Hey guys. Thank you for your positive feedback!
I kept trying out a little bit and found out one more point that seems to be important - the EEPROM!
Mine is a MICROCHIP one marked with 4L64I. The manufacturer's datasheet (http://ww1.microchip.com/downloads/en/devicedoc/21189f.pdf) says on p. 13 that it is a 24LC64 I²C device (8K x 8).
So I cross-compiled the Linux i²c tools and read it out with eeprog:
./eeprog /dev/i2c-0 0x50 -r 0x0000:0x2000 -16 > EEPROM.bin
You can find it at https://github.com/WiZZteXX/DSO4xx4c/blob/master/EEPROM.bin. Here comes the plot:
They programmed the bandwidth in from 0x0006 as "80M". Just wanting to know what happens, I desoldered the EEPROM - no difference. From reading the startup outputs, which say that the scope is 250M, I guess that it is just a kind of backup.
What else is coded:
The [Lans] value starting at 0x020c and the [Language] value starting at 0x0216. That's it. No serial number.
The rest are patterns of 0x00's and 0xFF's. The funny thing about this is that they updated the [Lans] in their last update to 255 - but they did not change it in the EEPROM.
Unfortunately, it would not be the first time a Chinese company hard-copies some stuff and later tries to use it to deactivate the device (had that experience with a hacked MiniPRO EEPROM programmer, too).
So better be careful with updates until this is cleared!
So I am of course interested in changing the values to the current settings, but I am not sure if 3-digit bandwidth values would also start @ 0x0006 or already at 0x0005. Maybe someone who bought a 100 MHz scope could read out the EEPROM and tell me that. I would then script a shell file that corrects the value using the i²c tools. I uploaded the compiled tools to https://github.com/WiZZteXX/DSO4xx4c/tree/i2c-tools/usr/ so you can simply copy them to a flash drive and run the instruction mentioned before.
I just made a simple test: I first modified the EEPROM starting at 0x0005 to "250M" and renamed the /dso/root/system.inf. Starting the device and checking the bootlog, it said it is 50M. So it just cropped the 2.
Next try: I wrote the "250M" starting at 0x0006 and once more deleted the newly created system.inf.
The scope autocreated a new /dso/root/system.inf as a kind of template with the speed "250M" added (see attachment).
So to complete the hacking process you will also have to change the EEPROM contents as follows:
1. Download the compiled i²c tools from my github and save them to a flash drive.
2. Open the scope and start a terminal as described in pt. 3 of my Hacking guide.
3. Run the following instructions:
cd /mnt/udisk/usr/local/sbin
cat 250M | ./eeprog /dev/i2c-0 0x50 -f -w 0x0006 -16
./eeprog /dev/i2c-0 0x50 -f -x -r 0x0000:16 -16
(The file 250M just contains the string "250M" without any control signals, which makes it easier than an echo instruction.)
4. The last output should now show the hex values for 250M like this:
0000| 00 00 00 00 00 00 32 35 30 4d 00 00 00 00 00 00
The scope should now be hacked completely and should be safe for future updates.
I will compare with a calibrated 200MHz Agilent DSO I have at work and will come back after these measurements with more pictures.
I am really interested in the results!
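The dump layout described in this post (bandwidth string at 0x0005 or 0x0006, values at 0x020c and 0x0216, everything else 0x00/0xFF filler) can be checked offline on a saved EEPROM.bin. This is an added example, not code from the original post: the function names and the sample dump are constructed, and the bytes placed at 0x020c and 0x0216 are placeholders because the post does not give their encoding.

```python
# Added example: list the non-filler regions of a 24LC64 dump (8K x 8).
import sys
from pathlib import Path

EEPROM_SIZE = 0x2000                   # matches the 0x0000:0x2000 read in the post
FILLER = (0x00, 0xFF)                  # the post says the rest is 0x00/0xFF patterns
BANDWIDTH_OFFSETS = (0x0005, 0x0006)   # the two candidate start offsets discussed

def data_runs(dump):
    """Return (offset, bytes) for every run of non-filler bytes."""
    runs, start = [], None
    for i, b in enumerate(dump):
        if b not in FILLER:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, bytes(dump[start:i])))
            start = None
    if start is not None:
        runs.append((start, bytes(dump[start:])))
    return runs

def bandwidth_field(dump):
    """Return (offset, text) of a run shaped like '80M' / '250M', or None."""
    for off, run in data_runs(dump):
        text = run.decode("ascii", errors="replace")
        if off in BANDWIDTH_OFFSETS and text[:-1].isdigit() and text.endswith("M"):
            return off, text
    return None

def make_sample():
    """Constructed dump; only the offsets and the "80M" string come from the post."""
    d = bytearray(EEPROM_SIZE)
    d[0x1000:] = b"\xff" * (EEPROM_SIZE - 0x1000)  # constructed 0xFF region
    d[0x0006:0x0009] = b"80M"
    d[0x020C] = 0x01     # placeholder byte, real [Lans] encoding unknown
    d[0x0216] = 0x02     # placeholder byte, real [Language] encoding unknown
    return bytes(d)

def report(dump):
    """Format every data run as an 'offset| hex  repr' line plus the bandwidth field."""
    if len(dump) != EEPROM_SIZE:
        raise ValueError(f"expected {EEPROM_SIZE} bytes, got {len(dump)}")
    lines = [f"{off:04x}| {run.hex(' ')}  {run!r}" for off, run in data_runs(dump)]
    lines.append(f"bandwidth field: {bandwidth_field(dump)}")
    return lines

if __name__ == "__main__":
    dump = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else make_sample()
    print("\n".join(report(dump)))
```

Run it with the path to a saved dump as the only argument; without an argument it reports on the constructed sample.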