Author Topic: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator  (Read 316589 times)

0 Members and 1 Guest are viewing this topic.

Offline DerKammi

  • Regular Contributor
  • *
  • Posts: 107
  • Country: nl
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #700 on: February 07, 2018, 06:51:39 am »
Had a go with my account for reading only up until now.

https://github.com/DerKammi/FY6600-15-30-50-60M


 

Online skander36

  • Regular Contributor
  • *
  • Posts: 236
  • Country: ro
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #701 on: February 07, 2018, 12:15:54 pm »
I don't see the firmware specified anywhere when ordering one. Any way to be sure I get the latest 3.2 firmware?
Mine has arrived Monday and has 3.2 . It was ordered on 24 Jan.
 

Offline soundtec

  • Regular Contributor
  • *
  • Posts: 194
  • Country: ie
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #702 on: February 07, 2018, 01:34:19 pm »
Wow Skander ,
That was quick ,I ordered on the 15th Jan but still no sign and I have a trail of other packages ordered mid December about half a dozen of which  still havent landed .

I was reading up a few other articles on busting open  Stm32's ,maybe another angle worth looking at might be the update for the sine
wave issue ,there must be a facility to re-write some portion of the code on the device for this to work ,so maybe its another attack vector worth considering .

 

Online skander36

  • Regular Contributor
  • *
  • Posts: 236
  • Country: ro
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #703 on: February 07, 2018, 01:45:44 pm »
Wow Skander ,
That was quick ,I ordered on the 15th Jan but still no sign and I have a trail of other packages ordered mid December about half a dozen of which  still havent landed .

I was reading up a few other articles on busting open  Stm32's ,maybe another angle worth looking at might be the update for the sine
wave issue ,there must be a facility to re-write some portion of the code on the device for this to work ,so maybe its another attack vector worth considering .
I ordered from Banggood and I have paid 1,43 E for option "European Direct Mail" .
Total Price for 60MHz version was 92.13E . Through Dutch Mail , no customs tax .
 

Online DC1MC

  • Super Contributor
  • ***
  • Posts: 1060
  • Country: de
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #704 on: February 07, 2018, 02:21:54 pm »
Wow Skander ,
That was quick ,I ordered on the 15th Jan but still no sign and I have a trail of other packages ordered mid December about half a dozen of which  still havent landed .

I was reading up a few other articles on busting open  Stm32's ,maybe another angle worth looking at might be the update for the sine
wave issue ,there must be a facility to re-write some portion of the code on the device for this to work ,so maybe its another attack vector worth considering .

Some quick clarifications: the FP is master to the FPGA signal board, so there is no way for the SB to tell anything special to the FP. Also all the waveforms are stored in the external flash on the SB.
Busting open the STM32 has been tried for this version, you should look 1-2 pages back, due to the fact that the JTAG interface shares the pins with the SWI interface we're using too much time switching the interfaces and lose the race, there is still a chance to replace the STM32 quarz with external very slow clock source, but the prognosis is not so good.
So far, if there is no hidden external command over the serial line to overwrite the STM32 firmware than the only solution is to write a new one.

  So far, let's hope that our efforts for a new firmware will give results and official fw 3.2 is not too miserable.

  Cheers,
  DC1MC
 

Offline pauluzs

  • Newbie
  • Posts: 2
  • Country: nl
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #705 on: February 07, 2018, 03:37:41 pm »
Just got one from Frankfurt today, FW 3.2

After reading this tread i was curious to see what could be done.
Before doing any of the psu and clock hardware mods, it would be nice to be able to use this device with Sigrok and maybe something like gnuradio on linux.

After playing around with serial the commands as listed in "FY6600 Serial communication protocol" and having a quick glance at the pcb. It seems the ch340 and the tx/rx headers on the back are both connected to the FP. In other words i could not use the serial command with the FP disconnected.

This would be in line with the findings done by cybermaus, fremen67, DC1MC and others. Based on this we would now send all the know serial commands and capture the corresponding spi command from the FP to Winboud?
Would like to know how this communication works, (SERIAL>)FP>WINBOUND and FPGA polls winbound for changes? or does the FP Sends some kind of notification/interrupt to FPGA?

This way it would be possible to replace the FP with something else like a dev board(already done), microcontroller or do a SPI man in the middle between FP and FPGA with something like a rpi that has 2 spi ports.

Last one, if it  could be done. what would it take to have a external clock reference on one of the BNC connectors or header pins instead of modding the pcb clock circuit?
 

