EEVblog > EEVblog Specific

EEVblog #978 - Keysight 1000X Hacking

(1/212) > >>

EEVblog:
How to find and inspect hidden serial UART terminal ports inside equipment.
Dave finds the uBoot Windows CE UART part in the new Keysight 1000 X-Series oscilloscope and uses the info to find some of the product mode configuration pins. A hardware hack shows that changing product configuration modes in hardware is possible.

EEVblog:
Dump from a production DSOX1102G unit:


--- Code: ---U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  internal ecc 128 MiB

Debug serial initialized ........OK
RTC: 2024-16-10   7:86:38.44 UTC

Microsoft Windows CE Bootloader Common Library Version 1.4 Built May  7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008

PHY not found.

System ready!
Preparing for download...
RTC: 2024-16-10   7:86:38.44 UTC
 Loading image 1 from memory at 0xD0600000
O
BL_IMAGE_TYPE_BIN

X
XXXXOOOOXXOOOOOOOOXOXOOOOOOOOXOOOXOOOOXXOOOOOOOOOXOOOOXOXXOXOXXOXOXOXOXXXXOOXXXOOOOOOXXOXXOXXXXXXOOOXXXOXXOOOXXXOXXOOOOXOOXXOOOXOOOOXOXOOOOOXOOOXOOXOXXOXOXXXXXXOXXXXOOOXOOOXOXOOOOXOOOOXOXOXOOOOOOXX
OOOXOOXOOOOXOOOOXOOXXOOXOOOOOOOOOXOOOOXOOOOOOXOXOOOOXOXOOOOOOOXXOOXOOXOXOOOXOOOXOOXXOXOXOOOXOXXXXXOXOXXXOXXXXOXOXXOOOXXXXOXXXXOXXXXXXXOXXXXXXOXXOXXOXXOOXXOXXXOXXXXOOOXXX
OOOXXXOXXOOXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXXXXOOOXOXOOXOOXXXXXXXXXXXXXrom_offset=0x0.
XXImageStart = 0x80361000, ImageLength = 0x1A80C40, LaunchAddr = 0x80362000

Completed file(s):
-------------------------------------------------------------------------------
[0]: Address=0x80361000  Length=0x1A80C40  Name="" Target=RAM
 Loading image 1 succeeded.
ROMHDR at Address 80361044h
Preparing launch...
RTC: 2024-16-10   7:86:38.47 UTC
Launching windows CE image by jumping at address 0x  362000

Windows CE Kernel for ARM (Thumb Enabled) Built on Mar  8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Sep 28 2016)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000  size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
 OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers\Active\14
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200  (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
LAN PHY NOT detected.
DeleteP500EnetRegistry:
   \Comm\GMAC 0x0
   \Comm\GMAC1 0x0
   \Comm\Tcpip\Linkage 0x0
   \Drivers\Virtual 0x0
   \Drivers\BuiltIn\LIN 0x5
LIN: Data Valid
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
Device load time:
   NANDFLASH: 1 ms
   SNANDFLASH: 1 ms
SHIM DLL, LoadRealDll [PalIO.dll] for [AgilentPalIO.dll]
SHIM [AgilentPalIO.dll] Get Process Addresses
LaunchInfiniiVision:
=========================================
BLT Product Config 24
   Bandwidth   : 200MHz
   #Channel    : 2
   Board Rev   : FPR
   Clk Gating  : Baldwin
   Sample Rate : 4GSa
   LAN PHY     : No
BLT Module Config 02
   Rev         : LP3
   Sample Rate : 5GSa/s
=========================================
BLT_PRODUCT_CONFIG_0, 1.251v, ID4
BLT_PRODUCT_CONFIG_1, 0.692v, ID2
BLT_MODULE_CONFIG_0, 0.687v, ID2
BLT_MODULE_CONFIG_1, 0.005v, ID0
CANINE_BOARD_REV, 0.002v, ID0
CANINE_MODEL_NAME: MARSUPIAL, 1.738v, ID6, MARSUPIAL
CANINE_EXTMODULE, 2.488v, ID8, SWID8
CANINE_MSO_REV, 0.628v, ID2, SWID2
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll]
SHIM [AgilentPalSStorage.dll] Get Process Addresses
Released build, Sep 28 2016, 00:17:51
Initializing FPGA...
************************************
FPGA Type: Marsupial
Ver: 1.067 Released
Build Time: Tue Jun 14 17:13:42 2016
Build Machine: 2UA5461ZWH
************************************
cMarsupialCalMgr::cMarsupialUserCalFactors::cMarsupialUserCalFactors size 146412
cMarsupialCalMgr::cMarsupialServiceCalFactors::cMarsupialServiceCalFactors size 704
cMarsupialCalMgr::cMarsupialFactoryCalFactors::cMarsupialFactoryCalFactors size 896
Calibration mode User
Recall \Secure\cal\FactoryCal2.dat - ok
Recall \Secure\cal\ServiceCal1.dat - ok
Recall \Secure\cal\UserCal8.dat - ok
Cal Date Sun Sep 25 15:11:58 2016
will do USB phy workaround: CheckCRC
Startup sequence is complete.
System has been running 16.841095 seconds
Start Up Sequence 7.470958
Memory Load 50%
   System Physical Memory 36.441 / 73.465 MB
   Process Virtual Memory 46.938 / 1024.000 MB
-----> InfiniiVision is running <-----

--- End code ---

vaualbus:
Where we find the photo of the early non production model?

sasquatch:
Is this Keysight trying to do a Rigol? An unauthorised yet acceptable hack?

EEVblog:
I've found the other product set resistors, playing now...  :)

Navigation

[0] Message Index

[#] Next page

There was an error while thanking
Thanking...
Go to full version
Powered by SMFPacks Advanced Attachments Uploader Mod