EEVblog > EEVblog Specific
EEVblog #978 - Keysight 1000X Hacking
EEVblog:
How to find and inspect hidden serial UART terminal ports inside equipment.
Dave finds the uBoot Windows CE UART part in the new Keysight 1000 X-Series oscilloscope and uses the info to find some of the product mode configuration pins. A hardware hack shows that changing product configuration modes in hardware is possible.
EEVblog:
Dump from a production DSOX1102G unit:
--- Code: ---U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Flash: 512 KiB
NAND: internal ecc 128 MiB
Debug serial initialized ........OK
RTC: 2024-16-10 7:86:38.44 UTC
Microsoft Windows CE Bootloader Common Library Version 1.4 Built May 7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008
PHY not found.
System ready!
Preparing for download...
RTC: 2024-16-10 7:86:38.44 UTC
Loading image 1 from memory at 0xD0600000
O
BL_IMAGE_TYPE_BIN
X
XXXXOOOOXXOOOOOOOOXOXOOOOOOOOXOOOXOOOOXXOOOOOOOOOXOOOOXOXXOXOXXOXOXOXOXXXXOOXXXOOOOOOXXOXXOXXXXXXOOOXXXOXXOOOXXXOXXOOOOXOOXXOOOXOOOOXOXOOOOOXOOOXOOXOXXOXOXXXXXXOXXXXOOOXOOOXOXOOOOXOOOOXOXOXOOOOOOXX
OOOXOOXOOOOXOOOOXOOXXOOXOOOOOOOOOXOOOOXOOOOOOXOXOOOOXOXOOOOOOOXXOOXOOXOXOOOXOOOXOOXXOXOXOOOXOXXXXXOXOXXXOXXXXOXOXXOOOXXXXOXXXXOXXXXXXXOXXXXXXOXXOXXOXXOOXXOXXXOXXXXOOOXXX
OOOXXXOXXOOXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXXXXOOOXOXOOXOOXXXXXXXXXXXXXrom_offset=0x0.
XXImageStart = 0x80361000, ImageLength = 0x1A80C40, LaunchAddr = 0x80362000
Completed file(s):
-------------------------------------------------------------------------------
[0]: Address=0x80361000 Length=0x1A80C40 Name="" Target=RAM
Loading image 1 succeeded.
ROMHDR at Address 80361044h
Preparing launch...
RTC: 2024-16-10 7:86:38.47 UTC
Launching windows CE image by jumping at address 0x 362000
Windows CE Kernel for ARM (Thumb Enabled) Built on Mar 8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Sep 28 2016)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000 size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers\Active\14
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200 (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
LAN PHY NOT detected.
DeleteP500EnetRegistry:
\Comm\GMAC 0x0
\Comm\GMAC1 0x0
\Comm\Tcpip\Linkage 0x0
\Drivers\Virtual 0x0
\Drivers\BuiltIn\LIN 0x5
LIN: Data Valid
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
Device load time:
NANDFLASH: 1 ms
SNANDFLASH: 1 ms
SHIM DLL, LoadRealDll [PalIO.dll] for [AgilentPalIO.dll]
SHIM [AgilentPalIO.dll] Get Process Addresses
LaunchInfiniiVision:
=========================================
BLT Product Config 24
Bandwidth : 200MHz
#Channel : 2
Board Rev : FPR
Clk Gating : Baldwin
Sample Rate : 4GSa
LAN PHY : No
BLT Module Config 02
Rev : LP3
Sample Rate : 5GSa/s
=========================================
BLT_PRODUCT_CONFIG_0, 1.251v, ID4
BLT_PRODUCT_CONFIG_1, 0.692v, ID2
BLT_MODULE_CONFIG_0, 0.687v, ID2
BLT_MODULE_CONFIG_1, 0.005v, ID0
CANINE_BOARD_REV, 0.002v, ID0
CANINE_MODEL_NAME: MARSUPIAL, 1.738v, ID6, MARSUPIAL
CANINE_EXTMODULE, 2.488v, ID8, SWID8
CANINE_MSO_REV, 0.628v, ID2, SWID2
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll]
SHIM [AgilentPalSStorage.dll] Get Process Addresses
Released build, Sep 28 2016, 00:17:51
Initializing FPGA...
************************************
FPGA Type: Marsupial
Ver: 1.067 Released
Build Time: Tue Jun 14 17:13:42 2016
Build Machine: 2UA5461ZWH
************************************
cMarsupialCalMgr::cMarsupialUserCalFactors::cMarsupialUserCalFactors size 146412
cMarsupialCalMgr::cMarsupialServiceCalFactors::cMarsupialServiceCalFactors size 704
cMarsupialCalMgr::cMarsupialFactoryCalFactors::cMarsupialFactoryCalFactors size 896
Calibration mode User
Recall \Secure\cal\FactoryCal2.dat - ok
Recall \Secure\cal\ServiceCal1.dat - ok
Recall \Secure\cal\UserCal8.dat - ok
Cal Date Sun Sep 25 15:11:58 2016
will do USB phy workaround: CheckCRC
Startup sequence is complete.
System has been running 16.841095 seconds
Start Up Sequence 7.470958
Memory Load 50%
System Physical Memory 36.441 / 73.465 MB
Process Virtual Memory 46.938 / 1024.000 MB
-----> InfiniiVision is running <-----
--- End code ---
vaualbus:
Where we find the photo of the early non production model?
sasquatch:
Is this Keysight trying to do a Rigol? An unauthorised yet acceptable hack?
EEVblog:
I've found the other product set resistors, playing now... :)
Navigation
[0] Message Index
[#] Next page
Go to full version