DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?

[Bud]

@ShQ would you be able to compile your utility into a Windows executable ? 

[ShQ]

No problem! Attached it to this post, along with a slightly newer version of the source code to address some portability issues and a minor bug.
It requires WinUSB or libusbK.

I don't have a Windows install to test on though, so hopefully it works. Please let me know if it doesn't!

[Bud]

Awsome, thank you. Is it requiring WinUSB to compile or to run, or for both?

[ShQ]

To run. The libusb wiki page recommends Zadig to manage libusb drivers, that may make it easier.

[FrancescoChino]

Dear All,
I have the sam booting problem with the DSO-X 2000 oscilloscope, but I'm not able to download anymore the FW 2.35.
Could someone of you tell me wher is possible to obtain this older FW version ?

Thank you

Francesco

[albertr]

Hum, interesting! It indeed seems to do that, but then the question is: why doesn't this trigger that condition every boot?

It doesn't seem like it gets cleared before that condition runs:

Code: [Select]

p500> md.b 0xD2B01F00 10
d2b01f00: 44 44 52 5f 44 52 49 56 45 52 00 00 00 00 00 00    DDR_DRIVER......

... WOW, I am stupid. The U-Boot mod isn't even needed!

Just verified that it works perfectly fine on an untouched p500_ddrdriver.bin and u-boot_image.img -- was so caught up in that discovery that I hadn't even bothered testing without. 
It must be that this indicates that there was no XLOADER in-between, which would presumably clear that part of memory. Thanks for checking me on that!

That makes our summary easier!
1) Extract a Keysight 2.65 firmware update
2) Power up the scope while using a tool to hold down the button labeled "CAL" on the back
3) Connect to the scope USB port
4) Use the attached spearload program or ST's own flasher (linked above) to load p500_ddrdriver.bin and u-boot_image.img from the update
5) Enjoy your fresh USB serial, no functioning NAND required!

Can you share the p500_ddrdriver.bin and u-boot_image.img files? I'm not sure how to extract them from the F/W update... or maybe you can share the instructions on how to extract these files from ksx F/W update?

-albertr

[tv84]

Can you share the p500_ddrdriver.bin and u-boot_image.img files? I'm not sure how to extract them from the F/W update... or maybe you can share the instructions on how to extract these files from ksx F/W update?

7-Zip is enough.

[albertr]

Can you share the p500_ddrdriver.bin and u-boot_image.img files? I'm not sure how to extract them from the F/W update... or maybe you can share the instructions on how to extract these files from ksx F/W update?

7-Zip is enough.

Ok, thanks! I extracted the files with 7z, and I assume that pboot_rel.bin is u-boot_image.img? But where can I find p500_ddrdriver.bin?

Code: [Select]

bash-3.2$ file pboot_rel.bin
pboot_rel.bin: u-boot legacy uImage, PBOOT, Linux/ARM, OS Kernel Image (gzip), 37935 bytes, Thu Oct 29 08:22:14 2015, Load Address: 00000000, Entry Point: 00000000, Header CRC: 0X2D999100, Data CRC: 0X84FF067B
-albertr

[diegodgo]

Hello.

I have the original file in this version, please give me your email and I will send it to you.

Dear All,
I have the sam booting problem with the DSO-X 2000 oscilloscope, but I'm not able to download anymore the FW 2.35.
Could someone of you tell me wher is possible to obtain this older FW version ?

Thank you

Francesco

[ahakman]

That makes our summary easier!
1) Extract a Keysight 2.65 firmware update
2) Power up the scope while using a tool to hold down the button labeled "CAL" on the back
3) Connect to the scope USB port
4) Use the attached spearload program or ST's own flasher (linked above) to load p500_ddrdriver.bin and u-boot_image.img from the update
5) Enjoy your fresh USB serial, no functioning NAND required!

I just spent way too long trying to compile your spearload in current Debian (really rusty at c / build stuff - I've become a python softy now apparently).
I had to make 2 changes to the Makefile to make it compile and link successfully:

remove "-std=c2x" from the CFLAGS variable (sounds like -std=c2x forces it to be pure c std 2000, which doesn't support macros, hence it complains about all of the byte order swapping functions from endian.h  - leaving it undefined means use "gnu c standard" that does support macros)
and
in the binary build target, move "$(CFLAGS) $(LDFLAGS)" to the end of the line - if the flags are specified before the object file / binary, it can't find libusb-1.0. Simply moving the flags after the source/target fixes that issue (found a reference to that on stackexchange).

