DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?

[[IDC]Dragon]

Today I got the serial connected. (Header was alright, only the orientation was flipped...)
Indeed it seems I 've got the same problem, the application tries to start twice, logs attached. There are two flavours, probably depending on the race outcome:
- The black screen with the logo repeatedly asks to contact Chris G.
- The Keysight splash screen just hangs.

Did I do something wrong to provoke this, or could the cab file be improved to avoid that situation?
The leading number in the .lnk file was excluding the # char and the file had no CR LF.

Thanks for the LAN 3D design link. Tempting to just order it from Shapeways. It seems to match the anagram.net PCB, but not the aewalin github.
Also thanks for the loaner offer. I'm from germany, profile updated. Prefer to buy a spare PCB, though.

[delphi_firebird]

@[IDC]Dragon

@hax129 forum member  ( https://www.eevblog.com/forum/profile/?u=25498 ) sold me a LAN kit for a very good price
he shipped it last monday from Denmark to France ( it is on the way )
You can contact him by PM if you are interested

The kit contains :
Main PCB
Back-plate PCB
LAN connector
1 x 10R resistor (R200)
2 x 300R resistors (R201+R202)
2 x 100nF capacitors (C200+C201)

Good luck

[[IDC]Dragon]

A total of 3 friendly forum members did offer me a LAN interface, thank you guys!
I've decided for the nice one with the Shapeways cover, so it can snap in and stay in place even under cable stress.
Now eagely waiting for it to arrive.

So, I understand I have to do the following after it arrives:
- using the serial, interrupt the boot with space, which brings me to CE loader (not uboot, like I first thought)
- it tells me the scope has address 192.168.1.131, so I have to prepare a little network for that
- on a PC, start the CELoader tool from ninja user PA0PBZ, with a NK.BIN.COMP file from some firmware cab renamed to NK.BIN and placed next to it
- hit 'd' at the CE loader prompt to download it
- edit: I see it tries some DHCP, so above IP may not be the final one, I may attach it to my regular network
- anyway: how to specify the server?
- it should load the firmware and make the scope temporarily useable again
- telnet into the scope (perhaps configure network first?) and fix a dual link problem
- be good again

Did I get that correctly?

[PA0PBZ]

- using the serial, interrupt the boot with space, which brings me to CE loader (not uboot, like I first thought)
- it tells me the scope has address 192.168.1.131, so I have to prepare a little network for that
- on a PC, start the CELoader tool from ninja user PA0PBZ, with a NK.BIN.COMP file from some firmware cab renamed to NK.BIN and placed next to it

Not rename but decompress, a link to the tools can be found in this thread.

- hit 'd' at the CE loader prompt to download it
- edit: I see it tries some DHCP, so above IP may not be the final one, I may attach it to my regular network
- anyway: how to specify the server?

The scope will find the celoader tool as long as it is on the same network. (think dhcp and tftp)

- it should load the firmware and make the scope temporarily useable again
- telnet into the scope (perhaps configure network first?) and fix a dual link problem

Network should be fine already otherwise it will not load the firmware.

- be good again

Did I get that correctly?

Enjoy 

[ogoun]

For those interested, the firmware for the 4000 series v4.08 does NOT allow the command line switches to work.
So, it is similar to the 3000a firmware v2.41 in structure, but the dll would need to be modified in the usual way at the appropriate location to allow the lic hack switches to work.

FWIW, the infiniivisionlauncher.exe file exists in both \secure\infiniivision, and \windows. They are different sizes, and the one in the infiniivision folder throws an error box if you try to launch it (cmd line switches or not). This is after killing the currently running instance of infiniivisioncore.dll, of course.

The one in \windows works as expected, except cmd line switches not working.

Of course, the \windows directory files are all RO, and probably some hidden ones too. ATTRIB refuses to make them RW, probably since the structure now in use with 4.08 (and I imagine 2.41) makes the \windows directory part of flash rom, not RAM.
Apparently, this also means that the files and file structure in this directory is somehow "munged", in a way that the CE OS knows how to deal with, but that the FS cant handle (?? headers stripped, etc).

Upshot: No easy way to copy or replace the files there.

If anyone has looked into the infiniivisioncore.dll code (ida, etc), drop me a PM. I am trying to find out where the string compared with "true" comes from. The routine is common to all versions, and 3 such routines are close to each other. Only one is relevant to this discussion (cmd line switch processing), AFAIK.

I would imagine that the string likely comes from a config or debug file, but I haven't managed to trace the flow back.


cya
o   

[[IDC]Dragon]

The network interface was in the mail today.
Thanks to the tools and descriptions from PA0PBZ, the scope was quickly back to life, with all features working.
Now I'm exploring...
(Great scope, quick display and reactions. Guess I'm glad I didn't pick the Tek MDO.)

Thanks again, guys!

PS: Looking behind the scenes of the "link method" CAB file, it should be easy to modify it such that it moves an existing link away, preventing this brick problem in future. After re-gaining confidence, I'll probably try to come up with such.

[[IDC]Dragon]

In case I'm not the last noob to join the party, hope to close the boobytrap.
Here is a refined procedure, see attached. No benefit for existing users, this is rather for newcomers, to prevent bricking with the dual link problem.
The readme file is updated, all credits for the method in general to user "memset".

I've split the procedure into an install CAB which moves away the factory link (if present) and copies the .lnk file from USB, and an uninstall CAB which removes the added .lnk and restores the original link, if one was present.
The supplied .lnk file should be a useful template on how to set all options:

Code: [Select]

121#\Secure\infiniiVision\infiniivisionLauncher.exe -l DIS -l MSO -l MEMUP -l SCPIPS -l CABLE -l SGMC -l FLEXC -l TOM -l BW20It's using "-l DIS" to enable most of them (instead of "-l all" which gives asterisk marks in the about box), then filling up the rest. You may want to edit your bandwidth at the end.

I've tested uninstall, install and more install to update on my 3014A. So far not tested on a 2000 series model, but according to previous postings that should work, too.
Use at your own risk, of course.

[[IDC]Dragon]

I'm pleased to report that I've also done the frontend upgrade. Kudos to the brave members who reverse engineered the differences!
Here's my Mouser shopping cart:
http://www.mouser.com/ProjectManager/ProjectDetail.aspx?AccessID=BF470B281D
It also includes the 2 inductors for the 5 GSa/s PLL mod, which I haven't done yet. What's the experience with that?

Some testing with a "Jim Williams" avalanche pulse generator. The difference is quite stunning, the vision clears like putting on the correct glasses.

Before, with 200 MHz bandwidth option:


After frontend mod, with 500 MHz bandwidth option (same amplitude and timebase, although better would be possible):


Good old analog Tektronix 2467B (400 MHz bandwidth):

[TheSteve]

Awesome, congrats on the mod! I've been waiting for someone else to take the plunge.

[adranp]

:TheSteve

I have to say first many thanks for your effort and for all other members on front-end upgrade procedure.

I'm really thinking on doing a 3000T front-end upgrade from 100Mhz to 350 Mhz, and I would really appreciate some help from you. Are the parts needed the same as those for 3000A Series?
Has anyone completed a 3000T frontend upgrade?

All my regards.

[TheSteve]

:TheSteve

I have to say first many thanks for your effort and for all other members on front-end upgrade procedure.

I'm really thinking on doing a 3000T front-end upgrade from 100Mhz to 350 Mhz, and I would really appreciate some help from you. Are the parts needed the same as those for 3000A Series?
Has anyone completed a 3000T frontend upgrade?

All my regards.

I'm not aware of anyone who has attempted the mod. I think you'd need to open it up and take some good quality pictures of the PCB(especially under the front end cans) and post them so we can compare.

[adranp]

I hope to find some time to start this mod. Will keep you updated. Thanks.

[TopLoser]

How are you going to enable the 350MHz option in software first?

[Someone]

How are you going to enable the 350MHz option in software first?

On the basis that the 3000T has the same "return to service center" requirement as the 3000A when you go from 100MHz to 350MHz:
http://www.keysight.com/en/pdx-x205434-pn-DSOXT3B1T34U/3000t-x-series-4-channel-bandwidth-upgrade-100-to-350-mhz?cc=US&lc=eng
It wont need a license as the scope will jump right to 350MHz. Even with a 200MHz license installed the 3000X still enables 350MHz when it sees the board coding/strapping for the 350/500MHz acquisition front end. Hardware hacking for the win.

[TopLoser]

So going from 100MHz to 200MHz is a software only option but 100/200 to 350 is hardware enabled?

Thats very convenient.

[Howardlong]

So going from 100MHz to 200MHz is a software only option but 100/200 to 350 is hardware enabled?

Thats very convenient.

Looking back retrospectively it is a bit strange that they didn't just put in the parts for a 500MHz scope and cripple it in the same way as they did for 100 vs 200 or 350 vs 500. I am not sure if the software configured bandwidth limitations are implemented in the analogue or digital domains.

If it's in the analogue domain, then I'd imagine there's a limitation in the front end ASIC that only supports two filter settings largely determined by the parts around it. If all the filtering is done in the digital domain then I don't know why they didn't just place the 500MHz parts in at manufacturing and use software switchable digital filtering for all four options. As I recall, there was no apparent cost difference for the front end BOM for the 500MHz scope compared to the 100MHz scope.

There is a third posibility, and that's a marketing one, but as we're predominantly engineers here, I won't pretend to understand how that bit might work, but we can all speculate!

This of course may be all moot, as we don't know that the front end in the 3000T is sufficiently similar to that of a 3000A.

[Pinkus]

Marketing sound reasonable.
Look for how long the DSOX series was being sold and nobody did this kind of hardware mod (at least they did not talk about it on the net) or even a comparision of the two front ends. Agilent came out 2010 (or 2011) with the DSOX3000 series, thus it took 6 years for this (again: thank you memset and howard and all others who provided their knowledge and risking their hardware to achive this).

If you then look for the price differences (actual pricing) of a DSOX3000
100 Mhz: 3672€
200 Mhz: 4095€
350 Mhz: 7638€
500 Mhz: 10306€
1 Ghz: 12791€

it is be much easier for the sales people to explain the huge price difference between e.g. a 200 and 350 Mhz with "different hardware" which sounds like / implicates (and maybe the sales people are also saying this*) a huge amound of expensive extra circuitry inside the scope which is just too complex and too expensive to be included in all units. This makes it easy for them to justify the price gap.

* but maybe we are all wrong and in real, all 350 Mhz and higher scopes had to be manually carefully calibrated by elf-like virgins and this works best only in August-full moon nights on a small Malaysian island.....

[TheSteve]

It's quite entertaining to read the other main thread about the DSOX3000 series and how even Dave posted that the 500 MHz model had a much more expensive front end then the 100/200 MHz after speaking to a contact at Agilent. And I think a number of years back we all would have believed it. Fast forward to 2016 and I'd find it odd if they used more then a single PCB rev to do the entire 3000T series.

[adranp]

Exactly as it was said already, there are 3 versions of the frontend
1) 100 (HW) and 200Mhz (software option)
2) 350 (HW) and 500 Mhz (software option)
3) 1 Ghz (HW)

I, like :TheSteve said, believe they are using 1 PCB for all versions. The big cost difference on the frontend hardware upgrade, is not coming from the hardware. The BOM won't be much different for any of the higher bandwidth versions (look at :[IDC]Dragon shopping cart and you'll see under 50EURO cost for the parts)  , though they would charge for calibration and workmanship , which can go very high. Workforce is now the main cost in many servicing businesses.

I'm really interested in trying to go even to 1Ghz if possible. I'll post pro quality pictures of my 3014T frontend soon. If anyone is kind enough to post 3054T or 3104T frontend pictures I'd be really be indebted.

[TheSteve]

1 GHz would be awesome - we would have gone there with the original 3000 series if the PCB had been the same. Tough to properly shoe-horn in the 50 ohm attenuator relays with no footprint for them.

[Howardlong]

Indeed, and the difference in BOM cost between 100MHz and 1GHz is probably ITRO $20. This is assuming there's no difference in the ADCs, ASICs and FPGAs to support 5GSa/s vs 4GSa/s, and it's just the front end relays.

[Zucca]

I have a stock 500MHz, I keep watching here to make the big jump to the Ghz moon... so far no big news as I understand. Do you need high res pics of the 500Mhz front end? IMO no, in any case PM me I'll do my best to support you talented guys.

[Pinkus]

I have a stock 500MHz, I keep watching here to make the big jump to the Ghz moon... so far no big news as I understand. Do you need high res pics of the 500Mhz front end? IMO no, in any case PM me I'll do my best to support you talented guys.

what I understood is that:
1) the boards for 100 - 500 Mhz are the same, 350/500 Mhz are just using some different capacitor/inductor values at the front end compared to the 100/200 Mhz boards.
Thus upgrade 100->200 and 350->500 Mhz can be done by software. 100/200 -> 350/500 Mhz will just need a few some parts replaced.
2) the 1 GHz board is indeed different (addl. relay etc.), thus an 'upgrade'  will not be possible (at least not an easy upgrade).

[Howardlong]

I have a stock 500MHz, I keep watching here to make the big jump to the Ghz moon... so far no big news as I understand. Do you need high res pics of the 500Mhz front end? IMO no, in any case PM me I'll do my best to support you talented guys.

what I understood is that:
1) the boards for 100 - 500 Mhz are the same, 350/500 Mhz are just using some different capacitor/inductor values at the front end compared to the 100/200 Mhz boards.
Thus upgrade 100->200 and 350->500 Mhz can be done by software. 100/200 -> 350/500 Mhz will just need a few some parts replaced.
2) the 1 GHz board is indeed different (addl. relay etc.), thus an 'upgrade'  will not be possible (at least not an easy upgrade).

That is also my understanding, plus that the sampling rate is 5GSa/s compared to 4GSa/s, so I don't know if there is anything different beyond the AFE such as ADC, FPGA or ASIC speed grades.

One thing I had considered is whether or not the Teledyne relay is really required, or it can use the existing relays with some degradation to 1GHz. At the time we were looking at the part differences between the 100/200 and 350/500, I'm not aware of a full schematic being made, although I remember the question being asked among the interested parties. I can't remember if the Teledyne relay is an additional one, or a replacement of an existing relay. Either way, the boards are _definitely_ different, it's not just an unpopulated part. Trying to run bodge wires at this kind of frequency isn't going to end well, which is why I'm wondering if just running the existing relays out of spec and any appropriate L/C changes would be enough.

[Luminax]

I'm kinda wondering what those series number meant... the firmware/categorizing is usually 2XX2/2XX4 which usually denotes 2 channels against 4 channels... but what about the numbers in between, hmmm
I have a stock DSOX2014A which, in a company working with remotes and digitals and such, I really can't see how this company of mine hopes to get away with no Digital or Serial functions 

I'm poking the upper management for an upgrade, in the meantime... *ahem*