Thank you for doing this video. I'm pretty clueless when it comes to serial bus stuff and this video has, probably inadvertently, taught me so much about how the clock cycles, data and chip select all works together. So good to see it happening in real time, rather than static, in a book, on a page. Thanks Dave
I was totally screaming at the screen for several minutes from 30:00 "Dave, mate, it's in the middle of reconfiguring its own input, why would you EXPECT it to trigger?!?" :-P
because the scope can't capture when you are changing it's settings. The software probably writes out the setting changes, then arms and waits for a trigger source.
45:30 and you finally figured it out that there were more devices on the bus :-). This time I was indeed almost screaming to my screen... Also about the disabled sampling during bandwidth change. I wonder is if they will also apply the filter when the sample rate is lower than 1 GHz, to ensure nyquist sampling?
Great video! Waiting for Part 2: Hook up a µC to that chip's 3 serial pins, set scope to 20MHz BW limit via UI and send 1 packet to reconfigure that chip's filter setting via µC. Capture a signal with 300MHz > Signal BW > 20MHz, and compare to a capture on "unlimited" BW setting. With your mod wires still attached and one of the µC demo boards you got in mailbags (or arduino even), I'm sure this would only you take 1-2 hours to set up and record. Would make for a nice Proof of Concept. GO DAVE!
Very nice video! Thanks, Dave! I'm just wondering, even though it seems possible to intercept the data going to the frontend chip to hack the bandwidth, wouldn't you still be limited to the fastest time base settings on your particular model of the scope? Or is it the same for all models?
Actually decoding what the package was it captured itself could be a clue. My guess is on its disabling triggering during reconfiguration too; not doing it would make no sense. Oh and what would have been intresting is to input some fast square wave and then send the commands to that chip to limit the bandwidth and see what happens and how it differes between 350 and 750 and full
Does it fail to trigger because the LMH6518 is not outputting anything during an SPI access? Should hook a probe up to the OUT aux and see if it doesn't trigger when it is switching bandwidth.
+Darren Olafson That would be my guess too. During the channel reconfiguration they probably disable trigger to avoid capturing with intermediate states then re-enable when it's properly configured.
Brilliant video Dave. Absolutely fascinating. Reverse engineering a scope with itself is like shooting someone with their own gun. What are your thoughts on this episode? Should Rohde & Schwarz have made greater effort to proof against such attacks?
I think not. For most hobby projects a 100MHz scope is enough and would not need the extra headroom. Therefore the upgrades to 200 or 300MHz costs (without hacking) extra money so 300MHz buyers do not subitize for those only needing 100MHz bandwidth.
+Clóvis Fritzen Companies have been doing this for years with many options, not just bandwidth. It's smart manufacturing but somehow knowing about it on the consumer end can feel deceitful.
I agree - when you look at the business side, segmenting your market like this makes total sense, and they're a business. What's NOT evil about it is that you can hack your cheaper scope into a better one. If I owned that scope I'd be reaching into my drawer for an ATTiny85 right now... Nice simple hack to implement now Dave's done the research... :-)
Looks like they simply don`t want to trigger when the scale (attenuator) is being changed. That prevents it from possibly triggering every time you change the scale after setting for single cap mode for example. It would be very annoying to have to reset the trigger every time you changed the scale. You could actually check that blackout time with a little breadboard monostable multivibrator (one shot) from the CS and back into the scope and compare the actual one shot pulse width with what is shown on the scope. Might be a good video actually! ;-)
+ElmerFuddGun - also, those additional SPI signals we saw could (would be my guess) be for the other channel`s attenuator (amp) and maybe the input impedance selection (50 or 1M ohm). Simply using the CS lines and thus a single SPI bus for everything in that front end circuit. Easy work around if they are out of SPI buses but have the data lines available for CS lines.
+ElmerFuddGun That's what i was thinking too (common SCK & SDIO between CH1 and CH2) - not much point in having a separate SPI bus for each channel, it's not like they need constant control signals anyway.
Thank you for doing this video. I'm pretty clueless when it comes to serial bus stuff and this video has, probably inadvertently, taught me so much about how the clock cycles, data and chip select all works together. So good to see it happening in real time, rather than static, in a book, on a page.
Thanks Dave
You cant trigger on the CS because the scope is not sampling while it's reconfiguring it's own channel xD.
+Danny Bokma That sounds pretty reasonable. The hazards of using an instrument to probe itself...
+Danny Bokma Yes, that's exactly what must be happening.
