We get access to the WinCE desktop and launch Doom on the Keysight DSOX1102G oscilloscope

Original author: Jason Gin
  • Transfer
Translation of an article from the blog of Jason Gin " Break to pieces "

TL; DR: Yes, on the Keysight 1000 X-Series oscilloscope you really can run Doom! However, it is not easy to do.

Keysight DSOX1102G The

oscilloscope must have in its arsenal any self-respecting electronics enthusiast. Oscilloscopes, in short, allow you to study the waves of electrical signals in a circuit, and digital oscilloscopes (digital storage oscilloscope, DSO) are indispensable because they can find rare errors in the signal that an analog oscilloscope or multimeter does not recognize.

The topic of my article is DSOX1102Gfrom Keysight Technologies (formerly Agilent), from their inexpensive range of oscilloscopes, which have a good price-to-quality ratio compared to their competitors. Like most of their oscilloscopes, the embedded OS Windows Embedded CE 6.0 (also known as Windows CE or WinCE) works on this model , but, like in most WinCE applications, you almost never see its interface - it is hidden behind a specially made user interface.

Stage 1: Awakening

When the Keysight 1000-X series was launched at the beginning of 2017, one of the surveyors from Hackaday noticed that the method of storing data on these oscilloscopes sometimes caused them to fall and reboot, and noted that the mouse pointer could be seen on the screen for several seconds before loading . There was a gif in his post, where he saves a file causing a crash, and I noticed something strange on one of the animation frames - there you could distinguish the Windows taskbar right in front of a black screen with an error. Interesting! ..

Having won my oscilloscope thanks to Keysight's Scope Month competition, I didn’t think about it for a couple of months until I came across the screen with a rejection on my own. In my case, I discovered that the Windows CE header was visible on top of the oscilloscope fault handler; dragging the header trail, and as a result, WinCE was suspended. This happened very rarely, therefore, stumbling upon failures afterwards, I simply allowed the handler to scan the file system and reboot the OS.

However, it intrigued me, and I wanted to learn a lot about what is happening with the underlying WinCE system. I found that the oscilloscope's USB port is quite error-prone, and just reeling in the port could cause a crash. However, this was not enough to collect the necessary amount of information, since it was an unreliable method.

So began my search for access to the WinCE desktop.

At first, I tried a pure software solution, trying to create a firmware update file .ksx (in fact, it’s just a .cab archive) that could shut down the oscilloscope program and open Windows Explorer - it did not work. The oscilloscope software generated an error message, complaining about the inability to open the file. It turns out that such a solution would not work even if I had made him download the update file, because the oscilloscope software does not go to the desktop during the update. Having met this first serious obstacle, I temporarily set aside curiosity and used the oscilloscope for its intended purpose.

Stage 2: look deeper

Because of my curiosity, I once decided to see if the oscilloscope can read and write floppy disks at 3.5 "(or, as the young people say, a printed save icon) via a USB port - and it could! However, I noticed one strange problem; an oscilloscope crashed if I left the drive in the USB port when turned on. Eureka! I found a way to reliably cause a crash.

Here, unfortunately, I was waiting for the second serious obstacle. This failure occurred at boot time only if only one device was plugged into the USB port — a drive. There was no failure if I used a USB hub, which included a drive. This meant that I would have to switch very quickly between the drive and the USB mouse with the keyboard. Haste to remove the drive as quickly as possible and plug the combination of keyboard and touchpad into USB during the boot process was tedious and annoying. I needed a better solution - a hardware solution.

Special A / B switch for USB, made by me for quick replacement of devices

Using an old USB cable, a dead USB hub and a DPDT switch, I created a USB A / B switch to simplify and speed up the process of switching between devices. Using this method, I managed to try to establish contact with WinCE for a split second while the taskbar was visible on the screen, and until the failure handler broke the entire raspberry. With the help of the slow-motion magic of my Samsung Galaxy S9, I was able to determine that I could send keystroke sequences to WinCE and it processes them - even on the system's screensaver! I was able to get information about the system, blindly pressing the keys, and then studying the response in case of a crash of the oscilloscope software. Then I ran into the second obstacle.

The possibility of a very brief interaction with WinCE is good, but it was useless, because I could not take control of it until the fault handler restarts the system. The handler was holding tightly to the OS, and no keyboard chuck and Ctrl + Alt + Delete allowed me back to WinCE.

Stage 3: Looking for a fulcrum

And again, my occasionally playing curiosity came in handy when I decided to use my old Sony Clie PEG-NX73V (handheld on PalmOS from 2003) as a USB drive. He had a data import function that allowed dragging files onto a memory card in the same way as a removable disk.

Just as with the USB drive, the system crashed when I turned on the oscilloscope without pulling out the PDA. However, this time the failure handler decided that the PDA file system is a damaged section of the firmware and suggested downloading the firmware update from an external USB flash drive.

This behavior was not regular, sometimes the oscilloscope software still loaded, and a very strange WinCE window appeared with a bright blue mouse pointer that left traces on the screen. However, in this strange state, I managed to pull the InfiniiVision oscilloscope software window to the side, and I tried to poke around with the OS. But the oscilloscope software behaved very aggressively and returned focus to itself every time after clicking outside the window. After some messing around with a strangely colored OS, I was able to get around it. I could not see the file system, because I could not take control of the oscilloscope software window for a long time, but I was able to open the system properties dialog box, where it was written that the oscilloscope is based on Windows CE 6.00 and it has 100 MB of RAM.

