DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?

[TheSteve]

Bumping this thread up.

Just wondering if anyone has further experimented with version 2.41. Being all licenses can be enabled without patching the DLL it seems like the only thing needed is an automatic way to restart the infiniivision.exe or to start it initially with -l all.(if it was linux it would be symbolic link time)
I realize 2.41 can have all options enabled via telnet quite easily but it would be much nicer to have it fully automatic.
I'd experiment myself but my scope has version 2.39 on it which is easy to downgrade etc. If I install 2.41 I will be stuck there. Running the newest firmware would be optimal but not at the expense of the ease of "liberation".

btw, I'd like to offer an "Infiniian" of thanks to all of those who pioneered the early work on this, there is amazing and very useful information in this thread.
To anyone who has an official or basic network card I think running the patched files directly off internal flash is a great option and it lets you run version 2.39.

[Sparky]

Bumping this thread up.

Just wondering if anyone has further experimented with version 2.41. Being all licenses can be enabled without patching the DLL it seems like the only thing needed is an automatic way to restart the infiniivision.exe or to start it initially with -l all.(if it was linux it would be symbolic link time)
I realize 2.41 can have all options enabled via telnet quite easily but it would be much nicer to have it fully automatic.
I'd experiment myself but my scope has version 2.39 on it which is easy to downgrade etc. If I install 2.41 I will be stuck there. Running the newest firmware would be optimal but not at the expense of the ease of "liberation".

btw, I'd like to offer an "Infiniian" of thanks to all of those who pioneered the early work on this, there is amazing and very useful information in this thread.
To anyone who has an official or basic network card I think running the patched files directly off internal flash is a great option and it lets you run version 2.39.

Thanks, TheSteve, for your summary post.  I'm in the same boat, so to speak.  I currently have the patched 2.39 booting from flash (I have the official LAN card, and 3000X app bundle so I load just MSO and 500MHz bandwidth options, rather than -l All.)  I find loading the patched firmware from flash most convenient since network access might not always be available (e.g. if working mobile), or I'd prefer not to have a Raspberry Pi hanging on the back. 

I'm not so concerned about the need to downgrade from 2.41, but would prefer a simpler solution for loading options than a restart via an external mechanism (if it were possible).  I really appreciate the great work done [thanks HowardLong and others] in finding a way to boot 2.41 with options --- not having to patch any DLL is a great find and makes some steps much easier!  I may eventually end up going this route since I do have Ethernet where the scope is 90% of the time, and not having any patched DLLs stored in flash permanently has a nice clean feeling to it.

If Keysight offered a heavy discount on MSO and BW options (like they did app bundle) I might bite and go above board...

[benSTmax]

Just bumped into this recently.
I looked for the "WinCE CAB MAnager", however it seems it isn't available anymore? 
Is there another similar tool available?

[TheSteve]

Just bumped into this recently.
I looked for the "WinCE CAB MAnager", however it seems it isn't available anymore? 
Is there another similar tool available?

Which part of the process did you need it for? If you unpack the original cab file and run the python script it extracts the inifiniivision.dll etc which you can use.

[benSTmax]

Thanks.  I just finished reading the 2nd half of this interesting thread and indeed the python script is the one to use.

and there's also this tool mentioned by kilobyte. I tried it just now and it works
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg912303/#msg912303

[TheSteve]

Excellent! Glad to hear you got it sorted out. There is a wealth of info in this thread. I think I've gone through it page by page a few times now.

[memset]

Hello!
What's about a real thing - getting some 1GHz 5GSa/s from 100MHz 4GSa/s? Anyone tried that already? I suspect some input circuitry could be different to accomodate new sampling rate. Or even a better grade ADC.

[memset]

Ok, I've found the straps and modified my 100MHz scope to mimic 1GHz 5 GSa model. Of course, it didn't worked as intended.

Setting 5GSa straps on 4GSa board is accepted but software gives out "PLL Unlocked" error. I hope it's a matter of PLL loop or divider setup to enable 5GSa.

1GHz BW is more complicated. Although accepted by software, 1GHz feature is broken. Frontend seem to be much different from it's 200MHz counterpart. I've got 500 ps/div zoom, but 50ohm coupling mode went crazy giving out a blank screen without channel's ground line (like input overload condition). At 1MOhm 700MHz signal was barely seen on the screen with extremely low amplitude due to frontend BW limit and impedance imbalance.

I still think the scope hardware could be carefully modified to turn on 5GSa mode and to improve final bandwidth, at least to 500 MHz.

[TheSteve]

Certainly sounds like you've found some interesting info. Keysight firmly maintains the front ends are not all the same. For the 3000X series there is a 70/100/200 MHz version, a 350/500 MHz version and a 1 GHz version(with the higher sampling rate).
Of course I've also had Keysight firmly maintain there is a hardware different between a certain model spectrum analyzer's 3 and 6 GHz versions when they are in fact the same.
I have a DSOX3014A I may entertain having a go at the mods with - please do share the strapping info and post pics if possible.

