just like my hardware mods. This version was a very crude one, because I had to rewrite the complete licence loading rutin in assembly. Unfortunately there are some new extra features which not behaves as intended, but you'll see, probably it was there for further developments or just leftovers from the 2/3000 series fw, who knows.
-
FW v1.1: https://bit.ly/dsox1102hack (https://bit.ly/dsox1102hack)
MD5: ad84976ff2f5b044a21020436751c5c3
1.1 is the same as 1.0, it's just add a small guide while you updating.
Just copy my .ksx file to an usb stick then insert into your scope and open it with the built-in file explorer.
A few minutes later, when the screen turned to pitch black and every LED turned on make a cold reset (power off-on). Sometimes soft reset won't work..
A few times happened with me, if you can't load the firmware from the file explorer, just reset everything back to default and try again.
There are a few known bugs like the PWR, Power application, you can't select certain menu items.
Another one is BW50, I found some sub routines which relying on different frequencies like 50-70-100-200 but no mention of 500. It's not a big deal anyway because you can't go way beyond 200-220Mhz.
If you find something else just report it, then maybe it's fixable on assembly level without a bunch of work.
I loaded every possible options, so no difference between "normal" and -G version.
Also I put the original non-modified fw to the second image location as a fail-safe. You can switch to it with a serial cable by pressing 'space' then select '2' on the beginning of the boot process.
-
Everything seems to work as described. Training signal menu is missing i2c and SPI. I will continue testing.
Amazing hack :-+ :-+ :-+ Santa arrived before Christmas!
Is there any way to go back to normal firmware reinstalling it from the USB drive?
-
Sure, but I only tested the downgrade functionality with an older(2016) firmware which is works perfectly, thanks to the FWD option. Should be fine with the latest too.
-
With the FWD option installed with the hack, it is possible to downgrade by reflashing the original firmware. I assume it works with firmware 1.10 as well. Nice to have the option to downgrade!!
-
Complete front-end schematic for CH1. CH2 is similar, but have different connections going to other blocks in scope.
-
I tested the bandwidth after installing the FERCSA hack on the EDUX-1002G unit. It has the DSOX-1102G front end mod.
-3dB is around 150-160MHz
It can reliably measure frequency up to 360-380MHz but with significant signal attenuation.
-
I tested the bandwidth after installing the FERCSA hack on the EDUX-1002G unit. It has the DSOX-1102G front end mod.
-3dB is around 150-160MHz
It can reliably measure frequency up to 360-380MHz but with significant signal attenuation.
Did you replace the LP filter too? After the LMH6552, because the 150-160MHz a little bit low, I can measure a 200-205MHz pulse without any attenuation. Unfortunately I can't go above this right now, but looks like the scope still has some juice in it.
I had to dig into my notes, but I found it, so these are the components what I used:
LQP18MN47NG02D (47nH)
CL10C4R7BB8NNND (4.7pF C0G)
-
I tested the bandwidth after installing the FERCSA hack on the EDUX-1002G unit. It has the DSOX-1102G front end mod.
-3dB is around 150-160MHz
It can reliably measure frequency up to 360-380MHz but with significant signal attenuation.
Did you replace the LP filter too? After the LMH6552, because the 150-160MHz a little bit low, I can measure a 200-205MHz pulse without any attenuation. Unfortunately I can't go above this right now, but looks like the scope still has some juice in it.
I had to dig into my notes, but I found it, so these are the components what I used:
LQP18MN47NG02D (47nH)
CL10C4R7BB8NNND (4.7pF C0G)
At one point I had the LP filter replaced but I found it to have more noise than the standard values, so I rolled back. I will try the values you suggested and see if I can measure 200MHz without attenuation.
-
You will always get more noise with increased bandwidth.
-
Schematic of function generator and group of components located between analog front-end and function generator. This group probably handle the signal offset and part of user calibration. Some power supply components like ferrite beads and decoupling capacitors can be missing in power supply lines. I will appreciate I someone can measure capacitors and inductors values in function generator. Is amplitude of generated signal constant while changing frequency? I add generator function to my scope, but signal shape is not satisfied :(
U31 and U33 are SN74HCT04PW
U46 and U47 are TL274
-
Schematic of connectors between two boards and LCD FFC connector. Pin numbers are not equal to pin numbers provided by connector manufacturer. Geometrical location on schematic is matching with connectors location on analog board. Connectors are FCI / Amphenol Bergstak series. 40pin, 2 rows, 0.8mm pitch. 61082-04xxxxxx.
-
On the new 4-channel DSOX1204G ( FW 2.00) , they seem to have added a "Host ID", in the form DSOX1204G,CNnnnnnnnn,xxxxxxxxxxxxxxxx where n is the serial no. and x are alphanumerics.
There is an option to save this to a USB stick - help on this says it is used for redeeming licenses.
-
The new DSOX1204G runs Linux, so back to square one...
-
@mikeselectricstuff
Could you add more photos of 4ch version also with key board?
I try to share full schematic of 2ch version. It will be good point to compare both scopes.
-
@mikeselectricstuff
Could you add more photos of 4ch version also with key board?
I try to share full schematic of 2ch version. It will be good point to compare both scopes.
Not much time at the moment - let me know if there's anything specific
-
It looks like 4ch scope have bigger NAND memory - 2Gb instead of 1Gb in 2ch scope. All Micron memories was replaced by Winbond. SDRAM memories remains same size.
-
If the new models going to use Linux and have soft power switch, it is possible to reduce the booting time.
I uploaded the video which it is used on the product. Chatting about the suspend to memory is mentioned in the later in the video.
https://www.youtube.com/watch?v=kZMAb-fqp8A (https://www.youtube.com/watch?v=kZMAb-fqp8A)
-
The new 1204 has a real power switch
-
Hopefully, that's a sign that Keysight equipment designs will be more conscious of vampire power consumption.
-
Hopefully, that's a sign that Keysight equipment designs will be more conscious of vampire power consumption.
Agilent/Keysight scopes always had hard (real) power switches
-
Hopefully, that's a sign that Keysight equipment designs will be more conscious of vampire power consumption.
Agilent/Keysight scopes always had hard (real) power switches
Nope.
https://www.youtube.com/watch?v=Xjlxj0HDcw4 (https://www.youtube.com/watch?v=Xjlxj0HDcw4)
-
If the new models going to use Linux and have soft power switch, it is possible to reduce the booting time.
I uploaded the video which it is used on the product. Chatting about the suspend to memory is mentioned in the later in the video.
Not really, if the system is done well the boot time into application should be sub 5 seconds, getting the analog side ready for use likely takes almost as long, and would be needed on a return from suspend anyway.
-
Hopefully, that's a sign that Keysight equipment designs will be more conscious of vampire power consumption.
Agilent/Keysight scopes always had hard (real) power switches
Nope.
https://www.youtube.com/watch?v=Xjlxj0HDcw4 (https://www.youtube.com/watch?v=Xjlxj0HDcw4)
Sorry, I based my conclusion on the 1000X series and the 54622D (and other vintage HP / Agilent instruments)
-
So... Have tried someone to patching files in, re-packing and flashing the nk.bin? :)
after all, we all are interested in unlocking the licensed features :)
-
Hopefully, that's a sign that Keysight equipment designs will be more conscious of vampire power consumption.
6.5W may not sound much but over a year it adds up to about £8 at UK power rates, so over the life of the item it might add a significant part of its purchase cost.
-
I've found (maybe, this is not a news?:) ) that signature check is done in Agilent.Cdf.Api.Licensing.dl )
I patched this file to skip checking the signature in the license file. Now i need to try to replace this file in nk.bin, and install with the fw update.
-
Let us know then if that worked...
-
@vladsol It's already done. Only one page back.. and you should find a modified ksx file which activates all the official and unofficial options, later one can't be activated with any license. Also if Keysight really switch over to linux on the 1xx2 series too, it's just not worth the time and effort to dig deeper into the current firmware.
@TK Did you have time to replace your LP filter?
@Mike Any news about a firmware update for the 4ch version?
-
@TK Did you have time to replace your LP filter?
Not yet. I have the parts in the arrow shopping cart and waiting to order some additional components
-
@FERCSA, I apologize, have not seen before. This is great news :) Thank you!
Installed on DSOX1102G
Serial decoding is working. The power analyzer, unfortunately, does not work.
-
Keysight EDUX and DSOX are on sale at Element 14. The EDUX is $503 Canuck coins , equivalent of only $383 Yankee bucks. Coupled with the hack in this thread - insane value. Got one, shipping was $20 CAD.
-
There is a Keysight promotion: 15% for scopes <= 200MHz, 25% for >=350MHz
https://www.keysight.com/main/editorial.jspx?cc=US&lc=eng&ckey=3015601&nid=-32110.1203277.00&id=3015601 (https://www.keysight.com/main/editorial.jspx?cc=US&lc=eng&ckey=3015601&nid=-32110.1203277.00&id=3015601)
It does not include the new 4-channel 1000X series
-
External trigger area, mysterious(no one measured it) cap under LMV7219
Is it on the other side of the PCB ?
-
I looks like it is possible to add LAN option. :popcorn:
LaunchInfiniiVision:
BLT Module Config 03 - UNKNOWN
=========================================
BLT Product Config 24
Bandwidth : 200MHz
#Channel : 2
Board Rev : FPR
Clk Gating : Baldwin
Sample Rate : 4GSa
LAN PHY : Yes
Can you share details of this mod?
-
External trigger area, mysterious(no one measured it) cap under LMV7219
Is it on the other side of the PCB ?
Nope. Same side as most of the mods. Just look for U9 on this picture:
https://www.fercsa.com/keysight/trigger_mod_before.jpg (https://www.fercsa.com/keysight/trigger_mod_before.jpg)
Then top-right, there is a 10nF cap. I used 10nF, because I already had one. Others used a 33nF cap, so that could be good too.
I looks like it is possible to add LAN option. :popcorn:
LaunchInfiniiVision:
BLT Module Config 03 - UNKNOWN
=========================================
BLT Product Config 24
Bandwidth : 200MHz
#Channel : 2
Board Rev : FPR
Clk Gating : Baldwin
Sample Rate : 4GSa
LAN PHY : Yes
Can you share details of this mod?
I didn't make this mod, but you'll need a LAN8700C chip and just connect it to the unpopulated connector on the BLT module.
U-boot supports other chips like Microsemi (ex-Vitesse) VSC8641 and one from National, but I don't remember the exact part number.
I tried a cheap usb-lan adapter too, it had WinCE driver, but when I loaded this driver nothing happened. Probably there is a missing network related component or registry entry. It would be fun to solve this, because I successfully run a gdb server on this scope before, but I was not able to make a connection through serial.
-
I looks like it is possible to add LAN option. :popcorn:
LaunchInfiniiVision:
BLT Module Config 03 - UNKNOWN
=========================================
BLT Product Config 24
Bandwidth : 200MHz
#Channel : 2
Board Rev : FPR
Clk Gating : Baldwin
Sample Rate : 4GSa
LAN PHY : Yes
Can you share details of this mod?
It needs some PCB with LAN8700C. Schematic is same like this: http://ww1.microchip.com/downloads/en/DeviceDoc/evb8700_mii_sch.pdf (http://ww1.microchip.com/downloads/en/DeviceDoc/evb8700_mii_sch.pdf) to configure LAN8700C pins RXD0, RXD1, RXD2 and RXD3 require 10kOhm pull down resistor to GND.PHY is connected with processor board on unsoldered connector I don't used 100om resistors. I'm not sure if I mark pin 1 correctly. Check ground pins location.
You also need to modify memory U701. MAC is located in this flash at address 0x070000 to 0x070005 (6 bajts).Mac is not programmed by default - it value is 0xff 0xff 0xff 0xff 0xff 0xff. I got access to flash via FT2232 chip and software SPI FTDI programmer (flash was extracted from board). However this hack not give me too much. It was possible to connect with scope via telnet, but hacks knowed from 2000x and 3000x was not working.
-
Thank you hv222. Did you try if Keysight software works with the added LAN?
-
It detects scope, but I don't play with it.
-
The two things that immediately bothered me with the EDUX were too bright button lights (annoyingly distracting) and loud fan. Will be looking to reduce the LED brightness first thing when disassemble the scope. Has anyone found a nicer replacement fan model ?
-
...
And here is some picture:
(https://www.fercsa.com/keysight/36pin_ic_front.jpg)
(https://www.fercsa.com/keysight/36pin_ic_back.jpg)
Are the resistors 0805 or 0603 ?
-
0603. It's just for USB signal conditioning. Only option to make it useful is put uart to USB bridge and connect it to scope uart for debugging purpose.
-
The two things that immediately bothered me with the EDUX were too bright button lights (annoyingly distracting) and loud fan. Will be looking to reduce the LED brightness first thing when disassemble the scope. Has anyone found a nicer replacement fan model ?
You can try those rubber fan mounts. It helps a little. I found a few in my old PC.
As hv222 said they're 0603 components. I used an USB2514 chip, which has 4 ports, so my usb-serial and jtag is always connected if I need them.
Btw you got the G version or the none G?
-
It is an A, non-G one
-
So guys, I found some valuable information here but also got a little confused by the so many model variants of oscilloscopes.
To summarize, If one got a EDUX1002G (brand-new with the 01.01.1016092800 firmware version), besides the "time-machine" hack to evaluate the EMBD tool for lifetime, which are the other verified hacks it can be applied for ?
Thank You!
-
With the latest software hack from FERCSA, it is fully enabled as DSOX1102G with the serial decode options and it is supposed to be good up to 200MHz. You will need the hardware external trigger and front-end mods done on the EDUX.
-
With the latest software hack from FERCSA, it is fully enabled as DSOX1102G with the serial decode options and it is supposed to be good up to 200MHz. You will need the hardware external trigger and front-end mods done on the EDUX.
Ok, so all I got to mod is the described components at Reply #529 from @FERCSA ? No need for the resistor hack to convert EDUX -> DSOX ?
-
With the latest software hack from FERCSA, it is fully enabled as DSOX1102G with the serial decode options and it is supposed to be good up to 200MHz. You will need the hardware external trigger and front-end mods done on the EDUX.
Ok, so all I got to mod is the described components at Reply #529 from @FERCSA ? No need for the resistor hack to convert EDUX -> DSOX ?
You need the resistor hack as well
-
Successfully replaced the stock FAN.
Before:
(http://img18106.imagevenue.com/loc101/th_363455527_20190226_110812_122_101lo.jpg) (http://img18106.imagevenue.com/img.php?image=363455527_20190226_110812_122_101lo.jpg)
After:
(http://img18127.imagevenue.com/loc365/th_363459579_20190228_142416_122_365lo.jpg) (http://img18127.imagevenue.com/img.php?image=363459579_20190228_142416_122_365lo.jpg)
New FAN: Sunon HA60251V4-000U-999
Now my oscilloscope is almost fully silent :)
-
FW v1.1: https://bit.ly/dsox1102hack (https://bit.ly/dsox1102hack)
MD5: ad84976ff2f5b044a21020436751c5c3
You sir are a legend. The update process worked flawlessly and all options are working on the DSOX1102G.
-
Successfully replaced the stock FAN.
Before:
(http://img18106.imagevenue.com/loc101/th_363455527_20190226_110812_122_101lo.jpg) (http://img18106.imagevenue.com/img.php?image=363455527_20190226_110812_122_101lo.jpg)
After:
(http://img18127.imagevenue.com/loc365/th_363459579_20190228_142416_122_365lo.jpg) (http://img18127.imagevenue.com/img.php?image=363459579_20190228_142416_122_365lo.jpg)
New FAN: Sunon HA60251V4-000U-999
Now my oscilloscope is almost fully silent :)
Photo shows HD6020B12M
-
Photo shows HD6020B12M
Take a look at the second photo.
SuperFan HD6020B12M was replaced by Sunon HA60251V4
-
Photo shows HD6020B12M
Take a look at the second photo.
SuperFan HD6020B12M was replaced by Sunon HA60251V4
My mistake, I assumed both photos were from the same new fan. Thanks for the info.
-
FERCSA HACKING firmware.
I have a 70MHz DSOX1102G I bought in 2018. I was interested in increasing the bandwidth to 100MHz, but I found the KS upgrade a bit expensive. Searching in this forum, I found the FERCSA HACKING firmware. At first I was a bit afraid that something went wrong, but I decided to install the FERCSA HACKING firmware on my DSOX.
The installation was done successfully, it took 3 minutes and in the end even the soft reset worked perfectly. Now I am very happy because I got a bandwidth of 200MHz and the time base now reaches 2nS (before the minium was 5nS) WOW :)
-I've attached some photos comparing the before and after and the installation process.
-I measured a signal from a 125MHz TCXO oscillator (before and after photo).
-I measured the SPI protocol of an Arduino (pictured below).
FERCSA, thank you for sharing this brilliant work and continue the development!
Good luck to everyone.
-
Can someone with a 1000G post a screenshot of the function gen output with 10 MHz square wave please?
-
Successfully replaced the stock FAN.
Before:
(http://img18106.imagevenue.com/loc101/th_363455527_20190226_110812_122_101lo.jpg) (http://img18106.imagevenue.com/img.php?image=363455527_20190226_110812_122_101lo.jpg)
After:
(http://img18127.imagevenue.com/loc365/th_363459579_20190228_142416_122_365lo.jpg) (http://img18127.imagevenue.com/img.php?image=363459579_20190228_142416_122_365lo.jpg)
New FAN: Sunon HA60251V4-000U-999
Now my oscilloscope is almost fully silent :)
I've done this with the same new fan and i would not say the scope is almost silent, however the annoying mid- frequency pitch whining noise has now gone. It was what bothered me the most. If anyone is considering the mod, go buy the fan now as Digikey just sent an obscolescence notification for this fan.
-
Can someone with a 1000G post a screenshot of the function gen output with 10 MHz square wave please?
Square Wave, 10MHz, 500mVpp, Offset=0V
With 50ohm passthrough
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=683460;image)
Without 50ohm passthrough
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=683466;image)
-
Tried the SunOn and the GDSTIME... both are worse than the original fan.
-
I am noticing a triggering issue on my EDUX1002G. I generate a 1 MHz square wave (it is the same with sinewave), 3.3Vpp, 0V offset. Edge trigger set to 0V. It is showing a 350mV -2ns offset from the center (0V, 0ns). User calibration runs successfully. I modded this scope from the EDUX to the DSOX frontend. Any suggestions on what should be changed / calibrated to make it trigger correctly?
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=686490;image)
-
I'm not sure, but it probably can be adjusted with probe calibration - delay calibration.
-
FERCSA HACKING firmware.
Some more testings after the hacking of DSOX-1102G. Frequency signal gererated by a Si5351 (clock generator up to 225MHz).
-
The notation of MHz units is really weird in the frequency counter in the screen left bottom.
-
Wow, you're right on that. It's not like it's using fixed-location neon, incandescent or LED annunciators. Very weird.
-
Wow, you're right on that. It's not like it's using fixed-location neon, incandescent or LED annunciators. Very weird.
It seems that this was done by the trainee or by a person who is not from the telecom area.
-
Hi TK,
Mine (EDUX1002A) shows the same , and is not moded in any way. It just pass user calibration .
Below is a Rigol 2102E software moded (licenses).
I did not used Keysight probes , just a coaxial cable from generator to scope .
-
Schematic of function generator and group of components located between analog front-end and function generator. This group probably handle the signal offset and part of user calibration. Some power supply components like ferrite beads and decoupling capacitors can be missing in power supply lines. I will appreciate I someone can measure capacitors and inductors values in function generator. Is amplitude of generated signal constant while changing frequency? I add generator function to my scope, but signal shape is not satisfied :(
U31 and U33 are SN74HCT04PW
U46 and U47 are TL274
@hv222 There seemed to be an error in the Gen schematic, the common contacts of the output relay should be swapped, otherwise the Gen output would never connect to the BNC panel connector. I have attached a corrected schematic.
-
FW v1.1: https://bit.ly/dsox1102hack (https://bit.ly/dsox1102hack)
MD5: ad84976ff2f5b044a21020436751c5c3
Any chance of having the Power application working?
-
Hi, I'm about to buy an EDUX102G but I'm still unclear about one thing: will I need an external trigger hack to enable SPI decoding with FERCSA hacked firmware?
-
You can do SPI decoding with 2 analog inputs. You will have to set to timeout instead of CS or ~CS (not CS).
-
You also need to modify memory U701. MAC is located in this flash at address 0x070000 to 0x070005 (6 bajts).Mac is not programmed by default - it value is 0xff 0xff 0xff 0xff 0xff 0xff.
Is that the right address? ....Seems to be located in a big chunk of unused space in the flash filled with FF.
-
You also need to modify memory U701. MAC is located in this flash at address 0x070000 to 0x070005 (6 bajts).Mac is not programmed by default - it value is 0xff 0xff 0xff 0xff 0xff 0xff.
Is that the right address? ....Seems to be located in a big chunk of unused space in the flash filled with FF.
As I remember it was away from any other data in memory.
-
...However at address 0x03E766 I have
ethaddr=00:03:D3:04:XX:XX.ipaddr=192.168.1.5
where I blanked the last two octets with XX:XX. Seems they do set MAC in the SPI flash. Do you have that in yours? (this is for the EDUX100A)
-
You also need to modify memory U701. MAC is located in this flash at address 0x070000 to 0x070005 (6 bajts).Mac is not programmed by default - it value is 0xff 0xff 0xff 0xff 0xff 0xff.
Is that the right address? ....Seems to be located in a big chunk of unused space in the flash filled with FF.
MAC address is set in the SPI flash chip. I think it is the right address, and FF means MAC address is not configured. I decoded it using a logic analyzer.
-
Any chance of having the Power application working?
I have to take a look one more time in the future. Last time (it was way back in winter) I didn't find anything useful, but I have to admit I don't spend to much time with it.
Also I tried to enable the packet lister menu without any luck. But I made some attempt to hijack some of the push buttons which was successful. So I have to find a way to connect the "dots". After all it looks promising, but currently I don't have time for it.
-
Hi, - Im in the same situation as you - just purchased a stock 1102g ,
Im struggling with a few things regarding this hack
Firstly, if coming from a 1102g do i need to do any hardware hacks?
Is the firmware hack reversible ?(where would i find the original firmware?) Is it easily changed
Primarily i want to do this hack to get serial decode - but see people/ screenshots suggest this unlocks lots (dozens) of licenses including PWR. (albeit with some issues) Advanced maths etc. Is it just me but i cant find any info on all these applications. It sounds great to open up all this functionality but i was under the impression that the only options are serial and CAN bus. love to know what these all are
Finally, and this is the real killer the firmware link v1.1 bitly seems dead, I will DM the original poster about this but thought id ask here as you seem to have done this the most recently and suggest it was really simple
Cheers
Jon
-
If you have the stock 1102G, you don't need any hardware mod. Firmware hack is 100% reversible by installing the latest firmware from Keysight, you don't need to go back to old firmware.
-
Can some one tell me working values to ID 23 I got my edux go to 70MHz 2GSa SGM etc but I cant get signal at all
I had 12k on top and 33k on bottom on left side set when connector is up of them so it should get 0.91V
EDIT: that were wrong but bith 15k and 15k I should get ID 24 and no signbal at all also trtied 12k and 8k but no signal either it was 0.98V
Thanks a lot I ll try those also it does put me think if I did actually change wrong resistor set since I didnt find pic what would say which one is ID0 and which one is ID1 but when I did look those values
maybe my 12k vas actually 121k so i did change wrong id bit.
Wait, so you replaced the left 2 resistors with 12k and 33K and your EDUX1002A now reads 70MHz? I've been looking through this forum and I would like to confirm before I commit.
-
New firmware available, v1.20 (1000XSeries.01.20.2019061038.ksx)
Release notes: https://www.keysight.com/upload/cmc_upload/All/Keysight_1000A_X_Series_Oscilloscope_Release_Notes_01_20.pdf (https://www.keysight.com/upload/cmc_upload/All/Keysight_1000A_X_Series_Oscilloscope_Release_Notes_01_20.pdf)
Looks like they don't made any effort to change over to linux.
If you revert back to the original firmware just use the original v1.10, until I update my code for the v1.20
-
EDUX1002A to DSOX1102G ,11th order Butterworth filter,the parameters are not from DSOX1000G or EDUX1000G。
-
Hello
I need to buy an oscilloscope , better after hacking EDUX1002A or DSOX1102A ??
You up Memory Depth(100 Kpts) in EDUX1002A to 1Mpts?
DSOX1102A easier to hack ? i need only change software ?
-
Hello
I need to buy an oscilloscope , better after hacking EDUX1002A or DSOX1102A ??
You up Memory Depth(100 Kpts) in EDUX1002A to 1Mpts?
DSOX1102A easier to hack ? i need only change software ?
Better to hack EDUX1002A. You get 1Mpts and you need more than a software hack.
-
Hello
I need to buy an oscilloscope , better after hacking EDUX1002A or DSOX1102A ??
You up Memory Depth(100 Kpts) in EDUX1002A to 1Mpts?
DSOX1102A easier to hack ? i need only change software ?
Take into account that you will need hardware hack for EDUX . Software hack will not help you too much. Most of the functions will not work properly . If you do not do entire HW hack , auto calibration will not work .
-
Is this adding a signal generator function?
-
Yes,but it's not just a singnal generator,it's other parts
more:
https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/525/ (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/525/)
The schematic diagram is from hv222
-
New firmware available, v1.20 (1000XSeries.01.20.2019061038.ksx)
Release notes: https://www.keysight.com/upload/cmc_upload/All/Keysight_1000A_X_Series_Oscilloscope_Release_Notes_01_20.pdf (https://www.keysight.com/upload/cmc_upload/All/Keysight_1000A_X_Series_Oscilloscope_Release_Notes_01_20.pdf)
Looks like they don't made any effort to change over to linux.
If you revert back to the original firmware just use the original v1.10, until I update my code for the v1.20
Hi, any news regarding the 1.20 firmware hack? ;)
-
Hi, could anyone that did the signal gen. in their EDUX1000G's post the correct part numbers needed, especially the package types (ie LM339 ? is it soic or tssop?) , it will be much appreciated.
Thank you.
-
I don't know the exactly part numbers. I used 1% resistors, C0G/NP0 capacitors in signal patch and X7R, X5R (when X7R footprint was too big). Here are teardown photos https://www.flickr.com/photos/eevblog/33024469232/in/album-72157677358745114/ (https://www.flickr.com/photos/eevblog/33024469232/in/album-72157677358745114/)
footprints:
U21, U43, U45 - 8 LD SOIC / SO-8
- LM4041CEM3-1.2/NOPB or any other with R1C marking - SOT32
U22 - SO PowerPAD 8 (be aware, this part is also available on standard SO-8 without thermal pad)
U8, U10, U12 - SOIC-14
-
Thank you.
I just added these to my next order.
;)
-
Don't forget about components in power supply patch. There are also unsoldered components - capacitors and linear regulators required for signal generator.
-
Damn :( , capacitors I probably have but regulators probably not, can you share what kind?
Thanks again.
-
Just standard 78xx and 79xx family. All you need you have on teardown photos, except MLCC values. For 0603 footprint I used 100nF, for bigger one something between 1 and 10uF. I don't remember.
-
Maybe 78L05 and 79L05.
-
Sounds reasonable, will have to buy some of them.
Thanks guys.
-
I was going to dump my DS1054Z and buy an MSO5000 but the thing misses the mark on a lot of points so I'm not going in that direction again.
Thus I'm looking at grabbing a DSOX1204G. Does anyone know if there is a crack for the D1200BW2A bandwidth option and the D1200EMBA decode options? I don't need either of them immediately as such so this is an exploratory question.
-
Today I had a peek at FERCSA's work. :clap: Interesting! ::)
Maybe I can add something to it, although I've never seen a 1000X.
-
Today I had a peek at FERCSA's work. :clap: Interesting! ::)
Where can we see it...?
-
Thus I'm looking at grabbing a DSOX1204G. Does anyone know if there is a crack for the D1200BW2A bandwidth option and the D1200EMBA decode options? I don't need either of them immediately as such so this is an exploratory question.
Yes, there is.
-
Thus I'm looking at grabbing a DSOX1204G. Does anyone know if there is a crack for the D1200BW2A bandwidth option and the D1200EMBA decode options? I don't need either of them immediately as such so this is an exploratory question.
Yes, there is.
For 4ch Linux based DSOX1204G ? where?
-
Yes, there is.
For 4ch Linux based DSOX1204G ? where?
