EEVblog #978 - Keysight 1000X Hacking

[Bud]

Use a good quality probes. The 70MHz ones supplied with EDUX are shitty ones, one already quit on me after maybe couple dozen uses.

[liviux]

Use a good quality probes. The 70MHz ones supplied with EDUX are shitty ones, one already quit on me after maybe couple dozen uses.

Yeah...could be but both probes have exact same result on either the channels. I can go on and use it on x10 without issues. But as ive said i cant seem to recall this before the mod. So it feels like a difference and i want to know the cause for my piece of mind.

Thanks.

[liviux]

Tested with more probes on x1... same result.
even on x10 probes, I can barely calibrate them to look perfect.

[hv222]

My modded scope have same issiue. Unfortunatelly I don't have possibility to check what is source o problem - frontend or test signal generator.

[liviux]

My modded scope have same issiue. Unfortunatelly I don't have possibility to check what is source o problem - frontend or test signal generator.

Well, I've tested the 1khz signal from another scope and it looks the same.
My bet is that somewhere on the front end there is a weird thing. Maybe the output filter (after diff amp)
Can someone confirm that on DSO1102 the filter has 47uH and 4.7pF?

[hv222]

Another problem I found last time is a jitter on external trigger. Scope can't align trigger edge with time 0. 

[liviux]

So I think this is just a weird thing happening here. either the input trimmer on the CH input needs to be calibrated again or this is how the scope reacts when using an x1 probe. But it should not right? On x10 probes when calibrated everything is fine.
Oh well the scope performs fine so this is more of an "obsession" for me at least.

What does Santa say?

[Bud]

OK folks, try the attached to do it in a controlled manner    Read the instruction in the attachment and ask if anything is not clear.

Because the full package is too big to send in an attachment, this one instead is using a .diff file patch over the original kernel file. The command line tool for diff file application was borrowed from the DSOX2000 thread.

Edit: I pulled the Diff package for now, will publish the Full one later today.

Update:  here it is. You are welcome 

https://we.tl/t-jeXp74iDxF

[Mwyann]

Hey @Bud, tried installing the patched 1.20, but when I try to load "120patch_install.cab" the scope shows me an "Error: the file did not load correctly." I checked the MD5 and it's all good. I'm using a DSOX1102G, and I already tried to Factory Reset.

Also tried to create a new full .cab install, with both firmwares in it, and changed install.xml to install the patched firmware into ceImage1, with no luck (the upgrade goes well but I don't have the new licences).

[edit] Strange, I got back to patched 1.10 (from Fercsa) and just installed "120patch_install.cab" over it successfuly, new firmware with full licenses! But if I try again from a clean 1.20, it doesn't work... weird.

I tried a bunch of options, but for whatever reason the ceImage1 doesn′t want to flash when I′m already on 1.20. And I don′t want a Frankenstein 1.10/1.20 mix... I′d like to make sure I′ve updated everything that′s inside the original ksx file.

[wp_wp]

Hey @Bud, tried installing the patched 1.20, but when I try to load "120patch_install.cab" the scope shows me an "Error: the file did not load correctly." I checked the MD5 and it's all good. I'm using a DSOX1102G, and I already tried to Factory Reset.

Also tried to create a new full .cab install, with both firmwares in it, and changed install.xml to install the patched firmware into ceImage1, with no luck (the upgrade goes well but I don't have the new licences).

[edit] Strange, I got back to patched 1.10 (from Fercsa) and just installed "120patch_install.cab" over it successfuly, new firmware with full licenses! But if I try again from a clean 1.20, it doesn't work... weird.

I tried a bunch of options, but for whatever reason the ceImage1 doesn′t want to flash when I′m already on 1.20. And I don′t want a Frankenstein 1.10/1.20 mix... I′d like to make sure I′ve updated everything that′s inside the original ksx file.

Maybe the Infiniivision core.dll is not patched correctly for DSOX1102G.

