Ended up ordering a DSOX3014T+DSOXLAN and picked up a N6450-60001 from rebay, new. Now, I wait for Agilent^WKeysight to ship.. they estimate April(!@#!@#) currently. What's really insane is they let me trade in my dslogic/oscilloscope combo that I backed via kickstarter and never used to get 30% off. =)
Ended up ordering a DSOX3014T+DSOXLAN and picked up a N6450-60001 from rebay, new. Now, I wait for Agilent^WKeysight to ship.. they estimate April(!@#!@#) currently. What's really insane is they let me trade in my dslogic/oscilloscope combo that I backed via kickstarter and never used to get 30% off. =)
That is a wonderful trade-in! I traded in a pristine Agilent scope for a DSOX3024T about 18 months ago. They asked a lot of questions about the scope and wanted to be sure that it was working. Supposedly someone was going to pick up the Agilent scope from me but then they asked me to ship it from New Jersey to California. Luckily I got the distributor to pay the $150 shipping cost, but I pad FedEx about $30 for the packing.
Of course I was worried that something would go wrong in shipping, so I took photos of the scope running next to the the current day's New York Times front page. I did not want to get a bill from Keysight for $1400! Apparently it arrived OK, I never heard from them.
In any case, I 'm surprised that a "non-top tier" scope would get the 30% discount since the offer says "up to 30%". When I did my trade-in there was also a free MSO option but they would not allow the offers to be combined.
FYI:
The patch locations for firmware 2.43:Code: [Select]1) options patch: 0x280940: change "04 00 A0 E1" -> "00 00 A0 E3"
2) nag patch: 0x2a9f38: change "66 5A FF EB" -> "01 00 A0 E3"
Thanks for the info!
Could you also show us the checksum patch?FYI:
The patch locations for firmware 2.43:Code: [Select]1) options patch: 0x280940: change "04 00 A0 E1" -> "00 00 A0 E3"
2) nag patch: 0x2a9f38: change "66 5A FF EB" -> "01 00 A0 E3"
Hi,
I maked patch for infiniiVisionCore.dll directly in nk.bin in v2.42 (2017032900) FW for DSOX3000A. There 4 bytes for patch "04 00 a0 e1" to "00 00 a0 e3" in start address FBC7FFh and checksum in address D40457h changed from "EB" to "E9". Actually checksum contain 4 bytes, but changed only this last byte (first in file as it's little endian). Checksum algorithm is UByte8bit.
infiniiVisionCore.dll placed in Record [164]: Start in memory = 81111000h, Length = 55D528h, Chksum of original nk.bin = 2604E8EBh
In nk.bin file this block started in D4045Bh and ended in 129D982h
Then nk.bin compressed by bincompress
Code: [Select]
bincompress.exe /c patched_nk.bin patched_nk.bin.comp
And flash it by loadP500Flash via telnet in scope
Code: [Select]
\windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
Think that replace nk.bin.comp in CAB file (with original name of course) should work also, but didn't try.
After this mod scope work normally and LAN also. I just make this start link in \secure\startup
Code: [Select]
211#infiniivisionLauncher.exe -l MSO -l MEMUP -l EMBD -l AUTO -l FLEX -l PWR -l COMP -l SGM -l MASK -l BW50 -l AUDIO -l WAVEGEN -l AERO -l VID -l ADVMATH -l ASV -l SCPIPS -l RML -l VID -l CABLE -l DIS -l TOM -l SGMC
Don't included EDK and DVM as it is standard options in 2.42
Of course scope indicate that this FW is Ufinalized
Thanks laserK and Elik for advices.
\windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
FYI:
The patch locations for firmware 2.43:Code: [Select]1) options patch: 0x280940: change "04 00 A0 E1" -> "00 00 A0 E3"
2) nag patch: 0x2a9f38: change "66 5A FF EB" -> "01 00 A0 E3"
So, doing these patches for 2.42 and above, requires going through a bunch of steps, which you really just need to walk through yourself, to see how it all works, versus writing up an entire novel on here trying to explain it...
You need to follow the steps for unpacking the firmware file, de-compressing the 'nk.bin' WindowsCE image, and locating the DLL within that image, you can just find it by using a hex editor, etc, and finding hex patterns...