Offline scott0999

  • Newbie
  • Posts: 3
  • Country: us
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #706 on: February 07, 2018, 03:40:00 pm »
I don't see the firmware specified anywhere when ordering one. Any way to be sure I get the latest 3.2 firmware?
Mine has arrived Monday and has 3.2 . It was ordered on 24 Jan.

sweet where did you order from?
 

Online skander36

  • Regular Contributor
  • *
  • Posts: 236
  • Country: ro
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #707 on: February 07, 2018, 03:59:18 pm »
Romania.
Two posts above .
 
The following users thanked this post: scott0999

Offline cybermaus

  • Frequent Contributor
  • **
  • Posts: 523
  • Country: nl
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #708 on: February 07, 2018, 06:33:28 pm »
Ok, I think I am ready to close the firmware readout topic.
My 2nd STM32F051 board arrived, and as expected, I can simply reproduce the frauenhofer result, and readout a RDP-1 protected board.
(see images)

It also means my setup is correct, and so the same method cannot be used on a F1 board.
Not unexpected, but at least I now also actually hacked a F051 board, so give my failed F103 attempts some credibility.

tl;dr; some more insight why F0 != F1


Busting open the STM32 has been tried for this version, you should look 1-2 pages back, due to the fact that the JTAG interface shares the pins with the SWI interface we're using too much time switching the interfaces and lose the race, ......

Well, to go into detail: That is not *the* reason, it is merely *one* of the many possible reasons. It could really be any of these:

- F0 vs F1 have different protection implementation, F0 has 2 levels, F1 has 1 level  - (die difference)
- F0 vs F1 have different debug implementations. F0 has only SWD, F1 has JTAG and SWD - (die difference)
- F0 vs F1 have different debug implementations. F0 has only SWD, F1 has JTAG and SWD - (switching to SWD may already trigger the lockdown)
- F0 vs F1 have different core bus matrix design. F0 with M0 core reads flash over shared bus. F1 with M3 code has dedicated ICODE bus (hack is based on bus conflict race)

All 4 of the items above mean that there is a key difference on the section specifically relevant to this attack, so a relevant part of the chip die was redesigned between the two chip families, and so any bug could or could not be there.

So, does that mean the F1 is uncrackable? I do not know. But it does mean that it was rather naive of me to think/hope the F0 debug attack would simply map to the F1.
We may think the chips are similar because we use them similar. But they are really different though and through.

If F1 is hackable, it would need all new top-level base reseach


There is still a chance to replace the STM32 quarz with external very slow clock source, but the prognosis is not so good.
So far, if there is no hidden external command over the serial line to overwrite the STM32 firmware than the only solution is to write a new one.

Alas no. I lol'ed because when this was mentioned, I literally was looking at the clock diagram on my other monitor.
But (apart from the arguments above) the flash controller has its own fixed build in RC clock. To win the race (if one exists on the F1) we would have to make the flash controller slower, and the debug access (APB bus and AHB bus) faster.

And that is the opposite of what we can do. Officially, we can make APB/AHB slower. I guess we could try overclocking. But we do not even know if there is a race condition at all, the F1 is just too different. So I repeat, it would need all new research from the bare basics, not buiding on top of Frauenhofer. Where do we stop, I was not planning on promoting on this.

So, not to be negative, but I am calling it quits.
« Last Edit: February 07, 2018, 06:41:51 pm by cybermaus »
 

Offline cybermaus

  • Frequent Contributor
  • **
  • Posts: 523
  • Country: nl
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #709 on: February 07, 2018, 06:48:20 pm »
BTW: I have two barely used STM32F051 Discovery boards for sale, if anyone is interested    ;D
Unlocked with factory default blink program loaded.   :P
 

Offline DerKammi

  • Regular Contributor
  • *
  • Posts: 107
  • Country: nl
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #710 on: February 07, 2018, 07:34:43 pm »
Ahh that is a pitty Cybermaus. Great goings never the less. A lot more has to be discovered then. Would you share the code you used?

I'm resuming the schematic entry now :)
 

Offline DerKammi

  • Regular Contributor
  • *
  • Posts: 107
  • Country: nl
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #711 on: February 07, 2018, 09:14:45 pm »
Frontpanel schematic are done :) Offcourse some faults can be there and the PA0 signal going to the FPGA is unknown to me as of yet.