[wp_wp]

Hey @Bud, tried installing the patched 1.20, but when I try to load "120patch_install.cab" the scope shows me an "Error: the file did not load correctly." I checked the MD5 and it's all good. I'm using a DSOX1102G, and I already tried to Factory Reset.

Also tried to create a new full .cab install, with both firmwares in it, and changed install.xml to install the patched firmware into ceImage1, with no luck (the upgrade goes well but I don't have the new licences).

[edit] Strange, I got back to patched 1.10 (from Fercsa) and just installed "120patch_install.cab" over it successfuly, new firmware with full licenses! But if I try again from a clean 1.20, it doesn't work... weird.

I tried a bunch of options, but for whatever reason the ceImage1 doesn′t want to flash when I′m already on 1.20. And I don′t want a Frankenstein 1.10/1.20 mix... I′d like to make sure I′ve updated everything that′s inside the original ksx file.

If you modify ceImage1 and ceImage2，can you hack DSOX1102G？

[Mwyann]

Maybe the Infiniivision core.dll is not patched correctly for DSOX1102G.

Well, the weird thing is I could get the patched 1.20 firmware working but only when installed from the 1.10 firmware, but that doesn't update everything (like infiniiVisionSetup.cab), so I guess my firmware isn't fully up to date and may have problems. I'd like to be able to flash and patch everything.

If you modify ceImage1 and ceImage2，can you hack DSOX1102G？

I wouldn't flash the ceImage2 with the patched version, as the ceImage2 is used as a backup. I'd rather keep the safe "official" version there.

[wp_wp]

I helped my friend hack his DSOX1102G.
But its firmware downgrade from V1.2 to V1.1.

[Bud]

I tested on EDUX 1002A. I do have a full package but need to find a place to upload it to... stay tuned.

[wp_wp]

I tested on EDUX 1002A. I do have a full package but need to find a place to upload it to... stay tuned.

You forgot to write how to change link file.

[Bud]

The LNK method does not work on 1000X.

[Bud]

[edit] Strange, I got back to patched 1.10 (from Fercsa) and just installed "120patch_install.cab" over it successfuly, new firmware with full licenses! But if I try again from a clean 1.20, it doesn't work... weird.

I tried a bunch of options, but for whatever reason the ceImage1 doesn′t want to flash when I′m already on 1.20. And I don′t want a Frankenstein 1.10/1.20 mix... I′d like to make sure I′ve updated everything that′s inside the original ksx file.

Technically, the 1.20 nk.bin is all is needed to put over 1.10, the rest of files is identical except the local language files. You can use a file compare software to see what differred between the official 1.10 and official 1.20.

[Mwyann]

Technically, the 1.20 nk.bin is all is needed to put over 1.10, the rest of files is identical except the local language files. You can use a file compare software to see what differred between the official 1.10 and official 1.20.

Oh, well I guess it′s more or less fine then, but I still don′t know why your package refuses to update from a 1.20 install, but you still can downgrade to patched 1.10. And why my patched full 1.20 install seems to succeed but in fact the ceImage1 is kept unchanged. That sound sketchy, and I′d like to hear from you if you know a reason why this could happen.

[Bud]

Try this link to a full package (~30Mb) with a backup of the original 1.20 in Image2:

https://we.tl/t-GW2QZ3NnjQ

[Bud]

And why my patched full 1.20 install seems to succeed but in fact the ceImage1 is kept unchanged.

  During work I loaded the interim versions into Image 2, keeping Image 1 original (I had a serial connection so I could select at power on which image I want to boot). Then once the work was finished I updated Image 1 as well. Hard to tell. But I did it over FERCSA's version 1.10. Maybe this should be the recommended way to do it.

Sadly I cant try things at this time. After I made the patch I was doing other work that required removing the BLT module a few times, and it seems I may have eventually damaged the module by flexing. Will look into it after the holidays.

