Products > Test Equipment

Fluke/Tektronix Bushealth Code: 192C/196C/199C/215C/225C/190 (I & II) THS3000

<< < (4/8) > >>

smaultre:
Yes! Thank you Pat!!
Additionally some data dumps from COM port to explain how application updates firmware Fluke 199 series

You can backup and restore cal data and config by QC\WC on Fluke 199


--- Code: ---0

0
SO
1
PC 19200
0
IS
0
26696
ID
0
FLUKE 199C;V07.06;2008-01-23;ENGLISH,FRENCH,SPANISH,PORTUGUESE
QI 11
0
13150000
.
.
0

0
SO
1
PC 19200
0
IS
0
14408
ID
0
FLUKE 199C;V07.06;2008-01-23;ENGLISH,FRENCH,SPANISH,PORTUGUESE
QI 11
0
13150000
EM
0
MAINTENANCE
0
QI 10
0
199C
QC
0


"HERE CONFIG"

EO
0
EM
0
FLUKEUHM
0
XXXXXXXXXXX0
WW10000000,4,0002000200020002
0


.........

"HERE FLASH"
........

RI
0
.
0

0
PC 19200
0
EM
0
MAINTENANCE
0
WC
0

"HERE CONFIG"

0
0
RC
0
CI 10,199C
0
RC
0
EO
0
ID
0
FLUKE 199C;V08.04;2009-11-05;ENGLISH,FRENCH,SPANISH,PORTUGUESE
EM
0
MAINTENANCE
0
CI 12,0
0
CI 13,confix
0
CI 14,0
0
CI 17,110195
0
CI 18,y
0
CI 320,N
0
RC
0
EO
0
RD
0
1995,1,1
WD 1995,1,1
0
IS
0
24648
WD 1995,1,1
0
GD
0
...
--- End code ---


And from R&S FSH3 series

You can backup and restore cal data and config by QC\WC on R&S FSH3 series



--- Code: ---D
@
0

0
IS
0
24672
EM
0
maintenance
0
PC
0
115200
0
115200
0
IS
0
8289
ID
0
Rohde&Schwarz,03,1340102000,V7.20,2004-08-31 13:39:50,WORLD
QI
0
400
2
QI
0
11
0
1340102000
QC
0

"HERE CONFIG"

EM
0
galaxy
0
XXXXXXXXXXX0
WW10000000,4,0002000200020002
0
WB48000000,200,10402DE91040BDE8FFFFFFEA10402DE9050500EBA00500EBCD0500EBF60500EBD30800EB2A0900EB1040BDE8330900EA00472DE90090A0E1893489E0033189E08331A0E18CC99FE50CC093E700005CE3893089E00331A0E17CC99FE50200000A0C0093E7160000EB140000EA0CA093E70080A0E30A00A0E12F0100EB010050E30100A0030D00000A893489E0033189E08331A0E144299FE502C083E088C18CE028C09CE50AA08CE0018088E21CC082E20CC093E70C0058E1EDFFFF3A0000A0E30087BDE800472DE90080A0E100E0A0E30000A0E3803080E00331A0E1F8189FE5032091E7020058E10B00003A04C081E20CC093E702C08CE00C0058E10400009A08C081E20CC093E702C08CE00C0058E10100008A01E0A0E3010000EA010090E2EBFFFF0A00005EE32800000A2E0200EB020C50E3E50000BAED0000CA2B0000EA03C0C8E398189FE500C081E5FF30A0E3FF3883E200308CE500C091E500308CE55030A0E3053683E200C091E500308CE53030A0E3033683E200C091E500308CE5D030A0E30D3683E200C091E500308CE54C189FE500C091E500209CE58030A0E3023583E2030012E1F8FFFF0AFF30A0E3FF3883E200308CE500C091E500308CE54000A0E3010580E2000012E17300000A0100A0E3040000EA10C0A0E301C68CE20C0012E1F9FFFF1A0000A0E30087BDE803C0C8E3E8179FE500C081E5F030A0E3
0
.........