Oh, the DSOX1204G :palm: :-[ :-[ :-[ :-[
I'm not sure, but look for DSOX2000 and DSOX3000 hacks. I believe the hacks are the same across families.
-
DSOX1102G HKD Decoding I2C data bus from Si4735:
https://youtu.be/lSvhhtFS3_Y
-
Yes, there is.
For 4ch Linux based DSOX1204G ? where?
Oh, the DSOX1204G :palm: :-[ :-[ :-[ :-[
I'm not sure, but look for DSOX2000 and DSOX3000 hacks. I believe the hacks are the same across families.
The DSOX1204G is Linux based, not Windows CE like the 2000X or 3000X. There is no known hack yet
-
The DSOX1204G is Linux based, ...
[/quote]
Are you sure ? How do you know ? There is some info available ?
-
The DSOX1204G is Linux based, ...
Are you sure ? How do you know ? There is some info available ?
[/quote]
Yeap . I found it ... : https://www.keysight.com/main/redirector.jspx?action=ref&cname=EDITORIAL&ckey=3035129&lc=eng&cc=RO&nfr=-32110.1258591.00 (https://www.keysight.com/main/redirector.jspx?action=ref&cname=EDITORIAL&ckey=3035129&lc=eng&cc=RO&nfr=-32110.1258591.00)
-
Hi all, apologies if this has been covered, but is it possible to hack the EDUX1002A to EDUX1002G or DSOX1002G?
I think it's possible, but just wanted to make sure before I place an order.
Thank you!
-
Today I had a peek at FERCSA's work. :clap: Interesting! ::)
Maybe I can add something to it, although I've never seen a 1000X.
Any news about that work? ;D
-
At the embedded world yesterday I was told that in a couple of days there will be a new firmware for the Non-EDU versions to increase waveform update rate to 200.000 /s and to always enable serial decode/trigger!
Now I'm waiting quite excited to finally play with the serial options on my 1000x ;)
-
EDU models can be converted to DSO by changing 2 resistors... does it mean you can have free serial decoding and 200,000wfm/s on EDU models? Interesting :popcorn:
-
I don't think that it's that simple. Frontend needs substantial rework and sign gen section is missing quite a few components. Don't forget about the trigger too.
-
I know about the frontend limitation and signal generation section missing (only on A models). I am just talking about 200,000 wfm/s update rate and serial decoding.
-
I don't think that it's that simple. Frontend needs substantial rework and sign gen section is missing quite a few components. Don't forget about the trigger too.
For EDUX to be recognized as DSOX and to receive the promise 200k wfs and serial decoding, indeed is only need to change the value of a two resistors as TK said.
The other modifications are needed for bandwidth increase , awg to work and hardware callibration to pass .
But still need to wait for rumors to be true ...
L.E. With Fercsa mod, protocol decoding work . And is only software mod.
-
At the embedded world yesterday I was told that in a couple of days there will be a new firmware for the Non-EDU versions to increase waveform update rate to 200.000 /s and to always enable serial decode/trigger!
Now I'm waiting quite excited to finally play with the serial options on my 1000x ;)
I just checked the release note and the free serial decoding seems to be only for the 1200X models purchased after March 1, 2020:
Serial decode and trigger is now standard for DSOX and EDUX models purchased on or after March 1, 2020, with the following exceptions:
o DSOX1204AmodelswithaserialnumberlessthanCN59356100willrequireserial option license(s) (D1200EMBA, D1200AUTA)
o DSOX1204GmodelswithaserialnumberlessthanCN59357100willrequireserial option license(s) (D1200EMBA, D1200AUTA)
Increase in wfm/s:
200,000 wfm/s for DSOX1200 and 100,000 wfm/s for EDUX1200
The 1000X firmware release note does not mention anything about changes in the serial decoding or screen update rate.
-
Bummer... That's to bad, I guess with my old one I eventually have to buy the licence... :(
-
Hello, this is my first post.
I have a DSOX1102G with firmware 1.20 and by reading these threads I understand that the Fercsa mod. is for rev. 1.10.
Is my assumption correct, or have I misunderstood? Is here is a solution rev. 1.20?
ps I can't seem to find rev 1.10 anywhere. Perhaps once rev. 1.20 is installed, there is no downgrade path.
Thanks in advance for the help
-
Hello, this is my first post.
I have a DSOX1102G with firmware 1.20 and by reading these threads I understand that the Fercsa mod. is for rev. 1.10.
Is my assumption correct, or have I misunderstood? Is here is a solution rev. 1.20?
ps I can't seem to find rev 1.10 anywhere. Perhaps once rev. 1.20 is installed, there is no downgrade path.
Thanks in advance for the help
Yes you can load Fercsa version over 1.20 .
Please be patient , update wil take more than2 minutes .First splash screen wil be a red bug and after that Keysight splash .
In Help-About you will see all kind of licenses loaded .
Good luck !
-
Thanks Skander36. that's good news.
Follow-up question for the group:
I read through a number of threads regarding some front-end hardware mods that folks have done, but it's not clear (to me) if they are needed in addition to the SW unlocking that the Fercsa mod enables.
-
Taking a ride with your question, can someone help me compiling all modifications (HW + SW) to get the most out of an EDUX1002G v1.1?
I read most of the thread discussion, but it was unclear to me what was testing and what was the final mod pack.
I've postboned this for a while, but now with this quarenteen thing, it seems like I'll finally have some time to 'get my hands dirty'... :-/O
-
Hello friends, is it possible to update to the official firmware 1.20 with the Fercsa firmware already installed?
Thank you.
-
You mean that you have tried the Fercsa mod on rev1.20 or over 1.20 ? :o :clap: And it works successfully?
That's a really good news!
THX~~! ^-^
-
No. Actually I have Fercsa installed on my DSOX1102G and I would like to know if I can install the new official update V1.20 on the Fercsa version.
-
No. Actually I have Fercsa installed on my DSOX1102G and I would like to know if I can install the new official update V1.20 on the Fercsa version.
No, FERCSA's hack is a full self-contained firmware pack that replaces the one supplied by KS.
-
No. Actually I have Fercsa installed on my DSOX1102G and I would like to know if I can install the new official update V1.20 on the Fercsa version.
No, FERCSA's hack is a full self-contained firmware pack that replaces the one supplied by KS.
So,it means FERCSA's hack is also fit for the new rev1.2 or over the 1.2?
It seems skander36(#655) had installed it.~~ :D
THX~~
-
FERCSA firmware is based on 1.10
If you have official firmware 1.20, you cannot install FERCSA as KS does not allow downgrade the firmware level
If you have FERCSA installed and install official 1.20, you will loose all the hack and you cannot reinstall FERCSA firmware.
-
FERCSA firmware is based on 1.10
If you have official firmware 1.20, you cannot install FERCSA as KS does not allow downgrade the firmware level
If you have FERCSA installed and install official 1.20, you will loose all the hack and you cannot reinstall FERCSA firmware.
Got it~!THX~~~ :-+
-
I understand thank you! :-+
-
Hello, this is my first post.
I have a DSOX1102G with firmware 1.20 and by reading these threads I understand that the Fercsa mod. is for rev. 1.10.
Is my assumption correct, or have I misunderstood? Is here is a solution rev. 1.20?
ps I can't seem to find rev 1.10 anywhere. Perhaps once rev. 1.20 is installed, there is no downgrade path.
Thanks in advance for the help
Yes you can load Fercsa version over 1.20 .
Please be patient , update wil take more than2 minutes .First splash screen wil be a red bug and after that Keysight splash .
In Help-About you will see all kind of licenses loaded .
Good luck !
Have you installed FERCSA’s hack on new rev1.2 ?
It works?It seems nobody tries this on rev1.2....except you~~~ :scared:
I also have a EDUX1002A with new firmware 1.2..but I'm afraid to try it.... Because TK said it can't be installed~~
THX~~~~ :-+
-
No. Actually I have Fercsa installed on my DSOX1102G and I would like to know if I can install the new official update V1.20 on the Fercsa version.
No, FERCSA's hack is a full self-contained firmware pack that replaces the one supplied by KS.
So,it means FERCSA's hack is also fit for the new rev1.2 or over the 1.2?
It seems skander36(#655) had installed it.~~ :D
THX~~
To be more clear .
As I said before, Fercsa hack can be installed over 1.20 rev and 1.20 rev can be installed again over Fercsa hack.
But only when Fercsa hack is installed you will have hacks efective . Installing official rev. 1.20 will replace all hacks . To have it again you need to put again Fercsa hack .
For EDUX1002A (as mine) the hacks that work are Serial decoding(CAN, LIN, FLEX, ARIN, MIL Std.) + training signals, Mask . For other functions you don't have necesary hardware. Segmented recording does not work . You need other hw id .
I hope this clarify this problem.
-
No. Actually I have Fercsa installed on my DSOX1102G and I would like to know if I can install the new official update V1.20 on the Fercsa version.
No, FERCSA's hack is a full self-contained firmware pack that replaces the one supplied by KS.
So,it means FERCSA's hack is also fit for the new rev1.2 or over the 1.2?
It seems skander36(#655) had installed it.~~ :D
THX~~
To be more clear .
As I said before, Fercsa hack can be installed over 1.20 rev and 1.20 rev can be installed again over Fercsa hack.
But only when Fercsa hack is installed you will have hacks efective . Installing official rev. 1.20 will replace all hacks . To have it again you need to put again Fercsa hack .
For EDUX1002A (as mine) the hacks that work are Serial decoding(CAN, LIN, FLEX, ARIN, MIL Std.) + training signals, Mask . For other functions you don't have necesary hardware. Segmented recording does not work . You need other hw id .
I hope this clarify this problem.
Fercsa hack let's you downgrade the firmware and you can install any version. But it is my understanding that he never released any hack for version 1.20. Unless his hack presents itself as a very high version number, that any KS official firmware will think it is a valid upgrade.
We might need confirmation from FERCSA.
I have not tested firmware 1.20 because I sold my EDUX1002G
-
People ask if is possible . Yes is possible .
-
People ask if is possible . Yes is possible .
But you'll have the previous version of the firmware.
-
People ask if is possible . Yes is possible .
But you'll have the previous version of the firmware.
What do you mean ?
-
People ask if is possible . Yes is possible .
Wow,that's realllllly a good news~~~~~THX~~~ ^-^ :-+
-
People ask if is possible . Yes is possible .
Wow,that's realllllly a good news~~~~~THX~~~ ^-^ :-+
Do you have 1.20 installed?
-
People ask if is possible . Yes is possible .
Wow,that's realllllly a good news~~~~~THX~~~ ^-^ :-+
Do you have 1.20 installed?
I'm going to try,I bought a EDUX1002A and it’s calibration date is 2019/08/26 ,so I guess it has the new 1.2 frameware.
It's still on the way~~~ :P
I'll push the picture here if I have any good news~~~(Actually I hope it has 1.1 frameware :P )
-
External trigger area, mysterious(no one measured it) cap under LMV7219
Is it on the other side of the PCB ?
Nope. Same side as most of the mods. Just look for U9 on this picture:
https://www.fercsa.com/keysight/trigger_mod_before.jpg (https://www.fercsa.com/keysight/trigger_mod_before.jpg)
Then top-right, there is a 10nF cap. I used 10nF, because I already had one. Others used a 33nF cap, so that could be good too.
I tried 22nF and it didn't pass the self cal, so I'd say that 10nF is the maximum here.
-
Do you have some experience with fan replacement in 1000x? I'm looking for silence one.
-
I swapped mine for a Noctua fan. It’s a fairly simple task doesn’t even need breaking any seals. It’s still quite noticeable, but not nearly as loud as the original one. I later got another 1000X which already came with a much quieter fan, maybe just a little bit louder than the Noctua one. I feel like most of the noise is actually coming from the air being pushed through the vents, not the fan itself, so there isn’t much you can do really to get it super silent. But if anyone had success making a super silent 1000X, I’d be happy to hear.
-
I also switched to a Noctua fan (NF-A6x25 FLX) with the same result.
Since the air turbulence through the narrow fan guard slots in the plastic case is making most of the noise, I made the modification shown in the photo. Much quieter!
It could possibly be improved a little bit further by doing the same mod on the air outlet vents (on the right side of the case) but I didn't want to go to that extreme.
-
Hi,
This is my unassuming contribution to this thread that Dave started long ago. I'm sure that if he had had access to this table his life would have been a lot easier (but surely less fun!). Nonetheless, and for historical/reference reasons, i attach below a table of all the IDs that the 1000X app code (WinCE and Linux) accepts.
(Don't bash me, i know that most of this information is now old news for the more knowledgeable.)
My analysis is based mainly on the appcode analysis and validated with all the information shared by all of you throughout this thread (specially with the videos that started all of this). Unfortunately, I don't have any of these instruments.
All the Product_Configs that are not in the table have no significance whatsoever and result in invalid configurations. (As you see, there aren't so many scenarios as one might think.)
As you all know, executing the resistors_mod sets the voltage levels read by ADCs 0-7 (ADC 4 value is not used anywhere in the code).
Of course, one thing that is possible to do with a software patch, that the resistors_mod is unable to achieve, is that, by tweaking the table params, we can further change the behavior of each Product_Config setup. With that we can try different configurations that have not been tried before...
I marked in red the 2 cases that Dave found strange in his video and the parameters, that in my analysis, affected them. For example, further sample rates of 2.5GHz could be attempted by placing 0 in the SampleRate field of the "usual" Product_Configs 21-24.
It's also perfectly visible which are all the configs "FPR (Final Production Run)".
WinCE versions only go up to Product_Config 27. The remaining ones are only visible in the new Linux software.
If you see any errors please report. If you would like to test some software tweaks, maybe I can help.
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1615900;image)
-
Hello, this is my first post.
I have a DSOX1102G with firmware 1.20 and by reading these threads I understand that the Fercsa mod. is for rev. 1.10.
Is my assumption correct, or have I misunderstood? Is here is a solution rev. 1.20?
ps I can't seem to find rev 1.10 anywhere. Perhaps once rev. 1.20 is installed, there is no downgrade path.
Thanks in advance for the help
Yes you can load Fercsa version over 1.20 .
Please be patient , update wil take more than2 minutes .First splash screen wil be a red bug and after that Keysight splash .
In Help-About you will see all kind of licenses loaded .
Good luck !
It is useful for DSOX1102A,but not DSOX1102G.
If your DSOX1102A has 1.20 FW,you can use FERCSA file to hack it.
If your DSOX1102G has 1.20 FW,you can not use FERCSA file to hack it
-
FERCSA file is also useful for EDUX1002A.
If your EDUX1002A has 1.20 FW,you can use FERCSA file to hack it.
-
I see somebody using modified file to hack 2000A 3000A 3000T 4000A OSC,these files modified Infiniivisioncore.dll.
but FERCSA's file didnot modify the Infiniivisioncore.dll.
-
If you're not busy, do i still have to open the shell to access it's serial port? Thanks!
-
Here is my contribution. The list of components to replace in the front end (both channels), trigger, product code, and three more resistors (display, edge adj and ext view) .
I also attached a few images from our colleagues in a different organization.
Moreover I'll update the list with the signal generator.
update: it was found an error in two resistors. They were updated.
-
Hi,
Just wanted to add to this thread some tests on my hacked DSOX1102A. Have the 1.01 version, new old stock I received today.
Tested the input sending a sine wave from my HP8640B via BNC with a pass through 50 ohm termination.
Seems to roll off at -3dB close to 290MHz and then drops down until I reach somewhere around 400MHz and then counts backwards and later starts from 0Hz again. Assume something with the sampling rate?
Anyway very happy with this scope 8)
Thanks to all that were involved in the hacking! :)
-
Hi,
Just wanted to add to this thread some tests on my hacked DSOX1102A. Have the 1.01 version, new old stock I received today.
Tested the input sending a sine wave from my HP8640B via BNC with a pass through 50 ohm termination.
Seems to roll off at -3dB close to 290MHz and then drops down until I reach somewhere around 400MHz and then counts backwards and later starts from 0Hz again. Assume something with the sampling rate?
Anyway very happy with this scope 8)
Thanks to all that were involved in the hacking! :)
Can you confirm that both self test and user cal is passing ?
Did you used the components guide posted before by rbaleiro ?
-
I only did the software hack by FERCSA, no hardware changes. But yes, self test and user cal passed.
-
Hi,
Just wanted to add to this thread some tests on my hacked DSOX1102A. Have the 1.01 version, new old stock I received today.
Tested the input sending a sine wave from my HP8640B via BNC with a pass through 50 ohm termination.
Seems to roll off at -3dB close to 290MHz and then drops down until I reach somewhere around 400MHz and then counts backwards and later starts from 0Hz again. Assume something with the sampling rate?
Anyway very happy with this scope 8)
Thanks to all that were involved in the hacking! :)
Can you confirm that both self test and user cal is passing ?
Did you used the components guide posted before by rbaleiro ?
DSOX1102A already has the 100MHz BW frontend, no mod is needed.
-
Is there any news about new software?
-
I'm surprised no one tried this but there is a loadP500Flash.exe in one of the directory on winCE and you can update the firmware to whatever you want. At this point I assume the windows hack still works on the latest fw.
I found it in my notes. The command line is smt like this:
\windows\loadP500Flash -u ceImage1 \usb\nk.bin.comp
So I'm pretty sure you can downgrade the fw with an old non modified nk.bin.comp file.
Also I advise to flash the ceImage2 first as a failsafe so if you screw up the ceImage1 then you have a chance to boot up your scope from u-boot. OR. You can flash the old nk.bin.comp to ceImage2 in the first place then boot it up from u-boot. After that you can upload my ksx file through the interface as a normal update.
Should be this:
\windows\loadP500Flash -u ceImage2 \usb\nk.bin.comp
And on the next reboot:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Flash: 512 KiB
NAND: internal ecc 128 MiB
Debug serial initialized ........OK
RTC: 2024-18-11 4:98:4.59 UTC
Microsoft Windows CE Bootloader Common Library Version 1.4 Built May 7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008
PHY not found.
P500 Boot Loader Configuration :
Mac address .......... (00:01:02:03:04:05)
Ip address ........... (192.168.1.100)
Subnet Mask address .. (255.255.255.0)
DHCP ................. (Enabled)
Boot delay (seconds).. (0)
Load image 1 at startup
Image addresses. (0xdxxxxxxx for NAND, 0x8xxxxxxx for RAM)
1 (0xd0600000)
2 (0xd1e00000)
l) Load memory resident image Load image 1 now
1) Load memory resident image 1 now
2) Load memory resident image 2 now
3) Load memory resident image 3 now
d) Download from platform builder now
u) Start u-boot by resetting
v) Verify Images
>
Then choose 2) option.
Right now I can't confirm this but theoretically should work. Currently I don't have time for this or for any hack may be during xmas.
-
Wow! Yay!
EEVBlog's 1000X hack is featured on the Vendor's blog
https://blogs.keysight.com/blogs/tech/bench.entry.html/2018/08/22/oscilloscope_s_frequ-IqBG.html (https://blogs.keysight.com/blogs/tech/bench.entry.html/2018/08/22/oscilloscope_s_frequ-IqBG.html)
Thanks for the frequency counter tip, Daniel :D
-
(https://www.fercsa.com/keysight/BLT_module.jpg) (https://www.fercsa.com/keysight/BLT_module.jpg)
Serial, JTAG and extra USB port (HOST2 on front, HOST1 not connected by default)
An error in USB HOST1 pinout on J104. The D+ and D- signals should be swapped on the unpopulated connector on the BLT module. A copy of the corrected photo is attached.
Caused me some grief before I figured that out :D
Also added HOST1 VBUS and HOST1 OVRC signals.
-
I was able to boot up a customized u-boot/QEMU combo. If I can emulate a serial flash memory, not to mention a nand storage or just the corresponding memory addresses in RAM, that'll be real fun.
arm-softmmu/qemu-system-arm -M p500 -cpu arm926 -serial mon:stdio -net tap -net nic -kernel u-boot_image.bin
Running QEMU with GTK 2.x is deprecated, and will be removed
in a future release. Please switch to GTK 3.x instead
U-Boot Keysight-dirty #FERCSA (Nov 29 2018 - 02:09:55)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
*** Warning - bad CRC, using default environment
SerNum:serial number not programmed
Chip: BA Board Rev: x
Error: start and/or end address not on sector boundary
Net: unknown
Press space to stop autoboot 0 0
p500> help
? - alias for 'help'
adc - performs A/D conversion on channel
base - print or set address offset
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
cdp - Perform CDP network configuration
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
dcache - enable or disable data cache
dhcp - boot image via network using DHCP/TFTP protocol
echo - echo args to console
editenv - edit environment variable
erase - erase FLASH memory
expi - program EXPI Clock
flinfo - print FLASH memory information
fpga - loadable FPGA image support
fsinfo - print information about filesystems
fsload - load binary file from a filesystem image
go - start application at address 'addr'
help - print command description/usage
hwreset - Perform HW RESET of the CPU
i2c - I2C sub-system
icache - enable or disable instruction cache
iminfo - print header information for application image
imls - list all images found in flash
imxtract- extract a part of a multi-image
itest - return true/false on integer compare
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
ls - list files in a directory (default /)
md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtest - simple RAM read/write test
mw - memory write (fill)
nand - NAND sub-system
nboot - boot from NAND device
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
rtc - print time from RTC
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
saves - save S-Record file over serial line
setenv - set environment variables
sleep - delay execution for some time
source - run script from memory
splash - load splash image on display
tftpboot- boot image via network using TFTP protocol
version - print monitor version
p500>
@FERCSA is an easy way to load your custom Uboot? I need to play with mii commands.
-
Really? EDUX1002A with 1.20FW can be hack?
-
You can apply FERCSA hack on top of 1.20 but your scope will become 1.10.
-
Everything seems to work as described. Training signal menu is missing i2c and SPI. I will continue testing.
Amazing hack :-+ :-+ :-+ Santa arrived before Christmas!
Is there any way to go back to normal firmware reinstalling it from the USB drive?
SPI training signal is applied to the digital pod , which 1000X do not have, so this is likely the reason it is not in the hacked menu. Perhaps I2C is the same.
-
Any chance of having the Power application working?
I have to take a look one more time in the future. Last time (it was way back in winter) I didn't find anything useful, but I have to admit I don't spend to much time with it.
Also I tried to enable the packet lister menu without any luck. But I made some attempt to hijack some of the push buttons which was successful. So I have to find a way to connect the "dots". After all it looks promising, but currently I don't have time for it.
Power Analysis feature is not programmatically accessible through the VISA interface either on the hacked scope. Chances are it may not work alltogether. Or it may not had been activated properly.
-
@FERCSA is an easy way to load your custom Uboot? I need to play with mii commands.
Just install a general QEMU for ARM processors and use the same command line options as above.
My U-boot binary is here: link (http://www.fercsa.com/keysight/u-boot-20181203.bin)
It's not gonna work, just tried. Looks like I compiled a custom qemu back then :palm:
-
It is alright, i have solved the problem i was having.
-
A little birdie told me one early morning that Santa will be bringing the liberated v1.20 to all of 1000X loyal fans :)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1127376;image)
-
Nice stuff!
Love mine after hw and fw mode!
Thank you guys!
-
A little birdie told me one early morning that Santa will be bringing the liberated v1.20 to all of 1000X loyal fans
Thank you Santa! :-+
-
It is only for the older WinCE based models, correct?
-
It is. The Linux ones to me should be called 1200x.
-
But...wait ! There is more ! :D
It comes with 2 Megapoints of memory , double of what was achieved until now :box:
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1127724;image)
-
It is standard 2Mpts on the 1200X series, so maybe it is something they released with 1.20 on the old 1000X scopes?
-
Nope, just retested on a v1.20 with no mem hack, returns 1Mpts:
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1127796;image)
Edit: both screenshots are with memMax license enabled by the way.
Edit: Keysight's Release Note on v1.20 did not mentioned memory change either.
https://www.keysight.com/upload/cmc_upload/All/Keysight_1000A_X_Series_Oscilloscope_Release_Notes_01_20.pdf (https://www.keysight.com/upload/cmc_upload/All/Keysight_1000A_X_Series_Oscilloscope_Release_Notes_01_20.pdf)
Edit3: Santa said he's done many more memory tests than one may think >:D , interesting details will come in a separate post.
-
A little birdie told me one early morning that Santa will be bringing the liberated v1.20 to all of 1000X loyal fans :)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1127376;image)
Is the infiniivisioncore.dll modified successfully?
-
Santa did not give out details :-//
-
interesting details will come in a separate post.
-
Ok,
so... maybe I am off but wanna ask someone who did the HW and FW mod on the edux scope how the square wave (demo 1khz) looks like on the X1 probes.
Mine has a skew on the horizontal section of the waveform especially if you zoom in on vertical but noticeable from 1v(both ch1 and ch2 are the same).
I just want to know if this is a mod issue(like the output from the diff amp) or something else.
On x10 probes I can get rid of that skew by adjusting the probe trimmers.
And if the HW mod is different than stock edux.
Thanks guys.
-
interesting details will come in a separate post.
This comment was about memory, not licenses.
-
Ok,
so... maybe I am off but wanna ask someone who did the HW and FW mod on the edux scope how the square wave (demo 1khz) looks like on the X1 probes.
Mine has a skew on the horizontal section of the waveform especially if you zoom in on vertical but noticeable from 1v(both ch1 and ch2 are the same).
I just want to know if this is a mod issue(like the output from the diff amp) or something else.
On x10 probes I can get rid of that skew by adjusting the probe trimmers.
And if the HW mod is different than stock edux.
Thanks guys.
You do not need wavegen to compensate probes, just connect the probes to the exposed terminals on the Edux. Turn off Training signals and the scope will output the regular probe compensation square wave. The mod did not affect that circuit.
-
No, compensation 1khz works ok... but it looks like in attached picture on x1 probes...
-
Just adjust the compensation control on the probe. This is why probes have them.
-
Yeah well, I know that :) But the compensation is only on 10:1. My question was is it normal for the wave to look like that on X1 probes?
-
Probes have more input capacitance on x1, so it makes sense a same square wave would look "slopier".
-
Thanks,
I know the difference, but I just did not remembered it like this before update!
Well maybe i am seeing things.
-
Probes have more input capacitance on x1, so it makes sense a same square wave would look "slopier".
At 1kHz?
-
My question was is it normal for the wave to look like that on X1 probes?
No it is not normal (DSOX1102G, N2140A 200MHz probes, x1).
-
My question was is it normal for the wave to look like that on X1 probes?
No it is not normal (DSOX1102G, N2140A 200MHz probes, x1).
Thank man,
So I was not crazy :)
Now.. the only thing that comes to my head is that the filter parts after the diff amp are not exactly right. Or maybe I am wrong?
Someone with more experience could shine some light.
I've done the mod exactly as showed on this thread.
Thanks.
-
Anyone?
-
Have you done the mods as pointed by rbaleiro (page 28)?
Have your unit passed self-calibrarion ?
-
Have you done the mods as pointed by rbaleiro (page 28)?
Have your unit passed self-calibrarion ?
Hi,
Yes, did the mods exactly (and checked on back pages for confirmation)
All the self calibrations passed (HW and USER)
Mine is the EDUX10002A version and I have done the CH1 CH2 and TRIGG(and extra resistors for ext in) mods plus 23 ID for DSO1102A.
Everything works fine except that weird thing on X1 probes. I feel that it might be related to the filter on the diff amp. I've used 47uh and 4.7 pF as others said or maybe when you do the mod the trimmer on the input has to be readjusted? I am not an expert on how the oscilloscope front end works.
Thanks for the time.
-
They look the same, your picture and the other one that says yours is not normal. Have you measured rise time to have a more specific value rather than an image?
-
Use a good quality probes. The 70MHz ones supplied with EDUX are shitty ones, one already quit on me after maybe couple dozen uses.
-
Use a good quality probes. The 70MHz ones supplied with EDUX are shitty ones, one already quit on me after maybe couple dozen uses.
Yeah...could be but both probes have exact same result on either the channels. I can go on and use it on x10 without issues. But as ive said i cant seem to recall this before the mod. So it feels like a difference and i want to know the cause for my piece of mind.
Thanks.
-
Tested with more probes on x1... same result.
even on x10 probes, I can barely calibrate them to look perfect.
-
My modded scope have same issiue. Unfortunatelly I don't have possibility to check what is source o problem - frontend or test signal generator.
-
My modded scope have same issiue. Unfortunatelly I don't have possibility to check what is source o problem - frontend or test signal generator.
