Author Topic: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?  (Read 1291240 times)

0 Members and 4 Guests are viewing this topic.

Offline lampask

  • Newbie
  • Posts: 3
  • Country: sk
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3350 on: November 15, 2024, 03:27:24 am »
When checking the past attempts at modifying the X3000A frontend by people in the thread I wanted to revisit the possibility of upgrading the bandwidth to 1Ghz by adding a daughter board to the frontend of 100/200mhz or 350/500mhz versions. After inspecting the frontend part of the board from photos sent in this thread it seems nearly identical, the daughter board would need to add the Teledyne attenuator relay, the low R_on n-channel mosfet, BAV99 diode and a few additional components. (I would also need to change the strapping resistors and possibly switch the hex inverter ic)

As I do not own a 3104A series scope and cannot measure stuff myself I wanted to ask someone with more experience with this scope how is the relay switching implemented. There are vias around the extra diode and mosfet that I cannot identify from photos, but thats about everything that can be seen from the top and bottom layers. I had a suspicion that the gate of the mosfet might be connected to the U202 register IC, and the drain to the relay switching vias through the diode, but I can't be sure about this and it would be nice to hear form someone who possibly tried to reverse engineer this before with an access to the hardware.

I have attached one side photo of the frontend section of the 3104A sent before https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/?action=dlattach;attach=287307;image, where I have marked the interesting connections that I mentioned.
 
« Last Edit: November 15, 2024, 12:17:53 pm by lampask »
 

Offline BillCRM

  • Contributor
  • Posts: 26
  • Country: cn
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3351 on: December 04, 2024, 12:08:18 pm »
V2.66 patched successfully with info on the forum, mod at record 168, patch as usual. Patch to 00 00 a0 e3 & 01 00 a0 e3! If you don't understand, go back and watch PhillyFlyers' and safar's posts. :-+
 
The following users thanked this post: Thor-Arne, luisprata, msuthar

Offline BillCRM

  • Contributor
  • Posts: 26
  • Country: cn
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3352 on: December 06, 2024, 03:43:11 pm »
Hack of 3000T and 4000A of V7.60 also achieved, at record 172&174, patch as usual! :-+
 
The following users thanked this post: Pinkus

Offline Gregdavill

  • Newbie
  • Posts: 2
  • Country: au
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3353 on: December 07, 2024, 09:44:04 pm »
Thanks for confirming. As a fun weekend project I just upgraded to v2.66.
Followed the nk.bin patching steps for 2.43, used ghidra to trace original patches, and find their new addresses in v2.66.

Everything working pretty well. But I have noticed the LAN info screen in the UI/web doesn't seem to update, even though the scope does appear correctly on my LAN.  8)
 
The following users thanked this post: BillCRM

Offline BillCRM

  • Contributor
  • Posts: 26
  • Country: cn
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3354 on: December 09, 2024, 03:09:48 am »
Some old splash images in case you don’t like the boring Keysight one.
 

Offline HighVoltage

  • Super Contributor
  • ***
  • Posts: 5558
  • Country: de
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3355 on: December 10, 2024, 10:36:52 am »
Some old splash images in case you don’t like the boring Keysight one.

I have good memories associated with these old splash screens, especially, when I saw them for the first time.
In comparison the new Keysight screens are boring !
There are 3 kinds of people in this world, those who can count and those who can not.
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5424
  • Country: gb
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3356 on: December 11, 2024, 01:29:48 pm »
What process does

"mod at record xxx, patch as usual. Patch to yy yy yy yy yy yy yy yy"

refer to?

I understand about extracting the .kgx cab files, but then what?
 

Offline BillCRM

  • Contributor
  • Posts: 26
  • Country: cn
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3357 on: December 12, 2024, 04:12:02 am »
Look around page 75, some detailed guide lines was there. All the essential tools was the same as used for firmware recovery.
 

Offline BillCRM

  • Contributor
  • Posts: 26
  • Country: cn
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3358 on: December 12, 2024, 04:15:56 am »
I also created a joking one :popcorn: The tektronix MDO3000 share the same resolution as the DSOX series.
 

