Author Topic: EEVblog #978 - Keysight 1000X Hacking  (Read 239004 times)

0 Members and 4 Guests are viewing this topic.

Offline hv222

  • Regular Contributor
  • *
  • Posts: 66
  • Country: pl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #675 on: May 04, 2020, 08:43:16 pm »
Do you have some experience with fan replacement in 1000x? I'm looking for silence one.
 

Offline markus-k

  • Supporter
  • ****
  • Posts: 24
  • Country: de
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #676 on: May 04, 2020, 09:08:28 pm »
I swapped mine for a Noctua fan. It’s a fairly simple task doesn’t even need breaking any seals. It’s still quite noticeable, but not nearly as loud as the original one. I later got another 1000X which already came with a much quieter fan, maybe just a little bit louder than the Noctua one. I feel like most of the noise is actually coming from the air being pushed through the vents, not the fan itself, so there isn’t much you can do really to get it super silent. But if anyone had success making a super silent 1000X, I’d be happy to hear.
 

Offline JDubU

  • Frequent Contributor
  • **
  • Posts: 364
  • Country: us
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #677 on: May 04, 2020, 09:47:53 pm »
I also switched to a Noctua fan (NF-A6x25 FLX) with the same result.

Since the air turbulence through the narrow fan guard slots in the plastic case is making most of the noise, I made the modification shown in the photo.  Much quieter!
It could possibly be improved a little bit further by doing the same mod on the air outlet vents (on the right side of the case) but I didn't want to go to that extreme.
« Last Edit: May 05, 2020, 07:48:20 pm by JDubU »
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 2354
  • Country: pt
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #678 on: May 31, 2020, 12:35:31 pm »
Hi,

This is my unassuming contribution to this thread that Dave started long ago. I'm sure that if he had had access to this table his life would have been a lot easier (but surely less fun!).  Nonetheless, and for historical/reference reasons, i attach below a table of all the IDs that the 1000X app code (WinCE and Linux) accepts.

(Don't bash me, i know that most of this information is now old news for the more knowledgeable.)

My analysis is based mainly on the appcode analysis and validated with all the information shared by all of you throughout this thread (specially with the videos that started all of this). Unfortunately, I don't have any of these instruments.

All the Product_Configs that are not in the table have no significance whatsoever and result in invalid configurations. (As you see, there aren't so many scenarios as one might think.)

As you all know, executing the resistors_mod sets the voltage levels read by ADCs 0-7 (ADC 4 value is not used anywhere in the code).

Of course, one thing that is possible to do with a software patch, that the resistors_mod is unable to achieve, is that, by tweaking the table params, we can further change the behavior of each Product_Config setup. With that we can try different configurations that have not been tried before...

I marked in red the 2 cases that Dave found strange in his video and the parameters, that in my analysis, affected them. For example, further sample rates of 2.5GHz could be attempted by placing 0 in the SampleRate field of the "usual" Product_Configs 21-24.

It's also perfectly visible which are all the configs "FPR (Final Production Run)".

WinCE versions only go up to Product_Config 27. The remaining ones are only visible in the new Linux software.

As a final note it seems the famous "Baldwin" is a reference to "Matt Baldwin" (whoever he is), according to some info inside the app.

If you see any errors please report. If you would like to test some software tweaks, maybe I can help.
« Last Edit: May 31, 2020, 04:05:59 pm by tv84 »
 
The following users thanked this post: oPossum, rbaleiro, bitseeker, FERCSA, wxqhigh

Offline wp_wp

  • Regular Contributor
  • *
  • Posts: 50
  • Country: cn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #679 on: July 25, 2020, 06:32:44 am »
Hello, this is my first post.
I have a DSOX1102G with firmware 1.20 and by reading these threads I understand that the Fercsa mod. is for rev. 1.10.
Is my assumption correct, or have I misunderstood? Is here is a solution rev. 1.20?

ps I can't seem to find rev 1.10 anywhere. Perhaps once rev. 1.20 is installed, there is no downgrade path.
Thanks in advance for the help

Yes you can load Fercsa version over 1.20 .
Please be patient , update wil take more than2 minutes .First splash screen wil be a red bug and after that Keysight splash .
In Help-About you will see all kind of licenses loaded .
Good luck !

It is useful for DSOX1102A,but not DSOX1102G.
If your DSOX1102A has 1.20 FW,you can use FERCSA file to hack it.
If your DSOX1102G has 1.20 FW,you can not use FERCSA file to hack it
« Last Edit: July 26, 2020, 10:17:41 am by wp_wp »
 

Offline wp_wp

  • Regular Contributor
  • *
  • Posts: 50
  • Country: cn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #680 on: July 25, 2020, 07:06:36 am »
FERCSA file is also useful for EDUX1002A.
If your EDUX1002A has 1.20 FW,you can use FERCSA file to hack it.
 
The following users thanked this post: wxqhigh

Offline wp_wp

  • Regular Contributor
  • *
  • Posts: 50
  • Country: cn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #681 on: August 06, 2020, 02:24:18 am »
I see somebody using modified file to hack 2000A 3000A 3000T 4000A OSC,these files modified  Infiniivisioncore.dll.
but FERCSA's file didnot modify the Infiniivisioncore.dll.
 

Offline lc4

  • Newbie
  • Posts: 1
  • Country: hk
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #682 on: August 26, 2020, 08:04:24 am »
If you're not busy, do i still have to open the shell to access it's serial port? Thanks!
 

Offline rbaleiro

  • Contributor
  • Posts: 9
  • Country: br
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #683 on: September 03, 2020, 09:06:55 pm »
Here is my contribution. The list of components to replace in the front end (both channels), trigger, product code, and three more resistors (display, edge adj and ext view) .

I also attached a few images from our colleagues in a different organization.

Moreover I'll update the list with the signal generator.

update: it was found an error in two resistors. They were updated.

« Last Edit: January 30, 2021, 08:21:37 pm by rbaleiro »
 
The following users thanked this post: luiz_aug, wxqhigh

Offline Maruku

  • Contributor
  • Posts: 15
  • Country: gb
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #684 on: October 03, 2020, 02:00:23 pm »
Hi,

Just wanted to add to this thread some tests on my hacked DSOX1102A. Have the 1.01 version, new old stock I received today.
Tested the input sending a sine wave from my HP8640B via BNC with a pass through 50 ohm termination.
Seems to roll off at -3dB close to 290MHz and then drops down until I reach somewhere around 400MHz and then counts backwards and later starts from 0Hz again. Assume something with the sampling rate?
Anyway very happy with this scope  8)

Thanks to all that were involved in the hacking!  :)

 

Offline luiz_aug

  • Contributor
  • Posts: 9
  • Country: br
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #685 on: October 03, 2020, 05:16:33 pm »
Hi,

Just wanted to add to this thread some tests on my hacked DSOX1102A. Have the 1.01 version, new old stock I received today.
Tested the input sending a sine wave from my HP8640B via BNC with a pass through 50 ohm termination.
Seems to roll off at -3dB close to 290MHz and then drops down until I reach somewhere around 400MHz and then counts backwards and later starts from 0Hz again. Assume something with the sampling rate?
Anyway very happy with this scope  8)

Thanks to all that were involved in the hacking!  :)

Can you confirm that both self test and user cal is passing ?
Did you used the components guide posted before by rbaleiro ?
 

Offline Maruku

  • Contributor
  • Posts: 15
  • Country: gb
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #686 on: October 03, 2020, 06:19:18 pm »
I only did the software hack by FERCSA, no hardware changes. But yes, self test and user cal passed.
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1675
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #687 on: October 03, 2020, 07:19:56 pm »
Hi,

Just wanted to add to this thread some tests on my hacked DSOX1102A. Have the 1.01 version, new old stock I received today.
Tested the input sending a sine wave from my HP8640B via BNC with a pass through 50 ohm termination.
Seems to roll off at -3dB close to 290MHz and then drops down until I reach somewhere around 400MHz and then counts backwards and later starts from 0Hz again. Assume something with the sampling rate?
Anyway very happy with this scope  8)

Thanks to all that were involved in the hacking!  :)

Can you confirm that both self test and user cal is passing ?
Did you used the components guide posted before by rbaleiro ?
DSOX1102A already has the 100MHz BW frontend, no mod is needed.
 