Well, I've tested the 1khz signal from another scope and it looks the same.
My bet is that somewhere on the front end there is a weird thing. Maybe the output filter (after diff amp)
Can someone confirm that on DSO1102 the filter has 47uH and 4.7pF?
-
Another problem I found last time is a jitter on external trigger. Scope can't align trigger edge with time 0.
-
So I think this is just a weird thing happening here. either the input trimmer on the CH input needs to be calibrated again or this is how the scope reacts when using an x1 probe. But it should not right? On x10 probes when calibrated everything is fine.
Oh well :) the scope performs fine so this is more of an "obsession" for me at least. :P
What does Santa say?
-
OK folks, try the attached to do it in a controlled manner :box: Read the instruction in the attachment and ask if anything is not clear.
Because the full package is too big to send in an attachment, this one instead is using a .diff file patch over the original kernel file. The command line tool for diff file application was borrowed from the DSOX2000 thread.
Edit: I pulled the Diff package for now, will publish the Full one later today.
Update: here it is. You are welcome ;D
https://we.tl/t-jeXp74iDxF (https://we.tl/t-jeXp74iDxF)
-
Hey @Bud, tried installing the patched 1.20, but when I try to load "120patch_install.cab" the scope shows me an "Error: the file did not load correctly." I checked the MD5 and it's all good. I'm using a DSOX1102G, and I already tried to Factory Reset.
Also tried to create a new full .cab install, with both firmwares in it, and changed install.xml to install the patched firmware into ceImage1, with no luck (the upgrade goes well but I don't have the new licences).
[edit] Strange, I got back to patched 1.10 (from Fercsa) and just installed "120patch_install.cab" over it successfuly, new firmware with full licenses! But if I try again from a clean 1.20, it doesn't work... weird.
I tried a bunch of options, but for whatever reason the ceImage1 doesn′t want to flash when I′m already on 1.20. And I don′t want a Frankenstein 1.10/1.20 mix... I′d like to make sure I′ve updated everything that′s inside the original ksx file.
-
Hey @Bud, tried installing the patched 1.20, but when I try to load "120patch_install.cab" the scope shows me an "Error: the file did not load correctly." I checked the MD5 and it's all good. I'm using a DSOX1102G, and I already tried to Factory Reset.
Also tried to create a new full .cab install, with both firmwares in it, and changed install.xml to install the patched firmware into ceImage1, with no luck (the upgrade goes well but I don't have the new licences).
[edit] Strange, I got back to patched 1.10 (from Fercsa) and just installed "120patch_install.cab" over it successfuly, new firmware with full licenses! But if I try again from a clean 1.20, it doesn't work... weird.
I tried a bunch of options, but for whatever reason the ceImage1 doesn′t want to flash when I′m already on 1.20. And I don′t want a Frankenstein 1.10/1.20 mix... I′d like to make sure I′ve updated everything that′s inside the original ksx file.
Maybe the Infiniivision core.dll is not patched correctly for DSOX1102G.
-
Hey @Bud, tried installing the patched 1.20, but when I try to load "120patch_install.cab" the scope shows me an "Error: the file did not load correctly." I checked the MD5 and it's all good. I'm using a DSOX1102G, and I already tried to Factory Reset.
Also tried to create a new full .cab install, with both firmwares in it, and changed install.xml to install the patched firmware into ceImage1, with no luck (the upgrade goes well but I don't have the new licences).
[edit] Strange, I got back to patched 1.10 (from Fercsa) and just installed "120patch_install.cab" over it successfuly, new firmware with full licenses! But if I try again from a clean 1.20, it doesn't work... weird.
I tried a bunch of options, but for whatever reason the ceImage1 doesn′t want to flash when I′m already on 1.20. And I don′t want a Frankenstein 1.10/1.20 mix... I′d like to make sure I′ve updated everything that′s inside the original ksx file.
If you modify ceImage1 and ceImage2,can you hack DSOX1102G?
-
Maybe the Infiniivision core.dll is not patched correctly for DSOX1102G.
Well, the weird thing is I could get the patched 1.20 firmware working but only when installed from the 1.10 firmware, but that doesn't update everything (like infiniiVisionSetup.cab), so I guess my firmware isn't fully up to date and may have problems. I'd like to be able to flash and patch everything.
If you modify ceImage1 and ceImage2,can you hack DSOX1102G?
I wouldn't flash the ceImage2 with the patched version, as the ceImage2 is used as a backup. I'd rather keep the safe "official" version there.
-
I helped my friend hack his DSOX1102G.
But its firmware downgrade from V1.2 to V1.1.
-
I tested on EDUX 1002A. I do have a full package but need to find a place to upload it to... stay tuned.
-
I tested on EDUX 1002A. I do have a full package but need to find a place to upload it to... stay tuned.
You forgot to write how to change link file.
-
The LNK method does not work on 1000X.
-
[edit] Strange, I got back to patched 1.10 (from Fercsa) and just installed "120patch_install.cab" over it successfuly, new firmware with full licenses! But if I try again from a clean 1.20, it doesn't work... weird.
I tried a bunch of options, but for whatever reason the ceImage1 doesn′t want to flash when I′m already on 1.20. And I don′t want a Frankenstein 1.10/1.20 mix... I′d like to make sure I′ve updated everything that′s inside the original ksx file.
Technically, the 1.20 nk.bin is all is needed to put over 1.10, the rest of files is identical except the local language files. You can use a file compare software to see what differred between the official 1.10 and official 1.20.
-
Technically, the 1.20 nk.bin is all is needed to put over 1.10, the rest of files is identical except the local language files. You can use a file compare software to see what differred between the official 1.10 and official 1.20.
Oh, well I guess it′s more or less fine then, but I still don′t know why your package refuses to update from a 1.20 install, but you still can downgrade to patched 1.10. And why my patched full 1.20 install seems to succeed but in fact the ceImage1 is kept unchanged. That sound sketchy, and I′d like to hear from you if you know a reason why this could happen.
-
Try this link to a full package (~30Mb) with a backup of the original 1.20 in Image2:
https://we.tl/t-GW2QZ3NnjQ (https://we.tl/t-GW2QZ3NnjQ)
-
And why my patched full 1.20 install seems to succeed but in fact the ceImage1 is kept unchanged.
:-// During work I loaded the interim versions into Image 2, keeping Image 1 original (I had a serial connection so I could select at power on which image I want to boot). Then once the work was finished I updated Image 1 as well. Hard to tell. But I did it over FERCSA's version 1.10. Maybe this should be the recommended way to do it.
Sadly I cant try things at this time. After I made the patch I was doing other work that required removing the BLT module a few times, and it seems I may have eventually damaged the module by flexing. Will look into it after the holidays.
-
Try this link to a full package (~30Mb) with a backup of the original 1.20 in Image2:
https://we.tl/t-3ODV5OcpUI (https://we.tl/t-3ODV5OcpUI)
(the link will expire in 7 days)
Well it worked, reinstalled 1.20 stock just to be on the safe side, then flashed your install file and it rebooted just fine with everything patched. That's not fair, I did the same thing! >:(
Thanks again man! ;D And Merry Christmas !
-
Thanks for confirming :) Happy 'scoping !
-
Here is the boot log of the liberated 1.20
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Flash: 512 KiB
NAND: internal ecc 128 MiB
Debug serial initialized ........OK
RTC: 2024-20-12 1:103:51.26 UTC
Microsoft Windows CE Bootloader Common Library Version 1.4 Built May 7 2015 01:
38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008
System ready!
Preparing for download...
RTC: 2024-20-12 1:103:51.26 UTC
Loading image 1 from memory at 0xD0600000
O
BL_IMAGE_TYPE_BIN
X
XXXXOOOOXXOOOOOOOOXOXOOOOOOOOXOOOXOOOOXXXOOOOOOOOOXOOOOXOXXOXOXXOXOXOXOXXXXOOXXX
OOOOOOXXOXXOXXXXXXOOOXXXOOXXOXOXXOXXOOOXOOOXXOOXOXOOOOXOXOOOOOXOOOXOOXOXXOXOXXXX
XXOXXXXOOOXOOOXOXOOOOXOOOOXOXOX
OOOOOOXOOOXOOXOOOOXOOOOXOOXXOOXOOOOOOOOOXOOOOXOOOOOOXOXOOOOXOXOOOOOOOXXOOXOOXOXO
OOXOOOXOOXXOXOXOOOXOXXXXXOXOXXXOXXXOXOXXOOOXXXOXXXXXXXXOXXXXXXXOXXXXOXOXXOXOOOXX
XXXOXXXXOOOXOXXOOX
XXOXXOOXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOXXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXXXOXOOOX
OXOOOXOOXXXXXXXXXXXXXrom_offset=0x0.
XXImageStart = 0x80361000, ImageLength = 0x1A857C0, LaunchAddr = 0x80362000
Completed file(s):
-------------------------------------------------------------------------------
[0]: Address=0x80361000 Length=0x1A857C0 Name="" Target=RAM
Loading image 1 succeeded.
ROMHDR at Address 80361044h
Preparing launch...
RTC: 2024-20-12 1:103:51.29 UTC
Launching windows CE image by jumping at address 0x 362000
Windows CE Kernel for ARM (Thumb Enabled) Built on Mar 8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Jun 10 2019)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000 size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers\Active\14
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200 (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
LAN PHY detected.
-EDeviceLoadEeprom 00:30:D3:20:D7:70
Phy found addr 15 (ticks=3502)
WaitForLink Start (ticks=3504)
Link Detected (ticks=3506)
GMAC Init : 100 Mbit/s FULL DUPLEX (MII)
Flushed Transmit Buffer
phyCfg->dwSpeed 0x64
phyCfg->bFullDuplex 0x1
<--EDeviceInitialize
GMAC DMA status register = 0x600004
GMAC Device enable interrupt
DriverStart
GMAC Device enable interrupt
LIN: Data Valid
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
Autonegociation Start (ticks=5533)
Autonegociation End (ticks=8038)
WaitForLink Start (ticks=8039)
Link Detected (ticks=8042)
GMAC Init : 100 Mbit/s FULL DUPLEX (MII)
cable attached
Device load time:
NANDFLASH: 0 ms
SNANDFLASH: 0 ms
USB Hard Disk Drive: 0 ms
Summary of scan:
All FATs on volume agree
Percent Fragmentation: 0
Invalid Directories: 0
Invalid Files: 0
Invalid Clusters: 0
Lost Cluster Chains: 0
ScanVolume \Agilent Flash (NANDFLASH) 0.306000
Summary of scan:
All FATs on volume agree
Percent Fragmentation: 0
Invalid Directories: 0
Invalid Files: 0
Invalid Clusters: 0
Lost Cluster Chains: 0
ScanVolume \Secure (SNANDFLASH) 0.402000
SHIM DLL, LoadRealDll [PalIO.dll] for [AgilentPalIO.dll]
SHIM [AgilentPalIO.dll] Get Process Addresses
LaunchInfiniiVision:
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll]
SHIM [AgilentPalSStorage.dll] Get Process Addresses
Create: \Secure\bin\
Released build, Jun 10 2019, 21:13:39
Initializing FPGA...
************************************
Ver: 1.067 Released
************************************
*** Liberating License: Acq Memory Max
*** Liberating License: Embedded serial decode and trigger
*** Liberating License: Automotive serial decode and trigger
*** Liberating License: Flex Ray serial decode
*** Liberating License: Power application
*** Liberating License: Segmented Memory
*** Liberating License: Mask limit testing
*** Liberating License: Telecom Mask Test
*** Liberating License: 500MHz Bandwidth
*** Liberating License: 200MHz Bandwidth
*** Liberating License: Audio serial decode and trigger
*** Liberating License: Education kit license
*** Liberating License: WaveGen license
*** Liberating License: 1553 & 429 serial decodes
*** Liberating License: Enhanced Video Triggering
*** Liberating License: Advance Math
*** Liberating License: Flex Ray Plus
*** Liberating License: Digital Voltmeter
*** Liberating License: ASV
*** Liberating License: Cable Calibration
*** Liberating License: Infiniium Mode
*** Liberating License: Remote Log
*** Liberating License: Circular Segmented Memory
*** Liberating License: Tomotherapy
*** Liberating License: F8AEAE82
Calibration mode User
Cal Date Sat Nov 07 00:57:51 2020
Startup sequence is complete.
SHIM DLL, LoadRealDll [PalSysManagement.dll] for [AgilentPalSysManagement.dll]
SHIM [AgilentPalSysManagement.dll] Get Process Addresses
SHIM DLL, LoadRealDll [PalCaps.dll] for [AgilentPalCaps.dll]
SHIM [AgilentPalCaps.dll] Get Process Addresses
SHIM DLL, LoadRealDll [PalWin32.dll] for [AgilentPalWin32.dll]
SHIM [AgilentPalWin32.dll] Get Process Addresses
System has been running 22.839304 seconds
Start Up Sequence 10.222012
Memory Load 58%
System Physical Memory 42.355 / 73.465 MB
Process Virtual Memory 46.875 / 1024.000 MB
-----> InfiniiVision is running <-----
will do USB phy workaround: CheckCRC
Running the hardware Self-Test after a boot:
** self test: PASSED : DDR Mem Bus
** self test: PASSED : Acquisition Memory
** self test: PASSED : ADC
** self test: PASSED : MegaZoom SIPO
** self test: PASSED : TrigComp & Mux
** self test: PASSED : Temp Sensor
** self test: PASSED : FirmwareStatus
** self test: PASSED : Language
I hooked up a LAN chip to the scope so there are associated entries for the network in the log. A stock 1000X would only say "PHY Not found" instead.
I also got the External Trigger mod, all passed.
Not sure if the 2 Megapoints memory is tested in the Acquisition Memory test, but that can be verified by other means.
-
If you modify ceImage1 and ceImage2,can you hack DSOX1102G?
All 1000X have same firmware, so all of them should work. The package was developed on a EDUX 1002A modified for 200MHz front-end, external trigger, Wavegen and LAN.
-
The LNK method does not work on 1000X.
When I use patched V1.20 file made by PhillyFlyers to hack EDUX1002A,with link file,it display strange options.
So,I think PhillyFlyers’s file patched not correctly or fully.
Maybe there exists Link file method to hack 1000X,but we do not find it so far.
-
Why do you want that, there are 1.10 and 1.20 available now. :-//
Several people have told you LNK method used for 2000X-4000X scopes is NOT working for 1000X. Connect a serial console to the scope and you will see error messages if you try using a Lnk file.
-
Why do you want that, there are 1.10 and 1.20 available now. :-//
Several people have told you LNK method used for 2000X-4000X scopes is NOT working for 1000X. Connect a serial console to the scope and you will see error messages if you try using a Lnk file.
Thank you.
When I go into 1000X WinCE and 2000X WinCE,I find they have similar file structure.
So I am thinking why we can not add 1000X options like 2000X-4000X with link file.
Is there other segment in infiniivisioncore.dll or some file needing to change?
-
They may be similar but it does not work on 1000X. This is what you get if you try making a LNK file
LaunchInfiniiVision: -l MSO -l BW20 -l DIS
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll]
SHIM [AgilentPalSStorage.dll] Get Process Addresses
Exception 'Raised Exception' (-1): Thread-Id=0457000a(pth=83df24f8), Proc-Id=045
6000a(pprc=83da9bd0) 'infiniivisionlauncher.exe', VM-active=0456000a(pprc=83da9b
d0) 'infiniivisionlauncher.exe'
PC=40068ae0(coredll.dll+0x00058ae0) RA=803782c8(kernel.dll+0x000062c8) SP=0002f2
d8, BVA=0002f3e4
PARSE ERROR: Argument: -l
Couldn't find match for argument
Brief USAGE:
infiniivision [--ExtTalClk] [--IntTalClk] [--4GSa] [--5GSa] [--]
[--version] [-h]
For complete USAGE and HELP type:
infiniivision --help
There is no -l argument option available in 1000X.
Good luck if you still want it.
-
They may be similar but it does not work on 1000X. This is what you get if you try making a LNK file
LaunchInfiniiVision: -l MSO -l BW20 -l DIS
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll]
SHIM [AgilentPalSStorage.dll] Get Process Addresses
Exception 'Raised Exception' (-1): Thread-Id=0457000a(pth=83df24f8), Proc-Id=045
6000a(pprc=83da9bd0) 'infiniivisionlauncher.exe', VM-active=0456000a(pprc=83da9b
d0) 'infiniivisionlauncher.exe'
PC=40068ae0(coredll.dll+0x00058ae0) RA=803782c8(kernel.dll+0x000062c8) SP=0002f2
d8, BVA=0002f3e4
PARSE ERROR: Argument: -l
Couldn't find match for argument
Brief USAGE:
infiniivision [--ExtTalClk] [--IntTalClk] [--4GSa] [--5GSa] [--]
[--version] [-h]
For complete USAGE and HELP type:
infiniivision --help
There is no -l argument option available in 1000X.
Good luck if you still want it.
Thank you.
I learn more.
-
Can someone please share their EDUX / 1000X Factory Cal files ? They are in the hidden \Secure\Cal folder. File names are or similar to :
ServiceCal.dat
FactoryCal.dat
-
Can someone help me with the Factory Cal files please ? :-/O
-
Can someone please share their EDUX / 1000X Factory Cal files ? They are in the hidden \Secure\Cal folder. File names are or similar to :
ServiceCal.dat
FactoryCal.dat
There you go, they come from a DSOX1102G though, hope it'll help you.
-
Well, I've tested the 1khz signal from another scope and it looks the same.
My bet is that somewhere on the front end there is a weird thing. Maybe the output filter (after diff amp)
Can someone confirm that on DSO1102 the filter has 47uH and 4.7pF?
Did you mean 47nH instead of 47uH?
https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg1983362/#msg1983362 (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg1983362/#msg1983362)
-
Good catch, should be 47nH.
-
There you go, they come from a DSOX1102G though, hope it'll help you.
Thanks a bunch, it did help, more good stuff will follow shortly.
-
Good catch, should be 47nH.
No, my typo :P I used this one: LQP18MN47NG02D 47nH
-
No, my typo :P I used this one: LQP18MN47NG02D 47nH
2.2 Ohm series resistance is a bit on the high side for a 47nH 0603, but don't know how relevant that is in this particular circuit.
-
Another problem I found last time is a jitter on external trigger. Scope can't align trigger edge with time 0.
Can you provide details of a test setup so I can try to replicate ?
-
Here is my contribution. The list of components to replace in the front end (both channels), trigger, product code, and three more resistors (display, edge adj and ext view) .
I also attached a few images from our colleagues in a different organization.
Moreover I'll update the list with the signal generator.
Two errors spotted in the Excel spreadsheet components list and the PNG screenshot (refer to the quoted post for details). An updated screenshot is attached.
-
Does a list exist for the 1000a --> 1000g wavegen components?
-
Try this link to a full package (~30Mb) with a backup of the original 1.20 in Image2:
https://we.tl/t-3ODV5OcpUI
(the link will expire in 7 days)
I successfully applied the 1.20 Hack made by Bud to my DSOX-1102G which had firmware 1.10 previously, it works like a charm! Great job Bud, congrats! Julio. :clap:
-
Try this link to a full package (~30Mb) with a backup of the original 1.20 in Image2:
https://we.tl/t-3ODV5OcpUI (https://we.tl/t-3ODV5OcpUI)
(the link will expire in 7 days)
Hello! Thank you for the work you put into this. Would it be possible to get a re-share of the download? TIA!
-
Hello! Thank you for the work you put into this. Would it be possible to get a re-share of the download? TIA!
Give this a go: https://mega.nz/file/vcF0zZ5Z#6B3GNsS3t1eJuQx6uP3YR7wk3dpoAewSRzmdZuL2szY
-
Give this a go
Super, worked perfectly on my scope. Thank you kindly.
-
Hi all,
I just received my new DSOX1202G and i noticed the FAN is noisy. It makes a noise like "grrrr" not that loud but if you sit at the bench for hours it's getting really annoying.
It looks really interested that you managed to hack DSOX1102. Is there a hack available for the newer model DSOX1202? I see all the replies are mostly for DSOX1102
-
Hi all,
I just received my new DSOX1202G and i noticed the FAN is noisy. It makes a noise like "grrrr" not that loud but if you sit at the bench for hours it's getting really annoying.
It looks really interested that you managed to hack DSOX1102. Is there a hack available for the newer model DSOX1202? I see all the replies are mostly for DSOX1102
The DSOX1202G has temperature controlled fan and noise should go low after a few seconds after turning the scope on.
This scope is linux based and there is no software hack available
-
Hi all,
I just received my new DSOX1202G and i noticed the FAN is noisy. It makes a noise like "grrrr" not that loud but if you sit at the bench for hours it's getting really annoying.
It looks really interested that you managed to hack DSOX1102. Is there a hack available for the newer model DSOX1202? I see all the replies are mostly for DSOX1102
The DSOX1202G has temperature controlled fan and noise should go low after a few seconds after turning the scope on.
This scope is linux based and there is no software hack available
Thank you for your fast response. Well it doesn't seem to go low after a few seconds, i have kept it on for 1-2 hours because i was working with and the noise was stable all the time. At least to my ears. The annoying thing is the noise type, it's not the air flow that you hear but something like grrrrr in higher frequency.
So for the linux version needs some further investigation.
-
Thank you for your fast response. Well it doesn't seem to go low after a few seconds, i have kept it on for 1-2 hours because i was working with and the noise was stable all the time. At least to my ears. The annoying thing is the noise type, it's not the air flow that you hear but something like grrrrr in higher frequency.
...
In my experience, the high frequency "grrrrr" is caused by the turbulent airflow between the slot pattern in the case and the input side of the fan. I modified my 1st gen 1000x by cutting out the slots in the case and replacing that function with a wire fan guard that is spaced farther away from the fan. It almost completely eliminated the annoying high frequency noise and is now mostly just the lower frequency "shhhh" of air movement.
Here's a photo:
-
This is a good idea. I gave a try with a quick 3D printed grid having in mind to reduce the possible FAN turbulence.
It made a small difference but there is still some noise.
(There is a cut in half to the printed part as it was a quick design and there was a mistake in the distances but it was still a good fit for test)
-
I wouldn't think that an added grill would help much.
I think that the annoying, higher frequency noise is being generated by the turbulence between each moving fan blade and the slotted grill in the case. The sound would have already been created before the added grill comes into play.
As an experiment, try removing the back case of the scope to hear the difference (it's only four screws).
-
Do you know if i remove the screws and the back cover will void the warranty?
-
I don't know.
-
Do you know if i remove the screws and the back cover will void the warranty?
In the US it does not void the warranty. Every country has different warranty laws, so you should ask your local Keysight rep.
-
As it's getting really disturbing while working i removed the back cover to check if the noise changes. But the result is the same. The noise is coming from the fan itself.
Check the video.
https://drive.google.com/file/d/13oBXFKfoMoiRLk5rrGS71VSptFmQdDiC/view?usp=sharing
I wouldn't expect this noise from an instrument that costs a thousand
-
In addition to the fan grill modification, I replaced the fan in my first generation 1000x with a Noctua NF-A6x25 FLX.
Don't know if it's appropriate for the second generation 1200x.
-
As it's getting really disturbing while working i removed the back cover to check if the noise changes. But the result is the same. The noise is coming from the fan itself.
Check the video.
https://drive.google.com/file/d/13oBXFKfoMoiRLk5rrGS71VSptFmQdDiC/view?usp=sharing
I wouldn't expect this noise from an instrument that costs a thousand
It must have a faulty fan. Mine had lower noise than the first generation 1000X
-
I can confirm DSOX1202 has the same FAN as 1102
HengLiXin HD6020B12M
-
I finally replaced the FAN with a Noctua NF-A6X25 and everything now sounds a lot smoother.
I created a small video in case anyone has the same issue and wants to hear samples
https://youtu.be/ekAmelIheRk
-
Hi guys,
Here is my history of trying to modify the EDUX1002A into DSOX1002A.
I bought all the components (a few imported and others directly from here, Brazil). When unmounting the parts one of the white plastic connectors in the logic board became loose in the board and I've tried to put it back with hot air... result: it melted.
A long time after trying to realize the type of connector and brand, finally found it. Luckily got it as a sample and soldered it. (https://www.te.com/usa-en/product-5177984-1.html (https://www.te.com/usa-en/product-5177984-1.html))
All the other components were put in place as specified. Particularly the WSON LMH6552SD is hard to tell if its in place correctly... because the contacts are bellow the IC. That may be one of the issues I am facing.
When i finally put that to work... the oscilloscope turned on, but any signal I put in the channels 1 or 2 doesnt show anything. Neither the test function is working... it is acting like there was no probe. May be the trigger.. may be the WSON IC... how to know?!
Another thing is the product ID. Even replacing the resistor it still shows EDUX in the screen. Is there anything I am missing? My firmware version is FERCSA's 1.10.
Happy to hear some tips on how to solve it.
update: updated the firmware to 1.20 and still working the same.
-
Another thing is the product ID. Even replacing the resistor it still shows EDUX in the screen. Is there anything I am missing? My firmware version is FERCSA's 1.10.
The model number in the screen will never change, as it is programmed somewhere protected in the FLASH memory, the same for the serial number
-
Hi guys,
Here is my history of trying to modify the EDUX1002A into DSOX1002A.
I bought all the components (a few imported and others directly from here, Brazil). When unmounting the parts one of the white plastic connectors in the logic board became loose in the board and I've tried to put it back with hot air... result: it melted.
A long time after trying to realize the type of connector and brand, finally found it. Luckily got it as a sample and soldered it. (https://www.te.com/usa-en/product-5177984-1.html (https://www.te.com/usa-en/product-5177984-1.html))
All the other components were put in place as specified. Particularly the WSON LMH6552SD is hard to tell if its in place correctly... because the contacts are bellow the IC. That may be one of the issues I am facing.
When i finally put that to work... the oscilloscope turned on, but any signal I put in the channels 1 or 2 doesnt show anything. Neither the test function is working... it is acting like there was no probe. May be the trigger.. may be the WSON IC... how to know?!
Another thing is the product ID. Even replacing the resistor it still shows EDUX in the screen. Is there anything I am missing? My firmware version is FERCSA's 1.10.
Happy to hear some tips on how to solve it.
If the connector that you resoldered is the one to the left, that is where the input signals are going to the ADC, so I suggest you to check the soldering of the connector one more time. It is strange that both channels are gone, so I suspect it can be this connector. Or it can be the WSON IC, as you said, it is very hard to solder. Remove them and check for bridges on the pads, clean and resolder with very few solder
-
Hi guys,
Here is my history of trying to modify the EDUX1002A into DSOX1002A.
I bought all the components (a few imported and others directly from here, Brazil). When unmounting the parts one of the white plastic connectors in the logic board became loose in the board and I've tried to put it back with hot air... result: it melted.
A long time after trying to realize the type of connector and brand, finally found it. Luckily got it as a sample and soldered it. (https://www.te.com/usa-en/product-5177984-1.html (https://www.te.com/usa-en/product-5177984-1.html))
All the other components were put in place as specified. Particularly the WSON LMH6552SD is hard to tell if its in place correctly... because the contacts are bellow the IC. That may be one of the issues I am facing.
When i finally put that to work... the oscilloscope turned on, but any signal I put in the channels 1 or 2 doesnt show anything. Neither the test function is working... it is acting like there was no probe. May be the trigger.. may be the WSON IC... how to know?!
Another thing is the product ID. Even replacing the resistor it still shows EDUX in the screen. Is there anything I am missing? My firmware version is FERCSA's 1.10.
Happy to hear some tips on how to solve it.
If the connector that you resoldered is the one to the left, that is where the input signals are going to the ADC, so I suggest you to check the soldering of the connector one more time. It is strange that both channels are gone, so I suspect it can be this connector. Or it can be the WSON IC, as you said, it is very hard to solder. Remove them and check for bridges on the pads, clean and resolder with very few solder
The connector that broke was the one near the Product ID. That may be the case it is not recognizing the modification.... still, the conector is perfectly fit.
Below are some pictures of the state of the oscilloscope. The trigger function has always to be in normal mode to show anything... cause it isnt synchronizing. The square shaped curves are measured in the test point without any function. The curvy shapes are the sine wave being generated by the HELP->sine generation. The signals not synchronized is just to show how it stays.
Please, if you can explain how to properly make the WSON IC soldering... cause I saw several tutorials on youtube and still have my doubts about it. If u can be clear about amount of tin, flux, air pump pressure and temperature I would really appreciate!