Offline BillCRM

  • Contributor
  • Posts: 26
  • Country: cn
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3359 on: December 12, 2024, 04:20:26 am »
More detailed, ksx to cab, then get nk.bin.comp, then decompress, the check record, then put nk.bin to any hex editor and mod. then recalculate the checksum. Recompress the nk.bin to nk.bin.comp, get the new md5 for the file. Modify the recipe.xml. and pack everything together back to the cab. and last cab to ksx. Then it's ready to go :)
 

Offline tabajaralabs

  • Contributor
  • Posts: 44
  • Country: br
    • Tabajara Labs
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3360 on: December 12, 2024, 05:06:31 pm »
Dear ALL
First of all thanks for all the fishes, I learn a lot on this forum and way more in this thread.
I am having a problem that I wasn't able to figure alone the direction to go. Any help would be great
I'm recovering a 4 chan DSO-x 2024A, it was on rev. 02.39.20151022602. I downloaded the corresponding CAB file, loaded on the scope but I'm getting the following error:

I tried to look for it, tried to understand it but unfortunately there is nothing I can infer to direct me
Thanks a lot
73 de PU2SEX Alexandre

Offline tabajaralabs

  • Contributor
  • Posts: 44
  • Country: br
    • Tabajara Labs
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3361 on: December 12, 2024, 08:07:44 pm »
Screen changed, one step ahead. I connected the vga/network adapter, it passed thru the network test stage but locks up here. Using 2.35 firmware, which "seems" to be the last bootable firmware

I feel ashamed, but I just don't know in which direction to go. Any helpers, please?

Offline tabajaralabs

  • Contributor
  • Posts: 44
  • Country: br
    • Tabajara Labs
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3362 on: December 12, 2024, 08:33:17 pm »
Is there anything that can be done if you erase the u-boot code?
I just did that to mine, in a lapse of reason :(

Online Bud

  • Super Contributor
  • ***
  • Posts: 7269
  • Country: ca
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3363 on: December 12, 2024, 09:03:33 pm »
Does DSOX2000 have a separate NOR chip? You can unsolder and reprogram it.
The other way is to reprogram it via USB port. If Uboot not loading, the CPU will switch to USB boot mode. You need to download STM32 Flashing Utility, follow instructions in it to install it on a computer, get access to the scope's memory and reflash the NOR image to the respective memory address.
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: tabajaralabs

Offline BillCRM

  • Contributor
  • Posts: 26
  • Country: cn
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3364 on: December 13, 2024, 01:48:53 am »
Is there anything that can be done if you erase the u-boot code?
I just did that to mine, in a lapse of reason :(
No worry, theres the uboot dump.
Change txt to bin as Dave not allowed to upload a bin file there.
 
The following users thanked this post: tabajaralabs

Offline BillCRM

  • Contributor
  • Posts: 26
  • Country: cn
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3365 on: December 13, 2024, 02:23:16 am »
If you need,  I could also provide a dump of the whole nand,  but this might be the last solution as using other's nand dump will cause a serial number change and wrong cal data.
However, I believe your condition is due to wrong usb file structure.
 

Offline BillCRM

  • Contributor
  • Posts: 26
  • Country: cn
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3366 on: December 18, 2024, 10:22:22 am »
Keysight released new firmware for 3000T/G & 4000X series, version 7.65.
Hack is still the old fashion way, 3000 at record 175, 4000 at record 178. The data sequences are still the same as old versions.
The new version fixed bugs and added support for new probes. :-+
 

Offline lampask

  • Newbie
  • Posts: 3
  • Country: sk
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3367 on: December 18, 2024, 11:49:14 am »
Would there be someone willing to provide an uboot dump from 3000T/3000G? The xloader partition there is different, because of a diferent ram chip (MT47H128M16RT-25E:C / D9MTD) and the scope cannot perform memory training otherwise.

