Author Topic: Possible GW Instek GDS-1000B hack  (Read 72898 times)

0 Members and 1 Guest are viewing this topic.

Offline wgoeoTopic starter

  • Contributor
  • Posts: 10
  • Country: 00
Possible GW Instek GDS-1000B hack
« on: July 10, 2017, 08:02:10 am »
From the old brochure here, options such as serial bus decode, waveform search, and segmented memory are mentioned. But in the newest brochure in the GW Instek site, the options part is removed. I wonder why they stopped advertising that feature.

I looked at the 1.12 firmware I got here. It seems like the options and bandwidth upgrades (up to 300 MHz) can be unlocked using a file in a USB drive. I was wondering if someone is willing to share the newer firmware update (in case the unlock feature is removed) and possibly test the unlock files.

To those who want to do their own analysis, I included a Python script that extracts the files inside a .upg file. Run python extract.py [upg file]; the extracted files will be in the extract directory. You will then see the following:

boot.bin (u-boot)
kernel.img (Linux kernel)
rootfs.img (UBI image)
fpga-core.gz
gds1000b.elf

You can use UBI reader to extract the files from the UBI image.

Code: [Select]
from __future__ import print_function
import sys
import os
import os.path
import struct

OUTDIR = 'extract'

try:
os.mkdir(OUTDIR)
except:
pass

f = open(sys.argv[1], 'rb')
assert f.read(4) == b'\xA5UPG'
f.seek(32)

while True:
assert f.read(4)[:2] == b'GW'
file_size, section_size = struct.unpack('<LL', f.read(8))
file_name = f.read(20).strip(b'\x00')[1:].decode('ascii')
print(file_name, file_size)
open(os.path.join(OUTDIR, file_name), 'wb').write(f.read(file_size))
if section_size != 0xffffffff:
f.seek(section_size - file_size, os.SEEK_CUR)
else:
break
 
The following users thanked this post: saturation, Mortymore, danymogh, tatel, WI_Hedgehog

Online nctnico

  • Super Contributor
  • ***
  • Posts: 26755
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #1 on: July 10, 2017, 08:19:13 am »
Interesting!
What would be more usefull is to figure out how to write your own add-on applications for these scopes.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline saturation

  • Super Contributor
  • ***
  • Posts: 4787
  • Country: us
  • Doveryai, no proveryai
    • NIST
Re: Possible GW Instek GDS-1000B hack
« Reply #2 on: July 10, 2017, 07:00:16 pm »
NICE!!! Looking forward to seeing your results.
Best Wishes,

 Saturation
 

Offline wgoeoTopic starter

  • Contributor
  • Posts: 10
  • Country: 00
Re: Possible GW Instek GDS-1000B hack
« Reply #3 on: July 14, 2017, 11:25:44 am »
Looking for volunteers who would like to test the license generator on their GDS-1000B oscilloscope

I haven't tried this on a real scope since I don't have one. The instructions below are what I would do if I had access. Also your unit may be damaged. Proceed at your own risk and only if you are familiar with messing around a Linux shell.

First make a backup of /home/dso. Do this by connecting to the scope via ssh. Username is root, password is rd2423 (thank you wer). Insert a USB drive, then check that the drive is mounted by listing the files:

ls /mnt/usb

Backup the /home/dso directory to your USB drive:

cd /home
tar cf /mnt/usb/homedso.tar dso
sync


Eject the USB drive then check the homedso.tar.gz file.

Download the attached file named lis.txt, rename it to lis.html, then open it in a browser. Enter the serial number of your unit, click "Generate", then you will be presented with several links. Download them to your USB drive, then insert the drive back to the scope.

Open a .lis file in File Utilities. I'm not sure what happens next, but I think there should be some message. I suggest trying Serial Decode first, then see if that feature will appear. For the bandwidth upgrades, do some rise time/bandwidth tests before and after the upgrade.