[memset]

These series use 8 resistor-divider based analog pinstraps. Each strap configures one integer value in 0-8 interval. I'll annotate and post pictures asap.
Straps are indeed indicate differencies in hardware. For example, with 1GHz version you don't need any license to activate full bandwidth. With 500Mhz version I think no-license BW would be 350Mhz with possible software extension.
The question is how big these hardware differencies are. If it's the matter of passive component values, why not try to change them. Sure, intervention to test and control equipment's sensitive paths is the last thing you would like to do. That's a kind of dirty practice. But for a home use the prize could be quite challenging.

Too bad there are no 3104A teardown photos, heh.

Here are Dave's VCO photos from 3024A (4GSa) and 4024A (5GSa) scopes.
Can you notice the difference between VCO's inductors? 4GSa version is a Coilcraft's 0603CS (?) inductor with a yellow dot. For 5GSa version I can't identify this black V-marked inductor. What do you think about it? Is it Coilcraft's too?

[memset]

I've noticed range reduction in 1 GHz mode for 50 Ohm coupling. Its now 1V/div MAX compared to previous 5V/div.
Indeed, following datasheet:
100 MHz ~ 500 MHz models: 1 mV/div to 5 V/div (1 M? and 50 Ohm)
1 GHz models: 1 mV/div to 5 V/div (1 M?), 1 mV/div to 1 V/div (50 Ohm)

50 Ohm coupling must be different in 1 GHz model, that's why I'm loosing signal in 50 Ohm mode. Need to try 500MHz strapping now.

[memset]

Here is 3000 series board strapping info. 2000 series and 4000 series are pretty much the same. Pin strapping is done with 8 pairs of resistors. Each pair encode an integer value in 0 to 8 range.
Attached photos were annotated with strap resistor positions. Ln stands for Low (GND) side resistor and Hn is High (2V5) side resistor.
Based on analysis of Dave's teardown photos and my own board I've filled full resistor encoding table and believe it to be correct.
Note the L7 resistor is missing. I think it's routed to external module connector and it's encoding is fixed with 10k ohm high side on the main board.

You can't upgrade your scope just by altering these settings! Strapping represents the real difference in hardware!

Code: [Select]

Strapping resistor encoding
Value - Voltage - Lr/Hr
0 - 0.00V - 10k / none
1 - 0.23V - 10k / 100k
2 - 0.69V - 46,4k / 121k
3 - 0.98V - 64,9k / 100k
4 - 1.25V - 100k / 100k
5 - 1.52V - 100k / 64,9k
6 - 1.81V - 121k / 46,4k
7 - 2.27V - 10k / 100k
8 - 2.50V - none / 10k

Incomplete table of strap functions:

Code: [Select]

Strap 0 (CH 0) Channels:
  0 - 2 Channels
  1 - 4 Channels
Strap 1 (CH 1) Bandwidth
  0 - 100MHz
  1 - 200MHz
  2 - 500MHz
  3 - 1GHz
  4 - 1.5GHz (4000 series only)
Strap 2 (CH 2) Sample Rate:
  0 - 5GSa
  1 - 4GSa
Strap 3 (CH 3) Gating ?
Strap 4 (CH 4) Board Revision ?
Strap 5 (CH 5) Family:
  1 - 3000 series
  2 - 4000 series
  3 - 2000 series
Strap 6 (CH 7) MSO revision ? - not for 4000 series
Strap 7 (CH 6) External module - not for 4000 series:
  0 - LAN
  1 - GPIB
  8 - No External Module

On external module 0 Ohm to GND should set LAN module (pin short on the DIY LAN may be for this strap) and 1k should be for GPIB module.

For experiments you only want to alter Strap 1 and Strap 2 to update the Sample Rate and Bandwidth.
Have fun!

[TheSteve]

Excellent information - thank you!
It does seem like you could go 100 to 200 MHz without needing to alter the firmware at all, and possibly enable the MSO option. For the MSO it may just change the model number and still require the license though.

I assume you tried leaving the sample rate at 4 and only updating the bandwidth to 500 MHz?

[memset]

It does seem like you could go 100 to 200 MHz without needing to alter the firmware at all, and possibly enable the MSO option.

No. My 3014A was already strapped to 200MHz. Straps are set to indicate hardware features. 20MHz hardware BW was downgraded by software to 100 MHz allowing the license-based upgrade.
Same with MSO, MSO strap is always 0 (no other options supported). Looks like it's just a revision of MSO hardware. You need a license to enable it.

My next steps are to try 500MHz strap and to replace VCO inductors. I assume VCO frequency is 1GHz for 4GSa models, so I'll try to set it to 1.25GHz. Bad thing I can't directly check VCO output frequency so 1GHz is just a guess. And inductor's yellow color coding doesn't fit well to that guess.

[memset]

Just tried 500MHz strapping. Results are exactly as expected - 350MHz of reported BW (unlicensed base for 500MHz model).
Real BW at -3 dB is about 240MHz on 50 ohm direct coax. 50 Ohm coupling works well.
Conclusions:
- 500MHz model must have the same input topology with alternative LPF.
- LPF upgrade is required to try to get the real BW.
- 1GHz model differs in input topology at least in 50 ohm portion.
- 5GSa/s mode leads to non-locking PLL (VCO tuning may be required).

