Author Topic: EEVblog #978 - Keysight 1000X Hacking  (Read 489047 times)


Offline Palmer

  • Newbie
  • Posts: 6
  • Country: pl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1050 on: March 15, 2024, 02:09:09 pm »
In memory, I changed pbootdelay and bootdelay to 3, along with CRC correction.
I attach the logs and the memory file.

Try replacing usbtty -> serial 
Recalculate the checksum then.

Thanks !
Now pboot is working.
I tried to upload the software as for the X3000 series, with the method described in another thread: uploading the previously prepared nk.nb0 file via loady and starting InfiniiVision from a flash drive.
Unfortunately the oscilloscope only showed the logo and then a reset occurred :-/.

log_3 - boot procedure
log_4 - printenv
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7004
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1051 on: March 15, 2024, 07:08:17 pm »
You can't use the 3000X USB-based procedure for the 1000X, it does not work on the 1000X; forget it.
Something maybe missing in your printenv output, i will look later today.
Facebook-free life and Rigol-free shack.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7004
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1052 on: March 16, 2024, 11:35:11 pm »
Before doing the 'go' command try 'run preboot'

Edit: ...unplug the USB drive before attempting to boot.
« Last Edit: March 17, 2024, 01:20:09 am by Bud »
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: Palmer

Offline Palmer

  • Newbie
  • Posts: 6
  • Country: pl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1053 on: March 18, 2024, 11:35:18 am »
Before doing the 'go' command try 'run preboot'

Edit: ...unplug the USB drive before attempting to boot.

When I tried "run preboot" (between loady and go), nothing happened after the "go" command.

I initially tried on firmware version 1.2 from the manufacturer's website and 1.1 patch from the forum. In both cases booting stops at the same point. (The original firmware is 1.1)

What do you mean by "...unplug the USB drive before attempting to boot." ?
After all, the procedure is to upload the nk.nb0 file to memory (it's basically a Windows CE image) and have the system start the application from the flash drive. Am I wrong?

TT-392 went through a similar procedure so I hope that I will also succeed.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7004
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1054 on: March 18, 2024, 01:11:29 pm »
Can you point me to a TT-392's post where he said he started the application from a USB drive?
Facebook-free life and Rigol-free shack.
 

Offline Palmer

  • Newbie
  • Posts: 6
  • Country: pl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1055 on: March 19, 2024, 10:48:42 am »
Eh, you are right: without a flash drive the application started by itself, and it could then be updated from the flash drive.

As a thank you, I am preparing a description of the procedure, so that someone who looks here in the future with an identical problem does not have to ask questions.

I think I will finish the description later today, tomorrow at the latest.
 

Offline Palmer

  • Newbie
  • Posts: 6
  • Country: pl
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1056 on: March 19, 2024, 11:34:57 am »
If your oscilloscope has a black screen and only the buttons light up, this tutorial should probably fix it.

- Unscrew the oscilloscope to get at the small board mounted on the motherboard.
- Desolder the U701 chip (on the back of the board).
- Read the chip out to x.bin with the programmer.
- Open the file in a hex editor.
- Set the bootdelay=3 and pbootdelay=3 entries (look at 000402E0 and 00040380).
- Change usbtty to serial (00040280 and following).
- Calculate (in the hex editor) the CRC32 of the range 0x00040004-0x00043FFF and write it into the first 4 bytes (0x00040000-0x00040003).
 Remember the reversed byte order! If the calculated value is 75 4D 12 8E then we type 8E 12 4D 75.
- Save the file, program it into the chip, solder the chip back in.
- Solder wires to the serial port as in the video attached to the 1st post (I also include a photo taken before cleaning off the excess flux ;-)).
 Connect to the computer via a USB-UART converter. Install Tera Term; it is needed to handle the serial port and the YModem protocol.
 From the default serial port settings, change the speed to 115200.
- Now we have access to pboot (prompt p500) on the serial port (if we abort the boot).

Prepare the necessary file.
Download the firmware from the manufacturer's website. Open it in Total Commander, or change the extension to x.cab; then it should open as an archive in Windows as well.

We proceed to:

X:\yourfolder>bincompress /d nk.bin.comp nk.bin

Check the length of the file.

X:\yourfolder>viewbin nk.bin

Image Start = 0x80361000, length = 0x01A857C0
                Start address = 0x80362000
Checking record #45 for potential TOC (ROMOFFSET = 0xFE992E44)
Checking record #50 for potential TOC (ROMOFFSET = 0xFE9C3E44)
Checking record #126 for potential TOC (ROMOFFSET = 0xFF1F0E3C)
Checking record #189 for potential TOC (ROMOFFSET = 0x00000000)
NOTICE! Record 189 looked like a TOC except DLL first = 0x4001C001, and DLL last = 0x4192C095.
Done.

X:\yourfolder>cvrtbin.exe -r -a 0x80361000 -w 32 -l 0x01A857C0 nk.bin

This will result in a nk.nb0 in the same folder.

- Now we can upload the prepared file to memory.
p500> loady 0x00361000 115200

In Tera Term go to File->Transfer->YMODEM->Send.... and open the nk.nb0 that you have prepared before.

The uploading process will take about 50 minutes.

# Ready for binary (ymodem) download to 0x00361000 at 115200 bps....
CCCxyzModem - CRC mode, 1(SOH)/27158(STX)/0(CAN) packets, 10 retries
## Total Size = 0x01a857c0 = 27809728 Bytes

- Now we can boot the system. Remember that nothing may be inserted in the USB port.
p500> go 0x00362000

## Starting application at 0x00362000 ...
Windows CE Kernel for ARM (Thumb Enabled) Built on Mar 8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Jun 10 2019)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area....
pDrvGlobalArea 0xa0060000 size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
 OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers.
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200 (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
LAN PHY NOT detected.
DeleteP500EnetRegistry:
   \_CommGMAC 0x0.
   \_CommGMAC1 0x0.
   \_CommTcpipLinkage 0x0.
   \n-Virtual 0x0.
   \■DriversBuiltInLIN 0x5
LIN: Data Valid
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
ERROR: c:\WINCE600\PLATFORM\COMMON\SRC\SOC\STM\COMMON\DRIVERS\NandFlash\.\stm_NandFlash.c line 656: Rewrite recommended, internal ECC corrected data at 0xbe15.
Rewrite Block at Sector Address 0xbe15. 4541
Read Block SUCCEEDED 4572
Erased Block SUCCEEDED 4574
Completed rewriting Block SUCCEEDED 4623
Device load time:
   NANDFLASH: 0 ms
   SNANDFLASH: 0 ms
ERROR: OALIoCtlHalGetDeviceInfo: Device doesn't support IOCTL_HAL_GET_DEVICE_INFO::SPI_GETBOOTMENAME
SHIM DLL, LoadRealDll [PalIO.dll] for [AgilentPalIO.dll].
SHIM [AgilentPalIO.dll] Get Process Addresses
LaunchInfiniiVision:
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll].
SHIM [AgilentPalSStorage.dll] Get Process Addresses

    invalid clock reading: Sat Jan 01 01:00:00 2000
Released build, Jun 10 2019, 21:13:39
Initializing FPGA...
************************************
Ver: 1.067 Released
************************************
ERROR: c:\WINCE600\PLATFORM\COMMON\SRC\SOC\STM\COMMON\DRIVERS\NandFlash\.\stm_NandFlash.c line 656: Rewrite recommended, internal ECC corrected data at 0xbfc8
Rewriting Block at Sector Address 0xbfc8. 11622
ERROR: c:\WINCE600\PLATFORM\COMMON\SRC\SOC\STM\COMMON\DRIVERS\NandFlash\.\stm_NandFlash.c line 656: Rewrite recommended, internal ECC corrected data at 0xbfc8
Read Block SUCCEEDED 11667
Erased Block SUCCEEDED 11668
Completed rewriting Block SUCCEEDED 11703
Calibration mode User
Cal Date Mon Apr 08 13:10:31 2019
Startup sequence is complete.
Saved configuration invalid
System has been running 16.266155 seconds
Start Up Sequence 6.680450
Memory Load 52%
   System Physical Memory 37.832 / 73.465 MB
   Process Virtual Memory 46.688 / 1024.000 MB
-----> InfiniiVision is running <-----

- Now place the firmware from the manufacturer's website on a FAT32 flash drive and run the update procedure.
It is important to remove the flash drive after restarting, otherwise the system will not boot.

Thanks again Bud for the information! With your help and the information about the repair procedure for the X2000 and X3000 oscilloscopes, I was able to repair this model as well.
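The environment edit in the post above (bootdelay/pbootdelay to 3, usbtty to serial, CRC32 over 0x40004-0x43FFF written little-endian at 0x40000), and the same fix Palmer mentioned in Reply #1050, as an added Python example that is not from this thread or from Keysight. It uses only the offsets the post gives; that the block is laid out U-Boot style (NUL-separated key=value entries ending in a double NUL, zero padding to the end of the 0x4000-byte block) is an assumption, as are the stdin/stdout/stderr variable names in the constructed sample dump. It refuses to patch a dump whose stored CRC is already wrong, which is the quickest check that the 0x40000 offset applies to your chip and that the read-out is good.

```python
import struct
import sys
import zlib

# Offsets from the post: the environment occupies 0x40000-0x43FFF of the SPI
# flash dump; the first 4 bytes are a little-endian CRC32 of the rest.
# Assumption: the body is U-Boot style, NUL-separated "key=value" entries
# ending with an empty entry (double NUL); pboot behaves like a U-Boot derivative.
ENV_OFFSET = 0x40000
ENV_SIZE = 0x4000
BODY_SIZE = ENV_SIZE - 4


def env_crc(block: bytes) -> int:
    """CRC32 over the body, i.e. 0x40004-0x43FFF in the post's numbering."""
    return zlib.crc32(block[4:ENV_SIZE]) & 0xFFFFFFFF


def stored_crc(block: bytes) -> int:
    # '<I' reads the header little-endian: bytes 8E 12 4D 75 give 0x754D128E,
    # the "reverse order" the post warns about.
    return struct.unpack_from("<I", block, 0)[0]


def hexeditor_bytes(crc: int) -> str:
    """Byte order to type into a hex editor for a CRC32 value."""
    return struct.pack("<I", crc).hex(" ").upper()


def parse_env(block: bytes) -> dict:
    body = block[4:ENV_SIZE]
    end = body.find(b"\x00\x00")
    if end == -1:
        raise ValueError("no double-NUL terminator: not an environment block?")
    env = {}
    for entry in body[:end].split(b"\x00"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode("ascii")] = value.decode("ascii")
    return env


def build_env(env: dict) -> bytes:
    body = b"".join(f"{k}={v}".encode("ascii") + b"\x00" for k, v in env.items())
    body += b"\x00"                       # empty entry terminates the environment
    if len(body) > BODY_SIZE:
        raise ValueError("environment does not fit in 0x4000 bytes")
    body = body.ljust(BODY_SIZE, b"\x00")  # assumption: zero padding; CRC covers it
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + body


def patch_image(image: bytes, changes: dict, swap=("usbtty", "serial")) -> bytes:
    """Return a copy of the dump with 'changes' applied and the CRC recomputed.

    Refuses to touch a dump whose stored CRC is already wrong: that means the
    offset is wrong for this chip or the read-out is damaged.
    """
    block = image[ENV_OFFSET:ENV_OFFSET + ENV_SIZE]
    if len(block) != ENV_SIZE or stored_crc(block) != env_crc(block):
        raise ValueError("stored CRC does not match: wrong offset or damaged dump")
    env = parse_env(block)
    env.update(changes)
    old, new = swap                       # console variables: usbtty -> serial
    env = {k: (new if v == old else v) for k, v in env.items()}
    return image[:ENV_OFFSET] + build_env(env) + image[ENV_OFFSET + ENV_SIZE:]


# Constructed sample (not a real Keysight dump): erased flash around a minimal
# environment. The console variable names are an assumption; the swap above
# matches on the value "usbtty", whatever the variable is called.
SAMPLE_ENV = {"bootdelay": "0", "pbootdelay": "0", "stdin": "usbtty",
              "stdout": "usbtty", "stderr": "usbtty", "baudrate": "115200"}


def make_sample_image() -> bytes:
    return b"\xff" * ENV_OFFSET + build_env(SAMPLE_ENV) + b"\xff" * 0x1000


if __name__ == "__main__":
    # usage: patch_env.py [dump.bin patched.bin]; without arguments, runs on the sample
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else make_sample_image()
    fixed = patch_image(image, {"bootdelay": "3", "pbootdelay": "3"})
    block = fixed[ENV_OFFSET:ENV_OFFSET + ENV_SIZE]
    print(parse_env(block))
    print("CRC bytes to write at 0x40000:", hexeditor_bytes(stored_crc(block)))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(fixed)
```

Before programming the patched file back, compare it against the original with a hex diff: only the 0x40000-0x43FFF block should differ, and the first four bytes of that block should be exactly what hexeditor_bytes prints.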

 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7004
  • Country: ca
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1057 on: March 19, 2024, 01:21:32 pm »
 :-+
Facebook-free life and Rigol-free shack.
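The viewbin/cvrtbin step of the procedure in Reply #1056 (image start, length and entry address read out of nk.bin, then the records flattened into a raw nk.nb0 for loady), as an added Python example that is not from this thread, from Keysight or from the Windows CE tools themselves, for anyone without the Platform Builder utilities. It assumes the standard Windows CE .bin layout (a "B000FF\n" signature, 32-bit image start and length, then records of address/length/checksum/payload, where the checksum is the 32-bit sum of the payload bytes and a record with address 0 terminates the file and carries the entry point), takes the already decompressed nk.bin from the bincompress /d step as input, and fills gaps between records with zeros; that fill byte is an assumption. The sample image is constructed.

```python
import struct
import sys

MAGIC = b"B000FF\n"   # 7-byte signature that opens every Windows CE .bin image


def parse_bin(data: bytes):
    """Return (image_start, image_length, entry, records) for a CE .bin file.

    Layout: MAGIC, then 32-bit image start and length, then records of
    (address, length, checksum, payload). The checksum is the 32-bit sum of the
    payload bytes and is verified here, as viewbin does. A record with address 0
    terminates the file and carries the entry point in its length field.
    """
    if data[:7] != MAGIC:
        raise ValueError("missing B000FF signature")
    start, length = struct.unpack_from("<II", data, 7)
    pos, records, entry = 15, [], None
    while pos + 12 <= len(data):
        addr, rlen, csum = struct.unpack_from("<III", data, pos)
        pos += 12
        if addr == 0:
            entry = rlen
            break
        payload = data[pos:pos + rlen]
        if len(payload) != rlen:
            raise ValueError(f"truncated record at 0x{addr:08X}")
        if sum(payload) & 0xFFFFFFFF != csum:
            raise ValueError(f"checksum mismatch in record at 0x{addr:08X}")
        records.append((addr, payload))
        pos += rlen
    if entry is None:
        raise ValueError("no terminator record")
    return start, length, entry, records


def bin_to_nb0(data: bytes, base=None, length=None, fill=b"\x00") -> bytes:
    """Flatten the records into a raw image, like cvrtbin -r -a BASE -l LENGTH.

    Assumption: gaps between records are filled with 'fill' (0x00 here).
    """
    start, img_len, _entry, records = parse_bin(data)
    base = start if base is None else base
    length = img_len if length is None else length
    out = bytearray(fill * length)
    for addr, payload in records:
        off = addr - base
        if off < 0 or off + len(payload) > length:
            raise ValueError(f"record at 0x{addr:08X} falls outside the image")
        out[off:off + len(payload)] = payload
    return bytes(out)


def make_sample_bin() -> bytes:
    """Constructed two-record image (not a real nk.bin) at the post's addresses."""
    recs = [(0x80361000, b"ROMHDR\x00\x00"), (0x80362000, bytes(range(16)))]
    out = MAGIC + struct.pack("<II", 0x80361000, 0x1010)
    for addr, payload in recs:
        out += struct.pack("<III", addr, len(payload), sum(payload)) + payload
    out += struct.pack("<III", 0, 0x80362000, 0)   # terminator: entry = 0x80362000
    return out


if __name__ == "__main__":
    # usage: bin2nb0.py [nk.bin [nk.nb0]]; without arguments, runs on the sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_bin()
    start, length, entry, recs = parse_bin(data)
    print(f"Image Start = 0x{start:08X}, length = 0x{length:08X}")
    print(f"                Start address = 0x{entry:08X}  ({len(recs)} records)")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(bin_to_nb0(data))
```

On a real nk.bin the printed start and length should match viewbin's output in the post (0x80361000 and 0x01A857C0), and the output file should be exactly length bytes, which is what the "Total Size" line of the loady transfer reports. The post loads that file at 0x00361000 and jumps to 0x00362000, i.e. the image start and entry with the kernel-space 0x80000000 offset removed.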
 

Offline Anthocyanina

  • Frequent Contributor
  • **
  • Posts: 364
  • Country: 00
  • The Sara
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1058 on: March 24, 2024, 09:32:53 am »
OK! I checked every solder joint on the BLT connectors and the components with visible solder joints, nothing looked suspect, but just in case, I used the hot air station on the SPEAr600 and the memory ICs. I noticed some flux residue was left near the damaged connector, so I basically bathed that side of the BLT in isopropyl, making sure there was no residue at all, then I placed the BLT back where it belongs, but I didn't fully press it in, just enough that there would be contact, and to my surprise, I got a full boot! I still don't have a proper USB adapter, but I captured the data with an Analog Discovery 2, which was a lot easier to read than scrolling the Rigol capture. There were a couple of differences in the log between what I got and one log someone posted years ago in this thread, but I read it all and there were no errors this time.

I then fully seated the BLT and turned it back on, and I got a few more full boot sequences. It boots up much more consistently than before, but it sometimes takes significantly more time for a full boot, sometimes it boots at its regular speed, and sometimes it doesn't boot at all.

 

Offline is9582

  • Newbie
  • Posts: 3
  • Country: us
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1059 on: May 01, 2024, 05:33:39 am »
I just received a used DSOX1102G today (eBay purchase) and unknowingly crapped all over it. I saw it was running FW 1.10, and there was a nice shiny new FW 1.20, just calling out my name.  |O I snapped a shot of the "About This Oscilloscope" page, prior to engaging my stupidity, which displayed a whole host of installed licenses, and displayed the BW as 200MHz. I just thought the seller had purchased licenses and upgrades (MSO, FPG, memMax, EMBD, AUTO, ALT, FLEX, PWR, SGM, MASK, TEL, BW50, BW20, BW10, BW7, FRC, AUDIO, DIS, EDK, WAVEGEN, AERO, VID, ADVMATH, FLEXC, DIS, DIS, VID, DVM, ASV, CABLE, SCPIPS, RML, SGMC, TOM, FWD), not knowing 200MHz wasn't even an offered BW for this scope.  :-//

So, as I'm quite sure, everyone that has been on this ride for any time at all, already knows that my new shiny gem is now just a kinda dull penny. 70MHz with four or five items listed in licenses! Doh! Any guidance that might help me get back to whence my scope once was??

I guess I'm so used to snagging and loading the newest FW onto my Fractal Audio AF3, on the regular, that the other scenarios never even crossed my older brain.

Hell of an introduction, huh??
Cheers,
Lee
 

Offline Anthocyanina

  • Frequent Contributor
  • **
  • Posts: 364
  • Country: 00
  • The Sara
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1060 on: May 01, 2024, 07:53:54 am »
I just received a used DSOX1102G today (eBay purchase) and unknowingly crapped all over it. I saw it was running FW 1.10, and there was a nice shiny new FW 1.20, just calling out my name.  |O I snapped a shot of the "About This Oscilloscope" page, prior to engaging my stupidity, which displayed a whole host of installed licenses, and displayed the BW as 200MHz. I just thought the seller had purchased licenses and upgrades (MSO, FPG, memMax, EMBD, AUTO, ALT, FLEX, PWR, SGM, MASK, TEL, BW50, BW20, BW10, BW7, FRC, AUDIO, DIS, EDK, WAVEGEN, AERO, VID, ADVMATH, FLEXC, DIS, DIS, VID, DVM, ASV, CABLE, SCPIPS, RML, SGMC, TOM, FWD), not knowing 200MHz wasn't even an offered BW for this scope.  :-//

So, as I'm quite sure, everyone that has been on this ride for any time at all, already knows that my new shiny gem is now just a kinda dull penny. 70MHz with four or five items listed in licenses! Doh! Any guidance that might help me get back to whence my scope once was??

I guess I'm so used to snagging and loading the newest FW onto my Fractal Audio AF3, on the regular, that the other scenarios never even crossed my older brain.

Hell of an introduction, huh??
Cheers,
Lee

It's been a lot of pages since then, but maybe that scope has FERCSA's firmware installed? Had? (It's not clear from your post what's wrong with the scope.)

Does the scope work fine? From the title of the thread you might already be aware that this scope does support 200MHz bandwidth, but not through official means. Those unofficial means include FERCSA's firmware, Bud's firmware, resistors setting the hardware configuration, and who knows if anyone else hacked their own firmware to unlock the options.

If the firmware you installed was from Keysight's website, it could be that the previously installed firmware was FERCSA's. You could try installing Bud's 1.20 unlocked firmware and get all the working options back. If it was another custom firmware plus hardware modifications, maybe ask the seller to send you the modified firmware and install it again?
 

Offline is9582

  • Newbie
  • Posts: 3
  • Country: us
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1061 on: May 01, 2024, 11:54:15 am »
@anthocyanina

The scope does work presently, at a slower bandwidth, and less features. I didn’t explain well, but do believe it was hacked prior to me purchasing. I don’t know if the person that sold this scope, bought it new, or second-hand (like me). I’ll reach out to the seller first, and if unsuccessful, try Bud’s 1.20 unlocked firmware. Fingers crossed! I appreciate your input and assistance.

Cheers,

Lee
 

Offline is9582

  • Newbie
  • Posts: 3
  • Country: us
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1062 on: May 01, 2024, 08:32:12 pm »
Just wanted to share that I was successful obtaining a previous backup of my scope from the seller. Whew, a learning event.  :phew: Let’s see if I can keep my goof-ups to a minimum from this point forward!  :-[  :-+

Lee
 

Offline Anthocyanina

  • Frequent Contributor
  • **
  • Posts: 364
  • Country: 00
  • The Sara
Re: EEVblog #978 - Keysight 1000X Hacking
« Reply #1063 on: May 03, 2024, 01:56:01 am »
Just wanted to share that I was successful obtaining a previous backup of my scope from the seller. Whew, a learning event.  :phew: Let’s see if I can keep my goof-ups to a minimum from this point forward!  :-[  :-+

Lee

Great! Do you know if it was FERCSA's firmware, or another custom one?
 

