DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?

[Frank_Canada]

I followed the instructions of Titiris and reloaded the nk.nb0 file (loady 0x0361000 115200) of the firmware (and also tried different versions of firmware) but the same problem remains: U-Boot stops at the same place.
So bought brand new NAND memory, replaced the old NAND by the new one on the board and redid the same process (loady 0x0361000 115200). Now U-boots goes further but is kind of stock in a loop:

BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
Exception 'Data Abort' (4): Thread-Id=04100002(pth=8371a340), Proc-Id=00400002(pprc=816a8308) 'NK.EXE', VM-active=01e40002(pprc=87fcbeac) 'udevice.exe'
PC=c08fa088(baldwin_ddi.dll+0x0000a088) RA=c08fa07c(baldwin_ddi.dll+0x0000a07c) SP=d137f660, BVA=00000000
Exception 'Data Abort' (4): Thread-Id=04100002(pth=8371a340), Proc-Id=00400002(pprc=816a8308) 'NK.EXE', VM-active=01e40002(pprc=87fcbeac) 'udevice.exe'
PC=c01a5d84(gwes.dll+0x00055d84) RA=c01a5d6c(gwes.dll+0x00055d6c) SP=d137fdd8, BVA=00000104
Autonegociation Start (ticks=4633)
+StartAutoNegotiation: pDeviceContext 0xd05694c0
Exception 'Raised Exception' (-1): Thread-Id=047a0002(pth=8372bc20), Proc-Id=03a50006(pprc=837eeee0) 'recoverInfiniiVision.exe', VM-active=03a50006(pprc=837eeee0) 'recoverInfiniiVision.exe'
PC=400233d0(coredll.dll+0x000133d0) RA=803782c8(kernel.dll+0x000062c8) SP=0005fd1c, BVA=00000000
Exception 'Raised Exception' (-1): Thread-Id=04820002(pth=8372bc20), Proc-Id=03a5000a(pprc=837eeee0) 'recoverInfiniiVision.exe', VM-active=03a5000a(pprc=837eeee0) 'recoverInfiniiVision.exe'
PC=400233d0(coredll.dll+0x000133d0) RA=803782c8(kernel.dll+0x000062c8) SP=0005fd1c, BVA=00000000
Exception 'Raised Exception' (-1): Thread-Id=048a0002(pth=8372bc20), Proc-Id=03a5000e(pprc=837eeee0) 'recoverInfiniiVision.exe', VM-active=03a5000e(pprc=837eeee0) 'recoverInfiniiVision.exe'
PC=400233d0(coredll.dll+0x000133d0) RA=803782c8(kernel.dll+0x000062c8) SP=0005fd1c, BVA=00000000

[TK]

 :popcorn:It is probably because of something TheSteve already said... there is scope data stored at the factory on the NAND that is not going to be restored if you replace the memory chip

[TheSteve]

I've never tried installing a new NAND(as it is not needed for the corruption issue) but if I did I don't know how it would get formatted into a proper filesystem unless u-boot can do that automagically. And reading the needed information off the old NAND is also tough as it needs to be mounted as a filesystem so the scope unique data can be backed up.

[Hydrawerk]

Hello, I have a DSOX2002A since 2013. https://www.eevblog.com/forum/reviews/my-new-toy-)-agilent-dsox2002a-sex-on-a-stick!/25/
There is an old cracked firmware in my scope that somebody gave me back in 2013 or so. I loaded it into my scope and it works since then. All options from 2013 are unlocked for me. :-) My 5 year warranty expired in 2018.
Is there a new cracked firmware available now? Or is it more complicated and I need a LAN board to do some dangerous steps? Is there a danger of bricking my scope?
Yes, I have read last posts and the process seems to be dangerous and complicated for me now. Thanks for help.

[Mr. Scram]

Hello, I have a DSOX2002A since 2013. https://www.eevblog.com/forum/reviews/my-new-toy-)-agilent-dsox2002a-sex-on-a-stick!/25/
There is an old cracked firmware in my scope that somebody gave me back in 2013 or so. I loaded it into my scope and it works since then. All options from 2013 are unlocked for me. :-) My 5 year warranty expired in 2018.
Is there a new cracked firmware available now? Or is it more complicated and I need a LAN board to do some dangerous steps? Is there a danger of bricking my scope?
Yes, I have read last posts and the process seems to be dangerous and complicated for me now. Thanks for help.

Firmware 2.50 is available and can be installed through the menu system with no LAN required. As always there are no guarantees and you do this at your own risk but most if not all issues seem to stem from people not RTFM. Read the post linked below.

https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg2364363/#msg2364363

[Hydrawerk]

OK, I did the upgrade with a help from a forum member. My scope seems to be working OK. There is now a 200 000 waveforms / sec update rate.
As scribble wrote, rename from .ksx to .cab if current scope fireware is older than v2.41. I had to do it!

[Mr. Scram]

Does anyone have an idea what the official bandwidth upgrades for the 3000T series cost? As far as I can tell no one lists the actual prices which is utterly annoying.

[TopLoser]

Does anyone have an idea what the official bandwidth upgrades for the 3000T series cost? As far as I can tell no one lists the actual prices which is utterly annoying.

https://www.altoo.dk/Oscilloscopes/Medium+3000T-4000X/Options+and+Upgrades/

[EE-digger]

In the US, Newark, for  one, lists them.  DSOXT3B1T104U = $10,564 for the 1GHz upgrade, returned to service center.