"HERE FLASH"
........

RI
0

t
D
0

0
IS
0
24672
PC
0
19200
0
19200
0
EM
0
maintenance
0
WC
0

"HERE CONFIG"

WD
0
2020,9,11
0
WT
0
1,28,50
0
ID
0
Rohde&Schwarz,03,1340102000,V14.0,2011-01-24 09:59:28,WORLD
RI
0

D
D
0

0
IS
0
24672


--- End code ---

Maybe we can also enable options on R&S as FSH3 -TV??

squadchannel:
helpful information. Thanks. :-+

I am currently working on a flash dump and restore tool for THS.

As you know, Fluke's scopemeter series(early. 5-button), Tek's THS3000 and Rohde's FSH(early. 5-button) are based on the Fluke “Spider” chipset.
Therefore, it is also obvious that they are equipped with the exact same UHM software.
I was convinced when I saw the FSH firmware today. It is exactly the same update tool, Flashtool.ini encryption.

wait a little longer.

Currently, i know that the adjustment data that can be obtained by the QC command after entering the MAINTENANCE mode is slightly different from the data written by the WC command.

The adjustment data sent by the WC command is divided into blocks (3E3h for THS3000), and a header is added to the beginning of each block, and a checksum is added to the end of each block, which is then sent to the scope.
The scope side checks the data received by the WC command against the checksum, and if they match, only the "real" adjustment data without the checksum is written.

Flashtool.exe also generates a file with a .CAL extension in the Temp folder.
In the case of the THS3000 updater, inside you will find the results of QI10, 11, and 12 runs and the adjustment data obtained by the QC command.
It will be deleted after the updater is completed, but if you backup it during the update, it will be useful in case something goes wrong.
It won't mean anything once the update is done, though.

If I go into too much detail, it would get out of the scope of this topic, so I'll leave it at that.

Not sure about the options, maybe they can be unlocked via serial commands, like bushhealth on Fluke's C-series.
Or if there is a menu to enter a code to unlock an option similar to the Fluke scope, there may be a way to generate a key.
I too would like to know how patpat's keygen works.

If you don't mind, could you attach the sniffed data? You may exclude the adjustment data.

patpat:
@smaultre
Not having the units connected now, then you say
QC/WC Query Calibration / Write Calibration
QC and WC deal with pure ASCII or a binary blob? knowing this correctly is critical for developing a good Calibration Backup

Do you know links to current firmware for the R&S FHS3/6 family?
Edit01: Found it.


@squadchannel
I agree with you about the same firmware but to be 100% certain we should compare both
THS3000_FW_v0102_Installer.zip
Flash_190II_V10_41.exe
both versions are "symmetric" because both fix the same "Safety Notice and Recall" of the previous FW version where the voltage
reading could've been wrong by a factor of 10.
We have THS3000_FW_v0102_Installer.zip; so far I couldn't find Flash_190II_V10_41.exe (archive.org is down)

The differences between what QC gives and WC takes are critical for developing any serious back-up software.
I think there should be a binary oriented pair of commands just taking a binary blob, that's what I think we need to find and it seems QC/WC is not the answer.
Do you know if WC takes a binary blob? dividing it in 0x3E3 chunks and adding checksums makes sense in order to validate the unreliable serial connection.
I do not know if this segmentation is also valid for the Fluke 199C family.

BTW when you say -adjustment data- you mean "Calibration Data" right?

About options on the THS3000, I already tried using the serial approach with CI 17, and the rest of CIs commands found encrypted in the cpl file for the 199C family updater but they did not work.
I emailed people owning Fluke190-204 II and they also "cannot" find the Bushealth Code screen, then things are challenging.

Now I'm looking at assembler, I found some phone fw image using a similar version of Nucleus Plus (RTOS) that had debug info on it then that helped a bit
finding the keyboard pipe, function handlers etc, much better than before but still pretty cryptic, let's see.

