EEVblog #978 - Keysight 1000X Hacking

[hv222]

I'm not sure, but it probably can be adjusted with probe calibration - delay calibration.

[Cesarsound]

FERCSA HACKING firmware.

Some more testings after the hacking of DSOX-1102G. Frequency signal gererated by a Si5351 (clock generator up to 225MHz).

[Bud]

The notation of MHz units is really weird in the frequency counter in the screen left bottom.

[bitseeker]

Wow, you're right on that. It's not like it's using fixed-location neon, incandescent or LED annunciators. Very weird.

[Cesarsound]

Wow, you're right on that. It's not like it's using fixed-location neon, incandescent or LED annunciators. Very weird.

It seems that this was done by the trainee or by a person who is not from the telecom area.

[skander36]

Hi TK,
Mine (EDUX1002A) shows the same , and is not moded in any way. It just pass user calibration .
Below is a Rigol 2102E software moded (licenses).
I did not used Keysight probes , just a coaxial cable from generator to scope .

[Bud]

Schematic of function generator and group of components located between analog front-end and function generator. This group probably handle the signal offset and part of user calibration. Some power supply components like ferrite beads and decoupling capacitors can be missing in power supply lines. I will appreciate I someone can measure capacitors and inductors values in function generator. Is amplitude of generated signal constant while changing frequency? I add generator function to my scope, but signal shape is not satisfied

U31 and U33 are SN74HCT04PW
U46 and U47 are TL274

@hv222 There seemed to be an error in the Gen schematic, the common contacts of the output relay should be swapped, otherwise the Gen output would never connect to the BNC panel connector. I have attached a corrected schematic.

[Mwyann]

FW v1.1: https://bit.ly/dsox1102hack
MD5: ad84976ff2f5b044a21020436751c5c3

Any chance of having the Power application working?

[newbie666]

Hi, I'm about to buy an EDUX102G but I'm still unclear about one thing: will I need an external trigger hack to enable SPI decoding with FERCSA hacked firmware?

[TK]

You can do SPI decoding with 2 analog inputs.  You will have to set to timeout instead of CS or ~CS (not CS). 

[Bud]

You also need to modify memory U701. MAC is located in this flash at address 0x070000 to 0x070005 (6 bajts).Mac is not programmed by default - it value is 0xff 0xff 0xff 0xff 0xff 0xff. 

Is that the right address? ....Seems to be located in a big chunk of unused space in the flash filled with  FF.

[hv222]

You also need to modify memory U701. MAC is located in this flash at address 0x070000 to 0x070005 (6 bajts).Mac is not programmed by default - it value is 0xff 0xff 0xff 0xff 0xff 0xff. 

Is that the right address? ....Seems to be located in a big chunk of unused space in the flash filled with  FF.

As I remember it was away from any other data in memory.

[Bud]

...However at address 0x03E766 I have

ethaddr=00:03:D3:04:XX:XX.ipaddr=192.168.1.5

where I blanked the last two octets with XX:XX. Seems they do set MAC in the SPI flash. Do you have that in yours? (this is for the EDUX100A)

[TK]

You also need to modify memory U701. MAC is located in this flash at address 0x070000 to 0x070005 (6 bajts).Mac is not programmed by default - it value is 0xff 0xff 0xff 0xff 0xff 0xff. 

Is that the right address? ....Seems to be located in a big chunk of unused space in the flash filled with  FF.

MAC address is set in the SPI flash chip.  I think it is the right address, and FF means MAC address is not configured.  I decoded it using a logic analyzer.

[FERCSA]

Any chance of having the Power application working?

I have to take a look one more time in the future. Last time (it was way back in winter) I didn't find anything useful, but I have to admit I don't spend to much time with it.
Also I tried to enable the packet lister menu without any luck. But I made some attempt to hijack some of the push buttons which was successful. So I have to find a way to connect the "dots". After all it looks promising, but currently I don't have time for it.

[jonnyEV]

Hi, - Im in the same situation as you - just purchased a stock 1102g , 

Im struggling with a few things regarding this hack

Firstly, if coming from a 1102g do i need to do any hardware hacks?
Is the firmware hack reversible ?(where would i find the original firmware?) Is it easily changed
Primarily i want to do this hack to get serial decode - but see people/ screenshots suggest this unlocks lots (dozens)  of licenses including PWR. (albeit with some issues) Advanced maths etc. Is it just me but i cant find any info on all these applications. It sounds great to open up all this functionality but i was under the impression that the only options are serial and CAN bus. love to know what these all are

Finally, and this is the real killer the firmware link v1.1 bitly seems dead, I will DM the original poster about this but thought id ask here as you seem to have done this the most recently and suggest it was really simple

Cheers
Jon

[TK]

If you have the stock 1102G, you don't need any hardware mod.  Firmware hack is 100% reversible by installing the latest firmware from Keysight, you don't need to go back to old firmware.

[canteen234]

Can some one tell me working values to ID 23 I got my edux go to 70MHz 2GSa SGM etc but I cant get signal at all
I had 12k on top and 33k on bottom on left side set when connector is up of them so it should get 0.91V
EDIT: that were wrong but bith 15k and 15k I should get ID 24 and no signbal at all also trtied 12k and 8k but no signal either it was  0.98V

Thanks a lot I ll try those also it does put me think if I did actually change wrong resistor set since I didnt find pic what would say which one is ID0 and which one is ID1 but when I did look those values
maybe my 12k vas actually 121k so i did change wrong id bit.

Wait, so you replaced the left 2 resistors with 12k and 33K and your EDUX1002A now reads 70MHz? I've been looking through this forum and I would like to confirm before I commit.

[FERCSA]

New firmware available, v1.20 (1000XSeries.01.20.2019061038.ksx)

Release notes: https://www.keysight.com/upload/cmc_upload/All/Keysight_1000A_X_Series_Oscilloscope_Release_Notes_01_20.pdf

Looks like they don't made any effort to change over to linux.

If you revert back to the original firmware just use the original v1.10, until I update my code for the v1.20

[tudou2048]

EDUX1002A to DSOX1102G ，11th order Butterworth filter，the parameters are not from DSOX1000G or EDUX1000G。

[ted102]

Hello
I need to buy an oscilloscope , better after hacking EDUX1002A or DSOX1102A ??

You up Memory Depth(100 Kpts) in EDUX1002A to 1Mpts?

DSOX1102A  easier to hack ? i need only change software ?

[TK]

Hello
I need to buy an oscilloscope , better after hacking EDUX1002A or DSOX1102A ??

You up Memory Depth(100 Kpts) in EDUX1002A to 1Mpts?

DSOX1102A  easier to hack ? i need only change software ?

Better to hack EDUX1002A.  You get 1Mpts and you need more than a software hack.

[skander36]

Hello
I need to buy an oscilloscope , better after hacking EDUX1002A or DSOX1102A ??

You up Memory Depth(100 Kpts) in EDUX1002A to 1Mpts?

DSOX1102A  easier to hack ? i need only change software ?

Take into account that you will need hardware hack for EDUX . Software hack will not help you too much. Most of the functions will not work properly . If you do not do entire HW hack , auto calibration will not work .

[liuxingkeji]

Is this adding a signal generator function？

[tudou2048]

Yes,but it's not just a singnal generator,it's other parts

more:
https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/525/

The schematic diagram is from hv222