| Products > Test Equipment |
| Fluke/Tektronix Bushealth Code: 192C/196C/199C/215C/225C/190 (I & II) THS3000 |
| << < (4/8) > >> |
| smaultre:
Yes! Thank you Pat!! Additionally some data dumps from COM port to explain how application updates firmware Fluke 199 series You can backup and restore cal data and config by QC\WC on Fluke 199 --- Code: ---0 0 SO 1 PC 19200 0 IS 0 26696 ID 0 FLUKE 199C;V07.06;2008-01-23;ENGLISH,FRENCH,SPANISH,PORTUGUESE QI 11 0 13150000 . . 0 0 SO 1 PC 19200 0 IS 0 14408 ID 0 FLUKE 199C;V07.06;2008-01-23;ENGLISH,FRENCH,SPANISH,PORTUGUESE QI 11 0 13150000 EM 0 MAINTENANCE 0 QI 10 0 199C QC 0 "HERE CONFIG" EO 0 EM 0 FLUKEUHM 0 XXXXXXXXXXX0 WW10000000,4,0002000200020002 0 WB44000000,200,10402DE9000000EB1080BDE810402DE96E0500EB060600EB2D0600EB5C0600EBEB0900EB440A00EB500A00EB1080BDE8104F2DE90080A0E148999FE524C099E500005CE30500000A883088E038C99FE50331A0E10C0093E7140000EB120000EA883088E020C99FE50331A0E10CB093E700A0A0E30B00A0E11F0100EB010050E30100A0030800000A00C99FE58AC18CE004C09CE501A08AE20BB08CE030C099E50C005AE1F2FFFF3A0000A0E3108FBDE8B04F2DE90080A0E1ED0000EAD0289FE503C0C8E3FF10A0E300C082E5FF1881E200108CE500C092E55030A0E300108CE500C092E5053683E200308CE53030A0E300C092E5033683E200308CE5D030A0E300C092E50D3683E200308CE580B0A0E302B58BE200C092E500909CE50B3009E00B0053E1FBFFFF1A4000A0E300108CE500C092E5010580E2000019E100108CE50700001A20E0A0E302E68EE20E0019E10300001A10C0A0E301C68CE20C0019E10100000A0100A0E3E20000EAE00000EA1C289FE503C0C8E3F010A0E300C082E50F1681E200108CE5FF5FE0E300C092E50F5B45E2559FA0E305C00CE0059B89E2AAE0A0E309708CE1AAE88EE200E087E500C092E5AAAFA0E305C00CE05500A0E30AAB8AE20AC08CE1550880E200008CE500C092E580B0A0E305C00CE009708CE102B58BE200B087E500C092E505C00CE009708CE100E087E500C092E505C00C ......... "HERE FLASH" ........ RI 0 . 0 0 PC 19200 0 EM 0 MAINTENANCE 0 WC 0 "HERE CONFIG" 0 0 RC 0 CI 10,199C 0 RC 0 EO 0 ID 0 FLUKE 199C;V08.04;2009-11-05;ENGLISH,FRENCH,SPANISH,PORTUGUESE EM 0 MAINTENANCE 0 CI 12,0 0 CI 13,confix 0 CI 14,0 0 CI 17,110195 0 CI 18,y 0 CI 320,N 0 RC 0 EO 0 RD 0 1995,1,1 WD 1995,1,1 0 IS 0 24648 WD 1995,1,1 0 GD 0 ... --- End code --- And from R&S FSH3 series You can backup and restore cal data and config by QC\WC on R&S FSH3 series --- Code: ---D @ 0 0 IS 0 24672 EM 0 maintenance 0 PC 0 115200 0 115200 0 IS 0 8289 ID 0 Rohde&Schwarz,03,1340102000,V7.20,2004-08-31 13:39:50,WORLD QI 0 400 2 QI 0 11 0 1340102000 QC 0 "HERE CONFIG" EM 0 galaxy 0 XXXXXXXXXXX0 WW10000000,4,0002000200020002 0 WB48000000,200,10402DE91040BDE8FFFFFFEA10402DE9050500EBA00500EBCD0500EBF60500EBD30800EB2A0900EB1040BDE8330900EA00472DE90090A0E1893489E0033189E08331A0E18CC99FE50CC093E700005CE3893089E00331A0E17CC99FE50200000A0C0093E7160000EB140000EA0CA093E70080A0E30A00A0E12F0100EB010050E30100A0030D00000A893489E0033189E08331A0E144299FE502C083E088C18CE028C09CE50AA08CE0018088E21CC082E20CC093E70C0058E1EDFFFF3A0000A0E30087BDE800472DE90080A0E100E0A0E30000A0E3803080E00331A0E1F8189FE5032091E7020058E10B00003A04C081E20CC093E702C08CE00C0058E10400009A08C081E20CC093E702C08CE00C0058E10100008A01E0A0E3010000EA010090E2EBFFFF0A00005EE32800000A2E0200EB020C50E3E50000BAED0000CA2B0000EA03C0C8E398189FE500C081E5FF30A0E3FF3883E200308CE500C091E500308CE55030A0E3053683E200C091E500308CE53030A0E3033683E200C091E500308CE5D030A0E30D3683E200C091E500308CE54C189FE500C091E500209CE58030A0E3023583E2030012E1F8FFFF0AFF30A0E3FF3883E200308CE500C091E500308CE54000A0E3010580E2000012E17300000A0100A0E3040000EA10C0A0E301C68CE20C0012E1F9FFFF1A0000A0E30087BDE803C0C8E3E8179FE500C081E5F030A0E3 0 ......... "HERE FLASH" ........ RI 0 t D 0 0 IS 0 24672 PC 0 19200 0 19200 0 EM 0 maintenance 0 WC 0 "HERE CONFIG" WD 0 2020,9,11 0 WT 0 1,28,50 0 ID 0 Rohde&Schwarz,03,1340102000,V14.0,2011-01-24 09:59:28,WORLD RI 0 D D 0 0 IS 0 24672 --- End code --- Maybe we can also enable options on R&S as FSH3 -TV?? |
| squadchannel:
