Author Topic: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?

Offline PhillyFlyers

  • Contributor
  • Posts: 27
  • Country: us
Hi All,

I put together a 3-in-1 DSOX LAN board, to incorporate the LAN setup everyone is already using, plus a USB-UART setup and JTAG buffer, to have all 3 interfaces available via the LAN card faceplate.

(Thanks to everyone on here that did the real work getting the LAN card figured out, all the hard work. I just incorporated those setups, and tacked on an RS232 setup and JTAG setup.)

The USB UART setup pulls the 3.3V power for the chip from the HOST USB 5V power, so that the serial port can be up and connected to before the scope is powered on. This makes it super easy to power on the scope and immediately halt in U-Boot (hitting spacebar while you power on the scope).

The JTAG buffer setup just provides a nice buffered setup (same buffer setup that's been used in numerous other JTAG projects, etc.)

I found that the SEGGER JLINK-EDU is a very nice and super easy device to use, and it already has defines set up for the SPEAR600. (No defined setup for programming flash or reading the NAND flash, as the SPEAR600 FSMC needs to be set up manually, but you can easily dump the NOR flash, the most important anyhow.)

JLINK-EDU is the same as JLINK-BASE, but meant for non-commercial use, which is fine for us. And it's only $60 from Digi-Key and others.

In order to use JTAG, you have to pull up those two pins as was shown way back around page 6 I think of this thread, so I added a DIP switch onto the board for all 3 locations, and you can actually run wires from those 3 pads to the board, and use the DIP switches to turn on/off those enable pins.

But since they are by default pulled LOW by 81 ohm resistors, you have to remove them, and either replace with 10k, or just leave open, and let the board do the pullup/pulldown.

You can also just build the board and only populate what you want, i.e. you can leave JTAG unpopulated, and also don't need to populate any of the LEDs. I just did that for fun, and it looks pretty when they light up :)

Attached are some pics of the board, the initial U-Boot menu (when halted via the serial port), etc.

(See the hackaday link for all the files.)

https://hackaday.io/project/114593-dsoxlanplus


« Last Edit: April 02, 2018, 10:18:16 am by PhillyFlyers »
 
The following users thanked this post: Sparky, jasonbrent, zucca, januszb, JeffreyLatter, Safar

Offline gamalot

  • Frequent Contributor
  • **
  • Posts: 397
  • Country: au
  • Correct my English
    • GAMALOT
WOW, looks much better than mine!  :-+
 

Offline eevfans

  • Newbie
  • Posts: 2
  • Country: cn
Hi guys, I have a DSO-X 3034A, and unfortunately the firmware was down. The xloader, pboot and uboot work fine. I have updated pboot and uboot with the same files from the update packet 3000XSeries.02.43.2018020635.ksb (using uboot over UART to stop the pboot boot process, the Kermit protocol to transfer the files to memory, and the cp command to overwrite the old pboot and uboot). The NAND memory should be flashed too, but I don't know how, or where to get the NAND data. In other words, how can I fix it by hand? Any ideas? (PS: the NAND has been erased and I don't have a LAN module.)
 

Offline Safar

  • Regular Contributor
  • *
  • Posts: 117
  • Country: ru
Not sure, but does "start usb" work at the uboot prompt? (With a USB flash drive connected.)

Otherwise you should use the LAN to TFTP-upload the kernel.

Edit: it should be a .NB0 file for upload. You can find convert utilities in this topic.
« Last Edit: April 09, 2018, 11:17:33 pm by Safar »
 

Offline eevfans

  • Newbie
  • Posts: 2
  • Country: cn
uboot doesn't support USB devices. I used three uboot versions: the version from the factory (unknown), the version in 3000XSeries.02.35.2013061800, which certainly supports booting from USB, and the uboot from the last update packet, 3000XSeries.02.43.2018020635. None of these can boot from the USB disk, which does boot on my friend's identical DSO-X 3034A with version 02.35.2013061800. I need to modify the LAN board and submit it to the factory for production; it may take a few days.
 

Offline Safar

  • Regular Contributor
  • *
  • Posts: 117
  • Country: ru



I don't mean booting the OS from USB. I know that is impossible in the latest versions. I mean that some uboot versions (in general) can load a kernel file from USB and write it to NAND. So does the "start usb" command work in uboot? If yes, you can try "usb write".
 

Offline jasonbrent

  • Regular Contributor
  • *
  • Posts: 171
DSOX3014T running 07.20.2017102614 "liberated".
Unsure how to get rid of "WARNING: Unsealed Instrument".. which also seems to cause "Hardware Self Test" to fail with "Self test failed: Firmware Status".

Some of my licenses still show a * beside them, but i think that's because it has "valid" trial licenses in place when it was liberated.

Thank you to those who have shared.

-j
 

Offline Safar

  • Regular Contributor
  • *
  • Posts: 117
  • Country: ru




On the 3000A scope this * sign appears if I use the group license ("-All").

 

Offline jasonbrent

  • Regular Contributor
  • *
  • Posts: 171




Ah ha, ok, makes sense.

If there are any ambitious folk, Microsoft Research released an API/toolchain called "Detours" (a.k.a. "trampolines") years ago that allows for interception of an API call, inserting your own code, then jumping (trampolining) to the original API call. It's available here: https://www.microsoft.com/en-us/research/project/detours/

Detours API 3.0 apparently works on ARM/WindowsCE.

With some work, the code paths that check for the validity of licenses or the checks or "Unsealed Instrument" could be dynamically skipped instead of the actions of manually patching the checks.

(There are reasonably large projects that use this library to greatly extend the original intended function of some Windows software...)

-j
 

Offline PhillyFlyers

  • Contributor
  • Posts: 27
  • Country: us





Interesting, quite a neat thing they made.. but the only problem with doing that is you will be changing the size of the module, therefore you now have to rebuild the entire Windows CE packed image, i.e. the nk.bin... that will be some fun for sure :)

Anyhow, in case you missed it, I went through the 7.20 firmware for the 4k series (the 07.20.20171026). I didn't realize the 3000T series also uses this firmware? Anyhow, these patches should work for the license check and removing that nag...

Code:

1) options patch:  0x486d00:  change "04 00 A0 E1" -> "00 00 A0 E3"
2) nag patch:      0x4f24e0:  change "A8 F1 93 E5" -> "01 00 A0 E3"

« Last Edit: May 16, 2018, 06:03:35 am by PhillyFlyers »
 
The following users thanked this post: jasonbrent

Offline jasonbrent

  • Regular Contributor
  • *
  • Posts: 171
Cool deal with those offsets, yes, the 3KT firmware version is the same, I can't confirm it's the same _image_ for the 4K series though.

Perhaps I'm missing something, but one could just telnet in, copy from USB and replace the "link" file with a more intelligent executable stub which also handled the detouring. No need to rebuild the image in that scenario, right?

I refreshed my IDA pro license to current yesterday hoping to get some time to have "fun" with all of these images soon-ish.

-j
 

Online TheSteve

  • Supporter
  • ****
  • Posts: 2538
  • Country: ca
  • GHz or bust

The download/install images are different but the changes are quite subtle I believe.
VE7FM
 

Online TK

  • Frequent Contributor
  • **
  • Posts: 703
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Has anyone looked at the 1000X firmware patch?  It is not taking the options like the 2000X or the 3000X when loaded from \Secure...  Wondering why Keysight is keeping it more protected than the more expensive 2000X or 3000X series
 

Offline mlloyd1

  • Contributor
  • Posts: 5

That's a good question.
I might guess they'll sell A LOT more 1000 than 2000 & 3000 (combined?).

mlloyd1
 

Offline PhillyFlyers

  • Contributor
  • Posts: 27
  • Country: us


It may be that your only route is to patch the DLL.... I don't have a 1k series, so can't test anything...

I decided to just go through all of the firmware combos, and find all the patches...

Here's what I have currently..


Code:

** infiniivisioncore.dll patches **

1000x series:

firmware: 01.10
------------------
1) options patch:  0x27A160  --> "04 00 A0 E1" --> "00 00 A0 E3"
2) nag patch:      0x2A4B74  --> "E8 F0 93 E5" --> "01 00 A0 E3"

2000x series:

firmware: 2.43
---------------
1) options patch:  0x280940  --> "04 00 A0 E1" --> "00 00 A0 E3"
2) nag patch:      0x2a9f38  --> "66 5A FF EB" --> "01 00 A0 E3"

3000A series:

firmware: 2.43
------------------
1) options patch:  0x280940  --> "04 00 A0 E1" --> "00 00 A0 E3"
2) nag patch:      0x2a9f38  --> "66 5A FF EB" --> "01 00 A0 E3"

3000T series:

firmware: 7.20
----------------
1) options patch:  0x486f3c  --> "04 00 A0 E1" --> "00 00 A0 E3"
2) nag patch:      0x4f22c8  --> "A8 F1 93 E5" --> "01 00 A0 E3"

4000x series:

firmware: 7.20
-----------------
1) options patch:  0x486d00  --> "04 00 A0 E1" --> "00 00 A0 E3"
2) nag patch:      0x4f24e0  --> "A8 F1 93 E5" --> "01 00 A0 E3"

*** note, YES 2000x patches ARE same as 3000A series, the DLLs are identical ***


To understand how to apply these patches, the best way is to follow Safar's post, details here... They seem to have taken the same approach with all of the firmwares now: the DLL is NO longer on disk, it has to be modified directly in the Windows CE image (nk.bin).


http://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1453285/#msg1453285
 
The following users thanked this post: jasonbrent, JeffreyLatter, TK, skander36
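The patch table above is a set of single-word ARM rewrites. As an added example (my code, not PhillyFlyers' or Safar's, and not anything from Keysight), the script below applies such a table the way a careful patcher should: it checks the expected original bytes at every site before writing a single byte, so a wrong firmware build or a wrong offset fails closed instead of producing a half-patched DLL. It also decodes the four instruction encodings that occur in the table, which makes the intent readable: r0 is the ARM return register, so the "options" sites turn "mov r0, r4" into "mov r0, #0", and the "nag" sites replace a call ("bl", or an indirect "ldr pc, [r3, #...]") with "mov r0, #1". Assumptions: the offsets are file offsets into a flat copy of infiniivisioncore.dll; the optional "base" argument only shifts them when the DLL has already been extracted into a larger flat image and does nothing for the packed nk.bin format, for which the thread defers to Safar's post; the "bl" target is printed relative to the file offset and is only meaningful if caller and callee sit in the same section; and the sample image is constructed here, not a real DLL.

```python
"""Added example, not code from the thread or from Keysight: apply the posted
infiniivisioncore.dll byte patches only after verifying the original bytes at
every site, and decode the ARM words so each patch's effect is visible.
The patch table is copied from the post; the sample image is constructed here
and is NOT a real DLL or nk.bin."""
import struct

# (file offset in infiniivisioncore.dll, original bytes, replacement bytes), as posted
PATCHES = {
    "1000x 01.10":      [(0x27A160, "04 00 A0 E1", "00 00 A0 E3"),
                         (0x2A4B74, "E8 F0 93 E5", "01 00 A0 E3")],
    "2000x/3000A 2.43": [(0x280940, "04 00 A0 E1", "00 00 A0 E3"),
                         (0x2A9F38, "66 5A FF EB", "01 00 A0 E3")],
    "3000T 7.20":       [(0x486F3C, "04 00 A0 E1", "00 00 A0 E3"),
                         (0x4F22C8, "A8 F1 93 E5", "01 00 A0 E3")],
    "4000x 7.20":       [(0x486D00, "04 00 A0 E1", "00 00 A0 E3"),
                         (0x4F24E0, "A8 F1 93 E5", "01 00 A0 E3")],
}


def hexbytes(s):
    return bytes.fromhex(s.replace(" ", ""))


def decode_arm(word, addr):
    """Decode only the ARM32 encodings that occur in the table. 'addr' is the
    word's own offset; the bl target is relative to it, which equals a file
    offset only if caller and callee live in the same section (assumption)."""
    if word >> 28 != 0xE:                          # all four sites are cond=AL
        return "?"
    rd, rn, rm = (word >> 12) & 0xF, (word >> 16) & 0xF, word & 0xF
    reg = lambda r: "pc" if r == 15 else f"r{r}"
    if (word & 0x0FFF0FF0) == 0x01A00000:          # MOV Rd, Rm (no shift)
        return f"mov {reg(rd)}, {reg(rm)}"
    if (word & 0x0FFF0000) == 0x03A00000:          # MOV Rd, #imm8 ror (2*rot)
        imm8, rot = word & 0xFF, 2 * ((word >> 8) & 0xF)
        imm = ((imm8 >> rot) | (imm8 << (32 - rot))) & 0xFFFFFFFF if rot else imm8
        return f"mov {reg(rd)}, #{imm}"
    if (word & 0x0FF00000) == 0x05900000:          # LDR Rd, [Rn, #imm12]
        return f"ldr {reg(rd)}, [{reg(rn)}, #{word & 0xFFF:#x}]"
    if (word & 0x0F000000) == 0x0B000000:          # BL: imm24 sign-extended, <<2, +8
        off = word & 0xFFFFFF
        if off & 0x800000:
            off -= 0x1000000
        return f"bl {addr + 8 + (off << 2):#x}"
    return "?"


def describe(patches):
    """Human-readable 'before -> after' for each patch site."""
    le32 = lambda b: struct.unpack("<I", b)[0]
    return [f"{off:#x}: {decode_arm(le32(hexbytes(o)), off)} -> "
            f"{decode_arm(le32(hexbytes(n)), off)}" for off, o, n in patches]


def apply_patches(image, patches, base=0):
    """Return a patched copy. 'base' is where the DLL starts inside a larger
    flat image; 0 when patching the bare DLL. Fail closed: every site is
    verified before any byte is written, so a wrong build or wrong base can
    never leave a half-patched image."""
    buf = bytearray(image)
    for off, orig, new in patches:
        o, n = hexbytes(orig), hexbytes(new)
        if len(o) != 4 or len(n) != 4:
            raise ValueError("each site patches exactly one 32-bit ARM word")
        found = bytes(buf[base + off:base + off + 4])
        if found != o:
            raise ValueError(f"offset {base + off:#x}: expected {o.hex()} found {found.hex()}")
    for off, _, new in patches:
        buf[base + off:base + off + 4] = hexbytes(new)
    return bytes(buf)


def build_sample_image(patches, base=0):
    """Constructed stand-in for the DLL: zeros with the original words in place."""
    buf = bytearray(base + max(off for off, _, _ in patches) + 4)
    for off, orig, _ in patches:
        buf[base + off:base + off + 4] = hexbytes(orig)
    return bytes(buf)


if __name__ == "__main__":
    sites = PATCHES["2000x/3000A 2.43"]
    for line in describe(sites):
        print(line)
    patched = apply_patches(build_sample_image(sites), sites)
    print("patched", len(patched), "bytes")
```

Run against a real DLL by replacing build_sample_image() with open(path, "rb").read(); if apply_patches() raises, the offsets do not belong to that build and nothing has been written.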

Offline utmba95

  • Newbie
  • Posts: 2
  • Country: us
Hi,

On a 3000A model I've tried both 2.42 and 2.43, but I've been unable to make the changes sticky.  I'm using these instructions:

0) Install correct Firmware version first (i.e. in this case 2.43)
1) Download Safar's patched_nk_bin.comp file and copy to a USB stick and plug in.
2) Telnet into the scope.
3) Login infiniivision / skywalker1977
4) processmgr kill infiniivisionlauncher.exe
5) \windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
6) Create a file on the USB stick called infiniivision.lnk with contents (e.g.)
7a) delete (or rename) any other lnk in \secure\startup folder. Should be only one file with lnk extension here.
7b) copy \usb\infiniivision.lnk to \secure\startup
8 ) reboot and *not* good to go

This is what my infiniivision.lnk looks like:
\secure\startup> type infiniivision.lnk

211#infiniivisionLauncher.exe -l MSO -l MEMUP -l EMBD -l AUTO -l FLEX -l PWR -l COMP -l SGM -l MASK -l BW50 -l AUDIO -l WAVEGEN -l AERO -l VID -l ADVMATH -l ASV -l SCPIPS -l RML -l VID -l CABLE -l DIS -l TOM -l SGMC

When I reboot, it comes up without any licenses enabled.  If I telnet in and run these two commands, I get a session with the licenses enabled.
processmgr kill infiniivisionlauncher.exe
infiniivisionLauncher.exe -l MSO -l MEMUP -l EMBD -l AUTO -l FLEX -l PWR -l COMP -l SGM -l MASK -l BW50 -l AUDIO -l WAVEGEN -l AERO -l VID -l ADVMATH -l ASV -l SCPIPS -l RML -l VID -l CABLE -l DIS -l TOM -l SGMC

Anybody know what I'm doing wrong?  It doesn't seem to be executing the .lnk file.

\> dir \secure\startup

    Directory of \secure\startup

03/03/18  07:18p                         217 infiniivision.lnk
01/27/17  02:51p                           0 orig.sav
 
The following users thanked this post: salvagedcircuitry

Offline Safar

  • Regular Contributor
  • *
  • Posts: 117
  • Country: ru

Strange. All looks correct.
Not sure this helps, but... I have absolutely the same string, but the file length is 215 bytes, not 217. Maybe a CRLF at the end is disturbing it?
 
The following users thanked this post: utmba95

Online TK

  • Frequent Contributor
  • **
  • Posts: 703
  • Country: us
  • I am a Systems Analyst who plays with Electronics
5) \windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
Can this step be run from a custom-made install script instead of telnet? The 1000X series does not have a LAN interface.
 
The following users thanked this post: utmba95

Offline Safar

  • Regular Contributor
  • *
  • Posts: 117
  • Country: ru



I think it's possible; you need to make a fake cab file with an xml script.
 

Online TK

  • Frequent Contributor
  • **
  • Posts: 703
  • Country: us
  • I am a Systems Analyst who plays with Electronics


Is the patch just to avoid the unfinished software error message, or does it open all options? The infiniivisionLauncher application (or infiniivisionCore.DLL) on the 1000X does not take any options.
 

Offline Safar

  • Regular Contributor
  • *
  • Posts: 117
  • Country: ru





Just to avoid the error message (and patch the network subsystem). Options are opened by starting infiniivisionLauncher with switches.
 

Offline utmba95

  • Newbie
  • Posts: 2
  • Country: us

Thanks! I had a *leading* CRLF that I hadn't noticed. :-[ I had actually checked for one at the end.
« Last Edit: April 17, 2018, 11:04:22 am by utmba95 »
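The 215-versus-217-byte difference above is the whole diagnosis: a Windows CE shortcut is plain text of the form "<len>#<command line>", where <len> is the byte count of everything after the '#', so any bytes before the digits (a leading CRLF) or after the command line (the newline most editors append) leave the shortcut unusable. As an added example (not code from the thread), the script below generates the exact bytes of the posted infiniivision.lnk, checks an existing file for those mistakes, and writes it in binary mode so no newline translation can creep in. The only inputs are the executable name and option list as posted; the "211#" prefix is recomputed from the command line rather than typed.

```python
"""Added example, not code from the thread: build the Windows CE shortcut that
\\secure\\startup\\infiniivision.lnk must contain, and check an existing one.
CE .lnk files are plain text "<len>#<command line>", <len> being the byte
count of what follows the '#'. The executable name and option list below are
the ones posted in the thread; nothing else is assumed."""

EXE = "infiniivisionLauncher.exe"
# option codes exactly as in the posted command line (VID appears twice there)
OPTIONS = ["MSO", "MEMUP", "EMBD", "AUTO", "FLEX", "PWR", "COMP", "SGM", "MASK",
           "BW50", "AUDIO", "WAVEGEN", "AERO", "VID", "ADVMATH", "ASV", "SCPIPS",
           "RML", "VID", "CABLE", "DIS", "TOM", "SGMC"]


def make_ce_lnk(exe=EXE, options=OPTIONS):
    """Exact bytes of the .lnk: length prefix, '#', command line, and no newline."""
    cmd = (exe + "".join(f" -l {o}" for o in options)).encode("ascii")
    return str(len(cmd)).encode("ascii") + b"#" + cmd


def check_ce_lnk(data):
    """Return (ok, reason). Catches the ways a hand-made .lnk goes wrong:
    leading junk before the digits, a missing or non-numeric prefix, and a
    declared length that does not match the command line (a trailing CRLF
    shows up as a +2 mismatch)."""
    if not data[:1].isdigit():
        return False, f"first byte {data[:1]!r} is not a digit (leading CRLF or BOM?)"
    head, sep, cmd = data.partition(b"#")
    if not sep or not head.isdigit():
        return False, "missing '#' or non-numeric length prefix"
    declared = int(head)
    if declared != len(cmd):
        return False, f"prefix says {declared} bytes but command line is {len(cmd)}"
    if cmd != cmd.strip(b"\r\n\t "):
        return False, "command line has leading/trailing whitespace"
    return True, f"ok, {len(data)} bytes total"


def write_ce_lnk(path, data):
    """Binary mode on purpose: text mode (and most editors) would add a newline."""
    with open(path, "wb") as f:
        f.write(data)


if __name__ == "__main__":
    lnk = make_ce_lnk()
    print(lnk.decode())
    print(check_ce_lnk(lnk))
    print(check_ce_lnk(b"\r\n" + lnk))    # the 217-byte file from the post
```

Copy the output of write_ce_lnk() to the USB stick and verify on the scope with "dir \secure\startup": the size must equal the prefix plus the length of the prefix and the '#'.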
 

Offline edyno

  • Contributor
  • Posts: 7
  • Country: sk
Hi All,
I have a new DSOX2002A. After a short time I needed to upgrade from 2ch to 4ch. After disassembling the device, I investigated everything I need to buy. Semiconductors, relays and resistors are clear, but, for example, I do not know all the capacitor values yet. If you know the order numbers or values, I'll be happy. Thanks in advance for every tip.

I attach some photos of the DSOX2002A in case someone wants to do a similar job in the future.
** I am working on a list of parts **
« Last Edit: April 19, 2018, 03:50:28 am by edyno »
DSOX2002A
 
The following users thanked this post: Relaxe

Offline mlloyd1

  • Contributor
  • Posts: 5
Very interesting stuff here.
Has anybody successfully hacked the DSO-X 3024T running FW version 7.20.20171026?

mlloyd1

 

Offline Netroman

  • Contributor
  • Posts: 10
  • Country: at
Hi guys - please allow me to ask one question: If I update my MSOX3024T with latest firmware 2.43 - is logging in via telnet still possible? Or possibly they modified the updates to prevent telnet access?

Absolutely great work! Because of this thread I just ordered this (for hobby) not very cheap puppy ;-)

Thanks, best regards Josef
 

