EEVblog #978 - Keysight 1000X Hacking

[rg58]

Thanks Bud!

That sizes looked odd to me as well, but I never changed anything manually - no idea why all this is in there. It must come from somewhere on the Flash itself? Or was it overridden by the Firmware update? Then again, it's not what I found inside 'envVars.txt'.

Just checked the content of my FLASH dump and everything you mentioned looks correct in there, totally different from what 'printenv' spits out.

What happened was that I externally programmed the FLASH chip for a 2nd time after a change, but for some reason (or my stupidity) my software calculated the CRC32 wrong this time, hence I got an error on the next boot. (This was AFTER I notice that Cal data was already lost) So I assume this is another old copy from somewhere that the OS put in place. The whole thing looked like this:

Code: [Select]

U-Boot 2010.03 (May 18 2017 - 11:28:22)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  fsmc-ecc1 128 MiB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
SerNum:serial number not programmed
Chip:  BD Board Rev: 4
Un-Protected 1 sectors
Erasing Flash...
. done
Erased 1 sectors
Writing to Flash... done
Protected 1 sectors
Net:   unknown
BMP data is not valid. Use splash bmp
Press space to stop autoboot:  1

Will give it another try tomorrow. It's been a long day.

The 3rd soldering session on this little puppy, yaaaaayyy! Can't wait!

[rg58]

I have re-written the FLASH externally for the 3rd time now with my modified dump file - and corrected CRC32. This time it all went well, no CRC error on startup anymore. However, massive ECC errors kept rolling down my screen (after SER2 Serial Port, new baud rate:0x1c200...). I then YMODEMed my image (nk.nb0) once again to that RAM location and gave it another 'go'. Scope started up like it did before, after the same procedure.

Now I started the USB FW update from USB stick again. It aborted after only a few lines, again showing several ECC errors. I re-started the process, this time it looked much better. The scope then automatically rebooted, and voilà! Scope is alive! Turned it off/back on again, and it still is! Whoohoo!!

That was a very messy procedure I have to say, with a lot of unknown effects and unpredictable behaviors. It took me several hours, lots of trial and errors, to get the Firmware right. Oh well, at least it works now, so it was worth it in the end.

Now I would like to tackle one last thing: CALIBRATION

Screen currently comes up with:

"System concerns detected: Instrument is uncalibrated."

I tried User cal (after unlocking the protection), but it failed. I would have thought that the user should be allowed to calibrate his own instrument!? It's called "User cal" after all!

The zero-line on Y axis is now sitting on +1.0 div on Ch1 and +0.2 div on Ch2, both on the 5V setting (right after start-up). Changing input voltage settings, and the zero line is jumping up and down like crazy, should of course stay on the 0V center-line.

On the X-axis the 1kHz square wave looked OK. A 50 MHz sine wave has 20ns on the grid - so the time base is correct and doesn't need calibration. Looks like it's all about the voltages at different input divider settings over the whole frequency range, in this case from DC to 50 MHz.

Does anyone know at which address in the NAND the Cal data is stored? Maybe even the length, so I can dump it?

[Bud]

You need to upload a factory calibration file, without one your user cal will be failing. The problem is you do not have a network adapter. If i will have time tomorrow i will post how you could do it through usb.

[rg58]

That would be very helpful, Bud !

Many scopes suffer from corrupted NAND and lost their calibration data, so I guess their owners on this thread would be very happy to get their scopes working properly again.

[rg58]

Is there a way to boot WinCE from the p500> prompt?

[Bud]

Sorry took me a while to dig in my archive to get the files.
You may need a USB hub with a  keyboard/mouse. Unzip the files on a USB stick and run the .ksx from the scope update menu, it should drop to WinCE. Then you can remove the stick and connect it to the USB hub, and connect the hub to the scope. This will give you WinCE with a keyboard, Mouse and USB drive. From WinCE copy the factory cal file to \Secure\cal folder. You may not see that folder because it may be hidden but you can either unhide it or make WinCE display hidden files/folders (can't remember what I did), or I think running a Command Prompt and copying from there will copy to the hidden folder.
To reboot, type from Command Prompt rebootInfiniivision.exe

Reboot and run User Cal again, see if that helped.