I think it is sufficient to restore the /home/dso/OptionConf file if you want to remove the installed licenses.
« Last Edit: July 14, 2017, 02:31:52 pm by wgoeo »
 
The following users thanked this post: saturation, Mortymore, planner29, tatel

Online nctnico

  • Super Contributor
  • ***
  • Posts: 26755
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #4 on: July 14, 2017, 04:27:33 pm »
Maybe we should turn this into a more generic GW Instek Zync scope hacking thread. The root password also works on my GDS2204E!
I've been browsing around a bit and found some interesting things like FRA (bode plot) which is likely applicable for the MSO2000 series. There are also quite a few Lua scripts floating around.
« Last Edit: July 14, 2017, 04:50:01 pm by nctnico »
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 
The following users thanked this post: saturation, Mortymore

Online nctnico

  • Super Contributor
  • ***
  • Posts: 26755
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #5 on: November 24, 2017, 11:54:46 pm »
Small update: it seems GW Instek has shut the SSH server down in the most recent firmware updates. I guess they are reading EEVblog!
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16561
  • Country: 00
Re: Possible GW Instek GDS-1000B hack
« Reply #6 on: November 25, 2017, 09:13:41 am »
Small update: it seems GW Instek has shut the SSH server down in the most recent firmware updates. I guess they are reading EEVblog!

Imagine how many they'd sell if it were hackable...   :palm:
 
The following users thanked this post: WI_Hedgehog

Online nctnico

  • Super Contributor
  • ***
  • Posts: 26755
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #7 on: November 25, 2017, 11:27:37 am »
Small update: it seems GW Instek has shut the SSH server down in the most recent firmware updates. I guess they are reading EEVblog!
Imagine how many they'd sell if it were hackable...   :palm:
Well you don't need to have SSH access to get software onto the scope. The way the firmware packages are put together is quite straightforward and it looks like it is quite possible to write plugins using Lua which add extra functions originally not present in the firmware. I don't know how that works exactly -yet-. Besides that I think it might even be possible to create a firmware update package which enables the SSH login again.
« Last Edit: November 25, 2017, 12:13:52 pm by nctnico »
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline wgoeoTopic starter

  • Contributor
  • Posts: 10
  • Country: 00
Re: Possible GW Instek GDS-1000B hack
« Reply #8 on: December 23, 2017, 03:07:30 pm »
Besides that I think it might even be possible to create a firmware update package which enables the SSH login again.
I think it's possible. I was also working on running arbitrary commands using the upgrade mechanism and maybe the ssh daemon can be started using that.

Also the changelog for 1.19 has
Quote
3.Updated the License encoding rule
Not sure what exactly changed but I guess they don't want us hacking their scopes.

By the way, did anyone try the license generator on 1.18 or below?
 
The following users thanked this post: planner29

Offline samsonx

  • Newbie
  • Posts: 1
  • Country: us
Re: Possible GW Instek GDS-1000B hack
« Reply #9 on: March 20, 2018, 07:37:48 pm »
@wgoeo: I have been playing around with the linux image on my GDS-1054B and was curious if you had a py script to repackage a directory to a upg file - perhaps we can run arbitrary commands via that mechanism? 

I have successfully cross-compiled some code as a test

, though not very useful :) .

Thanks,
Sam
 
The following users thanked this post: saturation, SWR, DaJMasta, planner29, WI_Hedgehog

Online nctnico

  • Super Contributor
  • ***
  • Posts: 26755
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #10 on: March 20, 2018, 08:06:08 pm »
, though not very useful :) .
Still more than cool!  :-+  :-+
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 
The following users thanked this post: saturation, samsonx

Offline SWR

  • Regular Contributor
  • *
  • Posts: 125
  • Country: dk
  • Without engineering science is just philosophy.
Re: Possible GW Instek GDS-1000B hack
« Reply #11 on: April 07, 2018, 08:48:22 pm »
Very cool indeed! :-+ :-+
You should never go down on equipment!
 