Then I decided to rummage through the EEVblog forums.where people are actively trying to hack an oscilloscope to open up additional possibilities. There I discovered that the software is looking for the infiniiVisionStartupOverride.txt file in the root of the USB flash drive, and if it does, it tries to load the oscilloscope software from it. And although, apparently, in fact, the firmware did not download software from the flash drive, this process interrupted the launch of the software of the oscilloscope, and then no one took control of the OS from me. From this point on, everything became more interesting - the failure handler opened the Explorer window, and typing in the file name field "*. *", I was able to start rummaging through the file system of the oscilloscope and USB flash drive! That is what I needed to gain control over WinCE. However, I met another obstacle: the oscilloscope rebooted after 60 seconds, because of which I did not have much time to dig into the operating system.

DSOX1102G firmware update request with flash file selection dialog

Windows CE Task Manager shows running processes on the firmware recovery screen

Having copied several Windows CE tools, for example, the Windows CE Task Manager, I noticed two interesting processes that were started when the failure handler was still visible - recoverInfiniiVision.exe and processStartupFolder.exe; Apparently, the first one was a failure handler, which did not give me access to WinCE after an oscilloscope software crash. Having nailed the second process with iTaskMgr (the free version of the WinCE task manager does not allow to kill the processes) I was able to keep the oscilloscope from rebooting, and when I nailed the first one, I saw a clean WinCE desktop - and here I am! Unfortunately, I was unable to restore the taskbar, which made it rather inconvenient to navigate the OS.

I created a new folder on my desktop to open Explorer, and finally I was able to study the oscilloscope file system. This was greatly helped by Total Commander / CE, which has a built-in text editor that was not in this version of WinCE.

Delving into the file system with Total Commander / CE (no taskbar yet)

Stage 4: full control

Now, having managed to get to the sky-blue desktop, for the full feel of WinCE, I had to restore the taskbar. Googling, having climbed Stack Overflow, I threw in a small program for this. Opening it from Windows Explorer, I got the full version of the WinCE desktop! Finally I had full control over the base OS!

Freedom - a full WinCE desktop on an oscilloscope!

From this point on, I began to rummage through the file system and see what interesting tools can be found there. The command line interpreter did not want to run, but I rummaged through the registry and found the HKEY_LOCAL_MACHINE \ Drivers \ Console \ OutputTo key, the value of which was 0xFFFFFFFF. By changing it to 0, I managed to make the Command Prompt visible on the desktop, so I made another small program that did just that.

Everything went well, I made a batch file with all the commands needed to kill the oscilloscope software, the startup folder handler, the failure handler, restore the taskbar and allow the Command Prompt to start. However, to open the fault handler menu, my PDA was required, which meant that others could not reproduce this effect.

Rummaging further, I discovered that as soon as the splash screen appeared and the LEDs on the panel began to flash, WinCE started processing keystrokes even without a device dropping the software. Pressing win + U hung the oscilloscope because I opened the Start menu and chose the Suspend option (and the OS did not have the ability to return after this control, because the oscilloscope had only a power button). With this in mind, I renamed my file to a.bat to make it easier to type in my name, and tried to launch it when booting with win + R, using the \ usb \ a.bat command and pressing Enter. But as a result, the oscilloscope simply showed the screen saver on the screen, although in the background WinCE was alive, and I just could not see what was happening there. It turns out that the failure handler was a necessary component for demonstrating the desktop OS, and I just needed to add a few lines to the batch file to start and stop the failure handler. Having added these final touches, I was able (semi-automatically) to load the oscilloscope right before the desktop appeared, using only a USB flash drive, a mouse and a keyboard!

Step 4: Yes, it is running DOOM!

Having gained access to WinCE, I was able to finally answer the question: “Is Doom running on it?” And, as it turned out, it really starts up! After launching the oscilloscope, it took a year and a half, but I finally reached this milestone.

This is not a hoax: you can run Doom on your Keysight 1000 X oscilloscope!

Doom II works on my DSOX1102G oscilloscope! (3 frames per second)

Running Doom in a 320 × 240 window allowed us to squeeze enough frames per second to play. See what color palette!

In the next article I will play a little more with this legendary video game on a piece of iron, which was never intended for games.

Doom in action in the resolution of 320 × 240, 256 colors! On the oscilloscope!

Files to download

I posted files that you might need to try the same thing on your oscilloscope - but remember, I am not responsible for turning it into a brick or something else unpleasant! I tested all this only on my DSOX1102G, but I suspect that other 1000 X series models and other Keysight oscilloscopes, which have firmware recovery functions, can also work. The oscilloscope firmware is made in such a way that all WinCE runs in RAM and is not saved after a reboot, so all changes to the OS that break the system will not turn the oscilloscope into a brick (the firmware files are in the NAND flash directories that cannot be opened through the Explorer, but you can only dial by name).

The flash drive will need to be formatted in FAT or FAT32, and unpack the Scope Liberator zip archive into its root.. Instructions are contained in the readme.txt.

If you are interested in the source code of the auxiliary programs that return the taskbar and the command line interpreter, I also posted them.

Also popular now: