Author Topic: 34465A and other Keysight Meters - Post Purchase Upgrades & Hacks  (Read 5205 times)

FivePoint03 (Topic starter)
Hi Guys,
Thinking of buying a 34465A. I would be swayed if the 3446DIGU and 3446MEMU options could be turned on after buying it.
Anyone of you experts tackled this yet . . . there's a challenge!
Anyone done the upgrade? How did it work?
Thanks
 

6thimage
« Reply #1 on: December 04, 2015, 07:04:14 pm »
No hacks are currently known.

The 3446xA series (including the 34470A) uses licenses that are signed by Keysight using a combination of RSA and SHA. The firmware loads the license files from flash (this is the same flash that holds the firmware image and is on the front panel board) on boot and checks their validity. This routine is written in C# and uses the RSACryptoServiceProvider.VerifyData method of the .NET libraries - which, as far as I am aware, does not have any flaws in it.

Essentially, they have done their job well and there is no way of signing a license file without Keysight doing it. The only possible way is to modify the firmware, which has inherent risks associated with it as well as the inevitable cat and mouse game with Keysight.

Even without the DIG and MEM options, the 34465A is still a good buy (much better than the 34461A, considering the price difference).
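
The kind of check described in this reply, as an added example (not code from the post and not Keysight's firmware): a license is accepted only if `RSACryptoServiceProvider.VerifyData` confirms the vendor's signature over its exact bytes. The license layout, the serial value, the 2048-bit throwaway keys and the choice of SHA-256 are assumptions made for the demo; the post only says "RSA and SHA".

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenseCheckDemo
{
    // Hypothetical license layout for this demo: "MODEL,SERIAL,OPTION" as UTF-8.
    static byte[] Payload(string model, string serial, string option) =>
        Encoding.UTF8.GetBytes(model + "," + serial + "," + option);

    // Instrument side: only the vendor's PUBLIC key is needed to verify.
    static bool IsLicenseValid(RSAParameters vendorPublic, byte[] payload, byte[] sig)
    {
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.ImportParameters(vendorPublic);
            // SHA-256 is an assumption; the post does not name the SHA variant.
            return rsa.VerifyData(payload, "SHA256", sig);
        }
    }

    static void Main()
    {
        const string serial = "SN-CONSTRUCTED-0001"; // constructed sample value
        RSAParameters vendorPublic;
        byte[] signature;

        // Vendor side: a throwaway key pair stands in for the vendor's signing key.
        using (var vendor = new RSACryptoServiceProvider(2048))
        {
            vendorPublic = vendor.ExportParameters(false); // public half only
            signature = vendor.SignData(Payload("34465A", serial, "DIG"), "SHA256");
        }

        // A second throwaway key pair: a signer without the vendor's private key.
        byte[] foreignSig;
        using (var other = new RSACryptoServiceProvider(2048))
            foreignSig = other.SignData(Payload("34465A", serial, "MEM"), "SHA256");

        Console.WriteLine("as issued:           " +
            IsLicenseValid(vendorPublic, Payload("34465A", serial, "DIG"), signature));
        Console.WriteLine("option changed:      " +
            IsLicenseValid(vendorPublic, Payload("34465A", serial, "MEM"), signature));
        Console.WriteLine("different serial:    " +
            IsLicenseValid(vendorPublic, Payload("34465A", "SN-CONSTRUCTED-0002", "DIG"), signature));
        Console.WriteLine("signed by other key: " +
            IsLicenseValid(vendorPublic, Payload("34465A", serial, "MEM"), foreignSig));
    }
}
```

Only the first check passes: the other three change either the signed bytes or the signing key, which is why the validity check depends on the private key staying with the vendor.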
 

commie
« Reply #2 on: December 04, 2015, 08:46:28 pm »
With regard to all the 'successful' Rigol hacking, Rigol wanted it to be hacked to increase sales.
 

TheSteve
« Reply #3 on: December 04, 2015, 09:19:40 pm »
On most modern stuff the best way would be to patch the firmware itself - assuming they haven't added too much security that verifies the firmware integrity.
I don't think too many people have a unit or two they want to sacrifice to see what's possible.
VE7FM
 

6thimage
« Reply #4 on: December 04, 2015, 09:55:44 pm »
> With regard to all the 'successful' Rigol hacking, Rigol wanted it to be hacked to increase sales.

I'm not sure if they wanted it hacked, I think it is more like what Microsoft did with the first Xbox - they wanted a quick solution and they didn't have anyone experienced implementing it.

> On most modern stuff the best way would be to patch the firmware itself - assuming they haven't added too much security that verifies the firmware integrity.
> I don't think too many people have a unit or two they want to sacrifice to see what's possible.

With the 3446xA, I don't think you would risk sacrificing it completely. The bootloader doesn't have Ethernet abilities like some of Keysight's oscilloscopes, but you can dump the flash contents over a serial interface - this doesn't take as long as you might imagine as the bootloader can CRC blocks of data, so you can use this to reduce the amount of data that has to be transferred. This means you should always be able to restore the flash to a known state. However, it is possible that you could corrupt the multimeter's identity with a bad firmware - I believe it is stored in flash, but it is also stored in an EEPROM next to the FPGA (although it's connected to the Cortex-M3, on the opposite side of the board, rather than the FPGA). But you can always dump the EEPROM, or spy on its communications, so that you have almost no chance of destroying its data.

The 344x6A also uses two bootloaders and has two firmware images - if the second bootloader detects that the first firmware image is corrupted, it will use the second image, which is very basic (no UI, just a plain white screen - I have a picture of it, if anyone cares) and only allows new firmware to be sent to the multimeter (to fix the corrupted image stored in flash).
« Last Edit: December 04, 2015, 09:58:33 pm by 6thimage »
 

Dr. Frank
« Reply #5 on: December 04, 2015, 10:08:49 pm »
Yes, I am interested.. academic interest only .. ;)

A metamorphosis from '465 to 470 would be interesting.. same FW, identical HW on main PCB..
There are only a few quirks necessary to let it think it'll be the bigger sister.

Frank.
« Last Edit: December 04, 2015, 10:10:48 pm by Dr. Frank »
 

6thimage
« Reply #6 on: December 04, 2015, 10:26:05 pm »
> Yes, I am interested.. academic interest only .. ;)
>
> A metamorphosis from '465 to 470 would be interesting.. same FW, identical HW on main PCB..
> There are only a few quirks necessary to let it think it'll be the bigger sister.
>
> Frank.

Indeed - in the factory the model number and serial are set by a SCPI command that then becomes disabled. From a little bit of peeking it seems to be diag:ofinit "SERIAL", "MODEL". Now if a bit of amnesia could be introduced into a 65, perhaps this command would become available again. The difficulty would be how to introduce the amnesia.

From looking at the contents of the EEPROM, it stores the model number and serial number, but the manual mentions two errors (821 and 822) where the controller (i.e. front panel) and measurement boards have different identities. Unfortunately, this does not seem to be stored as plain text in the front panel's flash memory, with the firmware referring to "SecureStorage".

The 344x6A's firmware is constantly jumping between C# and C, which makes finding where this secure storage is quite difficult.
 