Or alternatively does someone have the xloader source for arm spear600 laying around? The only thing I found in regards to this was a chinese site https://www.codebus.net/2159210.html. And that also doesn't seem to have this chip between the files. The original ST Linux project (with the xloader source) in which ST provided tools for the SPEAr series seems to be gone from the internet unfortunately :-//
 

Offline tabajaralabs

  • Contributor
  • Posts: 44
  • Country: br
    • Tabajara Labs
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3368 on: December 18, 2024, 07:13:19 pm »
If you need,  I could also provide a dump of the whole nand,  but this might be the last solution as using other's nand dump will cause a serial number change and wrong cal data.
However, I believe your condition is due to wrong usb file structure.

Bill, are you talking about the entire program memory area or just the uboot? Unfortunately, my knowledge about this scope is VERY limited. It would be nice if I could get an entire dump from a good osciloscope and install on mine. I tried 6 different firmware versions (all old versions and the 2.50 cracked one) and wasn't able to make it boot.  It tries to boot, load the (ugly) keysight boot screen and returns a segfault in many appls.

Tried to run MTEST but it locks up. Got a good, working (2 channel) dso-x2002A and it locks up on the MTEST too. So I don't believe the problem is RAM bound.

I confess I am completely lost, and I cannot find a line of logic. Begging for help, I cannot let this scope let go. It looks like to be SO near!

BTW, I have the LAN interface, so I can load and boot way faster than serial.

Maybe if someone created a correct USB boot drive image + NK.NB0 file for me to try to load...If you can do that feel free to send me a private message

Thanks and sorry for being so noob

Online Bud

  • Super Contributor
  • ***
  • Posts: 7269
  • Country: ca
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3369 on: December 18, 2024, 07:54:09 pm »
Post your USB file structure and the launching command line. Let people take a  look at it.
Facebook-free life and Rigol-free shack.
 

Offline tabajaralabs

  • Contributor
  • Posts: 44
  • Country: br
    • Tabajara Labs
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3370 on: December 18, 2024, 08:21:07 pm »
Post your USB file structure and the launching command line. Let people take a  look at it.

Got a 1GB (gift from keysight! =D) pen drive, formatted in FAT, did the same as here:

Quote
USB folder procedure:
    copy the contents of the Secure folder in your USB root.
    copy the Temp folder in your USB root.
    make a folder name Startup in your USB root.
    create a file inside the folder Startup, named infiniivision.lnk, containing 51#\usb\Secure\infiniiVision\infiniivisionLauncher.exe
    create a file in your USB root, named infiniivisionStartupOverride.txt, containing "True"
    copy the stock firmware .cab file form keysight to your USB root. Use 02.40 or above. 2.41.cab is in the above archive.



Command line: After booting the scope and running...
spearload -t spear600 p500_ddrdriver.bin u-boot_image.bin

this opens a serial port on the computer, I go to the terminal program and type:
TFTP 0x00361000

It loads the nk.nb0 binary I generated as described in
https://salvagedcircuitry.com/2000a-nand-recovery.html

When the load finishes, i type
GO 0x00362000

And it boots some of the code or, what is happening now, locks up.

I am regenerating for the nth time the usb drive and trying again.


Online Bud

  • Super Contributor
  • ***
  • Posts: 7269
  • Country: ca
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3371 on: December 18, 2024, 11:18:13 pm »
Which uboot image you are uploading?
Facebook-free life and Rigol-free shack.
 

Offline tabajaralabs

  • Contributor
  • Posts: 44
  • Country: br
    • Tabajara Labs
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3372 on: December 19, 2024, 12:20:23 am »
Which uboot image you are uploading?

U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500

Online Bud

  • Super Contributor
  • ***
  • Posts: 7269
  • Country: ca
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3373 on: December 19, 2024, 12:25:24 am »
I do not know what that means. Are you using the uboot from a 2000x scope or some other variant?
Facebook-free life and Rigol-free shack.
 

Offline tabajaralabs

  • Contributor
  • Posts: 44
  • Country: br
    • Tabajara Labs
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3374 on: December 19, 2024, 12:45:41 am »
I do not know what that means. Are you using the uboot from a 2000x scope or some other variant?
As far as I know, yes!


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf