Author Topic: EEVblog #978 - Keysight 1000X Hacking  (Read 119733 times)


Offline skander36

  • Regular Contributor
  • *
  • Posts: 71
  • Country: ro
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #525 on: November 05, 2018, 03:35:17 am »
« Last Edit: November 05, 2018, 03:37:02 am by skander36 »
 

Offline FERCSA

  • Contributor
  • Posts: 27
  • Country: hu
    • www.fercsa.com
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #526 on: November 06, 2018, 11:52:10 pm »
Thanks guys. I already added the missing components for the external trigger. The third digital channel came alive and is working, but the hardware test still failed. Later, in another session, I'm going to modify the frontend; I also got the PHY controller for networking.

@skander36 The 20MHz more bandwidth is not too much, but the other extra features are gold.
Don't ask. I'm the same guy who gave you ultra fast internet in the '00s..
#FERCSA
 

Offline FERCSA

  • Contributor
  • Posts: 27
  • Country: hu
    • www.fercsa.com
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #527 on: November 11, 2018, 05:10:28 am »
Unfortunately the frontend mod is postponed due to missing resistors.. forgot to order them and can't find an equivalent in my junk bin |O
Until then I did a little reverse engineering on the missing 36-pin IC, next to the USB-B connector.
Turned out it's a USB HUB controller, not an ethernet controller. Why should they do that? More USB input perhaps? Question is, can it handle a USB-ethernet adapter?

Datasheet: http://ww1.microchip.com/downloads/en/devicedoc/00001692c.pdf

And here are some pictures:


 

Offline skander36

  • Regular Contributor
  • *
  • Posts: 71
  • Country: ro
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #528 on: November 14, 2018, 06:28:41 am »
The 20MHz more bandwidth is not too much, but the other extra features are gold.

Hi FERCSA, don't get me wrong, I think that Keysight makes the best scopes on the market today, but personally I don't think it is worth the effort of transforming this scope. I think that it is a better choice to buy one that has the options from the factory (I mean calibrated and stable).
Regards.
 

Offline FERCSA

  • Contributor
  • Posts: 27
  • Country: hu
    • www.fercsa.com
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #529 on: November 22, 2018, 11:17:29 pm »
@skander36
Look, I understand an instrument is good enough until (s)he has your trust, but this scope's mainboard is relatively simple and the PCB quality.. enjoyable to work with. Converting to DSOX is already worth it by just replacing one resistor.
Adding the missing components for the external trigger and replacing a few components in the front end area is also worth it, just look at my nice square wave. Mine successfully got through user calibration after I had a few hiccups.

So here are a few interesting errors and clues for others. These are cuts from the serial log during calibration.

External trigger area, mysterious (no one measured it) cap under the comparator (LMV7219):

4.7uF
Code:
**** External Trigger Level ****                                                                                         
/1 Trig B1 = 5303.000, B0 = 35860.000                                                                                   
/5 Trig B1 = 1071.000, B0 = 35860.000                                                                                   
**** CAL FAILED ****

100nF
Code:
**Xtrig Delay Cal**
Failed.  Could not get a duration trigger to fire.
**** CAL FAILED ****

10nF
Code:
Cal Satus    : CAL_OK
So it looks like a cap of less than 100nF is necessary here. You can tell that just from the color of the cap in a DSOX picture. And yes, that's a misspelling by Keysight :-DD


Frontend LPF filter after diff amp, before ADC, when the two caps are too big. Basically I got a saw on the screen instead of a perfect square waveform from my source. It was funny to see and also the look on my face..
Code:
**** Baldwin Trig Time Qual ****
Set CalConfigScope range 1.000000E-005, delay -1.000000E-006
FAILED!  Top meas failed to return good value
**** CAL FAILED ****

One more note. After replacing the diff amp at the frontend with a LMH6552, I got a ~500uV/div offset in minus, but it's gone after user calibration.

USB Hub hack.. I really don't get why Keysight put it there. The hub is for your PC, not for your scope. So I added a usb2serial adapter to the second downstream channel of the hub and no more hanging wire from my scope anymore, very neat.

Also there is a missing pair of protection diodes here and there is one at the other USB socket, so no wonder ginbot crashed the scope by just wiggling a USB drive.

Ohh just to confirm, ginbot's hack worked on the first try, nice job! :clap:

If you really need a second USB port, you have to utilize some pins on the non-populated connector on the BLT board. SPEAr600 has 2 host ports. I use this for a permanent USB storage.

So everything looks great, I'm happy with the modifications and it's time to take a look into the firmware. At first glance it's not that easy, USB boot is not working and without a LAN card I have to modify the nk.bin.comp file then flash it under Windows to the second image space, then switch to it under U-Boot.

After all, here are a few pictures. More to come, but I have to edit them.


second usb

After I added the LMH6552. CH1=new LPF filter, R2=original LPF

frontend before (CH2)

frontend after (CH1)

ext. trigger before

ext. trigger after
« Last Edit: November 26, 2018, 07:15:40 am by FERCSA »
 
The following users thanked this post: oPossum

Offline skander36

  • Regular Contributor
  • *
  • Posts: 71
  • Country: ro
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #530 on: November 23, 2018, 03:54:24 am »
Hi, you have obtained a very good result. Good for you!
But not all are as skilled as you; for most hobbyists (it's an EDU version), the modifications you did are hard to achieve, needed Frontend and Ext. Trig. modifications.
Losing the warranty still remains a problem. Dave's scope is now broken and is not the only one that has this problem.
I like mods very much (I think that all my stuff is modded in some way) but I concluded that for a precision instrument it is better to have the manufacturer warranty, otherwise you will always have doubts about the measurements you did.
Anyway you did a very good job and thank you for posting information that encourages those who want to try to modify this scope.  :-+
 

Offline FERCSA

  • Contributor
  • Posts: 27
  • Country: hu
    • www.fercsa.com
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #531 on: November 24, 2018, 05:14:10 am »
Mine has been out of warranty for a few weeks now, so it doesn't concern me.
But I can tell you one thing, comparing my starting point (basic EDUX) and what I've got now, there is a massive difference.
And who knows what comes next. At first glance there are a lot of hidden menus in the firmware.

More pix:

First patch, looks like everything is on track :popcorn:


Serial, JTAG and extra USB port (HOST2 on front, HOST1 not connected by default)

In the future if someone opens up his/her scope (-G version), I'd really appreciate a hi-res photo of the wavegen area.
 

Offline ginbot86

  • Contributor
  • Posts: 26
  • Country: ca
  • 0x9000
    • My tech blog documenting whatever weird electronic things I feel like doing.
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #532 on: November 24, 2018, 05:19:08 am »
Yeah, when I was doing a string search in infiniiVisionCore.dll there are strings that refer to advanced features not found on the 1000-X series like AC power measurements (reactive power, etc.).
Code:
Initialization Failed: Insufficient caffeine in system.
 

Offline aryasridhar

  • Regular Contributor
  • *
  • Posts: 86
  • Country: in
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #533 on: November 29, 2018, 01:54:27 am »
Hey guys,

So I just ended up buying this scope today, it’s in the mail and will reach me by Monday!!

All I need the scope for is to build guitar amps, guitar effects, troubleshoot issues in these devices.

Do you guys believe this would be sufficient?

Oh and what I’ve ordered is the EDUX1002A.

I also have a Philips PM3213 and soon will have a Tek CRO that I’m working with a friend to procure.

Any inputs are appreciated.
 

Offline ginbot86

  • Contributor
  • Posts: 26
  • Country: ca
  • 0x9000
    • My tech blog documenting whatever weird electronic things I feel like doing.
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #534 on: November 29, 2018, 02:23:00 am »
For the purposes of troubleshooting audio-frequency electronics I think it's plenty, and the measurement tools in the scope will make it easier to do than with an analog CRO too.
 

Offline aryasridhar

  • Regular Contributor
  • *
  • Posts: 86
  • Country: in
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #535 on: November 29, 2018, 02:27:24 am »
For the purposes of troubleshooting audio-frequency electronics I think it's plenty, and the measurement tools in the scope will make it easier to do than with an analog CRO too.

Oh, Thank you so much, I was a little tense after reading the memory depth thinking 100kpts was going to be a barrier for my audio frequency work.

Just wanted to get a good, reliable scope and went for it, the other options here in India are exorbitantly priced.

Had an OWON SDS7102 about a year back, sold it off as I was planning to move out of the country (that plan has now gone to trash), had to get back a scope, and the same scope now costs double the money I'd paid when I got it about a year and a half ago.....madness....
 

Offline skander36

  • Regular Contributor
  • *
  • Posts: 71
  • Country: ro
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #536 on: November 29, 2018, 05:15:02 am »
Hi aryasridhar,
For the audio it is far enough, although a big point for audio is the frequency response analyzer (FRA) function which is not found on the 1002A. You shall look for the G version (with generator).
I use it for tuning some guitar effects (Electric Mistress was one of them, some types of flangers, etc). You will also need a signal generator for signal injection. For audio bandwidth they are not expensive.
When you use it, you will find out why they say that Keysight is a real scope.

Good luck !
 

Offline FERCSA

  • Contributor
  • Posts: 27
  • Country: hu
    • www.fercsa.com
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #537 on: November 29, 2018, 12:42:57 pm »
@aryasridhar skander36 is right, for analog development a FRA is a huge plus. If you can change your order, don't hesitate, it's gonna be worth it.

@ginbot86 yep that's my goal. Also it's possible to upgrade the scope's firmware with a modified nk.bin, without opening it up. It'll make it easier to apply a hack in the future for non-tech people. Sounds cool?

Unfortunately the infiniiVisionCore.dll sits in the nk.bin file as a module, which makes it impossible to replace and makes everything complicated. For example, reflashing the firmware every time just because I made some changes or applying valid checksums. So this weekend I had an idea and I thought let's try it out.. I was able to boot up a customized u-boot/QEMU combo. If I can emulate a serial flash memory, not to mention a nand storage or just the corresponding memory addresses in RAM, that'll be real fun.

Code:
arm-softmmu/qemu-system-arm -M p500 -cpu arm926 -serial mon:stdio -net tap -net nic -kernel u-boot_image.bin
Running QEMU with GTK 2.x is deprecated, and will be removed
in a future release. Please switch to GTK 3.x instead


U-Boot Keysight-dirty #FERCSA (Nov 29 2018 - 02:09:55)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
*** Warning - bad CRC, using default environment

SerNum:serial number not programmed
Chip:  BA Board Rev: x
Error: start and/or end address not on sector boundary
Net:   unknown
Press space to stop autoboot 0 0
p500> help
?       - alias for 'help'
adc     - performs A/D conversion on channel
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
cdp     - Perform CDP network configuration
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dcache  - enable or disable data cache
dhcp    - boot image via network using DHCP/TFTP protocol
echo    - echo args to console
editenv - edit environment variable
erase   - erase FLASH memory
expi    - program EXPI Clock
flinfo  - print FLASH memory information
fpga    - loadable FPGA image support
fsinfo  - print information about filesystems
fsload  - load binary file from a filesystem image
go      - start application at address 'addr'
help    - print command description/usage
hwreset - Perform HW RESET of the CPU
i2c     - I2C sub-system
icache  - enable or disable instruction cache
iminfo  - print header information for application image
imls    - list all images found in flash
imxtract- extract a part of a multi-image
itest   - return true/false on integer compare
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
ls      - list files in a directory (default /)
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nfs     - boot image via network using NFS protocol
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
rtc     - print time from RTC
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
saves   - save S-Record file over serial line
setenv  - set environment variables
sleep   - delay execution for some time
source  - run script from memory
splash  - load splash image on display
tftpboot- boot image via network using TFTP protocol
version - print monitor version
p500>
 
The following users thanked this post: aryasridhar
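
Added example, not part of FERCSA's post: for anyone reviewing a shipped bootloader from the hardening side, this Python sketch parses a U-Boot `help` listing like the one above and groups the commands that give a console user control over memory, flash or the boot source. The capability grouping and function names are this example's own assumptions; the sample is an excerpt of the listing quoted in the post.

```python
import re

# Capability classes are this example's own grouping (an assumption), based on
# what the stock U-Boot commands of these names do.
RISK_CLASSES = {
    "memory read": {"md", "cmp", "crc32"},
    "memory write": {"mm", "mw", "nm", "cp"},
    "code execution": {"go", "bootm", "source"},
    "serial image load": {"loadb", "loads", "loady"},
    "network boot": {"bootp", "dhcp", "nfs", "rarpboot", "tftpboot"},
    "flash modify": {"erase", "protect", "nand", "saveenv"},
}

# Excerpt of the `help` listing quoted in the post (not the full list).
SAMPLE_HELP = """\
p500> help
?       - alias for 'help'
erase   - erase FLASH memory
go      - start application at address 'addr'
imxtract- extract a part of a multi-image
loadb   - load binary file over serial line (kermit mode)
md      - memory display
mw      - memory write (fill)
ping    - send ICMP ECHO_REQUEST to network host
protect - enable or disable FLASH write protection
tftpboot- boot image via network using TFTP protocol
version - print monitor version
p500>
"""

# U-Boot pads names to 8 columns, so 8-character names run straight into the
# dash ("imxtract- ..."); the lazy name match handles both layouts.
LINE_RE = re.compile(r"^(\S+?)\s*-\s+(.+)$")


def parse_help(text):
    """Return {command: description} from a U-Boot `help` listing."""
    commands = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            commands[m.group(1)] = m.group(2)
    return commands


def audit(text):
    """Return {capability class: sorted commands present in the listing}."""
    found = parse_help(text)
    report = {}
    for risk, names in RISK_CLASSES.items():
        hits = sorted(names & found.keys())
        if hits:
            report[risk] = hits
    return report


if __name__ == "__main__":
    for risk, cmds in audit(SAMPLE_HELP).items():
        print(f"{risk:18} {', '.join(cmds)}")
```
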

Offline FERCSA

  • Contributor
  • Posts: 27
  • Country: hu
    • www.fercsa.com
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #538 on: December 07, 2018, 11:05:47 am »
Maybe later it'll be useful for someone, so I'm gonna share this. I had to make a little detour, because none of my debugger/flasher/JTAG cables worked and I have a bunch, believe me.
My first thing was to search through eBay. I found a used J-Link EDU at a very reasonable price, of course next day it was gone.. #$+%
What should I do now? I remembered there is an option to upgrade a genuine ST-Link v2 to a J-Link. So let's try it out.
Sure.. my cheapo v2 clone was not supported, but after a few NOPs and JMPs in the reflasher I got this:

Code:
Firmware: J-Link STLink V2 compiled Jun 26 2017 10:34:41
Hardware version: V1.00
S/N: XXXXXXXXX
VTref=3.300V

Unfortunately it doesn't support the JTAG protocol, only SWD, bummer.. I probed every pin, but I didn't find the TDO, TDI pins. Luckily J-Link Commander has some options to toggle certain pins.

What's next? I thought it's maybe the stm32f101 chip, so I found my blue pill, nope not that, it's a stm32f103 dev board. Flashed the firmware aaand same issue..

I was a little bit disappointed, but what about J-Link OB? After I extracted the firmware from Ozone I got the following result:

Code:
Firmware: J-Link OB-STM32F103 V1 compiled Aug 14 2017 12:43:08
Hardware version: V1.00
S/N: -1
VTref=3.300V

Looks promising..
After probing, I finally got every necessary pin, bingooooo!

Code:
./JLinkExe
SEGGER J-Link Commander V6.40 (Compiled Oct 26 2018 15:07:12)
DLL version V6.40, compiled Oct 26 2018 15:07:03

Connecting to J-Link via USB...O.K.
Firmware: J-Link OB-STM32F103 V1 compiled Aug 14 2017 12:43:08
Hardware version: V1.00
S/N: -1
VTref=3.300V


Type "connect" to establish a target connection, '?' for help
J-Link>connect
Please specify device / core. <Default>: SPEAR600
Type '?' for selection dialog
Device>
Please specify target interface:
  J) JTAG (Default)
TIF>
Device position in JTAG chain (IRPre,DRPre) <Default>: -1,-1 => Auto-detect
JTAGConf>
Specify target interface speed [kHz]. <Default>: 4000 kHz
Speed>auto
Device "SPEAR600" selected.


Connecting to target via JTAG
TotalIRLen = 8, IRPrint = 0x0011
JTAG chain detection found 2 devices:
 #0 Id: 0x07926041, IRLen: 04, ARM926EJ-S Core
 #1 Id: 0x07926041, IRLen: 04, ARM926EJ-S Core
Auto JTAG speed: 1286 kHz
CP15.0.0: 0x41069265: ARM, Architecure 5TEJ
CP15.0.1: 0x1D152152: ICache: 16kB (4*128*32), DCache: 16kB (4*128*32)
Cache type: Separate, Write-back, Format C (WT supported)
ARM9 identified.
J-Link>

I'm in. Currently I'm dumping the memory and trying to construct a memory map. Looks like "everything is hunky-dory".
 
The following users thanked this post: skander36
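
Added example, not part of the original post: the `Id:` and `CP15.0.0` values in the J-Link log above can be decoded by hand, which is a routine step when documenting what a device's debug port exposes. This Python sketch splits the JTAG IDCODE into its IEEE 1149.1 fields and the CP15 main ID register into the ARM9-style fields; the two-entry JEP106 table and the function names are this example's own.

```python
import re

# Lines copied from the J-Link Commander session quoted in the post.
SAMPLE_LOG = """\
JTAG chain detection found 2 devices:
 #0 Id: 0x07926041, IRLen: 04, ARM926EJ-S Core
 #1 Id: 0x07926041, IRLen: 04, ARM926EJ-S Core
CP15.0.0: 0x41069265: ARM, Architecure 5TEJ
"""

# Minimal JEP106 lookup keyed by (continuation count, 7-bit id); only the two
# vendors relevant here are listed, everything else reports "unknown".
JEP106 = {(0, 0x20): "STMicroelectronics", (4, 0x3B): "ARM"}


def decode_idcode(value):
    """Split a 32-bit JTAG IDCODE into its IEEE 1149.1 fields."""
    if not value & 1:
        raise ValueError("bit 0 of a JTAG IDCODE is always 1")
    mfr = (value >> 1) & 0x7FF          # bits 11:1
    cont, ident = mfr >> 7, mfr & 0x7F  # continuation count, JEP106 id
    return {
        "version": (value >> 28) & 0xF,      # bits 31:28
        "part": (value >> 12) & 0xFFFF,      # bits 27:12
        "jep106_bank": cont + 1,
        "jep106_id": ident,
        "manufacturer": JEP106.get((cont, ident), "unknown"),
    }


def decode_midr(value):
    """Split a CP15 c0 main ID register value (ARM9-era layout)."""
    return {
        "implementer": chr((value >> 24) & 0xFF),  # 'A' = ARM
        "variant": (value >> 20) & 0xF,
        "architecture": (value >> 16) & 0xF,       # 0x6 = ARMv5TEJ
        "part": (value >> 4) & 0xFFF,
        "revision": value & 0xF,
    }


def parse_log(text):
    """Return (list of decoded TAP IDCODEs, decoded main ID or None)."""
    ids = re.findall(r"#\d+ Id: (0x[0-9A-Fa-f]{8})", text)
    taps = [decode_idcode(int(i, 16)) for i in ids]
    m = re.search(r"CP15\.0\.0: (0x[0-9A-Fa-f]{8})", text)
    midr = decode_midr(int(m.group(1), 16)) if m else None
    return taps, midr


if __name__ == "__main__":
    taps, midr = parse_log(SAMPLE_LOG)
    for n, tap in enumerate(taps):
        print(f"TAP {n}: part=0x{tap['part']:04X} "
              f"mfr={tap['manufacturer']} version={tap['version']}")
    print(f"Core: implementer={midr['implementer']} "
          f"part=0x{midr['part']:03X} rev={midr['revision']}")
```
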

Offline aryasridhar

  • Regular Contributor
  • *
  • Posts: 86
  • Country: in
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #539 on: December 14, 2018, 03:34:15 pm »
So I got my EDUX1002A the other day, love it, for my needs it’s more than enough. Much better than the OWON SDS7102 I had back in the day.

Had a query though, the max input voltage into the channels is rated at 170V RMS, does that mean I can’t probe into guitar tube amps? As plate voltage could get up to 400V DC in them. But since I check signal flow, dealing with AC voltages in mV, would it be safe to use the scope in AC coupling?

For now I use my Philips PM3213 scope for tube amp troubleshooting.

« Last Edit: December 14, 2018, 03:36:10 pm by aryasridhar »
 

Offline FERCSA

  • Contributor
  • Posts: 27
  • Country: hu
    • www.fercsa.com
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #540 on: December 23, 2018, 12:33:59 am »
Looks like Santa is coming early, not just in Rigol land :popcorn:





 
The following users thanked this post: oPossum, ginbot86, aryasridhar, TK, skander36, hv222

Offline TK

  • Frequent Contributor
  • **
  • Posts: 792
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #541 on: December 23, 2018, 04:08:45 am »
No Santa for the rest of us if you don't share the hack...
 

Offline FERCSA

  • Contributor
  • Posts: 27
  • Country: hu
    • www.fercsa.com
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #542 on: December 23, 2018, 08:08:55 am »
No Santa for the rest of us if you don't share the hack...

Very soon, don't worry, Santa is on its way to you too, look out for your chimney haha. Enough with the jokes. Give me a little bit of time to test a few more iterations then I'll share it just like my hardware mods. This version was a very crude one, because I had to rewrite the complete licence loading routine in assembly. Unfortunately there are some new extra features which don't behave as intended, but you'll see, probably they were there for further developments or just leftovers from the 2/3000 series fw, who knows.
 
The following users thanked this post: aryasridhar

Offline FERCSA

  • Contributor
  • Posts: 27
  • Country: hu
    • www.fercsa.com
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #543 on: December 24, 2018, 02:07:10 am »
FW: https://bit.ly/2EOBAGC

Just copy my .ksx file to a USB stick, then insert it into your scope and open it in the file explorer.
A few minutes later, when the screen turns pitch black and every LED turns on, make a cold reset (power off-on). Sometimes soft reset won't work..

There are a few known bugs, like the PWR, Power application, where you can't select certain menu items.
Another one is BW50, I found some subroutines which rely on different frequencies like 50-70-100-200 but no mention of 500. It's not a big deal anyway because you can go way beyond 200-220MHz.
If you find something else just report it, then maybe it's fixable on assembly level without a bunch of work.
I loaded every possible option so there is no difference between "normal" and -G version.

Also I put the original non-modified fw in the second image location as a safe-fail. You can switch to it with a serial cable, then pressing space, then 2 under u-boot.
 
The following users thanked this post: hugo, TopLoser, newbie666, targit, TK, skander36, hv222

Offline TK

  • Frequent Contributor
  • **
  • Posts: 792
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #544 on: December 24, 2018, 02:47:05 am »
Everything seems to work as described.  Training signal menu is missing i2c and SPI.  I will continue testing.

Amazing hack  :-+ :-+ :-+  Santa arrived before Christmas!

Is there any way to go back to normal firmware reinstalling it from the USB drive?
 

Offline FERCSA

  • Contributor
  • Posts: 27
  • Country: hu
    • www.fercsa.com
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #545 on: December 24, 2018, 03:20:30 am »
Sure, but I only tested the downgrade functionality with an older (2016) firmware, which works perfectly, thanks to the FWD option. Should be fine with the latest too.
 

Offline TK

  • Frequent Contributor
  • **
  • Posts: 792
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #546 on: December 25, 2018, 12:27:59 am »
With the FWD option installed with the hack, it is possible to downgrade by reflashing the original firmware.  I assume it works with firmware 1.10 as well.  Nice to have the option to downgrade!!
 

Offline hv222

  • Contributor
  • Posts: 47
  • Country: pl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #547 on: December 27, 2018, 03:56:22 am »
Complete front-end schematic for CH1. CH2 is similar, but has different connections going to other blocks in the scope.
 
The following users thanked this post: ginbot86, bitseeker, FERCSA

Offline TK

  • Frequent Contributor
  • **
  • Posts: 792
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #548 on: December 27, 2018, 06:11:22 am »
I tested the bandwidth after installing the FERCSA hack on the EDUX-1002G unit.  It has the DSOX-1102G front end mod.

-3dB is around 150-160MHz

It can reliably measure frequency up to 360-380MHz but with significant signal attenuation.
 

Offline FERCSA

  • Contributor
  • Posts: 27
  • Country: hu
    • www.fercsa.com
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #549 on: December 27, 2018, 09:05:14 am »
I tested the bandwidth after installing the FERCSA hack on the EDUX-1002G unit.  It has the DSOX-1102G front end mod.

-3dB is around 150-160MHz

It can reliably measure frequency up to 360-380MHz but with significant signal attenuation.
Did you replace the LP filter too? After the LMH6552, because 150-160MHz is a little bit low, I can measure a 200-205MHz pulse without any attenuation. Unfortunately I can't go above this right now, but it looks like the scope still has some juice in it.

I had to dig into my notes, but I found it, so these are the components that I used:
LQP18MN47NG02D (47nH)
CL10C4R7BB8NNND (4.7pF C0G)
 

