Author Topic: EEVblog #978 - Keysight 1000X Hacking  (Read 212899 times)

0 Members and 3 Guests are viewing this topic.

Offline TK

  • Super Contributor
  • ***
  • Posts: 1617
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #500 on: May 31, 2018, 10:35:44 am »
The 100MHz option is a software enabled option with the same hardware ID (resistors ID), so the only way I know to go to 200MHz is the infiniivision.lnk method.  But it enables some sort of experimental version with 200MHz but no other options are enabled.  It also shows the unfinished firmware error message.
 

Offline Reprobyte

  • Contributor
  • Posts: 25
  • Country: gb
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #501 on: June 04, 2018, 01:54:59 am »
The 100MHz option is a software enabled option with the same hardware ID (resistors ID), so the only way I know to go to 200MHz is the infiniivision.lnk method.  But it enables some sort of experimental version with 200MHz but no other options are enabled.  It also shows the unfinished firmware error message.

So I can buy the DSOX1102G 70Mhz and get it to 100Mhz without any resistor mods or opening the unit at all, software only? Can you link me I can't find it in this massive thread
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1617
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #502 on: June 04, 2018, 10:35:46 am »
Sorry if it was confusing... there is no good software hack at this moment.  The only one is the 200MHz experimental version option and I found it to be unreliable.  You are stick with 70MHz, but the scope should be good for viewing 100MHz signals with attenuation.
 
The following users thanked this post: Reprobyte

Offline Reprobyte

  • Contributor
  • Posts: 25
  • Country: gb
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #503 on: June 04, 2018, 04:14:53 pm »
Ah ok, I understand, thank you!
 

Offline jmw

  • Regular Contributor
  • *
  • Posts: 158
  • Country: us
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #504 on: June 06, 2018, 01:15:05 am »
What is the procedure for poking around the internal WinCE filesystem? The 2000/3000 hacking thread talks about telnet but that doesn't seem possible with the 1000.

I'm curious if the 1.10 firmware release from March means anything interesting for software hacks since it's a full firmware image you can download.
 

Offline Cesarsound

  • Contributor
  • Posts: 9
  • Country: br
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #505 on: June 09, 2018, 08:31:40 pm »
I have read all this thread and the conclusion is that it is not possible to hack the DSOX1000 in a reliable and easy way, as it is in Rigol, Hantek and others. Unfortunately :(  :-\
« Last Edit: June 09, 2018, 08:33:27 pm by Cesarsound »
 

Offline luiz_aug

  • Contributor
  • Posts: 9
  • Country: br
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #506 on: July 27, 2018, 06:02:29 pm »
I read something about a "time travel glitch", to enable the re-activation of the serial decode free 30-day trial license:

https://www.eevblog.com/forum/testgear/time-travelling-on-my-keysight-edux1002g/msg1280254/#msg1280254
https://www.eevblog.com/forum/testgear/problems-registering-promotional-dsox1102g/msg1257164/#msg1257164

Has someone tried this with the latest firmware ? My unit is in transit, I would like to know if this feature will be available...
 

Offline ginbot86

  • Contributor
  • Posts: 28
  • Country: ca
  • 0x9000
    • My tech blog documenting whatever weird electronic things I feel like doing.
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #507 on: August 03, 2018, 07:16:39 am »
I've been curious about accessing the file system as well. Having crashed the InfiniiVision software on the scope a few times before, I've noticed that a mouse pointer becomes visible (and usable, but no Windows CE features are accessible). Additionally, I find that if I boot the scope with a USB floppy drive, it crashes as well... but the Windows CE desktop and taskbar become visible for a very short period of time before the "InfiniVision encountered an unexpected error" screen takes over.

In all honesty I don't care for the bandwidth upgrades, I just want to be able to muck around in Windows Explorer.  :-DD
Code: [Select]
Initialization Failed: Insufficient caffeine in system.
 

Offline ginbot86

  • Contributor
  • Posts: 28
  • Country: ca
  • 0x9000
    • My tech blog documenting whatever weird electronic things I feel like doing.
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #508 on: August 29, 2018, 03:25:59 am »
I was having some more fun with the oscilloscope, and it appears that the Windows CE desktop shell is hidden but active soon after the splash screen appears, and it accepts keyboard input for a brief period of time. I suspect that there is some hidden hardware or software command that switches the oscilloscope's display framebuffer between Windows CE's and what I presume is the MegaZoom IV ASIC, which would explain why the WinCE desktop appears very briefly before crashing.

Pressing the Windows key and U (the shortcut for Windows CE's Suspend option in the Start menu) causes the oscilloscope to hang; note that this is NOT Windows+U, each key is pressed separately. If I use Windows and R to bring up the Run dialog, I can blindly type rebootinfiniivision and the oscilloscope reboots.

This would require further investigation, but this potentially opens the scope up to (non-permanent) infiniivisionLauncher.exe command-line hacks used on the 2000X/3000X series. (see https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg347345/#msg347345)
Code: [Select]
Initialization Failed: Insufficient caffeine in system.
 

Offline markus-k

  • Supporter
  • ****
  • Posts: 24
  • Country: de
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #509 on: August 29, 2018, 09:03:57 am »
I also recently discovered that you can crash the scope via the USB interface. I was having a play with pyvisa and the scope suddenly locked up after sending some badly formatted commands. I wasn't able to reproduce it yet, but maybe there is some kind of buffer overflow hiding there. Needs some further investigation.
 

Offline ginbot86

  • Contributor
  • Posts: 28
  • Country: ca
  • 0x9000
    • My tech blog documenting whatever weird electronic things I feel like doing.
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #510 on: August 29, 2018, 09:50:31 am »
The USB interface(s) on the scope seem to be pretty sensitive to errors. I've managed to crash the scope before by wiggling a USB drive in the front socket (although other times it just disables it until a power cycle).

I built a USB A/B switch cable so I can boot the scope with a USB floppy drive to crash the InfiniiVision software, then switch over to the keyboard and enter commands. In one example, I was able to open Control Panel in WinCE. Soon after the splash screen appears and the front panel LEDs begin cycling, I press Windows, S (for Settings) then C (for Control Panel); the crash handler goes fullscreen within one frame so I can't actually do much past this without an automated USB keyboard emulator - time to break out a nice USB-capable microcontroller! It appears that the crash handler does a pretty good job of blocking me from the Windows GUI but taking slow-motion captures of the screen have allowed me to begin probing into the layout of Windows CE inside the scope.

I think this could be a dedicated topic on its own (or at least a series of blog posts for me)...

Code: [Select]
Initialization Failed: Insufficient caffeine in system.
 
The following users thanked this post: lowimpedance, JPortici

Offline ginbot86

  • Contributor
  • Posts: 28
  • Country: ca
  • 0x9000
    • My tech blog documenting whatever weird electronic things I feel like doing.
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #511 on: August 30, 2018, 09:34:14 pm »
It's done! I have managed to gain full WinCE GUI access. Now I can use my oscilloscope as a very expensive PDA...  :scared:

Details to come, but one key part was using my Sony Clie NX73V's Data Import (USB drive emulation) mode which seems to crash InfiniiVision, but also make the crash handler think the firmware is corrupted. This brings us a Windows Explorer-esque prompt, and after entering "*.lnk" and opening a specially crafted .lnk to a batch file, the crash handler is taken down and a quick-and-dirty program I wrote restores the taskbar that the crash handler disabled.

Also, it appears the InfiniiVision Launcher hack on the 2000/3000 series might not be usable (or at least I haven't bothered testing this yet). The shortcut itself in the latest firmware (01.10.2018012838) \Secure\Startup\infiniivision.lnk is zero bytes, just like in the .ksx update package.
« Last Edit: August 30, 2018, 10:36:21 pm by ginbot86 »
Code: [Select]
Initialization Failed: Insufficient caffeine in system.
 
The following users thanked this post: skander36

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3226
  • Country: ca
  • Living the Dream
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #512 on: August 31, 2018, 12:56:13 am »
Hah, that is pretty cool!
I thought the .lnk was already tested and proven to not work on the 1000X series. Or maybe it will but nobody has patched the runtime yet.
I wonder what other WinCE devices your crashing technique might be able to be used on :)
VE7FM
 

Offline ginbot86

  • Contributor
  • Posts: 28
  • Country: ca
  • 0x9000
    • My tech blog documenting whatever weird electronic things I feel like doing.
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #513 on: August 31, 2018, 02:22:50 am »
Given that the 1000X series derives its functionality from the same InfiniiVision software used on their higher tier scopes, I bet other models might be susceptible to a similar glitch. I don't have any other models to test, however.

I apologize for the (maybe excessive) updates, but I must say this... Yes, it runs Doom!
Code: [Select]
Initialization Failed: Insufficient caffeine in system.
 

Offline lowimpedance

  • Super Contributor
  • ***
  • Posts: 1093
  • Country: au
  • Watts in an ohm?
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #514 on: August 31, 2018, 03:00:01 am »
I apologize for the (maybe excessive) updates, but I must say this... Yes, it runs Doom!
No need to apologize ... DOOM on a scope how cool is that  :-+
The odd multimeter or 2 or 3 or 4...or........can't remember !.
 
The following users thanked this post: ginbot86

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3226
  • Country: ca
  • Living the Dream
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #515 on: August 31, 2018, 03:36:01 am »
A USB floppy plugged into my 3000t when powered on causes it to restart over and over, the screen is never initialized though. If you then unplug the floppy it boots with an error. My other WinCE devices ignored the floppy.
VE7FM
 

Offline ginbot86

  • Contributor
  • Posts: 28
  • Country: ca
  • 0x9000
    • My tech blog documenting whatever weird electronic things I feel like doing.
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #516 on: August 31, 2018, 03:38:08 am »
Does the floppy drive work if the scope is already powered on? On my scope it enumerates as "Floppy Drive" and is usable like any other mass storage (minus the crash on boot).
Code: [Select]
Initialization Failed: Insufficient caffeine in system.
 

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3226
  • Country: ca
  • Living the Dream
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #517 on: August 31, 2018, 03:52:46 am »
Does the floppy drive work if the scope is already powered on? On my scope it enumerates as "Floppy Drive" and is usable like any other mass storage (minus the crash on boot).

I tried it on a 3000A and 3000T, the floppy doesn't appear to be supported under either if connected after boot. On the 3000A I do get a screen saying it is checking the file system integrity and that it will restart if it is connected when it is powered on. While at that screen there is a mouse pointer if I have a USB keyboard/mouse connected. I haven't noticed it accepting any keyboard commands but if the timing was right it might. I suppose on the 3000 series it isn't needed anyway so lets get back to the 1000X show. Looking forward to seeing what you do next.
VE7FM
 

Offline ginbot86

  • Contributor
  • Posts: 28
  • Country: ca
  • 0x9000
    • My tech blog documenting whatever weird electronic things I feel like doing.
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #518 on: October 17, 2018, 06:52:42 pm »
« Last Edit: October 17, 2018, 10:06:45 pm by ginbot86 »
Code: [Select]
Initialization Failed: Insufficient caffeine in system.
 
The following users thanked this post: tv84, JPortici

Offline FERCSA

  • Contributor
  • Posts: 39
  • Country: hu
    • www.fercsa.com
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #519 on: October 28, 2018, 10:53:19 pm »
Hi!
I got a basic EDUX model to play with and ofc run DOOM on it 8)
Before I made any software modification I would you like to make some necessary hardware mod.
I already gather every components for the ext. trigger region, but I have trouble with the generator area.
Someone can help me identify the components for it? Unfortunately nor TK's, nor Dave's pictures are sharp enough on that area.
For starter a good picture would be helpful.

Thanks!
Don't ask. I'm the same guy who gave you ultra fast internet in the '00s..
#FERCSA
 

Offline skander36

  • Regular Contributor
  • *
  • Posts: 236
  • Country: ro
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #520 on: November 01, 2018, 12:53:59 pm »
Hi,
Ask directly users TK or HV22 about values used .
But until you will not remove the limiter circuit from frontend you will not see any improvement on screen .

Good luck !
 

Offline FERCSA

  • Contributor
  • Posts: 39
  • Country: hu
    • www.fercsa.com
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #521 on: November 04, 2018, 10:55:11 am »
I already see a few improvements just changing the product config from 21 to 23.

Increased bandwidth from 50Mhz to 70Mhz with 2GSa/s sample rate, enabled segmented memory(SGM), mask testing(MASK) and also SPI decoding if you have a installed licence.

Of course hardware self test gonna fail, because the lack of ext. trigger circuity. Just until I add every missing parts, already on order.

Or do you mean more bandwidth than 70Mhz? because that's right, but I'm already happy with it, EDUX series just limited as ..
Don't ask. I'm the same guy who gave you ultra fast internet in the '00s..
#FERCSA
 

Offline skander36

  • Regular Contributor
  • *
  • Posts: 236
  • Country: ro
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #522 on: November 04, 2018, 12:11:53 pm »
Yes , I mean bandwidth , you see any improvement from 50 to 70 ? 
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1617
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #523 on: November 04, 2018, 03:44:02 pm »
 

Offline skander36

  • Regular Contributor
  • *
  • Posts: 236
  • Country: ro
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #524 on: November 04, 2018, 04:35:17 pm »
« Last Edit: November 04, 2018, 04:37:02 pm by skander36 »
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf