EEVblog #978 - Keysight 1000X Hacking

[sprit]

YOU ARE MY HERO BUD. OMG i cant believe that i can do it. Dammmm. What a long story

[sprit]

The usercal fail, maybe i need to restore to original uboot

[sprit]

After restoring uboot to original, the UserCal error continues to fail. I'll try looking around to see if anyone else has this problem.

[Bud]

The thick trace is worrying me. You may have lost your factory calibration data. This could have happened when you were dicking around with Uboot that had wrong checksum, which caused incorrect ECC being used, which caused more NAND corruption. Factory calibration is different from User calibration.

Post a screensot of a sinewave signal. Frequency does not matter.

[sprit]

Exactly, im lost my calibration data. Now i cant click on the user Cal button any more, its crash.

[Bud]

Find my post in this thread where i attached a file that drops the scope into Windows shell. Get the file and practice using it. Do not change anything in Windows, just practice to browse. Let us know when you are comfortable using it.

This is a lesson for all you people out there with itchy fingers: Do Not fuck around with trying to boot your scope if you see ECC  or FPGA errors. They must be fixed first, or you end up with Much worse situation.

Information how to change Uboot so it allows you to interrupt boot was posted in this thread, it is stunning that even instructions were provided, people still screw up.

[sprit]

Thanks Bud, I hope you enjoyed your weekend

I found it on page 32. And I tried to play around with this Windows CE. I saw you uploaded the UserCal data file, can I use that to fix the usercal crash error? I am not sure how I should load it.

Sincerely,
Feng

[Bud]

Do you have a USB hub ? So you can connect a keyboard and USB stick at the same time to the scope's front USB port.

[WS]

 Hi guys!  I've looked through all 46 pages of the forum, but I still don't understand what exactly I need to do to unlock it. Maybe someone who has already done it will write a brief instruction? I have 1002g. I want to increase memory depth and frequency. Is it enough to install this Bud1M firmware (https://drive.google.com/file/d/18rneopltnhKJXVuLmHV0LoR19JnQlt2g/view?usp=drive_link) or do I need to solder resistors or something else? Thanks!

[Anthocyanina]

after quite some time, and a bunch of failed boots, and freezes, and probing around, i noticed that the screws on the BLT module can screw in more than enough to just keep the module in place. upon noticing this, i decided to try removing the module and just put it in lightly, and screw it in just barely a touch past the screws making contact with the module, and well, ever since then it has been working fine. i've left it on for many hours at a time, ran self test multiple times, user cal, probed stuff with it, and it's been so long, and it has not failed a single boot, or frozen, or anything weird. I guess all this was just caused by overtightening the screws?

whatever may have been happening, it think i'm comfortable saying it's fixed now. did i fix it? i wouldn't say so because i don't have absolute certainty of what the problem was, but be it me, or random chance, or whatever, it works again! now i just need to get the USB power switch IC and hope i don't kill it when i solder that in! 

[hakatu]

Hi,

My EDUX1002G keep saying "P-clock failure", and when I use wavegen it says "too high voltage".

I updated the firmware and did a hardware selftest where it failed at "ADC Trigcomp & Mux". When powered on, the DSO keeps ticking the sound of trigger.

Any ideas what's going on with the scope? I attached the image for reference.

Thank you

[sprit]

hi ws

I will send the unlock file link tonight. You just need to download, copy to usb then plug into the usb port of the oscilloscope and proceed to update. All features will be unlocked.

[sprit]

Hi hakatu

This is a hardware issue. If possible, you should reflow the ADC or send it to a local repair service.

[hakatu]

Is it possible to know which ADC to reflow on the PCB? There's one on the 2nd channel that makes the relay of that channel ticking.

[effeffe]

EDUX1002A to DSOX1102G ，11th order Butterworth filter，the parameters are not from DSOX1000G or EDUX1000G。

What are the values of the other resitors and capacitors that are unmarked? Sorry about this, bu t I'm getting a tad crazy after accidentally ordering the wrong components values and size...

[kalustian]

Can't find FERCA's latest hack version for 1102G. Is that 1.2 version ? can you please point me into the right link download ? I am looking for the full upgrade hack- thanks

Only found below link, but not 100% sure if it is the right one or not. Please advise.

https://mega.nz/file/vcF0zZ5Z#6B3GNsS3t1eJuQx6uP3YR7wk3dpoAewSRzmdZuL2szY

[Anthocyanina]

since this basically became the 1000x discussion thread as well as the hacking thread, i'll ask here. I just saw this post https://www.eevblog.com/forum/testgear/upgraded-sdg1000x-plus-awgs-coming/msg5944558/#msg5944558 where this person shows their square waves in their 1204 scope, and i noticed the trace was quite sharp, and remembering my 1102g doesn't have such thin traces, i wonder if this is normal. maybe their 1204 is a lower bandwidth version?

so, could anyone with a healthy 200MHz version of the 1102 show me how their 10MHz square wave looks like on these settings? (20ns/, 1V/, 2.3Vpp, no BW limit, no averaging, all channels turned on)

thank you!

