Author Topic: EEVblog #978 - Keysight 1000X Hacking  (Read 422975 times)


Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
EEVblog #978 - Keysight 1000X Hacking
« on: March 08, 2017, 09:07:26 pm »
How to find and inspect hidden serial UART terminal ports inside equipment.
Dave finds the U-Boot / Windows CE UART port in the new Keysight 1000 X-Series oscilloscope and uses the info to find some of the product mode configuration pins. A hardware hack shows that changing product configuration modes in hardware is possible.

 
The following users thanked this post: suenrod, hmscott

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1 on: March 08, 2017, 10:02:04 pm »
Dump from a production DSOX1102G unit:

Code:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  internal ecc 128 MiB

Debug serial initialized ........OK
RTC: 2024-16-10   7:86:38.44 UTC

Microsoft Windows CE Bootloader Common Library Version 1.4 Built May  7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008

PHY not found.

System ready!
Preparing for download...
RTC: 2024-16-10   7:86:38.44 UTC
 Loading image 1 from memory at 0xD0600000
O
BL_IMAGE_TYPE_BIN

X
XXXXOOOOXXOOOOOOOOXOXOOOOOOOOXOOOXOOOOXXOOOOOOOOOXOOOOXOXXOXOXXOXOXOXOXXXXOOXXXOOOOOOXXOXXOXXXXXXOOOXXXOXXOOOXXXOXXOOOOXOOXXOOOXOOOOXOXOOOOOXOOOXOOXOXXOXOXXXXXXOXXXXOOOXOOOXOXOOOOXOOOOXOXOXOOOOOOXX
OOOXOOXOOOOXOOOOXOOXXOOXOOOOOOOOOXOOOOXOOOOOOXOXOOOOXOXOOOOOOOXXOOXOOXOXOOOXOOOXOOXXOXOXOOOXOXXXXXOXOXXXOXXXXOXOXXOOOXXXXOXXXXOXXXXXXXOXXXXXXOXXOXXOXXOOXXOXXXOXXXXOOOXXX
OOOXXXOXXOOXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXXXXOOOXOXOOXOOXXXXXXXXXXXXXrom_offset=0x0.
XXImageStart = 0x80361000, ImageLength = 0x1A80C40, LaunchAddr = 0x80362000

Completed file(s):
-------------------------------------------------------------------------------
[0]: Address=0x80361000  Length=0x1A80C40  Name="" Target=RAM
 Loading image 1 succeeded.
ROMHDR at Address 80361044h
Preparing launch...
RTC: 2024-16-10   7:86:38.47 UTC
Launching windows CE image by jumping at address 0x  362000

Windows CE Kernel for ARM (Thumb Enabled) Built on Mar  8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Sep 28 2016)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000  size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
 OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers\Active\14
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200  (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
LAN PHY NOT detected.
DeleteP500EnetRegistry:
   \Comm\GMAC 0x0
   \Comm\GMAC1 0x0
   \Comm\Tcpip\Linkage 0x0
   \Drivers\Virtual 0x0
   \Drivers\BuiltIn\LIN 0x5
LIN: Data Valid
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
Device load time:
   NANDFLASH: 1 ms
   SNANDFLASH: 1 ms
SHIM DLL, LoadRealDll [PalIO.dll] for [AgilentPalIO.dll]
SHIM [AgilentPalIO.dll] Get Process Addresses
LaunchInfiniiVision:
=========================================
BLT Product Config 24
   Bandwidth   : 200MHz
   #Channel    : 2
   Board Rev   : FPR
   Clk Gating  : Baldwin
   Sample Rate : 4GSa
   LAN PHY     : No
BLT Module Config 02
   Rev         : LP3
   Sample Rate : 5GSa/s
=========================================
BLT_PRODUCT_CONFIG_0, 1.251v, ID4
BLT_PRODUCT_CONFIG_1, 0.692v, ID2
BLT_MODULE_CONFIG_0, 0.687v, ID2
BLT_MODULE_CONFIG_1, 0.005v, ID0
CANINE_BOARD_REV, 0.002v, ID0
CANINE_MODEL_NAME: MARSUPIAL, 1.738v, ID6, MARSUPIAL
CANINE_EXTMODULE, 2.488v, ID8, SWID8
CANINE_MSO_REV, 0.628v, ID2, SWID2
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll]
SHIM [AgilentPalSStorage.dll] Get Process Addresses
Released build, Sep 28 2016, 00:17:51
Initializing FPGA...
************************************
FPGA Type: Marsupial
Ver: 1.067 Released
Build Time: Tue Jun 14 17:13:42 2016
Build Machine: 2UA5461ZWH
************************************
cMarsupialCalMgr::cMarsupialUserCalFactors::cMarsupialUserCalFactors size 146412
cMarsupialCalMgr::cMarsupialServiceCalFactors::cMarsupialServiceCalFactors size 704
cMarsupialCalMgr::cMarsupialFactoryCalFactors::cMarsupialFactoryCalFactors size 896
Calibration mode User
Recall \Secure\cal\FactoryCal2.dat - ok
Recall \Secure\cal\ServiceCal1.dat - ok
Recall \Secure\cal\UserCal8.dat - ok
Cal Date Sun Sep 25 15:11:58 2016
will do USB phy workaround: CheckCRC
Startup sequence is complete.
System has been running 16.841095 seconds
Start Up Sequence 7.470958
Memory Load 50%
   System Physical Memory 36.441 / 73.465 MB
   Process Virtual Memory 46.938 / 1024.000 MB
-----> InfiniiVision is running <-----
 
The following users thanked this post: suenrod
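An added example (Python; not Keysight's firmware, not Dave's code) that turns the two parts of the dump above that matter when triaging a board like this into structured data: the SER2 line, which tells you the console's baud rate and how the firmware programmed the divisors, and the BLT_*/CANINE_* lines, which show each configuration strap as a sensed voltage and the discrete ID the firmware derived from it. The sample log is a constructed excerpt copied from the dump. The divisor formula assumes the SPEAr600 debug UART is ARM PL011-compatible (IBRD/FBRD are that block's register names); the fraction is truncated because that is what the logged value reflects, while the PL011 manual rounds.

```python
"""Parse the UART settings and the configuration-strap readings out of an
InfiniiVision boot log (added example, not Keysight code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt: lines copied from the DSOX1102G dump in Reply #1.
BOOT_LOG = """\
SER2 Serial Port, new baud rate:0x1c200  (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
BLT Product Config 24
   Bandwidth   : 200MHz
   #Channel    : 2
   Sample Rate : 4GSa
BLT_PRODUCT_CONFIG_0, 1.251v, ID4
BLT_PRODUCT_CONFIG_1, 0.692v, ID2
BLT_MODULE_CONFIG_0, 0.687v, ID2
BLT_MODULE_CONFIG_1, 0.005v, ID0
CANINE_BOARD_REV, 0.002v, ID0
CANINE_MODEL_NAME: MARSUPIAL, 1.738v, ID6, MARSUPIAL
CANINE_EXTMODULE, 2.488v, ID8, SWID8
CANINE_MSO_REV, 0.628v, ID2, SWID2
"""

# "<NAME>[: <label>], <volts>v, ID<n>[, <extra>]"
STRAP_RE = re.compile(
    r"^(?P<name>[A-Z][A-Z0-9_]*)(?::\s*[A-Z]+)?,\s*(?P<volts>\d+\.\d+)v,\s*ID(?P<id>\d+)",
    re.MULTILINE,
)
# "... new baud rate:0x1c200  (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)"
UART_RE = re.compile(
    r"baud rate:0x(?P<baud>[0-9a-fA-F]+)\s+\(UARTCLK:(?P<clk>\d+)\s+"
    r"IBRD:0x(?P<ibrd>[0-9a-fA-F]+)\s+FBRD:0x(?P<fbrd>[0-9a-fA-F]+)\)"
)
CONFIG_RE = re.compile(r"^BLT Product Config (?P<code>\d+)$", re.MULTILINE)
FIELD_RE = re.compile(r"^\s{3}(?P<key>#?[A-Za-z ]+?)\s*:\s*(?P<val>\S+)$", re.MULTILINE)


@dataclass(frozen=True)
class Strap:
    name: str     # firmware's name for the sense line
    volts: float  # ADC reading of the resistor divider on that line
    id: int       # discrete ID the firmware derived from that voltage


@dataclass(frozen=True)
class Uart:
    baud: int
    clk: int
    ibrd: int
    fbrd: int


def parse_straps(log: str) -> list[Strap]:
    """Every '<NAME>, <v>v, ID<n>' line, in log order."""
    return [Strap(m["name"], float(m["volts"]), int(m["id"])) for m in STRAP_RE.finditer(log)]


def parse_product_config(log: str) -> dict:
    """The 'BLT Product Config NN' code plus its indented key/value fields."""
    code = CONFIG_RE.search(log)
    fields = {m["key"].strip(): m["val"] for m in FIELD_RE.finditer(log)}
    return {"code": int(code["code"]) if code else None, **fields}


def parse_uart(log: str) -> Uart:
    m = UART_RE.search(log)
    if not m:
        raise ValueError("no SER baud-rate line in log")
    return Uart(int(m["baud"], 16), int(m["clk"]), int(m["ibrd"], 16), int(m["fbrd"], 16))


def pl011_divisors(clk: int, baud: int) -> tuple[int, int]:
    """Baud divisors as a PL011-style UART programs them (assumption: the
    SPEAr600 debug UART is PL011-compatible).  BAUDDIV = UARTCLK / (16 * baud);
    IBRD = floor(BAUDDIV), FBRD = the 6-bit fraction.  The fraction is
    truncated here, matching the logged FBRD of 0x2; the PL011 manual rounds,
    which would give 3 for this clock/baud pair."""
    denom = 16 * baud
    ibrd, rem = divmod(clk, denom)
    fbrd = (rem * 64) // denom
    return ibrd, fbrd


def effective_baud(clk: int, ibrd: int, fbrd: int) -> float:
    """Baud actually produced by the programmed divisors."""
    return clk / (16 * (ibrd + fbrd / 64))


def uart_is_consistent(u: Uart, tolerance: float = 0.02) -> bool:
    """Cross-check: the logged divisors must reproduce the logged baud within
    2 %.  A mismatch usually means the UARTCLK figure is wrong, which is the
    usual reason a console shows garbage at the 'obvious' baud rate."""
    return abs(effective_baud(u.clk, u.ibrd, u.fbrd) - u.baud) / u.baud <= tolerance


if __name__ == "__main__":
    u = parse_uart(BOOT_LOG)
    print(f"console: {u.baud} baud, divisors {pl011_divisors(u.clk, u.baud)}, "
          f"actual {effective_baud(u.clk, u.ibrd, u.fbrd):.1f} baud, "
          f"consistent={uart_is_consistent(u)}")
    print(parse_product_config(BOOT_LOG))
    for s in parse_straps(BOOT_LOG):
        print(f"{s.name:<22} {s.volts:6.3f} V -> ID{s.id}")
```

Running it against the excerpt reports the console as 115200 baud (0x1c200), with divisors (26, 2) reproducing the logged IBRD/FBRD and an actual rate of about 115246 baud, then lists the eight strap lines with their voltages and IDs. The parser deliberately records the voltage and the ID separately rather than guessing the firmware's quantisation, since the dump shows the mapping's output but not its thresholds.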

Offline vaualbus

  • Frequent Contributor
  • **
  • Posts: 352
  • Country: it
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #2 on: March 08, 2017, 10:13:29 pm »
Where do we find the photo of the early non-production model?
 

Offline sasquatch

  • Contributor
  • Posts: 12
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #3 on: March 08, 2017, 10:35:34 pm »
Is this Keysight trying to do a Rigol? An unauthorised yet acceptable hack?
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #4 on: March 08, 2017, 10:39:12 pm »
I've found the other product set resistors, playing now...  :)
 

Offline SparkyBruce

  • Contributor
  • Posts: 40
  • Country: gb
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #5 on: March 08, 2017, 10:47:46 pm »
You just know that a letter from their legal team is inbound now...

Well done :)
BEng(Hons) CEng MIET (MIEE)
 
The following users thanked this post: Free_WiFi

Offline Keysight DanielBogdanoff

  • Supporter
  • ****
  • Posts: 777
  • Country: us
  • ALL THE SCOPES!
    • Keysight Scopes YouTube channel
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #6 on: March 08, 2017, 10:56:16 pm »
Is this Keysight trying to do a Rigol? An unauthorised yet acceptable hack?

This wouldn't be the first time a Keysight InfiniiVision scope has been hacked. In the past it's been a "at your own risk" and "for your use only" activity, anyone trying to sell hacked units got a nice letter from the legal folks.

In no way are we leaking info for or sponsoring a Keysight hackathon scenario.

But  :popcorn:
 
The following users thanked this post: hugos31, thm_w, Relaxe, ElektronikLabor, Harrkev, MrBungle, Jono427

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #7 on: March 08, 2017, 11:46:57 pm »
I've found the other product set resistors, playing now...  :)

Huge progress, stay tuned!
 
The following users thanked this post: Brumby, 3db, szechyjs

Offline kenshironanto

  • Newbie
  • Posts: 3
  • Country: fr
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #8 on: March 08, 2017, 11:55:13 pm »
 :D

Wouuah so nice!

As I see in the video, changing resistor values changes the specification. It seems a little dumb question, but can this kind of change really have an impact on measured values?

Doesn't the hardware define the specs, like acquisition speed or anything?


I really want to seeee mooreeee, can't wait :D

Code:
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200  (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)

Another stupid question concerning the supposed 2nd RS232: do you think that is also defined by the values of resistors?

Like if the scope loads a generic image and adapts it to the resistor values?
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #9 on: March 09, 2017, 12:03:14 am »
I've found the other product set resistors, playing now...  :)

Huge progress, stay tuned!

This ain't no 100MHz bandwidth scope  ;D
 
The following users thanked this post: cowana, ElektronikLabor, Brumby, amitchell, szechyjs

Offline ProBang2

  • Frequent Contributor
  • **
  • Posts: 302
  • Country: de
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #10 on: March 09, 2017, 12:08:24 am »
No review published yet, only a teardown.   
But seems to be hacked very soon...    :o

WOW! That was fast!
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #11 on: March 09, 2017, 12:12:32 am »
No review published yet, only a teardown.   

I've shot some review footage, but good reviews are a lot of work.
I'm more excited about the hacking at present.
I can currently change the bandwidth and max sample rate  ;D
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #12 on: March 09, 2017, 12:20:55 am »
I now have a 220MHz bandwidth scope  :-+
 

Offline hauptbr09

  • Contributor
  • Posts: 12
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #13 on: March 09, 2017, 12:32:35 am »
Making quick work of it

Sent from my SM-G935V using Tapatalk

 
The following users thanked this post: hugos31, pkr

Offline hauptbr09

  • Contributor
  • Posts: 12
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #14 on: March 09, 2017, 12:36:36 am »
It seems like the resistors will change the configuration, but if they sell upgrades there must be data in ROM that can override those settings. That said, they must only be able to upgrade via software, but not downgrade below the configuration set by the resistors, or your resistor mod would have no effect.

Sent from my SM-G935V using Tapatalk

 

Offline amitchell

  • Regular Contributor
  • *
  • Posts: 140
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #15 on: March 09, 2017, 12:40:15 am »
I now have a 220MHz bandwidth scope  :-+

How exciting, can't wait to get mine!

What are you getting for sample rates?
« Last Edit: March 09, 2017, 12:44:10 am by amitchell »
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #16 on: March 09, 2017, 12:44:59 am »
It seems like the resistors will change the configuration, but if they sell upgrades there must be data in ROM that can override those settings. That said, they must only be able to upgrade via software, but not downgrade below the configuration set by the resistors, or your resistor mod would have no effect.

It seems weird that they would have both.  :popcorn:

How does software upgrade work? By entering a code like on Rigols?

(ie. is there a menu to enter option codes?)


 

Offline ProBang2

  • Frequent Contributor
  • **
  • Posts: 302
  • Country: de
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #17 on: March 09, 2017, 12:47:44 am »
No review published yet, only a teardown.   
I've shot some review footage, but good reviews are a lot of work.
Sorry. Really: No offense intended. (English isn't my first language...)
Quote
I'm more excited about the hacking at present.
Who isn't?   :popcorn:
Quote
I can currently change the bandwidth and max sample rate  ;D
I now have a 220MHz bandwidth scope  :-+

Again: WOW! That was fast!   :clap: :-+
 

Offline hauptbr09

  • Contributor
  • Posts: 12
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #18 on: March 09, 2017, 12:49:30 am »
How does software upgrade work? By entering a code like on Rigols?

(ie. is there a menu to enter option codes?)

That's what it sounded like. Dave mentioned purchasing licenses, which keysight has done in the past for other scopes

Sent from my SM-G935V using Tapatalk

 

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3742
  • Country: ca
  • Living the Dream
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #19 on: March 09, 2017, 12:58:37 am »
I now have a 220MHz bandwidth scope  :-+

Told ya!!!
VE7FM
 

Offline jackenhack

  • Contributor
  • Posts: 47
  • Country: se
    • Jackenhack Blog
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #20 on: March 09, 2017, 01:21:57 am »
Very cool! Might see a new oscilloscope on my desk soon...  :-+
 

Offline bitseeker

  • Super Contributor
  • ***
  • Posts: 9057
  • Country: us
  • Lots of engineer-tweakable parts inside!
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #21 on: March 09, 2017, 01:50:36 am »
Keysight oscilloscope dept.:

"He's almost got it!"
"Really, so soon?"
"Yeah, pretty close. Get ready for sales numbers to shoot up on these babies."
TEA is the way. | TEA Time channel
 
The following users thanked this post: kripton2035, Koen, MyHeadHz

Offline HAL-42b

  • Frequent Contributor
  • **
  • Posts: 423
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #22 on: March 09, 2017, 02:00:35 am »
Keysight oscilloscope dept.:

"He's almost got it!"
"Really, so soon?"
"Yeah, pretty close. Get ready for sales numbers to shoot up on these babies."

True story.

Unfortunately it is a Danaher. Even worse, it is a bottom of the barrel crippled Danaher running...Windows, so paying actual cash for it is kinda...not very clever. Lucky for the guys who got it for free though.
 

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3742
  • Country: ca
  • Living the Dream
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #23 on: March 09, 2017, 02:17:54 am »
Keysight oscilloscope dept.:

"He's almost got it!"
"Really, so soon?"
"Yeah, pretty close. Get ready for sales numbers to shoot up on these babies."

True story.

Unfortunately it is a Danaher. Even worse, it is a bottom of the barrel crippled Danaher running...Windows, so paying actual cash for it is kinda...not very clever. Lucky for the guys who got it for free though.

Umm, no. Keysight is Keysight. Danaher owns Tektronix.
VE7FM
 
The following users thanked this post: 3db

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #24 on: March 09, 2017, 02:24:33 am »
Keysight oscilloscope dept.:

"He's almost got it!"
"Really, so soon?"
"Yeah, pretty close. Get ready for sales numbers to shoot up on these babies."

Not if you have to solder tiny resistors to do it.  :popcorn:

Sales will shoot up after the keygen appears.

 