[rg58]

Thanks for your effort, Bud! That looks very promising!

However, I am struggling since several hours now to get the scope to load the .ksx file. I'm getting:

'Error: The file did not load correctly.'

There was no 'errorLog.txt' on the USB drive either. This is the install logfile as defined in 'install.xml'. It didn't even run cehack.cmd as I tried to write a file before/after each step there (like: echo "0">\USB\step0.txt). So no execution, no log.

I have tried all kind of other things in the past few hours. Unpacked/re-packed it (with 2 different tools) and modified the 'install.xml' file. I changed ramdiskSize (in bytes) from 68MB to 32,16,8,4 and even 1 MB. I even took the original 'install.xml' (from the latest firmware update package that I had installed successfully) as a template to build something from scratch. Not even this succeeded.

My last attempt was only these few lines:

Code: [Select]

<?xml version="1.0"?>
<install>
<frameTarget>1002A</frameTarget>
<ramdiskSize>1048576</ramdiskSize>
<killProcess>infiniivisionLauncher.exe</killProcess>
</install>

I reduced ramdiskSize to only 1MB and changed target from 1000A to 1002A. Nothing helped.

This should at least get loaded without error and kill the launcher process (taken from the latest firmware .ksx) I believe.

UPDATE:

Code: [Select]

<?xml version="1.0"?>
<install>
<killProcess>infiniivisionLauncher.exe</killProcess>
</install>

No chance. I am out of luck, once again 

Did Keysight introduce some kind of signature validation, maybe?

[Bud]

Hm... try renaming .ksx to .cab

[rg58]

Nope. Didn't work. I renamed your .ksx file, just to rule out mistakes at my end.

[rg58]

It's not reading from the USB port for some reason. I see the files, but the LED on the stick doesn't blink.
Strange...

Update 1: Although it's possible that the file is simply too small, so the blinking isn't noticeable.

Just ran another Firmware update this way, and it worked. So there's no issue with the USB driver or something, it's something about this file. I'll investigate further.

Update 2: Unpacked and re-packed the original firmware and stored it as 'install.ksx'. It worked. So it's not the packing tool, not the file name and neither the .ksx extension. This firmware must somehow validate the update file, probably checking plausibility and whether it contains all files required or not.

I'll continue tomorrow.

[Bud]

What firmware version are you running?

[Bud]

Try the package from this post

https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg3702367/#msg3702367

I can't remember if it is the same one.

[rg58]

Exactly the same.

Now I've re-connected the UART cable again (why I didn't think of that earlier? ). I can now see what's happening. Seems the folks at Keysight changed the handling of the update file completely. It is unpacking install.xml but then looking for infiniiVisionSetup.cab although this is not even mentioned in install.xml at all. The chain goes on like this... Will try to make my way through this process and let you know my findings.

Current FW version is on the photo.

[Bud]

Is there only one way to run files from the scope menu? I do not have one handy to look. I mean if there is a generic file browser and a firmware update menu, then you should use the browser.

Also, do you put the file in the root of the usb drive? Can't remember if it would run from a subfolder.

[rg58]

I made it !!! Took me the whole day though...

Thanks Bud and Jason Gin (ginbot86) for this amazing job!

So here's the result of me analyzing the update process of the *.ksx file on this specific firmware version. It requires at least 1 specific signed file from the original update package, as well as some other minor additions and changes.

This is for firmware version 01.20.2019061038 and works on my EDUX1002A.

Instructions

- unzip the file and put it in a USB stick's root folder
- plug the USB stick in the scope
- press Utility -> File Explorer -> Press to go \usb
- select the unzipped *.ksx file from the USB root folder
- press Load File
- press OK

You will see a message on the screen. After a few seconds the LEDs on the scope should start blinking while another message appears. Then it should drop to a WinCE desktop. You can now connect a USB hub to the scope (after removing the USB stick). Connect mouse, keyboard and USB stick to the USB hub.

Use it at your own risk !

Feedback is welcome!

[Bud]

Interesting. On v1.21 and v1.22 my package runs as is.

Anyway, have you tried to run User calibration after implanting the factory cal file ?