-
This is what works for me:
Use:
1. 63/37 (eutectic) 0.02" diameter leaded solder (like Kester 44).
2. A soldering iron tip that is chisel shaped and as close to the width of the pad as possible. I use a 700 degree (F) tip temperature for soldering and an 800 degree (F) tip temperature for desoldering.
3. Copious amounts of liquid flux! I use a Kester 186 flux pen. Amtech no-clean tacky flux is highly regarded but I have yet to try it.
4. 99+% isopropyl alcohol with a brush to remove flux.
For really small SMD parts (like the WSON package):
1. For rework, remove all lead-free solder from the pads using flux and copper braid.
2. Tin pads with leaded solder and then remove excess with flux and copper braid, so pads are perfectly flat.
3. Coat pads with plenty of liquid flux.
4. Place part on fluxed pads and hold in place with fine tweezers.
5. Wipe soldering iron tip on wet sponge to remove any solder or burnt flux. Tip needs to be perfectly clean and shiny.
6. Melt a tiny amount of solder on the very end of the soldering iron tip. This is the only solder that will be used to make the solder joint!
7. Briefly touch the solder that is on the end of the tip to the junction between the part and the pad and then smoothly pull the tip away along the surface of the pad. Surface tension of the solder will cause excess solder to be removed from the joint. The flux will make sure that the solder flows properly into the joint.
8. Clean off flux with isopropyl alcohol.
-
This is what works for me:
Use:
1. 63/37 (eutectic) 0.02" diameter leaded solder (like Kester 44).
2. A soldering iron tip that is chisel shaped and as close to the width of the pad as possible. I use a 700 degree (F) tip temperature for soldering and an 800 degree (F) tip temperature for desoldering.
3. Copious amounts of liquid flux! I use a Kester 186 flux pen. Amtech no-clean tacky flux is highly regarded but I have yet to try it.
4. 99+% isopropyl alcohol with a brush to remove flux.
For really small SMD parts (like the WSON package):
1. For rework, remove all lead-free solder from the pads using flux and copper braid.
2. Tin pads with leaded solder and then remove excess with flux and copper braid, so pads are perfectly flat.
3. Coat pads with plenty of liquid flux.
4. Place part on fluxed pads and hold in place with fine tweezers.
5. Wipe soldering iron tip on wet sponge to remove any solder or burnt flux. Tip needs to be perfectly clean and shiny.
6. Melt a tiny amount of solder on the very end of the soldering iron tip. This is the only solder that will be used to make the solder joint!
7. Briefly touch the solder that is on the end of the tip to the junction between the part and the pad and then smoothly pull the tip away along the surface of the pad. Surface tension of the solder will cause excess solder to be removed from the joint. The flux will make sure that the solder flows properly into the joint.
8. Clean off flux with isopropyl alcohol.
Thank you for the reply. Unfortunately this WSON package doesnt have a terminal on the side, just at the bottom. No way I can use the iron, has to be with hot air.
-
Thank you for the reply. Unfortunately this WSON package doesnt have a terminal on the side, just at the bottom. No way I can use the iron, has to be with hot air.
I have used that technique successfully on those LMH6552SD WSON packages. The key elements are pre-tinning the pads with leaded solder, lots of flux, and the precise alignment of the part on the pads. The liquid flux is essential to getting the solder to smoothly flow into the junction between the terminals underneath the part and the pad.
-
Thank you for the reply. Unfortunately this WSON package doesnt have a terminal on the side, just at the bottom. No way I can use the iron, has to be with hot air.
I have used that technique successfully on those LMH6652SD WSON packages. The key elements are pre-tinning the pads with leaded solder, lots of flux, and the precise alignment of the part on the pads. The liquid flux is essential to getting the solder to smoothly flow into the junction between the terminals underneath the part and the pad.
Ive checked the terminals and apparently there is a tiny terminal in the side of the package. I have to buy a more precise tip, but i couldnt find a chisel type that is too small as the terminal (0.25mm). Just cilindrical/conical. Is it a problem? The only flux i have is this paste like the "no clean flux" you said... but i have no idea if that is no clean. What do u think?
-
Another thing is the product ID. Even replacing the resistor it still shows EDUX in the screen. Is there anything I am missing? My firmware version is FERCSA's 1.10.
The model number in the screen will never change, as it is programmed somewhere protected in the FLASH memory, the same for the serial number
So what is the point of replacing the Product ID thru the resistors, tho? How can I check if the change is working?
-
Another thing is the product ID. Even replacing the resistor it still shows EDUX in the screen. Is there anything I am missing? My firmware version is FERCSA's 1.10.
The model number in the screen will never change, as it is programmed somewhere protected in the FLASH memory, the same for the serial number
So what is the point of replacing the Product ID thru the resistors, tho? How can I check if the change is working?
The information you see in the screen is not changed, but the scope will boot into the mode set by the resistors. You will see features that are only enabled on the DSOX, even when the information says EDUX...
The HW mod is required as the EDUX comes limited to 50MHz and no ext digital input on the additional BNC. By adding the missing components and changing those that are different, you are enabling the HW to be ready to the soft configuration that is liberated by the FERCSA Hack.
-
I used a 0.031" (0.79mm) chisel tip, turned so the width of it was vertical. Chisel tips are much preferred for this since they can feed solder to the joint more easily than a conical tip. Due to surface tension, a conical tip will tend to form a ball of solder at the tip which then places a blob of solder on the work. A chisel tip has a small reservoir of solder on the face of the chisel which can feed solder as needed by the size of the joint.
I highly recommend using liquid flux for small SMD parts. Paste flux can be too thick, causing the part to float and move as the paste begins to melt.
For me, precisely positioning the WSON over the thin pads was the most challenging. First time I tried it, the terminals centered themselves between adjacent pads.
-
Finally it worked! What made the real difference was using a 0.2mm copper soldering tip B900M-TI and the NO CLEAN FLUX. In addition I had a problematic resistor in the channel 1 causing me headaches.
Now I realized that the measurement is slightly out of calibration. I have already done the automatic user calibration from the scope and the probe capacitance calibration.
Is there any way we can calibrate it to make it more precise? I feel the trace is too thick and the peak voltage usually is higher than it should be.
-
Try this link to a full package (~30Mb) with a backup of the original 1.20 in Image2:
https://we.tl/t-GW2QZ3NnjQ (https://we.tl/t-GW2QZ3NnjQ)
Hi Bud,
I am trying to tryout your package on my DSOX1102G. It seems that the link has dead. Can I ask if we could get it refreshed? Thanks~
-
Grab it from this post:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg3388792/#msg3388792 (https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg3388792/#msg3388792)
User PhillyFlyers kindly provided a storage for it. :-+
-
Grab it from this post:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg3388792/#msg3388792 (https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg3388792/#msg3388792)
User PhillyFlyers kindly provided a storage for it. :-+
Thanks a lot! I have tried upgrading from 1.10 liberated firmware directly. So far so good~
-
I finally replaced the FAN with a Noctua NF-A6X25 and everything now sounds a lot smoother.
I created a small video in case anyone has the same issue and wants to hear samples
https://youtu.be/ekAmelIheRk
Hi candrian
I also have the original fan replaced by the Noctua one. Indeed part of the noise is gone, but there is still a high freq tone, not as good as you shown in the video. Not sure if the fan grill mod is also necessary...
-
The most important mod is a rubber suspension for the fan, so motor vibrations don't transmit into the "sound board" of the equipment enclosure... Often this is enough to make the stock fan tolerable.
-
I soldered the components to turn my DSOX1102A into a DSOX1102G, and I got the function generator to work but the amplitude of the signals is too high and causes signal clipping.
If I set the amplitude to a lower values the signals look fine.
When I traced back the signals, I could see it is the DAC itself that is outputting the larger than supposed amplitude and not the opamps that I soldered. It seems like the function generator is missing a calibration.
Can anyone who tried this let me know if you experienced a similar issue and how it can be fixed?
Thanks
-
I had that and it was fixed after running a user calibration. The scope however needs to be modded to the proper model with the strapping resistors.
-
Hello all,
I did go thru all thread, great work! thanks for effort, now I am happy user of DSOX1102A.
I have a couple a questions:
- Is fercsa.ksx can be applicable for FW 01.20 ? Found answer in post #767
- Is anybody tried solder not populated components for signal generator?
Thanks!
-
Hi All I found all answers thanks.
I did order parts, but I disappointed with BNC connector... The BNC jack which used in DSOX 1102X is non-standard...
Is anybody know part number for BNC which Keysight use?
Thanks
-
Did you find a full list of the other non-populated signal generator parts, including capacitor and inductor values?
-
I am going to start with: https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg2544486/#msg2544486 (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg2544486/#msg2544486)
The unspecified caps and inductor I am going use some regular value - I have standard kit of caps and inductors.
But I stuck with BNC it has smaller layout than regular BNC jack...
-
Do you think this BNC connector might work?
https://www.digikey.com/en/products/detail/te-connectivity-amp-connectors/1-1634505-0/1755945 (https://www.digikey.com/en/products/detail/te-connectivity-amp-connectors/1-1634505-0/1755945)
-
No ( since layout size for mounting posts biggest then layout at the PCB...
I already bought nice metallic BNC jack with the same size but it not fit.
I just wondering is any other BNC size for mounting posts is exists or Keysight use some custom BNC jack.
-
Do you think this BNC connector might work?
https://www.digikey.com/en/products/detail/te-connectivity-amp-connectors/1-1634505-0/1755945 (https://www.digikey.com/en/products/detail/te-connectivity-amp-connectors/1-1634505-0/1755945)
It took me months to find the correct BNC for the 1000X (EDUX1052A) and this one fits perfectly: https://fieldcomponents.com/RFB-1112-1B.html (https://fieldcomponents.com/RFB-1112-1B.html)
-
I soldered the components to turn my DSOX1102A into a DSOX1102G, and I got the function generator to work but the amplitude of the signals is too high and causes signal clipping.
If I set the amplitude to a lower values the signals look fine.
When I traced back the signals, I could see it is the DAC itself that is outputting the larger than supposed amplitude and not the opamps that I soldered. It seems like the function generator is missing a calibration.
Can anyone who tried this let me know if you experienced a similar issue and how it can be fixed?
Thanks
Did you make any photos? How many components do i need to do this modification? Because i did not disassemble yet my scope.
-
Hóóóii!
Can I help with this? Or isn't necessary anymore.
I've flashed the 1.2 hack on my EDUX1002A that i've bought with my first jobs!(factory eletronics/Firmware V1.1).
I get a little problem when measuring signals like Probe Comp,
Aparently there is a bug on display signal/points(?)
So I've downloaded and flashed the FERCA v1.1, aparently everything is fine, now I can try to use UART/i2c which was my biggest curiosity.
Has anyone scheduled all the upgrades we can do on an edux1002?
Without hardware, basically we can enable i2c and uart functions...maybe the acquisition memory?
With hardware we can modify the band from 50 to 200Mhz and add a functions generator, would the memory acquisition part be here too(on the dso model resistors select)?
Dave is the best english teacher ever!
best regards
-
I've flashed the 1.2 hack on my EDUX1002A that i've bought with my first jobs!(factory eletronics/Firmware V1.1).
I get a little problem when measuring signals like Probe Comp,
Aparently there is a bug on display signal/points(?)
So I've downloaded and flashed the FERCA v1.1, aparently everything is fine, now I can try to use UART/i2c which was my
You should try the original 1.2 firmware and if the problem is there, report it to Keysight.
-
I'll still be able to patch and unlock the decoding features?
-
But...wait ! There is more ! :D
It comes with 2 Megapoints of memory , double of what was achieved until now :box:
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1127724;image)
I used hacked 1.20 firmware.
Everything is a full option. Thank you sir.
Is the memory now 2M?
Or should I use another method?
-
It is unlocked as part of the 1.20 package.
-
It is unlocked as part of the 1.20 package.
Wow, that's amazing.
Have a nice day.
-
I agree. Just for fun I send some charts. It's not going to get any better...
Thank you.
-
But...wait ! There is more ! :D
It comes with 2 Megapoints of memory , double of what was achieved until now :box:
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1127724;image)
Here are test screenshots of memory depth of 1 and 2 MPoints - the 1.20 firmware captures twice as much of a waveform with 2 MPoints.
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1276945;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1276949;image)
Edit: Mind you this is the EDUX which stock model comes with only 0.1 MPoints. :D
-
A few more notes on Keysight acquisition memory.
The Single acquisition memory is the amount of sampling memory used when you press the “Single” button. In this mode the scope in general uses all available memory in full (still depends on Time/div setting). Attached is information that was collected from the Keysight 1000x Infiniivision oscilloscopes user manual. I think this information is important to understand and is worth memorizing (no pun intended) to be able to apply it to specific use cases and to maximize useful memory that will be used by the scope.
-
Segmented Memory mode:
We previously talked that v1.20 hack enabled 2 MPoints of Single acquisition memory and referred to Keysight’s explanation how it is used in different acquisition modes. Now, in reality things are a bit more complicated and may be confusing to an extent. This specifically applies to Segmented memory mode. Surprisingly, in fact FERSA 1.10 hack already made 2M Points of Segmented memory available, but it could only be used by the scope in Segmented mode (vs 1M points in Single acquisition mode). This new v1.20 hack has liberated 2M points for Single acquisition mode while Segmented memory stayed at 2M points. It is probably fair to say that most of the users will use Single acquisition mode much more often than Segmented one, so doubling the Single acquisition memory in v1.20 hack was of a great value to them.
To add to the confusion, the v1.20 hack actually also increased utilization of the Segmented memory by the scope. Stay with me to understand why. Let’s for the moment refer back to the following part of the above screenshot about the maximum number of data points:
- Whether segmented memory (available on DSOX1000-Series models) is on. Acquisition memory is divided by the number of segments
I found the second part of it not being entirely accurate. Calculating the number of points per segment is not as simple as dividing total memory by the number of segments. The scope seems to have a sophisticated algorithm for memory partitioning in Segmented mode and the number of points not always adds to 2M points. I am guessing this may be because some of the memory is used by the scope to perform the task for calculations, indexing of segments and such. It may vary as much as 50% depending on the number of segments selected by the user and is especially pronounced at low segments count, approaching more or less even and full memory utilization at higher segments count.
If that was not enough of a confusion and you want more, here it is. In Segmented memory mode there are actually two of them: Linear and Circular. Up until this point we were talking about Linear segmented mode. When you select Linear segmented mode, the scope will wait until all of segments are filled with data and then automatically stop the acquisition and display the captured data. In Circular mode the scope will continuously wrap around after all of segments are filled and it is up to the user when to hit the Stop button (while running in Circular the scope will display a rough segment counter but will not display the signal being acquired).
But this is not the only difference between Linear and Circular modes. They also seem to have different memory allocation algorithms. Number of memory points per segment in Circular mode always is less than that of in Linear mode under all other conditions being equal. My guess is the same as in the Linear mode this may be because of additional overhead required by the scope to perform the task, plus some more for additional calculation or alignment of segments, or to maximize the speed, do not know. The difference in number of samples per segment for a given Time/div between Circular and Linear modes can be as big as 50 %, that is – in Circular mode you may get twice as less number of points per segment then in Linear mode (depending on the number of segments). I think this is something that may need to be understood and kept in mind.
Now to the good news: the v1.20 mem hack provides an improvement in memory utilization in both Linear and Circular segmented modes, as much as 30% at some lower segments count. The chart below represents memory utilization in Linear mod for v1.20 with no mem hack and the same v1.20 with one.
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1278028;image)
-
Replacing the splash screen on 1000X:
You can use the attached scripts to install and restore a custom boot splash screen. The scripts were tested on EDUX 1002A but are expected to work for other 1000X series scopes. Instructions are in Readme files and are self-explanatory.
A few ready to use splash screen samples are also attached. You can use your own image but you need to format it to the specs outlined in the Readme file in Install Splash zip archive.
Here is the Altium parkour image installed as the custom splash screen on the EDUX:
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1278325;image)
-
Hacking into the WinCE shell:
The attached script allows to drop into the WinCE operating system shell. From there you can browse around and explore the application files/data, run external tools from USB to explore the Registry, run DOOM, etc. You can connect a keyboard or mouse to the USB port. This is more of a tool to satisfy your curiosity rather than anything for normal scope use.
This tool is based on an other fellow's work published earlier in this thread. My contribution was to wrap it in a script to make it simple to use.
-
Hi,
add a line with "copy" works great ...
%1\ShowTaskbar.exe
copy \Secure\cal\*.* \USB\
\windows\cmd.exe /c \windows\createUserAccounts.exe
-
If you want to make a copy of the calibration files you can simply run that command from the command line after dropping into WinCE shell.
-
It is true! Thank you.
But I fight with calibration. On the 1.6V External Trigger stops. When the EXT trigger is turned on, the timeline breaks down . I don't even want to advise, it's strange. :phew:
Trig Hyst B1 = 18937.725, B0 = 8124.452 **** CAL PASSED **** Time: 13 seconds
**** External Trigger Level **** /1 Trig B1 = 5303.000, B0 = 35814.000
/5 Trig B1 = 1071.000, B0 = 35814.000 **** CAL FAILED ****
Cal Date Fri Sep 17 13:59:06 2021 Update Cal Failed Header
Factory Cal Mode Revision : 2
Cal Mode : Factory Cal Satus : CAL_OK
Firmware Ver : 01.01.2016092800 Cal Temp : 24.250000 C
Cal Date : Fri Sep 30 11:35:23 2016 Cal Duration : 401s
Service Cal Mode Revision : 1
Cal Mode : Service Cal Satus : CAL_OK
Firmware Ver : 01.01.2016092800
-
Have you done the trigger mod ?
https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg3217012/#msg3217012 (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg3217012/#msg3217012)
-
Adding LAN interface:
None of the 1000X series scopes has Ethernet LAN interface. They are however capable of supporting one, which was reported on EEVBlog here:
https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg1347094/#msg1347094 (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg1347094/#msg1347094)
The BLT module on the scope, the Uboot bootloader and the device’s Windows CE operating system support LAN if one is built (a physical layer PHY chip is required) and connected to the unpopulated connector J104 on the BLT module. User hv222 of EEVBlog kindly shared reversed engineered information on the connector here:
https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg2183900/#msg2183900 (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg2183900/#msg2183900)
There was a trick however, that caused me a few days of headache and heavy troubleshooting trying to get going the LAN module that I built using the Microchip LAN8700 Ethernet PHY chip. I finally figured out that it was required to pull pin 39 of U104 to Ground in order to signal "LAN present" condition. Which I did and with the next reboot:
…
LAN PHY detected.
-EDeviceLoadEeprom 00:30:D3:20:D7:70
Phy found addr 31 (ticks=3225)
WaitForLink Start (ticks=3227)
No Link (ticks=4229)
<--EDeviceInitialize
GMAC DMA status register = 0x0
LIN: Data Valid
…
WaitForLink Start (ticks=6219)
Link Detected (ticks=6220)
GMAC Init : 100 Mbit/s FULL DUPLEX (MII)
Flushed Transmit Buffer
phyCfg->dwSpeed 0x64
phyCfg->bFullDuplex 0x1
<--EDeviceInitialize
GMAC DMA status register = 0x600004
DriverStart
GMAC Device enable interrupt
cable attached
The System screen now showed a LAN interface:
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1283110;image)
To scan open ports on the EDUX I used the software called Angry IP Scanner (https://angryip.org/ (https://angryip.org/)). This resulted in discovering a few open ports as shown in the following screenshot:
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1283116;image)
It can be seen that the scope has the following ports/services available:
- port 21: FTP
- port 23: Telnet
- port 80: WEB HTTP interface
- port 443: not sure how it may be used, refuses connections from the browser using HTTPS
- port 111: unknown use
- ports 5024, 5025: SCPI interface that provides access from Keysight IO Libraries and software like BenchVue over the network LAN interface.
With the LAN interface built and configured, you can use Telnet to remotely connect to the oscilloscope’s IP address using the following credentials:
User: infiniivision
Password: skywalker1977
Once logged in, you are in the Telnet Home folder and can run a DIR command to look around.
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1283122;image)
From here you can explore the file system and run commands supported by the Pocket CMD command line interpreter. You can copy, delete, rename files, run the executables located in \Windows and other folders, list processes, kill processes, reboot the scope, etc. There is a hidden folder \Secure which is not listed by the DIR command, but it is possible to get in by typing cd \Secure in the Telnet window. There are several subfolders inside there including the \Secure\Infiniivision\web folder.
-
The StupidBear LAN board for the EDUX provides 100Mbit/s full duplex network Ethernet connectivity. It also has a USB-to-UART bridge and a second USB Host port, which were used for debugging and to connect a keyboard or mouse. They are not needed if only LAN is required. The board gets power from the main board. Refer to the PDF attachment for the schematic.
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1283842;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1283848;image)
The board was designed to plug in to the installed mezzanine connector J104 on the BLT board and then is secured to the main board's existing mounting poles via 2.5mm spacers. Raising the StupidBear LAN board above the main board by 2.5mm was required in order to maintain proper mating to the mezzanine connector J104 on the BLT board. The BLT board has to be unscrewed and lifted off, the LAN board is connected to it, then the entire assembly is carefully placed on the main board, and is secured with 4 BLT board screws and two new screws by the LAN connector (again, two 2.5mm spacers are needed under the LAN board to maintain proper height above the main board).
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1283860;image)
The stock scope does not have J104 soldered. The connector must be purchased and soldered onto the BLT board. The connector data:
Amphenol 61083-041402LF
Digikey part number: 609-1667-1-ND
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1283854;image)
Also attached is the BOM that has DigiKey part numbers for the critical components, and the Gerber files to order a PCB if you want to build a StupidBear LAN board for your Keysight 1000X including the EDUX model and have some fun.
Important: The LAN PCB thickness must be 1mm in order to have some clearance above the components under it on the scope's main PCB.
-
Using Keysight LXI (LAN eXtensions for Instrumentation) interface using Keysight BenchVue:
Keysight BenchVue is a software that provides virtual instrument panels for accessing and controlling network devices supporting LXI interface over Ethernet. With the LAN interface added to the scope, BenchVue worked just fine (a trial version of BenchVue can be downloaded from Keysight web site). The following screenshot shows a session with the modified EDUX1002A scope on which the Wavegen was unlocked too:
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1283893;image)
Custom software can be created in a number of usual ways in C, VB, VBA and other programming languages using Keysight I/O libraries.
Talking to LXI interface using telnet (port 5024):
With the LAN interface added it is possible to exchange SCPI commands and data with the scope just over Telnet using port 5024. Telnet credentials to log in to the scope are the same as for the regular Telnet connection provided earlier above. The following screenshot captured a few commands/responses exchanged that way:
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1283899;image)
Using WEB interface and FTP:
WEB server and \Secure\Infiniivision\web folder is the home folder of the scope’s WEB server, the one you get connected to from outside using your favorite Internet browser to the scope’s IP address. On the 1000X the web folder is empty but you can put WEB pages and applications in it and use it just like a regular WEB server, within the limitations of web technologies supported by Windows CE 6.0. Regular WEB sites, ASP and JAVA pages seem to work fine, as long as the WEB pages do not attempt to interact with the operating system by calling or creating COM objects that may not exist or unsupported.
FTP root folder:
FTP connectivity using the same credentials as for Telnet. In the scope file system the FTP root folder is set to \Temp. Once connected, two other folders can be seen:
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1283905;image)
Using FTP, files and data can be copied to the scope and back, which can be used in conjunction with Telnet to explore and experiment with the device. The FTP storage is however volatile, data is lost after a reboot.
Webdata folder is mapped to \temp\webdata.
Webupdate folder is mapped to \Agilent Flash\webupdate , which is a hidden folder and may somehow be used for firmware updates over FTP, not sure. It is not accessible from the browser using HTTP.
-
Yes, of course...
Update: **** CAL PASSED ****
A little bad soldering U9 / pin2
I am happy :)))
Thank you.
-
Attached.
-
My posts #827 and #828 are now updated.
-
External Trigger reverse engineered schematic (with the External Trigger hardware mod in place).
-
The StupidBear LAN board for the EDUX provides 100Mbit/s full duplex network Ethernet connectivity. It also has a USB-to-UART bridge and a second USB Host port, which were used for debugging and to connect a keyboard or mouse. They are not needed if only LAN is required. The board gets power from the main board. Refer to the PDF attachment for the schematic.
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1283842;image)
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1283848;image)
The board was designed to plug in to the installed mezzanine connector J104 on the BLT board and then is secured to the main board's existing mounting poles via 2.5mm standoffs. Raising the StupidBear LAN board above the main board by 2.5mm was required in order to maintain proper mating to the mezzanine connector J104 on the BLT board. The BLT board has to be unscrewed and lifted off, the LAN board is connected to it, then the entire assembly is carefully placed on the main board, and is secured with 4 BLT board screws and two new screws by the LAN connector (again, two 2.5mm standoffs are needed under the LAN board to maintain proper height above the main board).
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1283860;image)
The stock scope does not have J104 soldered. The connector must be purchased and soldered onto the BLT board. The connector data:
Amphenol 61083-041402LF
Digikey part number: 609-1667-1-ND
(https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1283854;image)
Also attached is the BOM that has DigiKey part numbers for the critical components, and the Gerber files to order a PCB if you want to build a StupidBear LAN board for your Keysight 1000X including the EDUX model and have some fun.
Nice board!
-
Hi everyone ;)
I'm considering about moddinng the WaveGEN recently , but i’m stucking on some problems :palm:
(Thank you for the schematic provided by hv122)
Yeah..we have the schematic..but how to confirm the capacitors and inductors even FB's value?
-
Here is the function generator schematic with the LPF filter values that I used. The LPF was designed for 40MHz cut-off frequency.
I did not use the output filter C29 L7 L8 C30. Jumpers were used instead of inductors L7/L8.
The generator requires populating the unused parts in the power supply section on the main PCB for +/-15V and +/-5V supply rails. Attached is a photo of the populated +/-15V section.
Digikey part numbers for the additional aluminum capacitors:
470uF 35V P18963CT-ND Qty 2
100uF 50V 493-2306-1-ND Qty 2
The positive 15V voltage regulator Digikey P/N:
MC78M15CTTRKGOSCT-ND
I did not keep the bag from the negative 15V rail regulator but I suppose it was Digikey P/N:
MC79M15CDTRKGOSCT-ND
The +/-5V power supply section is on the bottom side of the main board next to the power supply connector. There are two ICs: U17 (LM79L05) and U18 (LM78L05) and a few capacitors around them that need to be populated.
Some Digikey part numbers I used for the function generator:
Resistor array 4x10K 1206 CRA6S810.0KACT-ND Qty 2
Resistor array 4x100K 1206 Y9104CT-ND Qty 2
Resistor 18 Ohm 2512 1W 541-18.0AFCT-ND Qty 3
Relay DPDT 4.5VDC 255-5466-1-ND Qty 2 (you need one more for External Trigger mod)
IC Quad Comparator LM339AMX/NOPBCT-ND Qty 1
IC NOR Gate MC74ACT02DGOS-ND Qty 1
Diode array BAV99 1727-4311-1-ND Qty 4
-
WOw,thanks! :-+
-
Have fun, as much or more as I had working on the mods. The EDUX1002A is a treasure, it was incredible fun working with it to update it from the lowest model in the series to the highest one and actually overpassing the highest DSOX1102G 2-channel model in the series because of addition of the LAN port and 2MPoints acquisition memory. The EDUX1002A is like Keysight version of Flir E4 which was I also had a lot of fun with upgrading. :D
-
Have fun, as much or more as I had working on the mods. The EDUX1002A is a treasure, it was incredible fun working with it to update it from the lowest model in the series to the highest one and actually overpassing the highest DSOX1102G 2-channel model in the series because of addition of the LAN port. The EDUX1002A is like Keysight version of Flir E4 which was I also had a lot of fun with upgrading. :D
Exactly , by the way,I got a EDUX1052A few days ago and I'm going to take it apart 8)
Waitting my photos 8)
-
Bud,
Do you recall what you used for L6 and L10?
They are on your separate schematic for the VP15_FG and VM15_FG supplies.
-
Just some regular 1A-2A ferrite beads that i had in the parts bin, i did not buy anything special. This is not a critical part.
-
Tadaaaa 8) New KEYSIGHT EDUX1052A Teardown
It's almost identical to previous 1000x version
New features:
1.LAN port(MicroChip 8710A)
2.Fan controller(LP2951)
3.The frontend removes two capacitors and one resistor,using OPA4872 instead of LMH6574 and changing some resistor's value.
