EEVblog #978 - Keysight 1000X Hacking

[mtdoc]

This scope, it's distribution to various video bloggers and it's quickly uncovered hackability is clearly a direct response to the success of the Rigol DS series.

It looks like a consumer grade hackable scope race is on!

My guess is the next generation of Chinese branded scopes offers better specs, is also widely distributed to bloggers and wink, wink, nod - is easily hacked.

[Jay_Diddy_B]

This scope, it's distribution to various video bloggers and it's quickly uncovered hackability is clearly a direct response to the success of the Rigol DS series.

It looks like a consumer grade hackable scope race is on!

My guess is the next generation of Chinese branded scopes offers better specs, is also widely distributed to bloggers and wink, wink, nod - is easily hacked.

It is a great success in terms of how much interest it has generated. In some ways I think Keysight has won.
You can do some upgrades by hacking such as bandwidth and memory depth, but the really useful stuff like the Wavegen is still locked by the absent hardware. The serial decode SPI, CAN, I2C would be useful, but this has not been hacked (yet).

Regards,

Jay_Diddy_B

[RossS]

It is really academic, because such a large part of the hardware is missing, but can you access the FRA or the Bode function?

Yup, FRA "works". (It gives an error about voltage overload on the gen out bnc.)

You can plug in a USB keyboard for text entry. I wonder if there are key aliases for the front-panel buttons.

Looks like there are some key combinations (control-a for analyze, control-l for label, etc.), though I didn't find anything mapped to the wavegen function.

[TheSteve]

You can plug in a USB keyboard for text entry. I wonder if there are key aliases for the front-panel buttons.

Any luck with a USB to network adapter? I've been pondering if they happened to support one since it first came out. If it does support one I imagine it may be one specific model though.

Not the one I tried.  As AFAIK there is no "generic" USB-ethernet adapter, it would have to be something that is explicitly supported by the build of WinCE, and would also need to be supported by the Keysight application.
Seems unlikely, and not hugely useful. The only thing I've ever used network connectivity for on any scope is pulling screen images without having to plug in a USB stick

It does have SCPI support over USB, so that would cover a lot of use cases.

Network could mean telnet access like the X2000/X3000 series - which to this point has been the key to "enabling" software licenses.

[mikeselectricstuff]

You can plug in a USB keyboard for text entry. I wonder if there are key aliases for the front-panel buttons.

Any luck with a USB to network adapter? I've been pondering if they happened to support one since it first came out. If it does support one I imagine it may be one specific model though.

Not the one I tried.  As AFAIK there is no "generic" USB-ethernet adapter, it would have to be something that is explicitly supported by the build of WinCE, and would also need to be supported by the Keysight application.
Seems unlikely, and not hugely useful. The only thing I've ever used network connectivity for on any scope is pulling screen images without having to plug in a USB stick

It does have SCPI support over USB, so that would cover a lot of use cases.

Network could mean telnet access like the X2000/X3000 series - which to this point has been the key to "enabling" software licenses.

I wonder if the WinCE build includes RNDIS support. 

[mikeselectricstuff]

My guess is the next generation of Chinese branded scopes offers better specs, is also widely distributed to bloggers and wink, wink, nod - is easily hacked.

I doubt the Chinese are that smart. They're still rubbing numbers off chips FFS 

[TheSteve]

Well, even so, "just" with the already-confirmed(?) hacks, you can turn a 600$-ish 50MHz educational-wavegen one into a 1000$-ish >200MHz fully-fledged one... Which isn't too shabby in itself, imho.

Well, that is, assuming the issue Mike pointed out in his video from today, gets taken care of in the near future, of course 

I'm getting very tempted 

PS: What're the odds this has the same front-end as the DSOX2000 series? That might sort of explain the >200MHz capability, methinks...

The DSOX1000 series has a much "lower buck" front end then the X2000/X3000 series. Both the X2000/X3000 series have a front end processor capable of 1 GHz(actually should be 1.5 GHz).