Offline regged

  • Contributor
  • Posts: 5
  • Country: am
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #688 on: October 23, 2020, 04:50:57 pm »
Is there any news about new software?
 

Offline FERCSA

  • Contributor
  • Posts: 39
  • Country: hu
    • www.fercsa.com
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #689 on: October 25, 2020, 11:16:33 pm »


I'm surprised no one tried this but there is a loadP500Flash.exe in one of the directory on winCE and you can update the firmware to whatever you want. At this point I assume the windows hack still works on the latest fw.

I found it in my notes. The command line is smt like this:
Code: [Select]
\windows\loadP500Flash -u ceImage1 \usb\nk.bin.comp
So I'm pretty sure you can downgrade the fw with an old non modified nk.bin.comp file.

Also I advise to flash the ceImage2 first as a failsafe so if you screw up the ceImage1 then you have a chance to boot up your scope from u-boot. OR. You can flash the old nk.bin.comp to ceImage2 in the first place then boot it up from u-boot. After that you can upload my ksx file through the interface as a normal update.

Should be this:
Code: [Select]
\windows\loadP500Flash -u ceImage2 \usb\nk.bin.comp
And on the next reboot:
Code: [Select]
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  internal ecc 128 MiB

Debug serial initialized ........OK
RTC: 2024-18-11   4:98:4.59 UTC

Microsoft Windows CE Bootloader Common Library Version 1.4 Built May  7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008

PHY not found.


P500 Boot Loader Configuration :

Mac address .......... (00:01:02:03:04:05)
Ip address ........... (192.168.1.100)
Subnet Mask address .. (255.255.255.0)
DHCP ................. (Enabled)
Boot delay (seconds).. (0)
Load image 1 at startup

Image addresses. (0xdxxxxxxx for NAND, 0x8xxxxxxx for RAM)
        1 (0xd0600000)
        2 (0xd1e00000)

l) Load memory resident image Load image 1 now
1) Load memory resident image 1 now
2) Load memory resident image 2 now
3) Load memory resident image 3 now
d) Download from platform builder now
u) Start u-boot by resetting
v) Verify Images
>

Then choose 2) option.

Right now I can't confirm this but theoretically should work. Currently I don't have time for this or for any hack may be during xmas.
Don't ask. I'm the same guy who gave you ultra fast internet in the '00s..
#FERCSA
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 4919
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #690 on: November 03, 2020, 05:02:36 pm »
Wow! Yay!

 EEVBlog's 1000X hack is featured on the Vendor's blog

https://blogs.keysight.com/blogs/tech/bench.entry.html/2018/08/22/oscilloscope_s_frequ-IqBG.html

Thanks for the frequency counter tip, Daniel  :D
Facebook-free life and Rigol-free shack.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 4919
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #691 on: November 05, 2020, 04:55:24 am »

Serial, JTAG and extra USB port (HOST2 on front, HOST1 not connected by default)

An error in USB HOST1 pinout on J104. The D+ and D- signals should be swapped on the unpopulated connector on the BLT module. A copy of the corrected photo is attached.
Caused me some grief before I figured that out  :D

Also added HOST1 VBUS and HOST1 OVRC signals.
« Last Edit: November 05, 2020, 05:03:50 am by Bud »
Facebook-free life and Rigol-free shack.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 4919
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #692 on: November 06, 2020, 07:24:42 pm »
I was able to boot up a customized u-boot/QEMU combo. If I can emulate a serial flash memory, not to mention a nand storage or just the corresponding memory addresses in RAM, that'll be real fun.