So
CFLAGS += -std=c2x -Wall -Wextra -pedantic -Wno-zero-length-array        ==>       CFLAGS += -Wall -Wextra -pedantic -Wno-zero-length-array
and
(CROSS_COMPILE)$(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@        ==>      $(CROSS_COMPILE)$(CC) $^ -o $@ $(CFLAGS) $(LDFLAGS)   

But it's compiled now!
On with the show...

Edited to add:
There's also a bug in read_file()
the 3rd argument to fread should be "size - total", not "total - size" - what you had originally gives negative values, and the libc I'm using complains about that and throws a "spearload: read_file: ./p500_ddrdriver.bin: could not read: Bad address" error - you can't tell it to read a negative number of records!

But now after changing those things, it must be working - it's showing up as a serial device now!

Bus 001 Device 014: ID 0957:7a18 Agilent Technologies, Inc. P500

[ahakman]

So I must be doing something wrong.

I boot with the cal switch pushed in, it shows up as the STMicroelectronics ST SPEAr SoC Family Device
I use spearload to push p500_ddrdriver.bin and u-boot_image.bin (from 3000XSeries.02.65.20210307001_patched.ksk available a few pages back in this thread)
It then turns into a USB serial device (shows up at /dev/ttyACM0)
I can connect to it by minicom and I get the p500> prompt and can see and run all the u-boot commands.
I use ymodem to upload nk.nb0 (from the same firmware above) and have prepared the USB stick (also from the same frimware as above)
when I "go 0x00362000", I see "## Starting application at 0x00362000 ...", but at that point the USB serial device disappears, and minicom disconnects.

I do see a little bit of activity on the USB stick, but it never actually boots the application, and just sits there with the screen dark. About every minute or so the light on the usb stick flashes a little

Also for creating the .lnk file on the USB stick, I'm using "51#\usb\Secure\infiniiVision\infiniivisionLauncher.exe" so it should be running the application from the USB stick, not from the flash

Any hints or guesses what I'm doing wrong? Do I need to be using the firmware version that's already on the scope, even if the startup link points to the USB stick?

[Bud]

Connect a second terminal to the UART output on the board to see boot process output.

[TheSteve]

Maybe try the process with 2.35 version firmware - it allows \usb

[ahakman]

Yeah, both of those suggestions (using the dedicated uart instead of the usb-serial uart, and trying with 2.35) were going to be my next steps, but when it's 5am and you've been up all night, you have to call it and go to bed at some point!

I did manage to find a working link for 2.35 somewhere way back in this thread, I just have to go through the process to prepare the usb stick and get nk.nb0 from it again...

So after finally finding a USB-TTL rs232 adapter, when booting from uboot over usb-serial console and monitoring the other console, this is where it gets stuck after I issue the go 0x00362000

Code: [Select]

Windows CE Kernel for ARM (Thumb Enabled) Built on Jan 24 2013 at 14:52:37
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Jun 18 2013)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000  size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
 OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
ERROR: C:\WINCE600\PLATFORM\COMMON\SRC\SOC\STM\SPEARHEAD600\DRIVERS\GPIO\.\sh600_gpio_hw.cpp line 170: GPB driver, RegQueryDword('ISTPriority') failed, status:2
ERROR: C:\WINCE600\PLATFORM\COMMON\SRC\SOC\STM\SPEARHEAD600\DRIVERS\GPIO\.\sh600_gpio_hw.cpp line 170: GPB driver, RegQueryDword('ISTPriority') failed, status:2
++SER_Init: context Drivers\Active\14
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200  (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
-EDeviceLoadEeprom 00:30:D3:20:AE:A7
Phy found addr 31 (ticks=2722)
WaitForLink Start (ticks=2724)
No Link (ticks=3726)
<--EDeviceInitialize

GMAC DMA status register = 0x0
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.

And it just sits there for forever not doing anything.

I don't know if that means the USB stick isn't setup right? I tried both literally what's written in post #2085 "Copy the CONTENTS of secure to the root of the USB stick", and also what's in post #3204 which is copy the FOLDER secure to the root of the USB stick - same thing.