helpful information. Thanks. :-+ I am currently working on a flash dump and restore tool for THS. As you know, Fluke's scopemeter series(early. 5-button), Tek's THS3000 and Rohde's FSH(early. 5-button) are based on the Fluke “Spider” chipset. Therefore, it is also obvious that they are equipped with the exact same UHM software. I was convinced when I saw the FSH firmware today. It is exactly the same update tool, Flashtool.ini encryption. wait a little longer. Currently, i know that the adjustment data that can be obtained by the QC command after entering the MAINTENANCE mode is slightly different from the data written by the WC command. The adjustment data sent by the WC command is divided into blocks (3E3h for THS3000), and a header is added to the beginning of each block, and a checksum is added to the end of each block, which is then sent to the scope. The scope side checks the data received by the WC command against the checksum, and if they match, only the "real" adjustment data without the checksum is written. Flashtool.exe also generates a file with a .CAL extension in the Temp folder. In the case of the THS3000 updater, inside you will find the results of QI10, 11, and 12 runs and the adjustment data obtained by the QC command. It will be deleted after the updater is completed, but if you backup it during the update, it will be useful in case something goes wrong. It won't mean anything once the update is done, though. If I go into too much detail, it would get out of the scope of this topic, so I'll leave it at that. Not sure about the options, maybe they can be unlocked via serial commands, like bushhealth on Fluke's C-series. Or if there is a menu to enter a code to unlock an option similar to the Fluke scope, there may be a way to generate a key. I too would like to know how patpat's keygen works. If you don't mind, could you attach the sniffed data? You may exclude the adjustment data. |
| patpat:
@smaultre Not having the units connected now, then you say QC/WC Query Calibration / Write Calibration QC and WC deal with pure ASCII or a binary blob? knowing this correctly is critical for developing a good Calibration Backup Do you know links to current firmware for the R&S FHS3/6 family? Edit01: Found it. @squadchannel I agree with you about the same firmware but to be 100% certain we should compare both THS3000_FW_v0102_Installer.zip Flash_190II_V10_41.exe both versions are "symmetric" because both fix the same "Safety Notice and Recall" of the previous FW version where the voltage reading could've been wrong by a factor of 10. We have THS3000_FW_v0102_Installer.zip; so far I couldn't find Flash_190II_V10_41.exe (archive.org is down) The differences between what QC gives and WC takes are critical for developing any serious back-up software. I think there should be a binary oriented pair of commands just taking a binary blob, that's what I think we need to find and it seems QC/WC is not the answer. Do you know if WC takes a binary blob? dividing it in 0x3E3 chunks and adding checksums makes sense in order to validate the unreliable serial connection. I do not know if this segmentation is also valid for the Fluke 199C family. BTW when you say -adjustment data- you mean "Calibration Data" right? About options on the THS3000, I already tried using the serial approach with CI 17, and the rest of CIs commands found encrypted in the cpl file for the 199C family updater but they did not work. I emailed people owning Fluke190-204 II and they also "cannot" find the Bushealth Code screen, then things are challenging. Now I'm looking at assembler, I found some phone fw image using a similar version of Nucleus Plus (RTOS) that had debug info on it then that helped a bit finding the keyboard pipe, function handlers etc, much better than before but still pretty cryptic, let's see. The point today is understanding if the Bushealth Code screen is reachable or the access is removed in the 190/THS3000 family Also if there's some other CI command that is necessary not only the CI 17, for the serial approach to work in this case What "sniffer" data do you need? you can send me PM (I think). Best, Pat |