[Mwyann]

Try this link to a full package (~30Mb) with a backup of the original 1.20 in Image2:

https://we.tl/t-3ODV5OcpUI

(the link will expire in 7 days)

Well it worked, reinstalled 1.20 stock just to be on the safe side, then flashed your install file and it rebooted just fine with everything patched. That's not fair, I did the same thing! 

Thanks again man!  And Merry Christmas !

[Bud]

Thanks for confirming  Happy 'scoping !

[Bud]

Here is the boot log of the liberated 1.20

Code: [Select]

U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  internal ecc 128 MiB

Debug serial initialized ........OK
RTC: 2024-20-12   1:103:51.26 UTC

Microsoft Windows CE Bootloader Common Library Version 1.4 Built May  7 2015 01:
38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008


System ready!
Preparing for download...
RTC: 2024-20-12   1:103:51.26 UTC
 Loading image 1 from memory at 0xD0600000
O
BL_IMAGE_TYPE_BIN

X
XXXXOOOOXXOOOOOOOOXOXOOOOOOOOXOOOXOOOOXXXOOOOOOOOOXOOOOXOXXOXOXXOXOXOXOXXXXOOXXX
OOOOOOXXOXXOXXXXXXOOOXXXOOXXOXOXXOXXOOOXOOOXXOOXOXOOOOXOXOOOOOXOOOXOOXOXXOXOXXXX
XXOXXXXOOOXOOOXOXOOOOXOOOOXOXOX
OOOOOOXOOOXOOXOOOOXOOOOXOOXXOOXOOOOOOOOOXOOOOXOOOOOOXOXOOOOXOXOOOOOOOXXOOXOOXOXO
OOXOOOXOOXXOXOXOOOXOXXXXXOXOXXXOXXXOXOXXOOOXXXOXXXXXXXXOXXXXXXXOXXXXOXOXXOXOOOXX
XXXOXXXXOOOXOXXOOX
XXOXXOOXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
OOOOOOOOOOOOOOXXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXXXOXOOOX
OXOOOXOOXXXXXXXXXXXXXrom_offset=0x0.
XXImageStart = 0x80361000, ImageLength = 0x1A857C0, LaunchAddr = 0x80362000

Completed file(s):
-------------------------------------------------------------------------------
[0]: Address=0x80361000  Length=0x1A857C0  Name="" Target=RAM
 Loading image 1 succeeded.
ROMHDR at Address 80361044h
Preparing launch...
RTC: 2024-20-12   1:103:51.29 UTC
Launching windows CE image by jumping at address 0x  362000

Windows CE Kernel for ARM (Thumb Enabled) Built on Mar  8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Jun 10 2019)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000  size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
 OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers\Active\14
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200  (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
LAN PHY detected.
-EDeviceLoadEeprom 00:30:D3:20:D7:70
Phy found addr 15 (ticks=3502)
WaitForLink Start (ticks=3504)
Link Detected (ticks=3506)

 GMAC Init : 100 Mbit/s FULL DUPLEX (MII)
Flushed Transmit Buffer
phyCfg->dwSpeed 0x64
phyCfg->bFullDuplex 0x1
<--EDeviceInitialize

GMAC DMA status register = 0x600004
GMAC Device enable interrupt
DriverStart
GMAC Device enable interrupt
LIN: Data Valid
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
Autonegociation Start (ticks=5533)
Autonegociation End (ticks=8038)
WaitForLink Start (ticks=8039)
Link Detected (ticks=8042)

 GMAC Init : 100 Mbit/s FULL DUPLEX (MII)
cable attached
Device load time:
   NANDFLASH: 0 ms
   SNANDFLASH: 0 ms
   USB Hard Disk Drive: 0 ms
Summary of scan:

All FATs on volume agree

Percent Fragmentation: 0
Invalid Directories: 0
Invalid Files: 0
Invalid Clusters: 0
Lost Cluster Chains: 0

ScanVolume \Agilent Flash (NANDFLASH) 0.306000
Summary of scan:

