Author Topic: Possible GW Instek GDS-1000B hack  (Read 74324 times)


Offline g.assis

  • Newbie
  • Posts: 3
  • Country: br
Re: Possible GW Instek GDS-1000B hack
« Reply #175 on: September 22, 2020, 05:19:18 pm »
> But I also found some minor niggles.. Nothing is perfect.
> GDS1054B is actually cheaper. Some things are better on GDS1054B, some on Micsig.

Hey 2N3055, can you elaborate on those niggles and the differences you spotted between those two?
I'm going to import this scope, and returning and/or replacing it is almost impossible, so I must be 101% sure about my decision.
 

Online 2N3055

  • Super Contributor
  • ***
  • Posts: 6660
  • Country: hr
Re: Possible GW Instek GDS-1000B hack
« Reply #176 on: September 22, 2020, 09:47:41 pm »
Well in short, all kinds of little things.
It generally works well but...

The timebase follows the normal 1-2-5 pattern except for 4 ms/div instead of 5 ms/div.
Sometimes, when you stop acquisition and change the timebase, it will lose the buffer.
On some triggers, it sometimes stops triggering, and then you change the trigger level a little and it starts again..
Not all knob presses have functions, and the cursor buttons are not very easy to use. There is a search button that does nothing.

These are very obscure things and happen only occasionally so it's not a big deal.. But perfect it's not.
Still very good and portable. It already proved very useful to me and I use it very often.

I plan to make a short review/summary of my findings. It's just kinda busy now...
 

Offline Mr_Bean

  • Newbie
  • Posts: 8
  • Country: ca
Re: Possible GW Instek GDS-1000B hack
« Reply #177 on: October 16, 2020, 07:55:59 pm »
Here is the new license generator for the current FWs of GDS1000B and GDS2000E, based on the wgoeo post (msg #3).

Code:
private static void InstekKG(string serial)
{
    // This works for GDS1000B and GDS2000E
    string[] opt = { "PWR", "BUS", "SRH", "SGM", "BW100", "BW200", "BW300", "SA" };   // Prefixes: "DS1KB-"  or "DS2E-"

    // Only one ClearCode line can be active at a time (two declarations of the same local do not compile);
    // comment/uncomment to switch between the variants.
    // uint[] ClearCode = { 0x11111111, 0xABABABAB, 0x22222222, 0xCDCDCDCD };  // OLD -- GDS1000B (up to v1.18) and GDS2000E (up to v1.28)
    uint[] ClearCode = { 0x74B0DC51, 0x46E87CCD, 0x25E45D32, 0x515F007C };     // NEW, first variant
    // uint[] ClearCode = { 0x19495CFF, 0x257130A3, 0x3D1B58BA, 0x74B0DC51 };  // NEW, second variant (v1.23, v1.24, ...)

    serial = serial.Trim();
    int serial_int = Int32.Parse(serial.Substring(serial.Length - 4, 4));

    int pid_sum = 0;
    for (int i = 0; i < serial.Length - 4; i++)
        pid_sum += serial[i];

    for (int i = 0; i < opt.Length; i++)
    {
        int[] a = new int[2];
        a[0] = (pid_sum << 24) | ((i << 8) & 0xF00);
        a[1] = (1 << 24) | ((serial_int << 8) & 0xFFFF00) | ((pid_sum >> 8) & 0xFF);

        for (int j = 0, k = -0x61C88647; j < 32; j++, k -= 0x61C88647)
        {
            a[0] += (int)((16 * a[1] + ClearCode[0]) ^ (a[1] + k) ^ ((a[1] >> 5) + ClearCode[1]));
            a[1] += (int)((16 * a[0] + ClearCode[2]) ^ (a[0] + k) ^ ((a[0] >> 5) + ClearCode[3]));
        }
        Console.WriteLine("DS1KB-{0}.lic / DS2E-{0}.lic - [{1:x8}{2:x8}]", opt[i], a[1], a[0]);
    }
}

Those who prefer the javascript version can replace just the ClearCode constants in the script (I leave that as homework). The SA option was also added (only for the 2000E).

Edit1: Tested successfully by some members on DS2E and MSO equipment. This will not work on the 2000A because the S/N has a different format.

Edit2: It seems there are more than one new combination of ClearCode(s) so test both.

As an updated data point, I just successfully upgraded from 50 MHz to 100 MHz on a GDS-1054B with firmware 1.28, using the javascript html and ClearCode of {0x19495CFF, 0x257130A3, 0x3D1B58BA, 0x74B0DC51}. No downgrading or safe mode required.

The GDP-070B-4 probes that came with the scope are only rated for up to 70 MHz so I guess now I'll start shopping for upgraded probes  :-DD
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3221
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #178 on: October 16, 2020, 08:25:39 pm »
> GDS-1054B with firmware 1.28, using the javascript html and ClearCode of {0x19495CFF, 0x257130A3, 0x3D1B58BA, 0x74B0DC51}.

Thanks for reporting.
 

Offline halfwave

  • Newbie
  • Posts: 3
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #179 on: October 18, 2020, 07:43:24 pm »
Reporting in: 100MHz option worked on my new GDS-1054B with firmware 1.28, Clearcode line starting with 0x19495CFF is what I used as well. Did not try anything else as decode is enabled now anyway.

Frankly I don't need the bandwidth at this moment but thought I'd test the .lic file generation and activation procedure.

Thank you wgoeo and all others for your work on this. I really like this GDS-1054B and it seems a bargain with the current US pricing ($310).
 

Offline Mr_Bean

  • Newbie
  • Posts: 8
  • Country: ca
Re: Possible GW Instek GDS-1000B hack
« Reply #180 on: October 23, 2020, 07:51:40 pm »
It seems you can get SSH back. Rename the attached file to debug.dbg, copy to a USB drive then do the same procedure. The password may have changed but you can probably add a command in the script to change it.

Edit: It's a startup script so you should reboot.

Second update, this method did not work on firmware 1.28. Assuming "do the same procedure" means scroll and push select on the .dbg file the same way licenses are installed, selecting the .dbg file does nothing as far as I can tell: there are no UI notifications or changes and SSH does not get enabled, before or after rebooting the scope. Keeping the USB key in the scope during reboot also seems to have no effect.
 

Offline xgx

  • Newbie
  • Posts: 1
  • Country: ca
Re: Possible GW Instek GDS-1000B hack
« Reply #181 on: November 01, 2020, 09:21:28 pm »
I just wanted to share the results of my testing.

Model: GDS-1054B
FW: v1.28
Purchase date: October 2020

Search trigger - Works!
Segmented Acquire - Works!
100 MHz Bandwidth - DOES NOT WORK

After installing BW100, the "System Information" page says "Bandwidth upgraded to 100MHz by DS1KB-BW100"; however, when I measure the actual bandwidth, it didn't change before or after applying the license (I tested with a signal of ~10 mV and again at ~1 V). I then tried to apply BW200 and BW300. It says that they are installed correctly, but once I restart, it still says 100 MHz in Sys Info.

1101404-0
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26906
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #182 on: November 01, 2020, 09:50:26 pm »
That is correct. The bandwidth is limited to below 100MHz in the hardware. You are not the first to run into this.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Chuck60

  • Newbie
  • Posts: 5
Re: Possible GW Instek GDS-1000B hack
« Reply #183 on: November 02, 2020, 12:14:07 am »
I've tried this hack and it says "error loading license, check license version". My version is 2.3. I've tried the 2.3 or newer ClearCode line starting with 0x19495CFF. What am I doing wrong?
« Last Edit: November 03, 2020, 02:30:06 am by Chuck60 »
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #184 on: November 02, 2020, 09:44:56 am »
Hi,

Could you install the SA license? I have the GDS-1054B with 1.28 firmware and installed all licenses with this clear code:

Code:
uint[] ClearCode = { 0x19495CFF, 0x257130A3, 0x3D1B58BA, 0x74B0DC51 };
All licenses were installed except the Spectrum Analyzer, which gave me the license error.

Is there any trick to that one?
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #185 on: November 02, 2020, 10:00:04 am »
With the latest firmware 1.28 there's a new option in Utility -> System -> function module, called "fixed 4 measurement", which is not enabled, and I believe that like the other options it needs a licence as well.
 

Offline Chuck60

  • Newbie
  • Posts: 5
Re: Possible GW Instek GDS-1000B hack
« Reply #186 on: November 03, 2020, 02:32:33 am »
Ok, so apparently when I edited reply 3 and 47, the file I saved was just reply 3, and now when I try retrieving the same files the links won't turn into download links. Any help would be great, thanks.
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #187 on: November 03, 2020, 10:08:38 am »
Hi tv84,

Can you please check the generator on 1.28 for the fix 4 measurements option?

Also, I couldn't get a valid license for SA with the latest firmware and latest ClearCodes. Can you please tell me which files in the firmware I need to reverse engineer to get to the generation routine?

Thanks a lot.

Edit: it seems the ClearCode file in the /home/dso directory is not overwritten by firmware downgrades. I can see the ClearCode hex sequence in that file but I can't figure out how the key generation routine is related to it. If someone has the old ClearCode file it could really come in handy.

Edit 2: it seems that the OptionsConf file coding is simple; if anyone with all licenses installed could share only this file it would be great.
Also, how do I enable SSH on the latest version? The debug.dbg file is just a copy of the \etc\init.d\S50dropbear file. How am I supposed to use it? @wgoeo

Edit 3: it also seems that the app files downloaded from the website are dummy files. There's no indication of new code in the files and the Lua script has just a print statement. I guess the apps were preinstalled in the firmware and the files downloaded as "Apps" from the website just activate them. Can anyone else confirm this?
« Last Edit: November 12, 2020, 09:17:29 pm by danymogh »
 

Offline akimmet

  • Contributor
  • Posts: 22
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #188 on: November 13, 2020, 04:13:10 pm »
> Hi tv84,
>
> Can you please check the generator on 1.28 for the fix 4 measurements option?
>
> Also, I couldn't get a valid license for SA with the latest firmware and latest ClearCodes. Can you please tell me which files in the firmware I need to reverse engineer to get to the generation routine?
>
> Thanks a lot.
>
> Edit: it seems the ClearCode file in the /home/dso directory is not overwritten by firmware downgrades. I can see the ClearCode hex sequence in that file but I can't figure out how the key generation routine is related to it. If someone has the old ClearCode file it could really come in handy.
>
> Edit 2: it seems that the OptionsConf file coding is simple; if anyone with all licenses installed could share only this file it would be great.
> Also, how do I enable SSH on the latest version? The debug.dbg file is just a copy of the \etc\init.d\S50dropbear file. How am I supposed to use it? @wgoeo
>
> Edit 3: it also seems that the app files downloaded from the website are dummy files. There's no indication of new code in the files and the Lua script has just a print statement. I guess the apps were preinstalled in the firmware and the files downloaded as "Apps" from the website just activate them. Can anyone else confirm this?

I am fairly certain you are correct about your statement in Edit 3. I came to the same conclusion when I looked at the app files as well. It seems extremely unlikely for the full code of the app to be under 1 kB.
 

Offline vertical_mammal

  • Newbie
  • Posts: 1
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #189 on: November 18, 2020, 09:47:29 pm »
I was also just successful on my GDS-1054B, firmware v1.28. I didn't try unlocking SA since it sounds like my unit won't support it anyways, but if anybody has gotten it working on a 1000b series and I missed it I'm all ears. Thanks folks!
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #190 on: December 08, 2020, 04:32:55 pm »
Has anyone managed to run a working custom written app?

I tried to write a sample app with Lua and tried to keep the structure of the other apps, which have at least 4 files:

Code:
app.txt
app.lua
app.png
app.inf

The apps supplied by the GW Instek website have some kind of encoded/encrypted app.txt and app.inf files, whereas the default GO_NOGO app has them all in cleartext. I tried to use the sample from the GO_NOGO app, but after putting it on USB and trying to install it, it gives me the
Code:
App installation error!!
Please contact your dealer
message.
So somehow it is either not possible to write Lua apps, or it's possible but some coding scheme has to be applied.

The app.txt file has a short description of the app and the app.inf file seems to have a basic app structure like install location, files, etc.

The Lua interpreter does not exist in the /bin or /usr/bin directories and hence is not installed. But it seems it's somehow embedded in the main app, because the GO_NOGO app is actually running Lua.

Any help would be appreciated.

Edit 1: the "encoding" I couldn't figure out was just endianness |O ... not endianness! It's a nibble swap!
« Last Edit: December 08, 2020, 05:57:24 pm by danymogh »
 

Offline yeager200

  • Newbie
  • Posts: 1
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #191 on: December 12, 2020, 05:34:06 am »
I just got a brand new GDS-1054B with firmware 1.28 and I am running the code in the attached file. Yet it doesn't seem to accept these licenses. The unit gives me an error when I try all the options.

I may not have copied the ClearCode data correctly into the Javascript. I wasn't sure what the value for k should be. Can anyone help?
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26906
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #192 on: December 12, 2020, 08:13:39 am »
> Has anyone managed to run a working custom written app?
>
> I tried to write a sample app with Lua and tried to keep the structure of the other apps, which have at least 4 files:
>
> Code:
> app.txt
> app.lua
> app.png
> app.inf
>
> The apps supplied by the GW Instek website have some kind of encoded/encrypted app.txt and app.inf files, whereas the default GO_NOGO app has them all in cleartext. I tried to use the sample from the GO_NOGO app, but after putting it on USB and trying to install it, it gives me the
> Code:
> App installation error!!
> Please contact your dealer
> message.
> So somehow it is either not possible to write Lua apps, or it's possible but some coding scheme has to be applied.
>
> The app.txt file has a short description of the app and the app.inf file seems to have a basic app structure like install location, files, etc.
>
> The Lua interpreter does not exist in the /bin or /usr/bin directories and hence is not installed. But it seems it's somehow embedded in the main app, because the GO_NOGO app is actually running Lua.
>
> Any help would be appreciated.
>
> Edit 1: the "encoding" I couldn't figure out was just endianness |O ... not endianness! It's a nibble swap!
I think you are on the right path. The Lua interpreter is part of the main software so it is logical that you don't find the standalone Lua interpreter. The first step is to figure out how to get a Lua app started and then figure out what kind of API the main program is exposing. I have used Lua to add scripting to C++ programs a couple of times. It is a very neat way to allow flexible extension of a program.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #193 on: December 29, 2020, 06:54:53 pm »
I bricked my GDS-1000B while messing around with the bootloader!

Does anyone know any way to flash the NAND flash with the original bootloader?

 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3221
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #194 on: December 29, 2020, 07:14:05 pm »
If you messed up the bootloader then I would say you'll have to desolder the NAND.
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #195 on: January 09, 2021, 07:13:31 pm »
Can someone please send me the mtd0 and mtd1 files of their scope, using the following commands?

# nanddump -f boot.bin /dev/mtd0
# nanddump -f devtree.bin /dev/mtd1

You can access SSH in the newer versions by installing the app I wrote for it. I'll get back to writing Lua apps once I've restored my scope.

After installing the app, reset the scope, go to Apps, open SSH, press Start, and also press Reset Pass. The password is the same as the one in the 1.18 firmware.
« Last Edit: January 19, 2021, 07:27:03 pm by danymogh »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3221
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #196 on: January 09, 2021, 07:50:18 pm »
Here is the boot.bin from v1.12.

Are you sure you can't find those files inside the FW upgrade packages?
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #197 on: January 10, 2021, 06:43:57 am »
There's a small chance that the files are modified while being written to the NAND flash.
Also, the devtree section, which is mtd1, is not in the fwupgrade files.
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #198 on: January 10, 2021, 05:17:50 pm »
Unfortunately, flashing the bootloader and the devtree did not solve the problem. It is still not booting.

If anyone has any idea, I'm all ears.

Be very careful not to run the nandtest and nandwrite commands on any mtd device, as they'll brick the scope!
« Last Edit: January 11, 2021, 07:34:14 am by danymogh »
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #199 on: January 11, 2021, 03:56:20 pm »
I think I have a new lead.

According to https://www.xilinx.com/support/documentation/user_guides/ug585-Zynq-7000-TRM.pdf -> page 185
and https://github.com/ARM-software/u-boot/blob/402465214395ed26d6fa72d9b6097c7adbf6a966/drivers/mtd/nand/zynq_nand.c#L214
the Zynq 7000 BOOTROM looks for a Bad Block Table (BBT) with the pattern {'B', 'b', 't', '0'} and the mirror pattern {'1', 't', 'b', 'B'} in the last 4 blocks of the NAND or in the OOB area!
I have a full dump of the NAND and there's nothing in the last 4 blocks, so I think the information should be in the OOB area of the first block, which was corrupted! That might be why programming it again without OOB didn't boot, although there's no indication of what happens if the BBT is not found.

Any ideas?
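To check a NAND dump for the BBT markers the post describes, here is an added example scanner in Python (not the poster's code and not taken from U-Boot). It assumes a dump with the OOB bytes of every page stored right after that page's data, a 2048+64-byte page, 64 pages per block, and a descriptor layout with the 4-byte pattern at OOB offset 4 and the version byte at OOB offset 20; all of these are assumptions to adjust to the real chip. With only_last=False it goes beyond the last-4-blocks rule and scans every block.

```python
"""Scan a raw page+OOB NAND dump for a U-Boot/Linux style bad block table."""
from dataclasses import dataclass

# Assumed geometry and descriptor layout (constructed, adjust to the real chip).
PAGE_SIZE = 2048
OOB_SIZE = 64
PAGES_PER_BLOCK = 64
BBT_MAXBLOCKS = 4                            # table lives in one of the last 4 blocks
BBT_OFFS, BBT_LEN, BBT_VEROFFS = 4, 4, 20    # pattern offset/length, version byte offset
MAIN_PATTERN, MIRROR_PATTERN = b"Bbt0", b"1tbB"


@dataclass
class BbtHit:
    block: int
    kind: str      # "main" or "mirror"
    version: int   # BBT version byte, higher wins when main and mirror disagree


def page_oob(dump: bytes, page_index: int) -> bytes:
    """Return the OOB area of a page from a dump where OOB follows each page's data."""
    start = page_index * (PAGE_SIZE + OOB_SIZE) + PAGE_SIZE
    return dump[start:start + OOB_SIZE]


def find_bbt(dump: bytes, only_last: bool = True) -> list:
    """Look for the BBT marker in the OOB of the first page of each candidate block."""
    total_blocks = len(dump) // ((PAGE_SIZE + OOB_SIZE) * PAGES_PER_BLOCK)
    first = max(0, total_blocks - BBT_MAXBLOCKS) if only_last else 0
    hits = []
    for blk in range(first, total_blocks):
        oob = page_oob(dump, blk * PAGES_PER_BLOCK)
        marker = oob[BBT_OFFS:BBT_OFFS + BBT_LEN]
        if marker == MAIN_PATTERN:
            hits.append(BbtHit(blk, "main", oob[BBT_VEROFFS]))
        elif marker == MIRROR_PATTERN:
            hits.append(BbtHit(blk, "mirror", oob[BBT_VEROFFS]))
    return hits


def make_sample_dump(blocks: int, bbt_at: dict) -> bytes:
    """Constructed test dump: erased flash (0xFF) with markers planted in `bbt_at`."""
    dump = bytearray(b"\xff" * ((PAGE_SIZE + OOB_SIZE) * PAGES_PER_BLOCK * blocks))
    for blk, (pattern, version) in bbt_at.items():
        base = blk * PAGES_PER_BLOCK * (PAGE_SIZE + OOB_SIZE) + PAGE_SIZE
        dump[base + BBT_OFFS:base + BBT_OFFS + BBT_LEN] = pattern
        dump[base + BBT_VEROFFS] = version
    return bytes(dump)


if __name__ == "__main__":
    sample = make_sample_dump(16, {15: (MAIN_PATTERN, 3), 14: (MIRROR_PATTERN, 3)})
    for hit in find_bbt(sample):
        print(f"block {hit.block}: {hit.kind} BBT, version {hit.version}")
    if not find_bbt(sample):
        print("no BBT in the last blocks; a dump taken without OOB cannot contain one")
```

A dump made without OOB (plain page data only) can never show a hit, which matches the observation that rewriting the flash without OOB did not bring the scope back.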
 