4.Larger RAM and ROM in BLT board,It may be designed to adapt new Linux sysytem and 2M memory depth.(Now has 256M rom and 128M ram(for MegaZOOM asic),Old 1000x has 128M rom and 64M ram)
-
This bnc jack is well fitted and made by Dosin China. (It's also difficult to find in China,this bnc jack is finest quality that i can find in mass production)
Part number:801-0033, (https://www.china-guan.com/product-item/dosin-801-0033 (https://www.china-guan.com/product-item/dosin-801-0033))
BUY here: https://detail.1688.com/offer/657779171916.html?spm=a26286.8292848.success-action.2.b308749fX3nwpG (https://detail.1688.com/offer/657779171916.html?spm=a26286.8292848.success-action.2.b308749fX3nwpG)
(I have confirmed they can express to forign countries)
Update:
Another high quality BNC jack,It seems better than Dosin and much cheaper than Doisn,showing in picture BNC3.
BUY here: https://detail.1688.com/offer/627726966672.html?spm=a261y.7663282.combination.5.2cb465d0GekFEA (https://detail.1688.com/offer/627726966672.html?spm=a261y.7663282.combination.5.2cb465d0GekFEA)
-
Hi all,
Meet problems here, my EDUX1002G show no waves at all.
Product config is set to be 24, FW=1.20 patched; no other hardware mod is performed.
I re-installed the official FW1.20 but still failed and showed same error.
Self test failed: ADC:TrigComp & MUX
User test is unable to finish.
The boot log via UART mainly says:
HARDWARE ERROR!!!!! ******** I-Clock failure ******** (12)
HARDWARE ERROR!!!!! ******** Timeout while trying to stop Talon clocks ******** (2)
HARDWARE ERROR!!!!! ******** P-Clock failure ******** (13)
HARDWARE ERROR!!!!! ******** Timeout while trying to stop Talon clocks ******** (2)
I have no idea what's gone wrong here, it's so frustrating as I am new to hack hardwares and it's my first scope.
Please, can anyone help? Appreciate any help or comment.
Regards,
Eric
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Flash: 512 KiB
NAND: internal ecc 128 MiB
Debug serial initialized ........OK
RTC: 2024-21-6 7:88:5.6 UTC
Microsoft Windows CE Bootloader Common Library Version 1.4 Built May 7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008
PHY not found.
System ready!
Preparing for download...
RTC: 2024-21-6 7:88:5.6 UTC
Loading image 1 from memory at 0xD0600000
O
BL_IMAGE_TYPE_BIN
X
XXXXOOOOXXOOOOOOOOXOXOOOOOOOOXOOOXOOOOXXXOOOOOOOOOXOOOOXOXXOXOXXOXOXOXOXXXXOOXXXOOOOOOXXOXXOXXXXXXOOOXXXOOXXOXOXXOXXOOOXOOOXXOOXOXOOOOXOXOOOOOXOOOXOOXOXXOXOXXXXXXOXXXXOOOXOOOXOXOOOOXOOOOXOXOX
OOOOOOXOOOXOOXOOOOXOOOOXOOXXOOXOOOOOOOOOXOOOOXOOOOOOXOXOOOOXOXOOOOOOOXXOOXOOXOXOOOXOOOXOOXXOXOXOOOXOXXXXXOXOXXXOXXXOXOXXOOOXXXOXXXXXXXXOXXXXXXXOXXXXOXOXXOXOOOXXXXXOXXXXOOOXOXXOOX
XXOXXOOXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXXXOXOOOXOXOOOXOOXXXXXXXXXXXXXrom_offset=0x0.
XXImageStart = 0x80361000, ImageLength = 0x1A857C0, LaunchAddr = 0x80362000
Completed file(s):
-------------------------------------------------------------------------------
[0]: Address=0x80361000 Length=0x1A857C0 Name="" Target=RAM
Loading image 1 succeeded.
ROMHDR at Address 80361044h
Preparing launch...
RTC: 2024-21-6 7:88:5.9 UTC
Launching windows CE image by jumping at address 0x 362000
Windows CE Kernel for ARM (Thumb Enabled) Built on Mar 8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Jun 10 2019)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000 size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers\Active\14
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200 (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
LAN PHY NOT detected.
DeleteP500EnetRegistry:
\Comm\GMAC 0x0
\Comm\GMAC1 0x0
\Comm\Tcpip\Linkage 0x0
\Drivers\Virtual 0x0
\Drivers\BuiltIn\LIN 0x5
LIN: Data Valid
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
Device load time:
NANDFLASH: 0 ms
SNANDFLASH: 0 ms
SHIM DLL, LoadRealDll [PalIO.dll] for [AgilentPalIO.dll]
SHIM [AgilentPalIO.dll] Get Process Addresses
LaunchInfiniiVision:
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll]
SHIM [AgilentPalSStorage.dll] Get Process Addresses
Released build, Jun 10 2019, 21:13:39
Initializing FPGA...
************************************
Ver: 1.067 Released
************************************
*** Liberating License: Acq Memory Max
*** Liberating License: Embedded serial decode and trigger
*** Liberating License: Automotive serial decode and trigger
*** Liberating License: Flex Ray serial decode
*** Liberating License: Power application
*** Liberating License: Segmented Memory
*** Liberating License: Mask limit testing
*** Liberating License: Telecom Mask Test
*** Liberating License: 500MHz Bandwidth
*** Liberating License: 200MHz Bandwidth
*** Liberating License: Audio serial decode and trigger
*** Liberating License: Education kit license
*** Liberating License: WaveGen license
*** Liberating License: 1553 & 429 serial decodes
*** Liberating License: Enhanced Video Triggering
*** Liberating License: Advance Math
*** Liberating License: Flex Ray Plus
*** Liberating License: Digital Voltmeter
*** Liberating License: ASV
*** Liberating License: Cable Calibration
*** Liberating License: Infiniium Mode
*** Liberating License: Remote Log
*** Liberating License: Circular Segmented Memory
*** Liberating License: Tomotherapy
*** Liberating License: F8AEAE82
Calibration mode User
Cal Date Tue Feb 23 08:31:11 2021
Expected 0x38 got 0x0
HARDWARE ERROR!!!!! ******** I-Clock failure ******** (12)
HARDWARE ERROR!!!!! ******** Timeout while trying to stop Talon clocks ******** (2)
Expected 0x38 got 0xc6 Baldwin 0 (Master = 0, Slave = 1)
Continuing as if there weren't a problem
HARDWARE ERROR!!!!! ******** P-Clock failure ******** (13)
Startup sequence is complete.
HARDWARE ERROR!!!!! ******** Timeout while trying to stop Talon clocks ******** (2)
HARDWARE ERROR!!!!! ******** Timeout while trying to stop Talon clocks ******** (2)
HARDWARE ERROR!!!!! ******** Timeout while trying to stop Talon clocks ******** (2)
HARDWARE ERROR!!!!! ******** Timeout while trying to stop Talon clocks ******** (2)
System has been running 14.704744 seconds
Start Up Sequence 5.387492
Memory Load 50%
System Physical Memory 36.211 / 73.465 MB
Process Virtual Memory 44.750 / 1024.000 MB
-----> InfiniiVision is running <-----
will do USB phy workaround: CheckCRC
HARDWARE ERROR!!!!! ******** Timeout while trying to stop Talon clocks ******** (2)
HARDWARE ERROR!!!!! ******** Timeout while trying to stop Talon clocks ******** (2)
-
Assuming that you removed the BLT board to get to the config resistors, carefully check all of the BLT and matching motherboard connectors, including their solder joints, for damage.
-
Could be incorrect strapping resistors value or position. Double check the product ID config for 1102G
You only change resistors on the main board, not on BLT board.
-
Config resistors are on the main board but the connectors can be damaged when removing the BLT board to get access to them. Those board to board connectors can be very tight and require significant force to separate them.
-
I use these filter showing in pictures, all parts are easy to buy and make full use of them.
(NOT offical values,unless someone will measure and share them :D)
https://rf-tools.com/lc-filter/
The 0603 ferrite beads near EL5166ISZ and EL5166ISZ which you can get them from channel 1,2.(only EDU version)
I use TDK MPZ2012S601AT000 as another 0805 ferrite bead.(600 OHM@100MHZ 2A)
-
Hi Bud, I have a question, what’s the meaning of this part and how to set C13's value?
Thanks!
-
The value is in the PDF version of the schematic in reply #835. It was selected based on minimum ringing in a circuit simulator with step voltage applied to pin 3.
-
The value is in the PDF version of the schematic in reply #835. It was selected based on minimum ringing in a circuit simulator with step voltage applied to pin 3.
c31 and c13 are not noted :P
-
I've refreshed the PDF now, not sure how that happened.
-
Bud,
Did you add a switch to turn on the waveform generator function?
-
I have not finished that part. Only controlled the gen via GPIB.
-
Hi,
Checked the ID resistor, no problem. I found some others have the problems too.
https://www.eevblog.com/forum/testgear/keysight-1200a-x-series-(edux1052a)-p-clock-and-i-clock-malfunction-error/ (https://www.eevblog.com/forum/testgear/keysight-1200a-x-series-(edux1052a)-p-clock-and-i-clock-malfunction-error/)
The scope showed no waveforms, and indicate P/I-clock error.
Memeber pnv57 said:
This happened to me, after I ripped the two terminals that are next to each other on the BLT board.
I soldered them back, and got those errors.
Went back through, and soldered them all better, errors gone, now I have a trace.
The issue is that the trace would "jump" and the sine wave would be static (triggered) on the screen, but there would be a little step in it.
I went back though, and I added solder while bending each pin down to the board with a pick, and allowing the solder to harden before removing the pick.
This made all of the connections much better and fixed the problem for me.
I suggest that you remove and reinsert the BLT board, and if that doesn't work, use a pick and ensure each pin of the 4 connectors is firmly attached.
Honestly, I don't really understand what he's saying? By just re-inserting the BLT module can fix the error?
I have tried re-inserting many times but showed no improvement.
So, it looks like it's not the ID config resistor problem, but the soldering junction contact problem?
Any suggestion for my situation and comments? Please help, thank you!
-
Hi,
Checked the ID resistor, no problem. I found some others have the problems too.
https://www.eevblog.com/forum/testgear/keysight-1200a-x-series-(edux1052a)-p-clock-and-i-clock-malfunction-error/ (https://www.eevblog.com/forum/testgear/keysight-1200a-x-series-(edux1052a)-p-clock-and-i-clock-malfunction-error/)
The scope showed no waveforms, and indicate P/I-clock error.
Memeber pnv57 said:
This happened to me, after I ripped the two terminals that are next to each other on the BLT board.
I soldered them back, and got those errors.
Went back through, and soldered them all better, errors gone, now I have a trace.
The issue is that the trace would "jump" and the sine wave would be static (triggered) on the screen, but there would be a little step in it.
I went back though, and I added solder while bending each pin down to the board with a pick, and allowing the solder to harden before removing the pick.
This made all of the connections much better and fixed the problem for me.
I suggest that you remove and reinsert the BLT board, and if that doesn't work, use a pick and ensure each pin of the 4 connectors is firmly attached.
Honestly, I don't really understand what he's saying? By just re-inserting the BLT module can fix the error?
I have tried re-inserting many times but showed no improvement.
So, it looks like it's not the ID config resistor problem, but the soldering junction contact problem?
Any suggestion for my situation and comments? Please help, thank you!
It seems that he resoldered all connectors on BLT board :-\
I guess because it's a multi-layer board and it's a little bit diffcult to take down, it may be injured when you take down it.
I wish it doesn't have any injury between internal lines :-//
-
Has anybody managed to hack the function generator of DSOX1202G? Could it be converted to a waveform generator ?
-
Has anybody managed to hack the function generator of DSOX1202G? Could it be converted to a waveform generator ?
I'm afraid not,because it needs to redesign the whole software and hardware,not just simply hack hum?
It’s better to buy an AWG ;)
-
It looks to me the waveforms it already creates are not standard waveforms. It looks like the SW is reading a file describing the waveform's pattern and then producing it on the output. I believe it's also an easier implementation for the manufacturer to have been implemented like this.
-
There has to be UI items for each waveform in the menu. You can't hack something that does not exist.
-
Yes I understand what you have in your mind but what you are describing is in higher kevel. The menu items are the front end but in the back end it's not impossible to call an app which loads a waveform pattern from a descriptor file.
It doesn't mean that because there is no option in the menu that you can't run something in the back end using another interface once you have gain access to the system.
-
As for the wavegen button,they didn't redesign the button pannel,just cut them off to cut the cost.
So...you just need to find something to prolong it or just use something to stick it. :-DD
-
I finished my EDUX1052A mod(both frontend and wavegen) but have some problems.
When i use product id 33(DSOX1202G) or 35(EDUX1052G),I can't pass the user cal(hardware self test passed),but 1202A(32) and 1052A(34) are passed.
The wavegen works not well,the amplitude of the signals getting too high causes signal clipping,and in some amplitude it's not coherent,I don’t know whether it's reason is uncalibrated.
The uart in new models is locked,it needs the username and password to login,so i can’t get any information.
SOLVED:There is another part of components on the back of board showing in #864
-
Have you verified that the Self Cal feedback circuit in the Wavegen is working properly?
It is comparator U10D in Bud's schematic:
https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1288201 (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1288201)
-
Thanks,There is another part of components on the back of board,I didn't notice them!
After added them,self test and user cal passed,wavegen works well.
Conclusion:EDUX1052A can be moded to DSOX1202G 70M version,enjoy it! :D
PRODUCT ID:
DSOX1204A: 30
DSOX1204G: 31
DSOX1202A: 32
DSOX1202G: 33
EDUX1052A: 34
EDUX1052G: 35
-
Hello! Updating the firmware of edux1002G, without changing anything in the hardware, is there any improvement? Memory depht? Waveforms?
-
You will get more memory but if any of the added modes require enhanced trigger, the scope may likely fail user calibration because you did not modd-ed the trigger circuit.
-
Understand. For the hack to be effective, would i'm have to modify the firmware and hardware then? And the wf/s, any improvement?
I see that the edux1052 has twice the memory and wf/s, so I'm not sure whether to buy the edux1002g (1 year warranty) or edux1052g (3 year warranty) the distributor has the 2 models here, but the 1052g is $230 (usd) more expensive
-
I do not know how to measure wf/s , and there is no indication of this mettic in the setup screen.
-
I wrote wrong sorry. It's wfm/s.
-
I know what you mean. This is a specification on the device datasheet, you can't measure it.
-
Yes. My question was if the wfm/s specification changes when updating the edux1002g firmware?
-
That is what I am trying to say - you can't measure it and therefore it is unknown if it changed or not.
-
Now I get it. Sorry for this, my english is bad.
Thanks for the answers.
Do you think I should buy the edux1002g or the edux1052g? EDUX1052G is more expensive, but in addition to having better performance, it has an additional 2 years warranty.
-
It should be your decision.
-
That's right!
I bought the edux1052g.
Thank you very much Bud for your help and patience.
Best regards, Raphael
-
Hi Everyone,
Thank you to all who have put time effort and money into figuring out these upgrades, I really appreciate it. I'm having an issue with the external trigger view for an EDUX1002A which has had its ID set to 23 (DSOX1202A) had the trigger mod done and had the 1.20 license enabled firmware (including the 2Mpt memory hack) installed. I've checked and double checked all the modifications required and the quality of the work and can't figure out what's causing this.
Everything works perfectly until I enable external trigger view (pressing the "External" button). When I do that and the time base is set to greater than 50us/ then a weird artifact occurs where the data to the left and right of the trigger point no longer match. Below is the capture with channel 1 monitoring the probe compensation signal and externally triggering off the probe compensation signal using a second 10:1 probe, everything is fine.
[attach=1]
I turn on external view, with no other changes and you can see the strange artifact as shown below.
[attach=2]
If I set the timebase to less than 100uS/ the artifact goes away. Maybe interestingly, the artifact always occurs a fixed number of divisions to the left of the trigger point.
[attach=3]
Part of me definitely wonders if it's part of the memory hack, just because it looks so much like a circular buffer overflow, but I can't find any information about anyone else having the issue (though it's maybe an edge use case?). I would uninstall the hacked software to see if that's the cause, but frankly I'm not sure how to do that.
Any help or pointers as to what I should be looking at would be greatly appreciated.
Mike
-
Confirmed.
-
You can downgrade to an official firmware but i'd think you will also have to change the ID back.
-
Thanks JDubU and Bud, I was mainly interested in understanding if the issue was specific to my machine, or due to the hack. Obviously backing out the firmware hack causes a bigger loss of functionality than dealing with the issue by avoiding the condition that manifest it, this sort of thing is always a risk when you take a "working" machine and try to "improve" it.
Bud, I'm not sure if you performed the hack or were just the gateway for it to this community, but you definitely seem close to the source. Is there any chance of a version without the memory hack? Of course I don't know this is the issue, I'm just latching on to how similar it looks to other issues when buffer indexes have wrapped around. I know this isn't the latest hotness anymore, but some of us are still keen on our little scopes.
Thanks again,
Mike.
-
There was no memory wraparound problem at the time when extended memory was enabled, i tested that with a linear voltage ramp over the entire screen. I tested both channels but i did not test the external trigger view. Try to turn on Ch1 Ch2 in addition to external view and see if you observe similar issues on Ch1 Ch2 traces.
Edit: Found the screenshot of a linear ramp. 2MSa/s over 1s horizontal (10 divisions 100mS/) gives 2 MPoints of memory.
-
I'll try channel 2 and the linear sweep with the external trigger view tonight.
Edit: issue affects both channels. Everything still works fine with the external view off. Below the ramp is triggering off the external probe on the same signal as channel 2. Scope_9 is both channels showing the probe compensation with ext view on.
Scope_10 is the ramp on channel 2
scope_11 is the same ramp but with ext view on.
-
So I've been following this thread and am considering getting one of these. I'm messing around on Mouser looking at parts costs, and is it really necessary to use the LMH6552SD? According to the datasheet, the LMH6552MA has the same lead spacing, and actually has leads! Plus it looks like it's replacing an SOIC already, so why replace it with a WSON? The MA is $1.50 more, but easier to solder.
-
Do it and let us know if that worked ! :)
-
Well, if I order from Mouser, some things are back ordered. It won't be until May or June until I'd get them. Was just curious if there was a specific reason you chose that one or if it is just what was in the parts bin. Thanks for the work you put into this, it's a great value. Getting the parts could be an issue though. Just wanted to get it right.
-
I am not a right person to ask, several people did it long before me.
-
It looks like Keysight has released v2.12 for this. I'm not a code expert, but it looks like it's still Win CE. Does anyone know if there are any added security measures that would prevent the software hack from working?
-
If it is for DSOX1200 series scope, it is Linux.
-
Indeed it is. *Sigh* Briefly looking through the code, there are references to the 1000x series though. I'll assume they switched to Linux on version 2.0, and it's now impossible to do the software mods. Thanks for the help!
-
Keysight refers to both DSOX1100 (WinCE) and DSOX1200 (Linux) series as 1000 series scopes. Go figure.
-
Ok, so I answered my own question regarding the LMH6552, but raised another one. As per the data sheet:
8.2.1.2.1 WSON Package
Due to its size and lower parasitics, the WSON requires the lower optimum value of 275 Ω for RF. This gives a
flat frequency response with minimal peaking. With a lower RF value the WSON package has a reduction in
noise compared to the SOIC with its optimum RF = 360 Ω.
The stock value in the scope is 390 Ω. With the proper Rf (275 Ω), the noise floor would be lower. There's about a 30% difference between those resistor values, not sure if that translates into a 30% reduction in noise.
Even though the 1000x series is discontinued, owners may want to look into this. Plus, the work in this thread is still relevant to the new EDUX1052 models (the hardware mods anyways). I think I'm going to bite the bullet and get an EDUX and see if I can do a full hardware mod. I still have some questions about the three missing components on the front end of the 1052 vs. the 1000x, and how to do the button for the wave generator since the software can't be hacked. Wxqhigh seems to be the only one that has successfully done the 1052A to 1072G. I'll most likely reach out to him, order the scope and parts, and start a new thread. Stay tuned![attachimg=1][attachimg=2][attachimg=3]
-
Hi to everyone
I have also notice the issue that miket6000 has!!!
My osciloscope is a EDUX1002G with the hacked firmware and ID as DSOX1102G, also i have made the ext trigger mod on it!
The Hardware test is passed, but the only strange thing is this "bug" when you select the ext triger!!!!
If anyone has any idea what is the cause of this it will be very helpfull !
Greetings from Greece
Petros
-
1000X crashed..
I have two 1000X EDUX1002A one of them has NAND problem the other works perfectly on FERCSA firmware.
I have already hooked up the serial port and here is the output.
Completed file(s):
-------------------------------------------------------------------------------
[0]: Address=0x80361000 Length=0x1A80C40 Name="" Target=RAM
Loading image 1 failed, trying next one
Loading image 2 from memory at 0xD1E00000
BL_IMAGE_TYPE_UNKNOWN
Loading image 2 failed, trying next one
All images failed
Press r to reset
Can't burn the original or the FERCSA firmware, even tried upload it via dummy modem, but UBoot commands don't respond.
I swapped the U701 serial flash IC from the working BLT board, but that didn't help.
any way to load firmware without LAN?
-
What do you mean by Uboot commands do not respond?
Maybe try a different terminal software. I recall not all of it works, TerraTerm I believe worked and was what people used.
If not that, then what you can try (beside my StupidBear LAN board) is solder a blank U701. The CPU behavior is such that if it can't find the NOR it will go into USB boot mode. You then will need the ST USB Downloader utility and flash the firmware over USB. Try scanning this thread in reverse direction, I recall someone did it some time back, details should be clear. And it has the exact ST utility name, i am not sure i named it correct.
-
I will try to solder a blank U701 and see if the device will boot on usb mode.
Thank you !
-
That is what I am trying to say - you can't measure it and therefore it is unknown if it changed or not.
Recently got the 1102g, and while exploring the menus i found that in utility >options>auxiliary there is an option under Gen Out that allows you to select trigger out on the generator connector. I measured that with the owon, and it's a bit over the 50k rate they specify, at least at the faster timebase settings.
-
Has there been any instability issues with Bud's modded firmware? I want to try it, if anything, just for the serial decodes, but i don't want to risk any instability or damage to my oscilloscope, beyond the risk of a regular firmware upgrade. Also I see the only source for Bud's firmware now is from Mega. Does anyone have the checksum for Bud's firmware? also want to be sure it's not been changed.
I'll try channel 2 and the linear sweep with the external trigger view tonight.
Edit: issue affects both channels. Everything still works fine with the external view off. Below the ramp is triggering off the external probe on the same signal as channel 2. Scope_9 is both channels showing the probe compensation with ext view on.
Scope_10 is the ramp on channel 2
scope_11 is the same ramp but with ext view on.
Is this a common issue with Bud's firmware?
Thank you! :)
-
Having given a try to Bud's firmware and finding it also has the weird bug when ext trigger is on at certain timebases, as seen in the attached screenshot, I wanted to adventure into modding the firmware without a clue of where to start. Anyway, opening some files with hex editors, i found this. So it seems at least bits of this firmware go back to the DSO1000A series, the even older low end scopes(which i found to be a curiosity), as well as some mentions of Symantec time stamping services. This from the INFINI~1.025 executable file. Maybe the Symantec time stuff is what's keeping track of the trial period? I'm mostly interested in just the serial decodes, for some of which i would need the ext trigger channel to be active. So maybe change something about the timing of the trial period would work for that purpose?
If anyone has any ideas/tips on how to move forward, as this is my first time trying to do something like this, they would be very welcome.
Thank you!
-
This is only an issue when External View is enabled. Normal 2-channel working mode is not affected.
I found the older 1M memory version nk.bin.comp file. If you can provide a link to storage I can upload it. But it will be up to you to put it in the firmware update package.
-
This is only an issue when External View is enabled. Normal 2-channel working mode is not affected.
I found the older 1M memory version nk.bin.comp file. If you can provide a link to storage I can upload it. But it will be up to you to put it in the firmware update package.
Hi! Would it be ok for you to upload it to gofile.io or send it to me by email and i can upload it publicly on mega in case anyone else wants to download it? Thank you!
-
Make it simple for me and give me a link or email. File size is 15Mb.
-
Make it simple for me and give me a link or email. File size is 15Mb.
Thank you, I've sent you a message with my email
-
I've tried the new firmware using Bud's provided file, and now the weird wrap-around issue is gone when you use ext trigger. the oscilloscope options still report memMax as an unlocked option, but it's now limited to the standard 1M of the 1102g, and it seems to be working great with any combination of channels/trigger source active. Thank again Bud! :) I'll make the new firmware file available today or tomorrow, still looking for a place to put it
-
Here's the packaged firmware with standard 1M memory and everything else liberated. This file will remain available on gofile as long as it's regularly downloaded https://gofile.io/d/joI7Gr
-
Wow. I've not been back to this forum for a few months and just saw the work that's happened here. I've put my scope aside for a while as I was having trouble soldering the higher speed opamp and was working on another project. Great to hear you've made such great progress on fixing the strange running issue I noticed. I'll get the scope out of the box, fix up channel 2 and try it out ASAP.
Thanks!
-
hello
the link is inactive!!
has anyone else tried this firmware?
-
hello
the link is inactive!!
has anyone else tried this firmware?
i've uploaded it again. It only remains available if it's downloaded a lot, the link will last a few days if not downloaded regularly. here it is! https://gofile.io/d/6aOoHF
-
thank you Anthocyanina!!!!
i have install it, and now the weird issue is gone!!!!!
best regards from Greece
-
Hi!
First of all, thanks for the custom firmware Bud! 70 to 200 MHz is quite a difference :box:
But when I upgraded my scope, the serial decoder licenses (and maybe some others) didn't apply. I already tried to flash both 2 and 1 Mpt version. The training signals are also gone.
By reverting back to the original firmware, the serial licenses returns (the trial periods are active yet).
Is there anything that I should do before flashing the Bud's firmware?
-
Hi!
First of all, thanks for the custom firmware Bud! 70 to 200 MHz is quite a difference :box:
But when I upgraded my scope, the serial decoder licenses (and maybe some others) didn't apply. I already tried to flash both 2 and 1 Mpt version. The training signals are also gone.
By reverting back to the original firmware, the serial licenses returns (the trial periods are active yet).
Is there anything that I should do before flashing the Bud's firmware?
It worked for me without doing anything else, just installing the firmware. The only thing I can think that may be interfering is having the trial period active, and there is also a license "DIS" on your oscilloscope that i don't see in mine and don't know what that stands for. Maybe wait until the trial period is over and try Bud's liberated firmware again? :-//
-
It worked for me without doing anything else, just installing the firmware. The only thing I can think that may be interfering is having the trial period active, and there is also a license "DIS" on your oscilloscope that i don't see in mine and don't know what that stands for. Maybe wait until the trial period is over and try Bud's liberated firmware again? :-//
I guess I'll have to wait nearly a month then. :palm:
Gotta keep my fingers crossed! :P
-
Or you can open it up and hook up a UART adapter to see what is going on during boot.
-
Or you can open it up and hook up a UART adapter to see what is going on during boot.
I will, but first I'll just use the trial version until it expires to see if that's the case, I'm a bit lazy to get an UART adapter and disassemble the scope. ::)
Anyway, I'll post my findings once the trial period ends.
-
i've uploaded it again. It only remains available if it's downloaded a lot, the link will last a few days if not downloaded regularly. here it is! https://gofile.io/d/6aOoHF
Hi Anthocyanina, could you reupload this please? ;D
-
here it is! wish i had somewhere to keep it permanently https://gofile.io/d/K2rj0S
-
The trial period ended on my scope and then I flashed Bud's firmware again. Now it works with everything unlocked! ;D
-
Interesting! Thanks for sharing.
-
Hi Anthocyanina, could you reupload this please? ;D
-
Hi Anthocyanina, could you reupload this please? ;D
here it is!
https://gofile.io/d/osxVl9
-
Sorry if this is in here somewhere, this is a very long thread!
Is the 1200 series hackable? Specifically the DSOX1202G :)
-
Bad news: https://community.element14.com/members-area/personalblogs/b/gough-lui-s-blog/posts/keysight-sbe-follow-up-1-dso-noise-dmm-calibration-post-teardown-more
DSO Hacking?
