Author Topic: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?  (Read 1120459 times)


Offline gamalot

  • Super Contributor
  • ***
  • Posts: 1306
  • Country: au
  • Correct my English
    • Youtube
Quote
As I mentioned earlier my oscilloscope (MSO-X 3102A) has the typical NAND corruption. I have already tried the tetris method with firmware versions 2.1, 2.3, 2.35 - no success. I've tried different USB drives, different paths in the infiniivision.lnk file, but it still won't start booting from the USB drive.

I finally started comparing the lengths of the different firmwares. It looks like the firmware on my oscilloscope is  2.36.

Has anyone managed to fix their oscilloscope in this situation?

Can anyone tell me what the numbers in the paths mean?
For example:
Code: [Select]
44#\usb\infiniiVision\infiniiVisionLauncher.exe
What does
Code: [Select]
44#
mean?

The length of the path string "\usb\infiniiVision\infiniiVisionLauncher.exe".
 
The following users thanked this post: cmilak34

Offline cmilak34

  • Newbie
  • Posts: 4
  • Country: pl
Quote
The length of the path string "\usb\infiniiVision\infiniiVisionLauncher.exe".
Finally I understood. Thank you!

I'm still fighting with my NAND corruption. I compared the lengths of a couple of FWs:

1.10 - 0x01238818 - 19105816
2.10 - 0x0124867C - 19170940
2.20 - 0x01248680 - 19170944
2.35 - 0x013064D4 - 19948756
x.xx  - 0x013064E8 - 19948776
2.37 - 0x0130656C - 19948908
2.41 - 0x015264A8 - 22176936

x.xx is my version of firmware. I know this is not definitive proof, but based on the sizes 2.35 and 2.37 I would guess that my version is 2.36.

Could some good soul send me this firmware please? Unfortunately I can't find this version.
« Last Edit: October 29, 2023, 08:29:23 pm by cmilak34 »
 
The following users thanked this post: salvagedcircuitry

Offline cmilak34

  • Newbie
  • Posts: 4
  • Country: pl
Thank you very much, good man, for v2.36 (sorry, I don't remember your nickname).

I compared the length of the versions and, as I suspected, I had v.2.36 installed. Obviously the tetris method did not work on this FW version.

After discussion with analogRF, I decided to keep trying with version 2.35.

Finally it worked! The directory structure on the USB stick was wrong.

Here is a working structure:
Code: [Select]
USB flash
root


├───3000XSeries.02.35.2013061800.cab
├───infiniivisionStartupOverride.txt

├───Secure
│   ├───infiniiVision
│   │   │   Agilent.Cdf.Api.dll
│   │   │   ...
│   │   │
│   │   ├───fpga
│   │   │       FPGA2000A.bin
│   │   │       ...
│   │   │
│   │   ├───upgrade
│   │   │       infiniiVisionWebCom.dll
│   │   │
│   │   └───web
│   │       │   appletInstall.jar
│   │       │   ...
│   │       │
│   │       ├───css
│   │       │       AGBD____.TTF
│   │       │       default.min.css
│   │       │
│   │       ├───help
│   │       │       helpBrowserWebControl.asp
│   │       │       ...
│   │       │
│   │       ├───image
│   │       │       agilent.gif
│   │       │       ...
│   │       │
│   │       ├───include
│   │       │   │   vnc.min.js
│   │       │   │
│   │       │   └───web-socket-js
│   │       │           swfobject.js
│   │       │
│   │       ├───lib
│   │       │       edtftpj.jar
│   │       │       plugin.jar
│   │       │
│   │       ├───Lxi
│   │       │   └───Identification
│   │       │           Default.asp
│   │       │
│   │       └───navbar
│   │               bluebar.gif
│   │               ...
│   │
│   └───Startup
│           infiniivision.lnk

├───Startup
│       infiniivision.lnk

└───Temp
        EnvVars.txt

I don't think this is quite the structure tetris describes in his tutorial, but English isn't my first language, so I may have misunderstood something. Anyway, with this structure, version 2.35 ran without a problem.

One more thing - the same path was set in both infiniivision.lnk files - not only in \Startup\ but also in \Secure\Startup\.

In the infiniivision.lnk files I used the path suggested by analogRF (https://www.eevblog.com/forum/testgear/agilent-dsox3054a-not-booting-possible-nand-corruption-help!/msg3451418/#msg3451418)
Code: [Select]
51#\usb\Secure\infiniiVision\infiniivisionLauncher.exe
USB Flash drive used:
- Kingston
- 4GB
- FAT (not FAT32)

As you can see the installed version 2.36 was not the problem.

I would like to thank users Mike112 and analogRF. Especially without the help of analogRF I probably would not have been able to repair the oscilloscope.

I wish you all good luck for your next repairs.
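The two shortcut files quoted above (44#... and 51#...) use the same length-prefixed format that gamalot explained: a decimal count, a '#', then the path, with the count equal to the path's length. The following is an added example, not code from the thread or from Keysight; it assumes only that format and builds, parses and checks such a file so that a hand-edited infiniivision.lnk can be verified before the stick is tried on the scope. The check also catches the mistake an editor easily makes (a trailing CRLF, which silently changes the string length).

```python
"""Build and check the length-prefixed shortcut format used by the
infiniivision.lnk files on the recovery USB stick.

Added example, not code from the thread or from Keysight. It assumes only
what the posts state: the file holds "<N>#<path>", where N is the decimal
length of the path string that follows the '#'.
"""


def make_lnk(path: str) -> str:
    """Return the shortcut text for `path`, e.g. '44#\\usb\\...'."""
    if not path.startswith("\\"):
        raise ValueError("Windows CE path should start with a backslash")
    return f"{len(path)}#{path}"


def parse_lnk(text: str) -> tuple[int, str]:
    """Split '<N>#<path>' into (N, path). Raises ValueError if malformed."""
    count, sep, path = text.partition("#")
    if not sep or not count.isdigit():
        raise ValueError("expected '<decimal length>#<path>'")
    return int(count), path


def check_lnk(text: str) -> list[str]:
    """Return a list of problems found in a shortcut file's content.

    An empty list means the length prefix matches the path exactly.
    """
    problems = []
    try:
        declared, path = parse_lnk(text)
    except ValueError as exc:
        return [str(exc)]
    if path != path.rstrip("\r\n \t"):
        problems.append("path has trailing newline/whitespace that counts "
                        "toward the length")
    if declared != len(path):
        problems.append(f"prefix says {declared} but path is {len(path)} "
                        f"characters")
    return problems


# Constructed sample values: the two paths quoted in the posts.
LAUNCHER_DIRECT = "\\usb\\infiniiVision\\infiniiVisionLauncher.exe"
LAUNCHER_SECURE = "\\usb\\Secure\\infiniiVision\\infiniivisionLauncher.exe"

if __name__ == "__main__":
    for p in (LAUNCHER_DIRECT, LAUNCHER_SECURE):
        print(make_lnk(p))          # 44#... and 51#...
    # A typical editing mistake: the editor appended a CRLF to the file.
    print(check_lnk(make_lnk(LAUNCHER_DIRECT) + "\r\n"))
```

Run it against the contents of both infiniivision.lnk files (\Startup\ and \Secure\Startup\); an empty list from check_lnk() means the prefix and the path agree.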
 


Offline jtw

  • Newbie
  • Posts: 1
  • Country: us
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3204 on: November 03, 2023, 04:49:56 am »
Hi,

Could someone please send me the PhillyFlyers patched firmware for DSOX3000T Series (I believe the most recent is 7.40.2021031200_patched).

PM or email: flashinglasers@duck.com.

Thank you in advance!
 

Offline albertr

  • Regular Contributor
  • *
  • Posts: 56
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3205 on: November 03, 2023, 04:10:26 pm »
https://drive.google.com/file/d/1ryl1kb-962e0BtlbxDqIQ-d35yqo_ji5/view

xo01xoxo,

It's nice to see the movement, but it could help if you provided more details...

-albertr
 

Offline SethiUllman

  • Newbie
  • Posts: 1
  • Country: us
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3206 on: November 04, 2023, 04:41:38 pm »
Hello, I have been going through these posts and am in need of this specific .cab file:

2000XSeries.02.00.2011101301.cab

Does anyone have this file? 
« Last Edit: November 06, 2023, 02:40:42 pm by SethiUllman »
 

Offline diegodgo

  • Newbie
  • Posts: 3
  • Country: br
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3207 on: November 10, 2023, 03:43:18 pm »
Hello, I have an MSO-X 2014A with a problem, but I can't do the recovery processes. It gives me this screen when booting, in TeraTerm. Has anyone had this problem and managed to fix it?

Thanks in advance.
 

Offline ShQ

  • Newbie
  • Posts: 8
  • Country: nl
  • nonplussed
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3208 on: November 10, 2023, 09:19:00 pm »
Interesting thread! Judging from the devicetrees in the DSOX1204 firmware, it seems the DSOX1204 and DSOX2xxx are very similar -- they use the same (pretty ancient) ARM SoC, the ST SPEAr600. Makes me wonder if you could with some effort run Linux firmware on the older DSO2xxx, as the application is very obviously a derived codebase.

I just acquired a DSOX2004 for testing, does anyone have a link to the option-patched firmware on hand? All the links posted before are down.

 

Offline amindavid11

  • Contributor
  • Posts: 13
  • Country: ve
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3209 on: November 12, 2023, 09:39:35 pm »
Hello,

Could someone please send me the PhillyFlyers patched firmware for DSOX3000T Series.


Thank you in advance!
 

Offline ShQ

  • Newbie
  • Posts: 8
  • Country: nl
  • nonplussed
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3210 on: November 18, 2023, 03:28:26 am »
Seems like my scope has been bricked, does anyone happen to have spare DSOXLAN modules lying around they'd like to sell?  :P
 

Offline Jay_Diddy_B

  • Super Contributor
  • ***
  • Posts: 2733
  • Country: ca
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3211 on: November 19, 2023, 03:45:24 am »
Quote
Seems like my scope has been bricked, does anyone happen to have spare DSOXLAN modules lying around they'd like to sell?  :P

If you want to build one, the files are in this thread:

https://www.eevblog.com/forum/projects/diy-dsoxlan-interface-for-keysight-oscilloscopes/msg4323214/#msg4323214

You can order the boards from JLCPCB cheaper than I can send you a board.

There are two designs for different magjacks.


Regards,

Jay_Diddy_B
 
The following users thanked this post: 77Ribetts

Offline MarkL

  • Supporter
  • ****
  • Posts: 2132
  • Country: us
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3212 on: November 19, 2023, 03:09:21 pm »
Quote
Seems like my scope has been bricked, does anyone happen to have spare DSOXLAN modules lying around they'd like to sell?  :P
Someone recently announced they are selling pre-built homebrew DSOXLAN modules for 50 Euros, ships anywhere:

  https://test-equipment-for-sale-wanted-or-exchange.groups.io/g/main/message/5144

No affiliation or experience with the seller.
 

Online PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5129
  • Country: nl
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3213 on: November 19, 2023, 03:42:44 pm »
Here's the listing: https://www.ebay.com/itm/325830591919

@ShQ: Have not found my card yet so this may be a good option, at least this one you can keep  ;)
Keyboard error: Press F1 to continue.
 

Online J-R

  • Frequent Contributor
  • **
  • Posts: 977
  • Country: us
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3214 on: November 19, 2023, 10:59:13 pm »
In what way is your scope bricked?  Won't boot or just the wrong .lnk file?  Unless I'm mistaken, my understanding is the LAN module only works if the OS can start up.  Furthermore, the factory Keysight firmware disabled telnet some time ago, so you would need the hacked firmware to have already been flashed so that telnet is enabled.
 

Offline ShQ

  • Newbie
  • Posts: 8
  • Country: nl
  • nonplussed
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3215 on: November 19, 2023, 11:40:22 pm »
Quote
If you want to build one, the files are in this thread:

https://www.eevblog.com/forum/projects/diy-dsoxlan-interface-for-keysight-oscilloscopes/msg4323214/#msg4323214

You can order the boards from JLCPCB cheaper than I can send you a board.

There are two designs for different magjacks.


Regards,

Jay_Diddy_B

Ah yes, I did find these (thanks for the design by the way!), but I was hoping to find a way that's quicker than waiting a few weeks for the PCBs to come in.  :P

Quote
Someone recently announced they are selling pre-built homebrew DSOXLAN modules for 50 Euros, ships anywhere:

  https://test-equipment-for-sale-wanted-or-exchange.groups.io/g/main/message/5144

No affiliation or experience with the seller.
Quote
Here's the listing: https://www.ebay.com/itm/325830591919

@ShQ: Have not found my card yet so this may be a good option, at least this one you can keep  ;)

Thanks, I'll have a look at that one -- and thanks a bunch for looking anyway. :)

Quote
In what way is your scope bricked?  Won't boot or just the wrong .lnk file?  Unless I'm mistaken, my understanding is the LAN module only works if the OS can start up.  Furthermore, the factory Keysight firmware disabled telnet some time ago, so you would need the hacked firmware to have already been flashed so that telnet is enabled.

It fails to boot, checksum error in NK.BIN (my own fault, not NAND corruption). The Windows CE bootloader actually has a way to load a recovery image over LAN, as PA0PBZ described a few years ago.
« Last Edit: November 20, 2023, 12:21:02 am by ShQ »
 

Offline John1996

  • Newbie
  • Posts: 3
  • Country: nz
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3216 on: November 21, 2023, 06:09:06 pm »
Could someone please send me the last patched firmware for MSOX3000T Series. Thanks.
 


Offline tv84

  • Super Contributor
  • ***
  • Posts: 3221
  • Country: pt
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3218 on: November 21, 2023, 08:58:41 pm »
Quote
Can this be used with the 3000T?

If it's a 4000X FW, then no.
 

Offline ShQ

  • Newbie
  • Posts: 8
  • Country: nl
  • nonplussed
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3219 on: November 25, 2023, 10:35:13 pm »
Made some progress while waiting for a LAN adapter, which ended up making getting one redundant. ::)

First on the agenda was trying if I could simply "borrow" an 8P8C jack and some magnetics from an old network switch,
attach some probes to the expansion connector, and solder the wires attached to the probes directly to the magnetics.
It made for a wonderfully cursed setup:



Sadly, after a lot of fiddling around and re-soldering I wasn't able to fully get it to work; running ethernet signals was possibly not what dupont wires were invented for. ;)

However, when closing up the probe setup and taking another look at the mainboard, I couldn't help but wonder why the user cal button was so auspiciously located on the back,
directly on the mainboard. What would happen if it was pushed while in the bootloader?

...

Well, nothing. What about while the scope is powering up?
Huh. No UART output. Is it just a weird reset line?
Maybe the SoC is doing something odd, let's hook up the USB and see if it enumerates at all.



... what's this? The SPEAr300 reference manual has some hints:

Quote
38.5.3    USB boot

USB Boot refers to upgrading of Flash memories (NAND and NOR) via USB.
[...]

After receiving 12 bytes BootROM decodes 12 byte command, changes the USB state machine to GET_DATA phase and then waits for expected number of bytes from Host.
BootROM receives the data and stores it into load address specified in the command, once all the data is received, BootROM changes the USB state machine to EXEC phase and decodes the type of data, if the received data is DDR Driver, then BootROM jumps to loadaddress, executes the DDR driver and jumps back to BootROM.

Now that the DDR is initialized, BootROM changes the USB state machine again to GET_CMD phase.
Now same process is repeated again, but this time type of data received is FIRMWARE, the FIRMWARE is capable of receiving data from Host, Flash upgrade capable etc.
After receiving the FIRMWARE, BootROM jumps to it in DDR.

That sounds great! Something is off though, even disregarding it containing one of the longest run-on sentences I've ever seen: the USB descriptors don't quite match.
Now, this is a reference manual for the SPEAr300, not SPEAr600, so maybe that's the sole difference? The SPEAr1340 seems to have a significantly more involved protocol.
Luckily (found in this very thread even, thanks @abyrvalg!), ST has released a "flasher", and it comes with source code!
And, the source code mentions the main descriptor difference!

Code: [Select]
#define MY_VID 0x0483
#define SPR600_PID 0x7261
#define SPR300_PID 0x3801

It's a Windows-based tool however, based on old libusb 0.1.  :(
I took the liberty of rewriting it into slightly more portable C taking advantage of the more modern libusb 1.0 (sources attached to this post).
Time to try it out! It needs a DDR driver and a U-boot image, both we can take from any Keysight firmware update:

Code: [Select]
$ spearload -t spear600 p500_ddrdriver.bin u-boot_image.bin
spearload: opening device...
spearload: sending DDR driver p500_ddrdriver.bin...
.
......
spearload: sending firmware u-boot_image.bin...
.
...

Back at the UART, we are greeted with success! ;D

Code: [Select]
U-Boot 2010.03 (May 18 2017 - 11:28:22)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  internal ecc 128 MiB

However, this just brings us back where we started: if you've been following along the thread, you may have noted that not everyone is lucky with getting a functional U-boot that can be interrupted.
Sadly, mine is no exception: after the above output, any serial output simply dies. :(

I decided to finally take some time and dive into the U-Boot image to figure out why exactly this is happening.
It seems to happen right after the early serial I/O is replaced by the more featured serial drivers, but they seem to poke the same registers. Odd.
There's a little function call tucked away there, what does it do?



 :o USB serial! But it would boot way too fast to allow us to enumerate the device, connect and interrupt! ... Right?
Well, Keysight seems to have thought of that as well: there's a sneaky little conditional waay later in the initialisation process:



This basically checks for pre-production silicon, or the DDR driver being present at a specific address (the string is it is comparing to being present in p500_ddrdriver.bin).

I first tried loading the driver to appear at that expected address, but that didn't seem to work. Bummer, possibly the driver code is not relocatable.

Still, there's no reason we can't simply patch this conditional! Making the following changes in u-boot_image.bin from firmware 2.65:


Code: [Select]
Offset 0x16100:  0c 00 00 1a -> 0c 00 00 ea   ; bne -> b
Offset 0x18:     57 11 83 33 -> 4f 18 d7 f0   ; data checksum
Offset 0x4:      6c 2f de de -> 4e 52 6b 13   ; header checksum

Update: disregard the above! It seems that the DDR driver itself moves the string into that location (and presumably XLOADER, the normal loader after the DDR training sequence clears it),
so no modifications are necessary!

Guess what suddenly appears on the USB side?



;D

Code: [Select]
Welcome to minicom 2.8

OPTIONS:
Compiled on Oct 25 2021, 06:07:01.
Port /dev/tty.usbmodem00000001, 22:22:23

Press Meta-Z for help on special keys


p500>

Finally! So in summary, you can get a working U-Boot serial on these bad boys without even opening the scope! ;)

The short version:
1) Extract a Keysight 2.65 firmware update
2) Modify u-boot_image.img as per the instructions above
3) Power up the scope while using a tool to hold down the button labeled "CAL" on the back
4) Connect to the scope USB port
5) Use the attached spearload program or ST's own flasher (linked above) to load p500_ddrdriver.bin and the modified u-boot_image.img
6) Enjoy your fresh USB serial, no functioning NAND required!

And since it's bootROM functionality, they can't patch this one out from existing products. :P
« Last Edit: December 01, 2023, 09:41:07 am by ShQ »
 
The following users thanked this post: Pinkus, albertr, PlainName, PioB, tv84, HighVoltage, TheSteve, ElectronMan, OH2LIY, zrq, wp_wp, diegodgo
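The three-line patch quoted in the post (offset 0x16100, `0c 00 00 1a -> 0c 00 00 ea`, "bne -> b") is a one-nibble edit of an ARM branch instruction. Before applying an edit like that to a bootloader image it is worth confirming that it touches only the condition field and leaves the branch target where it was. The following is an added example, not the post author's tooling or ST/Keysight code; it assumes a little-endian A32 image (so the bytes form the word 0x1A00000C) and the standard B/BL field layout (bits 31..28 condition, 27..25 = 0b101, bit 24 link, 23..0 signed word offset from PC+8). It uses the file offset as a stand-in for the load address, which is enough because only the relative distance is checked. The header and data checksum updates from the post are not covered here, since their algorithm is not given in the thread.

```python
"""Decode the 32-bit ARM branch word patched in the post and confirm the
edit changes only the condition field.

Added example, not code from the thread. Assumes a little-endian A32 image
and the standard B/BL encoding; the file offset stands in for the load
address (only the relative target distance matters for this check).
"""
import struct

# Condition-code mnemonics by value of bits 31..28; 0b1110 (AL) prints as "".
CONDITIONS = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
              "hi", "ls", "ge", "lt", "gt", "le", "", "nv"]


def decode_branch(word_bytes: bytes, pc: int) -> dict:
    """Return {'mnemonic', 'cond', 'link', 'target'} for an A32 B/BL word.

    `pc` is the address of the instruction itself; the architecture reads
    the offset relative to PC+8, which is what the target reflects.
    """
    (word,) = struct.unpack("<I", word_bytes)
    if (word >> 25) & 0b111 != 0b101:
        raise ValueError(f"0x{word:08x} is not a B/BL encoding")
    cond = CONDITIONS[word >> 28]
    link = bool(word & (1 << 24))
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:            # sign-extend the 24-bit field
        imm24 -= 1 << 24
    target = pc + 8 + (imm24 << 2)
    return {"mnemonic": ("bl" if link else "b") + cond,
            "cond": cond, "link": link, "target": target}


def patch_condition_to_always(word_bytes: bytes) -> bytes:
    """Rewrite the condition field to 0b1110 (AL), leaving the offset intact."""
    (word,) = struct.unpack("<I", word_bytes)
    return struct.pack("<I", (word & 0x0FFFFFFF) | (0xE << 28))


def same_target(before: bytes, after: bytes, pc: int) -> bool:
    """True when both words branch to the same address (only cond differs)."""
    return decode_branch(before, pc)["target"] == decode_branch(after, pc)["target"]


# Bytes quoted in the post (offset 0x16100 of u-boot_image.bin, firmware 2.65).
ORIGINAL = bytes.fromhex("0c00001a")
PATCHED = bytes.fromhex("0c0000ea")
OFFSET = 0x16100

if __name__ == "__main__":
    print(decode_branch(ORIGINAL, OFFSET))   # mnemonic 'bne', target 0x16138
    print(decode_branch(PATCHED, OFFSET))    # mnemonic 'b',   target 0x16138
    print(patch_condition_to_always(ORIGINAL) == PATCHED)
```

As the author later notes, the patch turned out to be unnecessary because the DDR driver itself writes the marker string; the decoder is still the quickest way to see what a quoted byte edit does to the control flow before trusting it.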

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3221
  • Country: pt
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3220 on: November 26, 2023, 06:24:20 pm »
Nice investigation!  :clap: :clap:

So, you are forcing the setting of env vars:
preboot=set stdin usbtty;set stdout usbtty;set stderr usbtty
bootdelay=-1

I think you could make it even "simpler/cleaner" and not require the U-Boot patch:   :popcorn:

- Just extend the size of p500_ddrdriver.bin in order to accommodate the "DDR_DRIVER" string at the verification address 0xD2B01F00.

 

Offline ShQ

  • Newbie
  • Posts: 8
  • Country: nl
  • nonplussed
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3221 on: November 26, 2023, 07:16:20 pm »
Interesting idea! I don't think that'll be possible: the difference between the native load address 0xD2800B00 and expected address 0xD2B01F00 is about 3 megabytes, which you'd have to upload to the chip before DRAM is functional (that's the point of the driver, after all :P) -- it simply doesn't have that much SRAM, I think. ;)

Plus: you'd have to make similar modifications to the DDR driver header to adjust the size and both checksums, so the difference being changing one byte versus adding 3 megabytes, I think the one byte wins in cleanliness here. :P
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3221
  • Country: pt
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3222 on: November 26, 2023, 07:21:06 pm »
Quote
Plus: you'd have to make similar modifications to the DDR driver header to adjust the size and both checksums, so the difference being changing one byte versus adding 3 megabytes, I think the one byte wins in cleanliness here. :P

 :) I knew you would say that.  :-+

As you reminded me, the SRAM is not sufficient for such a file...  |O

I've just opened p500_ddrdriver.bin and one of the first operations it does is precisely:

strcpy((BYTE *)0xD2B01F00, "DDR_DRIVER");

This must be a flag saying that the driver is loaded.

Your method wins! :)
« Last Edit: November 26, 2023, 07:36:24 pm by tv84 »
 
The following users thanked this post: ShQ

Offline ShQ

  • Newbie
  • Posts: 8
  • Country: nl
  • nonplussed
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3223 on: November 26, 2023, 07:55:07 pm »
Hum, interesting! It indeed seems to do that, but then the question is: why doesn't this trigger that condition every boot?

It doesn't seem like it gets cleared before that condition runs:

Code: [Select]
p500> md.b 0xD2B01F00 10
d2b01f00: 44 44 52 5f 44 52 49 56 45 52 00 00 00 00 00 00    DDR_DRIVER......

... WOW, I am stupid. The U-Boot mod isn't even needed! :o

Just verified that it works perfectly fine on an untouched p500_ddrdriver.bin and u-boot_image.img -- was so caught up in that discovery that I hadn't even bothered testing without.  |O
It must be that this indicates that there was no XLOADER in-between, which would presumably clear that part of memory. Thanks for checking me on that!

That makes our summary easier!
1) Extract a Keysight 2.65 firmware update
2) Power up the scope while using a tool to hold down the button labeled "CAL" on the back
3) Connect to the scope USB port
4) Use the attached spearload program or ST's own flasher (linked above) to load p500_ddrdriver.bin and u-boot_image.img from the update
5) Enjoy your fresh USB serial, no functioning NAND required!
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3221
  • Country: pt
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3224 on: November 27, 2023, 09:38:00 am »
Quote
Just verified that it works perfectly fine on an untouched p500_ddrdriver.bin and u-boot_image.img -- was so caught up in that discovery that I hadn't even bothered testing without.  |O
It must be that this indicates that there was no XLOADER in-between, which would presumably clear that part of memory. Thanks for checking me on that!

I also was baffled when I saw it loading first. But I assumed you had that covered...  :) I then went to think: damn, I really don't know sh.. about this uboot stuff.

Glad it helped perfect your discovery.
 