As safar explained, the 'nk.bin' has checksums for blocks of data, so when you apply the patches into the DLL spots within the nk.bin (decompressed), you need to also fix the checksum for that block. It's a standard 'checksum' algorithm, using single byte as input data (ie versus 16-bit, 32-bit etc 'symbols' for checksum), ie in Safar's post he called it 'UByte8Bit', as other programs tend to say that as well..
A trial one I found that makes it easy is the '010 Editor', it does that checksum calc, as well as many others..
If I were you, I'd download the 2.42 firmware, unpack it, and follow the info that Safar mention in his post... once you can understand what he did, and the locations he patched, you can do it to 2.43 as well....
So, doing these patches for 2.42 and above, requires going through a bunch of steps, which you really just need to walk through yourself, to see how it all works, versus writing up an entire novel on here trying to explain it...
You need to follow the steps for unpacking the firmware file, de-compressing the 'nk.bin' WindowsCE image, and locating the DLL within that image, you can just find it by using a hex editor, etc, and finding hex patterns...
As safar explained, the 'nk.bin' has checksums for blocks of data, so when you apply the patches into the DLL spots within the nk.bin (decompressed), you need to also fix the checksum for that block. It's a standard 'checksum' algorithm, using single byte as input data (ie versus 16-bit, 32-bit etc 'symbols' for checksum), ie in Safar's post he called it 'UByte8Bit', as other programs tend to say that as well..
A trial one I found that makes it easy is the '010 Editor', it does that checksum calc, as well as many others..
If I were you, I'd download the 2.42 firmware, unpack it, and follow the info that Safar mention in his post... once you can understand what he did, and the locations he patched, you can do it to 2.43 as well....
Hi, yes I use IDA for find code and 010 Editor for patch.
I try to explain algorithm (with all steps as it can used by somebody else):
1. Get nk.bin.comp from FW files (ksx = cab) - I use WinRAR, but many arc programs can extract files from CAB
2. Decompress nk.bin.comp by "bincompress.exe /d nk.bin.comp nk.bin"
3. Extract infiniiVisionCore.dll with Remaker for WinCE5
4. Found code in IDA - Sorry, but I don't explain how as it need to write lot info here
5. With sync screens in IDA I look for patch hex code and for nearest area "signature" code also for find it in nk.bin (12..20 bytes for unique found result)
6. (As I lazy for remember bin structure I just to) Make DataTable with "viewbin.exe -d nk.bin > data.txt" - beware file is very big - about 113 MB for 2.43
7. Open nk.bin in Hex Editor and use "signature" code for found patch place (actually I use "find all" and if here is more than 1 result I try to expand "signature" for search)
8. Make patch in this place.
9. Open data.txt and find same "signature" - you found it in some Record [ ] block ([160] for 2.43). Here we need start Record signature for find it in Hex Editor, Record Length And Checksum (checksum is backwards in file as it LittleEndian code). Of course you can look for bin structure and make it more smart.
10. Find Record start signature - 4 bytes before start position is Checksum - compare it with data.txt. Here I bookmarked position.
11. Select block in editor with start on start Record position and Length from data.txt.
12. Calc checksum UByte8Bit
13. Turn back to bookmark and correct checksum (4 bytes before start, and remember for back order)
14. Save patched_nk.bin
15. Compress it to nk.bin.comp by "bincompress.exe /c nk.bin nk.bin.comp"
16. Flash scope, but kill process before
I attach all tools here
I make patched.bin.comp with PhillyFlyers info and with corrected checksum:
Patched2.43
You can flash it as usual by loadP500Flash via telnet in scope
Code: [Select]
\windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
Checked on my DSOX3034A
Quote
I make patched.bin.comp with PhillyFlyers info and with corrected checksum:
Patched2.43
You can flash it as usual by loadP500Flash via telnet in scope
Code: [Select]
\windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
Checked on my DSOX3034A
*** FYI ****
The file you posted is the 'uncompressed' and patched nk.bin, so make sure anyone, you do the
'bincompress /d patched_nk.bin patched_nk.bin.comp' first!! as you don't want to flash the uncompressed image, the scope will not boot...
************
Nice Safar! Great writeup, that's an awesome (and fast) writeup!
Nice Safar! Great writeup, that's an awesome (and fast) writeup!
U Welcome!