Offline killingtime

  • Regular Contributor
  • *
  • Posts: 144
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #12 on: April 08, 2018, 09:14:28 pm »
Hello  wgoeo,

Thank you for posting this. Very helpful. I can confrim the html file generator works (bus and search) with firmware version 1.18.

Some general questions for 1000B series owners that have 'upgraded' if I may...

1) Has anyone managed to find the power analysis option? I can't find it on the Apps or Options menu even though the .lis file successfully loaded.
2) Does anyone know how to enable the 'option' button (below the 'menu off' button next to the 'scale' knob)? I still receive 'not supported for this model' when activating this button. I would have thought the power analysis software would be behind by this.
3) Has anyone successfuly used the segmented memory option. Can't find that either.

I've not loaded the BW options yet. I don't have an RF signal generator that goes high enough and I'd like to do a before and after comparison on the roll-off.

Thanks.
 

Offline Distelzombie

  • Frequent Contributor
  • **
  • Posts: 283
  • Country: de
Re: Possible GW Instek GDS-1000B hack
« Reply #13 on: April 09, 2018, 08:05:39 am »
Which HTML file generator? Can't find a link to anything here.
So... Is it hackable? Is it better than a Rigol DS1054Z @100MHz now?

Offline SWR

  • Regular Contributor
  • *
  • Posts: 125
  • Country: dk
  • Without engineering science is just philosophy.
Re: Possible GW Instek GDS-1000B hack
« Reply #14 on: April 09, 2018, 08:17:37 am »
Which HTML file generator? Can't find a link to anything here.
It's in reply #3.
You should never go down on equipment!
 

Offline killingtime

  • Regular Contributor
  • *
  • Posts: 144
  • Country: gb
Re: Possible GW Instek GDS-1000B hack
« Reply #15 on: April 09, 2018, 09:37:00 am »
Which HTML file generator? Can't find a link to anything here.
It's in reply #3.

Yes it is hackable.

In reply 3 (post number4) there is an attachment called lis.txt. Download this, and rename it to lis.html, then run the html file in a web browser. It will prompt for the serial number of your scope (can be found on the back sticker or the System Info screen). All the hackable options will turn to links. Click on the links and you'll be prompted to download individual .lis files. Copy all the .lis files to a USB2 pen drive (USB3 didn't work for me) and insert the pen drive into the scope. Using the File Utilities menu on the scope, navigate to the .lis file of choice (using the 'Variable' knob and then press the 'Select' button below the Variable knob. You'll be asked if you want to load the file. Press Select again and reboot the scope. The option (if it's available on the scope) should now be enabled.

I have a feeling that the power analysis software isn't part of the scope base software image, so although the lic file loads there's nothing to execute.

If you want to increase the bandwidth of the scope then you only need to load the one .lis file for the BW you're after. Three options are available; 100, 200 and 300 MHz. I don't know if these work. Someone with an RF generator needs to try it out and see how flat the response is. I'd also be curious to know if the BW options break the maths functions like FFT beyond the original BW spec of the scope.

Start with the serial decode option and the waveform search option. Both of these worked for me.
 

Offline seronday

  • Regular Contributor
  • *
  • Posts: 93
  • Country: au
Re: Possible GW Instek GDS-1000B hack
« Reply #16 on: April 14, 2018, 02:58:57 am »
The Licence Generator also works for the GDS-2000E series DSO.

I have used it to produce a license file to upgrade the bandwidth of a GDS-2074E (70Mhz) to 200Mhz.

The detailed information is in the thread on GDS-2000E :-
https://www.eevblog.com/forum/testgear/gw-instek-gds2204e-(200mhz-4-channel-dso)-review/msg1478352/#msg1478352
 
The following users thanked this post: Mortymore

Offline Distelzombie

  • Frequent Contributor
  • **
  • Posts: 283
  • Country: de
Re: Possible GW Instek GDS-1000B hack
« Reply #17 on: April 14, 2018, 06:45:54 am »
Very cool. How does a hacked GDS-1054B @ 100Mhz compare to the hacked Rigol 1054 or the unhacked Siglent SDS1104X-E? Price seems similar.
Great, I can get the GDS-1054B with deferred payment - meaning it's a good option against the Rigol. Couldn't find that for the Siglent.
Edit: Damn... the Instek comes with only 70Mhz probes. Why does it always comes back to the Rigol?

Is the hack "real"? Like, real increase in bandwidth etc. What else is software upgradeable?
« Last Edit: April 14, 2018, 06:59:46 am by Distelzombie »
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4064
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Possible GW Instek GDS-1000B hack
« Reply #18 on: April 14, 2018, 04:55:38 pm »
Very cool. How does a hacked GDS-1054B @ 100Mhz compare to the hacked Rigol 1054 or the unhacked Siglent SDS1104X-E? Price seems similar.
Great, I can get the GDS-1054B with deferred payment - meaning it's a good option against the Rigol. Couldn't find that for the Siglent.
Edit: Damn... the Instek comes with only 70Mhz probes. Why does it always comes back to the Rigol?

Is the hack "real"? Like, real increase in bandwidth etc. What else is software upgradeable?

If you compare chinese GoodWill GDS-1000B 4 channel models to chinese Siglent SDS1104X-E it is good to note some differencies.

Siglent have max 500MSa/s for all 4 channels simultaneously on and this GoodWill have max 250MSa/s.

With 2 channels on Siglent have both channels 1GSa/s and GW have 500Msa/s.
This is because Siglent have 2 ADC. Each one is shared with 2 channels and GW have one ADC what is shared to all 4 channels. (both use same Hittite ADC)

And some more examples

-Siglent max wfm/s speed is least double.

!-Siglent have continuously always backround running full speed waveform history buffer, up to 80000 last waveforms (stop and look what just previously happend).

!-Siglent have also fast segmented memory (aka sequence) acquisition, up to over 400000 segment/s and up to 80000 segments with relative time stamps.
 
-Siglent fastest display time base is 1ns/div and GW 5ns/div.

-Siglent have full BW full resolution 500uV/div

!-Siglent have 500pts resolution SFRA up to 120MHz (not option, this is default but need external generator).

!-Siglent have Serial decoding (not option, this is default)

!-Siglent is also ready for MSO Option (16ch LA with 4 analog channels)
I drive a LEC (low el. consumption) BEV car. Smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the wises gone?
 

Online nctnico

  • Super Contributor
  • ***
  • Posts: 26755
  • Country: nl
    • NCT Developments
Re: Possible GW Instek GDS-1000B hack
« Reply #19 on: April 14, 2018, 06:22:18 pm »
However the GW Instek doesn't have bugs and it has features like free-form math, signal filtering, data logging, etc which are very useful when developing circuits and/or hunting for rare events. For 100MHz 250Ms/s is more than enough and high waveforms/s is not really important unless you get into triple digits. Even very high end oscilloscopes don't have high waveforms/s. The same goes for the history buffer. You can always turn on segmented recording and get exactly the same. The GW Instek can also do statistic analysis on the recorded segments.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 
The following users thanked this post: WI_Hedgehog

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4064
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Possible GW Instek GDS-1000B hack
« Reply #20 on: April 14, 2018, 08:49:39 pm »
However the GW Instek doesn't have bugs and it has features like free-form math, signal filtering, data logging, etc which are very useful when developing circuits and/or hunting for rare events. For 100MHz 250Ms/s is more than enough and high waveforms/s is not really important unless you get into triple digits. Even very high end oscilloscopes don't have high waveforms/s. The same goes for the history buffer. You can always turn on segmented recording and get exactly the same. The GW Instek can also do statistic analysis on the recorded segments.

