Thank you for doing this video. I'm pretty clueless when it comes to serial bus stuff and this video has, probably inadvertently, taught me so much about how the clock cycles, data and chip select all works together. So good to see it happening in real time, rather than static, in a book, on a page. Thanks Dave
I was totally screaming at the screen for several minutes from 30:00 "Dave, mate, it's in the middle of reconfiguring its own input, why would you EXPECT it to trigger?!?" :-P
45:30 and you finally figured it out that there were more devices on the bus :-). This time I was indeed almost screaming to my screen... Also about the disabled sampling during bandwidth change. I wonder is if they will also apply the filter when the sample rate is lower than 1 GHz, to ensure nyquist sampling?
because the scope can't capture when you are changing it's settings. The software probably writes out the setting changes, then arms and waits for a trigger source.
Very nice video! Thanks, Dave! I'm just wondering, even though it seems possible to intercept the data going to the frontend chip to hack the bandwidth, wouldn't you still be limited to the fastest time base settings on your particular model of the scope? Or is it the same for all models?
Great video! Waiting for Part 2: Hook up a µC to that chip's 3 serial pins, set scope to 20MHz BW limit via UI and send 1 packet to reconfigure that chip's filter setting via µC. Capture a signal with 300MHz > Signal BW > 20MHz, and compare to a capture on "unlimited" BW setting. With your mod wires still attached and one of the µC demo boards you got in mailbags (or arduino even), I'm sure this would only you take 1-2 hours to set up and record. Would make for a nice Proof of Concept. GO DAVE!
Brilliant video Dave. Absolutely fascinating. Reverse engineering a scope with itself is like shooting someone with their own gun. What are your thoughts on this episode? Should Rohde & Schwarz have made greater effort to proof against such attacks?
Does it fail to trigger because the LMH6518 is not outputting anything during an SPI access? Should hook a probe up to the OUT aux and see if it doesn't trigger when it is switching bandwidth.
+Darren Olafson That would be my guess too. During the channel reconfiguration they probably disable trigger to avoid capturing with intermediate states then re-enable when it's properly configured.
Actually decoding what the package was it captured itself could be a clue. My guess is on its disabling triggering during reconfiguration too; not doing it would make no sense. Oh and what would have been intresting is to input some fast square wave and then send the commands to that chip to limit the bandwidth and see what happens and how it differes between 350 and 750 and full
I think not. For most hobby projects a 100MHz scope is enough and would not need the extra headroom. Therefore the upgrades to 200 or 300MHz costs (without hacking) extra money so 300MHz buyers do not subitize for those only needing 100MHz bandwidth.
Looks like they simply don`t want to trigger when the scale (attenuator) is being changed. That prevents it from possibly triggering every time you change the scale after setting for single cap mode for example. It would be very annoying to have to reset the trigger every time you changed the scale. You could actually check that blackout time with a little breadboard monostable multivibrator (one shot) from the CS and back into the scope and compare the actual one shot pulse width with what is shown on the scope. Might be a good video actually! ;-)
+ElmerFuddGun - also, those additional SPI signals we saw could (would be my guess) be for the other channel`s attenuator (amp) and maybe the input impedance selection (50 or 1M ohm). Simply using the CS lines and thus a single SPI bus for everything in that front end circuit. Easy work around if they are out of SPI buses but have the data lines available for CS lines.
+ElmerFuddGun That's what i was thinking too (common SCK & SDIO between CH1 and CH2) - not much point in having a separate SPI bus for each channel, it's not like they need constant control signals anyway.
+Clóvis Fritzen Companies have been doing this for years with many options, not just bandwidth. It's smart manufacturing but somehow knowing about it on the consumer end can feel deceitful.
I agree - when you look at the business side, segmenting your market like this makes total sense, and they're a business. What's NOT evil about it is that you can hack your cheaper scope into a better one. If I owned that scope I'd be reaching into my drawer for an ATTiny85 right now... Nice simple hack to implement now Dave's done the research... :-)