Author Topic: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?


Offline PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5129
  • Country: nl
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1125 on: September 05, 2016, 10:09:40 pm »
If the scope's OS isn't completely blocked you'll be able to get a telnet welcome message (maybe several minutes after connecting). If so - you're saved.

I waited for more than 15 minutes but the telnet connection didn't show anything, and the RS232 debug port is still flooded with the "does not support multiple Open()'s" message.
It looks like this is blocking the other processes from doing anything.
Keyboard error: Press F1 to continue.
 
The following users thanked this post: Andrew

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3753
  • Country: ca
  • Living the Dream
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1126 on: September 05, 2016, 10:21:44 pm »
This is a total long shot as the telnet port doesn't work but have you tried the web interface?
VE7FM
 
The following users thanked this post: Andrew

Offline dav

  • Regular Contributor
  • *
  • Posts: 133
  • Country: it
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1127 on: September 06, 2016, 07:27:53 am »
Is the new 3000T "upgradable" in the same way?
 
The following users thanked this post: Andrew

Offline Faith

  • Supporter
  • ****
  • Posts: 154
  • Country: sg
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1128 on: September 06, 2016, 07:35:46 am »
Is the new 3000T "upgradable" in the same way?

Would be interesting to know. While the 3000T is very similar to the 3000A in terms of hardware, there are differences.

And likewise the 3000T follows a different firmware branch (same as the 4000A) which again, while based on the original 3000A, has differences.

Just tried to search around and can't seem to find any information directly related to the 4000A.
<3 ~Faith~
 
The following users thanked this post: Andrew

Offline memset

  • Regular Contributor
  • *
  • Posts: 137
  • Country: ru
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1129 on: September 06, 2016, 12:06:28 pm »
Is the new 3000T "upgradable" in the same way?
Should be even easier, up to 1GHz.
Post frontend pictures to make sure.
 
The following users thanked this post: Andrew

Offline memset

  • Regular Contributor
  • *
  • Posts: 137
  • Country: ru
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1130 on: September 06, 2016, 12:10:34 pm »
I waited for more than 15 minutes but the telnet connection didn't show anything, and the RS232 debug port is still flooded with the "does not support multiple Open()'s" message.
It looks like this is blocking the other processes from doing anything.
Try to disconnect front panel's flex cables. Chances are low, but worth trying.
Probably you'll need to load patched CE core via COM port to fix this problem.
 
The following users thanked this post: Andrew

Offline matthieu.e

  • Regular Contributor
  • *
  • Posts: 79
  • Country: 00
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1131 on: September 06, 2016, 01:54:10 pm »
I am trying to match the DSOX3000 components with the DSOX2000 components but I am not sure about L4 and R2.
What is your opinion?

What is the Agilent 2AD2-0001? Is that the ASIC and have we got a datasheet?

That's an ASIC, yes.
Frontend seems to be very similar to 3000-series, further simplified to remove 50-ohm paths.
Both the anti-aliasing filter and low-pass filter are clearly seen and similar to 3000-series. Attenuated low-pass signal path is somewhat different though. I think you can boost it to 350-500MHz as 1-2-3, but that's not going to be very useful without 50-Ohm coupled input.
Use 500MHz 3000-series component values as a reference for your upgrade and save all the original parts in separate marked containers to secure your way back. You'll need a signal generator to get this work properly done.

Yes I will have a generator to test the 2002A up to 500 MHz. I will study the schematic before doing the mod because it is the only good scope I have on my workbench.
Memset, have you traced the schematic of the front-end on paper? Could you send me a picture? Thanks.
 
The following users thanked this post: Andrew

Offline PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5129
  • Country: nl
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1132 on: September 06, 2016, 02:49:29 pm »
Try to disconnect front panel's flex cables. Chances are low, but worth trying.
I already disconnected the front panel -> no difference
Quote
Probably you'll need to load patched CE core via COM port to fix this problem.
I wonder if the 'startup' folder on USB is still valid, that way I could kill the infiniivision process - maybe.
I'm reading the complete thread again and also looking into the CE boot process. If I could disable the automatic startup of infiniivision (either one of the 2 :) ) I would be fine.

Keyboard error: Press F1 to continue.
 
The following users thanked this post: Andrew

Offline memset

  • Regular Contributor
  • *
  • Posts: 137
  • Country: ru
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1133 on: September 06, 2016, 03:41:27 pm »
Memset, have you traced the schematic of the front-end on paper? Could you send me a picture? Thanks.
No, I don't have any schematics.
 
The following users thanked this post: Andrew

Offline memset

  • Regular Contributor
  • *
  • Posts: 137
  • Country: ru
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1134 on: September 06, 2016, 03:44:33 pm »
I wonder if the 'startup' folder on USB is still valid, that way I could kill the infiniivision process - maybe.
I don't think it's possible on V2.41. The better way should be to use a patched core (with a patch to remove the main application from the startup process).
 
The following users thanked this post: Andrew

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3753
  • Country: ca
  • Living the Dream
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1135 on: September 06, 2016, 05:07:08 pm »
Try to disconnect front panel's flex cables. Chances are low, but worth trying.
I already disconnected the front panel -> no difference
Quote
Probably you'll need to load patched CE core via COM port to fix this problem.
I wonder if the 'startup' folder on USB is still valid, that way I could kill the infiniivision process - maybe.
I'm reading the complete thread again and also looking into the CE boot process. If I could disable the automatic startup of infiniivision (either one of the 2 :) ) I would be fine.

You did try the web interface on the one in a million chance it still happens to work right - you can use it to update firmware.

Has anyone looked into if there is a key sequence at boot that would force the bootloader to install new firmware? I am thinking something like that must exist, not sure it is meant for the end user of course.

If you can't inject a patched file via the serial port perhaps you could jtag the entire image, patch the file system and reflash it.
VE7FM
 
The following users thanked this post: Andrew

Online mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13748
  • Country: gb
    • Mike's Electric Stuff
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1136 on: September 06, 2016, 05:24:13 pm »
Try to disconnect front panel's flex cables. Chances are low, but worth trying.
I already disconnected the front panel -> no difference
Quote
Probably you'll need to load patched CE core via COM port to fix this problem.
I wonder if the 'startup' folder on USB is still valid, that way I could kill the infiniivision process - maybe.
I'm reading the complete thread again and also looking into the CE boot process. If I could disable the automatic startup of infiniivision (either one of the 2 :) ) I would be fine.

You did try the web interface on the one in a million chance it still happens to work right - you can use it to update firmware.

Has anyone looked into if there is a key sequence at boot that would force the bootloader to install new firmware? I am thinking something like that must exist, not sure it is meant for the end user of course.

If you can't inject a patched file via the serial port perhaps you could jtag the entire image, patch the file system and reflash it.
The Flir E4, which also uses CE, has an early boot-up menu on the serial port that appears to allow an update from USB
Youtube channel: Taking weird stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 
The following users thanked this post: Andrew

Offline PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5129
  • Country: nl
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1137 on: September 06, 2016, 05:30:36 pm »
Killing the infiniivision process using the usb startup folder doesn't work for this version.
The web interface does the same thing as the telnet connection, it ACKs but that's it.
How do you guys interact with UBoot? All I get is the custom menu and all I can do is one of the keys in the menu:

l) Load memory resident image Load image 1 now
1) Load memory resident image 1 now
2) Load memory resident image 2 now
3) Load memory resident image 3 now
d) Download from platform builder now
u) Start u-boot by resetting
v) Verify Images
>

No ? or help or anything else...
Keyboard error: Press F1 to continue.
 
The following users thanked this post: Andrew

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3753
  • Country: ca
  • Living the Dream
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1138 on: September 06, 2016, 05:48:46 pm »
I've not tried the bootloading yet. It is reasons like this I'd like to make a full backup of my NAND flash using the serial port or JTAG though.
Pages 6/7 of this thread seem to give enough info to boot an image into ram. If you can boot an image via tftp over the network hopefully you can edit the flash memory or reinstall version 2.41. I have a feeling it will require quite a bit of experimentation to get the network boot working properly but am sure you can do it.
VE7FM
 
The following users thanked this post: Andrew

Offline Keysight DanielBogdanoff

  • Supporter
  • ****
  • Posts: 778
  • Country: us
  • ALL THE SCOPES!
    • Keysight Scopes YouTube channel
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1139 on: September 06, 2016, 05:49:20 pm »
Has anyone looked into if there is a key sequence at boot that would force the bootloader to install new firmware? I am thinking something like that must exist, not sure it is meant for the end user of course.

Nope
 
The following users thanked this post: Andrew

Offline PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5129
  • Country: nl
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1140 on: September 06, 2016, 06:03:01 pm »
Nope

Is that like "It doesn't exist" or any of the other options?
Keyboard error: Press F1 to continue.
 
The following users thanked this post: Andrew

Offline PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5129
  • Country: nl
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1141 on: September 06, 2016, 06:06:12 pm »
Pages 6/7 of this thread seem to give enough info to boot an image into ram.

I know, but you have to interact with UBoot and it looks like I'm too stupid to find out how to do that  :-//
Keyboard error: Press F1 to continue.
 
The following users thanked this post: Andrew

Offline memset

  • Regular Contributor
  • *
  • Posts: 137
  • Country: ru
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1142 on: September 07, 2016, 07:04:44 pm »
I know, but you have to interact with UBoot and it looks like I'm too stupid to find out how to do that  :-//
Press 'u' and stop u-boot while it's booting. Or reset and try to stop u-boot earlier.
I think your chance for an easy win is to load nk.bin from an older version, like 2.35, since it uses different startup logic. You can even try to load nk.bin from Eth and boot the application from USB.
Ethernet boot process was already described here.
 
The following users thanked this post: Andrew

Offline PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5129
  • Country: nl
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1143 on: September 08, 2016, 08:53:38 am »
Press 'u' and stop u-boot while it's booting. Or reset and try to stop u-boot earlier.
I think your chance for an easy win is to load nk.bin from an older version, like 2.35, since it uses different startup logic. You can even try to load nk.bin from Eth and boot the application from USB. Ethernet boot process was already described here.

Uboot only stops on a space, Agilent modified the workings:

Code:
/* Autoboot check from U-Boot's common/main.c as built for the P500: stock
 * U-Boot aborts on any key, the CONFIG_AGILENTP500 branch only on a space. */
#if defined CONFIG_ZERO_BOOTDELAY_CHECK
    /*
     * Check if key already pressed
     * Don't check if bootdelay < 0
     */
    if (bootdelay >= 0) {
        if (tstc()) {                   /* we got a key press */
#ifdef CONFIG_AGILENTP500
            if (getc() == ' ') {        /* stop on space only */
                puts("\b\b\b 0");
                abort = 1;              /* don't auto boot */
            }
#else
            (void) getc();              /* consume input */
            puts("\b\b\b 0");
            abort = 1;                  /* don't auto boot */
#endif
        }
    }
#endif

I tried 'u' but as expected it does nothing. The only way I can stop Uboot is with a space and then I get the menu with just a few choices, nothing else works.
So I still have no idea how to remove the malicious link...
Keyboard error: Press F1 to continue.
 
The following users thanked this post: Andrew

Offline memset

  • Regular Contributor
  • *
  • Posts: 137
  • Country: ru
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1144 on: September 08, 2016, 09:07:28 am »
Uboot only stops on a space
Yes, it is. Just hit space while scope boots. If not sure, hold space and press power on.
Post your serial output starting right from the power on moment.

Like this:
Code:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  fsmc-ecc1 128 MiB
In:    serial
Out:   serial
Err:   serial
SerNum:serial number not programmed
Chip:  BD Board Rev: 4
Net:   smsc
Press space to stop autoboot:  0  0
p500>       help
?       - alias for 'help'
adc     - performs A/D conversion on channel
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
cdp     - Perform CDP network configuration
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dcache  - enable or disable data cache
dhcp    - boot image via network using DHCP/TFTP protocol
echo    - echo args to console
editenv - edit environment variable
erase   - erase FLASH memory
expi    - program EXPI Clock
flinfo  - print FLASH memory information
fpga    - loadable FPGA image support
fsinfo  - print information about filesystems
fsload  - load binary file from a filesystem image
go      - start application at address 'addr'
help    - print command description/usage
hwreset - Perform HW RESET of the CPU
icache  - enable or disable instruction cache
iminfo  - print header information for application image
imls    - list all images found in flash
imxtract- extract a part of a multi-image
itest   - return true/false on integer compare
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
ls      - list files in a directory (default /)
md      - memory display
mm      - memory modify (auto-incrementing address)
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nfs     - boot image via network using NFS protocol
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
rtc     - print time from RTC
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
saves   - save S-Record file over serial line
setenv  - set environment variables
sleep   - delay execution for some time
source  - run script from memory
splash  - load splash image on display
tftpboot- boot image via network using TFTP protocol
version - print monitor version
 
The following users thanked this post: Andrew

Offline PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5129
  • Country: nl
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1145 on: September 08, 2016, 09:18:44 am »
This is what I see, could it be bad 'space' timing? Looks like I'm already in the next bootloader?
I have to try again when I'm home.
I've made it stop many times but never seen anything else than this:
Code:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  internal ecc 128 MiB

Debug serial initialized ........OK
RTC: 2016-9-3   21:5:45.25 UTC

Microsoft Windows CE Bootloader Common Library Version 1.4 Built May  7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008



P500 Boot Loader Configuration :

Mac address .......... (00:30:D3:XX:XX:XX)
Ip address ........... (192.168.1.190)
Subnet Mask address .. (255.255.255.0)
DHCP ................. (Enabled)
Boot delay (seconds).. (0)
Load image 1 at startup

Image addresses. (0xdxxxxxxx for NAND, 0x8xxxxxxx for RAM)
        1 (0xd0600000)
        2 (0xd1600000)

l) Load memory resident image Load image 1 now
1) Load memory resident image 1 now
2) Load memory resident image 2 now
3) Load memory resident image 3 now
d) Download from platform builder now
u) Start u-boot by resetting
v) Verify Images

>
Keyboard error: Press F1 to continue.
 
The following users thanked this post: Andrew

Offline memset

  • Regular Contributor
  • *
  • Posts: 137
  • Country: ru
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1146 on: September 08, 2016, 09:30:30 am »
This is what I see, could it be bad 'space' timing? Looks like I'm already in the next bootloader?
Yes, for some reason all output after that NAND string is missing until you're booted into the next (CE) loader. It could be your RS232 adapter issue like buffer overflow, flow control turned on or something like that. Make sure any type of flow control is turned off in the port settings.
Then you try 'u' in CE loader, does it reboot and print more lines?
 
The following users thanked this post: Andrew

Offline PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5129
  • Country: nl
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1147 on: September 08, 2016, 09:41:38 am »
Then you try 'u' in CE loader, does it reboot and print more lines?

When I do the 'u' it starts again from the top ('U-Boot 2010.03...'), then goes into normal boot if I don't touch anything. I will experiment some more when I'm home tonight, thanks so far!

(Edit: I have never seen the text you see after the NAND string)
« Last Edit: September 08, 2016, 09:44:36 am by PA0PBZ »
Keyboard error: Press F1 to continue.
 
The following users thanked this post: Andrew

Online Wiljan

  • Regular Contributor
  • *
  • Posts: 228
  • Country: dk
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1148 on: September 08, 2016, 12:14:09 pm »
Just a shot at the U-boot

I do recall another project a while ago where the only way to stop U-boot was to send a real "break" cmd
In some terminal software you can send a "break" cmd with alt+b and in others you have to select it in a menu.

A break cmd forces the TX data low for a certain time (much longer than a normal byte)
Sometimes the UART is not able to send the break, try to monitor it on another scope.
 
The following users thanked this post: Andrew

Offline PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5129
  • Country: nl
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #1149 on: September 08, 2016, 07:10:26 pm »
And.... FIXED!  :phew:

There was no way I could stop UBoot, I have no idea why but I tried everything, even 2 different RS232 TTL interfaces. So I realized I had to work with what they offered me, the CE loader menu. One thing caught my attention:

d) Download from platform builder now

Hmm, I don't have platform builder, I wonder what it does. Wireshark to the rescue - it looks like TFTP on a non-standard port (980). Well, I could of course code something together but am I the first one to look at this? Apparently not, because a quick google found CELoader, which is a standalone program (oh wait, app these days) to do exactly that, offer an NK.BIN to anything asking. Only source code, well I can do that.

So I built the CELoader.exe, extracted the NK.BIN.COMP from the 2.35 cab, decompressed it to NK.BIN and put it in the CELoader.exe folder. Started CELoader, halted the scope on the CE loader menu and pressed <d>. It works.... well, sort of. The scope hangs on the splash screen but the RS232 is not flooded with error messages this time, so who knows? Fired up PuTTY and yes, we have a telnet connection.

The rest is simple, there were 2 .lnk files in Secure\Startup, one infiniivision.lnk and one infiniivision_ext.lnk. Why? You tell me. Renamed infiniivision_ext.lnk to infiniivision_ext.xxx and rebooted the scope. Bingo! That's enough for this evening, I'll try the -l all -l bw50 tomorrow  ;)

Thanks for all the comments, especially from memset who made me not give up and admit defeat.  :-+
Keyboard error: Press F1 to continue.
 
The following users thanked this post: tv84, Andrew, doombot1
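The "Download from platform builder" exchange that PA0PBZ identified as TFTP on UDP port 980, modelled as an added example (my code, not CELoader's and not Keysight's): the host side of a read-only TFTP transfer, plus a constructed offline client that reassembles the image and feeds in stale ACKs to exercise retransmission. It assumes plain RFC 1350 framing and that the CE loader behaves as an ordinary TFTP read client; the real Platform Builder handshake is not shown in the thread, and TFTP_PORT, ReadSession and simulate_transfer are names of my own.

```python
# Added example (not CELoader's code, not the scope's firmware): host side of a
# read-only TFTP transfer, modelled offline.  Assumes plain RFC 1350 framing on
# UDP 980 and a loader that acts as an ordinary TFTP read client (an assumption).
import struct

TFTP_PORT = 980    # non-standard port from the post's capture; standard TFTP is 69
BLOCK_SIZE = 512   # RFC 1350 block size; a block shorter than this ends the transfer
OP_RRQ, OP_DATA, OP_ACK = 1, 3, 4


def parse_rrq(packet):
    """Return (filename, mode) for a read request, or None for anything else."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_RRQ:
        return None
    fields = packet[2:].split(b"\0")
    if len(fields) < 2:
        return None
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def parse_ack(packet):
    """Return the acknowledged block number, or None for a non-ACK packet."""
    if len(packet) != 4 or struct.unpack("!H", packet[:2])[0] != OP_ACK:
        return None
    return struct.unpack("!H", packet[2:])[0]


class ReadSession:
    """Serves one image to one client.  Block numbers are 16-bit and wrap, so an
    image over 32 MiB relies on both sides comparing them modulo 65536."""

    def __init__(self, image):
        self.image = image
        self.block = 0      # block most recently sent

    def data_for(self, block):
        start = (block - 1) * BLOCK_SIZE
        return struct.pack("!HH", OP_DATA, block & 0xFFFF) + self.image[start:start + BLOCK_SIZE]

    def start(self):
        self.block = 1
        return self.data_for(1)

    def on_ack(self, packet):
        """Next DATA packet; the current one again on a stale or bad ACK (the
        client missed it); None once the final short block has been acked."""
        if parse_ack(packet) != (self.block & 0xFFFF):
            return self.data_for(self.block)
        if len(self.image) - (self.block - 1) * BLOCK_SIZE < BLOCK_SIZE:
            return None
        self.block += 1
        return self.data_for(self.block)


def simulate_transfer(image, drop_every=0):
    """Constructed offline client: reassembles the image and, when drop_every >= 2,
    answers every Nth DATA packet with a stale ACK to exercise retransmission."""
    if drop_every == 1:
        raise ValueError("drop_every=1 would never acknowledge anything")
    session, received, expected, seen = ReadSession(image), b"", 1, 0
    packet = session.start()
    while packet is not None:
        opcode, block = struct.unpack("!HH", packet[:4])
        assert opcode == OP_DATA
        if block == (expected & 0xFFFF):   # in-order block: keep its payload
            received += packet[4:]
            expected += 1
        seen += 1
        stale = drop_every and seen % drop_every == 0
        acked = expected - 2 if stale else expected - 1
        packet = session.on_ack(struct.pack("!HH", OP_ACK, acked & 0xFFFF))
    return received
```

Wrapping ReadSession.start()/on_ack() in a sendto/recvfrom loop on a UDP socket bound to TFTP_PORT turns this into a server; binding below port 1024 needs privileges.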