[B0B45]

Hey Guys,

I consider to send my scope to Keysight for calibration.
The scope is hw and sw modded from 100Mhz to 500Mhz and has FW 2.50.
My plan is to reinstall the origial FW 2.50 before i sent it in.
Question: Can I always change back from the origial fw 2.50? Will there be leftovers of the fw hack after the FW update on the scope?
Do you think its a good idea to do a full calibration after the scope has been modified in general?

Regards B0B

[Mr. Scram]

Hey Guys,

I consider to send my scope to Keysight for calibration.
The scope is hw and sw modded from 100Mhz to 500Mhz and has FW 2.50.
My plan is to reinstall the origial FW 2.50 before i sent it in.
Question: Can I always change back from the origial fw 2.50? Will there be leftovers of the fw hack after the FW update on the scope?
Do you think its a good idea to do a full calibration after the scope has been modified in general?

Regards B0B

A 100MHz to 500MHz hack? Is that even possible?

[mlloyd1]

allegedly, the HW BW hack is possible if the hacker is skilled enough and uses the appropriate parts.

the question i have is if one performs the HW BW improvement hack, modifies the FW to include use HW BW improvement hack, then removes the modified FW hack by "downgrading" to the OEM FW before sending the unit in for servicing/calibration, won't the "downgraded" software be unhappy about the HW change and flag this for servicing when it goes in for calibration, causing a "warranty issue"?

mlloyd1
 

[TK]

There is no downgraded software, it is the same firmware for both the modded and original HW.

The HW mod to bring 100MHz - 200MHz to 500MHz involves changing the front end and also the resistors that change the model to be at least 350MHz base, so it is impossible to send it back to Keysight, even with the original factory firmware unless you replace back all the components to be the original 100MHz - 200MHz model.

[rodpp]

If you are paying for the calibration service, I see nothing wrong in sending a DSOX3014A hacked to 500MHz to calibrate as a DSOX3054A, of course paying for a DSOX3054A calibration service.

[B0B45]

Well, the problem is, if I send it in with just a altered Hardware they only can deny the service. But if the Firmware on this scope is manipulated I can get into real trouble because of copyright laws.

[TheSteve]

The automated calibration routines they likely use won't work properly I don't think. A 200 MHZ scope modified to 500 MHz reports it is still a dsox3024 - so the cal computer interface won't go above 200 MHz. There won't be an override button for hacked scopes.

[rodpp]

I don't think so, because one can buy a bandwidth upgrade. So a hacked DSOX3014A probably behaves like a upgraded DSOX3014A.

[TheSteve]

I don't think so, because one can buy a bandwidth upgrade. So a hacked DSOX3014A probably behaves like a upgraded DSOX3014A.

That is different as the 100/200 MHz are always calibrated as a 200 MHz unit. The 350/500 are always calibrated as a 500 MHz model. So if you did buy the BW upgrade they are ready to go. But there is no official 200-500 upgrade that doesn't require returning the scope to Keysight which would change the official model # as well.

[rodpp]

Are you sure that the bandwidth upgrade changes the model #?

Be it a SW upgrade (100MHz to 200MHz) or a HW upgrade (100/200MHz to 350/500MHz), I suppose that the model number (and serial # too) does not change.

If they change model and/or serial #, it has potential to cause problems because: a) the model printed in front of the instrument will not match with the SW number anymore, including if you query it remotely; b) all papers related with that instrument will not match too, including proof of purchase, calibration data, etc; c) companies would must update their inventory, and changes in model and serial # could not be allowed.


EDIT: Anyone with a HW upgraded bandwidth or HW hacked could inform what model # the scope is showing?

[TK]

I don't think the model number changes with the hardware mod.  When I modded my EDUX1002G to DSOX1102G, it still showed as EDUX1002G in the display.  The model number and serial number is written somewhere in the NAND memory.

[TheSteve]

The model number doesn't change when the BW is hacked via hardware or software. But if you send your scope back for an upgrade from 200 to 500 MHz the model number will change as they replace the entire mainboard.

[rodpp]

Ok, but if I remember correctly, inside the first firmware update package there was a tool to change the model number...

Does anyone knows a scope that had the bandwidth upgraded by Keysight (replacing the board) to confirm that?

[Dwaine]

I would think that Keysight would be more than happy taking your money for a cal.  If it fails cal and the hardware BW hack is there.  They will just laugh and ship the scope back to you and charge your credit card for the cal.

Or if the tech is bored.  They will try to sell you a new board for more $$$$.

[rodpp]

The model number doesn't change when the BW is hacked via hardware or software. But if you send your scope back for an upgrade from 200 to 500 MHz the model number will change as they replace the entire mainboard.

I checked with Keysight, the model number remains the same.

[B0B45]

End of story: calibration successful, no adjustment required.

Edited because we have some experts here

I noticed some time ago that the screen (as shown in the appendix) is getting blury. My guess, there is moisture between the front glass and the screen itself. Does anyone have any idea how to clean it up? By disassembling the scope, I could not separate the screen and the glass.

With best regards
B0B