The point today is understanding if the Bushealth Code screen is reachable or the access is removed in the 190/THS3000 family
Also if there's some other CI command that is necessary not only the CI 17, for the serial approach to work in this case

What "sniffer" data do you need? you can send me PM (I think).

Best,
Pat

squadchannel:
I would like to see the entire sniffing data that smaultre posted. It would be helpful if you could attach it.

Because the commands in the updater only use 2 (CF,PF) of the 7 EXTENSION COMMAND that are defined.
know if this is only the case for THS3000.

I tried writing the 190II_V11_46 binary to the THS3024. It works fine.
I also tried writing the calibration data to the 11.46'ed 3024. It is recognized normally. No error also appears.
It is safe to assume that the pcb are exactly the same. However, the keypad layout is different from 190II. It is not usable.

At present, are in a situation where I can analyze the data without worrying.
It is no longer necessary to go to the trouble of soldering a flash to write. Everything can be solved with serial commands.

The waybackmachine is provisionally available.
was available to some extent from the archived fluke site., but could not get the 10.41 updater.
11.10 was available, which is the next oldest after 10.41.
The updater I was able to obtain is attached.

Difference between data in qc and wc:

--- Code: ---23 30 80 03 E3
--- End code ---

is added at the beginning.


--- Code: ---03 E3
--- End code ---

is the chunk size.
Then, for each chunk,

--- Code: ---?? ?? 0D 30 0D 23 30 80 03 E3
--- End code ---
continues to the end. The last chunk has a different size.
I believe that the two bytes indicated by "?" are calculated with some kind of checksum. It is different for each chunk.
The updater adds 0D for each completed transmit(each chunk).
This is the same behavior as when writing to flash with the EXTENSION command.


--- Code: ---30 0D
--- End code ---
is not relevant. I believe it is a ACKN response from the scope.

The way I dumped it, I put TX and RX in an AND gate and receive with a separate USB serial adapter. So all data sent and received is sniffed.

Also, the firmware of the internal PIC microcontroller was found to be included in the flash dumps and LDFs.
there seems to have been an update to that in V11.20.
The comma-separated first part of the subversions shown in the scope's VER&CAL is the firmware version of the PIC microcontroller; the second is the firmware version of the FTDI VNC1L.

Just to be safe, I dumped the firmware of the PIC microcontroller with TL866 before applying 11.46 to THS. attaching it in case it fails, but can probably extract it from the updater LDF file.

patpat:
@squadchannel
You uploaded 190II_V11_46 binary to THS3024:
How did you do it? burning Flash or serial?
Remember editing the flashtool.ini of the 190II_V11_46.exe with the decrypting tool
should be enough for flashing the scope in the regular way.
You say that the THS with Fluke FWis unusable: why?
wouldn't be just like using a Fluke 190 only in "Scope" mode (No Meter Button)?


I carefully tried understanding the format of the packet but it is not clear, do you have WC command capture to attach?
In your sniffing capture you should see


--- Code: ---WC20[Header][Payload][Trailer]...[Header][Payload][Trailer]0D
--- End code ---

some ASCII to remember
0D  Carriage Return
20  Space
23  #
30  0
31  1
32  2
...
39  9

Now could you please describe the [header] and the [Trailer]
thanks


@smaultre
I looked at the FHS code I clearly see the following features
1   DEMO
2   B1
3   K2
4   K1
5   K3
6   K21
7   K22
8   K4
9   K60
A   K15

It seems each pin is also a 10 digit number, different pins should enable different feature always based on SN of course,
Are you able to reach the Feature Pin window?

Best,
Pat


 

Navigation

[0] Message Index

[#] Next page

[*] Previous page

There was an error while thanking
Thanking...
Go to full version
Powered by SMFPacks Advanced Attachments Uploader Mod