[KhronX]

I meant the analog front-end, not the ADC

At least Farnell "only" have 70 / 100 / 200MHz 2000X-series scopes, hence my hunch.

Well, even so, "just" with the already-confirmed(?) hacks, you can turn a 600$-ish 50MHz educational-wavegen one into a 1000$-ish >200MHz fully-fledged one... Which isn't too shabby in itself, imho.

Well, that is, assuming the issue Mike pointed out in his video from today, gets taken care of in the near future, of course 

I'm getting very tempted 

PS: What're the odds this has the same front-end as the DSOX2000 series? That might sort of explain the >200MHz capability, methinks...

The DSOX1000 series has a much "lower buck" front end then the X2000/X3000 series. Both the X2000/X3000 series have a front end processor capable of 1 GHz(actually should be 1.5 GHz).

[TheSteve]

I am talking about the analog front end and not the ADC. The 2000/3000 series use a custom ASIC in the analog front end that is not present in the 1000X series. The 2000X series is limited to 200 MHz but that simply a choice Keysight has made.

I meant the analog front-end, not the ADC

At least Farnell "only" have 70 / 100 / 200MHz 2000X-series scopes, hence my hunch.

Well, even so, "just" with the already-confirmed(?) hacks, you can turn a 600$-ish 50MHz educational-wavegen one into a 1000$-ish >200MHz fully-fledged one... Which isn't too shabby in itself, imho.

Well, that is, assuming the issue Mike pointed out in his video from today, gets taken care of in the near future, of course 

I'm getting very tempted 

PS: What're the odds this has the same front-end as the DSOX2000 series? That might sort of explain the >200MHz capability, methinks...

The DSOX1000 series has a much "lower buck" front end then the X2000/X3000 series. Both the X2000/X3000 series have a front end processor capable of 1 GHz(actually should be 1.5 GHz).

[mrpackethead]

So given where this is going would you even bother going and buying a Rigol now?

[TheSteve]

So given where this is going would you even bother going and buying a Rigol now?

There are several other new scopes coming it seems, so waiting a little might make sense. Also the 1000X series doesn't have the software licenses hacked and I doubt that will happen anytime soon. For many people the DS1054Z may still be tough to beat - unless they prefer to see a higher end brand name on the bench(and who doesn't?).

[mikeselectricstuff]

- unless they prefer to see a higher end brand name on the bench(and who doesn't?).

..and a nice, responsive UI, proven firmware, support etc. etc....
Price isn't everything - some people just like to have nice things

[comeau]

For the record, I love how they were nice enough to give Dave a bunch of free scopes and he repaid them by hacking the crap out of it on YouTube like a week later.

[mtdoc]

For the record, I love how they were nice enough to give Dave a bunch of free scopes and he repaid them by hacking the crap out of it on YouTube like a week later.

I've no doubt that Dave had tacit permission from Keysight to do this. In fact I wouldn't be surprised if they encouraged it.

[Villain]

Dave stated under the youtube video that keysight did not give him permission to hack the scope, neither did they know he would do it.

[mtdoc]

Dave stated under the youtube video that keysight did not give him permission to hack the scope, neither did they know he would do it.

Of course he did.  He's no fool and I'm sure the lawyers wouldn't have it any other way. That is why I said TACIT approval.

See post #6 in this thread from Daniel from Keysight and read between the lines...

[mrpackethead]

For the record, I love how they were nice enough to give Dave a bunch of free scopes and he repaid them by hacking the crap out of it on YouTube like a week later.

I've no doubt that Dave had tacit permission from Keysight to do this. In fact I wouldn't be surprised if they encouraged it.

Or even provided some hints on how to get started.  Dave?  Care to comment

[mrpackethead]

So given where this is going would you even bother going and buying a Rigol now?

