Author Topic: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?  (Read 184776 times)


Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 452
  • Country: ru
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #50 on: January 30, 2014, 09:00:02 am »
I'll clarify a bit:
To boot you need to enter "emergency" mode first - turn off, turn on for 4sec, turn off, then turn on with USB stick inserted as described here http://www.home.agilent.com/agilent/redirector.jspx?action=ref&lc=eng&nfr=&ckey=670496&cname=AGILENT_EDITORIAL
For 6k series you need to have both BIN and JZP on USB stick (or even BIN only, seems that some or all 6k bootloader versions don't understand JZP, unlike 7k that understands JZP only).

For a permanent install you need to do it manually, so if you want just to try some bin - boot it from USB, but don't touch any JZP in scope's File explorer (that's where install is performed).
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #51 on: January 30, 2014, 02:09:49 pm »
Hidden Menus (service).

Easter Egg:


« Last Edit: January 30, 2014, 06:31:31 pm by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 
The following users thanked this post: TiN

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #52 on: January 30, 2014, 05:00:39 pm »
I know that no options exist to increase BW. But has anyone tried 500-000000000000-29FEB2029?
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline madshaman

  • Frequent Contributor
  • **
  • Posts: 699
  • Country: ca
  • ego trans insani
Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #53 on: January 30, 2014, 05:04:58 pm »

I'll clarify a bit:
To boot you need to enter "emergency" mode first - turn off, turn on for 4sec, turn off, then turn on with USB stick inserted as described here http://www.home.agilent.com/agilent/redirector.jspx?action=ref&lc=eng&nfr=&ckey=670496&cname=AGILENT_EDITORIAL
For 6k series you need to have both BIN and JZP on USB stick (or even BIN only, seems that some or all 6k bootloader versions don't understand JZP, unlike 7k that understands JZP only).

For a permanent install you need to do it manually, so if you want just to try some bin - boot it from USB, but don't touch any JZP in scope's File explorer (that's where install is performed).

Sweet!!!  I'm neck deep in other *h*t right now, but this is what I wanted to hear.

Enormous thanks to everyone hacking around with this right now; it's much appreciated.
To be responsible, but never to let fear stop the imagination.
 

Online mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12147
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #54 on: January 30, 2014, 05:10:12 pm »
Had a quick play with a hack abyrvalg sent to try enabling decodes on a 2-channel scope but no joy yet (gives "Option not supported" when it boots)

Had a look for license names in the sys6000.bin image  :
AFAICS the list is the same as the 7000 one posted earlier

Tried ALL, which enables some demos - these are for use in conjunction with a demo board - ISTR having this when I had a scope on loan before buying mine.
When enabled, license info shows FPG*,LSS*,AMS*,CAN*,ALT*,232,FRC*,SND*,FLX*,553*

I had a look inside my MSO6012A, and apart from the front-end and ch3/4 ASICs it looks the same - same FPGA, so might be viable to enable decodes on 2ch models.

Front-end is obviously different from the 6034. Interestingly the trigger channel uses the same front-end as the analogue channels.
« Last Edit: January 30, 2014, 05:21:43 pm by mikeselectricstuff »
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Online mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12147
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #55 on: January 30, 2014, 05:15:20 pm »
OK I've just found the first new thing I can do that wasn't possible with trials - CIR option for circular segmented memory.
 
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #56 on: January 30, 2014, 05:32:44 pm »
OK I've just found the first new thing I can do that wasn't possible with trials - CIR option for circular segmented memory.
There are references to this and other options in the sys6000.bin.
For example: 1mV Chan Scale lmt.
« Last Edit: January 30, 2014, 06:01:31 pm by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #57 on: January 30, 2014, 05:36:54 pm »
Front-end is obviously different from the 6034. Interestingly the trigger channel uses the same front-end as the analogue channels.
@mikeselectricstuff: Thanks for the pictures.  :)
That's why I want to see pictures of the MSO/DSO6054A motherboard.



Note: There must be a memory of at least 1M (1024K) for the rom (rom6000.bin).
« Last Edit: January 30, 2014, 06:32:19 pm by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 452
  • Country: ru
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #58 on: January 30, 2014, 06:05:42 pm »
Carrington, there are even bigger memories, check https://www.eevblog.com/forum/testgear/agilent-mso-500060007000-anyone-hacked-these-scopes/msg377764/#msg377764 - that's a full list.
There are no bandwidth options to enable with keys, but there are some NV capabilities flags programmed from factory also (one of them limits decoders usage on 2CH models).
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #59 on: January 30, 2014, 06:09:59 pm »
Carrington, there are even bigger memories...
I get it.  ;) 48LC8M16A for example.

There are no bandwidth options to enable with keys...
But does Agilent use the same input stages for the 300 and 500MHz models?
Hybrid chip at the DSO5054A and DSO6034A is 1NB7-8453.

There are some NV capabilities flags programmed from factory also (one of them limits decoders usage on 2CH models).
  8)
« Last Edit: January 30, 2014, 06:27:09 pm by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 452
  • Country: ru
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #60 on: January 30, 2014, 06:42:09 pm »
Since our little "project" has advanced to a more hw-specific testing, but I don't have any hw (but have lots of work waiting), I think it's time to quit.
I've attached two scripts for anyone who has IDA and enough will to continue.
types.idc contains some useful type declarations, ApplyVxSymbols.py is a modified symbol table processing script (table format is a bit different in new versions). Set "demangled names -> names",  "assume gcc 3.x names", "general -> auto comments" IDA options, apply symbol table and you'll have a pretty readable output with names speaking for themselves.
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #61 on: January 30, 2014, 06:54:40 pm »
@ abyrvalg: Thank you very much for everything.  :-+



Another tool, readelf: http://code.google.com/p/lumpy/source/browse/trunk/compilers/c/bin/readelf.exe?r=57
Works with lib6000.bin
« Last Edit: January 30, 2014, 07:47:48 pm by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 452
  • Country: ru
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #62 on: January 30, 2014, 09:03:39 pm »
Symbols that readelf understands (ELF/DWARF) are understood by recent IDA versions directly (starting from 6.2 or 6.3, don't remember already). But sysXXXX.bin doesn't have that kind of symbols, it has VxWorks-specific table in data segment instead. That's why there is a special script for it. Look for "Adding %ld symbols" string, then follow a xref to it - there will be a function that xrefs 3 data items - some uninitialized var (.space 4), symbol count value (.long 0xXXXX) and the table itself (sparse initialized area starting with 00s).

Btw, libXXXX is referenced as "OpenSourceLibrary" in sys. I guess it contains some GPL code that can't be included into the "commercial" part (otherwise they must publish all their own  source code that is linked with GPLed code). Nothing actually interesting there. Model checks are inside initializeFeatures() function in sys (gpInstOptions var).
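
The table hunt described in the post above can also be done outside IDA. This is an added example, not part of abyrvalg's scripts or the original thread: it scans a raw image for a run of 16-byte big-endian entries whose first word is zero and whose second word points at a printable name. The entry layout (taken from the VxWorks 5.x SYMBOL structure), the load base, and the sample image are assumptions; the thread itself notes that the table format differs between versions.

```python
import struct

# Assumed entry layout (VxWorks 5.x SYMBOL, big-endian): hash-node link,
# name pointer, value, group, type, pad = 16 bytes.
ENTRY = struct.Struct(">IIIHBx")


def read_cstring(image, offset, limit=256):
    """Return the printable NUL-terminated string at offset, or None."""
    end = image.find(b"\x00", offset, offset + limit)
    if end <= offset:
        return None
    raw = image[offset:end]
    if not all(0x20 < b < 0x7F for b in raw):
        return None
    return raw.decode("ascii")


def parse_entry(image, offset, base):
    """Decode one candidate entry; None if it does not look like a symbol."""
    if offset + ENTRY.size > len(image):
        return None
    node, name_ptr, value, _group, sym_type = ENTRY.unpack_from(image, offset)
    name_off = name_ptr - base
    if node != 0 or not 0 <= name_off < len(image):
        return None
    name = read_cstring(image, name_off)
    return None if name is None else (name, value, sym_type)


def find_symbol_table(image, base, min_run=3):
    """Return (offset, entries) for the longest run of valid entries."""
    best_start, best, offset = None, [], 0
    while offset + ENTRY.size <= len(image):
        run, cursor = [], offset
        while (entry := parse_entry(image, cursor, base)) is not None:
            run.append(entry)
            cursor += ENTRY.size
        if len(run) > len(best):
            best_start, best = offset, run
        offset = cursor if run else offset + 4
    return (best_start, best) if len(best) >= min_run else (None, [])


def build_sample_image(base=0x00100000):
    """Constructed image: filler, name strings, count word, 3-entry table."""
    names = [b"taskSpawn", b"printf", b"sysClkRateGet"]
    image, name_ptrs = bytearray(b"\xff" * 32), []
    for name in names:
        name_ptrs.append(base + len(image))
        image += name + b"\x00"
    image += b"\xff" * (-len(image) % 4)      # realign to 4 bytes
    image += struct.pack(">I", len(names))    # constructed symbol count word
    table_offset = len(image)
    for i, ptr in enumerate(name_ptrs):       # addresses and type are made up
        image += ENTRY.pack(0, ptr, base + 0x1000 + 0x40 * i, 0, 5)
    return bytes(image), table_offset
```

On a real image, raise `min_run` well above 3 so that short coincidental runs are rejected, and pass the load address the image is linked at as `base`.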
 

Offline Pehtoori

  • Contributor
  • Posts: 21
  • Country: 00
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #63 on: February 01, 2014, 08:54:23 pm »
I am aware that you can enable all the options and then set back the clock to keep these options enabled indefinitely.  That's certainly livable.  However, that's not a pretty solution, and it's nice to have the clock set properly for screen shots, etc.

This text just hit my eyeballs. Can't you set date to 12.1.2037 then apply options and roll back to current date? Then your screen shots would be correct etc. (2037 because Unix epoch is 1.19.2038.)
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 452
  • Country: ru
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #64 on: February 02, 2014, 12:22:02 am »
Pehtoori, no, the feature key contains an absolute expiration date like 02FEB2014
 

Online mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12147
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #65 on: February 02, 2014, 12:33:12 am »
I am aware that you can enable all the options and then set back the clock to keep these options enabled indefinitely.  That's certainly livable.  However, that's not a pretty solution, and it's nice to have the clock set properly for screen shots, etc.

This text just hit my eyeballs. Can't you set date to 12.1.2037 then apply options and roll back to current date? Then your screen shots would be correct etc. (2037 because Unix epoch is 1.19.2038.)
The trials have a fixed expiry date 14 days from when they were issued
But with the license hack, it's no longer an issue.

The only thing remaining is to see if the decoders can be made to work on 2-channel models
 
« Last Edit: February 02, 2014, 12:35:56 am by mikeselectricstuff »
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #66 on: February 02, 2014, 02:24:19 am »
I edited ApplyVxSymbols, now it also works with IDA v6.1 and python v2.6.6.
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #67 on: February 02, 2014, 03:14:31 pm »
The only thing remaining is to see if the decoders can be made to work on 2-channel models
A flash dump could be very useful. And even better two dumps from two different models, 2 and 4 channel for example.
Is this a flash? Is it connected to the FPGA or to the PPC405?


My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 7509
  • Country: us
    • SiliconValleyGarage
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #68 on: February 02, 2014, 05:15:18 pm »
That is flash memory. J2400 looks intriguing...
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 452
  • Country: ru
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #69 on: February 02, 2014, 06:40:51 pm »
There is no need to open the scope at all to read the flash. Just telnet to VxWorks debug console and dump the uppermost memory addresses:
FFF00000-FFFFFFFF - bootloader
FFEF0000-FFF00000 - NV area:
  FFEF0000 [7] - MAC address
  FFEF0020 [2] - "feature register" (SEC option flag)
the rest (before FFEF0000) should be a C:\ file system

It should be possible to program flash from debug console too - by invoking the programming function with "sp" command, but this can brick the scope easily, so better I'll not publish a detailed instruction until there will be some clear plan what and where to program.

IMO, there is no need for raw flash access at current stage. The bootloader part is much more obscure to work with (there is no symbol table), all interesting stuff is in sys part, really no idea what to look outside JZPs now. Changing the model type in NV will not work - Mike had tried my patch that sets 4CH flag in RAM and the scope just hung, so the only hope is some fine grained compatibility check patch in sys. The other interesting direction is C:\bin\CmdLine.cmd file - it is not present by default, but it is possible to specify several parameters to sys in it (i.e. there are parameters to enable each feature w/o key - can be more handy than patching sys because they will stay there after updates), look for hasOption() calls.
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #70 on: February 02, 2014, 06:52:23 pm »
That is flash memory. J2400 looks intriguing...
Ok, you are referring to the J2400 connector. Yes, it can be the FPGA JTAG connector.
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #71 on: February 02, 2014, 07:09:22 pm »
There is no need to open the scope at all to read the flash. Just telnet to VxWorks debug console and dump the uppermost memory addresses:
FFF00000-FFFFFFFF - bootloader
FFEF0000-FFF00000 - NV area:
  FFEF0000 [7] - MAC address
  FFEF0020 [2] - "feature register" (SEC option flag)
the rest (before FFEF0000) should be a C:\ file system

It should be possible to program flash from debug console too - by invoking the programming function with "sp" command, but this can brick the scope easily, so better I'll not publish a detailed instruction until there will be some clear plan what and where to program.
That's great! I did not know that.

IMO, there is no need for raw flash access at current stage. The bootloader part is much more obscure to work with (there is no symbol table), all interesting stuff is in sys part, really no idea what to look outside JZPs now.
I thought about flash dumps from two different models, especially due to the content of gpInstOptions, because it is everywhere in the firmware.
I think that their content makes the difference between different family features.

Changing the model type in NV will not work - Mike had tried my patch that sets 4CH flag in RAM and the scope just hung, so the only hope is some fine grained compatibility check patch in sys.
Is that flag related to gpInstOptions?

The other interesting direction is C:\bin\CmdLine.cmd file - it is not present by default, but it is possible to specify several parameters to sys in it (i.e. there are parameters to enable each feature w/o key - can be more handy than patching sys because they will stay there after updates), look for hasOption() calls.
This also is great!
« Last Edit: February 02, 2014, 07:11:23 pm by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #73 on: February 06, 2014, 05:58:47 pm »
Hi guys!

I have news, thanks to the help of abyrvalg (he is a genius), my MSO6034A is now a MSO6054A.  :-+
The hybrid chip at the input stage supports 500MHz, but I don't have a signal generator to test.
Also the fastest pulse that I found was 800ps (tr), so I could not estimate the real BW.



Can anyone test the BW?

Note: In the attached files are the instructions to apply the patch.
« Last Edit: February 14, 2014, 04:14:50 pm by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Online mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12147
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #74 on: February 08, 2014, 11:31:50 am »
That sample rate hack doesn't improve bandwidth
Attached pics show a 250-750MHz stepped sweep before & after - no difference.

When I get time I'll see if the digital channels are improved.

My (early s/n 440013xx MSO6034A) didn't seem to work with the soft-loading method - appeared to go through the normal process of sitting a while with the "Single" LED on, but instead of booting the new FW it just sits there lighting up lines of the front panel LEDs til you pull the USB stick, at which point it reboots.

Hacked FW loads to flash OK though - it was only after loading I suddenly thought that without the soft-load capability, how would I recover if it hung, but I think that "emergency" update file is what that is for. I did try loading that version but again it sat in a led-flashy loop.
Think I'll stay away from playing with that scope - I still have a more recent MSO6012A to play on.

I wonder if the sample rate  hack will improve sample rate on digital channels on that...?
 





Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