The transistors for driving the buzzer and backlight are probably MOSFETs, but I found these first :)

On to the main PCB :D
« Last Edit: February 07, 2018, 09:26:47 pm by DerKammi »
 

Offline soundtec

  • Regular Contributor
  • *
  • Posts: 194
  • Country: ie
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #712 on: February 07, 2018, 09:35:28 pm »
Oh well Cybermaus ,
thats a pity but a great effort you made all the same . Even though you didnt reach the finish line I guess its all part of the fun and some lessons were learned at least .
 

Offline fremen67

  • Frequent Contributor
  • **
  • Posts: 346
  • Country: fr
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #713 on: February 08, 2018, 12:36:08 am »
Frontpanel schematic are done :) Offcourse some faults can be there and the PA0 signal going to the FPGA is unknown to me as of yet.

The transistors for driving the buzzer and backlight are probably MOSFETs, but I found these first :)

On to the main PCB :D
:-+
The model I have on my FP is STM32F103c8t6. You have a STM32F103cbt6?
I'm a machine! And I can know much more! I can experience so much more. But I'm trapped in this absurd body!
 

Offline DerKammi

  • Regular Contributor
  • *
  • Posts: 107
  • Country: nl
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #714 on: February 08, 2018, 06:16:57 am »
That is correct, this is what is in the library, Lazy mode.

Only difference is flash size, the c8 has 64k instead of the 128k in de cb. Pinout is the same.

fremen67: Do you have any documentation for the FPGA comms. to share for on the Git? Or some code even? Don't mind if it is tidy or not. Just want to have a look.
 

Offline cybermaus

  • Frequent Contributor
  • **
  • Posts: 523
  • Country: nl
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #715 on: February 08, 2018, 06:47:22 am »
As mentioned, the only difference between the C8T6 and CBT6 is 64KB vs 128KB flash
But in fact, most C8T6 (blue-pill) users (almost all) report it has 128KB anyway..

Probably a way to sell failed CBT6 chips, and not having enough production fail.
Quite possible Feeltech is buying the cheaper one, but using all 128KB anyway.

Just for fun, I check all my C8T6: both unlocked ones have 128KB usable
The one in my Feeltech I think too, but it reports "inaccurate probe":

Code: [Select]
Open On-Chip Debugger
> reset halt
target state: halted
target halted due to debug-request, current mode: Thread
xPSR: 0x01000000 pc: 0x08000144 msp: 0x20004bb8
> flash banks
#0 : stm32f1x.flash (stm32f1x) at 0x08000000, size 0x00000000, buswidth 0, chipwidth 0
> flash probe 0
device id = 0x20036410
STM32 flash size failed, probe inaccurate - assuming 128k flash
flash size = 128kbytes
flash 'stm32f1x' found at 0x08000000
>

I think it means the chip reports 128K, but he cannot validate it by reading the 2nd half.
They do all 3 give the same device id of 0x20036410
« Last Edit: February 08, 2018, 06:55:30 am by cybermaus »
 

Offline DerKammi

  • Regular Contributor
  • *
  • Posts: 107
  • Country: nl
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #716 on: February 08, 2018, 10:40:57 am »
Do I read it correctly in a way that 64k is fully guaranteed to work and 128k is not 100% validated?
 

Offline cybermaus

  • Frequent Contributor
  • **
  • Posts: 523
  • Country: nl
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #717 on: February 08, 2018, 11:35:14 am »
Yes, if you follow the link, you find at 2 users Sylvan_YZY and pokemon99 reported a C8T6 with the nominal 64KB. But both of them also had the chip only report 64K, so if the chip reports 128K, you can assume it is usable. Assume, but I guess no warranty from ST :)
 

Offline fremen67

  • Frequent Contributor
  • **
  • Posts: 346
  • Country: fr
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #718 on: February 08, 2018, 11:08:14 pm »
That is correct, this is what is in the library, Lazy mode.
Only difference is flash size, the c8 has 64k instead of the 128k in de cb. Pinout is the same.
As mentioned, the only difference between the C8T6 and CBT6 is 64KB vs 128KB flash
But in fact, most C8T6 (blue-pill) users (almost all) report it has 128KB anyway..
Yes I also have a mix of C8T6 and CBT6 boards. Not a big deal when you are insured to have the minimum specs.
For us it does matter in the way that we should target 64k as the maximum program size and not 128k.
I guess this is not a problem with real code size as there won't be a lot of code in our case but this could be more important for bitmaps and fonts storage. The UI usually needs some room for cool stuff (well... some UIs do, some others don't ;))
fremen67: Do you have any documentation for the FPGA comms. to share for on the Git? Or some code even? Don't mind if it is tidy or not. Just want to have a look.
Sure. All my "working" notes are in an excel file. The summary sheet is the pdf file I posted some days ago. Maybe not the best format to put on a github... but I suppose for the moment beeing you can post the pdf file as is...
For the code you can post the FPGA Library (FPGA.c) plus a module I used for testing puposes (Tests.c surprisingly  :)) This might help understand the FPGA library which should already be understandable by itself. At least I hope :P
The next module I will post will be the serial protocol which will be less interesting as already documented by Feeltech. Maybe you could also post the original document from Feeltech ...
I'm a machine! And I can know much more! I can experience so much more. But I'm trapped in this absurd body!
 