[rg58]

Yes, user calibration worked! Forgot to mention that. The 0 line stays at 0 on all input settings. Just now I have measured the accuracy of DC input on Ch1 and 2 in the range 100mv to 30V. It is very accurate now! The trace and esp. DVM display on Ch1 was only off by tiny mV in comparison to my DMM.  The measured analog input bandwidth is 63 MHz (-3dB) on both channels.

I might look into hacking the specs now. Not sure what the front-end is capable of. Need to read through ~45 pages of this thread maybe. I think maybe increasing sample rate to 2GSa/s is the most feasible option.

Where did you get v1.21 and v1.22 from? Is it for the 1000x series? The latest that I found on the Keysight website is 1.20. 

[rg58]

[Bud]

OK thanks for confirming that calibration has worked, nice.
Can't remember re versions, may well be it was our "internal" forum versions 

Edit: or the versions for DSOX, not EDUX. But installing on EDUX may need the resistors mod performed, to update the scope ID.

[rg58]

I am not sure what the benefits would be to install a DSOX firmware on an EDUX scope. Is it worth the trouble?

[sprit]

I am not sure what the benefits would be to install a DSOX firmware on an EDUX scope. Is it worth the trouble?

If I remember correctly, this EDU line is limited by hardware. That means you have to modify both the hardware and the software. I think it's not worth it, but if it's for research purposes, then it's fine; who's going to stop you? Let's go!

[rg58]

Conversion successful! Was definitely worth it 

Thanks to everyone involved, especially Aussie-Dave, Bud and Daniel/Keysight of course for making this possible laissez-faire!

Did I already mention that KEYSIGHT makes great oscilloscopes?

I've read through all 47 pages of this thread. Few things I found a bit confusing/misleading/unclear/wrong, but I decided to give it a try.

Changed Product ID 20 => 23 by adding 1 resistor (after doing some calculations). Worked right away.

EDUX1002A - ID 20 - 50 MHz, 1 GSa/s (min 5ns/div), 100 kpts, no wave gen
DSOX1102A - ID 23 - 200 MHz, 2 GSa/s (min 2ns/div), 1 Mpts, no wave gen

After that I updated the FW with the *nicer* version from this thread.

The 'About' screen still shows the original model EDUX1002A, but 200 MHz underneath.

Result:
The sampling rate doubled from 1GSa/s to 2GSa/s and the minimum time base changed from 5ns to 2ns. The -3dB bandwidth increased from 63 MHz to 131 MHz with no further changes to the input stages or other hardware. The scope is now able to show sinus signals of up to approx. 280 MHz (input +10dBm/2.00Vpp @ 50 Ohm). At 100 MHz the attenuation/error is -1dB, at 150 MHz -4,7dB and at 200 MHz it is -14,4dB. Knowing those values, I can basically add those dBs to my future measurements at frequencies >100 MHz, given the input voltage is sufficiently high. So I think I will not be going through the hassle of modifying the input stages of CH1 & 2. The OpAmps are not easy to get here in Germany. I looked through all distributors, big and small, eBay, but they are only available at Mouser and DigiKey, making it very expensive (shipping from US/UK) or even impossible for me to order. So I think I'll pass on that one.

Note: All measurements taken with a Rohde & Schwarz signal generator (calibrated 2022), 1.5m RG58 BNC-cable, properly terminated with 50 Ohms at the scope input (BNC-T). Output level +10dBm (2.00Vpeak-peak) on 50 ohm. The flickering Vpp measurement of the scope might be the source of a small error (curve is not smooth). Scope has been re-calibrated (USER CAL) right before modification.

We must avoid running the USER CAL without doing any further hardware modification (adding missing components to the trigger stage, possibly more). The hardware self test fails with 'Self test failed (TrigComp & Mux)' and user calibration only fails with 'User Cal failed.' Running USER CAL on an incompletely modified/converted device results in (now permanent) storage of the failed calibration in the CAL STATUS dialog, plus a nag screen upon power-up, saying the unit is uncalibrated. The only way to get rid of this message again is to revert all changes, back to the original firmware AND revert changes to the resistor divider(s) for setting the product ID. The ID reversal in hardware might be the only thing required, but only reverting to the original software was not enough.

All in all...

Just beautiful!!!  Have I already mentioned that KEYSIGHT makes great oscilloscopes?