Author Topic: Possible GW Instek GDS-1000B hack  (Read 72873 times)

Offline wgoeoTopic starter

  • Contributor
  • Posts: 10
  • Country: 00
Possible GW Instek GDS-1000B hack
« on: July 10, 2017, 08:02:10 am »
From the old brochure here, options such as serial bus decode, waveform search, and segmented memory are mentioned. But in the newest brochure in the GW Instek site, the options part is removed. I wonder why they stopped advertising that feature.

I looked at the 1.12 firmware I got here. It seems like the options and bandwidth upgrades (up to 300 MHz) can be unlocked using a file in a USB drive. I was wondering if someone is willing to share the newer firmware update (in case the unlock feature is removed) and possibly test the unlock files.

To those who want to do their own analysis, I included a Python script that extracts the files inside a .upg file. Run python extract.py [upg file]; the extracted files will be in the extract directory. You will then see the following:

boot.bin (u-boot)
kernel.img (Linux kernel)
rootfs.img (UBI image)
fpga-core.gz
gds1000b.elf

You can use UBI reader to extract the files from the UBI image.

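Code:
from __future__ import print_function
import sys
import os
import os.path
import struct

OUTDIR = 'extract'

# Create the output directory; ignore the error if it already exists
try:
    os.mkdir(OUTDIR)
except OSError:
    pass

f = open(sys.argv[1], 'rb')
# The file starts with a 4-byte magic; the first section begins at offset 32
assert f.read(4) == b'\xA5UPG'
f.seek(32)

while True:
    # Each section header starts with a 4-byte tag beginning with 'GW'
    assert f.read(4)[:2] == b'GW'
    # Two little-endian 32-bit sizes: the file payload and the whole section
    file_size, section_size = struct.unpack('<LL', f.read(8))
    # 20-byte NUL-padded name field; the first byte is dropped from the name
    file_name = f.read(20).strip(b'\x00')[1:].decode('ascii')
    print(file_name, file_size)
    with open(os.path.join(OUTDIR, file_name), 'wb') as out:
        out.write(f.read(file_size))
    if section_size != 0xffffffff:
        # Skip the padding between this file and the next section header
        f.seek(section_size - file_size, os.SEEK_CUR)
    else:
        # A section size of 0xffffffff marks the last section
        break

f.close()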
 
The following users thanked this post: saturation, Mortymore, danymogh, tatel, WI_Hedgehog
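
Added example, not part of the original post and not GW Instek code: a validating parser for the same .upg layout, for unpacking an image from an untrusted source without letting a crafted file name or size field write outside the output directory or loop forever. The layout is inferred only from the script above; the names UpgFormatError, safe_name, parse_upg, extract_upg, build_sample and rejected are introduced here, and the sample images are constructed.

```python
import os
import struct
from collections import namedtuple

MAGIC = b'\xA5UPG'
HEADER_SIZE = 32            # the thread's script seeks to offset 32 after the magic
ENTRY_HEADER_SIZE = 32      # 4-byte 'GW..' tag + two u32 sizes + 20-byte name field
LAST_SECTION = 0xFFFFFFFF   # section_size value that marks the final entry

Entry = namedtuple('Entry', 'name offset size')


class UpgFormatError(ValueError):
    """Raised when a container field fails validation."""


def safe_name(field):
    # Same decoding as the thread's script: strip NULs, drop the first byte.
    try:
        name = field.strip(b'\x00')[1:].decode('ascii')
    except UnicodeDecodeError:
        raise UpgFormatError('non-ASCII file name')
    # A name taken from the image is untrusted: allow a plain file name only.
    if (not name or name in ('.', '..') or '/' in name or '\\' in name
            or any(ord(c) < 0x20 for c in name)):
        raise UpgFormatError('unsafe file name %r' % name)
    return name


def parse_upg(blob):
    """Validate the whole container and return its entries without writing anything."""
    if blob[:4] != MAGIC:
        raise UpgFormatError('bad magic')
    entries, seen, pos = [], set(), HEADER_SIZE
    while True:
        header = blob[pos:pos + ENTRY_HEADER_SIZE]
        if len(header) < ENTRY_HEADER_SIZE:
            raise UpgFormatError('truncated entry header at offset %d' % pos)
        if header[:2] != b'GW':
            raise UpgFormatError('missing GW tag at offset %d' % pos)
        file_size, section_size = struct.unpack('<LL', header[4:12])
        name = safe_name(header[12:32])
        if name in seen:
            raise UpgFormatError('duplicate entry %r' % name)
        seen.add(name)
        data_offset = pos + ENTRY_HEADER_SIZE
        if data_offset + file_size > len(blob):
            raise UpgFormatError('%r runs past the end of the image' % name)
        entries.append(Entry(name, data_offset, file_size))
        if section_size == LAST_SECTION:
            return entries
        # section_size < file_size would move the cursor backwards (endless loop).
        if section_size < file_size:
            raise UpgFormatError('%r: section smaller than file' % name)
        pos = data_offset + section_size


def extract_upg(blob, outdir):
    """Write the entries to outdir only after the whole image has validated."""
    entries = parse_upg(blob)
    os.makedirs(outdir, exist_ok=True)
    for e in entries:
        with open(os.path.join(outdir, e.name), 'wb') as out:
            out.write(blob[e.offset:e.offset + e.size])
    return [e.name for e in entries]


def build_sample(files, pad=4):
    """Constructed test image; the leading '/' in the name field and the padding are placeholders."""
    blob = MAGIC.ljust(HEADER_SIZE, b'\x00')
    for i, (name, data) in enumerate(files):
        last = i == len(files) - 1
        section = LAST_SECTION if last else len(data) + pad
        blob += b'GW\x00\x00' + struct.pack('<LL', len(data), section)
        blob += (b'/' + name.encode('ascii')).ljust(20, b'\x00')
        blob += data + (b'' if last else b'\x00' * pad)
    return blob


def rejected(blob):
    """Return the validation error message, or None if the image parses."""
    try:
        parse_upg(blob)
    except UpgFormatError as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    good = build_sample([('boot.bin', b'UBOOT'), ('kernel.img', b'KERNEL!')])
    print(parse_upg(good))
    print(rejected(build_sample([('../../etc/x', b'data')])))
```
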

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #1 on: July 10, 2017, 08:19:13 am »
Interesting!
What would be more useful is to figure out how to write your own add-on applications for these scopes.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline saturation

  • Super Contributor
  • ***
  • Posts: 4787
  • Country: us
  • Doveryai, no proveryai
    • NIST
Re: Possible GW Instek GDS-1000B hack
« Reply #2 on: July 10, 2017, 07:00:16 pm »
NICE!!! Looking forward to seeing your results.
Best Wishes,

 Saturation
 

Offline wgoeoTopic starter

  • Contributor
  • Posts: 10
  • Country: 00
Re: Possible GW Instek GDS-1000B hack
« Reply #3 on: July 14, 2017, 11:25:44 am »
Looking for volunteers who would like to test the license generator on their GDS-1000B oscilloscope

I haven't tried this on a real scope since I don't have one. The instructions below are what I would do if I had access. Also your unit may be damaged. Proceed at your own risk and only if you are familiar with messing around a Linux shell.

First make a backup of /home/dso. Do this by connecting to the scope via ssh. Username is root, password is rd2423 (thank you wer). Insert a USB drive, then check that the drive is mounted by listing the files:

ls /mnt/usb

Back up the /home/dso directory to your USB drive:

cd /home
tar cf /mnt/usb/homedso.tar dso
sync


Eject the USB drive then check the homedso.tar.gz file.

Download the attached file named lis.txt, rename it to lis.html, then open it in a browser. Enter the serial number of your unit, click "Generate", then you will be presented with several links. Download them to your USB drive, then insert the drive back to the scope.

Open a .lis file in File Utilities. I'm not sure what happens next, but I think there should be some message. I suggest trying Serial Decode first, then see if that feature will appear. For the bandwidth upgrades, do some rise time/bandwidth tests before and after the upgrade.

I think it is sufficient to restore the /home/dso/OptionConf file if you want to remove the installed licenses.
« Last Edit: July 14, 2017, 02:31:52 pm by wgoeo »
 
The following users thanked this post: saturation, Mortymore, planner29, tatel

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #4 on: July 14, 2017, 04:27:33 pm »
Maybe we should turn this into a more generic GW Instek Zync scope hacking thread. The root password also works on my GDS2204E!
I've been browsing around a bit and found some interesting things like FRA (bode plot) which is likely applicable for the MSO2000 series. There are also quite a few Lua scripts floating around.
« Last Edit: July 14, 2017, 04:50:01 pm by nctnico »
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 
The following users thanked this post: saturation, Mortymore

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #5 on: November 24, 2017, 11:54:46 pm »
Small update: it seems GW Instek has shut the SSH server down in the most recent firmware updates. I guess they are reading EEVblog!
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Possible GW Instek GDS-1000B hack
« Reply #6 on: November 25, 2017, 09:13:41 am »
Small update: it seems GW Instek has shut the SSH server down in the most recent firmware updates. I guess they are reading EEVblog!

Imagine how many they'd sell if it were hackable...   :palm:
 
The following users thanked this post: WI_Hedgehog

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #7 on: November 25, 2017, 11:27:37 am »
Small update: it seems GW Instek has shut the SSH server down in the most recent firmware updates. I guess they are reading EEVblog!
Imagine how many they'd sell if it were hackable...   :palm:
Well you don't need to have SSH access to get software onto the scope. The way the firmware packages are put together is quite straightforward and it looks like it is quite possible to write plugins using Lua which add extra functions originally not present in the firmware. I don't know how that works exactly -yet-. Besides that I think it might even be possible to create a firmware update package which enables the SSH login again.
« Last Edit: November 25, 2017, 12:13:52 pm by nctnico »
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline wgoeoTopic starter

  • Contributor
  • Posts: 10
  • Country: 00
Re: Possible GW Instek GDS-1000B hack
« Reply #8 on: December 23, 2017, 03:07:30 pm »
Besides that I think it might even be possible to create a firmware update package which enables the SSH login again.
I think it's possible. I was also working on running arbitrary commands using the upgrade mechanism and maybe the ssh daemon can be started using that.

Also the changelog for 1.19 has
Quote
3.Updated the License encoding rule
Not sure what exactly changed but I guess they don't want us hacking their scopes.

By the way, did anyone try the license generator on 1.18 or below?
 
The following users thanked this post: planner29

Offline samsonx

  • Newbie
  • Posts: 1
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #9 on: March 20, 2018, 07:37:48 pm »
@wgoeo: I have been playing around with the linux image on my GDS-1054B and was curious if you had a py script to repackage a directory to a upg file - perhaps we can run arbitrary commands via that mechanism? 

I have successfully cross-compiled some code as a test

, though not very useful :) .

Thanks,
Sam
 
The following users thanked this post: saturation, SWR, DaJMasta, planner29, WI_Hedgehog

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #10 on: March 20, 2018, 08:06:08 pm »
, though not very useful :) .
Still more than cool!  :-+  :-+
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 
The following users thanked this post: saturation, samsonx

Offline SWR

  • Regular Contributor
  • *
  • Posts: 125
  • Country: dk
  • Without engineering science is just philosophy.
Re: Possible GW Instek GDS-1000B hack
« Reply #11 on: April 07, 2018, 08:48:22 pm »
Very cool indeed! :-+ :-+
You should never go down on equipment!
 

Offline killingtime

  • Regular Contributor
  • *
  • Posts: 144
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #12 on: April 08, 2018, 09:14:28 pm »
Hello  wgoeo,

Thank you for posting this. Very helpful. I can confirm the html file generator works (bus and search) with firmware version 1.18.

Some general questions for 1000B series owners that have 'upgraded' if I may...

1) Has anyone managed to find the power analysis option? I can't find it on the Apps or Options menu even though the .lis file successfully loaded.
2) Does anyone know how to enable the 'option' button (below the 'menu off' button next to the 'scale' knob)? I still receive 'not supported for this model' when activating this button. I would have thought the power analysis software would be behind by this.
3) Has anyone successfully used the segmented memory option? Can't find that either.

I've not loaded the BW options yet. I don't have an RF signal generator that goes high enough and I'd like to do a before and after comparison on the roll-off.

Thanks.
 

Offline Distelzombie

  • Frequent Contributor
  • **
  • Posts: 283
  • Country: de
Re: Possible GW Instek GDS-1000B hack
« Reply #13 on: April 09, 2018, 08:05:39 am »
Which HTML file generator? Can't find a link to anything here.
So... Is it hackable? Is it better than a Rigol DS1054Z @100MHz now?

Offline SWR

  • Regular Contributor
  • *
  • Posts: 125
  • Country: dk
  • Without engineering science is just philosophy.
Re: Possible GW Instek GDS-1000B hack
« Reply #14 on: April 09, 2018, 08:17:37 am »
Which HTML file generator? Can't find a link to anything here.
It's in reply #3.
You should never go down on equipment!
 

Offline killingtime

  • Regular Contributor
  • *
  • Posts: 144
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #15 on: April 09, 2018, 09:37:00 am »
Which HTML file generator? Can't find a link to anything here.
It's in reply #3.

Yes it is hackable.

In reply 3 (post number 4) there is an attachment called lis.txt. Download this, and rename it to lis.html, then run the html file in a web browser. It will prompt for the serial number of your scope (can be found on the back sticker or the System Info screen). All the hackable options will turn to links. Click on the links and you'll be prompted to download individual .lis files. Copy all the .lis files to a USB2 pen drive (USB3 didn't work for me) and insert the pen drive into the scope. Using the File Utilities menu on the scope, navigate to the .lis file of choice (using the 'Variable' knob) and then press the 'Select' button below the Variable knob. You'll be asked if you want to load the file. Press Select again and reboot the scope. The option (if it's available on the scope) should now be enabled.

I have a feeling that the power analysis software isn't part of the scope base software image, so although the lic file loads there's nothing to execute.

If you want to increase the bandwidth of the scope then you only need to load the one .lis file for the BW you're after. Three options are available; 100, 200 and 300 MHz. I don't know if these work. Someone with an RF generator needs to try it out and see how flat the response is. I'd also be curious to know if the BW options break the maths functions like FFT beyond the original BW spec of the scope.

Start with the serial decode option and the waveform search option. Both of these worked for me.
 

Offline seronday

  • Regular Contributor
  • *
  • Posts: 93
  • Country: au
Re: Possible GW Instek GDS-1000B hack
« Reply #16 on: April 14, 2018, 02:58:57 am »
The Licence Generator also works for the GDS-2000E series DSO.

I have used it to produce a license file to upgrade the bandwidth of a GDS-2074E (70MHz) to 200MHz.

The detailed information is in the thread on GDS-2000E :-
https://www.eevblog.com/forum/testgear/gw-instek-gds2204e-(200mhz-4-channel-dso)-review/msg1478352/#msg1478352
 
The following users thanked this post: Mortymore

Offline Distelzombie

  • Frequent Contributor
  • **
  • Posts: 283
  • Country: de
Re: Possible GW Instek GDS-1000B hack
« Reply #17 on: April 14, 2018, 06:45:54 am »
Very cool. How does a hacked GDS-1054B @ 100MHz compare to the hacked Rigol 1054 or the unhacked Siglent SDS1104X-E? Price seems similar.
Great, I can get the GDS-1054B with deferred payment - meaning it's a good option against the Rigol. Couldn't find that for the Siglent.
Edit: Damn... the Instek comes with only 70MHz probes. Why does it always come back to the Rigol?

Is the hack "real"? Like, real increase in bandwidth etc. What else is software upgradeable?
« Last Edit: April 14, 2018, 06:59:46 am by Distelzombie »
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4061
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Possible GW Instek GDS-1000B hack
« Reply #18 on: April 14, 2018, 04:55:38 pm »
Very cool. How does a hacked GDS-1054B @ 100MHz compare to the hacked Rigol 1054 or the unhacked Siglent SDS1104X-E? Price seems similar.
Great, I can get the GDS-1054B with deferred payment - meaning it's a good option against the Rigol. Couldn't find that for the Siglent.
Edit: Damn... the Instek comes with only 70MHz probes. Why does it always come back to the Rigol?

Is the hack "real"? Like, real increase in bandwidth etc. What else is software upgradeable?

If you compare Chinese GoodWill GDS-1000B 4 channel models to Chinese Siglent SDS1104X-E it is good to note some differences.

Siglent have max 500MSa/s for all 4 channels simultaneously on and this GoodWill have max 250MSa/s.

With 2 channels on Siglent have both channels 1GSa/s and GW have 500MSa/s.
This is because Siglent have 2 ADC. Each one is shared with 2 channels and GW have one ADC what is shared to all 4 channels. (both use same Hittite ADC)

And some more examples

-Siglent max wfm/s speed is at least double.

!-Siglent have continuously always background running full speed waveform history buffer, up to 80000 last waveforms (stop and look what just previously happened).

!-Siglent have also fast segmented memory (aka sequence) acquisition, up to over 400000 segment/s and up to 80000 segments with relative time stamps.
 
-Siglent fastest display time base is 1ns/div and GW 5ns/div.

-Siglent have full BW full resolution 500uV/div

!-Siglent have 500pts resolution SFRA up to 120MHz (not option, this is default but need external generator).

!-Siglent have Serial decoding (not option, this is default)

!-Siglent is also ready for MSO Option (16ch LA with 4 analog channels)
I drive a LEC (low el. consumption) BEV car. Smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the wises gone?
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #19 on: April 14, 2018, 06:22:18 pm »
However the GW Instek doesn't have bugs and it has features like free-form math, signal filtering, data logging, etc which are very useful when developing circuits and/or hunting for rare events. For 100MHz 250Ms/s is more than enough and high waveforms/s is not really important unless you get into triple digits. Even very high end oscilloscopes don't have high waveforms/s. The same goes for the history buffer. You can always turn on segmented recording and get exactly the same. The GW Instek can also do statistic analysis on the recorded segments.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 
The following users thanked this post: WI_Hedgehog

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4061
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Possible GW Instek GDS-1000B hack
« Reply #20 on: April 14, 2018, 08:49:39 pm »
However the GW Instek doesn't have bugs and it has features like free-form math, signal filtering, data logging, etc which are very useful when developing circuits and/or hunting for rare events. For 100MHz 250Ms/s is more than enough and high waveforms/s is not really important unless you get into triple digits. Even very high end oscilloscopes don't have high waveforms/s. The same goes for the history buffer. You can always turn on segmented recording and get exactly the same. The GW Instek can also do statistic analysis on the recorded segments.

GDS1000B ?  Perhaps you are talking some other GoodWill models.

250Msa/s is enough for continuous pure sinewave. Yes, barely. For what you need scope there if you know you have pure 100MHz sinewave. Veery useful to look... ?

History buffer and segmented memory (sequence acq) are same? Really? Looks like you do not even know what they are. Or is it so that 1000B do not have at all fast seg acq.
"However the GW Instek doesn't have bugs"  |O Bug free scopes where FW updates frequently with long list of repaired bugs. Why  need repair if they are bug free.
I drive a LEC (low el. consumption) BEV car. Smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the wises gone?
 

Offline Distelzombie

  • Frequent Contributor
  • **
  • Posts: 283
  • Country: de
Re: Possible GW Instek GDS-1000B hack
« Reply #21 on: April 15, 2018, 12:03:11 am »
Some websites say the GW Instek has 1GSa/s PER channel. So I assumed it will actually have 1GSa/s/channel - like, what that obviously implies, 1GSa/s when using all channel at once. (1GSa/s1GSa/s1GSa/s1GSa/s just to write it a few times more)

rfLoop, you compared the Siglent to the unhacked version? Doesn't it get more memory and stuff, like the Rigol? I really wish I could get the Siglent somewhere, but that is impossible without hire-purchase/installment payment - what is even the correct term? (german)

Offline tautech

  • Super Contributor
  • ***
  • Posts: 28136
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Possible GW Instek GDS-1000B hack
« Reply #22 on: April 15, 2018, 12:40:59 am »
Some websites say the GW Instek has 1GSa/s PER channel. So I assumed it will actually have 1GSa/s/channel - like, what that obviously implies, 1GSa/s when using all channel at once. (1GSa/s1GSa/s1GSa/s1GSa/s just to write it a few times more)

rfLoop, you compared the Siglent to the unhacked version? Doesn't it get more memory and stuff, like the Rigol?
Be aware instruments in this class normally only have 1 or 2 ADC's.
So sampling rate is always listed a max in whatever usage configuration allows it. This is commonly just for 1ch in a DSO with a single ADC but those units with 2 will allow use at max sample rate with 2 channels in use, normally 1+3 or 2+4 or an equivalent configuration.
To allow sampling @ 1Gsa/s for all 4 channels you'd need dual 2Gsa/s ADC's or a much more expensive single ADC.

A good rule of thumb for many modern DSO's is the first digit in the model name signifies the GHz sample rate of the ADC/'s used.

Quote
I really wish I could get the Siglent somewhere, but that is impossible without hire-purchase/installment payment - what is even the correct term? (german)
LayBuy is the term used here where you make progressive payments until equipment is paid for in full and then it is dispatched or collected.
Maybe one of the European dealers can accommodate your needs.
https://www.siglenteu.com/how-to-buy/
Avid Rabid Hobbyist
Siglent Youtube channel: https://www.youtube.com/@SiglentVideo/videos
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4061
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Possible GW Instek GDS-1000B hack
« Reply #23 on: April 15, 2018, 07:19:28 am »
Some websites say the GW Instek has 1GSa/s PER channel. So I assumed it will actually have 1GSa/s/channel - like, what that obviously implies, 1GSa/s when using all channel at once. (1GSa/s1GSa/s1GSa/s1GSa/s just to write it a few times more)

This is nice example how carefully it need read when you read manufacturer web sites. They try hardly that reader produce wrong imagine in his mind (one leader for this kind of things are Keyshit when you read advertisements and application notes).  Read data sheet, read introduction, read GDS-1000B user manual. How long it take you get right answer for sampling speed and  that it have exactly 1GSa max for all single channel... yes this pops up to your eyes immediately.  ....but wait a bit... they did not tell that simultaneously. Yes, 1GSa/s for every channel and they did not lie. Take Ch 1 alone...max 1GSa/s and then take Ch2 alone...again max 1GSa/s and so on. All channels have max 1GSa/s. 

GoodWill GDS1000B  4 channel models:
Fact is - and this is true fact. It have single ADC chip. It is Hittite HMCAD1511.  (You can see it also if you look Dave's tear down video, he tell it clearly and also show it clearly when he look inside.)

1 channel alone in use: Max 1GSa/s
2 channels in use: Max 500MSa/s for both channels simultaneously.
3 channels in use: Max 250MSa/s for all channels simultaneously.
4 channels in use: Max 250MSa/s for all channels simultaneously.

Siglent SDS1000X-E 4 channel models:

Fact is - and this is true fact. It have two ADC chip. They are Hittite HMCAD1511. 

1 channel  in use: Max 1GSa/s
2 channels in use: Max 1GSa/s for both channels simultaneously.
3 channels in use: Max 500MSa/s for all channels simultaneously.
4 channels in use: Max 500MSa/s for all channels simultaneously.

What need hack in Siglent and then get something more like Riglol 1kZ
Siglent have all out from factory box and lot of more. It beats this Rigol wonder box just hands down in every single corner and after then give also lot of more powerful tool with performance what Rigol Zbox can only dream.
They are like night and day if compare performance as real tool. Just forget this Rigol 1kZ. Only feature there is that it is bit more cheap.
What features you can hack in Rigol DS1000Z series?  All because it is designed for hack as marketing trick.
What features you can hack in GoodWill GDS1000B?  This I do not know.
What features you can hack in Siglent SDS1000X-E series? This I do not know.

(Saelig)
DS1054Z Price: Reg. $399 Sale! $349  -  50MHz out from box, Hackable to 100MHz, single 1GSa ADC
GDS1054B Price: $429.00  - 50MHz out from box (hackable ?  ), single 1GSa ADC
SDS1104X-E Price: $499.00 - 100MHz ready out from box, (hackable ?  ) double  1GSa/s ADC

Yes there is price difference and with true reasons. It is amazing that  price differences are not more.
If Siglent is 2 times Rigol price I think it is still cheap if look features and performance.

ETA: But still, if budget is limited without exceptions to Rigol price and absolutely nothing more and no possible to wait and save bit more, Rigol is not bad choice.  For many kind of hobby and educational use if we set hard top limit to Rigol price,  it is still perhaps best possible what can get if we talk 4 channel stand alone digital oscilloscopes.
« Last Edit: April 15, 2018, 10:07:31 am by rf-loop »
I drive a LEC (low el. consumption) BEV car. Smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the wises gone?
 

Offline Distelzombie

  • Frequent Contributor
  • **
  • Posts: 283
  • Country: de
Re: Possible GW Instek GDS-1000B hack
« Reply #24 on: April 15, 2018, 09:29:47 am »
Quote
Yes, 1GSa/s for every channel and they did not lie. Take Ch 1 alone...max 1GSa/s and then take Ch2 alone...again max 1GSa/s and so on. All channels have max 1GSa/s. 
Very great...
Quote
Fact is - and this is true fact. It have two ADC chip.
knew that
Quote
Rigol DS1000Z series?  All because it is designed for hack as marketing trick.
I think the same. Just can't be a mistake.
Quote
Siglent have all out from factory box and lot of more. It beats this Rigol wonder box just hands down in every single corner and after then give also lot of more powerful tool with performance what Rigol Zbox can only dream.
They are like night and day if compare performance as real tool. Just forget this Rigol 1kZ. Only feature there is that it is bit more cheap.
I really really really wish I could buy that. I kind of knew parts of that already. Also it is cheaper as the Instek where I live. But more expensive than where you live. Including taxes or what VAT is...
instek 545.60 €
siglent 510.51 €
rigol 404.00 €
« Last Edit: April 15, 2018, 09:32:35 am by Distelzombie »
 

Offline tautech

  • Super Contributor
  • ***
  • Posts: 28136
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Possible GW Instek GDS-1000B hack
« Reply #25 on: April 15, 2018, 10:59:39 am »
I really really really wish I could buy that. I kind of knew parts of that already. Also it is cheaper as the Instek where I live. But more expensive than where you live. Including taxes or what VAT is...
instek 545.60 €
siglent 510.51 €
rigol 404.00 €
Your sig:
Day 11063 without a scope:
I am starting to feel the effects. I might just go insane.

You already know SDS1104X-E is more than 25% better value but further it's a DSO that can offer more still as your needs grow .....MSO and AWG if/when you need them.

Will you settle for a lesser product and always wonder....what if ?
Avid Rabid Hobbyist
Siglent Youtube channel: https://www.youtube.com/@SiglentVideo/videos
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #26 on: April 15, 2018, 12:11:44 pm »
Define lesser. It comes down to the features you need right now and each scope Distelzombie is looking at has its pros and cons. There is more to a scope than waveforms/s and bandwidth.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Distelzombie

  • Frequent Contributor
  • **
  • Posts: 283
  • Country: de
Re: Possible GW Instek GDS-1000B hack
« Reply #27 on: April 16, 2018, 04:59:54 am »
Your sig:
Day 11063 without a scope:
I am starting to feel the effects. I might just go insane.
It is, indeed.  ???
(Yes, I do change it daily. If that is what you are testing here. Otherwise I have no clue at all why you're mentioning my signature. I tried PHP but that doesn't work.  :( And no, it is not exactly my birthday.)


You already know SDS1104X-E is more than 25% better value but further it's a DSO that can offer more still as your needs grow .....MSO and AWG if/when you need them.

Will you settle for a lesser product and always wonder....what if ?
Yeah, if I can't find it with LayBuy, I have to save money for at least six months, but maybe more like ten.


BTW, I think this thread started to steer in the wrong direction. I just wanted to know what this hack can do and what that means for the GDS-1054B.
Let's hijack this thread instead: https://www.eevblog.com/forum/beginners/is-the-rigol-ds1054z-still-the-best-entry-level-digital-scope-for-the-price/msg1475625/#msg1475625

Offline cyberfish

  • Regular Contributor
  • *
  • Posts: 240
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #28 on: July 03, 2018, 02:48:55 pm »
Does anyone have a copy of 1.18 firmware they are willing to share by any chance? :D
 

Offline cyberfish

  • Regular Contributor
  • *
  • Posts: 240
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #29 on: July 04, 2018, 12:55:32 am »
The latest pre-1.18 firmware I've been able to find was v1.12, from Tradeport, and it works fine on my GDS-1104B! http://www.tradeport.on.ca/news/72/new-firmware-release-of-digital-storage-oscilloscope-gds1000b-gds1000au

I have only tried serial decode, waveform search, and 300 MHz, they all seem to work. I cannot verify 300 MHz though, but there are now 100 MHz and 200 MHz BW limit options, and they do change the signal.

No idea how this compares to serial decode on other scopes, but with this hack, the GDS-1000B is very good value, especially taking into account the circuit design quality of a certain competitor...
 
The following users thanked this post: Fungus

Offline ripper_pc

  • Newbie
  • Posts: 4
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #30 on: July 18, 2018, 02:01:20 pm »
Hi!

I just bought a new scope that has 1.21 firmware on it.
The html file does not seem to be working on it.

I get the following message: 'License failed to install, Please check the license version!'

Do I have to downgrade it to 1.12 version using the links in earlier posts for this to work?

Note: I did use a USB 3.0 pen drive, I'm not sure if that could have caused this ?
 

Offline cyberfish

  • Regular Contributor
  • *
  • Posts: 240
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #31 on: July 18, 2018, 02:18:50 pm »
Hi!

I just bought a new scope that has 1.21 firmware on it.
The html file does not seem to be working on it.

I get the following message: 'License failed to install, Please check the license version!'

Do I have to downgrade it to 1.12 version using the links in earlier posts for this to work?

Note: I did use a USB 3.0 pen drive, I'm not sure if that could have caused this ?

You need to downgrade to 1.18. A very kind forum member sent a copy to me (not sure if they want to be identified). Feel free to PM me with your email addr if you want a copy.
 
The following users thanked this post: ripper_pc

Offline akimmet

  • Contributor
  • Posts: 22
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #32 on: July 18, 2018, 02:47:26 pm »
I’m glad to hear one of those firmware versions I sent ended up being useful.
When it comes to drivers and firmware, I tend to hoard. You never know when an old version will come in handy. Especially when the current trend as of late is to delete first, ask questions later.
 

Offline cyberfish

  • Regular Contributor
  • *
  • Posts: 240
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #33 on: July 18, 2018, 02:48:32 pm »
I’m glad to hear one of those firmware versions I sent ended up being useful.
When it comes to drivers and firmware, I tend to hoard. You never know when an old version will come in handy. Especially when the current trend as of late is to delete first, ask questions later.

It was very helpful, thanks! I actually spent a whole afternoon searching online, and could only find 1.12!
 

Offline tonywood

  • Contributor
  • Posts: 10
Re: Possible GW Instek GDS-1000B hack
« Reply #34 on: August 02, 2018, 05:00:24 pm »
Could someone send me the 1.18 firmware also? I would like to try it out. I have the GW Instek GDS-1054B


Thanks in advance  :-+
 

Offline tonywood

  • Contributor
  • Posts: 10
Re: Possible GW Instek GDS-1000B hack
« Reply #35 on: August 09, 2018, 10:39:45 pm »
I got my unit today GDS-1054b, it came with firmware 1.19 so I downgraded to 1.18 and installed the *.lis files and verified they were working. I then upgraded to firmware 1.22 and all the options were still installed and work. Thanks to all for the help on this. Looks like you keep the added features with a firmware update.
 

Offline tonywood

  • Contributor
  • Posts: 10
Re: Possible GW Instek GDS-1000B hack
« Reply #36 on: August 09, 2018, 10:56:21 pm »
Firmware fixes


Version 1.08

1. Fixed the system crash randomly which caused by the "Advance Math" function
2. Fixed the displaying issue of XY mode under certain circumstances
3. Fixed the time base error when the "AUTOSET" key pressed under "Window Zoom" mode
4. Fixed the AD malfunction under certain circumstances

Version 1.09
1.Added German & French icons and help menu
2.Adjusted the maximum value of the waveform brightness


Version 1.11
1.Added Korean icons and help menu
2.Added Russian icons
3.Fixed the residue waveform issue
4.Fixed the system freeze bug after the QR code menu activated
5.Added the DVR calibration under distributor mode

Version 1.12
1.Added Russian help menu
2.Fixed the initial value for the "Advance Math default" expression
3.The output polarity of the Go/No-Go has been adjusted which same as the GDS-2000A series

Version 1.13
1.Fixed the Trigger Filter bug.

Version 1.14
1.Changed the display method for waveform interpolation.
2.Fixed the pictbridge's connectivity issues.
3.The Trigger out function is activated now. (Press UTILITY -> Probe Comp. -> Frequency)

Version 1.15
1.Add Multilanguage: Spanish

Version 1.16
1.Fixed the trigger level offset issue, if the vertical position was shifted out of the screen range.
2.Fixed the "Advance math" algorithm which caused the system crash.

Version 1.17.001
1.Added USBDelay command in order to solve the USB data leaks for WIN10.
2.Fixed the ext trigger of roll mode which may cause the system crash.
3.Fixed the zoom state malfunction for horizontal position command.
4.Changed the value range of trigger hold off command: the minimum value changed to 4ns from 10ns.

Version 1.18
1.Removed the extra unwanted carriage returns symbol for *LRN? command.
2.Fixed the starting condition of autotrigger for Datalog function (APP function)
3.Extended the "Duration" until the 999 hours for Datalog function (APP function)

Version 1.19
1.Fixed the Japanese translations error for digital filter menu tree. (APP function)
2.Updated the simplified Chinese menu tree
3.Updated the License encoding rule


Version 1.20
1.The Go/NoGo Invert function is activated now. (Press UTILITY -> System -> more)
2.The firmware upgrade procedure is now ONLY support the "Safe mode" firmware upgrading from this firmware version.

Version 1.21
1.Fixed the issue that the license file can't installed properly.
2.Fixed the REF waveform operating issue of interpolation mode for math function.
3.Revised the storage results of average waveform for interpolation mode

Version 1.22
1.Added saved Ref icon.
2.Fixed the system locks up when the multilingual menu was setting in non-English and the "HARDCOPY" button pressed.
3.Fixed the Go/NoGo Execute SCPI Command settings issue.
4.Fixed the Spanish translations.
5.Fixed the cursor operation which may unable to reactivated within the "zoom" status.
6.Adjusted the range adjustment behavior within the "Go/NoGo" status.
7.Fixed the display of "Ratio" counter which cannot clear completely under non-English Multi-language circumstances.
8.Fixed the specific average number order which cannot be saved as settings file.
 

Offline rhb

  • Super Contributor
  • ***
  • Posts: 3476
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #37 on: August 23, 2018, 12:54:55 pm »
I bought a Rigol DS1102E some years ago for $400.  It is quite satisfactory for many things.  Even if you spend $20K there will still be limitations.

The DS1054Z is a good 4 channel 50 MHz DSO at a very good price.  In 3-4 channel mode the 125 MHz Nyquist limit doesn't really support going much higher, though in 1-2 channel mode with 500 MSa/S it can do a decent job at 100 MHz if hacked.

I had the good luck to pick up a GDS-2072E from Amazon for $244 delivered.  They were selling off old stock which they do periodically.  I jumped on it as a test bed for developing  FOSS FW for Zynq based DSOs.  I'd already bought the MSO-2204EA.  But there is no way I was going to risk bricking an $1800 scope.  Yesterday I tried the GDS-2000B BW hack and it worked and now gives me 200 MHz just like the 2204EA.

If your budget is tight, get the Rigol DS1054Z. It will serve you well and you'll have no trouble selling it if you buy a better scope.  It's popular and well established.  At a 25% discount someone like you will buy it in a heartbeat.  You don't often see used Rigol DS1054Zs offered for sale.  I suspect most people selling one sell it to a friend who is looking for a scope.

When I was in grad school in geophysics at Austin all I had was a 5 MHz recurrent sweep Heathkit IO-18.  It didn't even have BNC inputs.  I bought it at a yard sale for $75 and even that was a stretch for my budget.  I learned a great deal using that scope.
 
The following users thanked this post: Mortymore

Offline pa3hfu

  • Contributor
  • Posts: 39
  • Country: nl
Re: Possible GW Instek GDS-1000B hack
« Reply #38 on: October 10, 2018, 11:30:43 am »
Does somebody have Firmware V 1.8 for the Instek 1000 series for me?
In advance many thanks!
 

Offline cyberfish

  • Regular Contributor
  • *
  • Posts: 240
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #39 on: October 10, 2018, 11:33:58 am »
Does somebody have Firmware V 1.8 for the Instek 1000 series for me?
In advance many thanks!

Sent!
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #40 on: October 13, 2018, 11:38:00 am »
Hi

I have a 2074E updated to 1.36 firmware version.
Putty doesn't work with 1.36.
Is there a chance to downgrade to a firmware version suitable to hack? Which one?
I've searched the web for previous firmware for GDS-2000E and found nothing so far.  |O
Can someone be kind enough to help me out here? I'd much appreciate it.

My scope is not actually a GW-Instek one, but is the same thing, just rebranded as ISO-Tech IDS-2074E.
« Last Edit: October 13, 2018, 11:41:20 am by Mortymore »
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #41 on: October 13, 2018, 04:08:39 pm »
Thanks to a forum member that provided the necessary firmware to downgrade, and to all others involved in the solution, my scope just went from 70 to 200  :-+
Hope I don't get a speed ticket  :popcorn:

The firmware was afterwards upgraded again to v1.36 and now, some calibration and testing is due.

Offline frogblender

  • Regular Contributor
  • *
  • Posts: 124
Re: Possible GW Instek GDS-1000B hack
« Reply #42 on: November 20, 2018, 11:21:00 pm »
Can anyone confirm that a GDS-1054B works at 300MHz?

According to gwInstek's own website, this series of scope only comes in 50/70/100MHz versions.
 

Offline rhb

  • Super Contributor
  • ***
  • Posts: 3476
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #43 on: November 21, 2018, 12:59:04 am »
Can anyone confirm that a GDS-1054B works at 300MHz?

According to gwInstek's own website, this series of scope only comes in 50/70/100MHz versions.

What's the sample rate?  Divide by 2 and you have the Nyquist frequency.  That is the maximum frequency possible.  So far as I know, no OEM changes anti-alias filters if you double the sample rate by changing channel count.  The manual and datasheet for the 1000B specify a maximum sample rate, but unlike other models do not specify if there are limitations such as the very common one of requiring you to use channels that use different ADCs in 2 channel mode.

My LeCroy DDA-125/LC684 claims a 1.5 GHz BW.  But sampling 4 channels it has a 1 GHz Nyquist.  So everything above 500 MHz is aliased unless you use 2 channel mode sampling at 4 GSa/S.  But in any case, while it meets the rise time = 0.35/BW it is at the price of 20% overshoot.  I assume that disk drive analysis measuring rise time was more important than an accurate waveform.

My GDS-2072E is hacked for 300 MHz, but the step response is identical to 200 MHz.  I've overlaid the waveforms. To do 300 MHz with the ADCs you would have to switch between two anti-alias filters.  One for 250 MHz Nyquist and one for 500 MHz Nyquist.  This is why GW does not offer a 300 MHz version of the 2000E.

A far more important issue is the amount of EMI the 2000E line emits.  The front panel is shielded and the AFE sections are shielded.  But that's all.  I'm planning to fabricate shielding for the SMPS and the main board.

If you are concerned with BW you need to buy one of Leo Bodnar's excellent 40 pS rise time 10 MHz square wave generators.  These come with a printout of the step response on a 10+ GHz sampling DSO.  Measure the rise time with a single channel and then with each of the other 3 channels.  If it really has 300 MHz BW you will see a different rise time at 1 GSa/S than at 500 MSa/S.  Most likely if you save reference traces for all the permutations of channels, they will all look the same and will have a rise time of 1.75 nS.


As part of my FOSS DSO FW project I am going to do a very detailed review of issues with the 2000E.

Sadly I have come to the conclusion that all the T&M OEMs lie every time their product doesn't quite meet the marketing specs.  For example,  Keysight calculates rise time for the MSOX3104T as 0.35/BW *except* if BW = 1 GHz, then they use 0.45/BW.  HP didn't do such things as far as I can tell.  I've bought a bunch of 20 year old HP gear in the last 18 months.  It's a delight to use and it really does meet expectations.  Keysight still does make really nice gear, but I've learned to be very skeptical of the product brochures and go over  the specifications with a fine tooth comb now.

Modern DSO design commonly uses dual channel ADCs which will sample one channel at twice the frequency of two channels.  Typical pattern is if you use 1 & 3 both will sample at 1 GSa/S, but if you use 1 & 2 you will sample at 500 MSa/S.
 

Offline TheReverend

  • Newbie
  • Posts: 4
  • Country: de
Re: Possible GW Instek GDS-1000B hack
« Reply #44 on: November 29, 2018, 12:42:28 pm »
Could someone send me the 1.18 Firmware for science purposes so I can contribute too?

Thx in advance
 

Offline toastedcrumpets

  • Regular Contributor
  • *
  • Posts: 175
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #45 on: November 29, 2018, 04:22:49 pm »
So, I'm the guy with a GDS-2074A (actually rebranded as an Isotech (RS) IDS-2074A). Sorry for the delay in replying, currently on paternity after the birth of my second child!

Plugging in the device to my Linux box using USB I get most of what you're after:

[2604763.960679] usb 3-4: new full-speed USB device number 16 using xhci_hcd
[2604764.113082] usb 3-4: not running at top speed; connect to a high speed hub
[2604764.128062] usb 3-4: New USB device found, idVendor=2184, idProduct=0014, bcdDevice= 2.26
[2604764.128066] usb 3-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[2604764.128070] usb 3-4: Product: IDS-2074A
[2604764.128072] usb 3-4: Manufacturer: RS
[2604764.128075] usb 3-4: SerialNumber: 524D093G1
[2604764.135403] cdc_acm 3-4:2.0: ttyACM0: USB ACM device

Hopefully the data you need is in there?

Connecting via RS232 serial, and running the SCPI *IDN? command I get
RS,IDS-2074A,524D093G1,V1.30

Probably RS components, device, serial, and firmware version which is currently 1.30

On reboot, I don't see anything in the RS232 output. Is there some special baud for the message you need? I've tried 19200, 57600, and 115200.

Otherwise, do I have to find a debug header inside the device?

 

Offline toastedcrumpets

  • Regular Contributor
  • *
  • Posts: 175
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #46 on: November 29, 2018, 08:41:22 pm »
BTW, with v1.30 can you still generate/insert licenses from the KG that is in this thread?
They don't work, and they also don't work for the first version of the 2000A firmware I have which is v1.18. Note this is different firmware to the 2000E series.

I'll dig around inside when I'm back in work on the 12th. I just got a 30ps pulse generator so I should be able to do before and after comparisons on the bandwidth too if I get this working...
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #47 on: December 02, 2018, 02:36:11 pm »
Here is the new license generator for the current FWs of GDS1000B and GDS2000E, based on the wgoeo post (msg #3).

Code: [Select]
        private static void InstekKG(string serial)
        {
            // This works for GDS1000B and GDS2000E
            string[] opt = { "PWR", "BUS", "SRH", "SGM", "BW100", "BW200", "BW300", "SA" };   // Prefixes: "DS1KB-"  or "DS2E-"

            // uint[] ClearCode = { 0x11111111, 0xABABABAB, 0x22222222, 0xCDCDCDCD };  // OLD -- GDS1000B (up to v1.18) and GDS2000E (up to v1.28)
            uint[] ClearCode = { 0x74B0DC51, 0x46E87CCD, 0x25E45D32, 0x515F007C };  // NEW or       
            uint[] ClearCode = { 0x19495CFF, 0x257130A3, 0x3D1B58BA, 0x74B0DC51 };  // v1.23, v1.24, ....

            serial = serial.Trim();
            int serial_int = Int32.Parse(serial.Substring(serial.Length - 4, 4));

            int pid_sum = 0;
            for (int i = 0; i < serial.Length - 4; i++)
                pid_sum += serial[i];

            for (int i = 0; i < opt.Length; i++)
            {
                int[] a = new int[2];
                a[0] = (pid_sum << 24) | ((i << 8) & 0xF00);
                a[1] = (1 << 24) | ((serial_int << 8) & 0xFFFF00) | ((pid_sum >> 8) & 0xFF);

                for (int j = 0, k = -0x61C88647; j < 32; j++, k -= 0x61C88647)
                {
                    a[0] += (int)((16 * a[1] + ClearCode[0]) ^ (a[1] + k) ^ ((a[1] >> 5) + ClearCode[1]));
                    a[1] += (int)((16 * a[0] + ClearCode[2]) ^ (a[0] + k) ^ ((a[0] >> 5) + ClearCode[3]));
                }
                Console.WriteLine("DS1KB-{0}.lic / DS2E-{0}.lic - [{1:x8}{2:x8}]", opt[i], a[1], a[0]);
            }
        }

Those who prefer the javascript version can replace just the ClearCode constants in the script (I leave that as homework). The SA option was also added (only for the 2000E).

Edit1: Tested successfully by some members in DS2E and MSO equipments. This will not work on 2000A because the S/N has a different format.

Edit2: It seems there are more than one new combination of ClearCode(s) so test both.
« Last Edit: February 07, 2020, 11:51:50 am by tv84 »
 
The following users thanked this post: Mortymore, Chuck60, Mr_Bean, tatel

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #48 on: December 02, 2018, 03:30:11 pm »
I can confirm that the license generator with the new values creates valid licenses for more recent firmware. My GDS-2204E accepts and recognises the SA and power analysis options but I can't select these features.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline rhb

  • Super Contributor
  • ***
  • Posts: 3476
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #49 on: December 03, 2018, 12:48:22 pm »
To access the SA you need to press the button in the lower right corner of the screen area below the small round button. It will then appear as an option on the 3rd button from the left below the screen.  If you do not have an instrument with an AWG, do *not* press the AWG button when in SA mode.  Use the channel select button to exit SA mode.  Pressing the AWG button will crash the DSO and require a power cycle.

As an example of how useful this is here are a couple of screen dumps.

I have a stock Instek 200 MHz probe with the grabber and the ground lead removed.  So it is a 7 mm E field detector.  The cable is stretched out straight and the scope set to 1 mV/div.  I can not detect *any* of the noise on my HP 8560A.

The noise from 40 to 150 KHz is coming from a pair of 4 ft LED T-8 tubes.  There is a Chinese EMI filter in the line which eliminated  a lot of noise.  But my 8560A TG doesn't go below 300 KHz, so I could not test the low frequency effectiveness of the EMI filter.
 
The following users thanked this post: Mortymore

Offline rhb

  • Super Contributor
  • ***
  • Posts: 3476
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #50 on: December 03, 2018, 02:05:14 pm »
Just to give some idea of how extremely useful the SA function is here are some more screen dumps.

The H field probe is a 3-4 mm loop of copper wire wound on mandrels to be a push on fit to the probe tip and then insulated with several layers of heatshrink tubing.

The E field probe is a probe tip insulator with a bit of heatshrink over the probe tip.

So nothing fancy or expensive.  But safe to poke around without having to worry about causing a short.

I placed the probe about 1 cm from  the SMPS transformer of my GDS-2072E.  For the H field I rotated the probe to find the max and min orientations.  The E field was taken in the same location.

It's very easy to detect signals on ribbon cables, etc, though some shielding of the transformer fields would be needed to not have that dominate the spectrum.
 

Offline toastedcrumpets

  • Regular Contributor
  • *
  • Posts: 175
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #51 on: December 18, 2018, 03:56:31 pm »
This will not work on 2000A because the S/N has a different format.
Nooooo! I've just got back to work after four weeks of paternity and found this disappointing news. Is there anything I can do to help fix this? I've cracked the case on the GDS-2074A scope I have and I'm probing for the JTAG/serial interface as we speak....
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #52 on: January 28, 2019, 06:44:25 pm »
Hope they are OK with this... if not let me know, please.

Summed the parts provided by wgoeo (reply #3) and tv84 (reply #47), and made a "soup" for my 2074E, since I was interested in the Spectrum Analyzer (SA) option.
The "soup" was named lis2.txt, and should be renamed to lis2.html

The SA option was installed with the latest firmware gds2000e_v1.38 (2019-01-26) on the scope.

As rhb explained "To access the SA you need to press the button in the lower right corner of the screen area below the small round button.", the OPTION button. Now I have a use for him.

Hope everything is alright, but it worked for me, as can be seen from the print screens attached.

Thanks for your work

PS: Sorry rhb I had to press AWG button. My scope didn't crash... until I go further, playing with Generators menus that the scope doesn't have.
« Last Edit: January 28, 2019, 07:10:04 pm by Mortymore »
 
The following users thanked this post: seronday

Offline pa3hfu

  • Contributor
  • Posts: 39
  • Country: nl
Re: Possible GW Instek GDS-1000B hack
« Reply #53 on: January 30, 2019, 10:04:50 am »
I updated my 2104E to V1.38, but pressing the 'Option' button the scope says: Not supported for this model!
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #54 on: January 30, 2019, 10:55:47 am »
I updated my 2104E to V1.38, but pressing the 'Option' button the scope says: Not supported for this model!

The OPTION button accessing the SA option, has no direct relation with the firmware version. You have to install the SA license.

Offline AC360

  • Newbie
  • Posts: 4
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #55 on: January 30, 2019, 04:15:09 pm »
Hope they are OK with this... if not let me know, please.

Summed the parts provided by wgoeo (reply #3) and tv84 (reply #47), and made a "soup" for my 2074E, since I was interested in the Spectrum Analyzer (SA) option.
The "soup" was named lis2.txt, and should be renamed to lis2.html

The SA option was installed with the latest firmware gds2000e_v1.38 (2019-01-26) on the scope.

As rhb explained "To access the SA you need to press the button in the lower right corner of the screen area below the small round button.", the OPTION button. Now I have a use for him.

Hope everything is alright, but it worked for me, as can be seen from the print screens attached.

Thanks for your work

PS: Sorry rhb I had to press AWG button. My scope didn't crash... until I go further, playing with Generators menus that the scope doesn't have.

Does it work for GDS-1000B?
 

Offline AC360

  • Newbie
  • Posts: 4
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #56 on: January 30, 2019, 04:28:04 pm »
Here is the new license generator for the current FWs of GDS1000B and GDS2000E, based on the wgoeo post (msg #3).

Code: [Select]
        private static void InstekKG(string serial)
        {
            // This works for GDS1000B and GDS2000E
            string[] opt = { "PWR", "BUS", "SRH", "SGM", "BW100", "BW200", "BW300", "SA" };   // Prefixes: "DS1KB-"  or "DS2E-"

            // uint[] ClearCode = { 0x11111111, 0xABABABAB, 0x22222222, 0xCDCDCDCD };  // OLD -- GDS1000B (up to v1.18) and GDS2000E (up to v1.28)
            uint[] ClearCode = { 0x74B0DC51, 0x46E87CCD, 0x25E45D32, 0x515F007C };  // NEW

            serial = serial.Trim();
            int serial_int = Int32.Parse(serial.Substring(serial.Length - 4, 4));

            int pid_sum = 0;
            for (int i = 0; i < serial.Length - 4; i++)
                pid_sum += serial[i];

            for (int i = 0; i < opt.Length; i++)
            {
                int[] a = new int[2];
                a[0] = (pid_sum << 24) | ((i << 8) & 0xF00);
                a[1] = (1 << 24) | ((serial_int << 8) & 0xFFFF00) | ((pid_sum >> 8) & 0xFF);

                for (int j = 0, k = -0x61C88647; j < 32; j++, k -= 0x61C88647)
                {
                    a[0] += (int)((16 * a[1] + ClearCode[0]) ^ (a[1] + k) ^ ((a[1] >> 5) + ClearCode[1]));
                    a[1] += (int)((16 * a[0] + ClearCode[2]) ^ (a[0] + k) ^ ((a[0] >> 5) + ClearCode[3]));
                }
                Console.WriteLine("DS1KB-{0}.lic / DS2E-{0}.lic - [{1:x8}{2:x8}]", opt[i], a[1], a[0]);
            }
        }

Those who prefer the javascript version can replace just the ClearCode constants in the script (I leave that as homework). The SA option was also added (only for the 2000E).

Edit1: Tested successfully by some members in DS2E and MSO equipments. This will not work on 2000A because the S/N has a different format.

Can it upgrade the GDS-1000B to BW200 or BW300 MHz?
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #57 on: January 30, 2019, 04:51:34 pm »
@AC360

I don't think you can go further than 100MHz on GDS-1000B, since they are available with 50/70/100MHz bandwidth options.

Unless better opinion... I believe the code that tv84 provided, is able to work on the GDS-1000B, but only for the options that can be accepted by the scope. In that manner, the SA, 200MHz, 300MHz licenses among others, will probably not be accepted.

Be aware that the lis2.txt file I attached is "modded" for 2000E series. That was my homework as tv84 "ordered".  :-DD Do yours! 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #58 on: January 30, 2019, 05:11:32 pm »
You passed the test, Morty. :)

The code works with the GDS-1000B version as stated in the code.

From what I remember, the licenses are generated based on the "option" index. So it's irrelevant the true name of the options.

In the GDS-1000B the BW options are  50/70/100MHz.

These are unlocking licenses, not HW upgrades!
 

Offline AC360

  • Newbie
  • Posts: 4
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #59 on: January 30, 2019, 06:52:46 pm »
You passed the test, Morty. :)

The code works with the GDS-1000B version as stated in the code.

From what I remember, the licenses are generated based on the "option" index. So it's irrelevant the true name of the options.

In the GDS-1000B the BW options are  50/70/100MHz.

These are unlocking licenses, not HW upgrades!

So the "SA" option only works with GDS2000E series?
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #60 on: January 30, 2019, 06:57:57 pm »
Just try it. I don't think there is much difference in the firmware between the 1000B and 2000E series.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Gazmon

  • Regular Contributor
  • *
  • Posts: 70
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #61 on: March 11, 2019, 01:01:16 am »
Are these hacks in reply 4 still working please?

 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #62 on: March 11, 2019, 09:40:36 am »
You need to combine reply3 and reply47. This should create a working key generator you can run in your webbrowser.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Gazmon

  • Regular Contributor
  • *
  • Posts: 70
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #63 on: March 11, 2019, 10:22:55 am »
I downloaded the file in reply 3 and followed the instructions, have renamed to an html file, when I opened in a browser it was just code text


How do I combine the code please? Can't seem to get any key generator?

Wondered if anyone could maybe help me out in what I'm doing wrong?

thanks for any info
« Last Edit: March 11, 2019, 05:27:32 pm by Gazmon »
 

Offline Gazmon

  • Regular Contributor
  • *
  • Posts: 70
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #64 on: March 11, 2019, 05:28:22 pm »
Bump..... anyone with a few tips

have a GDS 1000B

appreciate the help
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #65 on: March 11, 2019, 06:01:27 pm »
Try a different browser or check whether you have visible extensions and your file is not actually called html.txt .
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 
The following users thanked this post: Gazmon

Offline Gazmon

  • Regular Contributor
  • *
  • Posts: 70
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #66 on: March 11, 2019, 06:05:19 pm »
ok , but do I just need to combine the code in reply 4 and 47

in an html file?

 

Offline Gazmon

  • Regular Contributor
  • *
  • Posts: 70
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #67 on: March 11, 2019, 06:16:12 pm »
Try a different browser or check whether you have visible extensions and your file is not actually called html.txt .

yep that worked, downgraded to 1.12 first... serial decode, waveform search, 200MHz (scope says it's upgraded to this in system info), and segmented memory all installed

Bus button and search features have come to life

Upgraded back to 1.23, all systems still good so far, needs checking to see what's there

cheers
« Last Edit: March 11, 2019, 08:32:36 pm by Gazmon »
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #68 on: March 11, 2019, 09:30:59 pm »
Also thanks for acknowledging that this hack also makes serial decode available on the GDS-1000B. Did you also install the SA license? Pressing the 'option' button should bring up a menu with the spectrum analyser button.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Gazmon

  • Regular Contributor
  • *
  • Posts: 70
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #69 on: March 11, 2019, 09:35:16 pm »
SA button, not sure I can get this on 1000b

correct me if I am wrong

the only option I didn't install was the `power analysis`, is that worth having?
« Last Edit: March 11, 2019, 09:40:07 pm by Gazmon »
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #70 on: March 11, 2019, 10:03:24 pm »

... 200mhz (scope says its upgraded to this in system info)...

What scope exactly do you have?
Can you add a photo please? (or a screen capture of the System info, with the serial number blurred)

It's just that if you have a 1000B, I wasn't expecting it to reach 200MHz. I'm intrigued now  :-//

About the SA option (Spectrum Analyser) that nctnico is talking about, if it's available, you can access it with the "OPTION" button on the lower right corner near LCD screen (below "Menu off" button).

Offline Gazmon

  • Regular Contributor
  • *
  • Posts: 70
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #71 on: March 11, 2019, 10:20:05 pm »
photo attached, I have the 1102b 2 channel version

Serial decoding works but is not available for the parallel and SPI options it seems which is a bit disappointing

any idea what power analysis is, I didn't install this tbh


And the option button still does not do anything on my scope after the upgrades I did

Still pretty good scope after the hack
« Last Edit: March 11, 2019, 10:24:38 pm by Gazmon »
 
The following users thanked this post: Mortymore

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #72 on: March 11, 2019, 10:33:19 pm »
Parallel is for digital channels only and SPI is only available on 4 channel models because you need 4 signals (clock, sel, MISO and MOSI) for SPI.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 
The following users thanked this post: Gazmon

Offline Gazmon

  • Regular Contributor
  • *
  • Posts: 70
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #73 on: March 11, 2019, 10:45:28 pm »
OK, that sorts that out, really just need to do a bandwidth check on the so called 200MHz that my scope claims to have now

being fairly new to all this, what's the easiest way to do this?

any help appreciated
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #74 on: March 12, 2019, 12:18:06 am »

any idea what power analysis is, I didn't install this tbh


All I can tell is that power analysis is available for GDS-3000 Series, and it didn't work for me on the 2000E.
If that's just a matter of software or some hardware may be needed, I don't know. A current clamp for scope could be bought separately to deal with current, but I never look for intel on what could be holding the 1000B and 2000E so they can't have the power analysis option working.

Offline Gazmon

  • Regular Contributor
  • *
  • Posts: 70
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #75 on: March 12, 2019, 12:35:18 am »
What about the 200mhz bandwidth

 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #76 on: March 12, 2019, 09:37:10 am »
If the scope says now it's 200MHz you can start to be confident that it is.

But you could check that if, for instance, you have access to a known source that achieves the 200MHz, or to a fast pulse generator, with a rise time of at least 1.75ns

RiseTime (nS) = 0.35 / Bandwidth (GHz) so for a BW of 0.2GHz (or 200MHz), the RT = 0.35/0.2 = 1.75 nS

Just for reference see the specs of the 2000E series, and observe the relationship between BW and RT

There's a TDR pulse generator video that is very popular, from a forum member w2aew, but I think it may not be fast enough to test the 200MHz


But don't forget what oscilloscope probes (or test leads) you are using, because they must be suited for those 200MHz. Try to find intel on your probes, since there are cases where they say they're good up to 100MHz but they are fine even above 200MHz. The probes must not be the limiting factor.



Offline Gazmon

  • Regular Contributor
  • *
  • Posts: 70
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #77 on: March 12, 2019, 10:52:07 am »
OK cheers, I only have a Feeltech 3200 24 MHz sig gen, so I don't think I can test it fully.
And my probes are 100MHz; I might need to upgrade them to be sure?
« Last Edit: March 12, 2019, 04:13:43 pm by Gazmon »
 

Offline Gazmon

  • Regular Contributor
  • *
  • Posts: 70
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #78 on: March 12, 2019, 04:12:41 pm »
Just a note on the 200MHz upgrade

It could be just the software telling me this, and the hardware may not support anything above 100MHz? As I cannot fully test it at present I can't confirm it's really gone 200MHz, but it would be nice if it was confirmed

In Bandwidth options I now have `20mhz 100mhz+Full`


Where before it was only 20mhz and full
« Last Edit: March 12, 2019, 04:16:07 pm by Gazmon »
 
The following users thanked this post: Mortymore

Offline slodat

  • Contributor
  • Posts: 27
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #79 on: March 24, 2019, 02:32:13 am »
Does anyone have 1.12 they would be willing to share with me? I have a GDS-1054B.

Thanks in advance!
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #80 on: March 24, 2019, 10:04:06 am »
Does anyone have 1.12 they would be willing to share with me? I have a GDS-1054B.

Thanks in advance!

Hi slodat

I believe you still can get it following the provided link on the 1st post of this thread.

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #81 on: March 24, 2019, 10:33:47 am »
Does anyone have 1.12 they would be willing to share with me? I have a GDS-1054B.

Thanks in advance!
A few pages back there is a new key generator so you don't have to downgrade.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline slodat

  • Contributor
  • Posts: 27
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #82 on: March 24, 2019, 02:43:44 pm »
I’ve read the thread about thirty times. I can’t get the first lis.html to produce a license file on any browser I have. It just says failed to download.

And, I don’t know where the post 47 code snippet would be used. I’m not following. Anyone up for helping a guy out?
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #83 on: March 24, 2019, 03:18:57 pm »
You probably are not actually changing the file extension from TXT to HTML. If using Windows you need to enable showing file extensions in folder options.

Don't downgrade the firmware and try to generate licences with the attached file DS1KB.txt, after renaming its extension from txt to html.

Hope I got it right. This should work for firmware above v1.18 of the 1000B, but you must expect that some of the licences probably won't work, like Power Analysis or BW300. You are free to try them all, though. If they don't work, no harm done.

You will need to know the serial number of your oscilloscope to generate licences.
Copy the files with the individual licences to a USB pen drive and install them on scope.
 
The following users thanked this post: wozzer, Triode71

Offline slodat

  • Contributor
  • Posts: 27
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #84 on: March 24, 2019, 05:26:23 pm »
Thank you for the file. Looks like it was my web browser causing me problems. I've generated the *.lis files and the scope says the license isn't the right version. hmm.. My GDS-1054B is v1.23. I get the same error on all of the .lis files. I double checked my serial number.

« Last Edit: March 24, 2019, 05:39:08 pm by slodat »
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #85 on: March 24, 2019, 06:11:05 pm »
According to this piece of code provided by tv48 on Reply #47...

            uint[] ClearCode = { 0x11111111, 0xABABABAB, 0x22222222, 0xCDCDCDCD };  // OLD -- GDS1000B (up to v1.18) and GDS2000E (up to v1.28)
            uint[] ClearCode = { 0x74B0DC51, 0x46E87CCD, 0x25E45D32, 0x515F007C };  // NEW

... for new firmware one should use the data from the 2nd string. For older (GDS1000B up to v1.18), the 1st string data.

In the file I previously provided, the data from 2nd string was used (for newer versions of firmware).

I think you might have missed something (or I went wrong somewhere in the file for 1000B), but if you want, you can try downgrading the firmware (to 1.12) and, having modified the file by replacing the data from one string with the other, generate new licences for old firmware. (see file attached)

All I can say is that the file I modified for the 2000E worked for me.
 
The following users thanked this post: Triode71

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #86 on: March 24, 2019, 06:24:36 pm »
It is also possible the serial number was entered incorrectly (letter O instead of number 0 or vice versa).
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline frogblender

  • Regular Contributor
  • *
  • Posts: 124
Re: Possible GW Instek GDS-1000B hack
« Reply #87 on: March 25, 2019, 03:27:04 am »
ANYONE with a GDS-1054B:   after applying the hack, what is the actual BW?
 

Offline slodat

  • Contributor
  • Posts: 27
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #88 on: March 25, 2019, 04:22:33 am »
It won’t unlock any of the features.

I’m having a problem with the filter app. It installed fine. When I go to use it sometimes the settings on the vertical menu are grayed out. Then, out of nowhere after using the scope they will be there, then another time I look they are greyed out..
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #89 on: March 25, 2019, 10:12:26 am »
It won’t unlock any of the features.

I’m having a problem with the filter app. It installed fine. When I go to use it sometimes the settings on the vertical menu are grayed out. Then, out of nowhere after using the scope they will be there, then another time I look they are greyed out..
The filtering works for 1Mpts and shorter memory lengths.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline slodat

  • Contributor
  • Posts: 27
  • Country: us
Possible GW Instek GDS-1000B hack
« Reply #90 on: March 25, 2019, 02:25:59 pm »
It won’t unlock any of the features.

I’m having a problem with the filter app. It installed fine. When I go to use it sometimes the settings on the vertical menu are grayed out. Then, out of nowhere after using the scope they will be there, then another time I look they are greyed out..
The filtering works for 1Mpts and shorter memory lengths.

I had it set at 1Mpts and three channels active. Controls were greyed out.  Hmm
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #91 on: March 25, 2019, 07:07:18 pm »
I think I see what you're saying...

The "problem" is with the digitalfilter APP. In the screen capture attached I had a 4.1MHz square signal with a record length of 10M pts and the filter setup is enabled.
Once enabled, it will continue to be enabled above the 4.1 MHz if I don't hit the "autoset" button, but above that frequency (got it by trial and error), if I press the "autoset" the filter menu will be disabled. The actual filter settings seemed to have no effect. On the screen shown it is set to 60MHz, but I had it in the kHz range with the same result.

The parameters here may be different for you. I didn't bother to change amplitude or shape of the wave, but I tried different frequencies and record lengths, and in the fast test I did it seemed to me that the limitation was in frequency. If set to 4.2MHz the menu was off. There may be a limit related to frequency vs record length but I have not done thorough tests. Just tried to get an idea of what might be going on.

Offline Vytautas

  • Regular Contributor
  • *
  • Posts: 67
Re: Possible GW Instek GDS-1000B hack
« Reply #92 on: March 26, 2019, 11:38:07 am »
Hi, guys,
Thank you all for contributing. I just updated my GDS-2072E to 300MHz plus Spectrum Analyzer, using the lis2 file (don't remember which page it was on). Brilliant! Now it has almost become an MDO-2302 (official version does not exist, only 2202), except for the AWG hardware, naturally.
I have a question. The scope shows input impedance of 1M in a way that suggests there was an option to also choose 50 Ohms. But the button under that option does not do anything. Has anybody investigated whether that is also a matter of software license, like kicking in some relay, or is it a hardware limitation? I have not disassembled my unit (yet), so have not had a chance to sneak in.
 
The following users thanked this post: Mortymore

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #93 on: March 26, 2019, 12:32:07 pm »
AFAIK the hardware doesn't support 50 Ohm. GW Instek seems to be using a very generic firmware base for their oscilloscopes so some disabled buttons may show up in some places.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6202
  • Country: de
Re: Possible GW Instek GDS-1000B hack
« Reply #94 on: March 26, 2019, 12:38:21 pm »
ANYONE with a GDS-1054B:   after applying the hack, what is the actual BW?
Msg #58

No, not really.  ???
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #95 on: March 26, 2019, 12:53:34 pm »
My GDS2204E goes over 300MHz with the 300MHz uphack. I'd expect the GDS1054B to also achieve the extra bandwidth.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 
The following users thanked this post: ebastler

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #96 on: March 26, 2019, 06:56:16 pm »
After Vytautas stated that he updated his GDS-2072E to 300MHz, I started thinking about why my IDS-2074E was stuck at 200MHz.

I started playing with the most recent licences, because I updated my scope some time ago, before the latest code released by tv84. Messing around with them, the scope kept stating that the licenses were already installed, until... I tried the 100MHz. Result: my scope downgraded from 200 to 100. Nice!  :palm:
Trying to reinstall 200 or 300 licences didn't work. Scope "said" that they were already installed, but didn't get me there. It was stuck at 100MHz.   |O
OK! Time to play with the scope once again, to fix my mistake.  :box:

Solution:

I think it is sufficient to restore the /home/dso/OptionConf file if you want to remove the installed licenses.

1) Downgraded the firmware to 1.21b6 and, establishing an SSL connection to the scope, deleted the file OptionConf. EDIT: Be very careful not to delete all files or the folder
2) After that, just a quick check to system info, and the bandwidth info was gone (as expected).
3) Upgraded the firmware to the latest 1.38.
4) Installed licences (2nd version - tv84), among them the 300MHz BW and it was accepted this time.  :-+

I realise now that I certainly made the mistake of installing the 200MHz the first time I upgraded my scope and that disabled the possibility to reach the 300MHz back then.
So... avoid playing with lower bandwidth licences if you don't want to restart the hack process again. 

But in the end, if it wasn't for my mistake, my scope would still be stuck in the 200MHz. Another lesson learned. I think   ::)

PS: Now I realize... the TEK P2220 and P2200 probes I was using with the scope, became "short". Any advice for some 300MHz probes?
« Last Edit: March 26, 2019, 08:52:18 pm by Mortymore »
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #97 on: April 28, 2019, 09:59:48 am »
Not too good to input 2 replies in a row, but this one has nothing to do with the previous.

Thing now is... casually found that Voltcraft has a series DSO-1000D that is for sure a rebranded  GW-Instek GDS-1000B

In the Conrad website found 2 versions:
VOLTCRAFT DSO-1074D Digital 70 MHz 4-channel 250 MSa/s 10 Mpts 8 Bit Digital storage (DSO), Spectrum analyzer
VOLTCRAFT DSO-1104D Digital 100 MHz 4-channel 250 MSa/s 10 Mpts 8 Bit Digital storage (DSO), Spectrum analyzer

The "title" is curious.
1st advertised as being "4-channel 250 MSa/s", an honest way to put things, since it will be what you get with 4 channels active, but the usual way is more like "4ch and 1GSa/s", being 1GSa/s attained with only 1 channel active.
2nd the Spectrum Analyzer. Was this option available on any of the GW-Instek 1000B variants? Or only by hack added?

Decided to share this information since it could be of interest to someone that has one of these Voltcraft scopes, and through Google may end up here in Eevblog forum.

PS: As far as I know, we have as rebranded GW-Instek 1000B or 2000E the following: Iso-Tech, RS Pro and Voltcraft
« Last Edit: April 28, 2019, 05:13:50 pm by Mortymore »
 
The following users thanked this post: petrinch

Offline Herbertl

  • Contributor
  • Posts: 14
  • Country: at
Re: Possible GW Instek GDS-1000B hack
« Reply #98 on: April 28, 2019, 03:24:19 pm »
It seems like the options and bandwidth upgrades (up to 300 MHz) can be unlocked using a file in a USB drive. I was wondering if someone is willing to share the newer firmware update (in case the unlock feature is removed) and possibly test the unlock files.

Interesting.

Is GwInstek recommendable? The specs sound good, the price too.
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #99 on: April 28, 2019, 05:27:39 pm »
...
Is GwInstek recommendable? The specs sound good, the price too.

Recommendable as a scope in the $500 range, yes. If it's the best for you, depends on what you are looking for and your preferences.
There are a few threads in the forum about GW-Instek vs Rigol vs Siglent, mostly, since they are probably the brands in this price range that are most searched.
Take a look at them, but don't get scared by some passionate opinions you may find in the way.  :rant: It's all Eevblog family affairs.  :popcorn:

Offline tonywood

  • Contributor
  • Posts: 10
Re: Possible GW Instek GDS-1000B hack
« Reply #100 on: April 29, 2019, 09:36:26 pm »
Can someone send me an unhacked OptionConf file? I need to undo the hack for testing. Thank you
Or if anyone knows a way to undo the bandwidth option?

Thanks again
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #101 on: April 29, 2019, 09:49:24 pm »
...
Or if anyone knows a way to undo the bandwidth option?
...

See 4 posts back (Reply #96)

Basically, install a firmware that enables you to establish an SSL connection to the scope and then delete the file OptionConf
Be very careful not to delete all files or the folder
« Last Edit: April 29, 2019, 09:53:01 pm by Mortymore »
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Possible GW Instek GDS-1000B hack
« Reply #102 on: April 29, 2019, 09:57:14 pm »
I received my GDS1054B today with firmware 1.23.  License generated by the latest script gives invalid license error.  Trying to downgrade to 1.12 but scope says I need to use SAFE MODE, but there is no documentation about it.  Does anyone know how to downgrade from 1.23 or what SAFE MODE means?

 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #103 on: April 29, 2019, 10:02:32 pm »
I received my GDS1054B today with firmware 1.23.  License generated by the latest script gives invalid license error.  Trying to downgrade to 1.12 but scope says I need to use SAFE MODE, but there is no documentation about it.  Does anyone know how to downgrade from 1.23 or what SAFE MODE means?

RTFM

https://www.eevblog.com/forum/testgear/possible-gw-instek-gds-1000b-hack/msg2007089/#msg2007089
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Possible GW Instek GDS-1000B hack
« Reply #104 on: April 29, 2019, 11:09:33 pm »
The new code does not work for firmware 1.23.  I managed to downgrade to FW 1.12 by using SAFE MODE:

(SAFE MODE Documentation): http://www.gwinstek.com.cn/upload/file/20181119051939962.pdf

0) Clear content of USB Drive
1) Copy firmware to root directory of USB Drive
2) Insert USB Drive to scope (when it is turned off)
3) Turn on scope and immediately start rotating the VARIABLE knob until SAFE MODE shows up.  It will recognize the firmware file and ask user to start installing it.  If there are multiple .upg files, it will show the first one, then ask if user wants to install current one or find next firmware
4) The manual says the scope will reboot automatically, but on mine, it just stopped after showing that NAND flash was completed.
5) Reboot scope and it should boot with the firmware version you copied to the USB Drive

This process is also supposed to work for bricked scopes.

After I downgraded to 1.12, I was able to use the code to enable all the options. 

Now the scope is bricked again when I tried to upgrade to latest firmware 1.23

Will try to unbrick it using the SAFE MODE with 1.12 and try again.

EDIT: Using SAFE MODE I was able to reinstall FW 1.12.  Previously activated licenses are still valid.
EDIT2: upgrading to 1.23 does not work using the Utility option.  It works from SAFE Mode.
EDIT3: SAFE MODE allows you to select different firmware files to use for recovery.
« Last Edit: April 29, 2019, 11:52:57 pm by TK »
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Possible GW Instek GDS-1000B hack
« Reply #105 on: April 30, 2019, 07:57:44 am »
My GDS2204E goes over 300MHz with the 300MHz uphack. I'd expect the GDS1054B to also achieve the extra bandwidth.

Is that a good thing when you have such limited sample rate?

With 4 channels on the bandwidth will be higher than the sample rate.
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #106 on: April 30, 2019, 08:32:39 am »
... I need to use SAFE MODE, but there is no documentation about it.  Does anyone know how to downgrade from 1.23 or what SAFE MODE means?

...
(SAFE MODE Documentation): http://www.gwinstek.com.cn/upload/file/20181119051939962.pdf
...

You don't need to "go to China" to find manuals, firmware, software... just go to Download area @:

https://www.gwinstek.com/en-global/products/detail/GDS-1000B

The documentation for upgrading firmware is there, as is everything else

 
The following users thanked this post: TK

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #107 on: April 30, 2019, 10:16:45 am »
The new code does not work for firmware 1.23.

If anyone confirms this I could try to give it another look.
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Possible GW Instek GDS-1000B hack
« Reply #108 on: April 30, 2019, 10:43:21 am »
The new code does not work for firmware 1.23.

If anyone confirms this I could try to give it another look.
It was reported one month or so ago, but I don't know what was the outcome

https://www.eevblog.com/forum/testgear/possible-gw-instek-gds-1000b-hack/msg2293365/#msg2293365
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #109 on: April 30, 2019, 10:59:05 am »
It was reported one month or so ago, but I don't know what was the outcome

"don't know what was the outcome" <- that was the reason why I didn't pay attention
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Possible GW Instek GDS-1000B hack
« Reply #110 on: April 30, 2019, 01:42:41 pm »
I tested the BW after applying the 300MHz hack.

Test setup:

Signal Generator (Marconi 2024) --> SMA cable --> SMA_BNC --> 50ohm passthrough --> Scope input Channel 1 (1X attenuation)

Measured Frequency and Vpp

10MHz 1.2Vpp
100MHz 900mVpp (-3dB)
200MHz 280mVpp
250MHz 110mVpp
300MHz 48mVpp
350MHz 20mVpp (5mV vertical division setting)

Cannot measure reliable frequency at 400MHz and up.  I think officially it is a 100MHz front end.
« Last Edit: April 30, 2019, 01:56:21 pm by TK »
 
The following users thanked this post: tatel
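The readings in the post above, converted to dB and reduced to a −3 dB bandwidth and the matching rise time via the 0.35/BW rule quoted earlier in the thread. This is an added example, not code from any poster; it assumes the 10 MHz reading is the flat-band reference and interpolates between two points 100 MHz apart, so the crossing is a coarse estimate.

```python
import math

# Readings copied from the post above: (frequency in MHz, amplitude in Vpp).
READINGS = [
    (10, 1.200),
    (100, 0.900),
    (200, 0.280),
    (250, 0.110),
    (300, 0.048),
    (350, 0.020),
]

# -3 dB is the point where amplitude falls to 1/sqrt(2) of the reference.
MINUS_3DB = 20.0 * math.log10(1.0 / math.sqrt(2.0))


def to_db(readings):
    """Return [(freq_mhz, dB)] relative to the lowest-frequency reading.

    Assumption: the lowest-frequency point sits in the flat part of the
    response, so it can serve as the 0 dB reference.
    """
    ordered = sorted(readings)
    if any(v <= 0 for _, v in ordered):
        raise ValueError("amplitudes must be positive")
    ref = ordered[0][1]
    return [(f, 20.0 * math.log10(v / ref)) for f, v in ordered]


def crossing_mhz(readings, level_db=MINUS_3DB):
    """Frequency at which the response first drops to level_db.

    Interpolates linearly in dB over log10(frequency) between the two
    readings that bracket the level. Returns None if it is never reached.
    """
    resp = to_db(readings)
    for (f_lo, db_lo), (f_hi, db_hi) in zip(resp, resp[1:]):
        if db_lo >= level_db > db_hi:
            frac = (level_db - db_lo) / (db_hi - db_lo)
            log_f = math.log10(f_lo) + frac * (math.log10(f_hi) - math.log10(f_lo))
            return 10.0 ** log_f
    return None


def rise_time_ns(bandwidth_mhz):
    """Rule of thumb from the thread: rise time (ns) = 0.35 / bandwidth (GHz)."""
    return 0.35 / (bandwidth_mhz / 1000.0)


def report(readings):
    """Build a printable summary of the response and derived figures."""
    lines = ["f (MHz)   dB rel. to lowest reading"]
    for f, db in to_db(readings):
        lines.append(f"{f:7d}   {db:7.2f}")
    bw = crossing_mhz(readings)
    if bw is None:
        lines.append("-3 dB point not reached within the readings")
    else:
        lines.append(f"-3 dB bandwidth ~ {bw:.1f} MHz")
        lines.append(f"equivalent rise time ~ {rise_time_ns(bw):.2f} ns")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(READINGS))
```

A denser frequency sweep between 100 and 200 MHz would tighten the estimate.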

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #111 on: April 30, 2019, 03:41:45 pm »
@TK

What are the bandwidth limit options with the 300MHz BW hack?

For the 200MHz, options are 20,100,Full.
Note that GW-Instek has the 1000B with 50/70/100MHz bandwidth selections.

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Possible GW Instek GDS-1000B hack
« Reply #112 on: April 30, 2019, 06:41:12 pm »
@TK

What are the bandwidth limit options with the 300MHz BW hack?

For the 200MHz, options are 20,100,Full.
Note that GW-Instek has the 1000B with 50/70/100MHz bandwidth selections.
For 300MHz, BW limitation options are 20, 100, 200, Full.
 
The following users thanked this post: Mortymore

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Possible GW Instek GDS-1000B hack
« Reply #113 on: May 01, 2019, 12:01:15 am »
I am not liking the refresh rate of the GDS1054B.  I am feeding an AM modulated signal and on both the Keysight 1000X and Rigol DS1054Z I can see a nice AM modulated waveform but on the GDS1054B I see single traces or at most 3-4 traces, but not the nice area filled trace like the other scopes.

The scope UI is very responsive like the Keysight, but I suspect the refresh rate is not near 50,000 wfm/s
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #114 on: May 01, 2019, 08:20:31 am »
The update rate depends on the memory depth setting. But don't expect a very graded signal. The GW Instek goes from like 50% to 100% in order not to hide any rare signal occurrence.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4061
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Possible GW Instek GDS-1000B hack
« Reply #115 on: May 01, 2019, 08:56:28 am »
I am not liking the refresh rate of the GDS1054B.  I am feeding an AM modulated signal and on both the Keysight 1000X and Rigol DS1054Z I can see a nice AM modulated waveform but on the GDS1054B I see single traces or at most 3-4 traces, but not the nice area filled trace like the other scopes.

The scope UI is very responsive like the Keysight, but I suspect the refresh rate is not near 50,000 wfm/s

Do you mean using a time base setting to look at the AM modulated RF carrier waveform, or to look at the signal's LF modulating envelope? Slightly different cases.
Then, whatever the scope, these "up to" wfm/s speeds are mostly valid only with some special settings and signals (including Keysight too). Very easily the true figure is 50, or 500 or 5000 instead of 50kwfm/s or whatever.

The other question is how important a beautiful image is vs an image that still gives enough information about the signal under test.

Also, many scopes need some "know your equipment" before you can find the most optimal settings. (As can be seen, for example, in tens or hundreds of junktube nonsense "reviews" where the author's self-criticism and knowledge is not enough to assess whether it is to be published for the whole world or not. The world is drowning in shit, and in "tube" a small good "golden" part needs to be found in a huge amount of waste.)



« Last Edit: May 01, 2019, 09:15:01 am by rf-loop »
I drive a LEC (low el. consumption) BEV car. Smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the wises gone?
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Possible GW Instek GDS-1000B hack
« Reply #116 on: May 02, 2019, 09:45:24 pm »
After the hack my GDS1054B is freezing when I try to execute Self Cal.  I connect the BNC cable from the CAL output on the back to CH1, press VERTICAL and it hangs.  Is anyone else experiencing a similar behavior?  My unit came with 1.23, downgraded to 1.12, hacked, then upgraded to 1.23

Signal Path Compensation runs perfectly.
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #117 on: May 02, 2019, 10:40:02 pm »
The calibration process will take some 5 minutes per channel, or so, and probably during calibration the scope may not respond to buttons pressed (just guessing here).
Have you waited longer than 5 or 6 minutes for it to finish calibrating one of the channels?

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Possible GW Instek GDS-1000B hack
« Reply #118 on: May 03, 2019, 12:01:54 am »
Yes, I waited for 20-30 minutes or more

EDIT: Downgraded to 1.12.  Still not working.  It might be the 300MHz uphack.  Is there any way to remove the licenses?
« Last Edit: May 03, 2019, 01:10:44 pm by TK »
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 
The following users thanked this post: TK

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Possible GW Instek GDS-1000B hack
« Reply #120 on: May 03, 2019, 03:46:34 pm »
False Alarm... it was a bad BNC cable   |O |O |O.  Self Calibration works OK on firmware 1.23 (and 1.12 as well).
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #121 on: May 03, 2019, 03:48:12 pm »
Cut the cable in half and throw it away. BNC cables are plentiful and cheap on Ebay.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #122 on: May 03, 2019, 05:25:32 pm »
If I recall correctly, I think Bob Pease once said that he marked bad components with a hammer.
If left lying around unmarked, they tend to be inserted again on a circuit.
 
The following users thanked this post: rf-loop

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4061
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Possible GW Instek GDS-1000B hack
« Reply #123 on: May 03, 2019, 05:29:12 pm »
Cut the cable in half and throw it away. BNC cables are plentiful and cheap on Ebay.

Oh you want more bad crap BNC cables.  :-DD
I drive a LEC (low el. consumption) BEV car. Smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the wises gone?
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #124 on: May 03, 2019, 06:02:47 pm »
Cut the cable in half and throw it away. BNC cables are plentiful and cheap on Ebay.
Oh you want more bad crap BNC cables.  :-DD
Well the cables I get from Ebay are way better than what I bought locally (unless you go for the utterly cheap ones on Ebay). Cables are consumables anyway.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Herbertl

  • Contributor
  • Posts: 14
  • Country: at
Re: Possible GW Instek GDS-1000B hack
« Reply #125 on: May 05, 2019, 09:28:52 pm »
Is there a chance to configure the GwInstek? Like you can do with other scopes?
Would like to configure it individually.
The offers in the store have features I do not need and are missing features I do want.
 

Offline ttyridal

  • Contributor
  • Posts: 16
  • Country: no
Re: Possible GW Instek GDS-1000B hack
« Reply #126 on: May 06, 2019, 04:22:34 pm »
It was reported one month or so ago, but I don't know what was the outcome

"don't know what was the outcome" <- that was the reason why I didn't pay attention

I can confirm that firmware 1.23 does not like the latest codes.   

Downgrading to 1.12, apply desired licenses and upgrading works fine.
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #127 on: May 06, 2019, 05:09:09 pm »
Hmmm... that proves that GW Instek is monitoring EEVblog  ;D
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #128 on: May 07, 2019, 06:52:16 pm »
Hmmm... that proves that GW Instek is monitoring EEVblog  ;D

The new codes were released after 1.23 release date...

Edit: But it seems I overlooked another code combination...
« Last Edit: May 07, 2019, 08:15:49 pm by tv84 »
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #129 on: May 07, 2019, 07:02:44 pm »
Hmmm... that proves that GW Instek is monitoring EEVblog  ;D
The new codes were released after 1.23 release date...
Well then it seems people are doing things wrong. I was assuming 1.23 was a new firmware version but apparently it is not.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline ttyridal

  • Contributor
  • Posts: 16
  • Country: no
Re: Possible GW Instek GDS-1000B hack
« Reply #130 on: May 07, 2019, 07:32:18 pm »
It's possible I overlooked something of course.

I just replaced the four numbers in lis.txt (reply #3) with the ones given in reply #47

Reasonably sure I had the serial number correct both times (no homoglyphs in it)
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Possible GW Instek GDS-1000B hack
« Reply #131 on: May 07, 2019, 08:04:38 pm »
It did not work on my GDS-1054B with firmware 1.23 

I had to downgrade it to 1.12, apply the hack and upgrade to 1.23

And upgrade does not work when executed from the utility menu, it only works when using SAFE MODE.

But fortunately using SAFE MODE you can downgrade and upgrade from any version to any other version.

I also tested SSH on 1.12 to remove the options file and it works OK.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #132 on: May 07, 2019, 08:11:00 pm »
Sorry guys, maybe I overlooked something and there is another combination...   ::)

uint[] ClearCode = { 0x3D1B58BA, 0x74B0DC51, 0x19495CFF, 0x257130A3 };

Can anyone test this with a v1.23 ?

Edit1:

Thanks wgoeo for the test. It seems I mixed the order...  :palm:  Endianness stuff...

So the correct order is:

uint[] ClearCode = { 0x19495CFF, 0x257130A3, 0x3D1B58BA, 0x74B0DC51 };
« Last Edit: July 21, 2019, 11:11:50 am by tv84 »
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Possible GW Instek GDS-1000B hack
« Reply #133 on: May 07, 2019, 09:31:15 pm »
Sorry guys, maybe I overlooked something and there is another combination...   ::)

uint[] ClearCode = { 0x3D1B58BA, 0x74B0DC51, 0x19495CFF, 0x257130A3 };

Can anyone test this with a v1.23 ?
It doesn't work.  I downgraded to 1.12, connected using ssh, removed OptionsConf file to remove previous licenses, upgraded to 1.23 using SAFE MODE, tried applying new license code but it gives the same error.
 
The following users thanked this post: tv84

Offline frogblender

  • Regular Contributor
  • *
  • Posts: 124
Re: Possible GW Instek GDS-1000B hack
« Reply #134 on: May 23, 2019, 05:41:00 pm »
Quote from: TK
TK....  what's the latest with your GDS-1054B?   Is the hack working, and if so, what is your BW?
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Possible GW Instek GDS-1000B hack
« Reply #135 on: May 23, 2019, 07:38:33 pm »
Quote from: TK
TK....  what's the latest with your GDS-1054B?   Is the hack working, and if so, what is your BW?
The last time I checked, I was able to measure frequency up to 300-350MHz, highly attenuated.  I don't have it anymore to continue the tests.
 

Offline wgoeoTopic starter

  • Contributor
  • Posts: 10
  • Country: 00
Re: Possible GW Instek GDS-1000B hack
« Reply #136 on: July 20, 2019, 10:56:41 pm »
I think the correct order is

{0x19495cff, 0x257130a3, 0x3d1b58ba, 0x74b0dc51}

I checked with 1.24 (but not with a real scope), maybe it also works with 1.23.
 
The following users thanked this post: tv84

Offline wgoeoTopic starter

  • Contributor
  • Posts: 10
  • Country: 00
Re: Possible GW Instek GDS-1000B hack
« Reply #137 on: July 21, 2019, 02:03:33 am »
It seems you can get SSH back. Rename the attached file to debug.dbg, copy to a USB drive then do the same procedure. The password may have changed but you can probably add a command in the script to change it.

Edit: It's a startup script so you should reboot.
« Last Edit: July 21, 2019, 02:17:58 am by wgoeo »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #138 on: July 21, 2019, 11:13:06 am »
Thanks! I corrected the initial post.
 

Offline frogblender

  • Regular Contributor
  • *
  • Posts: 124
Re: Possible GW Instek GDS-1000B hack
« Reply #139 on: August 21, 2019, 03:04:33 pm »
I got my unit today GDS-1054b, it came with firmware 1.19 so I downgraded to 1.18 and installed the *.lis files and verified they were working. I then upgraded to firmware 1.22 and all the options were still installed and work. Thanks to all for the help on this. Looks like you keep the added features with a firmware update.

@tonywood ... after modding your GDS-1054B...  is it still a 50MHz scope?
 

Offline frogblender

  • Regular Contributor
  • *
  • Posts: 124
Re: Possible GW Instek GDS-1000B hack
« Reply #140 on: November 01, 2019, 05:29:14 pm »
 :wtf: :-//
I successfully generated the .lic files... but when I select each .lic file I get:

"To install this option you must use the GW USB key."

  Anyone have any ideas?  Help greatly appreciated.


(Both with 1.12 and 1.23.   I'd previously used the wrong ClearCode={xx} for my fw version...  which gave me a different error (something re: "check license!" or some such).   But I corrected the ClearCodes so I get past the "check license!".)
« Last Edit: November 01, 2019, 05:31:02 pm by frogblender »
 

Offline Wintel

  • Regular Contributor
  • *
  • Posts: 52
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #141 on: November 11, 2019, 03:53:31 pm »
New Firmware v1.26 and a new Fixed 4 Measurement Function Module license for GDS-1000B.
 

Offline wozzer

  • Newbie
  • Posts: 2
  • Country: ca
Re: Possible GW Instek GDS-1000B hack
« Reply #142 on: December 05, 2019, 09:59:03 pm »
Has anyone confirmed whether the hack works with the latest firmware Ver. 1.26 ? I am about to go ahead and purchase my first scope...figured it was time to get one for home use after 35+ years in electronics ::)
 

Offline idolclub

  • Regular Contributor
  • *
  • Posts: 57
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #143 on: December 07, 2019, 05:10:07 pm »
Has anyone confirmed whether the hack works with the latest firmware Ver. 1.26 ? I am about to go ahead and purchase my first scope...figured it was time to get one for home use after 35+ years in electronics ::)

Works with the latest firmware Ver. 1.26.
 

Offline wozzer

  • Newbie
  • Posts: 2
  • Country: ca
Re: Possible GW Instek GDS-1000B hack
« Reply #144 on: December 07, 2019, 07:12:58 pm »
Thank you for confirming :)
 

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #145 on: February 07, 2020, 10:13:51 am »
New Firmware v1.26 and a new Fixed 4 Measurement Function Module license for GDS-1000B.

On 2000E there's also the Function Module "Fixed 4 Measurement"
The firmware version installed on 2000E is 1.40 but I think this option came from a previous firmware version, I just hadn't acknowledged its existence back then.
 
Does anyone have this unlocked, or even know what this does?
Thanks for any enlightenment.


Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #146 on: February 07, 2020, 11:57:10 am »
Does anyone have this unlocked, or even know what this does?

Try to unlock it using the KG. The only thing the KG uses is the option_index, not its name. So you can try different indexes even if the name doesn't seem to be related.
 
The following users thanked this post: Mortymore

Offline planner29

  • Newbie
  • Posts: 3
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #147 on: March 08, 2020, 01:36:08 pm »
New/updated brochure as of March 6, 2020 shows bus triggering/decode again! hmmm...  Also lists 200MHz 2 channel model.  New/updated datasheets and manuals also made available on same date.
 
The following users thanked this post: Mortymore

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Possible GW Instek GDS-1000B hack
« Reply #148 on: March 08, 2020, 01:55:53 pm »
New/updated brochure as of March 6, 2020 shows bus triggering/decode again! hmmm...  Also lists 200MHz 2 channel model.  New/updated datasheets and manuals also made available on same date.
links to the updated datasheet and manuals?
 

Offline idolclub

  • Regular Contributor
  • *
  • Posts: 57
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #149 on: March 08, 2020, 02:26:26 pm »
New/updated brochure as of March 6, 2020 shows bus triggering/decode again! hmmm...  Also lists 200MHz 2 channel model.  New/updated datasheets and manuals also made available on same date.
links to the updated datasheet and manuals?

https://www.gwinstek.com/en-GB/products/detail/GDS-1000B


 
The following users thanked this post: TK

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Re: Possible GW Instek GDS-1000B hack
« Reply #150 on: March 08, 2020, 03:04:32 pm »
When I click on the link, I get directed to the page with the old specifications. 
 

Offline idolclub

  • Regular Contributor
  • *
  • Posts: 57
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #151 on: March 08, 2020, 03:19:27 pm »
When I click on the link, I get directed to the page with the old specifications.

https://www.gwinstek.com/en-global/products/detail/GDS-1000B


 
The following users thanked this post: nctnico, TK

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #152 on: March 08, 2020, 07:34:49 pm »
The manual though, is yet to talk about the BUS. Maybe it will be updated in the meantime

Offline stafil

  • Regular Contributor
  • *
  • Posts: 205
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #153 on: April 02, 2020, 11:35:41 pm »
Sorry, I got lost. If I get GDS-2074E can I use the keygen to upgrade it to 200MHz?
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #154 on: April 03, 2020, 12:15:07 am »
Sorry, I got lost. If I get GDS-2074E can I use the keygen to upgrade it to 200MHz?
It should work. I have used the generator keys on my GDS-2204E without a problem.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 
The following users thanked this post: stafil

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #155 on: April 03, 2020, 11:12:31 am »
Sorry, I got lost. If I get GDS-2074E can I use the keygen to upgrade it to 200MHz?

If you wish to go to 300MHz, install that license. If you go to 200MHz it will not be straightforward to upgrade to 300MHz afterwards.

Check my experience on that

Don't forget to install the Spectrum Analyzer also. It will give that OPTION button some good use.
Good luck  :-+
 
The following users thanked this post: stafil

Offline idolclub

  • Regular Contributor
  • *
  • Posts: 57
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #156 on: April 07, 2020, 01:21:57 pm »
GW Instek Releases New Firmware v1.27 for GDS-1000B series.

Firmware v1.27 Release Notes:

1.Enabled BUS Features.

2.Fixed UART minor bug.

3.Fixed Datalog error at low frequency signals.

4.Fixed the Portuguese translations.

5.Fixed the Japanese translations.


https://www.gwinstek.com/en-GB/products/detail/GDS-1000B

 
The following users thanked this post: Mortymore

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #157 on: April 08, 2020, 07:07:40 pm »
They also added a new version 1.03 of OpenWave for the GDS-1000B

And new firmware v1.41 for the GDS-2000E  :-+

Offline paul002

  • Regular Contributor
  • *
  • Posts: 52
  • Country: nl
Re: Possible GW Instek GDS-1000B hack
« Reply #158 on: May 05, 2020, 03:13:01 pm »
Took some time to read all the posts, but now 300 MHz !! :)
« Last Edit: May 07, 2020, 09:34:25 am by paul002 »
 
The following users thanked this post: Mortymore

Offline 77algernon

  • Newbie
  • Posts: 9
  • Country: ro
Re: Possible GW Instek GDS-1000B hack
« Reply #159 on: May 07, 2020, 11:20:49 am »
 :) I can confirm that the 200MHz upgrade works on the MDO-2074EG with 1.41 firmware (I used the data from reply #47)

Thanks to all the good ppl contributing to this thread!

Just a quick question: anyone tried to enable the FFT entries from the Function Module menu? It has something to do with the option_index?

L.E.

It seems the FFT entries from the Function Module menu are in fact apps, which you can download from the GDS-2000E section: https://www.gwinstek.com/en-global/products/detail/GDS-2000E It seems it requires one to register with GWInstek, though.

Just unzip and copy the .fun file on the USB stick, then install it by selecting twice in the File Utilities menu. I installed only the dual display app.
« Last Edit: May 07, 2020, 12:52:16 pm by 77algernon »
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #160 on: May 07, 2020, 12:31:46 pm »
Took some time to read all the posts, but now 300 MHz !! :)
Did you also try to enable protocol decoding (serial decode option)?
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline 77algernon

  • Newbie
  • Posts: 9
  • Country: ro
Re: Possible GW Instek GDS-1000B hack
« Reply #161 on: May 07, 2020, 12:58:38 pm »
Did you also try to enable protocol decoding (serial decode option)?

Hi, the MDO-s seem to have a dedicated button for bus decoding, guess it's already enabled? Or it seems that way, at least :)
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #162 on: May 07, 2020, 01:03:00 pm »
Did you also try to enable protocol decoding (serial decode option)?

Hi, the MDO-s seem to have a dedicated button for bus decoding, guess it's already enabled? Or it seems that way, at least :)
You can try to press it... AFAIK decoding is not available on the MDO2000 series but it could be GW Instek has enabled it anyway.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline 77algernon

  • Newbie
  • Posts: 9
  • Country: ro
Re: Possible GW Instek GDS-1000B hack
« Reply #163 on: May 07, 2020, 01:24:25 pm »
I have the MDO-2074EG and pressing the "Bus" button shows the following:

I have no experience with any other GWInstek scope, so I don't know if it's the same feature as the one that serial bus decoding unlocks on the DSO models.
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #164 on: May 07, 2020, 02:33:13 pm »
OK, the MDO series seems to have decoding as well. Thanks for trying!
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline paul002

  • Regular Contributor
  • *
  • Posts: 52
  • Country: nl
Re: Possible GW Instek GDS-1000B hack
« Reply #165 on: May 27, 2020, 10:49:46 am »
Sorry for the late reply, but I think serial decoding is already enabled. I could decode SPI as in the attached picture.
 

Offline robohead

  • Newbie
  • Posts: 1
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #166 on: June 09, 2020, 12:38:56 am »
Has anyone come up with a solution to the "To install this option you must use the GW USB key." error?

I just got a 1054B and wanted to install the 100MHz upgrade.

In case it helps I'm using firmware v1.12 and the safe mode screen says I have FPGA version 77
 

Offline espenfjo

  • Newbie
  • Posts: 3
  • Country: no
Re: Possible GW Instek GDS-1000B hack
« Reply #167 on: July 18, 2020, 05:37:00 pm »
So.. with these upgrades.. Does this mean that we can upgrade a GDS-1054B to e.g. a GDS-1104B, or even a GDS-2204E? Or are there other differences between these scopes that we are not able to upgrade? Such as rise time, memory, sw features etc?
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 6446
  • Country: hr
Re: Possible GW Instek GDS-1000B hack
« Reply #168 on: July 18, 2020, 06:18:05 pm »
So.. with these upgrades.. Does this mean that we can upgrade a GDS-1054B to e.g. a GDS-1104B, or even a GDS-2204E? Or are there other differences between these scopes that we are not able to upgrade? Such as rise time, memory, sw features etc?

GDS-1054B is same as GDS-1104B
GDS-2204E is different scope..
 
The following users thanked this post: espenfjo

Offline idolclub

  • Regular Contributor
  • *
  • Posts: 57
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #169 on: August 03, 2020, 02:18:32 pm »
GW Instek Releases New Firmware v1.28 for GDS-1000B series.

Firmware v1.28 Release Notes:

1. Fixed a freeze issue that could occur when switching to PictBridge printing.

2. Fixed a bug for the BUS trigger mode.


https://www.gwinstek.com/en-GB/products/detail/GDS-1000B
 
The following users thanked this post: TK

Offline g.assis

  • Newbie
  • Posts: 3
  • Country: br
Re: Possible GW Instek GDS-1000B hack
« Reply #170 on: September 22, 2020, 02:00:40 pm »
Hi everyone! ;D
I'm on the quest for a "budget" 4 channel scope, the USD300 range is very attractive. My current one is the laggy Tek TDS1052B, it gets the job done, but the two extra channels and some fancy features will facilitate A LOT.

How is it going with the GDS-1000B? Are the hacks still working?
Any considerations on Rigol DS1054Z vs GDS-1054B? GW is 50USD cheaper on Tequipment.

I've come across the SDS1104X-E as an "alternative" but it's 200USD more, not sure if it fits in this comparison.

Anyway, just to know how is it going with GW Instek, it looks like not a very popular brand, so here I'm kindly asking for updated considerations :)

Cheers!
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Possible GW Instek GDS-1000B hack
« Reply #171 on: September 22, 2020, 02:20:16 pm »
Any considerations on Rigol DS1054Z vs GDS-1054B? GW is 50USD cheaper on Tequipment.

Definitely get the Instek.

it looks like not a very popular brand, so here I'm kindly asking for updated considerations :)

It used to be a lot more expensive than the Rigol so not many people bought them. Now they're cheaper so it's a no-brainer to get the Instek instead. Better 'scope, less money.

PS: For 200 more I wouldn't get a Siglent, I'd get a Micsig.

https://www.eevblog.com/forum/testgear/micsig-sto1000-smart-oscilloscope-operation-video/msg3238008/#msg3238008


« Last Edit: September 22, 2020, 03:20:39 pm by Fungus »
 

Offline g.assis

  • Newbie
  • Posts: 3
  • Country: br
Re: Possible GW Instek GDS-1000B hack
« Reply #172 on: September 22, 2020, 03:12:05 pm »

PS: For 200 more I wouldn't get a Siglent, I'd get a Micsig.

https://www.eevblog.com/forum/testgear/micsig-sto1000-smart-oscilloscope-operation-video/msg3238008/#msg3238008

That's what I call a fast reply!
Thanks and dammit, I was about to make my decision and now this Micsig came up. I do work with aftermarket car accessories development and this handheld-like scope with battery is some very nice feature to consider. I'll do some research on the internet and on my bank account :-DD maybe it's now worth the extra 200USD
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Possible GW Instek GDS-1000B hack
« Reply #173 on: September 22, 2020, 03:35:35 pm »
If you're going to be moving it around then Micsig is a clear winner.

Even if you're not, it's a better 'scope overall IMHO. I'm seriously thinking of selling my Rigol to get one of those instead.

(anybody in Spain want a well-cared-for Rigol?)

 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 6446
  • Country: hr
Re: Possible GW Instek GDS-1000B hack
« Reply #174 on: September 22, 2020, 04:08:06 pm »
If you're going to be moving it around then Micsig is a clear winner.

Even if you're not, it's a better 'scope overall IMHO. I'm seriously thinking of selling my Rigol to get one of those instead.

(anybody in Spain want a well-cared-for Rigol?)

Micsig is fantastic, but not "better scope overall than"  GDS1054B.
Very recently I got STO1104C Plus and like it a lot. But I also found some minor niggles.. Nothing is perfect.
GDS1054B is actually cheaper. Some things are better on GDS1054B, some on Micsig.
I would say they are close, Micsig being portable, and Gw Instek more of a classical scope.

I think both are good choice..
 

Offline g.assis

  • Newbie
  • Posts: 3
  • Country: br
Re: Possible GW Instek GDS-1000B hack
« Reply #175 on: September 22, 2020, 05:19:18 pm »
But I also found some minor niggles.. Nothing is perfect.
GDS1054B is actually cheaper. Some things are better on GDS1054B, some on Micsig.

Hey 2N3055, can you elaborate about those niggles and the differences you spotted between those two?
I'm going to import this scope, and returning and/or replacing is almost impossible, I must be 101% sure about my decision.
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 6446
  • Country: hr
Re: Possible GW Instek GDS-1000B hack
« Reply #176 on: September 22, 2020, 09:47:41 pm »
Well in short, all kinds of little things.
It generally works well but...

For  timebase follows normal 1-2-5 pattern except  4ms/div instead of 5ms/div.
Sometimes, when you stop acquisition and change timebase, it will lose the buffer.
On some triggers, sometimes stops triggering, and then you change trigger level a little and it starts again..
Not all knob presses have functions, cursors buttons are not very easy to use. There is search button that does nothing.

These are very obscure things and happen only occasionally so it's not a big deal.. But perfect it's not.
Still very good and portable. It already proved very useful to me and I use it very often.

I plan to make a  short review/summary of my findings. Just it's kinda busy now...
 
The following users thanked this post: g.assis

Offline Mr_Bean

  • Newbie
  • Posts: 8
  • Country: ca
Re: Possible GW Instek GDS-1000B hack
« Reply #177 on: October 16, 2020, 07:55:59 pm »
Here is the new license generator for the current FWs of GDS1000B and GDS2000E, based on the wgoeo post (msg #3).

Code: [Select]
        private static void InstekKG(string serial)
        {
            // This works for GDS1000B and GDS2000E
            string[] opt = { "PWR", "BUS", "SRH", "SGM", "BW100", "BW200", "BW300", "SA" };   // Prefixes: "DS1KB-"  or "DS2E-"

            // uint[] ClearCode = { 0x11111111, 0xABABABAB, 0x22222222, 0xCDCDCDCD };  // OLD -- GDS1000B (up to v1.18) and GDS2000E (up to v1.28)
            // uint[] ClearCode = { 0x74B0DC51, 0x46E87CCD, 0x25E45D32, 0x515F007C };  // NEW or (alternative set; only one ClearCode declaration can be active)
            uint[] ClearCode = { 0x19495CFF, 0x257130A3, 0x3D1B58BA, 0x74B0DC51 };  // v1.23, v1.24, ....

            serial = serial.Trim();
            int serial_int = Int32.Parse(serial.Substring(serial.Length - 4, 4));

            int pid_sum = 0;
            for (int i = 0; i < serial.Length - 4; i++)
                pid_sum += serial[i];

            for (int i = 0; i < opt.Length; i++)
            {
                int[] a = new int[2];
                a[0] = (pid_sum << 24) | ((i << 8) & 0xF00);
                a[1] = (1 << 24) | ((serial_int << 8) & 0xFFFF00) | ((pid_sum >> 8) & 0xFF);

                for (int j = 0, k = -0x61C88647; j < 32; j++, k -= 0x61C88647)
                {
                    a[0] += (int)((16 * a[1] + ClearCode[0]) ^ (a[1] + k) ^ ((a[1] >> 5) + ClearCode[1]));
                    a[1] += (int)((16 * a[0] + ClearCode[2]) ^ (a[0] + k) ^ ((a[0] >> 5) + ClearCode[3]));
                }
                Console.WriteLine("DS1KB-{0}.lic / DS2E-{0}.lic - [{1:x8}{2:x8}]", opt[i], a[1], a[0]);
            }
        }

Those who prefer the javascript version can replace just the ClearCode constants in the script (I leave that as homework). The SA option was also added (only for the 2000E).

Edit1: Tested successfully by some members in DS2E and MSO equipments. This will not work on 2000A because the S/N has a different format.

Edit2: It seems there are more than one new combination of ClearCode(s) so test both.

As an updated data point, I just successfully upgraded from 50 MHz to 100 MHz on a GDS-1054B with firmware 1.28, using the javascript html and ClearCode of {0x19495CFF, 0x257130A3, 0x3D1B58BA, 0x74B0DC51}. No downgrading or safe mode required.

The GDP-070B-4 probes that came with the scope are only rated for up to 70 MHz so I guess now I'll start shopping for upgraded probes  :-DD
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #178 on: October 16, 2020, 08:25:39 pm »
GDS-1054B with firmware 1.28, using the javascript html and ClearCode of {0x19495CFF, 0x257130A3, 0x3D1B58BA, 0x74B0DC51}.

Thanks for reporting.
 

Offline halfwave

  • Newbie
  • Posts: 3
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #179 on: October 18, 2020, 07:43:24 pm »
Reporting in: 100MHz option worked on my new GDS-1054B with firmware 1.28, Clearcode line starting with 0x19495CFF is what I used as well. Did not try anything else as decode is enabled now anyway.

Frankly I don't need the bandwidth this moment but thought I'd test the lis file generation and activation procedure.

Thank you wgoeo and all others for you work on this. Really like this GDS-1054B and seems a bargain with the current US pricing ($310).
 

Offline Mr_Bean

  • Newbie
  • Posts: 8
  • Country: ca
Re: Possible GW Instek GDS-1000B hack
« Reply #180 on: October 23, 2020, 07:51:40 pm »
It seems you can get SSH back. Rename the attached file to debug.dbg, copy to a USB drive then do the same procedure. The password may have changed but you can probably add a command in the script to change it.

Edit: It's a startup script so you should reboot.

Second update, this method did not work on firmware 1.28. Assuming "do the same procedure" means scroll and push select on the .dbg file the same way licenses are installed, selecting the .dbg file does nothing as far as I can tell: there are no UI notifications or changes and SSH does not get enabled, before or after rebooting the scope. Keeping the USB key in the scope during reboot also seems to have no effect.
 

Offline xgx

  • Newbie
  • Posts: 1
  • Country: ca
Re: Possible GW Instek GDS-1000B hack
« Reply #181 on: November 01, 2020, 09:21:28 pm »
I just wanted to share the results of my testing.

Model: GDS-1054B
FW: v1.28
Purchase date: October 2020

Search trigger - Works!
Segmented Acquire - Works!
100 MHz Bandwidth - DOES NOT WORK

After installing BW100, on the "System Information" page it says "Bandwidth upgraded to 100MHz by DS1KB-BW100", however when I measure the actual bandwidth, it didn't change before or after applying the license (I tested with a signal of ~10mV and again at ~1V). I then tried to apply BW200 and BW300. It says that they are installed correctly, but once I restart, it still says 100 MHz in Sys Info.

 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #182 on: November 01, 2020, 09:50:26 pm »
That is correct. The bandwidth is limited to below 100MHz in the hardware. You are not the first to run into this.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Chuck60

  • Newbie
  • Posts: 5
Re: Possible GW Instek GDS-1000B hack
« Reply #183 on: November 02, 2020, 12:14:07 am »
I’ve tried this hack and it says error loading license, check license version. My version is 2.3. I’ve tried the 2.3 or newer ClearCode line starting with 0x19495CFF. What am I doing wrong?
« Last Edit: November 03, 2020, 02:30:06 am by Chuck60 »
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #184 on: November 02, 2020, 09:44:56 am »
Hi,

Could you install the SA license ? I have the GDS-1054B with 1.28 firmware and installed all licenses with this clear code

Code: [Select]
uint[] ClearCode = { 0x19495CFF, 0x257130A3, 0x3D1B58BA, 0x74B0DC51 };
All licenses were installed except the Spectrum Analyzer, which gave me the license error.

is there any trick to that one?
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #185 on: November 02, 2020, 10:00:04 am »
with the latest firmware 1.28 there's a new option in Utility -> System -> function module , called "fixed 4 measurement" which is not enabled and I believe like other options it needs a licence as well.
 

Offline Chuck60

  • Newbie
  • Posts: 5
Re: Possible GW Instek GDS-1000B hack
« Reply #186 on: November 03, 2020, 02:32:33 am »
Ok so apparently when I edited reply 3 and 47 the file I saved was just reply 3, and now when I try retrieving the same files, the links won’t turn into download links. Any help would be great, thanks
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #187 on: November 03, 2020, 10:08:38 am »
Hi tv84,

can you please check the generator on 1.28 for fix 4 measurements options?

Also I couldn't get a valid license for SA with the latest firmware and latest clearcodes. can you please tell me which files on the firmware I need to reverse engineer to get to the generation routine?

thanks a lot.

Edit : it seems the ClearCode file in the /home/dso directory is not overwritten with firmware downgrades. i can see the clearcode hex sequence in that file but I can't figure out how the key generation routine is related to that. if someone has the old ClearCode file it could really come in handy.

Edit 2 : it seems that the OptionsConf file coding is simple, if anyone with all licenses installed could share only this file it would be great.
also how to enable the SSH on the latest version? the debug.dbg file is just a copy of the \etc\init.d\S50dropbear file. how am i supposed to use it? @wgoeo

Edit 3 : it also seems that the app files downloaded from the website are dummy files. there's no indication of new code in the files and the lua script has just a print statement. i guess the apps were preinstalled in the firmware and the files downloaded as "Apps" from the website just activate them. can anyone else confirm this ?
« Last Edit: November 12, 2020, 09:17:29 pm by danymogh »
 

Offline akimmet

  • Contributor
  • Posts: 22
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #188 on: November 13, 2020, 04:13:10 pm »
Hi tv84,

can you please check the generator on 1.28 for fix 4 measurements options?

Also I couldn't get a valid license for SA with the latest firmware and latest clearcodes. can you please tell me which files on the firmware I need to reverse engineer to get to the generation routine?

thanks a lot.

Edit : it seems the ClearCode file in the /home/dso directory is not overwritten with firmware downgrades. i can see the clearcode hex sequence in that file but I can't figure out how the key generation routine is related to that. if someone has the old ClearCode file it could really come in handy.

Edit 2 : it seems that the OptionsConf file coding is simple, if anyone with all licenses installed could share only this file it would be great.
also how to enable the SSH on the latest version? the debug.dbg file is just a copy of the \etc\init.d\S50dropbear file. how am i supposed to use it? @wgoeo

Edit 3 : it also seems that the app files downloaded from the website are dummy files. there's no indication of new code in the files and the lua script has just a print statement. i guess the apps were preinstalled in the firmware and the files downloaded as "Apps" from the website just activate them. can anyone else confirm this ?

I am fairly certain you are correct about your statement in Edit 3. I came to the same conclusion when I looked at the app files as well. It seems extremely unlikely the full code for the app to be under 1kb.
 

Offline vertical_mammal

  • Newbie
  • Posts: 1
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #189 on: November 18, 2020, 09:47:29 pm »
I was also just successful on my GDS-1054B, firmware v1.28. I didn't try unlocking SA since it sounds like my unit won't support it anyways, but if anybody has gotten it working on a 1000b series and I missed it I'm all ears. Thanks folks!
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #190 on: December 08, 2020, 04:32:55 pm »
Has anyone managed to run a working custom written app?

I tried to write a sample app with Lua and tried to keep the structure of other apps which have at least 4 files

Code: [Select]
app.txt
app.lua
app.png
app.inf

the apps supplied by the Gwinstek website have some kind of encoded/encrypted app.txt, app.inf files whereas the default app of GO_NOGO has them all in cleartext. I tried to use the sample from GO_NOGO app but after putting it to USB and trying to install it gives me the
Code: [Select]
App installation error!!
Please contact your dealer
message.
so somehow It is either not possible to write Lua apps or it's possible but some coding scheme has to be applied.

the app.txt file has a short description of the app and the app.inf file seems to have a basic app structure like install location, files, etc.

the Lua interpreter does not exist in the /bin or /usr/bin directories and hence it's not installed. But it seems it's somehow embedded in the main app because the GO_NOGO app is actually running Lua.

any help would be appreciated.

edit 1: the "encoding" I couldn't figure out was just endianness  |O not endianness !, it's a nibble swap !
« Last Edit: December 08, 2020, 05:57:24 pm by danymogh »
 

Offline yeager200

  • Newbie
  • Posts: 1
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #191 on: December 12, 2020, 05:34:06 am »
I just got a brand new GDS-1054B with firmware 1.28 and I am running the code in the attached file. Yet it doesn't seem to accept these licenses. The unit gives me an error when I try all the options.

I may not have copied the ClearCode data correctly into the Javascript. I wasn't sure what the value for k should be. Can anyone help?
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #192 on: December 12, 2020, 08:13:39 am »
Has anyone managed to run a working custom written app?

I tried to write a sample app with Lua and tried to keep the structure of other apps which have at least 4 files

Code: [Select]
app.txt
app.lua
app.png
app.inf

the apps supplied by the Gwinstek website have some kind of encoded/encrypted app.txt, app.inf files whereas the default app of GO_NOGO has them all in cleartext. I tried to use the sample from GO_NOGO app but after putting it to USB and trying to install it gives me the
Code: [Select]
App installation error!!
Please contact your dealer
message.
so somehow It is either not possible to write Lua apps or it's possible but some coding scheme has to be applied.

the app.txt file has a short description of the app and the app.inf file seems to have a basic app structure like install location, files, etc.

the Lua interpreter does not exist in the /bin or /usr/bin directories and hence it's not installed. But it seems it's somehow embedded in the main app because the GO_NOGO app is actually running Lua.

any help would be appreciated.

edit 1: the "encoding" I couldn't figure out was just endianness  |O not endianness !, it's a nibble swap !
I think you are on the right path. The Lua interpreter is part of the main software so it is logical that you don't find the standalone Lua interpreter. The first step is to figure out how to get a Lua app started and then figure out what kind of API the main program is exposing. I have used Lua to add scripting to C++ programs a couple of times. It is a very neat way to allow flexible extension of a program.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #193 on: December 29, 2020, 06:54:53 pm »
I bricked my gds-1000b while messing around with the bootloader !

does anyone know any way to flash the Nand flash with the original bootloader ?

 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #194 on: December 29, 2020, 07:14:05 pm »
If you messed up the bootloader then I would say you'll have to desolder the NAND.
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #195 on: January 09, 2021, 07:13:31 pm »
can someone please send me the mtd0 and mtd1 files of their scope using the following commands?

# nanddump -f boot.bin /dev/mtd0
# nanddump -f devtree.bin /dev/mtd1

you can access the SSH in the newer versions by installing the app I wrote for it. I'll get back to writing Lua apps once I've restored my scope.

after installing the app reset oscope, go to apps, open ssh, press start, and also press reset pass. the pass is the same as the one in 1.18 firmware.
« Last Edit: January 19, 2021, 07:27:03 pm by danymogh »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #196 on: January 09, 2021, 07:50:18 pm »
Here is the boot.bin from v1.12.

Are you sure you can't find those files inside the FW upgrade packages?
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #197 on: January 10, 2021, 06:43:57 am »
There's a small chance that the files are modified while being written to the nand flash.
Also the devtree section which is mtd1 is not on the fwupgrade files
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #198 on: January 10, 2021, 05:17:50 pm »
unfortunately flashing the bootloader and the devtree did not solve the problem. it is still not booting.

if anyone has any idea I'm all ears.

be very careful not to run the nandtest and nandwrite commands on any mtd device as they'll brick the scope!
« Last Edit: January 11, 2021, 07:34:14 am by danymogh »
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #199 on: January 11, 2021, 03:56:20 pm »
I think I have a new lead.

according to https://www.xilinx.com/support/documentation/user_guides/ug585-Zynq-7000-TRM.pdf -> page 185
and https://github.com/ARM-software/u-boot/blob/402465214395ed26d6fa72d9b6097c7adbf6a966/drivers/mtd/nand/zynq_nand.c#L214
the Zynq 7000 BOOTROM looks for a Bad Block Table (BBT) with this pattern {'B', 'b', 't', '0' } and the mirror pattern {'1', 't', 'b', 'B' } in the last 4 blocks of the Nand or the OOB area !
I have a full dump of the Nand and there's nothing at the last 4 blocks so I think the information should be in the OOB area of the first block which was corrupted ! that might be why programming it again without OOB didn't boot. although there's no indication of what happens if the BBT is not found.

any ideas ?
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #200 on: January 11, 2021, 04:14:14 pm »
A guess: You might need to format the NAND with the UBI-fs first (which is a wear levelling layer) and then create the mtd partitions.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #201 on: January 11, 2021, 07:35:57 pm »
A guess: You might need to format the NAND with the UBI-fs first (which is a wear levelling layer) and then create the mtd partitions.

thanks a lot for your reply!

Unfortunately, UBI-fs is only used for Linux. MTD partitions are defined from the bootloader and then passed to Linux.

I found out that I was mistaken and the BBT information is actually in the dump and in the last 4 blocks. I still think this is a software issue but have no clue how it has come to this.
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #202 on: January 11, 2021, 08:11:03 pm »
A guess: You might need to format the NAND with the UBI-fs first (which is a wear levelling layer) and then create the mtd partitions.

thanks a lot for your reply!

Unfortunately, UBI-fs is only used for Linux. MTD partitions are defined from the bootloader and then passed to Linux.
On the system I have worked on both bootloader and the Linux kernel use UBI fs. The bootloader has to in order to read the kernel from the filesystem and boot it. In general it makes no sense to use NAND flash directly unless you have (more expensive and rare) NAND flash with a 'known good' boot area. Having a wear levelling / error correcting layer in between makes a lot more sense. IOW: it would surprise me if the bootloader uses raw NAND flash.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #203 on: January 12, 2021, 06:37:56 am »
A guess: You might need to format the NAND with the UBI-fs first (which is a wear levelling layer) and then create the mtd partitions.

thanks a lot for your reply!

Unfortunately, UBI-fs is only used for Linux. MTD partitions are defined from the bootloader and then passed to Linux.
On the system I have worked on both bootloader and the Linux kernel use UBI fs. The bootloader has to in order to read the kernel from the filesystem and boot it. In general it makes no sense to use NAND flash directly unless you have (more expensive and rare) NAND flash with a 'known good' boot area. Having a wear levelling / error correcting layer in between makes a lot more sense. IOW: it would surprise me if the bootloader uses raw NAND flash.

based on the boot.bin file from the upgrade files and a dump from another scope I'd say the bootloader used raw Nand flash. also in the Zynq 7000 docs, there's no indication of UBI-fs for the bootloader. however, it seems the Zynq first enables the internal ECC and then starts to read the flash. this might be why the boot is failing. I've programmed the bootloader with the ECC disabled which means the OOB area is not the same as in a working scope. that is the last thing that I've found and I'm going to try it and see if it works.

Edit: unfortunately the programmer I have doesn't support enabling the ECC feature. If one of the forum members would be kind enough to send me the dump of their bootloader including the OOB data I'd be delighted.
the command is : nanddump -f booloader.bin -o /dev/mtd0
any bootloader version would do
« Last Edit: January 12, 2021, 07:32:44 am by danymogh »
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Possible GW Instek GDS-1000B hack
« Reply #204 on: January 12, 2021, 09:13:10 am »
based on the boot.bin file from the upgrade files and a dump from another scope I'd say the bootloader used raw Nand flash.

You don't really need wear-levelling for firmware and it's a whole layer of extra complexity for a low-level bootloader.
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #205 on: January 12, 2021, 09:16:19 am »
based on the boot.bin file from the upgrade files and a dump from another scope I'd say the bootloader used raw Nand flash.

You don't really need wear-levelling for firmware and it's a whole layer of extra complexity for a low-level bootloader.
You do because nand flash is that bad. Wear levelling is also about checking the contents and in case a sector is very bad it needs to be mapped out. See the problems Keysight has with their oscilloscopes. And nowadays bootloaders are very advanced pieces of software. Not just a few lines of code but close to being an OS in themselves.
« Last Edit: January 12, 2021, 09:22:56 am by nctnico »
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #206 on: January 12, 2021, 09:54:11 am »
You said you had a NAND dump?

If so, share it with us to have a look.
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #207 on: January 12, 2021, 11:42:50 am »
You said you had a NAND dump?

If so, share it with us to have a look.

Yes, I have a full dump including the OOB data but after the firmware is corrupted. so the bootloader section OOB is useless.
Also, the other dumps I got from the other working scope don't include OOB data and unfortunately, I bricked that scope as well  |O because I had no idea the "nandtest" command messes up the block content.

here is the full dump including OOB after bootloader being messed up
https://mega.nz/file/EwhBHK5Z#iWaQYef7AYeb_-1wFezzOjsCgKbDqYcK72qOQfp7sz4

as you can see on page 65472 and 65408  there is the BBT according to Zynq documents (in the last 4 blocks)
also, I have a boot log that points to them as well

Code: [Select]
Bad block table found at page 65472, version 0x01
Bad block table found at page 65408, version 0x01

according to Micron ECC the OOB area is 64 bytes and the table explains each part. however, that table (should?) be valid only when the internal ECC is used. It seems the Zynq uses address 0x804 - 0x807 to store the BBT signature (spare 0) and address 0x808 - 0x80F are the calculated ECC parity bits based on the content of main0 and spare 0. the subsequent addresses are similar.

to sum it up, the last 8 bytes in each row are the parity bits, the first 8 bytes of each row are the Bad block information (2 bytes) + 6 byte user data (from that 6 bytes 2 bytes are not ECC protected (User metadata II) and 4 bytes are ECC protected (user metadata I))
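The checks discussed in the post above, as an added example that is not part of the original post: it scans the last four blocks of a raw dump (main + OOB) for the `Bbt0` / `1tbB` markers at OOB offset 4, and flags pages that hold data but carry no ECC parity bytes. The geometry of 64 pages per block and the sample dump are assumptions constructed for the example.

```python
"""Added example: inspect a raw NAND dump (main + OOB) for Zynq BBT markers."""

PAGE_SIZE = 2048       # main bytes per page (signature address 0x804 lies just past 0x800)
OOB_SIZE = 64          # spare bytes per page, as stated in the thread
PAGES_PER_BLOCK = 64   # assumption: 128 KiB blocks, consistent with BBT pages 65408/65472
RAW_PAGE = PAGE_SIZE + OOB_SIZE
SIG_OFFSET = 4         # 0x804 - 0x800: signature position inside the OOB
BBT_BLOCKS = 4         # only the last four blocks are searched
SIGNATURES = {b"Bbt0": "main", b"1tbB": "mirror"}
# Per the thread, each 16-byte OOB row ends with 8 ECC parity bytes.
ECC_SLICES = [slice(row * 16 + 8, row * 16 + 16) for row in range(OOB_SIZE // 16)]


def dump_layout(size):
    """Tell a dump taken with OOB from one taken without it, by its size."""
    if size and size % (RAW_PAGE * PAGES_PER_BLOCK) == 0:
        return "with-oob"
    if size and size % (PAGE_SIZE * PAGES_PER_BLOCK) == 0:
        return "main-only"
    return "unknown"


def split_page(dump, page):
    """Return (main, oob) for one page of a dump that interleaves main and OOB."""
    base = page * RAW_PAGE
    return dump[base:base + PAGE_SIZE], dump[base + PAGE_SIZE:base + RAW_PAGE]


def find_bbt(dump):
    """List (page, block, kind) for every BBT marker in the last BBT_BLOCKS blocks."""
    if dump_layout(len(dump)) != "with-oob":
        raise ValueError("dump carries no OOB data; BBT markers cannot be located")
    total_pages = len(dump) // RAW_PAGE
    first = max(total_pages - BBT_BLOCKS * PAGES_PER_BLOCK, 0)
    hits = []
    for page in range(first, total_pages):
        _, oob = split_page(dump, page)
        kind = SIGNATURES.get(bytes(oob[SIG_OFFSET:SIG_OFFSET + 4]))
        if kind:
            hits.append((page, page // PAGES_PER_BLOCK, kind))
    return hits


def pages_missing_ecc(dump, first_page, last_page):
    """Heuristic: pages whose main area is programmed but whose parity bytes are all 0xFF.

    This is the state left behind when a region is rewritten without OOB/ECC.
    """
    blank = b"\xff" * 8
    missing = []
    for page in range(first_page, last_page + 1):
        main, oob = split_page(dump, page)
        if main.count(0xFF) == len(main):
            continue  # erased page, nothing to protect
        if all(bytes(oob[s]) == blank for s in ECC_SLICES):
            missing.append(page)
    return missing


def build_sample(blocks=8):
    """Constructed dump: page 0 written with parity, page 1 without, BBT in the last 2 blocks."""
    dump = bytearray(b"\xff" * (RAW_PAGE * PAGES_PER_BLOCK * blocks))
    for page, with_ecc in ((0, True), (1, False)):
        base = page * RAW_PAGE
        dump[base:base + PAGE_SIZE] = b"\x5a" * PAGE_SIZE
        if with_ecc:
            for s in ECC_SLICES:
                oob_base = base + PAGE_SIZE
                dump[oob_base + s.start:oob_base + s.stop] = b"\x12" * 8  # placeholder parity
    for block, sig in ((blocks - 1, b"Bbt0"), (blocks - 2, b"1tbB")):
        pos = block * PAGES_PER_BLOCK * RAW_PAGE + PAGE_SIZE + SIG_OFFSET
        dump[pos:pos + 4] = sig
    return bytes(dump)


if __name__ == "__main__":
    sample = build_sample()
    print("layout:", dump_layout(len(sample)))
    for page, block, kind in find_bbt(sample):
        print("BBT (%s) at page %d, block %d" % (kind, page, block))
    print("pages without parity in block 0:", pages_missing_ecc(sample, 0, PAGES_PER_BLOCK - 1))
```
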
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #208 on: January 12, 2021, 12:56:15 pm »
Perhaps a better way is to let the bootloader boot a Linux image (from Xilinx) over the network and use that to create the MTD partitions which are missing and then populate them with data from an extracted firmware image.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #209 on: January 12, 2021, 01:59:25 pm »
Perhaps a better way is to let the bootloader boot a Linux image (from Xilinx) over the network and use that to create the MTD partitions which are missing and then populate them with data from an extracted firmware image.

unfortunately, that's not possible since it is the bootloader that loads the device tree which has the definition of all connected peripherals.

if only one of the people who has the GDS-1054b could provide a dump from their bootloader using the command I specified, that's a great help to me.
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #210 on: January 12, 2021, 02:32:47 pm »
What if you use the Xilinx devicetree as well? Basically set the oscilloscope up as if it is a Xilinx Zynq development board and go from there. Likely a lot of the peripherals will be taken from a development board design so ethernet might just work.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 
The following users thanked this post: tv84

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #211 on: January 12, 2021, 03:41:34 pm »
What if you use the Xilinx devicetree as well? Basically set the oscilloscope up as if it is a Xilinx Zynq development board and go from there. Likely a lot of the peripherals will be taken from a development board design so ethernet might just work.

that might work but I need a Xilinx Jtag and also I need to know the pinout on the board which I don't. also, I don't have the files of the device tree I just saw them in the bootloader dump. I've started working on the programmer to implement the enable ECC part.
 

Offline 450bush

  • Newbie
  • Posts: 6
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #212 on: January 12, 2021, 04:08:34 pm »
What if you use the Xilinx devicetree as well? Basically set the oscilloscope up as if it is a Xilinx Zynq development board and go from there. Likely a lot of the peripherals will be taken from a development board design so ethernet might just work.

that might work but I need a Xilinx Jtag and also I need to know the pinout on the board which I don't. also, I don't have the files of the device tree I just saw them in the bootloader dump. I've started working on the programmer to implement the enable ECC part.

You may try the Pluto SDR github repository for some help... https://github.com/analogdevicesinc/plutosdr-fw . The firmware can be found at the link and it is based on a Zynq processor. The u-boot code/configuration is posted there!

good luck...
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #213 on: January 15, 2021, 01:48:59 pm »
I finally got it working !!

here is the correct image for version 1.28 from offset 0x000000000000 to 0x0000033c0000.
which includes the following :

0x000000000000-0x0000001c0000 : "boot"
0x0000001c0000-0x0000001e0000 : "devtree"
0x0000001e0000-0x000000200000 : "env"
0x000000200000-0x000000280000 : "fpga-core"
0x000000280000-0x000000580000 : "kernel"
0x000000580000-0x0000033c0000 : "rootfs"

it should be programmed to the Nand which has no bad blocks in that address range. be careful not to erase the rest of the address space since valuable user data like calibration data and serial number, etc are in there! basically, always have a backup of the /home/dso directory.
also, the last 4 blocks (2 of them) contain the Zynq BBT information in their OOB area which is important for the boot to happen successfully.
« Last Edit: January 21, 2021, 04:53:27 pm by danymogh »
 
The following users thanked this post: edavid, Mortymore

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #214 on: January 15, 2021, 03:52:50 pm »
Great news! I hope you can make some progress with the Lua scripting.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #215 on: January 15, 2021, 04:45:17 pm »
0x00000000-0x001c0000 : "boot"
0x001c0000-0x001e0000 : "devtree"
0x001e0000-0x00200000 : "env"
0x00200000-0x00280000 : "fpga-core"
0x00280000-0x00580000 : "kernel"
0x00580000-0x033c0000 : "rootfs"
0x033c0000-0x07000000 : "user"

Parsings:

0x000000000000-0x0000001c0000 : "boot"

Code: [Select]
**********  Zynq-7000 SoC Boot Header  **********
00000000 -            ARM Vector Table: 8 x EAFFFFFE
00000020 -             Width Detection: AA995566
00000024 -            Header Signature: XLNX
00000028 -                  Key Source: 00000000  -  Not Encrypted
0000002C -                     Version: 01010000  (0x01010000)
00000030 -           FSBL Image Offset: 00000D40
00000034 -           FSBL Image Length: 00014014
00000038 -     FSBL Load Address (RAM): 00000000
0000003C -     FSBL Exec Address (RAM): 00000000
00000040 -           Total FSBL Length: 00014014
00000044 -          QSPI Configuration: 00000001  (0x00000001)
00000048 -        Boot Header Checksum: FC16CED8  CHKSUM OK
0000004C -                User Defined: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
00000098 -   Image Header Table Offset: 000008C0
0000009C - Partit. Header Table Offset: 00000C80
**********  Zynq-7000 SoC Device Register Initialization Table  **********
000000A0 - Register Initialization Pairs  [000000A0-0000089F]
**********  Zynq-7000 SoC Device Image Header Table  **********
000008C0 -                     Version: 01020000  (0x01020000)
000008C4 -             # Image Headers: 00000002
000008C8 - 1st Partition Header Offset: 00000C80
000008CC -     1st Image Header Offset: 00000900
000008D0 -   Header Auth Certif Offset: 00000000
000008D4 -                    Reserved: FFFFFFFF
**********  Zynq-7000 SoC Device Image Headers  **********
           Partitio Reserved  Length  Name
00000900 - 00000C80 00000000 00000001 fsbl_nand.elf
00000940 - 00000CC0 00000000 00000001 u-boot.Ap3RNQMM.elf
**********  Zynq-7000 SoC Device Partition Headers  **********
           EncryLen UnencLen TotalLen DestLoad DestExec ImgOffst AttrBits Sections Checksm  ImHdOffs AuthOffs HdChkSum
00000C80 - 00014014 00014014 00014014 00000000 00000000 00000D40 00000010 00000000 00000000 00000900 00000000 FFFF0A50   CHKSUM OK
00000CC0 - 000F321C 000F321C 000F321C 04000000 04000000 00014D80 00000010 00000001 00000000 00000940 00000000 F7F444A9   CHKSUM OK

Your devtree is empty...

0x000000200000-0x000000280000 : "fpga-core"

00200000-0026C4DC  fpga-core.gz    CRC32: 61485AD2  DecompSize: 001FCB9C

IDCODE = 03722093      => Zynq XC7Z010
Code: [Select]
00000030 - AA995566             Sync Word (BPI/SPI Mode)
00000034 - 20000000             T1 - 00000000  NOP      (1x)
00000038 - 30022001 00000000    T1 W 00000001  TIMER
00000040 - 30020001 00000000    T1 W 00000001  WBSTAR
00000048 - 30008001 00000000    T1 W 00000001  CMD      NULL - No Operation
00000050 - 20000000             T1 - 00000000  NOP      (1x)
00000054 - 30008001 00000007    T1 W 00000001  CMD      RCRC - Reset CRC
0000005C - 20000000             T1 - 00000000  NOP      (2x)
00000064 - 30026001 00000000    T1 W 00000001  FALL_EDGE
0000006C - 30012001 02003FE5    T1 W 00000001  COR0
00000074 - 3001C001 00000000    T1 W 00000001  COR1
0000007C - 30018001 03722093    T1 W 00000001  IDCODE
00000084 - 30008001 00000009    T1 W 00000001  CMD      SWITCH - Switch CCLK Frequency
0000008C - 20000000             T1 - 00000000  NOP      (1x)
00000090 - 3000C001 00000401    T1 W 00000001  MASK
00000098 - 3000A001 00000401    T1 W 00000001  CTL0
000000A0 - 3000C001 00000000    T1 W 00000001  MASK
000000A8 - 30030001 00000000    T1 W 00000001  CTL1
000000B0 - 20000000             T1 - 00000000  NOP      (8x)
000000D0 - 30002001 00000000    T1 W 00000001  FAR
000000D8 - 30008001 00000001    T1 W 00000001  CMD      WCFG - Write Config Data
000000E0 - 20000000             T1 - 00000000  NOP      (1x)
000000E4 - 30004000             T1 W 00000000  FDRI
000000E8 - 5007F0A0             T2 W 0007F0A0
001FC374 - 20000000             T1 - 00000000  NOP      (2x)
001FC37C - 30008001 0000000A    T1 W 00000001  CMD      GRESTORE - Pulse GRESTORE Signal
001FC384 - 20000000             T1 - 00000000  NOP      (1x)
001FC388 - 30008001 00000003    T1 W 00000001  CMD      DGHIGH/LFRM - Last Frame
001FC390 - 20000000             T1 - 00000000  NOP      (100x)
001FC520 - 30008001 00000005    T1 W 00000001  CMD      START - Begin Startup Sequence
001FC528 - 20000000             T1 - 00000000  NOP      (1x)
001FC52C - 30002001 03BE0000    T1 W 00000001  FAR
001FC534 - 3000C001 00000501    T1 W 00000001  MASK
001FC53C - 3000A001 00000401    T1 W 00000001  CTL0
001FC544 - 30000001 15E91D43    T1 W 00000001  CRC
001FC54C - 20000000             T1 - 00000000  NOP      (2x)
001FC554 - 30008001 0000000D    T1 W 00000001  CMD      DESYNC - Reset DALIGN Signal
001FC55C - 20000000             T1 - 00000000  NOP
001FCB98 - 00000000           ... give time for internal startup

0x000000280000-0x000000580000 : "kernel"

Code: [Select]
00280000                 Magic: 27051956    uImage File OK
00280004         Header CRC-32: 13203039  [00280000-0028003F]    CRC OK
00280008               Created: 07/01/2020 04:02:12
0028000C             Data Size: 002F8A58
00280010     Data Load Address: 00008000
00280014   Entry Point Address: 00008000
00280018           Data CRC-32: 3044F5BF  [00280040-00578A97]    CRC OK
0028001C      Operating System: Linux
0028001D      CPU Architecture: ARM
0028001E                  Type: OS Kernel Image
0028001F           Compression: None
00280020                  Name: Linux-3.12.0-xilinx
00280040 - Image 0 [00280040-00578A97]  002F8A58 bytes


So as I see it, before you ruined MTD0 and MTD1. Now you have corrected only MTD0 (boot.bin) and it seems the scope is working without the devtree flashed. Interesting...  ::)
« Last Edit: January 15, 2021, 08:58:40 pm by tv84 »
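The "kernel" parsing in the post above can be reproduced with a short validator. This is an added example, not tv84's parser and not part of the post: it reads the 64-byte legacy uImage header at the start of the kernel partition, recomputes both CRC-32 values and checks that the image fits inside the partition range listed in the thread. The sample flash image, payload and timestamp are constructed.

```python
"""Added example: validate the legacy uImage header found in the "kernel" partition."""
import struct
import zlib
from datetime import datetime, timezone

UIMAGE_MAGIC = 0x27051956
HEADER = struct.Struct(">7I4B32s")   # 64 bytes, all fields big-endian
KERNEL_PART = (0x280000, 0x580000)   # "kernel" range from the partition list in the thread
OS_NAMES = {5: "Linux"}
ARCH_NAMES = {2: "ARM"}
TYPE_NAMES = {2: "OS Kernel Image"}
COMP_NAMES = {0: "None", 1: "gzip"}


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uimage(flash, part=KERNEL_PART):
    """Parse and verify the uImage at the start of a partition of a main-area dump."""
    start, end = part
    raw = flash[start:start + HEADER.size]
    if len(raw) < HEADER.size:
        raise ValueError("partition start lies outside the dump")
    (magic, hcrc, created, size, load, entry, dcrc,
     os_id, arch, img_type, comp, name) = HEADER.unpack(raw)
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic at 0x%08X" % start)
    data_start = start + HEADER.size
    data = flash[data_start:data_start + size]
    # The header CRC covers all 64 bytes with the CRC field itself set to zero.
    zeroed = bytes(raw[:4]) + b"\x00" * 4 + bytes(raw[8:])
    return {
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "created": datetime.fromtimestamp(created, timezone.utc).isoformat(),
        "size": size,
        "load": load,
        "entry": entry,
        "os": OS_NAMES.get(os_id, hex(os_id)),
        "arch": ARCH_NAMES.get(arch, hex(arch)),
        "type": TYPE_NAMES.get(img_type, hex(img_type)),
        "compression": COMP_NAMES.get(comp, hex(comp)),
        "header_crc_ok": crc32(zeroed) == hcrc,
        # A size field that runs past the partition end means a corrupt header
        # or an image that was written over the next partition.
        "fits_partition": data_start + size <= end,
        "data_crc_ok": len(data) == size and crc32(data) == dcrc,
    }


def build_sample_flash(payload=b"constructed kernel payload " * 64):
    """Constructed flash image: erased (0xFF) up to the kernel, then a valid uImage."""
    header = bytearray(HEADER.pack(
        UIMAGE_MAGIC, 0, 1577836800, len(payload), 0x8000, 0x8000,
        crc32(payload), 5, 2, 2, 0, b"Linux-3.12.0-xilinx"))
    struct.pack_into(">I", header, 4, crc32(bytes(header)))
    flash = bytearray(b"\xff" * KERNEL_PART[1])
    start = KERNEL_PART[0]
    flash[start:start + len(header) + len(payload)] = header + payload
    return flash


if __name__ == "__main__":
    flash = build_sample_flash()
    for key, value in parse_uimage(flash).items():
        print("%-15s %s" % (key, value))
    flash[KERNEL_PART[0] + HEADER.size + 10] ^= 0x01   # simulate one flipped bit
    print("after bit flip, data_crc_ok =", parse_uimage(flash)["data_crc_ok"])
```
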
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #216 on: January 15, 2021, 07:25:39 pm »
So as I see it, before you ruined MTD0 and MTD1. Now you have corrected only MTD0 (boot.bin) and it seems the scope is working without the devtree flashed. Interesting...  ::)

yes, that is what I thought but I checked "devtree" with the dump I got from another working scope with the same model, and as it turns out it actually is empty! I think they didn't name the partitions correctly perhaps? the devtree seems to be loaded either from bootloader or "env" partition.

btw, what tools did you use to make the parsings? for the boot.bin I had to write my own tool for analysis here:

https://github.com/danyhm/Xilinx-BIF-Tool

but yours seems like a lot better!
« Last Edit: January 15, 2021, 07:40:16 pm by danymogh »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #217 on: January 15, 2021, 08:41:36 pm »
yes, that is what I thought but I checked "devtree" with the dump I got from another working scope with the same model, and as it turns out it actually is empty! I think they didn't name the partitions correctly perhaps? the devtree seems to be loaded either from bootloader or "env" partition.

btw, what tools did you use to make the parsings? for the boot.bin I had to write my own tool for analysis here:

https://github.com/danyhm/Xilinx-BIF-Tool

but yours seems like a lot better!

I've verified all the FW files I have and none has the .DTB.   |O   But the env refers to them. I think it should exist.

I have my own parsers. My Zynq boot parser already does the CRC validations.  ;)

That was one of the reasons why I passed all your FW through the parser: to check that all CRCs were correct and everything in order.

Then I noticed that you really messed up your MTD0 and 1 (all the rest was/is good). How did you do that?
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #218 on: January 15, 2021, 09:07:51 pm »
I ran the "nandtest" command on them without knowing it actually changes the data in the partitions if not instructed to keep the original data.
then after a reboot .... boom!! no boot. luckily I didn't run it on the user partition or else there would have been no way to recover from that!

the .DTB file is used in the Zynq project. after being compiled to binary you can only see the definitions inside it and can't get the file back directly. but I think it's possible to write a script for that to recover the original .DTB in the case it's needed
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #219 on: January 15, 2021, 09:15:46 pm »
Here is the .DTB.  :)

It's inside the bootloader (offset 0xFA154) and, most probably, it's loaded by it.

Parsing:
Code: [Select]
000FA154                 Magic: D00DFEED    FDT File OK
000FA158             File Size: 00002868
000FA15C      DT Struct Offset: 000FA18C
000FA160     DT Strings Offset: 000FC430
000FA164     Mem RsvMap Offset: 000FA17C
000FA168               Version: 00000011
000FA16C  Last Compatible Vers: 00000010
000FA170           Boot CPU_ID: 00000000
000FA174       DT Strings Size: 0000058C
000FA178        DT Struct Size: 000022A4
000FA18C
000FA194     #address-cells = 0x00000001
000FA1A4     #size-cells = 0x00000001
000FA1B4     compatible = xlnx,zynq-7000
000FA1D0     model = Xilinx Zynq
000FA1E8     aliases
000FA1F4        ethernet0 = /amba@0/ps7-ethernet@e000b000
000FA220        serial0 = /amba@0/serial@e0001000
000FA244        i2c0 = /amba@0/ps7-i2c@e0004000
000FA270     chosen
000FA27C        bootargs = console=ttyPS0,115200n8 ubi.mtd=5,2048 root=ubi0:rootfs rootfstype=ubifs ro earlyprintk mem=124M memmap=4M$0x7C00000 memmap=128M$0x08000000
000FA314        linux,stdout-path = /amba@0/ps7-uart1@e0001000
000FA340     cpus
000FA34C        #address-cells = 0x00000001
000FA35C        #size-cells = 0x00000000
000FA36C        cpu@0
000FA378           bus-handle = 0x00000001
000FA388           compatible = arm,cortex-a9
000FA3A4           d-cache-line-size = 0x00000020
000FA3B4           d-cache-size = 0x00008000
000FA3C4           device_type = cpu
000FA3D4           i-cache-line-size = 0x00000020
000FA3E4           i-cache-size = 0x00008000
000FA3F4           interrupt-handle = 0x00000002
000FA404           reg = 00000000
000FA418        cpu@1
000FA424           bus-handle = 0x00000001
000FA434           compatible = arm,cortex-a9
000FA450           d-cache-line-size = 0x00000020
000FA460           d-cache-size = 0x00008000
000FA470           device_type = cpu
000FA480           i-cache-line-size = 0x00000020
000FA490           i-cache-size = 0x00008000
000FA4A0           interrupt-handle = 0x00000002
000FA4B0           reg = 00000001
000FA4C8     pmu
000FA4D0        compatible = arm,cortex-a9-pmu
000FA4F0        interrupt-parent = 0x00000002
000FA500        interrupts = 000000000000000500000004000000000000000600000004
000FA524        reg = F889100000001000F889300000001000
000FA540        reg-names = cpu0
000FA55C     memory@0
000FA56C        device_type = memory
000FA580        reg = 0000000010000000
000FA598     amba@0
000FA5A4        #address-cells = 0x00000001
000FA5B4        #size-cells = 0x00000001
000FA5C4        compatible = xlnx,ps7-axi-interconnect-1.00.a
000FA5FC        ranges =
000FA608        linux,phandle = 0x00000001
000FA618        phandle = 0x00000001
000FA628        ps7-afi@f8008000
000FA640           compatible = xlnx,ps7-afi-1.00.a
000FA660           reg = F800800000001000
000FA678        ps7-afi@f8009000
000FA690           compatible = xlnx,ps7-afi-1.00.a
000FA6B0           reg = F800900000001000
000FA6C8        ps7-afi@f800a000
000FA6E0           compatible = xlnx,ps7-afi-1.00.a
000FA700           reg = F800A00000001000
000FA718        ps7-afi@f800b000
000FA730           compatible = xlnx,ps7-afi-1.00.a
000FA750           reg = F800B00000001000
000FA768        ps7-ddrc@f8006000
000FA780           compatible = xlnx,ps7-ddrc-1.00.a
000FA7B0           reg = F800600000001000
000FA7C4           xlnx,has-ecc = 0x00000000
000FA7D8        ps7-dev-cfg@f8007000
000FA7F4           clock-names = ref_clk
000FA820           clocks =
000FA854           compatible = xlnx,ps7-dev-cfg-1.00.a
000FA878           interrupt-parent = 0x00000002
000FA888           interrupts = 000000000000000800000004
000FA8A0           reg = F800700000000100
000FA8B8        ps7-dma@f8003000
000FA8D0           #dma-cells = 0x00000001
000FA8E0           #dma-channels = 0x00000008
000FA8F0           #dma-requests = 0x00000004
000FA900           arm,primecell-periphid = 0x00041330
000FA910           clock-names = apb_pclk
000FA928           clocks =
000FA93C           compatible = xlnx,ps7-dma-1.00.a
000FA974           interrupt-names = abort
000FA9B0           interrupt-parent = 0x00000002
000FA9C0           interrupts = 000000000000000D00000004000000000000000E00000004000000000000000F00000004000000000000001000000004000000000000001100000004000000000000002800000004000000000000002900000004000000000000002A00000004000000000000002B00000004
000FAA38           reg = F800300000001000
000FAA50        ps7-ethernet@e000b000
000FAA6C           #address-cells = 0x00000001
000FAA7C           #size-cells = 0x00000000
000FAA8C           clock-names = ref_clk
000FAAAC           clocks =
000FAAC8           compatible = xlnx,ps7-ethernet-1.00.a
000FAAF0           interrupt-parent = 0x00000002
000FAB00           interrupts = 000000000000001600000004
000FAB18           local-mac-address =
000FAB2C           phy-handle = 0x00000004
000FAB3C           phy-mode = rgmii-id
000FAB54           reg = E000B00000001000
000FAB68           xlnx,eth-mode = 0x00000001
000FAB78           xlnx,has-mdio = 0x00000001
000FAB88           xlnx,ptp-enet-clock = ♠?k?
000FAB98           mdio
000FABA4              #address-cells = 0x00000001
000FABB4              #size-cells = 0x00000000
000FABC4              phy@0
000FABD0                 compatible = micrel,ksz9031
000FABEC                 device_type = ethernet-phy
000FAC08                 reg = 00000000
000FAC18                 linux,phandle = 0x00000004
000FAC28                 phandle = 0x00000004
000FAC44        ps7-gpio@e000a000
000FAC5C           #gpio-cells = 0x00000002
000FAC6C           clocks =
000FAC80           compatible = xlnx,ps7-gpio-1.00.a
000FACA4           emio-gpio-width = 0x00000040
000FACB4           gpio-controller =
000FACC0           gpio-mask-high = 0x00000000
000FACD0           gpio-mask-low = ☼►?☻
000FACE0           interrupt-parent = 0x00000002
000FACF0           interrupts = 000000000000001400000004
000FAD08           reg = E000A00000001000
000FAD1C           linux,phandle = 0x00000005
000FAD2C           phandle = 0x00000005
000FAD40        ps7-i2c@e0004000
000FAD58           bus-id = 0x00000000
000FAD68           clocks =
000FAD7C           compatible = xlnx,ps7-i2c-1.00.a
000FAD9C           input-clk = ♠?k?
000FADAC           i2c-clk = 0x000186A0
000FADBC           i2c-reset =
000FADD4           interrupt-parent = 0x00000002
000FADE4           interrupts = 000000000000001900000004
000FADFC           reg = E000400000001000
000FAE10           xlnx,has-interrupt = 0x00000000
000FAE20           #address-cells = 0x00000001
000FAE30           #size-cells = 0x00000000
000FAE40           touch@38
000FAE50              compatible = edt-ft5x06
000FAE68              reg = 00000038
000FAE80        ps7-iop-bus-config@e0200000
000FAEA0           compatible = xlnx,ps7-iop-bus-config-1.00.a
000FAECC           reg = E020000000001000
000FAEE4        ps7-pl310@f8f02000
000FAEFC           arm,data-latency =
000FAF14           arm,tag-latency =
000FAF2C           cache-level = 0x00000002
000FAF3C           cache-unified =
000FAF48           compatible = xlnx,ps7-pl310-1.00.a
000FAF7C           interrupt-parent = 0x00000002
000FAF8C           interrupts = 000000000000000200000004
000FAFA4           reg = F8F0200000001000
000FAFBC        ps7-ocmc@f800c000
000FAFD4           compatible = xlnx,ps7-ocmc-1.00.a
000FB008           interrupt-parent = 0x00000002
000FB018           interrupts = 000000000000000300000004
000FB030           reg = F800C00000001000
000FB048        ps7-scugic@f8f01000
000FB060           #address-cells = 0x00000002
000FB070           #interrupt-cells = 0x00000003
000FB080           #size-cells = 0x00000001
000FB090           compatible = xlnx,ps7-scugic-1.00.a
000FB0D0           interrupt-controller =
000FB0DC           num_cpus = 0x00000002
000FB0EC           num_interrupts = 0x00000060
000FB0FC           reg = F8F0100000001000F8F0010000000100
000FB118           linux,phandle = 0x00000002
000FB128           phandle = 0x00000002
000FB13C        ps7-scutimer@f8f00600
000FB158           clocks =
000FB16C           compatible = xlnx,ps7-scutimer-1.00.a
000FB1AC           interrupt-parent = 0x00000002
000FB1BC           interrupts = 000000010000000D00000301
000FB1D4           reg = F8F0060000000020
000FB1EC        ps7-scuwdt@f8f00620
000FB204           clocks =
000FB218           compatible = xlnx,ps7-scuwdt-1.00.a
000FB23C           device_type = watchdog
000FB254           interrupt-parent = 0x00000002
000FB264           interrupts = 000000010000000E00000301
000FB27C           reg = F8F00620000000E0
000FB294        ps7-slcr@f8000000
000FB2AC           compatible = xlnx,ps7-slcr-1.00.a
000FB2DC           reg = F800000000001000
000FB2F0           clocks
000FB2FC              #address-cells = 0x00000001
000FB30C              #size-cells = 0x00000000
000FB31C              clkc
000FB328                 #clock-cells = 0x00000001
000FB338                 clock-output-names = armpll
000FB4B0                 compatible = xlnx,ps7-clkc
000FB4CC                 fclk-enable = 0x0000000F
000FB4DC                 ps-clk-frequency = ☻bZ
000FB4EC                 linux,phandle = 0x00000003
000FB4FC                 phandle = 0x00000003
000FB518        ps7-smcc@e000e000
000FB530           #address-cells = 0x00000001
000FB540           #size-cells = 0x00000001
000FB550           clock-names = ref_clk
000FB570           clocks =
000FB58C           compatible = xlnx,ps7-smcc-1.00.a
000FB5BC           interrupt-parent = 0x00000002
000FB5CC           interrupts = 000000000000001200000004
000FB5E4           ranges =
000FB5F0           reg = E000E00000001000
000FB604           xlnx,addr25 = 0x00000000
000FB614           xlnx,nor-chip-sel0 = 0x00000000
000FB624           xlnx,nor-chip-sel1 = 0x00000000
000FB634           xlnx,sram-chip-sel0 = 0x00000000
000FB644           xlnx,sram-chip-sel1 = 0x00000000
000FB654           ps7-nand@e1000000
000FB66C              compatible = xlnx,ps7-nand-1.00.a
000FB690              reg = E100000001000000
000FB6A4              xlnx,nand-clk-freq-hz = ♣??
000FB6B4              xlnx,nand-cycle-t0 = 0x0000000F
000FB6C4              xlnx,nand-cycle-t1 = 0x0000000F
000FB6D4              xlnx,nand-cycle-t2 = 0x00000007
000FB6E4              xlnx,nand-cycle-t3 = 0x00000007
000FB6F4              xlnx,nand-cycle-t4 = 0x00000007
000FB704              xlnx,nand-cycle-t5 = 0x00000007
000FB714              xlnx,nand-cycle-t6 = 0x0000000F
000FB724              xlnx,nand-width = 0x00000008
000FB734              #address-cells = 0x00000001
000FB744              #size-cells = 0x00000001
000FB754              partition@0x0
000FB768                 label = boot
000FB77C                 gw_part_type = 0x00000001
000FB78C                 reg = 00000000001C0000
000FB7A4              partition@0x1c0000
000FB7BC                 label = devtree
000FB7D0                 gw_part_type = 0x00000002
000FB7E0                 reg = 001C000000020000
000FB7F8              partition@0x1e0000
000FB810                 label = env
000FB820                 gw_part_type = 0x00000000
000FB830                 reg = 001E000000020000
000FB848              partition@0x200000
000FB860                 label = fpga-core
000FB878                 gw_part_type = 0x0000000B
000FB888                 reg = 0020000000080000
000FB8A0              partition@0x280000
000FB8B8                 label = kernel
000FB8CC                 gw_part_type = 0x00000014
000FB8DC                 reg = 0028000000300000
000FB8F4              partition@0x580000
000FB90C                 label = rootfs
000FB920                 gw_part_type = 0x0000001E
000FB930                 reg = 0058000002E40000
000FB948              partition@0x33C0000
000FB960                 label = user
000FB974                 gw_part_type = 0x00000064
000FB984                 reg = 033C000003C40000
000FB9A4        ps7-spi@e0006000
000FB9BC           clock-names = ref_clk
000FB9DC           clocks =
000FB9F8           compatible = xlnx,ps7-spi-1.00.a
000FBA18           interrupt-parent = 0x00000002
000FBA28           interrupts = 000000000000001A00000004
000FBA40           num-chip-select = 0x00000002
000FBA50           reg = E000600000001000
000FBA64           #address-cells = 0x00000000
000FBA74           #size-cells = 0x00000001
000FBA88        ps7-ttc@f8001000
000FBAA0           clocks =
000FBAB4           compatible = xlnx,ps7-ttc-1.00.a
000FBAE0           interrupt-names = ttc0
000FBAFC           interrupt-parent = 0x00000002
000FBB0C           interrupts = 000000000000000A00000004000000000000000B00000004000000000000000C00000004
000FBB3C           reg = F800100000001000
000FBB54        serial@e0001000
000FBB68           clock-names = ref_clk
000FBB88           clocks =
000FBBA4           compatible = xlnx,ps7-uart-1.00.a
000FBBD4           current-speed = 0x0001C200
000FBBE4           device_type = serial
000FBBF8           interrupt-parent = 0x00000002
000FBC08           interrupts = 000000000000003200000004
000FBC20           port-number = 0x00000000
000FBC30           reg = E000100000001000
000FBC44           xlnx,has-modem = 0x00000000
000FBC58        ps7-usb@e0002000
000FBC70           clocks =
000FBC84           compatible = xlnx,ps7-usb-1.00.a
000FBCA4           dr_mode = otg
000FBCB4           interrupt-parent = 0x00000002
000FBCC4           interrupts = 000000000000001500000004
000FBCDC           phy_type = ulpi
000FBCF0           reg = E000200000001000
000FBD04           xlnx,usb-reset = ????
000FBD18        ps7-usb@e0003000
000FBD30           clocks =
000FBD44           compatible = xlnx,ps7-usb-1.00.a
000FBD64           dr_mode = host
000FBD78           interrupt-parent = 0x00000002
000FBD88           interrupts = 000000000000002C00000004
000FBDA0           phy_type = ulpi
000FBDB4           reg = E000300000001000
000FBDC8           xlnx,usb-reset = ????
000FBDDC        ps7-xadc@f8007100
000FBDF4           clocks =
000FBE08           compatible = xlnx,ps7-xadc-1.00.a
000FBE2C           interrupt-parent = 0x00000002
000FBE3C           interrupts = 000000000000000700000004
000FBE54           reg = F800710000000020
000FBE6C        gw-lcdc@88800000
000FBE84           compatible = gw,gds-lcdc
000FBE9C           reg = 8880000000002000
000FBEB0           num-of-layers = 0x00000003
000FBEC0           row-stride = 0x00000320
000FBED0           column-stride = 0x000005A0
000FBEE0           use-background = 0x00000000
000FBEF0           buffer-0-offset = 0x00000000
000FBF00           layer-0-data-width = 0x00000010
000FBF10           layer-0-offset = 0x00000000
000FBF20           vmem-baseaddr = ?
000FBF30           vmem-highaddr = ???
000FBF44        gds_video_params
000FBF5C           pixel-component-format = RGB
000FBF6C           pixel-component-layer =
000FBF80           active-layer = 0x00000000
000FBF90           videomode = 800x480
000FBFA4           800x480
000FBFB0              refresh = 0x0000003C
000FBFC0              xres = 0x00000320
000FBFD0              yres = 0x000005A0
000FBFE0              vmode = 0x00000000
000FBFF4           800x600
000FC000              refresh = 0x0000003C
000FC010              xres = 0x00000320
000FC020              yres = 0x00000708
000FC030              vmode = 0x00000000
000FC048        gds_wfrm_swctl
000FC05C           compatible = gw,gds-wfrm-swctl
000FC07C           seginfo-base = ☼??
000FC08C           channel-source = ch1
000FC0CC        gds_iofpga
000FC0DC           compatible = gw,gds-iofpga
000FC0F8           iofpga-base = x??
000FC108           dvr0
000FC114              compatible = gds-iofpga,ad5207
000FC134              dev-id = 0x00000000
000FC144              create-dev-node = 0x00000001
000FC158           dvr1
000FC164              compatible = gds-iofpga,ad5207
000FC184              dev-id = 0x00000001
000FC194              create-dev-node = 0x00000001
000FC1A8           dvr2
000FC1B4              compatible = gds-iofpga,ad5207
000FC1D4              dev-id = 0x00000002
000FC1E4              create-dev-node = 0x00000001
000FC1F8           dvr3
000FC204              compatible = gds-iofpga,ad5207
000FC224              dev-id = 0x00000003
000FC234              create-dev-node = 0x00000001
000FC248           adc
000FC250              compatible = gds-iofpga,hmcad1511
000FC274              dev-id = 0x00000004
000FC284              create-dev-node = 0x00000001
000FC298           vco
000FC2A0              compatible = gds-iofpga,adf4360
000FC2C0              dev-id = 0x00000006
000FC2D0              create-dev-node = 0x00000001
000FC2E4           sensor
000FC2F0              compatible = gds-iofpga,lm95071
000FC310              dev-id = 0x00000007
000FC320              create-dev-node = 0x00000001
000FC334           led
000FC33C              compatible = gds-iofpga,gds_led
000FC35C              dev-id = 0x00000008
000FC36C              create-dev-node = 0x00000001
000FC380           fram
000FC38C              compatible = gds-iofpga,fm25cl
000FC3AC              dev-id = 0x00000009
000FC3BC              create-dev-node = 0x00000001
000FC3D0           fe
000FC3D8              compatible = gds-iofpga,gds1000b_fe
000FC3FC              dev-id = 0x0000000E
000FC40C              create-dev-node = 0x00000001
End of file!
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #220 on: January 16, 2021, 04:30:22 am »
dude! you gotta share that parser of yours, it's pretty neat!
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #221 on: January 16, 2021, 06:54:25 pm »
Some basic info about the Lua App plugins:

The app consists of at least 4 files:
Code:
[app.png]        -- App Icon
[app.lua]         -- App main lua file
[app.txt] -- App Description
[app.inf] -- App install information (more below)

First of all, we need a script to swap the nibbles of 2 files:
1- app.txt
2- app.inf

I've created a simple nibbleswap.py Python script that does that. For some reason, GW people thought of this as a way to obfuscate the app's info.

The app needs to be GunZipped in a folder with the app's name, just like the examples from the website or the SSH app I wrote as an example.

The [app.txt] is a brief explanation you see on the apps menu before opening the app.
The [app.inf] contains the install information with the following parameters:

Code:
[0x32453030] -- Fix value(most probably)
[0x03] -- App Id - must be unique among all apps (see below)
[0x0] -- UNKNOWN
[/home/dso/DigitalFilter] -- App install location
[DigitalFilter.png] -- App Icon
[DigitalFilter.lua] -- App main lua file
[DigitalFilter.txt] -- App Description
[DigitalFilter.log] -- App log (not sure what the use is)?
[0x0] -- App run mode - 0x3-> embedded(not lua -> e.g. DVM , DataLog) , 0x0 -> from app lua file.
[0x1] -- UNKNOWN
[0x1] -- App uninstall-able flag. setting to 0 disables uninstall!
[V0.00] -- App version. increasing this seems to install another app apparently.


The App Ids already occupied are:
Code:
0 - Go-nogo
1 - DVM
2 - DataLog
3 - [empty]
4 - [empty]
5 - DigitalFilter
So if you install the GW website apps you can't use the 0,1,2 and 5 for the ID parameter.
I've used #3 for the SSH app.

Some more notes:

Editing .inf files from SSH has no effect. The app has to be uninstalled and installed again.
Installed information is stored in /home/dso/lua/NewLuaAPPInfo.txt
Removing it and creating an empty file causes all apps to be removed from the menu (excluding the GO_NOGO app).

As an example of what can be done with Lua, you can see the GO_NOGO.lua file, which gives a pretty good understanding of how the app runs. The exposed Lua functions are in the /home/dso/lua directory. Also, I think doing reflection-like programming can give more insight into what functions are available on the Lua side.
 
The following users thanked this post: nctnico
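The nibble swap and the app.inf field order from the post above, as an added Python example (it is not the nibbleswap.py attached to the thread). It assumes the decoded file holds one value per line in the listed order; the field names and the sample file are constructed for illustration.

```python
# Added example: codec and sanity checks for the nibble-swapped app.inf / app.txt.
# Assumption: after decoding, app.inf is ASCII with one value per line, in the
# order given in the post. Field names below are labels made up for this example.

INF_FIELDS = (
    "magic", "app_id", "unknown_a", "install_dir", "icon", "main_lua",
    "description", "log", "run_mode", "unknown_b", "uninstallable", "version",
)
EXPECTED_MAGIC = 0x32453030   # "fix value (most probably)" per the post
OCCUPIED_IDS = {0: "Go-nogo", 1: "DVM", 2: "DataLog", 5: "DigitalFilter"}
RUN_MODES = {0x0: "from app lua file", 0x3: "embedded"}


def nibble_swap(data: bytes) -> bytes:
    """Exchange the high and low 4 bits of every byte.

    There is no key and the transform is its own inverse, so the same call
    decodes a file and re-encodes an edited one. It hides the text from a
    casual look but gives no confidentiality or integrity protection.
    """
    return bytes(((b & 0x0F) << 4) | (b >> 4) for b in data)


def parse_inf(obfuscated: bytes) -> dict:
    """Decode an app.inf and map its lines onto the field order from the post."""
    text = nibble_swap(obfuscated).decode("ascii")
    values = [line.strip() for line in text.splitlines() if line.strip()]
    if len(values) != len(INF_FIELDS):
        raise ValueError("expected %d fields, found %d" % (len(INF_FIELDS), len(values)))
    return dict(zip(INF_FIELDS, values))


def build_inf(fields: dict) -> bytes:
    """Serialise the fields back to the obfuscated on-disk form."""
    text = "\n".join(fields[name] for name in INF_FIELDS) + "\n"
    return nibble_swap(text.encode("ascii"))


def check_inf(fields: dict) -> list:
    """Return the problems the post warns about; an empty list means none found."""
    problems = []
    if int(fields["magic"], 16) != EXPECTED_MAGIC:
        problems.append("magic is not 0x32453030")
    app_id = int(fields["app_id"], 16)
    if app_id in OCCUPIED_IDS:
        problems.append("app id %d is already used by %s" % (app_id, OCCUPIED_IDS[app_id]))
    if int(fields["run_mode"], 16) not in RUN_MODES:
        problems.append("run mode %s is not 0x0 or 0x3" % fields["run_mode"])
    if int(fields["uninstallable"], 16) == 0:
        problems.append("uninstall flag is 0: uninstall is disabled")
    return problems


# Constructed sample: the values from the parameter list in the post.
SAMPLE_PLAIN = "\n".join([
    "0x32453030", "0x03", "0x0", "/home/dso/DigitalFilter", "DigitalFilter.png",
    "DigitalFilter.lua", "DigitalFilter.txt", "DigitalFilter.log",
    "0x0", "0x1", "0x1", "V0.00",
]) + "\n"
SAMPLE_INF = nibble_swap(SAMPLE_PLAIN.encode("ascii"))

if __name__ == "__main__":
    fields = parse_inf(SAMPLE_INF)
    for name in INF_FIELDS:
        print("%-14s %s" % (name, fields[name]))
    print("problems:", check_inf(fields) or "none")
```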

Offline kcbrown

  • Frequent Contributor
  • **
  • Posts: 880
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #222 on: February 04, 2021, 03:40:15 am »
I just got a brand new GDS-1054B with firmware 1.28 and I am running the code in the attached file. Yet it doesn't seem to accept these licenses. The unit gives me an error when I try all the options.

I may not have copied the ClearCode data correctly into the Javascript. I wasn't sure what the value for k should be. Can anyone help?

The file you attached is identical to what worked for me.  The serial number you enter is case-sensitive.  The serial number is what shows up on your scope in the dialog box that it shows when you hit Utility -> System -> System Info.  You should enter it exactly as that box shows, case and all. Mine was all upper-case, and worked correctly.

Note that the GDS-1054B will not accept the spectrum analyzer.  I didn't try any of the bandwidth keys because it looks like it's not going to have any effect, as it appears that the bandwidth is limited in hardware (see https://www.eevblog.com/forum/testgear/possible-gw-instek-gds-1000b-hack/msg3306636/#msg3306636).
 

Offline Grifto45

  • Newbie
  • Posts: 1
  • Country: ca
Re: Possible GW Instek GDS-1000B hack
« Reply #223 on: March 10, 2021, 01:35:01 am »
Hi I know it's been a while and I'm probably out of luck but is it still possible to hack it even after they locked the SSH access?
 

Offline ResistorRob

  • Regular Contributor
  • *
  • Posts: 115
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #224 on: March 10, 2021, 03:34:26 am »
Hi I know it's been a while and I'm probably out of luck but is it still possible to hack it even after they locked the SSH access?

I read the first 2 pages of replies and it said you could downgrade the Firmware to version 1.8. Hack it, and then update the firmware to current.
You might want to read all 9 pages to see what all the latest developments are.

The Instek scope I would really like to hack is their MDO 2000. I've seen 1 comment ever with a guy claiming he did it, but never a post saying how to do it!
If I could get a MDO 4 channel scope for $1,400 then do a free update to unlock the 200MHz and all the decoding that would be very tempting indeed!
For my 10th Birthday I got a Fisher Price oscilloscope!
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #225 on: March 10, 2021, 05:46:32 am »
Hi I know it's been a while and I'm probably out of luck but is it still possible to hack it even after they locked the SSH access?

I read the first 2 pages of replies and it said you could downgrade the Firmware to version 1.8. Hack it, and then update the firmware to current.
You might want to read all 9 pages to see what all the latest developments are.

The Instek scope I would really like to hack is their MDO 2000. I've seen 1 comment ever with a guy claiming he did it, but never a post saying how to do it!
If I could get a MDO 4 channel scope for $1,400 then do a free update to unlock the 200MHz and all the decoding that would be very tempting indeed!
A different route is to buy a GDS2000-E series (IIRC there is a 4 channel 70MHz model) and enable the MDO feature. That will work.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #226 on: March 10, 2021, 07:12:10 am »
Hi I know it's been a while and I'm probably out of luck but is it still possible to hack it even after they locked the SSH access?

you can use my SSH enable app, however, the SSH has nothing to do with the license.

 
The following users thanked this post: tatel

Offline Mortymore

  • Frequent Contributor
  • **
  • Posts: 432
  • Country: pt
Re: Possible GW Instek GDS-1000B hack
« Reply #227 on: March 10, 2021, 11:50:25 am »
Hi I know it's been a while and I'm probably out of luck but is it still possible to hack it even after they locked the SSH access?

I read the first 2 pages of replies and it said you could downgrade the Firmware to version 1.8. Hack it, and then update the firmware to current.
You might want to read all 9 pages to see what all the latest developments are.

The Instek scope I would really like to hack is their MDO 2000. I've seen 1 comment ever with a guy claiming he did it, but never a post saying how to do it!
If I could get a MDO 4 channel scope for $1,400 then do a free update to unlock the 200MHz and all the decoding that would be very tempting indeed!
A different route is to buy a GDS2000-E series (IIRC there is a 4 channel 70MHz model) and enable the MDO feature. That will work.

And unlock it up to 300MHz, that's something that they don't even sell.
EDIT: Only 2000A series goes up to 300MHz, not the 2000E's ("officially" up to 200MHz)

« Last Edit: March 10, 2021, 12:04:13 pm by Mortymore »
 

Offline tatel

  • Frequent Contributor
  • **
  • Posts: 427
  • Country: es
Re: Possible GW Instek GDS-1000B hack
« Reply #228 on: April 19, 2021, 11:34:20 pm »
Got my GDS-1054B this afternoon. It has firmware 1.28. Serial decoding was already enabled. Firmware 1.29 just adds a couple translations so I'm leaving it out.

Downgrade wasn't needed. All done straight in FW 1.28.

Upgraded with the file posted by Mortymore (reply #83). Edited to change lines 26-27 so it gets the last clear code posted by wgoeo (reply #136)

Code:
a[0] = (a[0] + ((16 * a[1] + 0x19495CFF) ^ (a[1] + k) ^ ((a[1] >> 5) + 0x257130A3)))|0;
a[1] = (a[1] + ((16 * a[0] + 0x3D1B58BA) ^ (a[0] + k) ^ ((a[0] >> 5) + 0x74B0DC51)))|0;

Changes saved. Extension changed to .html. Loaded in web browser (up-to-date firefox). Worked like a charm.

SA option doesn't work. I wasn't expecting it to work, but after reading some previous post, I tried it. So it didn't work for me, either.

BW upgraded to 100 MHz. Segmented memory and search enabled, too.

Apps installed, too. Datalog, digital filter, DVM... and SSH (last one has been somewhat orgasmic) :-+

SSH app installed with Danymog's SSH.7z file posted in reply #226. However, I'm not sure how password reset is supposed to work. I tried setting a user password in I/O->ethernet menu, also resetting (to what?) password in SSH app, but I was unable to log in until I tried the password posted by wgoeo in reply #3

Now I'm in >:D

@Danymog: so now it's known how to write Lua apps that work in these scopes, I guess...  :clap:

Many thanks to all contributors.
 
The following users thanked this post: Mortymore

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #229 on: April 20, 2021, 05:58:42 pm »

Apps installed, too. Datalog, digital filter, DVM... and SSH (last one has been somewhat orgasmic) :-+

SSH app installed with Danymog's SSH.7z file posted in reply #226. However, I'm not sure how password reset is supposed to work. I tried setting a user password in I/O->ethernet menu, also resetting (to what?) password in SSH app, but I was unable to log in until I tried the password posted by wgoeo in reply #3

Now I'm in >:D

@Danymog: so now it's known how to write Lua apps that work in these scopes, I guess...  :clap:

Many thanks to all contributors.

Reset to wgoeo's password. I didn't state it intentionally. Also, you can choose a password of your choosing by editing the Lua file ;)
 

Offline tatel

  • Frequent Contributor
  • **
  • Posts: 427
  • Country: es
Re: Possible GW Instek GDS-1000B hack
« Reply #230 on: April 20, 2021, 09:09:22 pm »
Understood. Thank you!
 

Offline fbugallo

  • Newbie
  • Posts: 1
  • Country: ar
Re: Possible GW Instek GDS-1000B hack
« Reply #231 on: May 26, 2021, 03:10:33 pm »
Hello :),
I am from Argentina, I just bought the GDS-1202b equipment.
I have no previous experience with an oscilloscope.

It came with Firmware version 1.29.
The script works perfectly and enables all the functions except the one titled "fixed 4 measurement".
What is this function for?
can it be enabled?

Greetings.
 

Offline woodbinka

  • Newbie
  • Posts: 1
  • Country: cz
  • Wubba-lubba dub dub
Re: Possible GW Instek GDS-1000B hack
« Reply #232 on: July 17, 2021, 02:44:41 pm »
Hello there. I have a GW Instek 1104B and I wanted to install the hacks. I managed to downgrade to 1.12 (boy, the scope is picky with USB flashdiscs), install most of the licenses and upgrade back to 1.29 successfully. However I couldn't install the Spectrum Analyzer. Is there a way to get it working or is it simply not supported at all on 1104B?

Also is there a way to enable the Fix 4 Measurement setting?
 

Offline kcbrown

  • Frequent Contributor
  • **
  • Posts: 880
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #233 on: July 19, 2021, 05:34:42 pm »
Hello there. I have a GW Instek 1104B and I wanted to install the hacks. I managed to downgrade to 1.12 (boy, the scope is picky with USB flashdiscs), install most of the licenses and upgrade back to 1.29 successfully. However I couldn't install the Spectrum Analyzer. Is there a way to get it working or is it simply not supported at all on 1104B?

Looks to me like it's not supported at all.  I also attempted to install it and it failed.


Quote
Also is there a way to enable the Fix 4 Measurement setting?

I think I tried to do that as well and failed.  This is different from the DMM app, right?  It's been long enough that I just don't remember.

 
The following users thanked this post: nctnico

Offline rauldm

  • Regular Contributor
  • *
  • Posts: 155
  • Country: mx
Re: Possible GW Instek GDS-1000B hack
« Reply #234 on: March 25, 2022, 01:48:23 am »
I like this scope because it has arctan in math mode. I want to test a resolver sensor; this sensor has sin and cos outputs, and you can get the electrical angle with arctan(sin/cos). Has anyone tested this? Another interesting feature could be the filtering app. I have an Agilent DSOX2002A and it has a filter in Math mode, which is nice because with modulated signals like a VFD you can get the sine waveform, for example.
 

Offline meppr

  • Newbie
  • Posts: 3
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #235 on: March 25, 2022, 09:36:27 pm »
Does anyone know how to enable SSH on the GDS-2000E with latest firmware (1.42)?

I've tried the SSH.7z file from a few messages back but no luck.  Trying the .7z file directly I can't even select it to install; if I unpack that first and install the extracted .gz I get an error "App installation error! Please contact your dealer."

Feel like I'm missing something obvious  :-\

[EDIT] Figured it out, I needed to:

* unpack SSH.7z's contents into a folder called SSH
* run nibbleswap.py (earlier message) on SSH.inf
* Change the magic number on line 1 to 0x32453030
* Change the app Id on line 2, as it seems some more Ids have been used up (I used 0x20)
* run nibbleswap again to produce a new SSH.inf
* tar up SSH folder and call it SSH.gz

That then installed and works :D
« Last Edit: March 26, 2022, 12:53:03 am by meppr »
 
The following users thanked this post: edavid

Offline mjgillen

  • Newbie
  • Posts: 5
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #236 on: May 23, 2022, 05:27:31 pm »
Hey guys, I've had my GW Instek GDS-1054B for about a year and am just now getting around to the hacks in this thread. Thank you very much to all that contributed!

I installed the license keys one at a time, restarting in between, and I noticed something weird. If I left the USB stick in when I powered back on, I got the "error loading license check license version" error; however, if I left it out and inserted it after I was in the File menu, it worked just fine with no error. Weird stuff I just wanted to mention in case anyone else ran into this issue.

My system is a Mac Mini running the latest (as of this post) macOS Monterey v12.3.1 and using the default Safari browser. So if anyone wants to know whether this process will run on a Mac: yes, it does.

Cheers!
Michael
 

Offline silar

  • Contributor
  • Posts: 10
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #237 on: July 27, 2022, 01:52:52 am »
Got my GDS-1054B this afternoon. It has firmware 1.28. Serial decoding was already enabled. Firmware 1.29 just adds a couple translations so I'm leaving it out.

Downgrade wasn't needed. All done straight in FW 1.28.

Upgraded with the file posted by Mortymore (reply #83). Edited to change lines 26-27 so it gets the last clear code posted by wgoeo (reply #136)

Code:
a[0] = (a[0] + ((16 * a[1] + 0x19495CFF) ^ (a[1] + k) ^ ((a[1] >> 5) + 0x257130A3)))|0;
a[1] = (a[1] + ((16 * a[0] + 0x3D1B58BA) ^ (a[0] + k) ^ ((a[0] >> 5) + 0x74B0DC51)))|0;

Changes saved. Extension changed to .html. Loaded in web browser (up-to-date firefox). Worked like a charm.

SA option doesn't work. I wasn't expecting it to work, but after reading some previous post, I tried it. So it didn't work for me, either.

BW upgraded to 100 MHz. Segmented memory and search enabled, too.

Apps installed, too. Datalog, digital filter, DVM... and SSH (last one has been somewhat orgasmic) :-+

SSH app installed with Danymog's SSH.7z file posted in reply #226. However, I'm not sure how password reset is supposed to work. I tried setting a user password in I/O->ethernet menu, also resetting (to what?) password in SSH app, but I was unable to log in until I tried the password posted by wgoeo in reply #3

Now I'm in >:D

@Danymog: so now it's known how to write Lua apps that work in these scopes, I guess...  :clap:

Many thanks to all contributors.

Followed this and all worked correctly on a GDS-1054B with 1.29 firmware.
 

Offline ufpl

  • Newbie
  • Posts: 2
  • Country: ar
Re: Possible GW Instek GDS-1000B hack
« Reply #238 on: October 03, 2022, 04:48:16 am »
Hi, I want to buy a GDS-1072B. Can it be upgraded to 200 MHz?
 

Offline idolclub

  • Regular Contributor
  • *
  • Posts: 57
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #239 on: November 21, 2022, 10:54:03 pm »
GW Instek GDS-1000B New Firmware v1.30 ~ 2022-11-21

Release Notes:

1. Updated Russian translation.

2. Fixed the issue that the data is not synchronized when the "DataLog" function saves pictures and waveforms together. 

3. Fixed the FFT calculation when the memory length is 1k.

4. Fixed the related SCPI return string of measurement function.

5. Improved internal memory usage.

6. The EXT trigger level is limited to +/-2.5V (specification revision).

7. Updated the display issue of the attenuation factor.

8. Fixed an issue with the "Math" function in calculating values containing Deskew value.

9. The Vertical scale display changed to 3 digits (supplemental change).

 

Offline tatel

  • Frequent Contributor
  • **
  • Posts: 427
  • Country: es
Re: Possible GW Instek GDS-1000B hack
« Reply #240 on: February 08, 2023, 10:34:17 am »
There are contradictory reports about GDS1054B bandwidth on this thread. So I got one of Leo Bodnar's pulsers, just because curiosity got the best of me.

I tried the pulser on my improved GDS1054B. Used 50R inline termination. 1x attenuation. Capture is attached.

Since I'm not sure I did it all right, if you have any suggestions, I will try to put them into practice. I'm in a hurry now, I have to get out for some days, but I'll do it once back at home.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Possible GW Instek GDS-1000B hack
« Reply #241 on: February 08, 2023, 10:44:22 am »
How old is your GDS1054B?

Maybe older ones "upgrade" better.
 

Offline tatel

  • Frequent Contributor
  • **
  • Posts: 427
  • Country: es
Re: Possible GW Instek GDS-1000B hack
« Reply #242 on: February 08, 2023, 11:19:08 am »
Got it on April 19, 2021. You can see my report a few posts above this.
 

Offline 2N3055

  • Super Contributor
  • ***
  • Posts: 6446
  • Country: hr
Re: Possible GW Instek GDS-1000B hack
« Reply #243 on: February 08, 2023, 11:59:56 am »
Quote
There are contradictory reports about GDS1054B bandwidth on this thread. So I got one of Leo Bodnar's pulsers, just because curiosity got the best of me.

I tried the pulser on my improved GDS1054B. Used 50R inline termination. 1x attenuation. Capture is attached.

Since I'm not sure I did it all right, if you have any suggestions, I will try to put them into practice. I'm in a hurry now, I have to get out for some days, but I'll do it once back at home.

2.8 ns risetime is 100MHz+ BW ... We can safely assume it is not 50 MHz anymore... You did unlock something...
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Possible GW Instek GDS-1000B hack
« Reply #244 on: February 08, 2023, 12:10:26 pm »
Quote
2.8 ns risetime is 100MHz+ BW ... We can safely assume it is not 50 MHz anymore... You did unlock something...

I'd zoom in as far as possible to make sure the number is accurate.
 

Offline tatel

  • Frequent Contributor
  • **
  • Posts: 427
  • Country: es
Re: Possible GW Instek GDS-1000B hack
« Reply #245 on: February 15, 2023, 07:29:58 pm »
I'm back at home. Just calibrated the scope and got some screenshots

@ fungus: By zooming, I guess you mean to have the lowest timing per division, am I right?

I see rise time oscillating between 2,9 and 3,2 ns on all channels.

The more channels I activate, the (much) worse rise times... 5 ns and more with all channels activated? I could gladly take more screenshots if (any of) you have more suggestions

Screenshots attached
 

Offline tatel

  • Frequent Contributor
  • **
  • Posts: 427
  • Country: es
Re: Possible GW Instek GDS-1000B hack
« Reply #246 on: February 15, 2023, 09:56:16 pm »
FW 1.31 available:

Version 1.31
The channel's deskew range are expanded to +/- 1us.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Possible GW Instek GDS-1000B hack
« Reply #247 on: February 15, 2023, 10:16:59 pm »
Quote
The more channels I activate, the (much) worse rise times... 5 ns and more with all channels activated? I could gladly take more screenshots if (any of) you have more suggestions

more channels = lower sample rate.
 

Offline tatel

  • Frequent Contributor
  • **
  • Posts: 427
  • Country: es
Re: Possible GW Instek GDS-1000B hack
« Reply #248 on: February 16, 2023, 11:17:55 am »
Quote
more channels = lower sample rate.

Yep.

Anyway I think 3,2 ns rise time means bandwidth could be a little > 100 MHz. It would agree with numbers reported by TK in reply #110 https://www.eevblog.com/forum/testgear/possible-gw-instek-gds-1000b-hack/msg2378559/#msg2378559
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #249 on: March 12, 2023, 04:51:44 pm »
Quote
FW 1.31 available:

Version 1.31
The channel's deskew range are expanded to +/- 1us.

Is it me or is their website download speed super slow?! Can you upload the 1.31 firmware somewhere please?
 

Offline coromonadalix

  • Super Contributor
  • ***
  • Posts: 5795
  • Country: ca
Re: Possible GW Instek GDS-1000B hack
« Reply #250 on: March 12, 2023, 05:32:00 pm »
their registration sucks

shared folder here
https://uploadnow.io/f/K39prWR

7 days before it dies
 

Offline danymogh

  • Regular Contributor
  • *
  • Posts: 51
  • Country: ge
Re: Possible GW Instek GDS-1000B hack
« Reply #251 on: March 14, 2023, 03:08:53 pm »
Quote
their registration sucks

shared folder here
https://uploadnow.io/f/K39prWR

7 days before it dies

The website doesn't fully load. Can you please upload to mega.nz?
 

Offline tatel

  • Frequent Contributor
  • **
  • Posts: 427
  • Country: es
Re: Possible GW Instek GDS-1000B hack
« Reply #252 on: April 10, 2023, 01:15:02 pm »
Just got some Testec TT-LF 312 150 MHz-rated probes. Compared against GTP-070B-4 that came with my oscilloscope. AWG is upgraded Rigol DG811. HighZ was on, attenuation was 10x, probes were connected to DG811 via BNC adapters that came with Testec probes. Oscilloscope was calibrated for SPC and vertical accuracy just before the test, and probes compensated.

It turns out that original GW Instek probe seems to hit -3dB at about 65 MHz. So I guess anyone looking to upgrade GDS1054B should think about getting new probes. Testec one seems to hit -3dB at 85 MHz, which is odd. I guess upgraded DG811 (lack of) calibration above 60 MHz is to be blamed for that. What do you guys think?

@danymogh: Did you get 1.31 firmware?
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #253 on: April 10, 2023, 02:42:22 pm »
Probes are always tested from a 25 Ohm source. So put a 50 terminator on the generator and set it to 50 Ohm. But if you want to measure the GDS-1000B's bandwidth, you need to use a 50 Ohm feedthrough terminator and BNC cable. Otherwise you include the probe which isn't the goal of the measurement.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline tatel

  • Frequent Contributor
  • **
  • Posts: 427
  • Country: es
Re: Possible GW Instek GDS-1000B hack
« Reply #254 on: April 10, 2023, 06:41:17 pm »
Quote
Probes are always tested from a 25 Ohm source.

Wow. This really has puzzled me. Right now I can't understand why probes are tested at 25 Ohm. I just did a fast Google search but results are unsatisfactory, first of all, because I can't find any explanation about why testing probes should be done at 25 Ohm output impedance, but also because I see three testing methods mentioned:

a) use a VNA. I don't have that thing, which seems to be expensive, and it's said it doesn't add up very well with the need to have 1 Mohm termination. Also not sure if the same nuance applies to my AWG output impedance if set at 25 or 50 Ohm.

b) quote:  "to use a sine wave source, splitter, and power meter to sweep the response. This method requires a remote interface such as GPIB or USB and programing skills in MATLAB". Well both my oscilloscope and AWG can be controlled from my PC and I could learn some MATLAB programming. But the part about "splitter and power meter" isn't clear to me. BTW, wouldn't this be something like curve tracing?

c) the "easy way", quote: "utilizing only an oscilloscope with a built-in step signal source, and ‘differentiate’ and ‘FFT’ functions". Well I'm not sure if my oscilloscope has that step signal source.

Either way, it turns out that testing probe's bandwidth is not as easy a task as I thought it would be. But perhaps this is all moot, since I found that equation about system bandwidth. So, if my oscilloscope's bandwidth after upgrading is 109 MHz  (3,2 ns worst case rise time) and probe's bandwidth is 150 MHz, then system bandwidth would be 88 MHz, which looks a lot like the result in the previous post.

Now, perhaps I should have ordered 300 MHz probes instead? After the equation, it looks like this could put my system near the 100 MHz bandwidth. |O |O |O Not sure about that. Well, I learned from my father that there is no better experience than the one you pay with your own money. You can be sure this lesson will not be forgotten  :-DD

Quote
So put a 50 terminator on the generator and set it to 50 Ohm.

I guess this makes a voltage divider to get that 25 Ohm output impedance. Done. See attachment. Terminators are feedthrough. However DG811's output impedance can be set to 25 Ohm directly. Wouldn't that be easier/simpler? Not a big difference with the previous result anyway

Quote
But if you want to measure the GDS-1000B's bandwidth, you need to use a 50 Ohm feedthrough terminator and BNC cable. Otherwise you include the probe which isn't the goal of the measurement.

No, I did measure risetime some posts ago and took that as oscilloscope's bandwidth. Now I was testing just the new probes. It turns out that I found system's bandwidth instead. It looks like DG811's calibration above 60 MHz isn't that bad after all.

Thank you very much for this piece of information. May I ask for some link you consider relevant? Preferably one whose author foresaw having Forrest Gump in the classroom. This is what I have consulted so far:

https://edadocs.software.keysight.com/kkbopen/how-can-you-avoid-selecting-an-oscilloscope-probe-with-the-wrong-bandwidth-587208673.html
http://www.oscopes.info/background/1808-a-simple-method-to-verify-the-bandwidth-of-your-probe
https://download.tek.com/document/60W_18324_0_0.pdf

« Last Edit: April 10, 2023, 06:43:58 pm by tatel »
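
The rise-time and system-bandwidth arithmetic from the post above, as an added example that is not part of the original thread. It assumes the 0.35 rise-time/bandwidth rule of thumb and root-sum-of-squares combination of scope and probe; all function names are hypothetical and the step waveform is constructed sample data.

```python
import math

# Assumption: 0.35 rise-time/bandwidth product of a single-pole response,
# the rule of thumb consistent with the thread's "3.2 ns -> 109 MHz".
K = 0.35

def bandwidth_from_rise_time(t_rise_s):
    """-3 dB bandwidth in Hz from a 10-90 % rise time in seconds."""
    return K / t_rise_s

def system_bandwidth(*bandwidths_hz):
    """Combine cascaded stages (scope, probe, ...) by root-sum-of-squares."""
    return 1.0 / math.sqrt(sum(1.0 / b ** 2 for b in bandwidths_hz))

def required_probe_bandwidth(scope_bw_hz, target_bw_hz):
    """Probe bandwidth needed so scope plus probe reaches target_bw_hz."""
    if target_bw_hz >= scope_bw_hz:
        raise ValueError("system bandwidth cannot reach the scope's own bandwidth")
    return 1.0 / math.sqrt(1.0 / target_bw_hz ** 2 - 1.0 / scope_bw_hz ** 2)

def crossing_time(times, volts, level):
    """First time the rising edge crosses level, linearly interpolated."""
    for i in range(1, len(times)):
        if volts[i - 1] < level <= volts[i]:
            frac = (level - volts[i - 1]) / (volts[i] - volts[i - 1])
            return times[i - 1] + frac * (times[i] - times[i - 1])
    raise ValueError("level not crossed")

def rise_time_10_90(times, volts):
    """10-90 % rise time of a sampled step; first/last samples set 0 %/100 %."""
    low, span = volts[0], volts[-1] - volts[0]
    return (crossing_time(times, volts, low + 0.9 * span)
            - crossing_time(times, volts, low + 0.1 * span))

def constructed_step(t_rise_s, dt_s, n):
    """Constructed sample data: ideal single-pole step with the given rise time."""
    tau = t_rise_s / math.log(9)          # 10-90 % rise time = tau * ln(9)
    times = [i * dt_s for i in range(n)]
    return times, [1.0 - math.exp(-t / tau) for t in times]

if __name__ == "__main__":
    times, volts = constructed_step(3.2e-9, 0.1e-9, 400)
    scope_bw = bandwidth_from_rise_time(rise_time_10_90(times, volts))
    print("scope alone: %.0f MHz" % (scope_bw / 1e6))
    for probe in (150e6, 300e6):
        total = system_bandwidth(scope_bw, probe)
        print("with %.0f MHz probe: %.0f MHz" % (probe / 1e6, total / 1e6))
    print("probe for 100 MHz system: %.0f MHz" % (required_probe_bandwidth(scope_bw, 100e6) / 1e6))
```
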
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26751
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #255 on: April 10, 2023, 06:58:18 pm »
Quote
However DG811's output impedance can be set to 25 Ohm directly. Wouldn't that be easier/simpler? Not a big difference with the previous result anyway
That is because the DG811's output impedance will remain at 50 Ohm like most function generators. The only thing the output impedance setting changes is the scaling of the amplitude shown on the display.
 

Offline jcortina

  • Newbie
  • Posts: 1
  • Country: es
Re: Possible GW Instek GDS-1000B hack
« Reply #256 on: July 02, 2023, 02:29:01 pm »
Has anyone tried the KG on the GDS-3000 family?

I have an IDS-3154 with firmware v1.29 and had no luck trying to enable the bus feature.

Any feedback would be very helpful!

Thanks.
 