I was totally screaming at the screen for several minutes from 30:00 "Dave, mate, it's in the middle of reconfiguring its own input, why would you EXPECT it to trigger?!?" :-P
7 Rohde & Schwarz employees disliked this video.
because the scope can't capture when you are changing it's settings. The software probably writes out the setting changes, then arms and waits for a trigger source.
45:30 and you finally figured it out that there were more devices on the bus :-). This time I was indeed almost screaming to my screen... Also about the disabled sampling during bandwidth change. I wonder is if they will also apply the filter when the sample rate is lower than 1 GHz, to ensure nyquist sampling?
Great video!
Waiting for Part 2: Hook up a µC to that chip's 3 serial pins, set scope to 20MHz BW limit via UI and send 1 packet to reconfigure that chip's filter setting via µC. Capture a signal with 300MHz > Signal BW > 20MHz, and compare to a capture on "unlimited" BW setting.
With your mod wires still attached and one of the µC demo boards you got in mailbags (or arduino even), I'm sure this would only you take 1-2 hours to set up and record. Would make for a nice Proof of Concept. GO DAVE!
10:25 lol the puddle of spit starting to form
+tim turner Dave is a Xenomorph.
Interesting issue/bug for on the R&S, wouldn't have expected that on a $$$ scope. Wonder if it was just the additional loading of the bus?
This is pretty much what I needed at this point. It's 00:23 in the US and I'm a bit on the liq.
Very nice video! Thanks, Dave!
I'm just wondering, even though it seems possible to intercept the data going to the frontend chip to hack the bandwidth, wouldn't you still be limited to the fastest time base settings on your particular model of the scope? Or is it the same for all models?
Actually decoding what the package was it captured itself could be a clue. My guess is on its disabling triggering during reconfiguration too; not doing it would make no sense. Oh and what would have been intresting is to input some fast square wave and then send the commands to that chip to limit the bandwidth and see what happens and how it differes between 350 and 750 and full
Does it fail to trigger because the LMH6518 is not outputting anything during an SPI access? Should hook a probe up to the OUT aux and see if it doesn't trigger when it is switching bandwidth.
I was bored intill dave uploads a new video
Is the R&S disabling the trigger temporarily as it changes the bandwidth?
+Darren Olafson That would be my guess too. During the channel reconfiguration they probably disable trigger to avoid capturing with intermediate states then re-enable when it's properly configured.
Brilliant video Dave. Absolutely fascinating. Reverse engineering a scope with itself is like shooting someone with their own gun.
What are your thoughts on this episode? Should Rohde & Schwarz have made greater effort to proof against such attacks?
So since the hardware is the same between the models, are the buyers of the 300mhz version subitizing the 100mhz version?
I think not.
For most hobby projects a 100MHz scope is enough and would not need the extra headroom.
Therefore the upgrades to 200 or 300MHz costs (without hacking) extra money so 300MHz buyers do not subitize for those only needing 100MHz bandwidth.
+Paul Steenbergen hmmmm good point!
How are you changing the bits
+Tommy Gun and in compliance with the clock signal.
Good stuff...
soft-limiting the bandwidth of an equipment? This is evil at its finest, R&S .
+Clóvis Fritzen Companies have been doing this for years with many options, not just bandwidth. It's smart manufacturing but somehow knowing about it on the consumer end can feel deceitful.
I agree - when you look at the business side, segmenting your market like this makes total sense, and they're a business. What's NOT evil about it is that you can hack your cheaper scope into a better one. If I owned that scope I'd be reaching into my drawer for an ATTiny85 right now... Nice simple hack to implement now Dave's done the research... :-)
Looks like they simply don`t want to trigger when the scale (attenuator) is being changed. That prevents it from possibly triggering every time you change the scale after setting for single cap mode for example. It would be very annoying to have to reset the trigger every time you changed the scale. You could actually check that blackout time with a little breadboard monostable multivibrator (one shot) from the CS and back into the scope and compare the actual one shot pulse width with what is shown on the scope. Might be a good video actually! ;-)
+ElmerFuddGun - also, those additional SPI signals we saw could (would be my guess) be for the other channel`s attenuator (amp) and maybe the input impedance selection (50 or 1M ohm). Simply using the CS lines and thus a single SPI bus for everything in that front end circuit. Easy work around if they are out of SPI buses but have the data lines available for CS lines.
+ElmerFuddGun That's what i was thinking too (common SCK & SDIO between CH1 and CH2) - not much point in having a separate SPI bus for each channel, it's not like they need constant control signals anyway.
Can't sleep.
Got to love weird timing issues becuase of configuration crap like this.