There are several other new scopes coming it seems, so waiting a little might make sense. Also the 1000X series doesn't have the software licenses hacked and I doubt that will happen anytime soon. For many people the DS1054Z may still be tough to beat - unless they prefer to see a higher end brand name on the bench(and who doesn't?).

What 'software' licences are you talking about specifically?

[KhronX]

The serial decode options - that's pretty much all that's left.

[TheSteve]

So given where this is going would you even bother going and buying a Rigol now?

There are several other new scopes coming it seems, so waiting a little might make sense. Also the 1000X series doesn't have the software licenses hacked and I doubt that will happen anytime soon. For many people the DS1054Z may still be tough to beat - unless they prefer to see a higher end brand name on the bench(and who doesn't?).

What 'software' licences are you talking about specifically?

DSOX1EMBD which is I2C, SPI, UART
DSOX1AUTO which is CAN/LIN

EDUX1EMBD which is I2C, UART for EDU models.

There are also software bandwidth upgrades(so far only to 100 MHz that we know of) which could mean easier upgrades without having to open the case of the scope.

Keysight can also easily disable any/all 200 MHz performance in firmware in the future if they want no matter the jumper settings.

[Brumby]

For the record, I love how they were nice enough to give Dave a bunch of free scopes and he repaid them by hacking the crap out of it on YouTube like a week later.

I've no doubt that Dave had tacit permission from Keysight to do this. In fact I wouldn't be surprised if they encouraged it.

Or even provided some hints on how to get started.  Dave?  Care to comment

IF this were even remotely true, I would not expect Dave to make any comment - and if he did, I can't see him offering anything other than denial.


As for Daniel's comment, he simply indicated that whatever a person does with their own scope is up to them.  After all, what they do in their own lab would be impossible to police.

Their legal department would start taking an active interest if someone was trying to sell hacked scopes.  I would think that is pretty obvious - as this would directly impact Keysight's sales.

[hauptbr09]

For the record, I love how they were nice enough to give Dave a bunch of free scopes and he repaid them by hacking the crap out of it on YouTube like a week later.

I've no doubt that Dave had tacit permission from Keysight to do this. In fact I wouldn't be surprised if they encouraged it.

Or even provided some hints on how to get started.  Dave?  Care to comment

IF this were even remotely true, I would not expect Dave to make any comment - and if he did, I can't see him offering anything other than denial.


As for Daniel's comment, he simply indicated that whatever a person does with their own scope is up to them.  After all, what they do in their own lab would be impossible to police.

Their legal department would start taking an active interest if someone was trying to sell hacked scopes.  I would think that is pretty obvious - as this would directly impact Keysight's sales.

Yes, this would be the case. Legally speaking, it is your property. Legal from Keysight would nail anyone redistributing scopes that were hacked, the same as they would nail anyone selling knockoffs rebranded as Keysight.

Sent from my SM-G935V using Tapatalk

[mrpackethead]

The serial decode options - that's pretty much all that's left.

Which is of not a lot of interest to me. Thats so easy to do with a Logic Analyser and a PC.. 

[mrpackethead]

Their legal department would start taking an active interest if someone was trying to sell hacked scopes.  I would think that is pretty obvious - as this would directly impact Keysight's sales.

[/quote]
Yes, this would be the case. Legally speaking, it is your property. Legal from Keysight would nail anyone redistributing scopes that were hacked, the same as they would nail anyone selling knockoffs rebranded as Keysight.

Sent from my SM-G935V using Tapatalk
[/quote]

If i took a 'red led flasher' and replaced the led with a green led and then resold it. ( it was my property, i am allowed to sell it ), would i be breaking any law?     Is the situation not the same with this scope? Its your property, you can do what you want with it,  change it, paint it, etc etc.

What law would you be breaching..  Your not hacking any code. Your just using the scope in a way it was'tn possibly intended to be done.


Note: I'm not even contemplaing becoming a scope mod resale shp.. but thats not the point.

[Brumby]

IANAL.  The Keysight legal department would be the people to ask.