DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?

[PlainName]

Even digital input selection for serial decoding should be possible, including I2S

Would really like that one - wouldn't need to have the PC and Logic on standby.

Which FW version do you have? And are you able to patch it?

2.41 and probably, given instructions.

[mlan]

Can anyone explain me how it is possible to add options to the .lnk file without patching the internal v2.41 infiniiVisionCore.dll file?  It first has to be 'unlocked', right?
Or did I miss something?

[[IDC]Dragon]

Today my 3014 got the other hardware upgrade of the current portfolio: Upping the sample rate from 4 to 5 GSa/s. Kudos to user "memset".
Originally I wanted to do that together with the frontend upgrade, but ordered only one inductor, didn't knew there's another on the backside. 
For the record, I used Coilcraft 0603CS-10NXGLU (10 nH), and of course removed the strapping resistor H2. I was a bit tempted to try 12 nH and hope this would do both frequencies, so I could change the sample rate back and forth, but from the ADF4360 datasheet this looked too marginal to be safe. The lock range of the oscillator is rather small.

After that mod, the trigger position was way off, the scope needs a new user calibration, which fixed it.
BTW, the calibration can be backed up with telnet and USB, it resides in the hidden folder "\secure\cal\", the two *cal.dat files. There's also a logfile from the calibration run, it seems Keysight does the same at their manufacturing site.

The scope seems to do well with the unusual rate from its biggest cousin, measured timings and display are correct. As expected, the effect of 25% finer sampling is not dramatic. The hardware rendering does a good job on sinc interpolation already. It's slightly visible on direct comparison. Again pictures of a "Jim Williams" pulse, 500 MHz bandwidth, before and after.
Slightly more amplitude of the pulse gets captured, the dip behind the pulse is a bit deeper. (We're talking about 4 vs. 5 samples per nanosecond division grid here, everything else is the sinc interpolation...)

Before, 4GSa/s:


After, 5 GSa/s:

[[IDC]Dragon]

Can anyone explain me how it is possible to add options to the .lnk file without patching the internal v2.41 infiniiVisionCore.dll file?  It first has to be 'unlocked', right?
Or did I miss something?

No patching required. The .lnk file starts a different executable, which allows command line parameters. The only and slight drawback is a nag message after boot.
You need firmware 2.41 installed beforehand. It was reported to work with 2K scopes:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1100759/#msg1100759

[TheSteve]

The other drawback are issues with network connections to the scope - it has all been covered before.

[mlan]

Can anyone explain me how it is possible to add options to the .lnk file without patching the internal v2.41 infiniiVisionCore.dll file?  It first has to be 'unlocked', right?
Or did I miss something?

No patching required. The .lnk file starts a different executable, which allows command line parameters. The only and slight drawback is a nag message after boot.
You need firmware 2.41 installed beforehand. It was reported to work with 2K scopes:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1100759/#msg1100759

Ok, it seems that \Secure\infiniiVision\infiniivisionLauncher.exe will start infiniiVisionCore.dll without any secure storage, and thus the FW falls back to 'unsecure' mode and will accept parameters (Hence the warning message). Very convenient behavior!
And \program files\infiniivision\infiniiVisionLauncher.exe will start infiniiVisionCore.dll with the correct secure storage context and thus will only accept officially installed licenses.

[memset]

I have a 3024T that I'd love to up to 500Mhz.
I will take pix of the board when I get back from holidays. I'm not at the level where I would be able to figure this out for myself, so I'd be relying on someone else taking the plunge first.

Would be really nice to get good pics from DSOX-T. T-versions should be relatively easy to push to 1Ghz by adding Teledyne attenuator relays. PCB topology should be "ghz-ready".

[Luminax]

Can anyone explain me how it is possible to add options to the .lnk file without patching the internal v2.41 infiniiVisionCore.dll file?  It first has to be 'unlocked', right?
Or did I miss something?

If you go digging some posts back, you'll notice someone from Keysight posting. Their attitude seems to be "You guys are hacking our scope? cool, show me what you can accomplish" and is generally taking the silent assent stance unless you start 'selling' the 'hacked' product and THEN they go to town.
So my guess is, they're worried about people bricking their oscilloscope and them getting swamped with repair request that they somehow made it easier(?) to hack... I guess? 
Eeeeey as long as I get my functions, I'm happy!b

[adranp]

As I have promised, please see the MSO-X 3014T detailed pictures. I did not have time to make a complete photo-session for the PCB, but I managed to snap pictures for one analog-frontend and a general view (front + back).

Please tell me what sections do you consider worthy pictured and I'll take them. It would be easy to use the two pcb general view pictures and draw there the sections of interest.

The pictures can be found here: http://www.idsys.ro/public/MSO-3014T-1.zip

:TheSteve - Could you be kind and throw an eye on the analog front-end and tell me your opinion? I did not have time yet to compare it with your mod but I'll do it in a couple of days surely.