BTW, I try to find some points in IDA for patch message "LAN VGA option module fault", but it seems like one subroutine which select all "System concerns detected" error messages from different enter points. It difficult to understand source for me without real debugger.
I am wondering: if these files were patched wrong, will the scope still start up (at least to allow the telnet access)?`
So, doing these patches for 2.42 and above, requires going through a bunch of steps, which you really just need to walk through yourself, to see how it all works, versus writing up an entire novel on here trying to explain it...
You need to follow the steps for unpacking the firmware file, de-compressing the 'nk.bin' WindowsCE image, and locating the DLL within that image, you can just find it by using a hex editor, etc, and finding hex patterns...
As safar explained, the 'nk.bin' has checksums for blocks of data, so when you apply the patches into the DLL spots within the nk.bin (decompressed), you need to also fix the checksum for that block. It's a standard 'checksum' algorithm, using single byte as input data (ie versus 16-bit, 32-bit etc 'symbols' for checksum), ie in Safar's post he called it 'UByte8Bit', as other programs tend to say that as well..
A trial one I found that makes it easy is the '010 Editor', it does that checksum calc, as well as many others..
If I were you, I'd download the 2.42 firmware, unpack it, and follow the info that Safar mention in his post... once you can understand what he did, and the locations he patched, you can do it to 2.43 as well....
Hi, yes I use IDA for find code and 010 Editor for patch.
I try to explain algorithm (with all steps as it can used by somebody else):
1. Get nk.bin.comp from FW file (ksx = cab) - I use WinRAR, but many arc programs can extract files from CAB.
2. Decompress nk.bin.comp by "bincompress.exe /d nk.bin.comp nk.bin".
3. Extract infiniiVisionCore.dll with Remaker for WinCE5.
4. Open dll in IDA and find asm code for patch - Sorry, but I don't explain how as it need to write lot info here.
5. With sync screens in HexView of IDA I look for patch hex code and for nearest area "signature" code also for find it in nk.bin (12..20 bytes for unique found result).
6. (As I lazy for remember bin structure I just to) Make DataTable with "viewbin.exe -d nk.bin > data.txt" - beware output file is very big - about 113 MB for 2.43.
7. Open nk.bin in Hex Editor and use "signature" code for find patch place (actually I use "find all" and if here is more than 1 result I try to expand "signature" for search).
8. Make patch in this place.
9. Open data.txt and find same "signature" - you found it in some Record [ ] block ([160] for 2.43). Here we need start Record signature for find it in Hex Editor, Record Length And Checksum (checksum is backwards in file as it LittleEndian code). Of course you can look for bin structure and make it more smart.
10. Find Record start signature - 4 bytes before start position is Checksum - compare it with data.txt (remember for back order). Here I bookmarked position.
11. Select block in editor with start on start Record position and Length from data.txt.
12. Calc checksum UByte8Bit.
13. Turn back to bookmark and correct checksum (4 bytes before start, and remember for back order).
14. Save as patched_nk.bin.
15. Compress it to nk.bin.comp by "bincompress.exe /c nk.bin nk.bin.comp".
16. Flash scope, but kill infiniiVision process before.
17. Reboot scope.
I attach all tools here
88#infiniivisionLauncher.exe -l MSO -l BW20 -l DIS -l PLUS -l SCPIPS -l VID -l CABLE --perf
But the real reason I ordered it was for the extra trigger options as that’s what has bothered me the most about this scope since I’ve owned it. Five hundred dollar Chinese scopes had more extensive triggering options. That is now fixed! The menu options went from 5 to 12. Math options increased from 5 to 21! (see the photos for details). The upgrade also is supposed to include the record memory upgrade (to 1 Meg) and the segmented memory option. I already had these but I don’t feel cheated as the features I got are well worth the money spent.
For me, this is like having a new scope. Thanks Keysight!
Quote
I make patched.bin.comp with PhillyFlyers info and with corrected checksum:
Patched2.43
You can flash it as usual by loadP500Flash via telnet in scope
Code: [Select]
\windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
Checked on my DSOX3034A
*** FYI ****
The file you posted is the 'uncompressed' and patched nk.bin, so make sure anyone, you do the
'bincompress /d patched_nk.bin patched_nk.bin.comp' first!! as you don't want to flash the uncompressed image, the scope will not boot...
************
Ohhh, sorry, I will change it