Author Topic: Possible GW Instek GDS-1000B hack  (Read 27805 times)

Offline g.assis

  • Newbie
  • Posts: 3
  • Country: br
Re: Possible GW Instek GDS-1000B hack
« Reply #175 on: September 22, 2020, 05:19:18 pm »
But I also found some minor niggles.. Nothing is perfect.
GDS1054B is actually cheaper. Some things are better on GDS1054B, some on Micsig.

Hey 2N3055, can you elaborate about those niggles and the differences you spotted between those two?
I'm going to import this scope, and returning and/or replacing is almost impossible; I must be 101% sure about my decision.
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 2912
  • Country: hr
Re: Possible GW Instek GDS-1000B hack
« Reply #176 on: September 22, 2020, 09:47:41 pm »
Well in short, all kinds of little things.
It generally works well but...

The timebase follows the normal 1-2-5 pattern, except 4ms/div instead of 5ms/div.
Sometimes, when you stop acquisition and change the timebase, it will lose the buffer.
On some triggers, it sometimes stops triggering, and then you change the trigger level a little and it starts again..
Not all knob presses have functions, and the cursor buttons are not very easy to use. There is a search button that does nothing.

These are very obscure things and happen only occasionally so it's not a big deal.. But perfect it's not.
Still very good and portable. It already proved very useful to me and I use it very often.

I plan to make a short review/summary of my findings. Just it's kinda busy now...
 
The following users thanked this post: g.assis

Offline Mr_Bean

  • Newbie
  • Posts: 3
  • Country: ca
Re: Possible GW Instek GDS-1000B hack
« Reply #177 on: October 16, 2020, 07:55:59 pm »
Here is the new license generator for the current FWs of GDS1000B and GDS2000E, based on the wgoeo post (msg #3).

Code:
        private static void InstekKG(string serial)
        {
            // This works for GDS1000B and GDS2000E
            string[] opt = { "PWR", "BUS", "SRH", "SGM", "BW100", "BW200", "BW300", "SA" };   // Prefixes: "DS1KB-"  or "DS2E-"

            // uint[] ClearCode = { 0x11111111, 0xABABABAB, 0x22222222, 0xCDCDCDCD };  // OLD -- GDS1000B (up to v1.18) and GDS2000E (up to v1.28)
            uint[] ClearCode = { 0x74B0DC51, 0x46E87CCD, 0x25E45D32, 0x515F007C };  // NEW or       
            uint[] ClearCode = { 0x19495CFF, 0x257130A3, 0x3D1B58BA, 0x74B0DC51 };  // v1.23, v1.24, ....

            serial = serial.Trim();
            int serial_int = Int32.Parse(serial.Substring(serial.Length - 4, 4));

            int pid_sum = 0;
            for (int i = 0; i < serial.Length - 4; i++)
                pid_sum += serial[i];

            for (int i = 0; i < opt.Length; i++)
            {
                int[] a = new int[2];
                a[0] = (pid_sum << 24) | ((i << 8) & 0xF00);
                a[1] = (1 << 24) | ((serial_int << 8) & 0xFFFF00) | ((pid_sum >> 8) & 0xFF);

                for (int j = 0, k = -0x61C88647; j < 32; j++, k -= 0x61C88647)
                {
                    a[0] += (int)((16 * a[1] + ClearCode[0]) ^ (a[1] + k) ^ ((a[1] >> 5) + ClearCode[1]));
                    a[1] += (int)((16 * a[0] + ClearCode[2]) ^ (a[0] + k) ^ ((a[0] >> 5) + ClearCode[3]));
                }
                Console.WriteLine("DS1KB-{0}.lic / DS2E-{0}.lic - [{1:x8}{2:x8}]", opt[i], a[1], a[0]);
            }
        }

Those who prefer the JavaScript version can replace just the ClearCode constants in the script (I leave that as homework). The SA option was also added (only for the 2000E).

Edit1: Tested successfully by some members on DS2E and MSO equipment. This will not work on 2000A because the S/N has a different format.

Edit2: It seems there is more than one new combination of ClearCode(s), so test both.

As an updated data point, I just successfully upgraded from 50 MHz to 100 MHz on a GDS-1054B with firmware 1.28, using the javascript html and ClearCode of {0x19495CFF, 0x257130A3, 0x3D1B58BA, 0x74B0DC51}. No downgrading or safe mode required.

The GDP-070B-4 probes that came with the scope are only rated for up to 70 MHz so I guess now I'll start shopping for upgraded probes  :-DD
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1813
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #178 on: October 16, 2020, 08:25:39 pm »
GDS-1054B with firmware 1.28, using the javascript html and ClearCode of {0x19495CFF, 0x257130A3, 0x3D1B58BA, 0x74B0DC51}.

Thanks for reporting.
 

Offline halfwave

  • Newbie
  • Posts: 1
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #179 on: October 18, 2020, 07:43:24 pm »
Reporting in: 100MHz option worked on my new GDS-1054B with firmware 1.28, Clearcode line starting with 0x19495CFF is what I used as well. Did not try anything else as decode is enabled now anyway.

Frankly I don't need the bandwidth this moment but thought I'd test the lic file generation and activation procedure.

Thank you wgoeo and all others for your work on this. Really like this GDS-1054B and seems a bargain with the current US pricing ($310).
 

Offline Mr_Bean

  • Newbie
  • Posts: 3
  • Country: ca
Re: Possible GW Instek GDS-1000B hack
« Reply #180 on: October 23, 2020, 07:51:40 pm »
It seems you can get SSH back. Rename the attached file to debug.dbg, copy to a USB drive then do the same procedure. The password may have changed but you can probably add a command in the script to change it.

Edit: It's a startup script so you should reboot.

Second update, this method did not work on firmware 1.28. Assuming "do the same procedure" means scroll and push select on the .dbg file the same way licenses are installed, selecting the .dbg file does nothing as far as I can tell: there are no UI notifications or changes and SSH does not get enabled, before or after rebooting the scope. Keeping the USB key in the scope during reboot also seems to have no effect.
 