I think it’s probably no big secret that the Keysight Infiniivision oscilloscopes have long been the subject of various modifications and hacks to improve bandwidth and functionality. While this is definitely against the wishes of the manufacturer, it seems that individuals doing so have met various levels of success at their own risk.
As someone with a lot of scopes to choose from, I thought it would be interesting to see if the hacks documented for the 1000X series could be applied to the “related” EDUX1052G. The first thing to notice is that the new instruments seem to be Linux based, as opposed to the earlier Windows CE-based counterparts, so firmware/software hacks seem out of the question. Hardware hacks, however, still seem to be a possibility.
A quick search online turned up this post which listed the strapping IDs for this family. As an EDUX1052G, this unit would have an ID of 35. From the family, the logical “upgrade” would be to the DSOX202G which would unlock more memory and bandwidth up to 70MHz. A bit more looking around seemed to suggest the following strapping resistor configurations to be likely valid.
Tearing the unit apart again, I did identify the strapping resistors – although the ones on the board appeared to be a tenth the value listed on the posting. This is no issue, as they function as voltage dividers and only the ratio matters. It is just our luck that changing the 5 to a 3 just means swapping the top and bottom resistor of the second digit – which I managed to achieve.
After performing the modification and restarting, it seemed to have the increased bandwidth and memory, but retaining its original ID. However, it wasn’t entirely successful as the channel buttons and knobs for the math and regular channels did not function as expected, calling up other functions instead. Trying the button test feature, pressing all buttons, I was not able to activate those controls after the modification was done. I suspect this means that the front-panel matrix connection must be different between models despite having the same keypad layout, but I didn’t feel it worth the effort to try chasing that down. I suppose if one always uses the oscilloscope via the remote front-panel, that would be acceptable, but I just couldn’t see that happening for me.
In the end, I’d have to recommend that users don’t try this on their EDUX1052G. Not having a properly functioning front-panel interface is very frustrating, but furthermore, the whole procedure is quite involved and risks damaging the unit. The SMD resistors involved are very tiny – losing them or damaging them would make for a very bad day! Furthermore, the small bandwidth increase is very marginal, although the increased memory would be nice. In the end, I reverted the resistor configuration to the original and called it a day. There may have been a way to make it work … but frankly, I couldn’t be bothered to invest any more effort to try and track it down.
-
Hacking into the WinCE shell:
The attached script allows to drop into the WinCE operating system shell. From there you can browse around and explore the application files/data, run external tools from USB to explore the Registry, run DOOM, etc. You can connect a keyboard or mouse to the USB port. This is more of a tool to satisfy your curiosity rather than anything for normal scope use.
This tool is based on an other fellow's work published earlier in this thread. My contribution was to wrap it in a script to make it simple to use.
To try and further explore the scope, I've tried this, but when i connect a mouse or keyboard, they don't work. Do they have to be plugged in at the same time as the usb drive? Thank you!
-
I did not have or use a USB hub, it was likely i unplugged the USB drive after dropping to WinCE Shell and plugged the keyboard or mouse.
-
I did not have or use a USB hub, it was likely i unplugged the USB drive after dropping to WinCE Shell and plugged the keyboard or mouse.
I've tried with two different keyboards, and neither is recognized. not even the lights. Any idea what might be happening? even booting normally and plugging the keyboards does't work
-
What is the "DIS" option on the 1000X and what does it do?
-
Likely the Display show mode, to sit on the shelf in the showroom and loop through different modes to demonstrate the device's capabilities.
-
Thanks
Any idea of how to turn this DEMO mode on?
It seems I can not find anything to this on the Keysight website.
-
It seems the store DEMO mode can be turned on by:
> Options
> Preferences
> Screen Saver
> Store Demo (turn off)
But this works with and without the DIS option turned on.
It seems DIS = distributor option.
But is this really only for the store demo mode?
It seems not.
-
It's been a while, i forget... The distributer license as far as i remember enables a few other options for the duration of evaluation period.
-
Yes, DIS is distributor license, it temporarily enables the features marked with the 'x' in the Pack1 column.
-
What is the "DIS" option on the 1000X and what does it do?
The DIS is a "Distributor" license that usually represents a pack of licenses (dependent on the device model) that are made available by KS salesmen in a temporary form so that he or the customer can try the included options for a certain trial period.
AFAIK there are 3 different DIS licenses which represent packs for different devices (1000X, 2000X, 3000X). Don't know if the DIS includes limited options on a EDU vs non-EDU version.
-
I follow this thread to upgrade my Dsox2011G, Yeah, the PWR option is actived. But what I call PWR option by
pressing analuye key, it seem can not roll down the selection to PSRR, or other. So none of PWR function can be apply.
So I think PWR funtion is not dev. in Dosx1000 series firmwear.
anyone have the same case with it?
Roger.
-
PWR does not work.
-
PWR does not work.
It seem the RFA have many updated on V1.20.
-
here it is! wish i had somewhere to keep it permanently https://gofile.io/d/K2rj0S
Hi Anthocyanina, could you upload the file again please. :D
-
here it is! wish i had somewhere to keep it permanently https://gofile.io/d/K2rj0S
Hi Anthocyanina, could you upload the file again please. :D
https://gofile.io/d/u6Hzkw there you go
-
Hi, I have a dsox1102g, would the patched 1000x firmware work on this model?
-
All beige color 1000X scopes. Not the black 1200X ones, those ones run Linux.
-
here it is! wish i had somewhere to keep it permanently https://gofile.io/d/K2rj0S
Hi Anthocyanina, could you upload the file again please. :D
https://gofile.io/d/u6Hzkw there you go
Hi Anthocyanina,could you please upload the file again :)
-
here it is! wish i had somewhere to keep it permanently https://gofile.io/d/K2rj0S
Hi Anthocyanina, could you upload the file again please. :D
https://gofile.io/d/u6Hzkw there you go
Hi Anthocyanina,could you please upload the file again :)
https://gofile.io/d/Fa4qwt there you go! if anyone can host this for longer, that would be great!
-
here it is! wish i had somewhere to keep it permanently https://gofile.io/d/K2rj0S
Hi Anthocyanina, could you upload the file again please. :D
https://gofile.io/d/u6Hzkw there you go
Hi Anthocyanina,could you please upload the file again :)
https://gofile.io/d/Fa4qwt there you go! if anyone can host this for longer, that would be great!
nice!!
-
Does this work for the DSOX1204g? Is there a chance to get the file again ?
-
It does not work for 1200 series scopes.
-
tnx for the info. To sad the BW upgrade is so expensive .....
-
here it is! wish i had somewhere to keep it permanently https://gofile.io/d/K2rj0S
Hi Anthocyanina, could you upload the file again please. :D
https://gofile.io/d/u6Hzkw there you go
Hi Anthocyanina,could you please upload the file again :)
https://gofile.io/d/Fa4qwt there you go! if anyone can host this for longer, that would be great!
If you could re-upload it, I should be able to move the files onto mega.nz, so that there is no time limit.
Thanks =)
-
Hello,
can you resend the FW again? I want to use it and older links are expired... thanks!!
-
here it is! wish i had somewhere to keep it permanently https://gofile.io/d/K2rj0S
Hi Anthocyanina, could you upload the file again please. :D
https://gofile.io/d/u6Hzkw there you go
Hi Anthocyanina,could you please upload the file again :)
https://gofile.io/d/Fa4qwt there you go! if anyone can host this for longer, that would be great!
If you could re-upload it, I should be able to move the files onto mega.nz, so that there is no time limit.
Thanks =)
Cool, here it is! https://gofile.io/d/cQAIy3
-
Thank you!
Is there any way how to change the scope type in screen "About oscilloscope" from EDU-X 1002A to DSOX 1102G?
-
Thank you very much!
Here is the link: https://mega.nz/file/GkVSVaiY#3PVl1AI0F0FEWE_RMl5mqP7kXpECmojEtstUbp-zX6I (https://mega.nz/file/GkVSVaiY#3PVl1AI0F0FEWE_RMl5mqP7kXpECmojEtstUbp-zX6I)
-
For BUD:
Anthocyanina wrote me you maybe know the possibility how to change / or where is stored/ oscilloscope type. I have EDUX type. I have changed modyfied FW and resistor on the main board and the scope type is still shown like EDUX type. Is possibility to change it to DSO-X type? This is shown in About oscilloscope" screen.
Thanks!
-
I do not know.
-
Hi there,
Today I updated my 1000X with the BUD file. See photo 1
All licenses are active now, but the bandwidth remains 50Mhz.
Am I missing something?
Thanks in advance!
Mathieu
-
Hi there,
Today I updated my 1000X with the BUD file. See photo 1
All licenses are active now, but the bandwidth remains 50Mhz.
Am I missing something?
Thanks in advance!
Mathieu
Hi, you can see it also says BW20, which is the 200MHz option, i believe. have you checked the timebase? with that firmware it should get to 2ns/, which is only available when unlocked to 200MHz if i'm not wrong. I may be remembering wrong, but i think there were some components that needed to be added or removed from the edu version to fully unlock the hardware to 200MHz, but that doesn't change what the software unlock does.
-
This option requires hardware upgrade in the front end channels. Information is in this thread.
-
Ok. I thought that hardware-mod was not necessary anymore.
When I load the Fercsa hack, the bandwidth becomes 70 Mhz!
Timebase = 5ns
-
For 70 MHz, not for 200MHz. The IC used in EDUX front end amplifier is not capable of 200MHz.
-
Hello!
For BW increase o EDU you must change the resistor on main board (original is 01B and you must change by 01C when you want to use id 24 with generator etc). After this action without changed FW the BW will go to 70MHz from 50MHz.
My story with EDUX type:
I have tried the upgrade, but before this I was having few days active trial licences because I made some work with SPI bus and I needed to analyze it.
In the first time I have changed the resistor on the board. Unit went from 50MHz to 70MHz, activate generator and more memory. See the attached photo.
After change FW (Bud1M 1000x series v. 1.2) uploaded by Anthocyanina, the BW went to 200MHz, but only few options were active, BUT serial decoding, sample rate etc. were deactivated! I have tried to change FW back to original and bus decoding was again activated (trial). I wanted to clear it. It was possible by changing year in clock one year back and switch off/on the unit. Then were only options by HW modify active (no bus decoding etc).
Now I have applied Bud1M 1000x series v. 1.2 again. After done, all options are now activated (incl. bus decoding, sample rate, BW 200MHz...).
So when you have trial licences active, on the first time you must clear them or some interaction with hacked FW will stand!
-
There is no wave generator on 1002A, the board is not populated with generator parts, you have to solder the parts.
-
Is this the resistor 'mod' I have to do on my EDUX1002A?
Add 15K on the left and add 10ohm on the right?
-
To TK:
You wrote: "The information you see in the screen is not changed, but the scope will boot into the mode set by the resistors. You will see features that are only enabled on the DSOX, even when the information says EDUX...
The HW mod is required as the EDUX comes limited to 50MHz and no ext digital input on the additional BNC. By adding the missing components and changing those that are different, you are enabling the HW to be ready to the soft configuration that is liberated by the FERCSA Hack."
Can you confirm that the correct resistors(mod) for my EDUX1002 are mentioned in the picture I uploaded?
Thanks!
-
To BUD.
Pse can you answer my question? See picture above.
Thanks!
Mathieu
-
Mathieu:
https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg3217012/#msg3217012 (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg3217012/#msg3217012)
https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1059298;image (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/?action=dlattach;attach=1059298;image)
-
Thanks JDubU!
Unfortunately, the values of the 4 resistors are not easy to read.
If the picture I posted above is correct, I know which 2 resistors I need to solder in parallel on my EDUX1002A.
-
Your picture above is not correct.
For DSOX1102A (no wavegen):
10K (01C) 12.1K (09C)
6.49k (79B) 4.64k (65B)
If you prefer to use parallel resistors, you can use this calculator:
https://www.omnicalculator.com/physics/parallel-resistor (https://www.omnicalculator.com/physics/parallel-resistor)
Here is a calculator for the (EIA-96) resistor codes:
https://www.digikey.com/en/resources/conversion-calculators/conversion-calculator-smd-resistor-code (https://www.digikey.com/en/resources/conversion-calculators/conversion-calculator-smd-resistor-code)
-
Thanks!
SMD 79b and 65B cannot be found on the internet. Even Aliexpress is sold out...
So parallel mounting seems to be the only option.
-
Interesting... They are readily available in the US from both Mouser and Digikey:
https://www.mouser.com/c/passive-components/resistors/film-resistors/thick-film-resistors-smd/?q=0603%20resistor&resistance=4.64%20kOhms%7C~6.49%20kOhms&tolerance=1%20%25&instock=y (https://www.mouser.com/c/passive-components/resistors/film-resistors/thick-film-resistors-smd/?q=0603%20resistor&resistance=4.64%20kOhms%7C~6.49%20kOhms&tolerance=1%20%25&instock=y)
https://www.digikey.com/en/products/filter/chip-resistor-surface-mount/52?s=N4IgjCBcoMxaBjKAzAhgGwM4FMA0IB7KAbXDBggF18AHAFyhAGU6AnASwDsBzEAX3wAmAAwAOAKzwQSSGix5CJEABYAdADZlAAgDWAeQAWAW0wh861coCcuwyZDUQ9RgFVO7OnuQBZbKkwArqzY-PgAtIJSMmwBCkSQpJKUfAIgkQkgwurCMFrBmOyYdASsDnxAA (https://www.digikey.com/en/products/filter/chip-resistor-surface-mount/52?s=N4IgjCBcoMxaBjKAzAhgGwM4FMA0IB7KAbXDBggF18AHAFyhAGU6AnASwDsBzEAX3wAmAAwAOAKzwQSSGix5CJEABYAdADZlAAgDWAeQAWAW0wh861coCcuwyZDUQ9RgFVO7OnuQBZbKkwArqzY-PgAtIJSMmwBCkSQpJKUfAIgkQkgwurCMFrBmOyYdASsDnxAA)
-
For DSOX1102A (no wavegen):
10K (01C) 12.1K (09C)
6.49k (79B) 4.64k (65B)
On my EDUX1002A 3 resistors are the same. I only have to solder the 79B.
I ordered at Mouser.nl
Many thanks!
-
I made a switch to enable EDUX or DSOX mode.
When I want to do a user calibrate, the scope can do that in EDUX mode.
-
I still love the "bad apple" :-DD :phew:
-
Does anyone know, if the BW can be software updated on a DSOX1202A ?
-
Hello everyone .I have got a DSOX1102G and installed the "Hacked" firmware,now I have got a full bandwith DSOX1102G with all function enabled,but I loss my model and SN. In "About This Scope" Page,It show Model:Unset,Serial Number : UnSet ,Bandwidth :200M。What is wrong? How can I get my Model and SN back? :scared:
-
Like This (https://tscarletcloud.oss-cn-beijing.aliyuncs.com/img001?Expires=1686818997&OSSAccessKeyId=TMP.3KiohVAUUS6dHMryb1VQtok3eCjVAKVHHFEMB6jZZmd8T1tUKweWXKBkaQHE3Lcp191p6K3cvuNXWT5Tk7huBa2vob5qFE&Signature=9QP%2BvafyTaQiSLDZrJ6Llse2ir4%3D)
-
(http://tscarletcloud.oss-cn-beijing.aliyuncs.com/img001)
-
Hello everyone .I have got a DSOX1102G and installed the "Hacked" firmware,now I have got a full bandwith DSOX1102G with all function enabled,but I loss my model and SN. In "About This Scope" Page,It show Model:Unset,Serial Number : UnSet ,Bandwidth :200M。What is wrong? How can I get my Model and SN back? :scared:
that's a weird one, try installing the official firmware and see if that restores the serial number?
-
Thx,I have tried,but still get UnSet Model and UnSet SN |O
-
Thx,I have tried,but still get UnSet Model and UnSet SN |O
hmm! no idea then, i would say contact keysight about it, but they will completely ignore you if you're not a business. As long as that isn't affecting functionality, i would just ignore that.
-
Please, upload latest hack firmware for 1102g?
-
This is a few pages back, the latest I am aware of. https://mega.nz/file/GkVSVaiY#3PVl1AI0F0FEWE_RMl5mqP7kXpECmojEtstUbp-zX6I
-
My DSOX1102A seems to have a flash corruption issue. As far as I understand this is a common issue with these scopes, which is theoretically fixable if you can actually access and write to the corrupted memory.
At first I tried looking into the U701 chip because this thread suggested that it might be possible to access the rest of the flash through doing something to that chip: https://www.eevblog.com/forum/repair/keysight-1000x-(edux1002a)-fails-to-boot-uart-logged-at-boot/. (https://www.eevblog.com/forum/repair/keysight-1000x-(edux1002a)-fails-to-boot-uart-logged-at-boot/.) But there doesn't seem to be any information on how to actually pull that off, and I got no responses to me asking there.
I am currently trying to connect to the J-LINK interface with my j-link edu mini, because to me, that seemed like the most obvious way to actually get access to the flash of the scope. But I am running into an: "Error: CPU-TAP not found in JTAG chain" when trying to connect to it. The SPEAR600 cpu in the scope seems to be supported by my j-link, and I double checked all of the wiring. Also, I tried connecting to it after pulling off U701, in an attempt to get the CPU into a state where it might be more likely to accept me trying to access its J-link interface.
Also, someone seems to have already had some success in connecting to the CPU through the J-Link interface: https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg2019472/#msg2019472 (https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg2019472/#msg2019472) so I am not sure why it isn't working for me. At this point I am kinda stuck on this one and not sure how I would continue troubleshooting this particular method.
There was also the suggestion in the afformentioned thread that building that stupidbear LAN card, and using that to write to flash. I am open to going that route, but before spending all that extra time, money, and effort, I would like to know how big a chance there is of that actually leading to success. And if there is any documentation on how to actually do it, so far I have seen a bunch of suggestions on how to go about repairing scopes with this issue, but nothing in terms of recorded cases of successful fixes.
-
To enable JTAG you have to pull high a couple lines as shown in a picture in Reply #530. You can also check with Spear600 manual how to enable JTAG. I've done that and it worked, though i did not use it to upload the firmware.
-
To use the StupidBear LAN board for firmware upload purpose you need to first update the U701. But updating U701 will give you access to Ymodem and uploading via the serial port, so LAN access becomes a moot point, why bother.
To update U701 you have to change bootdelay (or uboot_delay, or boot_delay, cant remember the exact name) variable in Uboot section from 0 to 1...3 seconds. This will allow to interrupt boot process by pressing spacebar and access firmware uploading options. But you also MUST recalculate and update the checksums in the Uboot header and entire Uboot block after changing the delay. Unless you already know where to find the checksum bytes you have to study Uboot structure. Failure to update the checksums will brick your scope so this is a vital thing to do. Do not modify U701 if you do not understand what you are doing.
-
The safiest and easy option would be to replace U701 with a new blank chip from Digikey and use STM Flash Utility to upload the firmware via USB. What happens is when you turn on the scope it will try use Uboot in NOR U701 and if it can't find it (which will be the case if U701 is empty), the scope will switch to boot from USB (the USB connector at the back). This is where STM Flash utility comes into play. You run the utility and it gives you access to the address space. You then configure it to upload the firmware as either in chunks (say only U701 part) or as a single block for everything.
This method was described either in this thread or in 2000/3000 thread, i cant remember where- you will have to comb the threads to search for it either page by page or using kewords like STM Flash (or flashing) utility within those threads. The utility itself used to be available from STM web site, not sure if it still is.
-
Any one found a hack for the DSOX1202 ?
-
The safiest and easy option would be to replace U701 with a new blank chip from Digikey and use STM Flash Utility to upload the firmware via USB. What happens is when you turn on the scope it will try use Uboot in NOR U701 and if it can't find it (which will be the case if U701 is empty), the scope will switch to boot from USB (the USB connector at the back). This is where STM Flash utility comes into play. You run the utility and it gives you access to the address space. You then configure it to upload the firmware as either in chunks (say only U701 part) or as a single block for everything.
This method was described either in this thread or in 2000/3000 thread, i cant remember where- you will have to comb the threads to search for it either page by page or using kewords like STM Flash (or flashing) utility within those threads. The utility itself used to be available from STM web site, not sure if it still is.
So I did this, and managed to use the STM flash utility to flash uboot, pboot, and xloader. These work, and I am able to get into the p500 commandline. I then, as a first experiment, tried if I could load something to the FPGA using the method described here: https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg3802571/#msg3802571. (https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg3802571/#msg3802571.) The commandline seemed to accept this just fine, so I am assuming this worked. I then proceeded to try and copy that data, from ram, to the right place in nand (0xd0060000) using the "cp" command, but that command just hang forever, so I had to restart the device. I then tried uploading everything to the right addresses in NAND using that STM flash utility:
(http://tt-392.space/st.jpg)
I set up the partitions like this, and then I uploaded the files, and rebooted the scope, and I got something like this:
System ready!
Preparing for download...
RTC: 2024-23-11 3:100:32.29 UTC
Loading image 1 from memory at 0xD0600000
Incorrect Data 0 EccResult: 3303c3 EccError: ccfc3c EccRead: ffffff
IsCompressed: ReadFlash failed
Incorrect Data 0 EccResult: 3303c3 EccError: ccfc3c EccRead: ffffff
EBOOT_ReadFlash failed
ERROR: Unable to read image signature.
BL_IMAGE_TYPE_UNKNOWN
Loading image 1 failed, trying next one
Loading image 2 from memory at 0xD1E00000
Incorrect Data 0 EccResult: 3303c3 EccError: ccfc3c EccRead: ffffff
IsCompressed: ReadFlash failed
Incorrect Data 0 EccResult: 3303c3 EccError: ccfc3c EccRead: ffffff
EBOOT_ReadFlash failed
ERROR: Unable to read image signature.
BL_IMAGE_TYPE_UNKNOWN
Loading image 2 failed, trying next one
All images failed
Press r to reset
So clearly not everything is nicely in place to boot from yet, So to check if it I tried loading the FPGA image from the NAND flash:
p500> fpga 0xd0060000 45480
failed: 979 731
Could not copy from NAND offset 0x60000. Error -74 With ECC
failed: 1225 979
Could not copy from NAND offset 0x60000. Error -74 NO ECC
FPGA programming FAILED!
That seemed kinda odd to me, so I checked the memory using the "md" (memory display) command in <p500>, and I got a bunch of 0's and a few bytes of data that didn't look like the start of the FPGA file when I run it through xxd on my PC. (I don't think I kept a log of me printing this data).
Later, because like I mentioned at the start, copying data to NAND from <p500> seemed to hang, and the data I was reading from NAND didn't make sense, I figured that writing to NAND just wasn't working, and while troubleshooting this, I happened to try to read a block of data from the start of the NAND memory twice:
p500> md 0xd0000000
d0000000: 00000036 00000000 00000000 00000000 6...............
d0000010: 00000000 00000000 0000013f 00000000 ........?.......
d0000020: 00000000 0000001a 00000003 00000070 ............p...
d0000030: 00000301 00000012 00000000 00000000 ................
d0000040: 00000000 00000000 00000000 00000000 ................
d0000050: 00000000 00000000 00000000 00000000 ................
d0000060: 00000000 00000000 00000000 00000000 ................
d0000070: 00000000 00000000 00000000 00000000 ................
d0000080: 00000000 00000001 00000000 00000000 ................
d0000090: 00000000 00000000 00000000 00000000 ................
d00000a0: 00000000 00000000 00000000 00000000 ................
d00000b0: 00000000 00000000 00000000 00000000 ................
d00000c0: 00000000 00000000 00000000 00000000 ................
d00000d0: 00000000 00000000 00000000 00000000 ................
d00000e0: 00000000 00000000 00000000 00000000 ................
d00000f0: 00000000 00000000 00000000 00000000 ................
p500> md 0xd0000000
d0000000: 0000007f 00000000 00000000 00000000 ................
d0000010: 00000000 00000000 0000013f 00000000 ........?.......
d0000020: 00000000 0000001a 00000003 00000070 ............p...
d0000030: 00000301 00000012 00000000 00000000 ................
d0000040: 00000000 00000000 00000000 00000000 ................
d0000050: 00000000 00000000 00000000 00000000 ................
d0000060: 00000000 00000000 00000000 00000000 ................
d0000070: 00000000 00000000 00000000 00000000 ................
d0000080: 00000000 00000001 00000000 00000000 ................
d0000090: 00000000 00000000 00000000 00000000 ................
d00000a0: 00000000 00000000 00000000 00000000 ................
d00000b0: 00000000 00000000 00000000 00000000 ................
d00000c0: 00000000 00000000 00000000 00000000 ................
d00000d0: 00000000 00000000 00000000 00000000 ................
d00000e0: 00000000 00000000 00000000 00000000 ................
d00000f0: 00000000 00000000 00000000 00000000 ................
The thing that worries me is that the data isn't identical between two reads, suggesting that something is wrong with either the NAND chip / connection, or I guess something in the memory setup?
(I also tried uploading the boot image through ymodem to ram (after loading the fpga image using the same method), but that took 45 minutes, and it didn't boot. I guess I might have done something wrong in preparing the image or something. I didn't keep a log, and I haven't had time yet to try that again)
-
I could load something to the FPGA using the method described here: https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg3802571/#msg3802571. (https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg3802571/#msg3802571.) The commandline seemed to accept this just fine, so I am assuming this worked. I then proceeded to try and copy that data, from ram, to the right place in nand (0xd0060000) using the "cp" command, but that command just hang forever, so I had to restart the device.
I think you used wrong address, should have used 0x60000. When use NAND command to read/write, use physical addresses.
Also you may need to Erase the NAND address block first, before writing to it. I am unsure if NAND write does it for you.
I then tried uploading everything to the right addresses in NAND using that STM flash utility:
(http://tt-392.space/st.jpg)
I set up the partitions like this, and then I uploaded the files, and rebooted the scope, and I got something like this:
Are you sure the NAND block size is 0x10000? You should be able to check it from p500 prompt using one of NAND commands- type "NAND help" to see list of commands. I can't remember which one. You have to use that block size then in the Flasher utility in NAND section, and when manipulating NAND from p500 prompt.
Edit: Just noticed you used cp command to write to NAND, i think you cant do that, you have to use NAND commands to work with NAND. Type nand help from p500 to see list of commands for nand. The cp command is for RAM.
-
Are you sure the NAND block size is 0x10000? You should be able to check it from p500 prompt using one of NAND commands- type "NAND help" to see list of commands. I can't remember which one. You have to use that block size then in the Flasher utility in NAND section, and when manipulating NAND from p500 prompt.
Edit: Just noticed you used cp command to write to NAND, i think you cant do that, you have to use NAND commands to work with NAND. Type nand help from p500 to see list of commands for nand. The cp command is for RAM.
Alright, I have been tinkering for a bit longer now. The nand block size was indeed off, and I was able to upload stuff to the nand flash using the tool from ST, and confirm the data was there using the: "nand dump" command. I tried using this to flash both the kernel, and the fpga image. But trying to load them, into for example the FPGA, or to read from nand (using the "nand read "command) in general gave me errors, often with error code "-71" my suspicion is that something goes wrong with the oob bytes (which I am interpreting as parity data?) when flashing with that ST tool.
What I tried next was using loady to load the fpga image over uart, and then using the "nand write" command to copy that data to nand (offset 0x60000). This indeed worked, the "fpga" command doesn't complain anymore, and I can actually use the "nand read" command on the data now.
I then used the same method to load nk.bin.comp (which I interpreted as the compressed OS image), into nand offset 0x600000. This went well, and I was able to, after restarting the scope to clear the RAM, write the data from NAND, back into RAM to check the checksum which matched the one I got out of the file on my pc. I then proceeded to solder the original NOR flash onto my scope, and attempted a boot. I got the following result:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Flash: 512 KiB
NAND: internal ecc 128 MiB
Debug serial initialized ........OK
RTC: 2024-23-11 7:99:35.56 UTC
Microsoft Windows CE Bootloader Common Library Version 1.4 Built May 7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008
PHY not found.
System ready!
Preparing for download...
RTC: 2024-23-11 7:99:35.56 UTC
Loading image 1 from memory at 0xD0600000
O
BL_IMAGE_TYPE_BIN
X
XXXXOOOOXXIncorrect Data 2 EccResult: cf330 EccError: 3cfcc3 EccRead: 300ff3
EBOOT_ReadFlash failed offset 62d7ce
EBOOT_ReadFlash failed location d0632000
ODeCompressFlash: CeCompressDecode() failed
CeDecompressFlashBlock failed
****** Data record 7 corrupted, ABORT!!! ******
Completed file(s):
-------------------------------------------------------------------------------
[0]: Address=0x80361000 Length=0x1A857C0 Name="" Target=RAM
Loading image 1 failed, trying next one
Loading image 2 from memory at 0xD1E00000
BL_IMAGE_TYPE_UNKNOWN
Loading image 2 failed, trying next one
All images failed
Press r to reset
It seems to try something with the data at 0xD0600000, but gives up quite quickly.
My guess is that I am either using the wrong file (though I'd have no idea what other file inside of infiniiVisionSetup.cab could be it), or that it might need some preprocessing to decompress it beforehand, but as far as I understand, the boot process does expect a compressed file. I did try decompressing it a while ago. Back then, I think I used the instructions from https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg2136181/#msg2136181 (https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg2136181/#msg2136181) back then. But the resulting file was too big to even fit in the region of flash in which it is supposed to go, so I am guessing that isn't it.
-
Try without writing nk.bin.comp into NAND. Just prepair nk.nb0 file as desribed in titiris's post you referenced and use the output from viewbin.exe, the color coded offsets in that post. Load that nk.nb0 using ymodem into RAM to the proper offset and execute the image from RAM using go <your start address> command (do not reboot) If the scope starts, immediately run firmware upgrade and let the scope worry about writing firmware to NAND.
But to do this you again need access to Uboot.
-
By the way, what NOR image did you flash into U701 using ST flasher? Did you use the original image with bootdelay changed and checksums updated or was it any other image, which may be dangerous? I say only use the changed one from your scope because it initializes cruicial environment variables.
-
Try without writing nk.bin.comp into NAND. Just prepair nk.nb0 file as desribed in titiris's post you referenced and use the output from viewbin.exe, the color coded offsets in that post. Load that nk.nb0 using ymodem into RAM to the proper offset and execute the image from RAM using go <your start address> command (do not reboot) If the scope starts, immediately run firmware upgrade and let the scope worry about writing firmware to NAND.
But to do this you again need access to Uboot.
I tried this back when I tried following the instructions from that post, however, when I ran: "go 0x00362000", it just hang, and did nothing. I might have messed something up back then though, I also didn't have the FPGA image flashed to NAND yet (I did load it from ram). I am open to trying again, but have been a bit hesitant so far because it takes like 45 minutes to upload that uncompressed image through UART.
By the way, what NOR image did you flash into U701 using ST flasher? Did you use the original image with bootdelay changed and checksums updated or was it any other image, which may be dangerous? I say only use the changed one from your scope because it initializes cruicial environment variables.
The image I flashed was one I extracted from the firmware upgrade package from keysights website. I didn't change anything about it, but when I boot with that image flashed, it does give me 3 seconds to press space and then goes into the <p500> shell. For the last boot test I described in my previous post, I used the original NOR chip, which I left unchanged as a backup.
-
Or are you suggesting I extract the data from the original NOR flash, and modify those?
-
Just did that, am in the <p500> console with a practically identical image to the original NOR chip now. Guess the next step is loading that decompressed OS image in ram.
-
Did what? Updated the original NOR? Make sure you updated UBoot checksums as well, otherwise Uboot will assume its data is corrupted and will not load the environment variables and that will cause further NAND corruption.
From UBoot prompt type printenv and post the output here. Let us review it before you attempt to boot an image.
-
Did what? Updated the original NOR?
Uh, ye, the ROM thing, I forgot to quote myself in that post.
Make sure you updated UBoot checksums as well, otherwise Uboot will assume its data is corrupted and will not load the environment variables and that will cause further NAND corruption.
From UBoot prompt type printenv and post the output here. Let us review it before you attempt to boot an image.
I am not entirely sure what checksums you are talking about, there is this thing: https://reverseengineering.stackexchange.com/questions/26108/how-do-i-calculate-crc32-of-a-u-boot-header-in-a-modified-firmware-image (https://reverseengineering.stackexchange.com/questions/26108/how-do-i-calculate-crc32-of-a-u-boot-header-in-a-modified-firmware-image). But that is just a checksum of the first 64 bytes, which I haven't changed, so I don't see why the checksum would need updating?
Also, as far as I can tell, the environment variables are there:
p500> printenv
bootcmd=tftp 0x4000000 nk.bin;bootm 0xf8050000
ramboot=dhcp 0x4000000 nk.bin;bootm 0xf8050000
bootdelay=3
baudrate=115200
serverip=192.168.1.10
preboot=splash load;fpga;expi
gatewayip=192.168.1.10
netmask=255.255.255.0
usbtty=cdc_acm
fpgadata=0xd0060000
fpgasize=0x75394
splashdata=0xd0000000
dispParm1=0x300 0x400 0x2625A00 0x1 0x3
dispParm2=0x20 0x4c 0x1 0x2 0x3
boardversion=4
ps=0
rtc=0
erase_env=protect off 1:4;erase 1:4
store_uboot=protect off 1:1-3;erase 1:1-3;cp.b 0x800000 0xF8010000 ${filesize};protect on 1:1-3;imi 0xF8010000
get_uboot_eth=dhcp 0x800000 u-boot_image.bin;run store_uboot
get_uboot_uart=loadb 0x800000 115200;run store_uboot
verify=n
ethaddr=00:03:d3:04:10:00
ipaddr=192.168.1.100
serialnum=serial number not programmed
chipversion=BD
ethact=unknown
Environment size: 777/16380 bytes
I am just missing a serial number, but I am just going by that not being needed to get a boot.
Also.... I don't think there is much more NAND to be corrupted.... I accidentally did a full NAND erase at some point.
I am planning to retry the method described in: https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg2136181/#msg2136181 (https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg2136181/#msg2136181) today. I have already seen some steps I missed last time.
-
Oh, that is unfortunate....Your device calibration is gone then and Infiniivision application is gone. Downloading nk.bin will only restore WinCE image but I think boot process will fail when it comes to starting the scope application. So you won't be able to run firmware upgrade from the scope menu.
-
Oh, that is unfortunate....Your device calibration is gone then and Infiniivision application is gone. Downloading nk.bin will only restore WinCE image but I think boot process will fail when it comes to starting the scope application. So you won't be able to run firmware upgrade from the scope menu.
Well... calibration data is unfortunate, but I just followed the instructions from that other post, for creating the USB with stuff the scope needs to boot, and loaded the nk.nb0 file to ram, and it actually booted.... (though with a message on the display saying: "OS version incorrect, please reload system firmware"). So I don't think I am going to give up just yet.
I was also able to start the firmware upgrade. Though it was complaining about environment data during the upgrade, and it did fail to boot afterwards.
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Unknown id: 0x13409d. Using ST_M23P40
Flash: 64 KiB
NAND: fsmc-ecc1 128 MiB
*** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
SerNum:serial number not programmed
Chip: BD Board Rev: 4
Error: start address not on sector boundary
Net: unknown
BMP data is not valid. Use splash bmp
Press space to stop autoboot: 2
p500> loady 0x0361000 115200
## Ready for binary (ymodem) download to 0x00361000 at 115200 bps...
CSending: nk.nb0
Ymodem sectors/kbytes sent: 0/ 0kRetry 0: NAK on sector
Retry 0: NAK on sector
Retry 0: NAK on sector
Retry 0: NAK on sector
Retry 0: NAK on sector
Retry 0: NAK on sector
Retry 0: NAK on sector
Bytes Sent:27809792 BPS:7995
Sending:
Ymodem sectors/kbytes sent: 0/ 0k
Transfer complete
) packets, 10 retries
## Total Size = 0x01a857c0 = 27809728 Bytes
p500> crc 0x0361000 0x01a857c0
CRC32 for 00361000 ... 01de67bf ==> f3fb57d9
p500> go 0x00362000
## Starting application at 0x00362000 ...
Windows CE Kernel for ARM (Thumb Enabled) Built on Mar 8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Jun 10 2019)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000 size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
UBOO: CRC does not match for primary a431ee82 7f16dd10
ERROR: c:\WINCE600\3RDPARTY\Agilent\HPP\P500\Drivers\p500_uboo\.\p500_uboo_hw.cpp line 143: UBOO: CRC does not match for backupffffffff a05a35aa
ERROR: c:\WINCE600\3RDPARTY\Agilent\HPP\P500\Drivers\p500_uboo\.\p500_uboo_drv.cpp line 116: UBOO_Init - Failed to initialize UBOO Controller
++SER_Init: context Drivers\Active\14
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200 (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
FMD: Start of the FileSystem not set, reverting to default values
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
LAN PHY NOT detected.
DeleteP500EnetRegistry:
\Comm\GMAC 0x0
\Comm\GMAC1 0x0
\Comm\Tcpip\Linkage 0x0
\Drivers\Virtual 0x0
\Drivers\BuiltIn\LIN 0x5
FMD: Start of the FileSystem not set, reverting to default values
LIN: Data Valid
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
Device load time:
NANDFLASH: 380 ms
USB Hard Disk Drive: 380 ms
ERROR: OALIoCtlHalGetDeviceInfo: Device doesn't support IOCTL_HAL_GET_DEVICE_INFO::SPI_GETBOOTMENAME
SHIM DLL, LoadRealDll [PalIO.dll] for [AgilentPalIO.dll]
SHIM [AgilentPalIO.dll] Get Process Addresses
LaunchInfiniiVision:
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll]
SHIM [AgilentPalSStorage.dll] Get Process Addresses
SHIM DLL, LoadRealDll [PalWin32.dll] for [AgilentPalWin32.dll]
SHIM [AgilentPalWin32.dll] Get Process Addresses
FWUpdate: Bad news, can't get environment data
Create: \Agilent Flash\selftest\
Create: \Secure\cal\
Create: \Secure\help\
Create: \Secure\bin\
Create: \Agilent Flash\wfmMem\
Create: \Agilent Flash\LxiMdns\
Released build, Jun 10 2019, 21:13:39
Initializing FPGA...
************************************
Ver: 1.067 Released
************************************
Calibration mode User
Serial Number file isn't loaded, defaulting to 0
open FAILED
open FAILED
open FAILED
Cal Date Thu Jan 01 00:00:00 1970
Could not load valid cal factors
Startup sequence is complete.
Saved configuration invalid
FWUpdate: Bad news, can't get environment data
System has been running 134.088058 seconds
Start Up Sequence 5.067179
Memory Load 47%
System Physical Memory 33.957 / 73.465 MB
Process Virtual Memory 42.375 / 1024.000 MB
-----> InfiniiVision is running <-----
failed open \Secure\InfiniiVision\LudicrousSpeed.usb
no workaround for USB phy
** BEGIN ** ExtractFileFromCabFile: INSTALL.XML
** END ** ExtractFileFromCabFile: INSTALL.XML: 140 ms
** BEGIN ** ExtractFileFromCabFile: infiniiVisionSetup.cab
** END ** ExtractFileFromCabFile: infiniiVisionSetup.cab: 13425 ms
** BEGIN ** ExtractFileFromCabFile: _setup.xml
** END ** ExtractFileFromCabFile: _setup.xml: 14 ms
** BEGIN ** ExtractFileFromCabFile: INFINI~1.025
** END ** ExtractFileFromCabFile: INFINI~1.025: 15 ms
** BEGIN ** ExtractFileFromCabFile: INSTALL.XML
** END ** ExtractFileFromCabFile: INSTALL.XML: 24 ms
** BEGIN ** ExtractFileFromCabFile: INSTALL.XML
** END ** ExtractFileFromCabFile: INSTALL.XML: 16 ms
** BEGIN ** ExtractFileFromCabFile: updateSplashImage.wvga.bin
** END ** ExtractFileFromCabFile: updateSplashImage.wvga.bin: 8 ms
GetNextUsbEvent, bOpenContextClosing
EventThread, ERROR ABORTED or INVALID HANDLE, exiting
GetSetupPacket, tmcDriverClosing 2
** BEGIN ** ExtractFileFromCabFile: nk.bin.comp
** END ** ExtractFileFromCabFile: nk.bin.comp: 6893 ms
** BEGIN ** ProcessRecipeStep: \windows\loadP500Flash -u ceImage2 \TEMP\{FB49C34B-AF8F-785E-20BD-0D9FCFF926FB}\nk.bin.comp
SHIM DLL, LoadRealDll [PalSysManagement.dll] for [AgilentPalSysManagement.dll]
SHIM [AgilentPalSysManagement.dll] Get Process Addresses
FWUpdate: Bad news, can't get environment data
FWUpdate: Bad news, can't get environment data
fwUpdateOffset error: Too Big Error
** END ** ProcessRecipeStep: \windows\loadP500Flash -u ceImage2 \TEMP\{FB49C34B-AF8F-785E-20BD-0D9FCFF926FB}\nk.bin.comp: 432 ms
** BEGIN ** ExtractFileFromCabFile: updateBootLoaders2.exe
** END ** ExtractFileFromCabFile: updateBootLoaders2.exe: 184 ms
** BEGIN ** ExtractFileFromCabFile: pboot_rel.bin
** END ** ExtractFileFromCabFile: pboot_rel.bin: 244 ms
** BEGIN ** ProcessRecipeStep: \TEMP\{FB49C34B-AF8F-785E-20BD-0D9FCFF926FB}\updatebootloaders2.exe
Update XLOADER at address f8000000.
XLOADER is up to date. Skipping
Update UBOOT at address f8010000.
UBOOT is up to date. Skipping
Update PBOOT at address f8050000.
PBOOT is up to date. Skipping
** END ** ProcessRecipeStep: \TEMP\{FB49C34B-AF8F-785E-20BD-0D9FCFF926FB}\updatebootloaders2.exe: 95 ms
** BEGIN ** ExtractFileFromCabFile: nk.bin.comp
** END ** ExtractFileFromCabFile: nk.bin.comp: 6873 ms
** BEGIN ** ProcessRecipeStep: \windows\loadP500Flash -u ceImage1 \TEMP\{FB49C34B-AF8F-785E-20BD-0D9FCFF926FB}\nk.bin.comp
SHIM DLL, LoadRealDll [PalSysManagement.dll] for [AgilentPalSysManagement.dll]
SHIM [AgilentPalSysManagement.dll] Get Process Addresses
FWUpdate: Bad news, can't get environment data
FWUpdate: Bad news, can't get environment data
fwUpdateOffset error: Too Big Error
** END ** ProcessRecipeStep: \windows\loadP500Flash -u ceImage1 \TEMP\{FB49C34B-AF8F-785E-20BD-0D9FCFF926FB}\nk.bin.comp: 433 ms
** BEGIN ** ExtractFileFromCabFile: fpga1000a.bin
** END ** ExtractFileFromCabFile: fpga1000a.bin: 102 ms
** BEGIN ** ProcessRecipeStep: \windows\loadP500Flash -u fpga --target marsupial \TEMP\{FB49C34B-AF8F-785E-20BD-0D9FCFF926FB}\fpga1000a.bin
SHIM DLL, LoadRealDll [PalSysManagement.dll] for [AgilentPalSysManagement.dll]
SHIM [AgilentPalSysManagement.dll] Get Process Addresses
** END ** ProcessRecipeStep: \windows\loadP500Flash -u fpga --target marsupial \TEMP\{FB49C34B-AF8F-785E-20BD-0D9FCFF926FB}\fpga1000a.bin: 615 ms
** BEGIN ** ExtractFileFromCabFile: cleanupFileSystem.exe
** END ** ExtractFileFromCabFile: cleanupFileSystem.exe: 164 ms
** BEGIN ** ProcessRecipeStep: \TEMP\{FB49C34B-AF8F-785E-20BD-0D9FCFF926FB}\cleanupFileSystem.exe
** END ** ProcessRecipeStep: \TEMP\{FB49C34B-AF8F-785E-20BD-0D9FCFF926FB}\cleanupFileSystem.exe: 15 ms
** BEGIN ** ExtractFileFromCabFile: infiniivisionSetup.cab
** END ** ExtractFileFromCabFile: infiniivisionSetup.cab: 8084 ms
** BEGIN ** ProcessRecipeStep: \windows\wceldcmd.exe /delete 0 \TEMP\{FB49C34B-AF8F-785E-20BD-0D9FCFF926FB}\infiniivisionSetup.cab
** END ** ProcessRecipeStep: \windows\wceldcmd.exe /delete 0 \TEMP\{FB49C34B-AF8F-785E-20BD-0D9FCFF926FB}\infiniivisionSetup.cab: 833 ms
** BEGIN ** ExtractFileFromCabFile: splashImage.png
** END ** ExtractFileFromCabFile: splashImage.png: 285 ms
** BEGIN ** ProcessRecipeStep: \windows\compileImageForSplashScreen.exe \TEMP\{FB49C34B-AF8F-785E-20BD-0D9FCFF926FB}\SplashImage.png \Secure\InfiniiVision\splashImage.bin
** END ** ProcessRecipeStep: \windows\compileImageForSplashScreen.exe \TEMP\{FB49C34B-AF8F-785E-20BD-0D9FCFF926FB}\SplashImage.png \Secure\InfiniiVision\splashImage.bin: 2438 ms
** BEGIN ** ProcessRecipeStep: \windows\rebootInfiniivision.exe
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Unknown id: 0x13409d. Using ST_M23P40
Flash: 64 KiB
NAND: fsmc-ecc1 128 MiB
*** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
SerNum:serial number not programmed
Chip: BD Board Rev: 4
Error: start address not on sector boundary
Net: unknown
BMP data is not valid. Use splash bmp
Press space to stop autoboot: 0
no link
Using unknown device
TFTP from server 192.168.1.10; our IP address is 192.168.1.100
Filename 'nk.bin'.
Load address: 0x4000000
I am currently uploading again for another attempt. Though not sure what I am going to try differently this time.
-
*** Warning - bad CRC, using default environment
That is exactly what I told you about updating Uboot CRC in NOR. Uboot found incorrect CRC and did not load the environment variables and that has caused bunch of errors. You have to properly update the CRC in your modified NOR. I do not think you can use the original NOR because there will be no access to ymodem.
-
I'll search my archives if I have Uboot CRC update information somewhere in my records.
-
/==========================================
Updating u-boot in SPI Flash (ST M2540P IC) for EDUX1002A
Location of Uboot image in SPI firmware : 0x00010000 - 0x0003F90B
Location of Uboot environment variables: 0x00040000 - 0x00043FFF
The first 4 bytes in envvars area is a CRC32 of the envvars area in Little Endian (LSB first) format over the block 0x00040004 - 0x00043FFF (including zero bytes fill after the env variables end.)
For example if a calculated CRC32 is 98C7C680, then the first 4 bytes (0x40000-0x40003) become 80C6C798.
It is IMPORTANT to update this envvars CRC32 if envvars area is patched.
Failure to update the env variables data checksum after a change (typically by unsoldering and re-programming the U701 IC located on the bottom side of the BLT Module) will cause u-boot to load default environment variables which will lead to failed boot and NAND corruption.
To calculate CRC32 over a block of data use any existing tool which can do this, like a Hex editor.
User envvars area is located in SPI chip outside of the U-boot binary image, so if user envvars are patched, the U-boot's own header CRC32 and Data CRC32 do not need to be updated.
/==========================================
-
... it takes like 45 minutes to upload that uncompressed image through UART.
This is where the StupidBear LAN board shines. Uploading an image through network only takes a few min.
-
/==========================================
Updating u-boot in SPI Flash (ST M2540P IC) for EDUX1002A
Location of Uboot image in SPI firmware : 0x00010000 - 0x0003F90B
Location of Uboot environment variables: 0x00040000 - 0x00043FFF
The first 4 bytes in envvars area is a CRC32 of the envvars area in Little Endian (LSB first) format over the block 0x00040004 - 0x00043FFF (including zero bytes fill after the env variables end.)
For example if a calculated CRC32 is 98C7C680, then the first 4 bytes (0x40000-0x40003) become 80C6C798.
It is IMPORTANT to update this envvars CRC32 if envvars area is patched.
Failure to update the env variables data checksum after a change (typically by unsoldering and re-programming the U701 IC located on the bottom side of the BLT Module) will cause u-boot to load default environment variables which will lead to failed boot and NAND corruption.
To calculate CRC32 over a block of data use any existing tool which can do this, like a Hex editor.
User envvars area is located in SPI chip outside of the U-boot binary image, so if user envvars are patched, the U-boot's own header CRC32 and Data CRC32 do not need to be updated.
/==========================================
So, I succeeded in creating the new image, with correct checksum, and it doesn't complain anymore, but I am not getting into <p500> anymore, the bootdelay is still 3, And I can press space on startup, and then I get into this (somewhat familiar from the original flash) screen. I am getting the feeling that the only reason I was getting into the <p500>, was because the checksum was wrong...
Here is my current output (including me pressing space on startup).
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Unknown id: 0x13409d. Using ST_M23P40
Flash: 64 KiB
NAND: internal ecc 128 MiB
Debug serial initialized ........OK
RTC: 2024-19-6 2:85:47.54 UTC
Microsoft Windows CE Bootloader Common Library Version 1.4 Built May 7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008
PHY not found.
P500 Boot Loader Configuration :
Mac address .......... (00:03:D3:04:10:00)
Ip address ........... (192.168.1.100)
Subnet Mask address .. (255.255.255.0)
DHCP ................. (Enabled)
Boot delay (seconds).. (0)
Load image 1 at startup
Image addresses. (0xdxxxxxxx for NAND, 0x8xxxxxxx for RAM)
1 (0xd0600000)
2 (0xd1e00000)
l) Load memory resident image Load image 1 now
1) Load memory resident image 1 now
2) Load memory resident image 2 now
3) Load memory resident image 3 now
d) Download from platform builder now
u) Start u-boot by resetting
v) Verify Images
>
Did I miss a a var I needed to modify? when originally modifying the flash, I set the "bootdelay" to 3 in 2 places I could find it in flash:
(here is the strings containing bootdelay in the monolithic image which I flashed to the chip)
> strings dump5.bin | grep bootdela
bootdelay
bootdelay=3
bootdelay=3
pbootdelay=0
-
Only change bootdelay and pbootdelay to ,say, 3, but only in the env var section 0x00040000 - 0x00043FFF. Do not change anything before 0x00040000.
-
Only change bootdelay and pbootdelay to ,say, 3, but only in the env var section 0x00040000 - 0x00043FFF. Do not change anything before 0x00040000.
I guess I should set one of those bootdelays back to 0 then (if that one is indeed not in the env vars area). But I kinda doubt that will fix my current problem: If I boot this chip with the correct checksums (and thus not with the fallback env vars) I can't seem to be able to enter into the <p500> shell, thus I can't download the image to ram to attempt another boot.
(I did also try setting pbootdelay to 3 after my last post).
-
Check the original NOR what bootdelay was set to in Uboot area and leave it the same in the modified NOR. Only change stuff in env vars area.
I am pretty sure this was what I had. Do you hit space bar when the scope is powered on? It will not stop for you by itself, you have to hit (if i remember correctly) space bar.
-
Hold on a sec. This was your log in your reply #985:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Flash: 512 KiB
NAND: internal ecc 128 MiB
Now you are not getting NOR identified:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Unknown id: 0x13409d. Using ST_M23P40
Flash: 64 KiB
NAND: internal ecc 128 MiB
What is going on here?
-
This is what it should look like when bootdelay variable changed:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Flash: 512 KiB
NAND: internal ecc 128 MiB
In: serial
Out: serial
Err: serial
SerNum:serial number not programmed
Chip: BD Board Rev: 4
Net: smsc
Press space to stop autoboot: 4 0 3
p500>
And if you do not interrupt it by pressing space, it will proceed to loading PBOOT. You can againg press space to interrupt PBOOT which gives you that menu to select an image source:
## Booting kernel from Legacy Image at f8050000 ...
Image Name: PBOOT
Created: 2015-05-07 8:18:27 UTC
Image Type: ARM Linux Kernel Image (gzip compressed)
Data Size: 37749 Bytes = 36.9 KiB
Load Address: 00000000
Entry Point: 00000000
Uncompressing Kernel Image ... OK
Starting kernel ...
Debug serial initialized ........OK
RTC: 2024-20-12 6:103:32.30 UTC
Microsoft Windows CE Bootloader Common Library Version 1.4 Built May 7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008
Press [ENTER] to launch image stored in flash or [SPACE] to cancel.
Initiating image launch in 3 seconds 2 seconds 1 seconds
P500 Boot Loader Configuration :
Mac address .......... (00:30:D3:20:D7:70)
Ip address ........... (192.168.1.212)
Subnet Mask address .. (255.255.255.0)
DHCP ................. (Enabled)
Boot delay (seconds).. (3)
Load image 1 at startup
Image addresses. (0xdxxxxxxx for NAND, 0x8xxxxxxx for RAM)
1 (0xd0600000)
2 (0xd1e00000)
l) Load memory resident image Load image 1 now
1) Load memory resident image 1 now
2) Load memory resident image 2 now
3) Load memory resident image 3 now
d) Download from platform builder now
u) Start u-boot by resetting
v) Verify Images
Something must still be wrong with your setup.
-
Hold on a sec. This was your log in your reply #985:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Flash: 512 KiB
NAND: internal ecc 128 MiB
Now you are not getting NOR identified:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Unknown id: 0x13409d. Using ST_M23P40
Flash: 64 KiB
NAND: internal ecc 128 MiB
What is going on here?
Oh... I think I know what is happening there. When I was buying some extra flash chips to make sure I could leave the original NOR intact as a backup. I noticed that the one that was originally in my scope, the ST25P40VP wasn't available. I did however see someone in another post (I don't remember where exactly) link to the IS2LP040, and I figured that they are probably just using that one in the newer models or something like that, so should probably be fine. So that is what I bought for testing. I guess I was wrong about that.
Either way, I guess I gotta either wait for chips to arrive from aliexpess, or use the original chip and hope I did nothing wrong when dumping the chip.
-
Ok. Yes you have to use a proper chip, all sort of funny things may be happening with Uboot making its guesses.
-
Ok. Yes you have to use a proper chip, all sort of funny things may be happening with Uboot making its guesses.
Hmm, just tried with the proper chip, once with bootdelay set to 4, and once with both bootdelay and pbootdelay set to 3. It is not complaining about the flash chip anymore, but I am still not getting into the <p500> shell... not sure what else there is to try to try at this point...
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Flash: 512 KiB
NAND: internal ecc 128 MiB
Debug serial initialized ........OK
RTC: 2024-19-6 3:84:41.49 UTC
Microsoft Windows CE Bootloader Common Library Version 1.4 Built May 7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008
PHY not found.
Press [ENTER] to launch image stored in flash or [SPACE] to cancel.
Initiating image launch in 3 seconds
P500 Boot Loader Configuration :
Mac address .......... (00:03:D3:04:10:00)
Ip address ........... (192.168.1.100)
Subnet Mask address .. (255.255.255.0)
DHCP ................. (Enabled)
Boot delay (seconds).. (3)
Load image 1 at startup
Image addresses. (0xdxxxxxxx for NAND, 0x8xxxxxxx for RAM)
1 (0xd0600000)
2 (0xd1e00000)
l) Load memory resident image Load image 1 now
1) Load memory resident image 1 now
2) Load memory resident image 2 now
3) Load memory resident image 3 now
d) Download from platform builder now
u) Start u-boot by resetting
v) Verify Images
>
-
I guess you could attach the NOR bin dump for us to take a look.
-
I guess you could attach the NOR bin dump for us to take a look.
Oh sure, here it is. Though, the forum doesn't seem to like files ending with .bin, so I renamed it .bin.py
edit:
looks like the attachment messed up anyways, 1sec, I'll upload it to my VPS to make a download link
-
I guess you could attach the NOR bin dump for us to take a look.
Oh sure, here it is. Though, the forum doesn't seem to like files ending with .bin, so I renamed it .bin.py
edit:
looks like the attachment messed up anyways, 1sec, I'll upload it to my VPS to make a download link
Just add a .txt extension and it will upload here. Then mention to remove the .txt extension.
-
I guess you could attach the NOR bin dump for us to take a look.
Oh sure, here it is. Though, the forum doesn't seem to like files ending with .bin, so I renamed it .bin.py
edit:
looks like the attachment messed up anyways, 1sec, I'll upload it to my VPS to make a download link
Just add a .txt extension and it will upload here. Then mention to remove the .txt extension.