All FATs on volume agree

Percent Fragmentation: 0
Invalid Directories: 0
Invalid Files: 0
Invalid Clusters: 0
Lost Cluster Chains: 0

ScanVolume \Secure (SNANDFLASH) 0.402000
SHIM DLL, LoadRealDll [PalIO.dll] for [AgilentPalIO.dll]
SHIM [AgilentPalIO.dll] Get Process Addresses
LaunchInfiniiVision:
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll]
SHIM [AgilentPalSStorage.dll] Get Process Addresses
Create: \Secure\bin\
Released build, Jun 10 2019, 21:13:39
Initializing FPGA...
************************************
Ver: 1.067 Released
************************************
*** Liberating License: Acq Memory Max
*** Liberating License: Embedded serial decode and trigger
*** Liberating License: Automotive serial decode and trigger
*** Liberating License: Flex Ray serial decode
*** Liberating License: Power application
*** Liberating License: Segmented Memory
*** Liberating License: Mask limit testing
*** Liberating License: Telecom Mask Test
*** Liberating License: 500MHz Bandwidth
*** Liberating License: 200MHz Bandwidth
*** Liberating License: Audio serial decode and trigger
*** Liberating License: Education kit license
*** Liberating License: WaveGen license
*** Liberating License: 1553 & 429 serial decodes
*** Liberating License: Enhanced Video Triggering
*** Liberating License: Advance Math
*** Liberating License: Flex Ray Plus
*** Liberating License: Digital Voltmeter
*** Liberating License: ASV
*** Liberating License: Cable Calibration
*** Liberating License: Infiniium Mode
*** Liberating License: Remote Log
*** Liberating License: Circular Segmented Memory
*** Liberating License: Tomotherapy
*** Liberating License: F8AEAE82
Calibration mode User
Cal Date Sat Nov 07 00:57:51 2020
Startup sequence is complete.
SHIM DLL, LoadRealDll [PalSysManagement.dll] for [AgilentPalSysManagement.dll]
SHIM [AgilentPalSysManagement.dll] Get Process Addresses
SHIM DLL, LoadRealDll [PalCaps.dll] for [AgilentPalCaps.dll]
SHIM [AgilentPalCaps.dll] Get Process Addresses
SHIM DLL, LoadRealDll [PalWin32.dll] for [AgilentPalWin32.dll]
SHIM [AgilentPalWin32.dll] Get Process Addresses
System has been running 22.839304 seconds
Start Up Sequence 10.222012
Memory Load 58%
   System Physical Memory 42.355 / 73.465 MB
   Process Virtual Memory 46.875 / 1024.000 MB
-----> InfiniiVision is running <-----
will do USB phy workaround: CheckCRC


Running the hardware Self-Test after a boot:

Code: [Select]

** self test: PASSED : DDR Mem Bus
** self test: PASSED : Acquisition Memory
** self test: PASSED : ADC
** self test: PASSED : MegaZoom SIPO
** self test: PASSED : TrigComp & Mux
** self test: PASSED : Temp Sensor
** self test: PASSED : FirmwareStatus
** self test: PASSED : Language


I hooked up a LAN chip to the scope so there are associated entries for the network in the log. A stock 1000X would only say "PHY Not found" instead.
I also got the External Trigger mod, all passed.
Not sure if the 2 Megapoints memory is tested in the Acquisition Memory test, but that can be verified by other means.

[Bud]

If you modify ceImage1 and ceImage2，can you hack DSOX1102G？

All 1000X have same firmware, so all of them should work. The package was developed on a EDUX 1002A modified for 200MHz front-end, external trigger, Wavegen and LAN.

[wp_wp]

The LNK method does not work on 1000X.

When I use patched V1.20 file made by PhillyFlyers to hack EDUX1002A，with link file，it display strange options.
So，I think PhillyFlyers’s file patched not correctly or fully.
Maybe there exists Link file method to hack 1000X,but we do not find it so far.