Author Topic: EEVblog #978 - Keysight 1000X Hacking  (Read 136629 times)


Online TK

  • Super Contributor
  • ***
  • Posts: 1029
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #600 on: March 25, 2019, 01:31:16 am »
I am noticing a triggering issue on my EDUX1002G.  I generate a 1 MHz square wave (it is the same with sinewave), 3.3Vpp, 0V offset.  Edge trigger set to 0V.  It is showing a 350mV -2ns offset from the center (0V, 0ns).  User calibration runs successfully.  I modded this scope from the EDUX to the DSOX frontend.  Any suggestions on what should be changed / calibrated to make it trigger correctly?



 

Offline hv222

  • Regular Contributor
  • *
  • Posts: 53
  • Country: pl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #601 on: March 25, 2019, 05:35:13 am »
I'm not sure, but it probably can be adjusted with probe calibration - delay calibration.
 

Offline Cesarsound

  • Newbie
  • Posts: 4
  • Country: br
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #602 on: March 25, 2019, 08:17:53 am »
FERCSA HACKING firmware.

Some more testing after the hacking of DSOX-1102G. Frequency signal generated by a Si5351 (clock generator up to 225MHz).
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 3211
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #603 on: March 25, 2019, 08:45:27 am »
The notation of MHz units is really weird in the frequency counter in the screen left bottom.
 

Offline bitseeker

  • Super Contributor
  • ***
  • Posts: 7297
  • Country: us
  • Lots of engineer-tweakable parts inside!
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #604 on: March 25, 2019, 01:58:35 pm »
Wow, you're right on that. It's not like it's using fixed-location neon, incandescent or LED annunciators. Very weird.
I TEA.
 

Offline Cesarsound

  • Newbie
  • Posts: 4
  • Country: br
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #605 on: March 25, 2019, 02:29:17 pm »
Wow, you're right on that. It's not like it's using fixed-location neon, incandescent or LED annunciators. Very weird.
It seems that this was done by the trainee or by a person who is not from the telecom area.
 

Offline skander36

  • Regular Contributor
  • *
  • Posts: 72
  • Country: ro
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #606 on: March 25, 2019, 11:42:17 pm »
Hi TK,
Mine (EDUX1002A) shows the same, and is not modded in any way. It just passes user calibration.
Below is a Rigol 2102E, software modded (licenses).
I did not use Keysight probes, just a coaxial cable from generator to scope.
 
The following users thanked this post: TK

Offline Bud

  • Super Contributor
  • ***
  • Posts: 3211
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #607 on: March 31, 2019, 12:59:18 pm »
Schematic of function generator and group of components located between analog front-end and function generator. This group probably handles the signal offset and part of user calibration. Some power supply components like ferrite beads and decoupling capacitors can be missing in power supply lines. I would appreciate it if someone can measure capacitor and inductor values in the function generator. Is amplitude of generated signal constant while changing frequency? I added the generator function to my scope, but the signal shape is not satisfactory :(

U31 and U33 are SN74HCT04PW
U46 and U47 are TL274

@hv222 There seemed to be an error in the Gen schematic, the common contacts of the output relay should be swapped, otherwise the Gen output would never connect to the BNC panel connector. I have attached a corrected schematic.
 
The following users thanked this post: hv222

Offline Mwyann

  • Newbie
  • Posts: 1
  • Country: fr
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #608 on: May 13, 2019, 05:40:31 am »
FW v1.1: https://bit.ly/dsox1102hack
MD5: ad84976ff2f5b044a21020436751c5c3

Any chance of having the Power application working?
« Last Edit: May 13, 2019, 05:42:28 am by Mwyann »
 

Offline newbie666

  • Regular Contributor
  • *
  • Posts: 57
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #609 on: May 17, 2019, 07:30:48 am »
Hi, I'm about to buy an EDUX102G but I'm still unclear about one thing: will I need an external trigger hack to enable SPI decoding with FERCSA hacked firmware?
 

Online TK

  • Super Contributor
  • ***
  • Posts: 1029
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #610 on: May 17, 2019, 09:27:30 am »
You can do SPI decoding with 2 analog inputs.  You will have to set to timeout instead of CS or ~CS (not CS). 
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 3211
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #611 on: May 20, 2019, 03:28:40 pm »
You also need to modify memory U701. MAC is located in this flash at address 0x070000 to 0x070005 (6 bytes). MAC is not programmed by default - its value is 0xff 0xff 0xff 0xff 0xff 0xff.
Is that the right address? ....Seems to be located in a big chunk of unused space in the flash filled with  FF.
 

Offline hv222

  • Regular Contributor
  • *
  • Posts: 53
  • Country: pl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #612 on: May 21, 2019, 12:36:32 am »
You also need to modify memory U701. MAC is located in this flash at address 0x070000 to 0x070005 (6 bytes). MAC is not programmed by default - its value is 0xff 0xff 0xff 0xff 0xff 0xff.
Is that the right address? ....Seems to be located in a big chunk of unused space in the flash filled with  FF.
As I remember it was away from any other data in memory.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 3211
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #613 on: May 21, 2019, 11:49:45 am »
...However at address 0x03E766 I have
Quote
ethaddr=00:03:D3:04:XX:XX.ipaddr=192.168.1.5

where I blanked the last two octets with XX:XX. Seems they do set MAC in the SPI flash. Do you have that in yours? (this is for the EDUX100A)
 

Online TK

  • Super Contributor
  • ***
  • Posts: 1029
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #614 on: May 21, 2019, 12:38:16 pm »
You also need to modify memory U701. MAC is located in this flash at address 0x070000 to 0x070005 (6 bytes). MAC is not programmed by default - its value is 0xff 0xff 0xff 0xff 0xff 0xff.
Is that the right address? ....Seems to be located in a big chunk of unused space in the flash filled with  FF.
MAC address is set in the SPI flash chip.  I think it is the right address, and FF means MAC address is not configured.  I decoded it using a logic analyzer.
 
The following users thanked this post: Bud
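
Added example, not part of any post above and not code from the forum members: one way to check a SPI flash dump for both MAC locations discussed in replies #611 to #614, the raw 6-byte field at 0x070000 and the ASCII `ethaddr=` entry. The dump is constructed; the last two MAC octets (AA:BB), the 512 KiB image size and the NUL separator after the `ethaddr=` value are assumptions.

```python
import re

MAC_OFFSET = 0x070000  # raw 6-byte MAC field offset quoted in the thread
MAC_LEN = 6
# ASCII environment entry of the form ethaddr=AA:BB:CC:DD:EE:FF
ETHADDR_RE = re.compile(rb"ethaddr=((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")


def read_mac_field(dump, offset=MAC_OFFSET):
    """Return (mac, programmed) for the raw field, or None if the dump is too short."""
    field = dump[offset:offset + MAC_LEN]
    if len(field) < MAC_LEN:
        return None
    # Erased flash reads back as 0xFF, so six 0xFF bytes mean "never written".
    programmed = field != b"\xff" * MAC_LEN
    return ":".join(f"{b:02X}" for b in field), programmed


def find_ethaddr_entries(dump):
    """Return [(offset, mac)] for every ethaddr= string found in the dump."""
    return [(m.start(), m.group(1).decode("ascii").upper())
            for m in ETHADDR_RE.finditer(dump)]


def summarize(dump):
    """Combine both checks and flag a raw field that disagrees with the env string."""
    raw = read_mac_field(dump)
    env = find_ethaddr_entries(dump)
    conflict = bool(raw and raw[1] and env
                    and raw[0] not in {mac for _, mac in env})
    return {"raw_field": raw, "env_entries": env, "conflict": conflict}


def build_sample_dump():
    """Constructed 512 KiB image: all 0xFF except one env string (AA:BB is made up)."""
    dump = bytearray(b"\xff" * 0x080000)
    # Assumption: entries are NUL-terminated (shown as '.' in the quoted hex view).
    env = b"ethaddr=00:03:D3:04:AA:BB\x00ipaddr=192.168.1.5\x00"
    dump[0x03E766:0x03E766 + len(env)] = env
    return bytes(dump)


if __name__ == "__main__":
    result = summarize(build_sample_dump())
    print("raw field @0x%06X:" % MAC_OFFSET, result["raw_field"])
    for off, mac in result["env_entries"]:
        print("ethaddr= @0x%06X: %s" % (off, mac))
    print("conflict:", result["conflict"])
```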

Offline FERCSA

  • Contributor
  • Posts: 35
  • Country: hu
    • www.fercsa.com
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #615 on: May 27, 2019, 05:06:34 am »
Any chance of having the Power application working?

I have to take a look one more time in the future. Last time (it was way back in winter) I didn't find anything useful, but I have to admit I don't spend too much time with it.
Also I tried to enable the packet lister menu without any luck. But I made some attempt to hijack some of the push buttons which was successful. So I have to find a way to connect the "dots". After all it looks promising, but currently I don't have time for it.

Don't ask. I'm the same guy who gave you ultra fast internet in the '00s..
 #FERCSA
 

Offline jonnyEV

  • Newbie
  • Posts: 1
  • Country: gb
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #616 on: Yesterday at 06:22:22 am »
Hi, - I'm in the same situation as you - just purchased a stock 1102g,

I'm struggling with a few things regarding this hack

Firstly, if coming from a 1102g do I need to do any hardware hacks?
Is the firmware hack reversible? (Where would I find the original firmware?) Is it easily changed?
Primarily I want to do this hack to get serial decode - but see people/screenshots suggest this unlocks lots (dozens) of licenses including PWR (albeit with some issues), Advanced maths etc. Is it just me, but I can't find any info on all these applications. It sounds great to open up all this functionality but I was under the impression that the only options are serial and CAN bus. Love to know what these all are

Finally, and this is the real killer, the firmware link v1.1 bitly seems dead. I will DM the original poster about this but thought I'd ask here as you seem to have done this the most recently and suggest it was really simple

Cheers
Jon



 

Online TK

  • Super Contributor
  • ***
  • Posts: 1029
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #617 on: Yesterday at 07:11:47 am »
If you have the stock 1102G, you don't need any hardware mod.  Firmware hack is 100% reversible by installing the latest firmware from Keysight, you don't need to go back to old firmware.
 