[TheSteve]

At a quick glance it looks pretty darn promising to me. As memset predicted it looks as though they are using a single PCB for all of the T series scopes. You can see where the Teledyne attenuator relay would mount which is needed to go above 500 MHz.
The mod to 500 MHz looks identical to the 3000A series - the 1 GHz mod would be more work as we need to know the proper part values, it would also need the additional relay per channel and the drive circuitry(looks pretty simple). Moving one of the existing relays is probably also required.
Being there is no open hack for the T series the jumper config will only get you to 350 MHz with the 500 MHz mod, so if we can determine the proper part values it makes sense to go right to 1 GHz as that can configured via jumper with no license needed(if the strapping jumpers are the same - it is very likely they are).
If I had a T series I'd be compiling the parts to order list right now.

[adranp]

:TheSteve - Great.. I'd be willing to look at the 1Ghz mod if we could sort out the part needed (attenuator relay). I assume it's position would be at K504 silkscreen marking.. Right?
What relay are you talking about moving? I assume you're talking about one of the two white/yellowish Japan made, in the frontend.. Where would these need to be moved?

:memset - Any help would greatly be appreciated. Waiting any questions or ideas.

Is anyone willing to open up a 1GHz 3104T version to help us out in finding out the exact part needed?

[TheSteve]

The relay is likely the same as the 3000a model, it is the inductors/capacitors that could be tougher to determine.

[mikeselectricstuff]

Here you go...

[Dubbie]

Not particularly useful at this stage, but here is the frontend of the 200Mhz model.

[Howardlong]

Interesting that they're using what appears to be the same board: on the 3000A the Teledyne relay didn't have any placement lands on the 500MHz and below units that I've seen.

[mikeselectricstuff]

Interesting that they're using what appears to be the same board: on the 3000A the Teledyne relay didn't have any placement lands on the 500MHz and below units that I've seen.

Maybe when they did the T version PCB they combined the versions

[memset]

Great work with all these pictures, adranp, mikeselectricstuff, Dubbie!
Looks like for 1GHz 3000T-version upgrade K503 should be moved to K501 with K504 added alongside with corresponding replacement of several passive components. Also, antialiasing filter for 1Ghz looks to be significantly different from <1GHz version with extra RC link.
As I thought before, PCB topology is the same so the 1GHz upgrade is definitely possible. Same must be true for 4000X-series.

And for 3000A-series they decided to erase some components from PCB design like Teledyne relay signal/control paths, so part of topology is missing from PCB.
I still think it should be possible to upgrade 3000A to 1GHz, but presonally I gave up on 1GHz because I need my only scope to be in working condition instead of being disassembled permanently for all these experiments.

[adranp]

As always :mikeelectricstuff is helping big time. All my regards.

I've looked for the Teledyne attenuator relay and it seems quite hard to procure (no stocks). Any ideas?
Also there are quite a lot of passives there to plant.
There's a transistor there at Q501 also needed. I've tried looking for the marking (N1 v) and there are a few possible matches for that. Anyone know what that could be?

Let's start to put together the list for all the parts needed and I'm willing to look into modding to 1Ghz. 

[memset]

Let's start to put together the list for all the parts needed and I'm willing to look into modding to 1Ghz. 

To try the 1GHz mod we'll need to find out correct 1GHz-variant values for these 5 unknown caps (look at the picture for 5 caps marked with big red dots).
To read out their values one need to desolder them one by one and measure with some very precise sub-pF cap meter.
I think both types of AA filter symmetric caps should have the same low-pF value. Also, AA shunt caps are expected to be less than 2.0pF. Attenuator RC cap is also low-pF, but the value could be up to 100's of pF.

[memset]

There's a transistor there at Q501 also needed. I've tried looking for the marking (N1 v) and there are a few possible matches for that. Anyone know what that could be?

Q501 should be Teledyne's control N-MOSFET. I think it's MMBF0201NL. Unfortunately, P-MOSFET Si2301CDS also fits for N1 marking, but only N-fet seems to be sane to use for relay switching control.
To make it sure one needs to check if Q501's Source pin is grounded.

[nctnico]

If Q501 is only there to drive the relay then any jelly bean MOSFET would do. In case of N channel the 2N7002 or SI2302 are good candidates.

[Dubbie]

Is your scope still apart Mike?

If so are you willing to measure the caps?

[mikeselectricstuff]

Is your scope still apart Mike?

Sorry no.

[Howardlong]

I have two comments about reverse engineering the front end from some work we did a few months ago on the 3000A.

Firstly, you need to take the greatest of care when removng the metal cans, it is all too easy to inadvertently break the ground track and vias on the lugs. Repeated removal and replacement weakens these tracks and vias, and repair isn't the easiest.

Secondly, take care about cleaning the board. There is some high impedance stuff going on and any ionic residue will cause the front end to oscillate, that took me a looooong time to figure out. If you do use any cleaning agents, be aware that getting them out of an encapsulated relay is going to be bloody hard work.

[adranp]

:memset

"To make it sure one needs to check if Q501's Source pin is grounded." -> The source pin (the upper left pad) of Q501 is grounded. Just checked that now.


:Howardlong

What you are saying is very very true.. One ground pad for the metal cans in my case raised slightly at disassembly.. Solved that easy in my case, but anyone trying this should take great care not prying the metal cans too hard.

Clearly, pcb cleaning is very very important.. Though, my question to you, is what cleaning agent would you recommend in this case?