Offline rhb

  • Super Contributor
  • ***
  • Posts: 3083
  • Country: us
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #719 on: February 09, 2018, 12:11:29 am »
I just came across this:

https://www.aliexpress.com/item/High-Precision-Digital-Dual-channel-DDS-Function-Signal-Generator-Arbitrary-Waveform-Pulse-Signal-Generator-1Hz-100MHz/32835207150.html

I very well think I might get one at $75.   It uses a resistor ladder instead of an IC for the DAC.   I ran across a 5 V linear supply I built long ago which should do just fine powering the METERK JDS6600.  I might enjoy having a unit that didn't require work to be able to use it properly.  But one is paying about $35 for the 4 BNCs on the back of the FeelTech.  Plus the aggravation factor.  I wonder how many other names it sells under on AliExpress.

 

Offline bitseeker

  • Super Contributor
  • ***
  • Posts: 8687
  • Country: us
  • Lots of engineer-tweakable parts inside!
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #720 on: February 09, 2018, 12:18:41 am »
I think I've seen the JDS-looking version being sold under several names. I don't know if they're rebadged or just look-alike.
I TEA.
 

Offline Candid

  • Regular Contributor
  • *
  • Posts: 138
  • Country: de
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #721 on: February 09, 2018, 12:53:59 am »
I just came across this:

https://www.aliexpress.com/item/High-Precision-Digital-Dual-channel-DDS-Function-Signal-Generator-Arbitrary-Waveform-Pulse-Signal-Generator-1Hz-100MHz/32835207150.html
This is the 30MHz version. You may search for "rd jds6600" on Aliexpress and you will find the 5 models 15, 30, 40, 50 and 60MHz of this JDS6600 series products. The psu is 5V/2A. It needs at least stable 5V/1200mA to start and run properly. I have this rd JDS6600 and the FeelTech FY6600.

From the technical side as a signal generator the FeelTech is better. You may compare the technical data. But with an external linear 5V psu you can easily omit the known high voltage to earth problem with the JDS6600. The mechanical user interface is way better than that of the FeelTech.
 

Offline rhb

  • Super Contributor
  • ***
  • Posts: 3083
  • Country: us
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #722 on: February 09, 2018, 01:06:39 am »
One of the JDS sellers claims that the engineer who designed the series, and another engineer involved in later work, work for them. And that the JDS is the most recent version.

So it would appear that a designer has created a design, sold it to a manufacturer, then sold sold lower cost designs to other companies. It may well be something like:

Bored engineer in LCD factory designs FPGA/MCU AWG in spare time.  Convinces management to market it.  But management gets weird and puts a super cheap front panel on the units because the 4 BNCs out the back cost so much. So engineer gets ticked off quits and gets job designing similar product.  He goes the opposite end of the feature spectrum, gets a decent front panel and eliminates the back BNCs and we have the JDS6600.  FeelTech and FD make and sell instruments to order with whatever features you are willing to pay for added.

How true I don't know, but it seems like a reasonable fit to the facts.  FeelTech as jerks is quite obvious.
 

Offline Candid

  • Regular Contributor
  • *
  • Posts: 138
  • Country: de
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #723 on: February 09, 2018, 01:39:00 am »
Something like this. The user interface of the two products is nearly identical so the engineers behind these products may come from one company or is identical. The JD6600 has the DC2DC converters on the mainboard. It's a pitty that they use a smpsu and not a linear one. Could be so easy.
 

Offline cybermaus

  • Frequent Contributor
  • **
  • Posts: 523
  • Country: nl
Re: FeelTech FY6600 60MHz 2-Ch VCO Function Arbitrary Waveform Signal Generator
« Reply #724 on: February 09, 2018, 07:23:01 am »
But with an external linear 5V psu you can easily omit the known high voltage to earth problem with the JDS6600.
Not sure if that is true. An external switched PSU has the same problem as an internal one. The only thing is you can more easily switch out a cheap one for a better one, but they both will have leakage through the mandatory capacitor.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf