Still, for that kind of money (and even more - for the same generator - in the 3000 series), you'd think they could include a sweep function. Geez
It's all about internal politics and protecting their function gen market of course.
The function gen is actually a full dual channel arb and is quite capable of doing a lot more, look at the training signals as an example.
Dave.
I have noticed that software engineers refer to the ASICs as "Baldwin." Is this a codename for custom silicon?
Ok, here is some simplified C# source code explaining how the signature is verified.
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using System.Windows.Forms;

RSAParameters RSAParam = new RSAParameters(); // Need to recover this yourself
Guid DivisionID = new Guid("{00000000-1111-2222-3333-444444444444}"); // Need to recover this yourself
string HWModelNumber = "DSOX1234A";
string HWSerialNumber = "AB12345678";
Guid LicenseId = new Guid("{00000000-1111-2222-3333-444444444444}");
string FeatureName = "dummy";
string FeatureVersion = "1";
DateTime? ExpirationDate = new System.DateTime(2011, 3, 30);
string ProductNumber = "DSOXDMY";
string Signature = "OZrKwpbZq3Oxp8eXebGo190UAYvLMFeyNvs7xCA0oAwDmPP3aV2azu+XFTViLzdYlazEETTJE9knLD7wJJovot3b+iQPgeTk0i8f5IpAdx21ncdJIDjIvi+Ail/mQggRKZLaBZeWF3JWSJ/OTA3jmpti/Qg1sNg3iTdroYzHfbI=";

// Build the string that was signed: the license fields concatenated in a fixed order
string s = string.Format(CultureInfo.InvariantCulture, "{0}{1}{2}{3}{4}{5:R}{6:yyyyMMdd}{7}",
    new object[] { DivisionID, HWModelNumber, HWSerialNumber, LicenseId, FeatureName, FeatureVersion, ExpirationDate, ProductNumber });

using (RSACryptoServiceProvider RSA = new RSACryptoServiceProvider())
{
    using (SHA1CryptoServiceProvider SHA1 = new SHA1CryptoServiceProvider())
    {
        RSA.ImportParameters(RSAParam);
        // Check the Base64-encoded RSA signature over the UTF-8 bytes of s, hashed with SHA-1
        if (RSA.VerifyData(Encoding.UTF8.GetBytes(s), SHA1, Convert.FromBase64String(Signature)))
        {
            MessageBox.Show("Jep! :)");
        }
        else
        {
            MessageBox.Show("Nope");
        }
    }
}
The RSA parameters & DivisionID are missing on purpose, you need to recover them yourself. Please don’t ask me how to use this code for something else or what the missing variables are, I won’t help. My goal always is to check if it can be done, not to share a solution ready to go for everyone. If you need something for work -> BUY IT!
Remember that you can forget about warranty & support if things go wrong.
I have noticed that software engineers refer to the ASICs as "Baldwin." Is this a codename for custom silicon?
Custom chips often have internal code-names, which occasionally leak outside the company.
Also, the firmware doesn't have a BW35 option, probably meaning 350MHz is the minimum bandwidth for that board (just like Dave said):
enhTvTrig_3k
bw20_3k
bw50_3k
mso_3k
am4M_3k
MemMax_3k
fpgaProbe_3k
fpgaAltera_3k
lsSerDecode_3k
amSerDecode_3k
232SerDecode_3k
i2sSerDecode_3k
power_3k
distributor_3k
wavegen_3k
segmentedMem_3k
limitMask_3k
distributor_2k
education
wavegen_2k
segmentedMem_2k
limitMask_2k
bw10_2k
bw20_2k
enhTvTrig_2k
232SerDecode_2k
lsSerDecode_2k
amSerDecode_2k
i2sSerDecode_2k
mso_2k
Interesting information! Where did you get this list from?
I am curious as to what these options mean?
enhTvTrig_3k: Enhanced TV trigger? What is it?
am4M_3k: Is this 4Mpts option called DSOX3MemUp in the datasheet?
MemMax_3k: ?? ?? ?? No idea
fpgaProbe_3k: FPGA Dynamic Probe for Xilinx like on 7000 models?
fpgaAltera_3k: FPGA Dynamic Probe for Altera like on 7000 models?
power_3k: Is this a sort of key to unlock U1881A Power Measurement Application on a PC?
distributor_3k: Auto Demo mode?
Interesting information! Where did you get this list from?
It's in the firmware. I'm disappointed there's no built in option for memory relating to the 2k. If the HW is capable it would probably need a fw upgrade.
@Dave: Could you do high res images of the VGA module, both sides? (preferably with some dimensions reference as well)
I'd like to make a "clone" with just the LAN ... but obviously there has to be some way for the scope to identify the module. I also know that the scope will load the FPGA image itself and wait for the DONE pin to rise.
@Dave: Could you do high res images of the VGA module, both sides? (preferably with some dimensions reference as well)
I'd like to make a "clone" with just the LAN ... but obviously there has to be some way for the scope to identify the module.
There are few enough module types that my bet would be either a few pins used as hard-coded IDs linked to ground differently for different modules, or each function (LAN, VGA, GPIB), or a single pin with different resistor values for different module types.
Not totally implausible that it detects the FPGA, but my guess is they wouldn't want to rule out the possibility of a LAN-only module in future.
As the FPGA is only for VGA out, it is probably an output-only peripheral (unless they use monitor ID..) so may be feasible to fake the configuration handshake if necessary.
I think it's a hardcoded ID, but need to find it
It can't be the FPGA because it's not loaded yet. The code clearly gets the type of device, and then selects the appropriate image and loads the FPGA. It then waits for the 'DONE' bit to go high. (so you'd have to simulate the DONE bit going high, but that's easy).
I got images from the video, compensated perspective and lined them up. Now, just need to run them through de-pcb. (obviously I don't have the internal layers so there will be guess work).
The scope IDs external modules by reading their FPGA signatures.
Yes, the LAN/VGA FPGA will get updated when you [re]install the system firmware update but for this it has to be identified first.
I don't know if FPGA has a sort of protected area that does not get updated. Then it's a bit more complicated.
Maybe LAN module gets inited regardless of LAN card presence? It would be great but it's hardly likely.
The scope IDs external modules by reading their FPGA signatures.
? What makes you think that ?
1) Those FPGAs are SRAM based, they lose their configuration at each power down and there is no external configuration flash on the module, so the scope _HAS_ to load their configuration at each boot. And to load the correct one, it has to have identified the module type _BEFORE_.
2) You could imagine that the scope reads the FPGA model by JTAG but since both boards have the exact same FPGA, it is not possible to differentiate them that way.
The scope IDs external modules by reading their FPGA signatures.
? What makes you think that ?
1) Those FPGAs are SRAM based, they lose their configuration at each power down and there is no external configuration flash on the module, so the scope _HAS_ to load their configuration at each boot. And to load the correct one, it has to have identified the module type _BEFORE_.
It is possible to read the FPGA type though.
2) You could imagine that the scope reads the FPGA model by JTAG but since both boards have the exact same FPGA, it is not possible to differentiate them that way.
Have you seen the inside of the GPIB module then? It probably would make sense for it to use an FPGA as many GPIB chips are obsolete - not sure if there are any in current production, and even if so probably not in 3.3v logic.
Bear in mind that it doesn't actually need to do anything specific to the LAN I/F depending on if it's present or not, as it's just a magjack, so if not present it just won't ever see any packets.
Have you seen the inside of the GPIB module then? It probably would make sense for it to use an FPGA as many GPIB chips are obsolete - not sure if there are any in current production, and even if so probably not in 3.3v logic.
No but I've seen the software logic inside the scope and the FPGA configuration file (.bit) for both the GPIB and LAN/VGA module.
Bear in mind that it doesn't actually need to do anything specific to the LAN I/F depending on if it's present or not, as it's just a magjack, so if not present it just won't ever see any packets.
Yes, but I think the options for LAN would be grayed out in the menu. (just a guess... If someone with an actual device could confirm it would be nice).
Yes, but I think the options for LAN would be grayed out in the menu. (just a guess... If someone with an actual device could confirm it would be nice).
When LAN/VGA module is absent you have no access to any LAN menus. They are not greyed out, they simply disappear.
Just took another look at Dave's video.
On the assumption that it's a pullup/pulldown pin, it may not be that hard to figure out which are the ID pin or pins.
From the video you can pretty much see which pins are likely to be ground or power, as there is only a short track with a via to an inner plane.
Meter out these pins on the scope to eliminate all those that are actually power and ground, and you're probably only left with few enough to do some trial & error with pulldowns to see if any make the LAN menus appear - I don't know to what extent an ethernet MAC can tell if its magjack is disconnected, although this may give a helpful selftest failure message.
I'll put up the high res photos of the module and scope in the next day or two, super busy right now!
Dave.
Great, can you also show what's inside the logic probe?
Logic probe pad case is held together with two rivets. They need drilling out.
I think the probes are just their usual 40 pin POD, so it should just be a 90kOhm resistor from the connector to the probe ...
The voltage comparators are obviously in the scope.
But yeah, confirming it would be nice.
I think the probes are just their usual 40 pin POD, so it should just be a 90kOhm resistor from the connector to the probe ...
The voltage comparators are obviously in the scope.
But yeah, confirming it would be nice.
If this helps, they measure 90.0kOhms from pod socket to the connector on signal line and 0R on the GND line.
Yes thanks.
Do you have a pinout by any chance?
I'm getting a 3000 series this week. I am willing to hack mine if someone is willing to help me do it.
I've got a low-end 2000 waiting for me when I finish up my day job. I'm going to try unlocking everything just to prove it can be done, then I'll probably remove the licenses as I don't technically need them (if I needed them, I'd buy them - besides which, I won't have the relevant probes for the 200MHz or MSO options).
Sorry in advance, but I also won't be giving out any keys or specifics about how to do this. All the relevant information is already out there and just needs putting together by anyone wanting to do this themselves.
Has anyone confirmed that they have hacked it? Or is it still officially "unhacked"? (I will get my 2000 this week so I'm a bit excited)