GDS1000B ?  Perhaps you are talking some other GoodWill models.

250Msa/s is enough for continuous pure sinewave. Yes, barely. For what you need scope there if you know you have pure 100MHz sinewave. Veery useful to look... ?

History buffer and segmented memory (sequence acq) are same? Really? Looks like you do not even know what they are. Or is it so that 1000B do not have at all fast seg acq.
"However the GW Instek doesn't have bugs"  |O Bug free scopes where FW updates frequently with long list of repaired bugs. Why  need repair if they are bug free.
I drive a LEC (low el. consumption) BEV car. Smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the wises gone?
 

Offline Distelzombie

  • Frequent Contributor
  • **
  • Posts: 283
  • Country: de
Re: Possible GW Instek GDS-1000B hack
« Reply #21 on: April 15, 2018, 12:03:11 am »
Some websites say the GW Instek has 1GSa/s PER channel. So I assumed it will actually have 1GSa/s/channel - like, what that obviously implies, 1GSa/s when using all channel at once. (1GSa/s1GSa/s1GSa/s1GSa/s just to write it a few times more)

rfLoop, you compared the Siglent to the unhacked version? Doesn't it get more memory and stuff, like the Rigol? I really wish I could get the Siglent somewhere, but that is impossible without hire-purchase/installment payment - what is even the correct term? (german)

Online tautech

  • Super Contributor
  • ***
  • Posts: 28138
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Possible GW Instek GDS-1000B hack
« Reply #22 on: April 15, 2018, 12:40:59 am »
Some websites say the GW Instek has 1GSa/s PER channel. So I assumed it will actually have 1GSa/s/channel - like, what that obviously implies, 1GSa/s when using all channel at once. (1GSa/s1GSa/s1GSa/s1GSa/s just to write it a few times more)

rfLoop, you compared the Siglent to the unhacked version? Doesn't it get more memory and stuff, like the Rigol?
Be aware instruments in this class normally only have 1 or 2 ADC's.
So sampling rate is always listed a max in whatever usage configuration allows it. This is commonly just for 1ch in a DSO with a single ADC but those units with 2 will allow use at max sample rate with 2 channels in use, normally 1+3 or 2+4 or an equivalent configuration.
To allow sampling @ 1Gsa/s for all 4 channels you'd need dual 2Gsa/s ADC's or a much more expensive single ADC.

A good rule of thumb for many modern DSO's is the first digit in the model name signifies the GHz sample rate of the ADC/'s used.

Quote
I really wish I could get the Siglent somewhere, but that is impossible without hire-purchase/installment payment - what is even the correct term? (german)
LayBuy is the term used here where you make progressive payments until equipment is paid for in full and then it is dispatched or collected.
Maybe one of the European dealers can accommodate your needs.
https://www.siglenteu.com/how-to-buy/
Avid Rabid Hobbyist
Siglent Youtube channel: https://www.youtube.com/@SiglentVideo/videos
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4064
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: Possible GW Instek GDS-1000B hack
« Reply #23 on: April 15, 2018, 07:19:28 am »
Some websites say the GW Instek has 1GSa/s PER channel. So I assumed it will actually have 1GSa/s/channel - like, what that obviously implies, 1GSa/s when using all channel at once. (1GSa/s1GSa/s1GSa/s1GSa/s just to write it a few times more)

This is nice example how carefully it need read when you read manufacturer web sites. They try hardly that reader produce wrong imagine in his mind (one leader for this kind of things are Keyshit when you read advertisements and application notes).  Read data sheet, read itroduction, read GDS-1000B user manual. How long it take you get right answer for sampling speed and  that it have exactly 1GSa max for all single channel... yes this pops up to your eyes immediately.  ....but wait a bit... they did not tell that simultaneously. Yes, 1GSa/s for every channel and they did not lie. Take Ch 1 alone...max 1GSa/s and then take Ch2 alone...again max 1GSa/s and so on. All channels have max 1GSa/s. 