Code: [Select]
arm-softmmu/qemu-system-arm -M p500 -cpu arm926 -serial mon:stdio -net tap -net nic -kernel u-boot_image.bin
Running QEMU with GTK 2.x is deprecated, and will be removed
in a future release. Please switch to GTK 3.x instead


U-Boot Keysight-dirty #FERCSA (Nov 29 2018 - 02:09:55)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
*** Warning - bad CRC, using default environment

SerNum:serial number not programmed
Chip:  BA Board Rev: x
Error: start and/or end address not on sector boundary
Net:   unknown
Press space to stop autoboot 0 0
p500> help
?       - alias for 'help'
adc     - performs A/D conversion on channel
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
cdp     - Perform CDP network configuration
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dcache  - enable or disable data cache
dhcp    - boot image via network using DHCP/TFTP protocol
echo    - echo args to console
editenv - edit environment variable
erase   - erase FLASH memory
expi    - program EXPI Clock
flinfo  - print FLASH memory information
fpga    - loadable FPGA image support
fsinfo  - print information about filesystems
fsload  - load binary file from a filesystem image
go      - start application at address 'addr'
help    - print command description/usage
hwreset - Perform HW RESET of the CPU
i2c     - I2C sub-system
icache  - enable or disable instruction cache
iminfo  - print header information for application image
imls    - list all images found in flash
imxtract- extract a part of a multi-image
itest   - return true/false on integer compare
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
ls      - list files in a directory (default /)
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nfs     - boot image via network using NFS protocol
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
rtc     - print time from RTC
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
saves   - save S-Record file over serial line
setenv  - set environment variables
sleep   - delay execution for some time
source  - run script from memory
splash  - load splash image on display
tftpboot- boot image via network using TFTP protocol
version - print monitor version
p500>

@FERCSA is an easy way to load your custom Uboot? I need to play with mii commands.
Facebook-free life and Rigol-free shack.
 

Offline songchenyu

  • Newbie
  • Posts: 1
  • Country: cn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #693 on: November 11, 2020, 11:50:35 am »
Really? EDUX1002A with 1.20FW can be hack?
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 4919
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #694 on: November 11, 2020, 08:40:44 pm »
You can apply FERCSA hack on top of 1.20 but your scope will become 1.10.
Facebook-free life and Rigol-free shack.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 4919
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #695 on: November 11, 2020, 08:48:42 pm »
Everything seems to work as described.  Training signal menu is missing i2c and SPI.  I will continue testing.

Amazing hack  :-+ :-+ :-+  Santa arrived before Christmas!

Is there any way to go back to normal firmware reinstalling it from the USB drive?

SPI training signal is applied to the digital pod , which 1000X do not have, so this is likely the reason it is not in the hacked menu. Perhaps I2C is the same.
Facebook-free life and Rigol-free shack.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 4919
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #696 on: November 11, 2020, 08:53:53 pm »
Any chance of having the Power application working?

I have to take a look one more time in the future. Last time (it was way back in winter) I didn't find anything useful, but I have to admit I don't spend to much time with it.
Also I tried to enable the packet lister menu without any luck. But I made some attempt to hijack some of the push buttons which was successful. So I have to find a way to connect the "dots". After all it looks promising, but currently I don't have time for it.
Power Analysis feature is not programmatically accessible through the VISA interface either on the hacked scope. Chances are it may not work alltogether. Or it may not had been activated properly.
Facebook-free life and Rigol-free shack.
 

Offline FERCSA

  • Contributor
  • Posts: 39
  • Country: hu
    • www.fercsa.com
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #697 on: November 11, 2020, 10:25:44 pm »
@FERCSA is an easy way to load your custom Uboot? I need to play with mii commands.

Just install a general QEMU for ARM processors and use the same command line options as above.
My U-boot binary is here: link

It's not gonna work, just tried. Looks like I compiled a custom qemu back then :palm:
« Last Edit: November 11, 2020, 10:45:37 pm by FERCSA »
Don't ask. I'm the same guy who gave you ultra fast internet in the '00s..
#FERCSA
 
The following users thanked this post: Bud

Offline Bud

  • Super Contributor
  • ***
  • Posts: 4919
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #698 on: November 12, 2020, 02:25:12 am »
It is alright, i have solved the problem i was having.
« Last Edit: November 15, 2020, 07:30:54 pm by Bud »
Facebook-free life and Rigol-free shack.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 4919
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #699 on: December 09, 2020, 05:50:01 pm »
A little birdie told me one early morning that Santa will be bringing the liberated v1.20 to all of 1000X loyal fans  :)

Facebook-free life and Rigol-free shack.
 
The following users thanked this post: Mwyann


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf