DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?

[TheSteve]

USB high speed decode and trigger doesn't work on 3000T. See up thread starting at post 2786 on page 112. Turns out there was a marketing/technical miscommunication.

LS and FS works.

Edit: even if HS did work, you'd need a 1GHz+ bandwidth scope. It does work on the 4000A and 6000X but they have hardware to support HS that the 3000T doesn't.

Looks like only the 1 GHz and 1.5 GHz 4000 series have the extra FPGA (U2303) and a few other IC's. Good thing I never had the chance to try modding a 4000 series to 1 or 1.5 GHz. It would probably be unhappy without the extra parts.

[Howardlong]

USB high speed decode and trigger doesn't work on 3000T. See up thread starting at post 2786 on page 112. Turns out there was a marketing/technical miscommunication.

LS and FS works.

Edit: even if HS did work, you'd need a 1GHz+ bandwidth scope. It does work on the 4000A and 6000X but they have hardware to support HS that the 3000T doesn't.

Looks like only the 1 GHz and 1.5 GHz 4000 series have the extra FPGA (U2303) and a few other IC's. Good thing I never had the chance to try modding a 4000 series to 1 or 1.5 GHz. It would probably be unhappy without the extra parts.

Presumably that means that certain 4000A bandwidth upgrades are RTB?

Edit: I guess so.

[TheSteve]

USB high speed decode and trigger doesn't work on 3000T. See up thread starting at post 2786 on page 112. Turns out there was a marketing/technical miscommunication.

LS and FS works.

Edit: even if HS did work, you'd need a 1GHz+ bandwidth scope. It does work on the 4000A and 6000X but they have hardware to support HS that the 3000T doesn't.

Looks like only the 1 GHz and 1.5 GHz 4000 series have the extra FPGA (U2303) and a few other IC's. Good thing I never had the chance to try modding a 4000 series to 1 or 1.5 GHz. It would probably be unhappy without the extra parts.

Presumably that means that certain 4000A bandwidth upgrades are RTB?

Edit: I guess so.

Yes, it should be the same as the 3000a/3000t series more or less.
-100/200 MHz
-350/500 MHz
-1 GHz
-1.5 GHz

If you look on the Keysight parts site you can just see the added chips in the tiny pics on the 1 and 1.5 GHz models.

Like the 3000t series I believe all 4000 series use the same base PCB. The 3000A used an updated PCB for the 1 GHz model.

A lower model 4000 should still be possible to upgrade to 1.5 GHz as a crazy DIY project but adding BGA into the mix lowers my "excitement" level. If I was to take on such a project I'd want to be extremely confident it was going to work when done.

[Venturi962]

EEVBlog Flickr has a good photo of 200MHZ 4000X Series board with U2303 (bottom left between heatsinks) unpopulated:

https://www.flickr.com/photos/eevblog/8181558404/in/album-72157631997535516/

Closeup: https://www.flickr.com/photos/eevblog/8181518941/in/album-72157631997535516/  U2300, U2402 also unpopulated.

[TheSteve]

EEVBlog Flickr has a good photo of 200MHZ 4000X Series board with U2303 (bottom left between heatsinks) unpopulated:

https://www.flickr.com/photos/eevblog/8181558404/in/album-72157631997535516/

Closeup: https://www.flickr.com/photos/eevblog/8181518941/in/album-72157631997535516/  U2300, U2402 also unpopulated.

Yes, he did a great job with those pics. I used them to confirm the lower frequency models didn't have the parts populated. Added parts are likely trigger related if I had to guess.

[dr3hl3rt]

I am having a wierd issue...

I have a DSO-X 3024A which is now a MSO-X - and I got the official 16-channel cabelharness from keysight

but... D00 on the cable is routed to D01 on the scope - and none of the channels can bring anything to D00 on the scope.

I am very confused...

best regards,

Henrik

[sbvr4]

Hi,
Last I checked the link to generate the unique password to telnet in was down. Is that still needed to gain access via telnet? I have a 3000T.

Thanks

[Venturi962]

If on PhillyFlyers FW:

User: infiniivision
Pass: skywalker1977

[TheSteve]

If on PhillyFlyers FW:

User: infiniivision
Pass: skywalker1977

Did he patch out the unique password requirement for the t series?

[Venturi962]

Works for me on 4000X, so I would guess it's the same for 3000T as they share codebase.

[TheSteve]

Works for me on 4000X, so I would guess it's the same for 3000T as they share codebase.

I guess someone will have to try it, I can't as I don't run patched firmware.
I do know that telnet is disabled during the boot process on the 3000t series so you need to login quickly(with a script ideally) and kill the infiniivision process to stay connected.

[sajsoni]

Hello everyone, I have an Agilent DSO-X-3024A that didn't want to boot, so I followed the instructions from page 84 and successfully brought the oscilloscope back to life via the UART interface. after that I played a bit in U-Boot and (don't ask how) typed the erase flash command . Now when you turn it on, only one light comes on and nothing happens. Even on UART lines there is nothing ....
Is this the end for DSOX or is there a flash option to reload the U-Boot?   

[tv84]

If there is no uboot, there are no options via software.

You must reprogram the SPI memory with the bootloader. I'm not sure that you must take it out. Others may confirm that.

[sajsoni]

How to load SPI memory at all and with which files?
In 3000XSeries.cab there are bin files that are related to uboot ....
I see that SPEAr 600 is based on dual ARM926, is there a possibility to load a new uboot via JTAG interface or some other pins? I tried with debug pins from SPEAr 600 datasheet and some ARM programmers, but I don't have a connection ...
I don't know where to start ...

[TheSteve]

This sounds like a pretty good challenge - to use the jtag interface two resistors need to be moved to enable it. I am guessing you already did that but if not see the details here:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg274963/#msg274963

Assuming the firmware updates have all of the required information you will still need to figure out the memory map and where to locate things.
I guess see if you can get u-boot installed and working and go from there.

[Bud]

If there is no uboot, there are no options via software.

You must reprogram the SPI memory with the bootloader. I'm not sure that you must take it out. Others may confirm that.

It was a simple task on my 1000x , the SPI memory is a SOIC-8 chip on the back of the BLT module. Not sure what chip is used on the 3000 model.

Edit: this is astounding that it is possible to erase Uboot from Uboot, lol.

[Bud]

How to load SPI memory at all and with which files?
In 3000XSeries.cab there are bin files that are related to uboot ....
I see that SPEAr 600 is based on dual ARM926, is there a possibility to load a new uboot via JTAG interface or some other pins? I tried with debug pins from SPEAr 600 datasheet and some ARM programmers, but I don't have a connection ...
I don't know where to start ...

It was posted in the 1000x hacking thread how to connect JTAG to SPEAR600. You can look at that for reference but some details like pull up/down resistors may differ. I've done that on my 1000x.

[sajsoni]

Thanks for the answers, I missed that post about removing the resistor. I will try to remove them to see if I can communicate with SPEAR 600.
I know it’s impossible to erase, but is there a first time for everything 

[Bud]

Did you see this post?
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1458452/#msg1458452

It appears it may be possible to reflash the NOR (SPI) via USB. The USB Flasher utility seems to be still available from ST web site.
A bit of a challenge maybe in specifying a proper address in the scope memory map. You could try sending the OP a personal message.

[tv84]

Did you see this post?
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1458452/#msg1458452

It appears it may be possible to reflash the NOR (SPI) via USB. The USB Flasher utility seems to be still available from ST web site.
A bit of a challenge maybe in specifying a proper address in the scope memory map. You could try sending the OP a personal message.

That post is the easiest way to do it, definitely. BTW, what address are you referring to?

[Bud]

I mean the start and stop addresses for XBoot, UBoot and PBoot in the NOR memory space. But it should be possible to figure them out from the firmware UBoot binary image. The below is from my records for the 1000x NOR:

Code: [Select]

end of SPI Flash F807FFFF NOR
PBoot F8050000 0x946F NOR
Uboot F8010000 0x2FDD4 NOR
XLOADER F8000000 0x153A NOR
start of SPI Flash F8000000 0x80000 NOR
The third column is the length of the data blobs.
I am pretty sure the leading "F8" should be removed if the USB Flasher utility is used.
Again , this is for the 1000x. I do not know the setup for the 3000 scope.

[sajsoni]

I connected the oscilloscope to the PC, download the USB Flasher utility from https://www.st.com/en/development-tools/stsw-spear008.html
and ActiveTCL 8.16.11. I tried to follow the instructions in the USB Flasher to establish a connection with the SPEAR 600, but it didn't work on Win10 and Win7, at least it didn't work for me.
Then I tried on an old computer with WinXp and successfully connected to the SPEAR 600 SoC, only I had to find an older version of AcitveTCL 8.15.14 (http://www.softoware.org/apps/get-activetcl-for-windows- 32-bit-for-windows.html).
Now it remains to try to load XBoot, UBoot and PBoot ...

[sajsoni]

I mean the start and stop addresses for XBoot, UBoot and PBoot in the NOR memory space. But it should be possible to figure them out from the firmware UBoot binary image. The below is from my records for the 1000x NOR:

Code: [Select]

end of SPI Flash F807FFFF NOR
PBoot F8050000 0x946F NOR
Uboot F8010000 0x2FDD4 NOR
XLOADER F8000000 0x153A NOR
start of SPI Flash F8000000 0x80000 NOR
The third column is the length of the data blobs.
I am pretty sure the leading "F8" should be removed if the USB Flasher utility is used.
Again , this is for the 1000x. I do not know the setup for the 3000 scope.

Thanks! I'll try with the specified layout in memory, I guess I can't destroy flash memory anymore

[Bud]

But configuring 3 partitions separately (Xboot,Uboot,Pboot) would require 3 separate bin source files. If the 3000 SPI firmware comes as a single file than it would need to be split using  respective  offsets for each partition. I guess alternatively only one partition can be configured for the size of the firmware and the entire firmware bin file loaded at once.

[tv84]

There is extra info besides the 3 blocks that goes into that mem. Namely, the MAC, GUID and S/N.

But I don't see why can't be flashed in one time only. Seems easier than it sounds to create the macro block.