How to find and inspect hidden serial UART terminal ports inside equipment.
Dave finds the U-Boot / Windows CE UART port in the new Keysight 1000 X-Series oscilloscope and uses the boot log to locate some of the product-mode configuration pins. A hardware hack shows that changing the product configuration mode in hardware is possible.
Dump from a production DSOX1102G unit:
U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500
CPU: SPEAr600
DRAM: 128 MiB
Flash: 512 KiB
NAND: internal ecc 128 MiB
Debug serial initialized ........OK
RTC: 2024-16-10 7:86:38.44 UTC
Microsoft Windows CE Bootloader Common Library Version 1.4 Built May 7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008
PHY not found.
System ready!
Preparing for download...
RTC: 2024-16-10 7:86:38.44 UTC
Loading image 1 from memory at 0xD0600000
O
BL_IMAGE_TYPE_BIN
X
XXXXOOOOXXOOOOOOOOXOXOOOOOOOOXOOOXOOOOXXOOOOOOOOOXOOOOXOXXOXOXXOXOXOXOXXXXOOXXXOOOOOOXXOXXOXXXXXXOOOXXXOXXOOOXXXOXXOOOOXOOXXOOOXOOOOXOXOOOOOXOOOXOOXOXXOXOXXXXXXOXXXXOOOXOOOXOXOOOOXOOOOXOXOXOOOOOOXX
OOOXOOXOOOOXOOOOXOOXXOOXOOOOOOOOOXOOOOXOOOOOOXOXOOOOXOXOOOOOOOXXOOXOOXOXOOOXOOOXOOXXOXOXOOOXOXXXXXOXOXXXOXXXXOXOXXOOOXXXXOXXXXOXXXXXXXOXXXXXXOXXOXXOXXOOXXOXXXOXXXXOOOXXX
OOOXXXOXXOOXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOXXXXXOOOXOXOOXOOXXXXXXXXXXXXXrom_offset=0x0.
XXImageStart = 0x80361000, ImageLength = 0x1A80C40, LaunchAddr = 0x80362000
Completed file(s):
-------------------------------------------------------------------------------
[0]: Address=0x80361000 Length=0x1A80C40 Name="" Target=RAM
Loading image 1 succeeded.
ROMHDR at Address 80361044h
Preparing launch...
RTC: 2024-16-10 7:86:38.47 UTC
Launching windows CE image by jumping at address 0x 362000
Windows CE Kernel for ARM (Thumb Enabled) Built on Mar 8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Sep 28 2016)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000 size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers\Active\14
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200 (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
LAN PHY NOT detected.
DeleteP500EnetRegistry:
\Comm\GMAC 0x0
\Comm\GMAC1 0x0
\Comm\Tcpip\Linkage 0x0
\Drivers\Virtual 0x0
\Drivers\BuiltIn\LIN 0x5
LIN: Data Valid
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
Device load time:
NANDFLASH: 1 ms
SNANDFLASH: 1 ms
SHIM DLL, LoadRealDll [PalIO.dll] for [AgilentPalIO.dll]
SHIM [AgilentPalIO.dll] Get Process Addresses
LaunchInfiniiVision:
=========================================
BLT Product Config 24
Bandwidth : 200MHz
#Channel : 2
Board Rev : FPR
Clk Gating : Baldwin
Sample Rate : 4GSa
LAN PHY : No
BLT Module Config 02
Rev : LP3
Sample Rate : 5GSa/s
=========================================
BLT_PRODUCT_CONFIG_0, 1.251v, ID4
BLT_PRODUCT_CONFIG_1, 0.692v, ID2
BLT_MODULE_CONFIG_0, 0.687v, ID2
BLT_MODULE_CONFIG_1, 0.005v, ID0
CANINE_BOARD_REV, 0.002v, ID0
CANINE_MODEL_NAME: MARSUPIAL, 1.738v, ID6, MARSUPIAL
CANINE_EXTMODULE, 2.488v, ID8, SWID8
CANINE_MSO_REV, 0.628v, ID2, SWID2
SHIM DLL, LoadRealDll [PalSStorage.dll] for [AgilentPalSStorage.dll]
SHIM [AgilentPalSStorage.dll] Get Process Addresses
Released build, Sep 28 2016, 00:17:51
Initializing FPGA...
************************************
FPGA Type: Marsupial
Ver: 1.067 Released
Build Time: Tue Jun 14 17:13:42 2016
Build Machine: 2UA5461ZWH
************************************
cMarsupialCalMgr::cMarsupialUserCalFactors::cMarsupialUserCalFactors size 146412
cMarsupialCalMgr::cMarsupialServiceCalFactors::cMarsupialServiceCalFactors size 704
cMarsupialCalMgr::cMarsupialFactoryCalFactors::cMarsupialFactoryCalFactors size 896
Calibration mode User
Recall \Secure\cal\FactoryCal2.dat - ok
Recall \Secure\cal\ServiceCal1.dat - ok
Recall \Secure\cal\UserCal8.dat - ok
Cal Date Sun Sep 25 15:11:58 2016
will do USB phy workaround: CheckCRC
Startup sequence is complete.
System has been running 16.841095 seconds
Start Up Sequence 7.470958
Memory Load 50%
System Physical Memory 36.441 / 73.465 MB
Process Virtual Memory 46.938 / 1024.000 MB
-----> InfiniiVision is running <-----
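One way to inspect a dump like this, as an added example that is not part of the original post or of the Keysight firmware: it pulls the resistor-set configuration pins (the `..., <volts>v, ID<n>` lines) and the serial divisor out of the log, cross-checks the printed "Product Config 24" / "Module Config 02" numbers against the pin IDs (the decimal pairing is inferred from those two lines), and recomputes the real baud rate assuming the SPEAr600 UART follows the ARM PL011 formula. The sample input is copied from the dump above.

```python
import re

# Constructed test input: lines copied from the DSOX1102G boot dump above.
SAMPLE_LOG = """\
SER2 Serial Port, new baud rate:0x1c200 (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
BLT Product Config 24
BLT_PRODUCT_CONFIG_0, 1.251v, ID4
BLT_PRODUCT_CONFIG_1, 0.692v, ID2
BLT_MODULE_CONFIG_0, 0.687v, ID2
BLT_MODULE_CONFIG_1, 0.005v, ID0
CANINE_BOARD_REV, 0.002v, ID0
CANINE_MODEL_NAME: MARSUPIAL, 1.738v, ID6, MARSUPIAL
CANINE_EXTMODULE, 2.488v, ID8, SWID8
CANINE_MSO_REV, 0.628v, ID2, SWID2
"""

# "<NAME>[: label], <volts>v, ID<n>[, ...]" -- one ADC-read configuration pin per line.
PIN_RE = re.compile(r"^([A-Z0-9_]+)(?::\s*\S+)?,\s*([0-9.]+)v,\s*ID(\d+)")
# Divisor report printed by the Windows CE serial driver (PL011-style registers).
BAUD_RE = re.compile(r"baud rate:0x([0-9a-f]+) \(UARTCLK:(\d+) IBRD:0x([0-9a-f]+) FBRD:0x([0-9a-f]+)\)")


def parse_config_pins(log):
    """Return {pin_name: (voltage, id)} for every configuration pin in the log."""
    pins = {}
    for line in log.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1)] = (float(m.group(2)), int(m.group(3)))
    return pins


def config_number(pins, prefix):
    """Combine <prefix>_1 and <prefix>_0 pin IDs into the config number the firmware prints.
    Inferred from the dump only: IDs 2/4 -> 'Product Config 24', IDs 0/2 -> 'Module Config 02'."""
    return pins[prefix + "_1"][1] * 10 + pins[prefix + "_0"][1]


def parse_baud(log):
    """Decode the requested baud and the rate the divisor really yields, assuming the
    ARM PL011 formula baud = UARTCLK / (16 * (IBRD + FBRD/64)). Returns (requested, actual)."""
    m = BAUD_RE.search(log)
    if not m:
        return None
    requested = int(m.group(1), 16)
    uartclk, ibrd, fbrd = int(m.group(2)), int(m.group(3), 16), int(m.group(4), 16)
    return requested, round(uartclk / (16 * (ibrd + fbrd / 64)), 1)


if __name__ == "__main__":
    pins = parse_config_pins(SAMPLE_LOG)
    for name, (volts, pin_id) in pins.items():
        print(f"{name:22s} {volts:6.3f} V  ID{pin_id}")
    print("product config", config_number(pins, "BLT_PRODUCT_CONFIG"))
    print("module config ", config_number(pins, "BLT_MODULE_CONFIG"))
    print("baud requested/actual", parse_baud(SAMPLE_LOG))
```

The divisor in the log (IBRD 26, FBRD 2) gives about 115246 baud, within 0.05% of the requested 115200, which is why a standard 115200 8N1 terminal reads the port cleanly.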
Where do we find the photo of the early non-production model?
Is this Keysight trying to do a Rigol? An unauthorised yet acceptable hack?
I've found the other product set resistors, playing now...
You just know that a letter from their legal team is inbound now...
Well done
This wouldn't be the first time a Keysight InfiniiVision scope has been hacked. In the past it's been a "at your own risk" and "for your use only" activity, anyone trying to sell hacked units got a nice letter from the legal folks.
In no way are we leaking info for or sponsoring a Keysight hackathon scenario.
But
Huge progress, stay tuned!
Wouuah so nice!
As I see in the video, changing resistor values changes the specification. It seems a little dumb question, but can this kind of change really have an impact on measured values?
Doesn't the hardware define the specs like acquisition speed or anything?
I really want to seeee mooreeee, can't wait
Another stupid question concerning the supposed 2nd RS232: do you think that is also defined by the values of resistors?
Like if the scope loads a generic image and adapts it according to the resistor values?
This ain't no 100MHz bandwidth scope
No review published yet, only a teardown.
But seems to be hacked very soon...
WOW! That was fast!
I've shot some review footage, but good reviews are a lot of work.
I'm more excited about the hacking at present.
I can currently change the bandwidth and max sample rate
I now have a 220MHz bandwidth scope
Making quick work of it
Sent from my SM-G935V using Tapatalk
It seems like the resistors will change the configuration, but if they sell upgrades there must be data in ROM that can override those settings. That said, they must only be able to upgrade via software, but not downgrade below the configuration set by the resistors, or your resistor mod would have no effect.
How exciting, can't wait to get mine!
What are you getting for sample rates?
It seems weird that they would have both.
How does software upgrade work? By entering a code like on Rigols?
(ie. is there a menu to enter option codes?)
That's what it sounded like. Dave mentioned purchasing licenses, which Keysight has done in the past for other scopes.
Very cool! Might see a new oscilloscope on my desk soon...
Keysight oscilloscope dept.:
"He's almost got it!"
"Really, so soon?"
"Yeah, pretty close. Get ready for sales numbers to shoot up on these babies."
True story.
Unfortunately it is a Danaher. Even worse, it is a bottom of the barrel crippled Danaher running...Windows, so paying actual cash for it is kinda...not very clever. Lucky for the guys who got it for free though.
Umm, no. Keysight is Keysight. Danaher owns Tektronix.
Not if you have to solder tiny resistors to do it.
Sales will shoot up after the keygen appears.