[rg58]

Sorry to bring up this thread again, but this is probably the most comprehensive thread on this scope.

I am seeing the same error messages as @sprit (ECC errors, FPGA failed) and was unable to fix it, even with all the information provided here.

Seems I have a damaged NAND chip U702 (NQ277 = MT29F1G08ABADAH4-IT:D = 1Gb NAND Flash)

It could be the BGA soldering.

Trying to write data to the NAND via CLI:

printenv:
...
nimages=1
image1=0xd0400000
fsstart=0x2c00000
...

p500> mm 800000
00800000: ffffffff ? 11223344
<CTRL+C>
p500> md 800000
00800000: 11223344 ffffffff ffffffff ffffffff    ................

p500> nand write 800000 400000 4

NAND write: device 0 offset 0x400000, size 0x4
Attempt to write non page aligned data
 4 bytes written: ERROR
 
p500> nand read 800000 400000 80
p500> md 800000
00800000: ffffffff ffffffff ffffffff ffffffff    ................

p500> nand write 800000 400000 10

NAND write: device 0 offset 0x400000, size 0x10
Attempt to write non page aligned data
 16 bytes written: ERROR

p500> nand write 800000 400000 20

NAND write: device 0 offset 0x400000, size 0x20
Attempt to write non page aligned data
 32 bytes written: ERROR

Would someone be able confirm my assumption??? Is the NAND chip (or it's soldering) really damaged?

[Bud]

I think you are "holding it wrong". You cannot write arbitrary amount of data into NAND, you have to write an entire page. And before writing a page you have to erase it. You should be able to find page size during boot, i think it is printed out at the very beginning.
Warning: you may totally mess your scope up with NAND erase/write and lose factory calibration.

[rg58]

Thanks, Bud! Especially for the warning, I am aware of that. Few people on here screwed up their scopes that way.

The NAND datasheet says:
Page size x8: 2112 bytes (2048 + 64 bytes)

Code: [Select]

...
p500> nand write 800000 400000 840
NAND write: device 0 offset 0x400000, size 0x840
Attempt to write non page aligned data
 2112 bytes written: ERROR
 
p500> nand write 800000 400000 800
NAND write: device 0 offset 0x400000, size 0x800
 2048 bytes written: OK

Ah, there you go!

Code: [Select]

p500> nand read 800000 400000 800
NAND read: device 0 offset 0x400000, size 0x800
 2048 bytes read: OK
 
p500> md 800000
 
00800000: 11223344 ffffffff ffffffff ffffffff    D3".............

Yup, that worked!

Now again, if I try to read the FPGA region from the NAND:

Code: [Select]

fpgadata=0xd0060000
fpgasize=0x75394

p500> nand read 800000 60000 800

NAND read: device 0 offset 0x60000, size 0x800
failed: 359 357
NAND read from offset 60000 failed -74
 0 bytes read: ERROR

Is that because the ECC inside the NAND chip cannot recover the corrupted data? I had tried uploading both, the nk.nb0 and then the FPGA1000A.bin, but still getting the same FPGA and ECC errors. But maybe something else went wrong during the upload?

Would it be considered low-risk, trying to write 0x800 bytes of arbitrary data to 0x60000? I mean, it's corrupted anyway....

[rg58]

I managed to update the FPGA section. The key was to FIRST load the FPGA to RAM, SECOND to load the image to RAM, THEN execute 'go 0x00362000' which will then (in the process) write those RAM contents to the NAND (how I understand it).

After the scope booted from RAM after the 'go' command, I initiated the FW update from the USB stick. In the process I already saw that the Cal data was lost.

Initializing FPGA...
************************************
Ver: 1.067 Released
************************************
Calibration mode User
Serial Number file isn't loaded, defaulting to 0
open FAILED
open FAILED
open FAILED
Cal Date Thu Jan 01 00:00:00 1970
Could not load valid cal factors
Startup sequence is complete.
System has been running 136.760651 seconds
Start Up Sequence 5.755151
Memory Load 47%
   System Physical Memory 33.941 / 73.465 MB
   Process Virtual Memory 42.438 / 1024.000 MB
-----> InfiniiVision is running <-----
failed open \Secure\InfiniiVision\LudicrousSpeed.usb


After power cycle, the machine hangs at:

U-Boot 2010.03 (May 18 2017 - 11:28:22)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  fsmc-ecc1 128 MiB
In:    serial
Out:   serial
Err:   serial
SerNum:serial number not programmed
Chip:  BD Board Rev: 4
Net:   unknown
BMP data is not valid. Use splash bmp
Press space to stop autoboot:  0
 no link
Using unknown device
TFTP from server 192.168.1.10; our IP address is 192.168.1.100
Filename 'nk.bin'.
Load address: 0x4000000
Loading: T T T T T T T T T T
Retry count exceeded; starting again
....(repeating)......

During update I saw this:

** BEGIN ** ProcessRecipeStep: \windows\loadP500Flash -u ceImage2 \TEMP\{0E75FAA6-D6F7-A209-56EA-023FE3820191}\nk.bin.comp
SHIM DLL, LoadRealDll [PalSysManagement.dll] for [AgilentPalSysManagement.dll]
SHIM [AgilentPalSysManagement.dll] Get Process Addresses
FWUpdate: image 2 value not defined
FWUpdate: image 2 value not defined
fwUpdateOffset error: Too Big Error
** END   ** ProcessRecipeStep: \windows\loadP500Flash -u ceImage2 \TEMP\{0E75FAA6-D6F7-A209-56EA-023FE3820191}\nk.bin.comp: 432 ms

p500> printenv
...
nimages=1
image1=0xd0400000
fsstart=0x2c00000
numfilesystems=1
lengthfilesystem1=0x5400000
lengthfilesystem2=0x0
...

Filesystem2 has length 0. I think this is why above error occured. It is missing 'image 2'.

When I first got this faulty scope, it always showed up as 1 filesystem only. So I believe it was messed up before, also no-one worked on it before.

Now, looking at my extracted *.ksx file, there is a file named 'envVars.txt' which contains:

nimages=2
image1=0xd0600000
image2=0xd1e00000

image1=0xd0600000 is also different from the current image1=0xd0400000

When I load 1e0 0000h from NAND into RAM, I only see FFFFFFFF...

When I load  40 0000h from NAND into RAM, I see my compressed image 'nk.bin.comp' (XPRS...)

When I load   6 0000h from NAND into RAM, I see my FPGA image 'FPGA1000A.bin' (ffffffff 665599aa....)

What goes into image2 and how do I get it in there?

[Bud]

Image2 is a copy of Image1. The idea was if Image1 fails, the scope would go load Image2. Simple redundancy.
Not sure why the scope now defaults to using tftp at startup. I would envprint and examine the logic to see why.

What scope model is it? Are you loading proper firmware?

[rg58]

Clever idea by the engineers to have a 2nd image for redundancy. But unfortunately this wasn't enough in this case. I wonder what happened to all those scopes of the same series, all showing the same corrupted file systems and failed redundancy images. Maybe the file system JFFS2 itself has some kind of bug? Or is it, because it runs on Bill's Windows? 

Anyway, I've YMODEMed the images over to RAM again, gave it a 'go', it booted, so I've done the FW update via USB stick again. Result is the same. It still gets stuck at the same point for several seconds, maybe even a minute, then tries to boot via TFTP. The USB stick is out btw.

It's an EDUX1002A. FW version I downloaded is '1000XSeries.01.20.2019061038.ksx'.

printenv

Code: [Select]

bootcmd=tftp 0x4000000 nk.bin;bootm 0xf8050000
ramboot=dhcp 0x4000000 nk.bin;bootm 0xf8050000
bootdelay=3
baudrate=115200
serverip=192.168.1.10
preboot=splash load;fpga;expi
gatewayip=192.168.1.10
netmask=255.255.255.0
usbtty=cdc_acm
fpgadata=0xd0060000
fpgasize=0x75394
splashdata=0xd0000000
dispParm1=0x300 0x400 0x2625A00 0x1 0x3
dispParm2=0x20 0x4c 0x1 0x2 0x3
boardversion=4
ps=0
rtc=0
erase_env=protect off 1:4;erase 1:4
store_uboot=protect off 1:1-3;erase 1:1-3;cp.b 0x800000 0xF8010000 ${filesize};p
rotect on 1:1-3;imi 0xF8010000
get_uboot_eth=dhcp 0x800000 u-boot_image.bin;run store_uboot
get_uboot_uart=loadb 0x800000 115200;run store_uboot
ethaddr=00:03:d3:04:10:00
serialnum=serial number not programmed
chipversion=BD
nimages=1
image1=0xd0400000
fsstart=0x2c00000
numfilesystems=1
lengthfilesystem1=0x5400000
lengthfilesystem2=0x0
ecc=1
verify=n
ipaddr=192.168.1.100
ethact=unknown

Environment size: 896/16380 bytes
p500>

No idea what's wrong with it. I am stuck at the moment.

[Bud]

Well it goes to tftp at boot because this is what bootcmd is telling it to do.
Change bootcmd=bootm 0xf8050000

[Bud]

BTW is that the right fpgasize? And lengthfilesystem1  size?  Seems too big to me.
For image 2 you can add environment variable image2=d1e00000.
And lengthfilesystem2 same size as lengthfilesystem1.