I'm trying again re-formatting the stick as FAT16 - No difference.

I see @rizal5478 showed the exact same boot log stopping in the same place at

BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
and never getting to
BALDWIN_DDI: cBaldwinHwIf::Init: Success!

in message #2114 - doesn't seem like there was any resolution to that.

Pretty sure the easy solution here is to get Keysight to replace it rather than spending so much time trying to recover it. I have boot logs that proves it's nand corruption, though my last interaction with keysight support was less than stellar...

[Bud]

I think your FPGA is not getting loaded.
Is a reason you go to USB first? Have you tried to boot normally?
The thing is that the Uboot you send over USB may not have the environment variables, which are stored in NOR.

Edit: That is exactly what the boot log in the post you referenced said:

Code: [Select]

FPGA programming FAILED!
And also:

Code: [Select]

Could not copy from NAND offset 0x60000. Error -74 With ECC
Address 0x60000 is where the FPGA image is stored in NAND

[ahakman]

Booting normally, and interrupting u-boot and uploading nk.nb0 over serial took 10x longer than it did over usb, but it got slightly further.

I got a splash screen, but abruptly stopped.

From the log:

Code: [Select]

GMAC DMA status register = 0x0
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
Running infiniiVisionInstallHelper
ERROR: OALIoCtlHalGetDeviceInfo: Device doesn't support IOCTL_HAL_GET_DEVICE_INFO::SPI_GETBOOTMENAME
Failed to start/configure network.
Time for NANDFLASH to load: 0 ms.
Time for SNANDFLASH to load: 0 ms.
Time for USB Hard Disk Drive to load: 0 ms.
Starting ProcessStartupFolder
ProcessStartupFolder: \usb\Startup\
                                   running \usb\Startup\infiniivision.lnk...

The Startup\infiniivision.link file contains:

Code: [Select]

51#\usb\Secure\infiniiVision\infiniivisionLauncher.exe

the folder structure on the usb key indeed has
\Secure\infiniiVision\infiniivisionLauncher.exe

but it doesn't seem to run

[ahakman]

I got it working

From the size of the image on the scope, I could tell it had 2.37 on it to start with (the version that was corrupt).

Booting 2.35 from ymodem / the usb stick didn't work

Booting 2.37 from ymodem / the usb stick did work, but the application has to be in \usb\Secure in 2.37 - the first time I tried it, it was in \usb\infiniivision - it didn't like that - it said "invalid parameters" when booting and then rebooted from the flash and threw the error about the image being corrupt.

So if your scope initially has 2.35 or 2.36 on it, you can boot 2.35 from ymodem / USB, with the application in \usb\infiniivision\
If your scope initially has 2.37 on it, you can NOT boot 2.35 from ymodem / USB, but you CAN boot 2.37 from ymodem / USB with the application in \usb\Secure\infiniivision\

I installed 2.65 from the USB stick once it booted, and now it boots itself fine from the flash!

[Bud]

Great! One more restored 

[ahakman]

I do notice a difference in the startup sequence of lights compared to my DSOX2012A, which Agilent Keysight replaced a few years ago for corrupt NAND (and is running 2.50 firmware) so is practically brand new.

On the DSOX2012A, the light sequence is
ref -> +math -> +digital -> +serial -> +run/stop +single
all lights off
channel buttons -> wavegen + intensity -> all 4 triangle lights -> run/stop + single -> only single
application is running, lights as they are for operation

On this one (DSOX2024A) the light sequence is different
ref -> +math -> +digital -> +serial -> +run/stop +single
all lights off
channel buttons -> wavegen + intensity -> all 4 triangle lights -> run/stop + single -> only single for noticeably longer
all lights off
channel buttons -> wavegen + intensity -> all 4 triangle lights -> run/stop + single
all lights off
channel buttons -> wavegen + intensity -> all 4 triangle lights -> run/stop + single
all lights off

Is it normal for the 4 channel scope to take longer to boot / have the extra 2 cycles of lights during booting? Or is this a sign of worn out NAND that takes longer (and hence the better solution would've been replacement rather than recovery)? Or does 2.65 just take longer to boot than 2.50?

