Author Topic: EEVblog #978 - Keysight 1000X Hacking  (Read 510666 times)


Online Bud

  • Super Contributor
  • ***
  • Posts: 7125
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1000 on: November 26, 2023, 09:46:04 pm »
Only change bootdelay and pbootdelay to, say, 3, but only in the env var section 0x00040000 - 0x00043FFF. Do not change anything before 0x00040000.
Facebook-free life and Rigol-free shack.
 

Offline TT-392

  • Contributor
  • Posts: 21
  • Country: nl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1001 on: November 27, 2023, 12:08:58 am »
Only change bootdelay and pbootdelay to, say, 3, but only in the env var section 0x00040000 - 0x00043FFF. Do not change anything before 0x00040000.

I guess I should set one of those bootdelays back to 0 then (if that one is indeed not in the env vars area). But I kinda doubt that will fix my current problem: If I boot this chip with the correct checksums (and thus not with the fallback env vars) I can't seem to be able to enter into the <p500> shell, thus I can't download the image to ram to attempt another boot.
(I did also try setting pbootdelay to 3 after my last post).
« Last Edit: November 27, 2023, 12:12:20 am by TT-392 »
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7125
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1002 on: November 27, 2023, 12:26:44 am »
Check the original NOR what bootdelay was set to in Uboot area and leave it the same in the modified NOR. Only change stuff in env vars area.
I am pretty sure this was what I had. Do you hit space bar when the scope is powered on? It will not stop for you by itself, you have to hit (if i remember correctly) space bar.
Facebook-free life and Rigol-free shack.
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7125
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1003 on: November 27, 2023, 02:02:24 am »
Hold on a sec. This was your log in your reply #985:

Code:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  internal ecc 128 MiB

Now you are not getting NOR identified:
Code:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Unknown id: 0x13409d. Using ST_M23P40
Flash: 64 KiB
NAND:  internal ecc 128 MiB

What is going on here?
Facebook-free life and Rigol-free shack.
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7125
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1004 on: November 27, 2023, 02:14:17 am »
This is what it should look like when bootdelay variable changed:

Code:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  internal ecc 128 MiB
In:    serial
Out:   serial
Err:   serial
SerNum:serial number not programmed
Chip:  BD Board Rev: 4
Net:   smsc
Press space to stop autoboot:  4  0 3
p500>

And if you do not interrupt it by pressing space, it will proceed to loading PBOOT. You can again press space to interrupt PBOOT, which gives you that menu to select an image source:

Code:
## Booting kernel from Legacy Image at f8050000 ...
   Image Name:   PBOOT
   Created:      2015-05-07   8:18:27 UTC
   Image Type:   ARM Linux Kernel Image (gzip compressed)
   Data Size:    37749 Bytes = 36.9 KiB
   Load Address: 00000000
   Entry Point:  00000000
   Uncompressing Kernel Image ... OK

Starting kernel ...

Debug serial initialized ........OK
RTC: 2024-20-12   6:103:32.30 UTC

Microsoft Windows CE Bootloader Common Library Version 1.4 Built May  7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008

Press [ENTER] to launch image stored in flash or [SPACE] to cancel.
Initiating image launch in   3 seconds  2 seconds  1 seconds

P500 Boot Loader Configuration :

Mac address .......... (00:30:D3:20:D7:70)
Ip address ........... (192.168.1.212)
Subnet Mask address .. (255.255.255.0)
DHCP ................. (Enabled)
Boot delay (seconds).. (3)
Load image 1 at startup

Image addresses. (0xdxxxxxxx for NAND, 0x8xxxxxxx for RAM)
        1 (0xd0600000)
        2 (0xd1e00000)

l) Load memory resident image Load image 1 now
1) Load memory resident image 1 now
2) Load memory resident image 2 now
3) Load memory resident image 3 now
d) Download from platform builder now
u) Start u-boot by resetting
v) Verify Images

Something must still be wrong with your setup.
« Last Edit: November 27, 2023, 02:22:36 am by Bud »
Facebook-free life and Rigol-free shack.
 

Offline TT-392

  • Contributor
  • Posts: 21
  • Country: nl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1005 on: November 27, 2023, 06:40:02 am »
Hold on a sec. This was your log in your reply #985:

Code:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  internal ecc 128 MiB

Now you are not getting NOR identified:
Code:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Unknown id: 0x13409d. Using ST_M23P40
Flash: 64 KiB
NAND:  internal ecc 128 MiB

What is going on here?


Oh... I think I know what is happening there. When I was buying some extra flash chips to make sure I could leave the original NOR intact as a backup, I noticed that the one that was originally in my scope, the ST25P40VP, wasn't available. I did however see someone in another post (I don't remember where exactly) link to the IS2LP040, and I figured that they are probably just using that one in the newer models or something like that, so it should probably be fine. So that is what I bought for testing. I guess I was wrong about that.

Either way, I guess I gotta either wait for chips to arrive from aliexpress, or use the original chip and hope I did nothing wrong when dumping the chip.
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7125
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1006 on: November 27, 2023, 05:28:45 pm »
Ok. Yes you have to use a proper chip, all sort of funny things may be happening with Uboot making its guesses.
Facebook-free life and Rigol-free shack.
 

Offline TT-392

  • Contributor
  • Posts: 21
  • Country: nl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1007 on: November 27, 2023, 08:24:34 pm »
Ok. Yes you have to use a proper chip, all sort of funny things may be happening with Uboot making its guesses.

Hmm, just tried with the proper chip, once with bootdelay set to 4, and once with both bootdelay and pbootdelay set to 3. It is not complaining about the flash chip anymore, but I am still not getting into the <p500> shell... not sure what else there is to try at this point...

Code:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  internal ecc 128 MiB

Debug serial initialized ........OK
RTC: 2024-19-6   3:84:41.49 UTC

Microsoft Windows CE Bootloader Common Library Version 1.4 Built May  7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008

PHY not found.

Press [ENTER] to launch image stored in flash or [SPACE] to cancel.
Initiating image launch in   3 seconds

P500 Boot Loader Configuration :

Mac address .......... (00:03:D3:04:10:00)
Ip address ........... (192.168.1.100)
Subnet Mask address .. (255.255.255.0)
DHCP ................. (Enabled)
Boot delay (seconds).. (3)
Load image 1 at startup

Image addresses. (0xdxxxxxxx for NAND, 0x8xxxxxxx for RAM)
        1 (0xd0600000)
        2 (0xd1e00000)

l) Load memory resident image Load image 1 now
1) Load memory resident image 1 now
2) Load memory resident image 2 now
3) Load memory resident image 3 now
d) Download from platform builder now
u) Start u-boot by resetting
v) Verify Images
>

 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7125
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1008 on: November 27, 2023, 08:36:18 pm »
I guess you could attach the NOR bin dump for us to take a look.
Facebook-free life and Rigol-free shack.
 

Offline TT-392

  • Contributor
  • Posts: 21
  • Country: nl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1009 on: November 27, 2023, 08:42:11 pm »
I guess you could attach the NOR bin dump for us to take a look.

Oh sure, here it is. Though, the forum doesn't seem to like files ending with .bin, so I renamed it .bin.py

edit:
looks like the attachment messed up anyways, 1sec, I'll upload it to my VPS to make a download link
 

Online tautech

  • Super Contributor
  • ***
  • Posts: 29473
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1010 on: November 27, 2023, 08:51:32 pm »
I guess you could attach the NOR bin dump for us to take a look.

Oh sure, here it is. Though, the forum doesn't seem to like files ending with .bin, so I renamed it .bin.py

edit:
looks like the attachment messed up anyways, 1sec, I'll upload it to my VPS to make a download link
Just add a .txt extension and it will upload here. Then mention to remove the .txt extension.
Avid Rabid Hobbyist.
Some stuff seen @ Siglent HQ cannot be shared.
 

Offline TT-392

  • Contributor
  • Posts: 21
  • Country: nl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1011 on: November 27, 2023, 08:53:34 pm »
I guess you could attach the NOR bin dump for us to take a look.

Oh sure, here it is. Though, the forum doesn't seem to like files ending with .bin, so I renamed it .bin.py

edit:
looks like the attachment messed up anyways, 1sec, I'll upload it to my VPS to make a download link
Just add a .txt extension and it will upload here. Then mention to remove the .txt extension.

I think I basically did that by renaming it .py, and it didn't like that, or maybe something just went bad when uploading. Either way, I ended up just putting them both in a zip (both being the original dump and the one with the modified bootdelay).
« Last Edit: November 27, 2023, 08:55:08 pm by TT-392 »
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7125
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1012 on: November 27, 2023, 09:25:01 pm »
You were talking about using JTAG at some point. Did you do anything to enable JTAG? If so, you'd need to roll that back if you want to boot from NOR.
Facebook-free life and Rigol-free shack.
 

Offline TT-392

  • Contributor
  • Posts: 21
  • Country: nl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1013 on: November 27, 2023, 09:28:53 pm »
You were talking about using JTAG at some point. Did you do anything to enable JTAG? If so, you'd need to roll that back if you want to boot from NOR.

Back then, I soldered on a JTAG connector, and before I could do the hardware mod to enable JTAG, I figured out how to use that ST tool. So I ended up never doing that mod.
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7125
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1014 on: November 27, 2023, 10:16:54 pm »
You have to change this variable value. Note the Offset.
Do not forget to update the checksum.
« Last Edit: November 27, 2023, 10:20:59 pm by Bud »
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: TT-392

Offline TT-392

  • Contributor
  • Posts: 21
  • Country: nl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1015 on: November 27, 2023, 10:34:54 pm »
You have to change this variable value. Note the Offset.
Do not forget to update the checksum.

Wait wut.... I guess, after having tried with both bootdelay, and pbootdelay set to 3, when I wanted to test with bootdelay=4 and pbootdelay=0, I accidentally mixed up pbootdelay and bootdelay. I can't believe I messed that up.... Guess I'll try again after school tomorrow (really need to sleep rn)
 

Offline TT-392

  • Contributor
  • Posts: 21
  • Country: nl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1016 on: November 30, 2023, 09:07:04 pm »
You have to change this variable value. Note the Offset.
Do not forget to update the checksum.

I just uploaded a new image (attached) through ymodem in <p500> (I got into <p500> because of a previous messed up crc). After uploading I also did a checksum, on the scope, to confirm everything was in place.
Code:
<p500> crc 0xf8000000 0x80000
CRC32 for f8000000 ... f807ffff ==> c7bc2d68
which matches what I get on my desktop:
Code:
> cat bootdelay.bin | crc32
c7bc2d68

But I am once again getting that same boot menu and no <p500>:

Code:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  internal ecc 128 MiB

Debug serial initialized ........OK
RTC: 2024-19-6   6:85:19.21 UTC

Microsoft Windows CE Bootloader Common Library Version 1.4 Built May  7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008

PHY not found.


P500 Boot Loader Configuration :

Mac address .......... (00:03:D3:04:10:00)
Ip address ........... (192.168.1.100)
Subnet Mask address .. (255.255.255.0)
DHCP ................. (Enabled)
Boot delay (seconds).. (0)
Load image 1 at startup

Image addresses. (0xdxxxxxxx for NAND, 0x8xxxxxxx for RAM)
        1 (0xd0600000)
        2 (0xd1e00000)

l) Load memory resident image Load image 1 now
1) Load memory resident image 1 now
2) Load memory resident image 2 now
3) Load memory resident image 3 now
d) Download from platform builder now
u) Start u-boot by resetting
v) Verify Images
>

I included the file again, and bootdelay really is set in there this time.... (that or I really am going crazy)
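Since Bud's reply #1014 says to change the variable and then update the checksum, and reply #1016 checks the whole dump's CRC32 against the scope's `crc` output, here is a small helper script that does both steps. It is an added example, not code from TT-392, Bud or Keysight. It assumes the common non-redundant U-Boot env layout (a 4-byte little-endian CRC32 header followed by NUL-separated NAME=VALUE strings ending in a double NUL; if the build uses the redundant layout there is an extra flag byte after the CRC and the offsets shift by one), it only ever rewrites the 0x00040000 - 0x00043FFF section quoted in the thread, and the 512 KiB image it works on is constructed inline, not a real dump. Beyond bootdelay it accepts any variable, so the same call can set pbootdelay or put stdin back to serial, as discussed later in the thread.

```python
import struct
import zlib

# Values quoted in the thread: env var section inside the 512 KiB NOR image.
ENV_OFFSET = 0x00040000                 # start of U-Boot environment in the dump
ENV_SIZE = 0x00044000 - ENV_OFFSET      # 0x00040000 - 0x00043FFF inclusive = 16 KiB
NOR_SIZE = 0x80000                      # 512 KiB, matching "Flash: 512 KiB"

# Assumption: non-redundant env layout, i.e. a 4-byte little-endian CRC32 header
# followed by NUL-separated NAME=VALUE strings and a terminating double NUL.
HEADER_LEN = 4


def env_data_crc(block):
    """CRC32 that U-Boot keeps in the header: computed over everything after the header."""
    return zlib.crc32(block[HEADER_LEN:]) & 0xFFFFFFFF


def parse_env(block):
    """Return (stored_crc, {name: value}) for one raw env block."""
    (stored_crc,) = struct.unpack("<I", block[:HEADER_LEN])
    data = block[HEADER_LEN:]
    end = data.find(b"\x00\x00")
    if end < 0:
        raise ValueError("no double-NUL terminator: env block is not well formed")
    env = {}
    for entry in data[:end].split(b"\x00"):
        if entry:
            name, _, value = entry.partition(b"=")
            env[name.decode("ascii")] = value.decode("ascii")
    return stored_crc, env


def build_env(env, size=ENV_SIZE):
    """Serialise a variable dict into a block of `size` bytes with a freshly computed CRC header."""
    data = b"\x00".join(f"{k}={v}".encode("ascii") for k, v in env.items()) + b"\x00\x00"
    if len(data) + HEADER_LEN > size:
        raise ValueError("environment does not fit in the env section")
    data = data.ljust(size - HEADER_LEN, b"\x00")
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) + data


def update_env(image, updates, offset=ENV_OFFSET, size=ENV_SIZE):
    """Apply {name: value} changes inside the env section only; bytes outside it are untouched.
    Refuses to proceed if the stored CRC is already wrong, because U-Boot would then be
    ignoring this block and running on its built-in defaults."""
    block = image[offset:offset + size]
    stored_crc, env = parse_env(block)
    computed = env_data_crc(block)
    if stored_crc != computed:
        raise ValueError(f"env CRC mismatch: header {stored_crc:08x}, computed {computed:08x}")
    env.update({k: str(v) for k, v in updates.items()})
    return image[:offset] + build_env(env, size) + image[offset + size:]


def image_crc32_hex(image):
    """Whole-image CRC32 in the form U-Boot's `crc <addr> <len>` and the desktop `crc32` tool print."""
    return f"{zlib.crc32(image) & 0xFFFFFFFF:08x}"


def make_sample_image():
    """Constructed stand-in for a NOR dump: 0xFF filler with a small env block at ENV_OFFSET."""
    image = bytearray(b"\xff" * NOR_SIZE)
    env = {"bootdelay": "0", "pbootdelay": "0",
           "stdin": "serial", "stdout": "serial", "stderr": "serial"}
    image[ENV_OFFSET:ENV_OFFSET + ENV_SIZE] = build_env(env)
    return bytes(image)


if __name__ == "__main__":
    original = make_sample_image()
    patched = update_env(original, {"bootdelay": 3, "pbootdelay": 3})
    crc, env = parse_env(patched[ENV_OFFSET:ENV_OFFSET + ENV_SIZE])
    print("bootdelay =", env["bootdelay"], "pbootdelay =", env["pbootdelay"])
    print("env CRC ok:", crc == env_data_crc(patched[ENV_OFFSET:ENV_OFFSET + ENV_SIZE]))
    print("whole-image CRC32:", image_crc32_hex(patched))
```

To use it on a real dump, read the file into `bytes`, call `update_env` with the variables you want, write the result out, and compare `image_crc32_hex` of the written file with what `crc 0xf8000000 0x80000` prints on the scope after the upload. The CRC check before editing is the useful part: a dump whose env CRC does not match is exactly the case where U-Boot silently falls back to its defaults, which is what the thread's "fallback env vars" remark describes.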
 

Offline TT-392

  • Contributor
  • Posts: 21
  • Country: nl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1017 on: November 30, 2023, 09:47:23 pm »
Found the problem. So I tried setting the env vars by hand, and noticed that after typing "setenv stdin usbtty", I could no longer input anything. Then it occurred to me that the countdown was actually happening on a different output, through the USB port on the back. So I connected that, reflashed the chip with the bin I tried before, and I was able to interrupt the boot properly through that USB port.
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7125
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1018 on: November 30, 2023, 10:12:09 pm »
You can set it back to "serial" now so you have a single console for input and output.
Facebook-free life and Rigol-free shack.
 

Offline TT-392

  • Contributor
  • Posts: 21
  • Country: nl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1019 on: December 01, 2023, 03:36:30 pm »
Successful boot, and firmware upgrade with the right env vars, and boot from NAND!!!
Thanks so much for all the help!!!!!!

Also did a rough calibration with my bench top PSU, should be good enough for most of the stuff I usually do with my scope.


(yes, I am aware that probe comp needs some work)

It is still complaining about a few things, but I'm sure I'll be able to do something about those. Also, nice bandwidth. Either way, I have a working scope now.


I guess next up is trying to get some of the info on that screen correct, and then, of course, to do some hacks :). (Also, I broke off the power button from its stem at some point, but I'm sure I'll be able to figure something out to fix that.)

Either way, kinda out of time to work on the scope today. Will look into it more later.

edit:
the power button bit of plastic apparently just fits snugly in its place, and works just fine even when not physically connected.
« Last Edit: December 01, 2023, 03:46:09 pm by TT-392 »
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7125
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1020 on: December 01, 2023, 06:49:37 pm »
Great. So your journey is a demonstration that Keysight 1000x scopes can be restored even if the firmware was completely gone. Pretty impressive.
Facebook-free life and Rigol-free shack.
 

Offline TT-392

  • Contributor
  • Posts: 21
  • Country: nl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1021 on: December 01, 2023, 06:55:40 pm »
Great. So your journey is a demonstration that Keysight 1000x scopes can be restored even if the firmware was completely gone. Pretty impressive.

Oh, right, I didn't realize that this was the first documented case of that happening... That is pretty cool. Either way, I am planning to put together a guide to have all of the information available in one place, so that people don't have to dig through a bunch of messages to figure out how to recover their own scope. Though, idk when I'll get around to doing this yet.
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7125
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1022 on: December 25, 2023, 03:38:57 am »
It is a Christmas night of 2023 and it's been three years since the 1000x Liberated firmware became available. By now though, access to the fully patched liberated firmware update file has become a problem due to its size and hosting problem. To address the issue and in celebration of the 3 years of 1000x Liberation, attached is a small package with a set of tools that new users who missed the train can now use to create a liberated v1.20 firmware by themselves.

This package uses Diff method to apply a difference data blob to the official v1.20 firmware for 1000x scopes. Because of this method, the package size is small which makes it possible to attach it to a forum post.

I have verified that the tool creates a patched file that matches the one in fully patched firmware package, so the tool seems to work properly. But I did not try to install. Please report your experience.  :popcorn:

Have fun and Happy Holidays!  :-+
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: hugo, Anthocyanina, tsirvoulis, the Chris

Offline TScarlet

  • Newbie
  • Posts: 6
  • Country: cn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1023 on: January 24, 2024, 06:08:18 am »
I'm wondering how KS wrote the model and SN into the scope. Are there any tools or scripts? :-\
 

Offline TScarlet

  • Newbie
  • Posts: 6
  • Country: cn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1024 on: January 24, 2024, 10:15:12 am »
After the installation of "1000X patched 1.20 with backup Image2.ksx", only 1Mpts can be captured. That is odd.
 