I think I basically did that by renaming it .py, and it didn't like that, or maybe something just went bad when uploading, either way, I ended up just putting them both in a zip. (both being the original dump, and the one with the modified bootdelay)
-
You were talking about using JTAG at some point. Did you do anything to enable JTAG ? If so, you'd need to roll that back if want to boot from NOR.
-
You were talking about using JTAG at some point. Did you do anything to enable JTAG ? If so, you'd need to roll that back if want to boot from NOR.
Back then, I soldered on a JTAG connector, and before I could do the hardware mod to enable JTAG, I figured out how to use that ST tool. So I ended up never doing that mod.
-
You have to change this variable value. Note the Offset.
Do not forget to update the checksum.
-
You have to change this variable value. Note the Offset.
Do not forget to update the checksum.
Wait wut.... I guess, after having tried with both bootdelay, and pbootdelay set to 3, when I wanted to test with bootdelay=4 and pbootdelay=0, I accidentally mixed up pbootdelay and bootdelay. I can't believe I messed that up.... Guess I'll try again after school tomorrow (really need to sleep rn)
-
You have to change this variable value. Note the Offset.
Do not forget to update the checksum.
I just uploaded a new image (attached) through ymodem in <p500> (I got into <p500> because of a previous messed up crc). After uploading I also did a checksum, on the scope, to confirm everything was in place.
<p500> crc 0xf8000000 0x80000
CRC32 for f8000000 ... f807ffff ==> c7bc2d68
which matches what I get on my desktop:
> cat bootdelay.bin | crc32
c7bc2d68
But I am once again getting that same boot menu and no <p500>:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Flash: 512 KiB
NAND: internal ecc 128 MiB
Debug serial initialized ........OK
RTC: 2024-19-6 6:85:19.21 UTC
Microsoft Windows CE Bootloader Common Library Version 1.4 Built May 7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008
PHY not found.
P500 Boot Loader Configuration :
Mac address .......... (00:03:D3:04:10:00)
Ip address ........... (192.168.1.100)
Subnet Mask address .. (255.255.255.0)
DHCP ................. (Enabled)
Boot delay (seconds).. (0)
Load image 1 at startup
Image addresses. (0xdxxxxxxx for NAND, 0x8xxxxxxx for RAM)
1 (0xd0600000)
2 (0xd1e00000)
l) Load memory resident image Load image 1 now
1) Load memory resident image 1 now
2) Load memory resident image 2 now
3) Load memory resident image 3 now
d) Download from platform builder now
u) Start u-boot by resetting
v) Verify Images
>
I included the file again, and bootdelay really is set in there this time.... (that or I really am going crazy)
-
Found the problem. So I tried setting the env vars by hand, and noticed that after typing: "setenv stdin usbtty", I could no longer input anything. Then it occured to me that the countdown was actually happening on a different output, through the usb port on the back. So I connected that, reflashed the chip with the bin I tried before, and I was able to interrupt the boot properly through the usb that port.
-
You can set it back to "serial" now so you have a single console for input and output.
-
Successful boot, and firmware upgrade with the right env vars, and boot from NAND!!!
Thanks so much for all the help!!!!!!
Also did a rough calibration with my bench top PSU, should be good enough for most of the stuff I do usually do with my scope.
(http://tt-392.space/scope2.jpg)
(yes, I am aware that probe comp needs some work)
It is still still complaining about a few things, but I'm sure I'll be able to do something about those. Also, nice bandwidth. Either way, I have a working scope now.
(http://tt-392.space/scope1.jpg)
I guess next up is trying to get some of the info on that screen correct, and then, of course, to do some hacks :). (Also, I broke off the power button from its stem at some point, but I'm sure I'll be able to figure something out to fix that.)
Either way, kinda out of time to work on the scope today. Will look into it more later.
edit:
the power button bit of plastic apparently just fits snugly in its place, and works just fine even when not physically connected.
-
Great. So your jorney is a demonstration that Keysight 1000x scopes can be restored even if the firmware was completely gone. Pretty impressive.
-
Great. So your jorney is a demonstration that Keysight 1000x scopes can be restored even if the firmware was completely gone. Pretty impressive.
Oh, right, I didn't realize that this was the first documented case of that happening... That is pretty cool. Either way, I am planning to put together a guide to have all of the information available in one place, so that people don't have to dig through a bunch of messages to figure out how to recover their own scope. Though, idk when I'll get around to doing this yet.
-
It is a Christmas night of 2023 and it's been three years since the 1000x Liberated firmware became available. By now though, access to the fully patched liberated firmware update file has become a problem due to its size and hosting problem. To address the issue and in celebration of the 3 years of 1000x Liberation, attached is a small package with a set of tools that new users who missed the train can now use to create a liberated v1.20 firmware by themselves.
This package uses Diff method to apply a difference data blob to the official v1.20 firmware for 1000x scopes. Because of this method, the package size is small which makes it possible to attach it to a forum post.
I have verified that the tool creates a patched file that matches the one in fully patched firmware package, so the tool seems to work properly. But I did not try to install. Please report your experience. :popcorn:
Have fun and Happy Holidays! :-+
-
I'm wandering that how did KS write model and SN into the scope? If there are any tools or scripts? :-\
-
After the installation of "1000X patched 1.20 with backup Image2.ksx", there is only 1Mpts can be caped. That is odd.
-
There is a version with 2Mpts but it is only good for 1- or 2-channel modes. If you turn on 3rd channel (external input), the displayed signal starts wrapping around on bigger time/ settilngs because of insufficient memory for 3 channels. That may cause confusion if the user does not understand that, so in general using the version with 1Mpts is safer.
-
The StupidBear LAN board for the EDUX provides 100Mbit/s full duplex network Ethernet connectivity. It also has a USB-to-UART bridge and a second USB Host port, which were used for debugging and to connect a keyboard or mouse. They are not needed if only LAN is required. The board gets power from the main board. Refer to the PDF attachment for the schematic.
The board was designed to plug in to the installed mezzanine connector J104 on the BLT board and then is secured to the main board's existing mounting poles via 2.5mm spacers. Raising the StupidBear LAN board above the main board by 2.5mm was required in order to maintain proper mating to the mezzanine connector J104 on the BLT board. The BLT board has to be unscrewed and lifted off, the LAN board is connected to it, then the entire assembly is carefully placed on the main board, and is secured with 4 BLT board screws and two new screws by the LAN connector (again, two 2.5mm spacers are needed under the LAN board to maintain proper height above the main board).
The stock scope does not have J104 soldered. The connector must be purchased and soldered onto the BLT board. The connector data:
Amphenol 61083-041402LF
Digikey part number: 609-1667-1-ND
Also attached is the BOM that has DigiKey part numbers for the critical components, and the Gerber files to order a PCB if you want to build a StupidBear LAN board for your Keysight 1000X including the EDUX model and have some fun.
Important: The LAN PCB thickness must be 1mm in order to have some clearance above the components under it on the scope's main PCB.
Hi Bud, I had an accident today when trying to diagnose a USB problem with my scope. The USB port isn't detecting anything, and between 5V and ground, i read 120 ohm, and there's 5V between each data line and ground as well. Anyway, when i was taking it apart, one of the connectors in the BLT module came apart, half of the pins remained on the PCB, and the other half stayed with the connector, which fell off the PCB. Fortunately no pads were damaged, and I was able to put the connector back on the PCB by carefully aligning the pins with the holes, but this just makes contact with the pads very loosely. I'm wondering if you know what temperature these connectors can withstand as i intend to attempt to resolder the connector with a hot air station and this is my first time trying to solder a connector of this type and the datasheet doesn't specify soldering temperatures.
I'm also curious about the part number you mention. Is that also the same part for the connectors already present on the board? Asking since you mention adding a spacer for the LAN board, so it would make sense that the parts already in the board are taller ones than the one you installed. I think it would be good to buy a few connectors and practise soldering on a test board.
And also, if you could measure the resistance between ground and +5V of the USB port and let me know, that would be great, because i really doubt 120 ohm is what it's supposed to be.
Thank you!
-
The connector is same as the other ones if i remember correctly. A spacer was needed to provide a clearance between the LAN board and some other circuit under it, i recall that was a DC power converter or something. For same reason the LAN PCB thickness has to be 1mm (I wrote in my post what it should be).
Soldering the connector with hot air was difficult and I melted just a bit of the shroud, so be careful. I would recommend preheating the board or use a suitable soldering iron and microscope. i cant say the temperature, just go with whatever melts the solder after 30 sec. You also can wrap the connector housing in kapton tape to protect from heat. I recall i used a piece of aluminum foil from a chocolate bar for that.
-
after days practising on scrap boards with tiny connectors i decided to attempt to resolder the original connector. i first wanted to find the fault with the USB host connector, and it turns out the power chip IC is shorted, so i removed it (the magnetic component on the USB data line was removed accidentaly with hot air, but should be easy to resolder). I don't know if anything upstream is also damage or what damaged it since the last time i used it to get data onto a flash drive it worked fine.
anyway, here's the end result of the repair. it's far from the best soldering job for sure, but it's the best i could do with the crappy irons with large tips i have, and it works. i'm glad this was the connector going to the display and not the one on the analog side. i checked all the other connectors on the BLT board to see if any of them had also suffered damage from removing the board, but luckily they were all fine. i reassembled the scope now with the USB switch IC removed, and everything works fine, except for the usb port at the front, of course. i ended up preheating the board for a bit and that helped when i went in with the iron.
thank you Bud!
-
Good that you were able to get it back! :-/O
Weird problem with the USB power switch IC ....
-
something else happened now with this scope. it was running fine, and then it froze, then i shut it off, and when i turned it on, all LEDs are on, and the relays clicked, but no light sequence. When i resoldered the connector i left it running for about 6 hours and it was fine. Any idea what may have happened now?
Thank you! |O
-
Does it produce any output on the debug serial console ?
-
Does it produce any output on the debug serial console ?
I'm going to open it up and let you know. But I think i might have to rework that connector on the BLT, cause i just noticed another symptom: the display presents a barely visible black bar that covers a quarter of it on the side of the buttons, like a checkered pattern. i tried getting a picture of that, but it doesn't show on camera, it's a very faint checker pattern with black and unlit pixels.
Thank you!
-
i opened it up, and removed the BLT to solder wires for the serial port. out of curiosity i powered the scope without the BLT plugged in and it behaved in the same manner it did after it froze.
i inspected the solder joints of all the BLT connectors again, and the connectors on the main board, and they all looked ok, no loose pins or broken joints or anything mechanically suspect.
i then soldered the wires for the serial port, made sure there were no bridges, both by visual inspection and by measuring resistance before and after soldering between the neighbouring pads.
i powered on the scope, with the two wires for the serial port plugged to probes on another oscilloscope, powered it on, and no activity, one of the two wires went high, the other remained low, and that was it.
i pressed on the BLT to make sure the connectors had mated properly, but no changes. i then started poking around the BLT with another oscilloscope and all the JTAG points went high, and all the debug points were low except for one which had a 200MHz signal on it.
what else?
another thing i noticed was the arm spear600 soc was still getting hot. not burning hot, but still significantly warm, the FPGA wasn't getting noticeably hot, so this might be significant?
i also probed directly on the via dave used to get serial out, thinking maybe my wire could be broken inside the insulation, but nope, no activity at all.
does this spear600 chip also handle USB host? i wonder if the USB port dying could be due to some internal damage in that chip somehow and whatever had died inside killed the spear600 for good?
i really don't want to lose this scope, both because it's the nicest to use i have and because turning it into e-waste would be way too awful. I've been looking around to see if anyone sells the BLT board on ebay or elsewhere, since i damaged the connector, but no luck.
:scared:
-
Yes the USB controller (2 of them) are on Spear600.
Put the BLT board back, connect the scope to your computer USB (use the USB port on the back of the scope). Turn audio on on the computer. Power on the scope and listen if the computer makes a sound blip indicating a USB device connected. Check the USB devices list in Device Manager for a new device or new unrecognized device. It may show up as Spear600 SOC or something. Post here what was the outcome.
Edit: provide adequate cooling to BLT module if you keep back cover removed. I use a PC fan blowing from the side and the fan is powered from a separate walwart PS.
Edit2: while the scope is open, check if the keypad flat cable is seated correctly, or re-seat it.
-
Yes the USB controller (2 of them) are on Spear600.
Put the BLT board back, connect the scope to your computer USB (use the USB port on the back of the scope). Turn audio on on the computer. Power on the scope and listen if the computer makes a sound blip indicating a USB device connected. Check the USB devices list in Device Manager for a new device or new unrecognized device. It may show up as Spear600 SOC or something. Post here what was the outcome.
Edit: provide adequate cooling to BLT module if you keep back cover removed. I use a PC fan blowing from the side and the fan is powered from a separate walwart PS.
Edit2: while the scope is open, check if the keypad flat cable is seated correctly, or re-seat it.
Unfortunately, no USB sound, and no device is detected. other than the fan turning on, the relays clicking and the front panel lighting up, this scope has no signs of life. :-BROKE
now i'm looking into maybe replacing the spear600, but the mystery behind its apparent death, and what else might have died, remains!
Thank you!
-
new development on the death of my scope!
I plugged it back in just now, thinking maybe just as it froze to never turn back again randomly it might decide to come back to life, and well, it kind of did just that. this time it did the circling lights bit and showed the megazoom splash-screen then the keysight logo and it froze on the keysight logo for a few minutes until i shut it off. I tried turning it back on again and it wouldn't turn on, presenting the same symptoms as before (all front panel lights on, weird pattern on the screen, fan spin)
this may be a stretch, but could its reluctance to turn on be related to the real time clock battery? when i broke the connector then fixed it, when it turned on for the first time after the repair it gave me an error related to the time, and the controls were locked until i restarted the scope once. maybe this was also a sign it was going to die, maybe it really needs the battery? i'm going to open it up again tomorrow and check the coin battery to see if it's good, this is quite a long shot, but there's nothing to lose with trying that! :palm:
-
If I were you I would keep the serial debug console connected and log all boot attempts. It may help with troubleshooting.
-
Anthocyanina:
If you need to replace the BLT connector, here's the source that I used:
https://www.digikey.com/en/products/detail/te-connectivity-amp-connectors/5-5177986-1/4569888 (https://www.digikey.com/en/products/detail/te-connectivity-amp-connectors/5-5177986-1/4569888)
Same thing happened to me the first time I removed the BLT board. As Bud recommended, Kapton tape to protect the plastic body makes soldering them a whole lot easier.
-
Anthocyanina:
If you need to replace the BLT connector, here's the source that I used:
https://www.digikey.com/en/products/detail/te-connectivity-amp-connectors/5-5177986-1/4569888 (https://www.digikey.com/en/products/detail/te-connectivity-amp-connectors/5-5177986-1/4569888)
Same thing happened to me the first time I removed the BLT board. As Bud recommended, Kapton tape to protect the plastic body makes soldering them a whole lot easier.
Thanks, yeah, i found the connector, but as funds are extremely limited at the moment, i was able to resolder it, which gave some life back to the scope, which sadly died a few days later in an inexplicable manner, or inexplicable with my limited knowledge.
-----
Another update on the scope's death:
after opening it yet again to test the battery hypothesis, i find the battery is fine, but i removed it and replaced it anyway, connected the serial lines to a serial usb adapter and another scope to check for any signs of life, then i pressed the power button, and no signs of life again, i removed the new battery, powered the scope back on, still no signs of life. i placed the old battery back in, turned it on once more, still no signs of life, so i put it back together, and i think that will be the sad end of this scope.
maybe eventually i'll have the money to buy an used edux version to get the BLT module from it or harvest the wavegen parts from mine and make an 1102g out of two scopes.
for now, this is just a nice to look at paperweight as it remains to my eyes the nicest looking oscilloscope out there.
also, if anyone out there is selling a BLT module, i don't know, perhaps your 1000x scope fell off the bench and is broken beyond repair and still has a good BLT on it, i'm willing to buy it, just not right this moment as i have no money, but in the near future for sure. if you, person who is reading this, have a working BLT module and are willing to sell it, message me! (i do wonder tho about compatibility between the 1000x and 1200x series BLT modules)
-
Hi,
Reading the exchanges between Bud and TT-392 users, I am trying to fix an oscilloscope with a typical nand problem. (I repaired the x3000 series a few weeks ago).
However, after reprogramming the memory, calculating the checksums I am shown as expected the caption:
"Press [ENTER] to launch image stored in flash or [SPACE] to cancel."
but the oscilloscope doesn't respond to pressing buttons on the keyboard |O
space, enter, r , just nothing....
I am working on a laptop. I have already tried to connect the USB keyboard to the computer and to the oscilloscope. I have run out of ideas...
Do you have any advice?
-
Which oscilloscope is that? Can you give more context, it is unclear how you got to what you wrote.
-
Which oscilloscope is that? Can you give more context, it is unclear how you got to what you wrote.
The oscilloscope I am repairing is the DSXO1102A.
I have fixed the error of no keyboard response, the Tx lead to the oscilloscope was incorrectly connected to FTDI cable.
I have the connection made according to the video in post 1.
Despite this interrupting the boot procedure, I do not enter pboot :-(
In memory, I changed pbootdelay and bootdelay to 3, along with CRC correction.
I attach the logs and the memory file.
log -1 without interrupt loading (nand corruption issue)
log -2 aborted loading procedure, I was hoping that pboot would appear ;-(
-
I can't seem to be able to let this scope rest in peace, so i took it apart yet again, serial plugged in to another scope and to an USB adapter, it seems my adapter is dead, so it's good i prepared theo ther scope for decode and the longest record possible. after turning it on and off for a few times, i got some serial output, finally!
seeing the cpu ID itself was great, there was nothing on the screen, no rolling front panel lights still, but there was that line on the serial, telling me it's at least partially alive still.
The last bit captured on that boot attempt is what you see on the second image. It abruptly stopped at "Ethernet Bootload." (is this the end of this line? or was it meant to be "Ethernet bootloader..."?) and after that, the serial output completely stopped and the line remained high until i shut it off. I tried again for about 50 times, but never got another message on the serial line, just like last time after seeing the logo on the screen.
So! something is for sure either preventing boot, or stopping it, seemingly at random, with more fully prevented boots than stopped boot attempts, but still unpredictable. I'm going to see if i can get another USB to serial adapter.
Does this tell you anything, @Bud?
Thank you!
-
In memory, I changed pbootdelay and bootdelay to 3, along with CRC correction.
I attach the logs and the memory file.
Try replacing usbtty -> serial
Recalculate the checksum then.
-
Ok! there's been yet another development! I kept turning it off and on multiple times, and on the latest partial boot, i got this. I captured 5.5 seconds of data. moving it around, i saw a short pulse spiking over 15V on the line, and then i started scrolling over the capture to see what was new. this time it got past the "Ethernet bootload" bit, it really was "Ethernet bootloader" of course, and i compared what i got with the output Dave captured on his hacking video.
it followed the normal output until "BL_IMAGE_TYPE_BIN", and then I got a couple of messages saying "Rewrite recommended, Internal ECC corrected data at 0xca" and the same message with another address "0xc7".
in between the ECC corrected messages i was getting the X and O letters seen on Dave's output, and the recorded data ended with an O, and the line remained high for the next couple of seconds until the record ended.
this has been a lot more informative and now appears to show a likely cause, corrupted memory, perhaps? hmmm! still very curious that the boot process continues to stop in seemingly random places, with two attempts without data getting it as far as showing the logos on the screen, and these two latest attempts with data stopping way before that.
-
Get a normal serial adapter man, stop torturing yourself and us ;)
-
So! something is for sure either preventing boot, or stopping it, seemingly at random, with more fully prevented boots than stopped boot attempts, but still unpredictable. I'm going to see if i can get another USB to serial adapter.
Double check that the NOR EEPROM chip is soldered well.
-
So! something is for sure either preventing boot, or stopping it, seemingly at random, with more fully prevented boots than stopped boot attempts, but still unpredictable. I'm going to see if i can get another USB to serial adapter.
Double check that the NOR EEPROM chip is soldered well.
is that the M25P40? if so, It is well soldered. removing the BLT module again to see that was a bit easier this time. I'll keep it unplugged for now. would it help to get a dump from it?
watching Dave's video again, the first few lines list CPU, DRAM Flash, and NAND, and on the NAND line, it says "internal ecc 128MiB". since the strange line i get says something about internal ecc corrected data at... would it still be more likely it is something with the flash and not something with the internal memory of the spear600 itself?
Thank you!
-
There is a Uboot environment variable in EEPROM that sets ECC type. If for whateve reason that variable is not loaded you will get those ecc correction errors during boot.
-
In memory, I changed pbootdelay and bootdelay to 3, along with CRC correction.
I attach the logs and the memory file.
Try replacing usbtty -> serial
Recalculate the checksum then.
Thanks !
Now pboot is working.
I tried to upload the soft like the x3000 series and the method described in another thread. Uploading via loady the nk.nb0 file previously prepared and firing from infinivision flash drive.
Unfortunately I only showed the logo on the oscilloscope and a reset occurred :-/.
log_3 - boot procedure
log_4 - printenv
-
You cant use 3000x USB based procedure for 1000x, it is not working on 1000x., forget it.
Something maybe missing in your printenv output, i will look later today.
-
Before doing the 'go' command try 'run preboot'
Edit: ...unplug the USB drive before attempting to boot.
-
Before doing the 'go' command try 'run preboot'
Edit: ...unplug the USB drive before attempting to boot.
When I tried to use "run preboot" (between loady and go) then after using the "go" command no action occurred.
I initially tried on firmware version 1.2 from the manufacturer's website and 1.1 patch from the forum. In both cases booting stops at the same point. (The original firmware is 1.1)
What do you mean by "...unplug the USB drive before attempting to boot." ?
After all, the procedure is to upload the nk.nb0 file to memory (it's basically a windows CE image) and have the system fire the application from the flash drive. Am I wrong ?
TT-392 went through a similar procedure so I hope that I will also succeed.
-
Can you point me to a TT-392's post where he said he started the application from a USB drive ?
-
eh you are right without a flash drive the application started by itself and could be updated from the flash drive then.
As a thank you, I am preparing a description of the procedure should someone look here in the future with an identical problem and not have to ask questions.
I think that I will finish the description later today max. tomorrow.
-
If your oscilloscope has a black screen and only the buttons light up probably this tutorial should fix it.
- unscrew the oscilloscope to get at the small board mounted in the motherboard.
- solder out u701 chip (on back of plate)
- rip the x.bin file with the programmer
- open the file in hexeditor
- edit bootdelay=3 and pbootdelay=3 positions (look for 000402E0 and 00040380)
- change usbtty to serial (00040280 and following)
- calculate (in hexeditor) from addresses (0x00040004 - 0x00043FFF) the value of crc32. Change on the first 4 bytes(0x00040000-0x00040003).
Remember the reverse order of entry! If the calculated value is 75 4D 12 8E then we type 8E 12 4D 75.
- we save the file, upload to memory, solder.
- solder the wires to the serial port as in the attached video in the 1st post (I also include a photo before cleaning the excess flux ;-)).
We connect to the computer via usb-uart converter. We install TeraTerm. It will be needed to handle the serial port and the YModem protocol.
From the default settings of the serial port, we change the speed to 115200.
- Now we have access to pboot (prompt p500) on the serial. (If we abort the boot)
Prepare the necessary file.
Download the firmware from the manufacturer's website. Open in totalcommander or change the extension to x.cab then it should open as an archive also in windows.
We proceed to:
X:\yourfolder>bincompress /d nk.bin.comp nk.bin
Check the length of the file.
X:yourfolder>viewbin nk.bin
Image Start = 0x80361000, length = 0x01A857C0
Start address = 0x80362000
Checking record #45 for potential TOC (ROMOFFSET = 0xFE992E44)
Checking record #50 for potential TOC (ROMOFFSET = 0xFE9C3E44)
Checking record #126 for potential TOC (ROMOFFSET = 0xFF1F0E3C)
Checking record #189 for potential TOC (ROMOFFSET = 0x00000000)
NOTICE! Record 189 looked like a TOC except DLL first = 0x4001C001, and DLL last = 0x4192C095.
Done.
X:yourfolder>cvrtbin.exe -r -a 0x80361000 -w 32 -l 0x01A857C0 nk.bin
This will result in a nk.nb0 in the same folder.
- Now we can upload the prepared file to memory.
p500> loady 0x00361000 115200
In Tera Term go to File->Transfer->YMODEM->Send.... and open the nk.nb0 that you have prepared before.
The uploading process will take about 50 minutes.
# Ready for binary (ymodem) download to 0x00361000 at 115200 bps....
CCCxyzModem - CRC mode, 1(SOH)/27158(STX)/0(CAN) packets, 10 retries
## Total Size = 0x01a857c0 = 27809728 Bytes
-Now we can boot the system. You need to remember that nothing is inserted in the USB port.
p500> go 0x00362000
## Starting application at 0x00362000 ...
Windows CE Kernel for ARM (Thumb Enabled) Built on Mar 8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Jun 10 2019)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area....
pDrvGlobalArea 0xa0060000 size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers.
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200 (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
LAN PHY NOT detected.
DeleteP500EnetRegistry:
\_CommGMAC 0x0.
\_CommGMAC1 0x0.
\_CommTcpipLinkage 0x0.
\n-Virtual 0x0.
\■DriversBuiltInLIN 0x5
LIN: Data Valid
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
ERROR: c:WINCE600PLATFORMCOMMONDIVERS.c line 656: Rewrite recommended, internal ECC corrected data at 0xbe15.
Rewrite Block at Sector Address 0xbe15. 4541
Read Block SUCCEEDED 4572
Erased Block SUCCEEDED 4574
Completed rewriting Block SUCCEEDED 4623
Device load time:
NANDFLASH: 0 ms
SNANDFLASH: 0 ms
ERROR: OALIoCtlHalGetDeviceInfo: Device doesn't support IOCTL_HAL_GET_DEVICE_INFO::SPI_GETBOOTMENAME
SHIM DLL, LoadRealDll [PalIO.dll] for [AgilentPalIO.dll].
SHIM [AgilentPalIO.dll] Get Process Addresses
LaunchInfiniiVision:
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll].
SHIM [AgilentPalSStorage.dll] Get Process Addresses
invalid clock reading: Sat Jan 01 01:00:00 2000
Released build, Jun 10 2019, 21:13:39
Initializing FPGA...
************************************
Ver: 1.067 Released
************************************
ERROR: c:\WINCE600\PLATFORM\COMMON\SRC\SOC\STM\COMMON\DRIVERS\NandFlash\.\stm_NandFlash.c line 656: Rewrite recommended, internal ECC corrected data at 0xbfc8
Rewriting Block at Sector Address 0xbfc8. 11622
ERROR: c:\WINCE600\PLATFORM\COMMON\SRC\SOC\STM\COMMON\DRIVERS\NandFlash\.\stm_NandFlash.c line 656: Rewrite recommended, internal ECC corrected data at 0xbfc8
Read Block SUCCEEDED 11667
Erased Block SUCCEEDED 11668
Completed rewriting Block SUCCEEDED 11703
Calibration mode User
Cal Date Mon Apr 08 13:10:31 2019
Startup sequence is complete.
Saved configuration invalid
System has been running 16.266155 seconds
Start Up Sequence 6.680450
Memory Load 52%
System Physical Memory 37.832 / 73.465 MB
Process Virtual Memory 46.688 / 1024.000 MB
-----> InfiniiVision is running <-----
- Now on the flash drive (FAT32) place the firmware from the manufacturer's website and run the update procedure.
It is important to remove the flash drive after restarting, otherwise the system will not boot.
Thanks again Bud for the information ! With your help and information about the repair procedure for the x2000 and x3000 oscilloscopes, I was able to repair this model as well.
-
:-+
-
ok! i checked every solder joint on the BLT connectors and the components with visible solder joints, nothing looked suspect, but as a just in case, i used the hot air station on the spear600 and the memory ICs. i noticed some flux residue was left near the damaged connector, so i just basically bathed that side of the BLT in isopropyl, making sure tehre was no residue at all, then i placed the BLT back where it belongs, but i didn't fully press it in, just enough that there would be contact, and to my surprise, i got a full boot! still don't have a proper USB adapter, but i captured the data with an analog discovery 2, which was a lot easier to read than scrolling the rigol capture. there were a couple of differences on the log between what i got and one log someone posted years ago on this thread, but i read it all and there were no errors this time.
i then fully seated the BLT and turned it back on, and i got a few more full boot sequences. it boots up much more consistently than before, but it some times takes significantly more time for a full boot, and sometimes it does boot at its regular speed, and sometimes it doesn't boot at all.