GoodWill GDS1000B  4 channel models:
Fact is - and this is true fact. It have single ADC chip. It is Hittite HMCAD1511.  (You can see it also if you look Dave's tear down video, he tell it clearly and ans also show it clearly when he look inside.)

1 channel alone in use: Max 1GSa/s
2 channels in use: Max 500MSa/s for both channels simultaneously.
3 channels in use: Max 250MSa/s for all channels simultaneously.
4 channels in use: Max 250MSa/s for all channels simultaneously.

Siglent SDS1000X-E 4 channel models:

Fact is - and this is true fact. It have two ADC chip. They are Hittite HMCAD1511. 

1 channel  in use: Max 1GSa/s
2 channels in use: Max 1GSa/s for both channels simultaneously.
3 channels in use: Max 500MSa/s for all channels simultaneously.
4 channels in use: Max 500MSa/s for all channels simultaneously.

What need hack in Siglent and then get something more like Riglol 1kZ
Siglent have all out from factory box and lot of more. It beats this Rigol wonder box just hands down in every single corner and after then give also lot of more powerful tool with performance what Rigol Zbox can only dream.
They are like night and day if compare performance as real tool. Just forget this Rigol 1kZ. Only feature there is that it is bit more cheap.
What features you can hack in Rigol DS1000Z series?  All because it is designed for hack as marketing trick.
What features you can hack in GoodWill GDS1000B?  This I do not know.
What features you can hack in Siglent SDS1000X-E series? This I do not know.

(Saelig)
DS1054Z Price: Reg. $399 Sale! $349  -  50MHz out from box, Hackable to 100MHz, single 1GSa ADC
GDS1054B Price: $429.00  - 50MHz out from box (hackable ?  ), single 1GSa ADC
SDS1104X-E Price: $499.00 - 100MHz ready out from box, (hackable ?  ) double  1GSa/s ADC

Yes there is price difference and with true reasons. It is amazing that  price differences are not more.
If Siglent is 2 times Rigol price I think it is still cheap if look features and performance.

ETA: But still, if budget is limited without exeptions to Rigol price and absolutely nothing more and no possible to wait and save bit more, Rigol is not bad choice.  For many kind of hobby and educational use if we set hard top limit to Rigol price,  it is still perhaps best possible what can get if we talk 4 channel stand alone digital oscilloscopes.
« Last Edit: April 15, 2018, 10:07:31 am by rf-loop »
I drive a LEC (low el. consumption) BEV car. Smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the wises gone?
 

Offline Distelzombie

  • Frequent Contributor
  • **
  • Posts: 283
  • Country: de
Re: Possible GW Instek GDS-1000B hack
« Reply #24 on: April 15, 2018, 09:29:47 am »
Quote
Yes, 1GSa/s for every channel and they did not lie. Take Ch 1 alone...max 1GSa/s and then take Ch2 alone...again max 1GSa/s and so on. All channels have max 1GSa/s. 
Very great...
Quote
Fact is - and this is true fact. It have two ADC chip.
knew that
Quote
Rigol DS1000Z series?  All because it is designed for hack as marketing trick.
I think the same. Just can't be a mistake.
Quote
Siglent have all out from factory box and lot of more. It beats this Rigol wonder box just hands down in every single corner and after then give also lot of more powerful tool with performance what Rigol Zbox can only dream.
They are like night and day if compare performance as real tool. Just forget this Rigol 1kZ. Only feature there is that it is bit more cheap.
I really really really wish I could buy that. I kind of knew parts of that already. Also it is cheaper as the Instek where I live. But more expensive than where you live. Including taxes or what VAT is...
instek 545.60 €
siglent 510.51 €
rigol 404.00 €
« Last Edit: April 15, 2018, 09:32:35 am by Distelzombie »
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf