Author Topic: EEVblog #978 - Keysight 1000X Hacking  (Read 536220 times)


Offline cercelynn

  • Newbie
  • Posts: 2
  • Country: ro
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1075 on: December 10, 2024, 09:58:03 pm »
This is your image edited, and those are the steps to create one by yourself.
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7276
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1076 on: December 10, 2024, 11:23:21 pm »
@Sprit you must get your crc32 right in NOR. Do not even try to boot if it is not correct.
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: sprit

Online Bud

  • Super Contributor
  • ***
  • Posts: 7276
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1077 on: December 10, 2024, 11:37:48 pm »
@cercelynn, not sure what you mean by "scrub" the memory. You should not have erased the NAND because it has calibration data and some other files that are not part of a .bin image. If that data is lost, the scope will be dysfunctional and useless.
You get the FPGA programming error because the processor is unable to read the NAND, likely because you reformatted it with an invalid ECC parameter. Dump the NOR environment variables using printenv to see if there is an ECC variable in it.
Facebook-free life and Rigol-free shack.
 

Offline sprit

  • Regular Contributor
  • *
  • Posts: 100
  • Country: vn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1078 on: December 11, 2024, 09:50:44 am »
Hi cercelynn
Wish you have a nice day.

Today I tried your edited bin file. I flashed it to the NOR chip and re-uploaded the nk.bn0 file but still get the ECC error, same as last time. I don't know what happened; can you help me?
Sorry, my English is not good.
Sincerely,
Feng.
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7276
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1079 on: December 12, 2024, 02:39:40 am »
Stop U-Boot to get the p500 prompt and run the printenv command. Post the output here.
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: sprit

Offline sprit

  • Regular Contributor
  • *
  • Posts: 100
  • Country: vn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1080 on: December 12, 2024, 05:43:06 am »
Hello cercelynn, hope you have a good day.
Here is the output when I type printenv:
Code:
U-Boot 2010.03 (May 18 2017 - 11:28:22)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Unknown id: 0xffffff. Using ISSI IS25LQ040B
Flash: 512 KiB
NAND:  fsmc-ecc1 128 MiB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
SerNum:serial number not programmed
Chip:  BD Board Rev: 4
Un-Protected 1 sectors
Erasing Flash...
. done
Erased 1 sectors
Writing to Flash... Outside available Flash
Protected 1 sectors
Net:   unknown
BMP data is not valid. Use splash bmp
FPGA programming FAILED!
Press space to stop autoboot: 2
p500> printenv
bootcmd=tftp 0x4000000 nk.bin;bootm 0xf8050000
ramboot=dhcp 0x4000000 nk.bin;bootm 0xf8050000
bootdelay=3
baudrate=115200
serverip=192.168.1.10
preboot=splash load;fpga;expi
gatewayip=192.168.1.10
netmask=255.255.255.0
usbtty=cdc_acm
fpgadata=0xd0060000
fpgasize=0x75394
splashdata=0xd0000000
dispParm1=0x300 0x400 0x2625A00 0x1 0x3
dispParm2=0x20 0x4c 0x1 0x2 0x3
boardversion=4
ps=0
rtc=0
erase_env=protect off 1:4;erase 1:4
store_uboot=protect off 1:1-3;erase 1:1-3;cp.b 0x800000 0xF8010000 ${filesize};protect on 1:1-3;imi 0xF8010000
get_uboot_eth=dhcp 0x800000 u-boot_image.bin;run store_uboot
get_uboot_uart=loadb 0x800000 115200;run store_uboot
verify=n
ethaddr=00:03:d3:04:10:00
ipaddr=192.168.1.100
serialnum=serial number not programmed
chipversion=BD
ethact=unknown

Environment size: 777/16380 bytes

It's quite strange that the crc32 of the bin file I loaded into NOR doesn't match the output of this:
Code:
p500> crc 0xf8000000 0x80000
CRC32 for f8000000 ... f807ffff ==> 41c9a653
The CRC32 of my bin file is 0x4f7f41b3; it seems to be newly generated every time I load the program for U701. Could that be the cause?

In answer #978 I saw you mention this:
Quote
Did what? Updated the original NOR? Make sure you updated UBoot checksums as well, otherwise Uboot will assume its data is corrupted and will not load the environment variables and that will cause further NAND corruption.
From UBoot prompt type printenv and post the output here. Let us review it before you attempt to boot an image.
Can you explain to me a little?

English is not my first language so I apologize for any inconvenience.
Sincerely,

 Feng
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7276
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1081 on: December 12, 2024, 01:03:08 pm »
Quote
*** Warning - bad CRC, using default environment
There is your problem. Whatever NOR image you are using, the one you modified or the one someone gave you, the CRC in the header of the environment variables section is invalid. You have to fix it before you can do anything else. It is not the whole NOR image CRC.
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: sprit

Online Bud

  • Super Contributor
  • ***
  • Posts: 7276
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1082 on: December 12, 2024, 01:52:40 pm »
Quote
Can you explain to me a little?
What specifically?
Facebook-free life and Rigol-free shack.
 

Offline sprit

  • Regular Contributor
  • *
  • Posts: 100
  • Country: vn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1083 on: December 12, 2024, 02:54:32 pm »
Hello, have a nice day.

As you said, I just tried again with the original bin file I had backed up and U-Boot no longer complains about the CRC. I must have corrected some incorrect variables (perhaps the usb -> serial variable), but I can't access the U-Boot menu anymore. I'm trying to modify bootdelay and pbootdelay=4 and upload to see if it's because my usbtty variable is wrong. By the way, I just made a LAN mod to the device using the available LAN8720 adapter, which is quite messy. I want to ask you whether the RX0 and RX1 pins must be pinned to GND or not? Thank you very much.
Sincerely,

Feng
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7276
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1084 on: December 13, 2024, 03:58:39 am »
These are instructions on how to calculate the CRC32 for the U-Boot environment variables block.
https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg5189118/#msg5189118
Facebook-free life and Rigol-free shack.
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7276
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1085 on: December 13, 2024, 04:01:59 am »
Quote
This is your image edited, and those are the steps to create one by yourself.
I think your crc32 is wrong: you stopped at 0x43ffd. You must include everything, including 0x43fff.
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: sprit
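A worked check for the point Bud makes in #1081 and #1085, added here as an example; it is not code from the thread or from Keysight. It assumes, from the printenv output ("777/16380 bytes") and the 0x43fff end address above, that the environment block is 0x4000 bytes (a 4-byte little-endian CRC32 header followed by 16380 data bytes) and sits at NOR offset 0x40000 (sector 4 with 64 KiB sectors, per erase_env); both values are inferences from the thread, not verified against Keysight sources. The CRC covers every data byte after the header, padding included, which is why a CRC that stops before 0x43fff never matches, and it is separate from any checksum over the whole NOR image.

```python
"""Check and regenerate the CRC32 header of a U-Boot environment block in a NOR dump."""
import struct
import zlib

# Layout inferred from the thread, not verified against Keysight sources:
#  - "Environment size: 777/16380 bytes" => 16380 data bytes + 4-byte header = 0x4000 block
#  - erase_env erases sector 1:4 and the CRC range ends at 0x43fff => block at NOR offset 0x40000
ENV_BLOCK_SIZE = 0x4000
CRC_LEN = 4
ENV_DATA_SIZE = ENV_BLOCK_SIZE - CRC_LEN   # 16380
ENV_OFFSET = 0x40000                       # assumption: NOR sector 4, 64 KiB sectors


def stored_crc(block: bytes) -> int:
    """CRC32 recorded in the header; U-Boot stores it in CPU byte order (little-endian on ARM)."""
    return struct.unpack_from("<I", block, 0)[0]


def computed_crc(block: bytes, length: int = ENV_DATA_SIZE) -> int:
    """CRC32 over `length` bytes following the header.

    U-Boot checks all ENV_DATA_SIZE bytes, padding included.  A shorter
    `length` reproduces the mistake of stopping a few bytes before the end."""
    return zlib.crc32(block[CRC_LEN:CRC_LEN + length]) & 0xFFFFFFFF


def env_is_valid(block: bytes) -> bool:
    """True if U-Boot would load this block instead of warning 'bad CRC, using default environment'."""
    return len(block) == ENV_BLOCK_SIZE and stored_crc(block) == computed_crc(block)


def parse_env(block: bytes) -> dict:
    """Decode the NUL-separated KEY=VALUE entries (stored order), ending at the double NUL."""
    data = block[CRC_LEN:]
    end = data.find(b"\0\0")
    if end < 0:
        raise ValueError("environment not terminated")
    env = {}
    for entry in data[:end].split(b"\0"):
        if entry:
            key, _, value = entry.partition(b"=")
            env[key.decode("ascii")] = value.decode("ascii")
    return env


def build_env(env: dict) -> bytes:
    """Serialise `env` into a full block with a correct header CRC."""
    body = b"".join(f"{k}={v}".encode("ascii") + b"\0" for k, v in env.items()) + b"\0"
    if len(body) > ENV_DATA_SIZE:
        raise ValueError("environment too large for the block")
    data = body.ljust(ENV_DATA_SIZE, b"\0")          # zero padding is covered by the CRC
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) + data


def fix_env_in_image(image: bytes, offset: int = ENV_OFFSET) -> bytes:
    """Return a copy of a NOR dump with the env header CRC recomputed over the data present."""
    block = image[offset:offset + ENV_BLOCK_SIZE]
    if len(block) != ENV_BLOCK_SIZE:
        raise ValueError("dump too short for an environment block at this offset")
    header = struct.pack("<I", computed_crc(block))
    return image[:offset] + header + image[offset + CRC_LEN:]


# Constructed sample (a subset of the printenv output in the thread), not a real dump.
SAMPLE_ENV = {
    "bootcmd": "run bootMarsupial",
    "bootdelay": "3",
    "baudrate": "115200",
    "ecc": "4",
    "fpgadata": "0xd0060000",
    "fpgasize": "0x45480",
}


def make_sample_image(env: dict = SAMPLE_ENV) -> bytes:
    """512 KiB of erased flash (0xFF) with a valid env block at ENV_OFFSET; constructed test data."""
    image = bytearray(b"\xff" * 0x80000)
    image[ENV_OFFSET:ENV_OFFSET + ENV_BLOCK_SIZE] = build_env(env)
    return bytes(image)


if __name__ == "__main__":
    image = bytearray(make_sample_image())
    env_slice = slice(ENV_OFFSET, ENV_OFFSET + ENV_BLOCK_SIZE)
    # Change one variable in the data area the way a hex editor would, leaving the old header behind.
    edited = dict(parse_env(image[env_slice]), bootdelay="5")
    image[ENV_OFFSET + CRC_LEN:ENV_OFFSET + ENV_BLOCK_SIZE] = build_env(edited)[CRC_LEN:]
    print("after edit, header valid:", env_is_valid(bytes(image[env_slice])))   # False
    fixed = fix_env_in_image(bytes(image))
    print("after fix, header valid:", env_is_valid(fixed[env_slice]))          # True
    print("CRC stopped 2 bytes early: %08x, full CRC: %08x"
          % (computed_crc(fixed[env_slice], ENV_DATA_SIZE - 2), stored_crc(fixed[env_slice])))
```

Against a real dump, edit the variables in a hex editor, then run `fix_env_in_image` on the file and write the result back; if the board's environment size or sector layout differs from the assumed constants, adjust the two constants at the top before trusting the result.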

Offline sprit

  • Regular Contributor
  • *
  • Posts: 100
  • Country: vn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1086 on: December 13, 2024, 09:34:31 am »
Thanks for the hint. I'll check it tonight. Last night I tried to connect the LAN8720 module to the BLT board. Now pboot has successfully recognized the LAN PHY but I don't know how to connect it to my PC. And can you guide me on downloading the NK.bn0 file over LAN? Thank you very much.

Edit 1: I just edited the NOR file from the original and resoldered it. Now U-Boot doesn't complain about the CRC anymore. But when uploading the nk.bn0 file from Keysight firmware 1.2, the screen still stops at "scope success identify", no more output. I will attach the printenv output below. Hope you can help. Sincerely, Feng
 

Offline sprit

  • Regular Contributor
  • *
  • Posts: 100
  • Country: vn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1087 on: December 13, 2024, 12:23:23 pm »
Hi

It's still stuck at this point
Code:
U-Boot 2010.03 (May 18 2017 - 11:28:22)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  internal ecc 128 MiB
In:    serial
Out:   serial
Err:   serial
SerNum:serial number not programmed
Chip:  BD Board Rev: 4
Net:   unknown
FPGA programming FAILED!
Press space to stop autoboot: 1
p500> loady 0x00361000 115200\
## Ready for binary (ymodem) download to 0x00361000 at 115200 bps...
CCxyzModem - CRC mode, 1(SOH)/27158(STX)/0(CAN) packets, 3 retries
## Total Size      = 0x01a857c0 = 27809728 Bytes
p500> go 0x00362000
## Starting application at 0x00362000 ...
Windows CE Kernel for ARM (Thumb Enabled) Built on Mar  8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Jan 28 2018)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000  size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
 OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers\Active\14


After waiting 50 minutes I still got nothing :( Here is the printenv output:

Code:
U-Boot 2010.03 (May 18 2017 - 11:28:22)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  internal ecc 128 MiB
In:    serial
Out:   serial
Err:   serial
SerNum:serial number not programmed
Chip:  BD Board Rev: 4
Net:   unknown
FPGA programming FAILED!
Press space to stop autoboot: 2
p500> printenv
ramboot=dhcp 0x4000000 nk.bin;bootm 0xf8050000
baudrate=115200
gatewayip=192.168.1.10
netmask=255.255.255.0
usbtty=cdc_acm
splashdata=0xd0000000
dispParm1=0x300 0x400 0x2625A00 0x1 0x3
dispParm2=0x20 0x4c 0x1 0x2 0x3
boardversion=4
ps=0
rtc=0
erase_env=protect off 1:4;erase 1:4
store_uboot=protect off 1:1-3;erase 1:1-3;cp.b 0x800000 0xF8010000 ${filesize};protect on 1:1-3;imi 0xF8010000
get_uboot_eth=dhcp 0x800000 u-boot_image.bin;run store_uboot
get_uboot_uart=loadb 0x800000 115200;run store_uboot
ethaddr=00:03:d3:04:10:00
serialnum=serial number not programmed
ethact=unknown
ecc=4
stdin=serial
stdout=serial
stderr=serial
guid=0A1B6C88-4F07-459A-8BAD-F20000A04EC2
bootdelay=3
bootaddr=0x700
filesize=3148e9
loadaddr=0x00800000
fileaddr=0x00800000
chipversion=BD
nimages=2
image1=0xd0600000
image2=0xd1e00000
fpgadata=0xd0060000
fimage=1
pbootdelay=3
numfilesystems=2
lengthfilesystem1=0x2800000
lengthfilesystem2=0x2800000
fsstart=0x02e00000
bootCeFlash=bootm 0xf8050000
bootcmd=run bootMarsupial
bootJackal=run keyrst;run bootCeFlash
bootMarsupial=run bootCeFlash
preboot=fpga; expi 62500
keyrst=mw d8100400 6 1;mw d8100008 0 1;mw d8100008 2 1
fpgasize=45480
loadComplete=2019-07-11 1344
serverip=192.168.1.3
verify=n
ipaddr=192.168.1.100

Environment size: 1249/16380 bytes
Hope you can help

 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7276
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1088 on: December 13, 2024, 01:47:55 pm »
Your FPGA image may be corrupted. You can compare CRC of the FPGA image that is on the scope at address 0x60000 against CRC of fpga.bin on your computer.
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: sprit

Offline sprit

  • Regular Contributor
  • *
  • Posts: 100
  • Country: vn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1089 on: December 13, 2024, 01:55:29 pm »
Hi. Thanks for the hint. I'll check it now. If the real FPGA image has failed, can I re-upload that file to the FPGA using the file in the firmware folder that I unzipped? Can that be done over UART? Thank you very much.
Sincerely, Feng
 

Offline sprit

  • Regular Contributor
  • *
  • Posts: 100
  • Country: vn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1090 on: December 13, 2024, 02:05:31 pm »
I don't know if I did it right. Can you tell me if the command line I wrote is correct? Its CRC32 is not the same as the FPGA file extracted from the firmware.
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7276
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1091 on: December 13, 2024, 04:00:13 pm »
No, it is not correct. Type help at the p500 prompt to understand the crc command parameters. The FPGA start address is 0x60000 and the FPGA image size is given in the printenv output.
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: sprit

Offline sprit

  • Regular Contributor
  • *
  • Posts: 100
  • Country: vn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1092 on: December 13, 2024, 04:17:39 pm »
Code:
U-Boot 2010.03 (Jan 26 2011 - 12:37:34)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  128 MiB
In:    serial
Out:   serial
Err:   serial
SerNum:serial number not programmed
Chip:  BD Board Rev: 4
Net:   unknown
FPGA programming FAILED!
Press space to stop autoboot:  0
p500> printenv
ramboot=dhcp 0x4000000 nk.bin;bootm 0xf8050000
baudrate=115200
usbtty=cdc_acm
splashdata=0xd0000000
dispParm1=0x300 0x400 0x2625A00 0x1 0x3
dispParm2=0x20 0x4c 0x1 0x2 0x3
boardversion=4
ps=0
rtc=0
erase_env=protect off 1:4;erase 1:4
store_uboot=protect off 1:1-3;erase 1:1-3;cp.b 0x800000 0xF8010000 ${filesize};protect on 1:1-3;imi 0xF8010000
get_uboot_eth=dhcp 0x800000 u-boot_image.bin;run store_uboot
get_uboot_uart=loadb 0x800000 115200;run store_uboot
serialnum=serial number not programmed
bootdelay=0
bootaddr=0x700
loadaddr=0x00800000
chipversion=BD
nimages=2
image1=0xd0600000
image2=0xd1600000
fpgadata=0xd0060000
fimage=1
pbootdelay=0
numfilesystems=2
lengthfilesystem1=0x2800000
lengthfilesystem2=0x2800000
fsstart=0x2c00000
bootCeFlash=bootm 0xf8050000
uart2=115200
bootcmd=run keyrst;run bootCeFlash
preboot=fpga; expi 62500
keyrst=mw d8100400 6 1;mw d8100008 0 1;mw d8100008 2 1
bootfile=nk.bin.comp
filesize=C3668D
blocksize=0xc40000
fileaddr=800000
gatewayip=146.223.229.1
netmask=255.255.255.0
serverip=146.223.229.80
stdout=serial
stdin=serial
stderr=serial
infiniiVisionCabFile=
infiniiVisionHostname=
infiniiVisionNetworkAdapter=
infiniiVisionInstallStatus=installing cab file
ethaddr=00:30:d3:1d:a6:bd
fpgasize=0x45480
verify=n
ipaddr=192.168.1.161
ethact=unknown

Environment size: 1288/16380 bytes
p500> crc 0xd0060000 0x60000
CRC32 for d0060000 ... d00bffff ==> 02f44371
 

Offline sprit

  • Regular Contributor
  • *
  • Posts: 100
  • Country: vn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1093 on: December 13, 2024, 04:20:02 pm »
So now can I upload the FPGA image via loady command? What address should I send it to?
 

Offline sprit

  • Regular Contributor
  • *
  • Posts: 100
  • Country: vn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1094 on: December 13, 2024, 04:23:14 pm »
my bad
its result:
Code:
p500> crc 0xd0060000 0x45480
CRC32 for d0060000 ... d00a547f ==> 8fade21a
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7276
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1095 on: December 13, 2024, 05:16:11 pm »
Quote
So now can I upload the FPGA image via loady command? What address should I send it to?
You can upload using loady but do not rush to update. Use crc to compare first to figure out if the existing image has problem or not.
« Last Edit: December 13, 2024, 05:24:01 pm by Bud »
Facebook-free life and Rigol-free shack.
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7276
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1096 on: December 13, 2024, 05:22:53 pm »
Quote
my bad
its result:
Code:
p500> crc 0xd0060000 0x45480
CRC32 for d0060000 ... d00a547f ==> 8fade21a
Start address for fpga image should be 0x60000
Facebook-free life and Rigol-free shack.
 

Offline sprit

  • Regular Contributor
  • *
  • Posts: 100
  • Country: vn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1097 on: December 13, 2024, 05:59:42 pm »
Hi. Did i do it right?
 

Offline sprit

  • Regular Contributor
  • *
  • Posts: 100
  • Country: vn
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1098 on: December 13, 2024, 06:04:27 pm »
The actual crc of bin file is 5F15252C
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7276
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1099 on: December 13, 2024, 06:30:35 pm »
OK, to double check you can transfer fpga.bin with loady and then run the memory compare command against the two images, the existing one in NAND and the uploaded one. Use the help command at the p500 prompt to find and learn the memory compare command.
You can transfer the bin file to 0x800000 and use the respective addresses for the memory compare command. I can't remember if you have to load the existing image from 0x60000 into RAM for memory compare to work; hope this is not needed.
Facebook-free life and Rigol-free shack.
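Bud's procedure in #1088, #1091 and #1099 (CRC the region at 0x60000 for fpgasize bytes, then byte-compare it against fpga.bin) done host-side on a flash dump, as an added example that is not code from the thread or from Keysight. It assumes you have a dump file whose offset 0x60000 corresponds to fpgadata=0xd0060000, and that fpga.bin from the firmware package is exactly fpgasize (0x45480) bytes; the sample dump and bitstream are constructed inside the code. It also shows why `crc 0xd0060000 0x60000`, as typed earlier in the thread, cannot match: the second argument is a byte count, not an end address.

```python
"""Host-side check of the FPGA bitstream region in a flash dump against fpga.bin."""
import zlib

# From the thread: the FPGA image starts at 0x60000 (fpgadata=0xd0060000) and is fpgasize bytes.
# Assumption: offset 0 of the dump file corresponds to flash address 0 (0xd0000000 as mapped by U-Boot).
FPGA_OFFSET = 0x60000
FPGA_SIZE = 0x45480


def region_crc(dump: bytes, offset: int, length: int) -> int:
    """CRC32 of `length` bytes at `offset`, the value U-Boot prints for `crc <addr> <length>`."""
    region = dump[offset:offset + length]
    if len(region) != length:
        raise ValueError("dump is shorter than offset + length")
    return zlib.crc32(region) & 0xFFFFFFFF


def compare_regions(dump: bytes, offset: int, reference: bytes) -> tuple:
    """Byte compare in the spirit of U-Boot's `cmp.b`.

    Returns (first differing offset relative to `offset`, or -1 if equal; number of differing bytes).
    A dump that ends before `reference` does counts the cut-off point as one difference."""
    region = dump[offset:offset + len(reference)]
    diffs = [i for i, (a, b) in enumerate(zip(region, reference)) if a != b]
    if len(region) < len(reference):
        diffs.append(len(region))
    return (diffs[0] if diffs else -1, len(diffs))


def check_fpga_image(dump: bytes, fpga_bin: bytes, offset: int = FPGA_OFFSET, size: int = FPGA_SIZE) -> dict:
    """What to know before reflashing: do the sizes agree, do the CRCs agree, where is the first difference."""
    flash_crc = region_crc(dump, offset, size)
    file_crc = zlib.crc32(fpga_bin) & 0xFFFFFFFF
    first_diff, diff_count = compare_regions(dump, offset, fpga_bin)
    return {
        "size_matches": len(fpga_bin) == size,   # a shorter fpga.bin makes the CRCs differ even if the data is fine
        "flash_crc": flash_crc,
        "file_crc": file_crc,
        "crc_matches": flash_crc == file_crc,
        "first_diff": first_diff,
        "diff_count": diff_count,
    }


def make_sample() -> tuple:
    """Constructed test data, not a real dump or bitstream: 1 MiB of 0xFF with a synthetic image at FPGA_OFFSET."""
    fpga_bin = bytes((i * 7 + 3) & 0xFF for i in range(FPGA_SIZE))
    dump = bytearray(b"\xff" * 0x100000)
    dump[FPGA_OFFSET:FPGA_OFFSET + FPGA_SIZE] = fpga_bin
    return bytes(dump), fpga_bin


if __name__ == "__main__":
    dump, fpga_bin = make_sample()
    print("intact:", check_fpga_image(dump, fpga_bin))
    damaged = bytearray(dump)
    damaged[FPGA_OFFSET + 0x1234] ^= 0x80               # one flipped bit, as a bad NAND page might leave behind
    print("damaged:", check_fpga_image(bytes(damaged), fpga_bin))
    # The length argument must be fpgasize: a count of 0x60000 covers 0x60000 bytes starting at the
    # image and drags in whatever follows it, so that CRC cannot match fpga.bin.
    print("wrong length: %08x, fpgasize: %08x" % (region_crc(dump, FPGA_OFFSET, 0x60000),
                                                   region_crc(dump, FPGA_OFFSET, FPGA_SIZE)))
```

If `crc_matches` is false but `first_diff` is -1, the sizes differ rather than the data; if `first_diff` lands inside the image, that is the offset to inspect in both files before deciding whether the copy in flash or the extracted fpga.bin is the bad one.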
 