Now I'd like to find a DSOX 3034 or a 4000 series that's corrupt for a decent price and get that fixed... eventually - they seem to pop up occasionally.
I haven't been looking a lot since I got the 2012A a few years ago, but having 4 channels really would be nice for some stuff I'm working on now!

Also, does anyone have suggestions for probes? Even with the DSOX2012A, I've been using the probes that came with my 54645D, but that's only 2 channel too, and now I have a 4 channel DSOX2024A

[EE-digger]

Just an FYI to all regarding NAND corruption repair.  Spoke to Keysight this morning and it is no longer free, the system shows as billable.  The good news, if this is to some, is that in this location (US), the repair is $1900 which includes full calibration.  That's not bad, considering.

Also, the freebies ended in December 2022 (2019 in the original service note).  For our European friends, perhaps the end date was different.

[Jedi]

Hello, I am a user of the 4000 series.
A few days ago, I confirmed that my device no longer boots due to a NAND error.
I am attaching the u-boot log via serial.
Is there a way to reflash the 4000 series? Thank you

Code: [Select]

U-Boot 2010.03 (Jan 26 2011 - 12:37:34)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  256 MiB
In:    serial
Out:   serial
Err:   serial
SerNum:serial number not programmed
Chip:  BD Board Rev: 4
Net:   smsc
Press space to stop autoboot:  0
## Booting kernel from Legacy Image at f8050000 ...
   Image Name:   PBOOT
   Created:      2011-08-12  17:16:04 UTC
   Image Type:   ARM Linux Kernel Image (gzip compressed)
   Data Size:    37297 Bytes = 36.4 KiB
   Load Address: 00000000
   Entry Point:  00000000
   Uncompressing Kernel Image ... OK

Starting kernel ...


Debug serial initialized ........OK

Microsoft Windows CE Bootloader Common Library Version 1.4 Built Aug 12 2011 11:03:19
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008

image2 value is out of range 0 so it will be ignored.
  It must be a hexadecimal integer between 0xd00000000 and 0xd7ffffff or between 0x800000000 and 0x87ffffff.

System ready!
Preparing for download...
 Loading image 1 from memory at 0xD0400000
O
BL_IMAGE_TYPE_BIN

X
XXXXOOOOXOOOOOOOOXOXXOIncorrect Data 1 EccResult: ff0fff EccError: ff3cfc EccRead: 3303
 EBOOT_ReadFlash failed offset 47cdc3
 EBOOT_ReadFlash failed location d0480000
ODeCompressFlash: CeCompressDecode() failed
 CeDecompressFlashBlock failed
****** Data record 9 corrupted, ABORT!!! ******

Completed file(s):
-------------------------------------------------------------------------------
[0]: Address=0x80361000  Length=0x29B0048  Name="" Target=RAM
 Loading image 1 failed, trying next one
 All images failed

Press r to reset

[Jwalling]

Just an FYI to all regarding NAND corruption repair.  Spoke to Keysight this morning and it is no longer free, the system shows as billable.  The good news, if this is to some, is that in this location (US), the repair is $1900 which includes full calibration.  That's not bad, considering.

Also, the freebies ended in December 2022 (2019 in the original service note).  For our European friends, perhaps the end date was different.

That's interesting - which model # were you inquiring about?
I ask because I just exchanged emails this week with a guy with an MSOX2014A in the USA, and Keysight is going to repair for free under service note MSOX2024A-06B.

[Svitchy]

Hey guys!! Can some one share files with me, i need PhillyFlyers patched FW 2.65 for the 2000-X series scopes?!
Will apreciate for help!

[EE-digger]

Just an FYI to all regarding NAND corruption repair.  Spoke to Keysight this morning and it is no longer free, the system shows as billable.  The good news, if this is to some, is that in this location (US), the repair is $1900 which includes full calibration.  That's not bad, considering.

Also, the freebies ended in December 2022 (2019 in the original service note).  For our European friends, perhaps the end date was different.

That's interesting - which model # were you inquiring about?
I ask because I just exchanged emails this week with a guy with an MSOX2014A in the USA, and Keysight is going to repair for free under service note MSOX2024A-06B.

DSOX3034A and this was the official word ... but ... you have to talk with them as the end result can be different.  Nice people, still a great company.

[Pinkus]

My DSOX4024a with a NAND problem was also repaired without any discussion (Germany).
Since then, Keysight has been a favourite of mine.