| squadchannel:
I would like to see the entire sniffing data that smaultre posted. It would be helpful if you could attach it. Because the commands in the updater only use 2 (CF,PF) of the 7 EXTENSION COMMAND that are defined. know if this is only the case for THS3000. I tried writing the 190II_V11_46 binary to the THS3024. It works fine. I also tried writing the calibration data to the 11.46'ed 3024. It is recognized normally. No error also appears. It is safe to assume that the pcb are exactly the same. However, the keypad layout is different from 190II. It is not usable. At present, are in a situation where I can analyze the data without worrying. It is no longer necessary to go to the trouble of soldering a flash to write. Everything can be solved with serial commands. The waybackmachine is provisionally available. was available to some extent from the archived fluke site., but could not get the 10.41 updater. 11.10 was available, which is the next oldest after 10.41. The updater I was able to obtain is attached. Difference between data in qc and wc: --- Code: ---23 30 80 03 E3 --- End code --- is added at the beginning. --- Code: ---03 E3 --- End code --- is the chunk size. Then, for each chunk, --- Code: ---?? ?? 0D 30 0D 23 30 80 03 E3 --- End code --- continues to the end. The last chunk has a different size. I believe that the two bytes indicated by "?" are calculated with some kind of checksum. It is different for each chunk. The updater adds 0D for each completed transmit(each chunk). This is the same behavior as when writing to flash with the EXTENSION command. --- Code: ---30 0D --- End code --- is not relevant. I believe it is a ACKN response from the scope. The way I dumped it, I put TX and RX in an AND gate and receive with a separate USB serial adapter. So all data sent and received is sniffed. Also, the firmware of the internal PIC microcontroller was found to be included in the flash dumps and LDFs. there seems to have been an update to that in V11.20. The comma-separated first part of the subversions shown in the scope's VER&CAL is the firmware version of the PIC microcontroller; the second is the firmware version of the FTDI VNC1L. Just to be safe, I dumped the firmware of the PIC microcontroller with TL866 before applying 11.46 to THS. attaching it in case it fails, but can probably extract it from the updater LDF file. |
| patpat:
@squadchannel You uploaded 190II_V11_46 binary to THS3024: How did you do it? burning Flash or serial? Remember editing the flashtool.ini of the 190II_V11_46.exe with the decrypting tool should be enough for flashing the scope in the regular way. You say that the THS with Fluke FWis unusable: why? wouldn't be just like using a Fluke 190 only in "Scope" mode (No Meter Button)? I carefully tried understanding the format of the packet but it is not clear, do you have WC command capture to attach? In your sniffing capture you should see --- Code: ---WC20[Header][Payload][Trailer]...[Header][Payload][Trailer]0D --- End code --- some ASCII to remember 0D Carriage Return 20 Space 23 # 30 0 31 1 32 2 ... 39 9 Now could you please describe the [header] and the [Trailer] thanks @smaultre I looked at the FHS code I clearly see the following features 1 DEMO 2 B1 3 K2 4 K1 5 K3 6 K21 7 K22 8 K4 9 K60 A K15 It seems each pin is also a 10 digit number, different pins should enable different feature always based on SN of course, Are you able to reach the Feature Pin window? Best, Pat |
| Navigation |
| Message Index |
| Next page |
| Previous page |