100 MHz -> 500 MHz upgrade should be doable. Input filter schematic and component values are to be reversed.
1GHz / 5GSa/s looks to be more complicated but not impossible atm. Need an input stage photos from 1GHz model to see the difference.

[TheSteve]

When the DSOX3000A series was released by Agilent it only went to 500 MHz with 4 GS/s. Sometime later they released the 1 GHz model with 5 GS/s. This does back up the theory that there are more significant changes to the 1 GHz hardware. 200 to 500 MHz would already be an amazing upgrade. Finding someone to open a 500 MHz model and take some detailed front end pics/measurements is what we need.

[Pinkus]

Finding someone to open a 500 MHz model and take some detailed front end pics/measurements is what we need.

... or a 350 Mhz model, as it is the same hardware as the 500 Mz model, just the firmware is crippling the scope to 350 Mhz.

[memset]

4000 series scopes share that 50 Ohm range difference: 5V/div for 100-500MHz and 1V/div for 1-1.5GHz versions.
I doubt they use different PCBs to implement that. Too bad no 1GHz model teardowns were made.

[Howardlong]

When the DSOX3000A series was released by Agilent it only went to 500 MHz with 4 GS/s. Sometime later they released the 1 GHz model with 5 GS/s. This does back up the theory that there are more significant changes to the 1 GHz hardware. 200 to 500 MHz would already be an amazing upgrade. Finding someone to open a 500 MHz model and take some detailed front end pics/measurements is what we need.

I did start taking mine apart yesterday, but was short of time. Do I need to take the PSU off, or can you get to the board just by taking off the four screws that hold the back on, then the 8 or 9 T10 screws plus the 2xBNC nuts? That's what I tried but it didn't want to budge much, I then ran out of time.

[TheSteve]

I haven't pulled my DSOX3014A apart yet to know for sure. I also suspect to know the true differences we'll need to remove the covers from the front ends(something Dave didn't do).

I'm thinking the 100/200 and 350/500 MHz models must only have a few passive part differences between them. I know if we get info on the 350/500 MHz models I have no problem removing the cans from the front ends of my scope to compare detailed notes.

[memset]

I did start taking mine apart yesterday, but was short of time. Do I need to take the PSU off, or can you get to the board just by taking off the four screws that hold the back on, then the 8 or 9 T10 screws plus the 2xBNC nuts? That's what I tried but it didn't want to budge much, I then ran out of time.

3000 series could be taken apart as easy as 1-2-3. Just screws and BNC nuts and ATX-like power connector. No need to remove PSU or line filter.
If you'll go further to remove the main board, be sure to remove 13 more screws and detach 3 flex cables.
Service guide:
http://cp.literature.agilent.com/litweb/pdf/75019-97084.pdf

What model do you plan to look inside?

[memset]

I haven't pulled my DSOX3014A apart yet to know for sure. I also suspect to know the true differences we'll need to remove the covers from the front ends(something Dave didn't do).

I'll remove them on my 3014A and take photos. Too bad you can't read marking off any chip capacitor inside.

[memset]

I also suspect to know the true differences we'll need to remove the covers from the front ends(something Dave didn't do).

Do you have a 1GHz scope or SA to check PLL output clock (should be in 500-1000Mhz range)?
PLL is on the top layer, just between two ADC chips. No need to remove the main board.
See the photo (circled). Both single-ended or differential probe will catch the frequency.

That could be acq. clock (1GHz) or memory clock (667MHz) PLL.

[Howardlong]

I did start taking mine apart yesterday, but was short of time. Do I need to take the PSU off, or can you get to the board just by taking off the four screws that hold the back on, then the 8 or 9 T10 screws plus the 2xBNC nuts? That's what I tried but it didn't want to budge much, I then ran out of time.

3000 series could be taken apart as easy as 1-2-3. Just screws and BNC nuts and ATX-like power connector. No need to remove PSU or line filter.
If you'll go further to remove the main board, be sure to remove 13 more screws and detach 3 flex cables.
Service guide:
http://cp.literature.agilent.com/litweb/pdf/75019-97084.pdf

What model do you plan to look inside?

Aha, RTFM! Looks like there's a screw inside the LAN/VGA module receptacle area that I missed.

Unit is MSOX3054A.

I have a 20GHz sampling scope, and a 22GHz spec an, both boat anchors but they should just about cope 

If I get time I'll take a look later today.

[memset]

Unit is MSOX3054A.

Nice! For this scope a closeup photo of anti-aliasing filter would be very useful. You don't need to remove main board or desolder channel frontend shields. At the top of the shielding there are two thick diff traces going to ADC. Just under the shields there are 3-pole filter on these traces: cap + two inductors + another cap. Would be very good to get a sharp photo of these inductors to see a color of their dots and number of turns. There are plenty of room and a big side opening in the input shield.