Author Topic: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?  (Read 1106516 times)


Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru
Hi guys, I have a DSO-X 3034A; unfortunately the firmware went down. The xloader, pboot and uboot work fine. I have updated pboot and uboot with the same files from the update package 3000XSeries.02.43.2018020635.ksb (use uboot over UART to stop the pboot boot process, use the kermit protocol to transfer the files to memory, and use the cp command to overwrite the old pboot and uboot). The NAND memory should be flashed too, but I don't know how, and where do I get the NAND data? In other words, how can I fix it by hand? Any ideas? (PS: the NAND has been erased and I don't have a LAN module.)
Not sure, but does "start usb" work at the uboot prompt? (With a USB flash drive connected.)

Otherwise you should use LAN to TFTP-upload the kernel.

Edit: it should be an .NB0 file for upload. You can find conversion utilities in this topic.
« Last Edit: April 09, 2018, 01:17:33 pm by Safar »
 

Offline eevfans

  • Newbie
  • Posts: 2
  • Country: cn
Hi guys, I have a DSO-X 3034A; unfortunately the firmware went down. The xloader, pboot and uboot work fine. I have updated pboot and uboot with the same files from the update package 3000XSeries.02.43.2018020635.ksb (use uboot over UART to stop the pboot boot process, use the kermit protocol to transfer the files to memory, and use the cp command to overwrite the old pboot and uboot). The NAND memory should be flashed too, but I don't know how, and where do I get the NAND data? In other words, how can I fix it by hand? Any ideas? (PS: the NAND has been erased and I don't have a LAN module.)
Not sure, but does "start usb" work at the uboot prompt? (With a USB flash drive connected.)

Otherwise you should use LAN to TFTP-upload the kernel.
The uboot doesn't support USB devices, and I used three uboot versions: the version from the factory (unknown), the version in 3000XSeries.02.35.2013061800, which certainly supports booting from USB, and the uboot version from the last update package, 3000XSeries.02.43.2018020635. None of these can boot from the USB disk, which does boot on my friend's identical DSO-X 3034A with version 02.35.2013061800. I need to modify the LAN board and submit it to the factory for production; it may take a few days.
 

Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru



I don't mean booting the OS from USB. I know that is impossible in the latest versions. I mean that some uboot versions (in general) can load a kernel file from USB and write it to NAND. So does the "start usb" command work in uboot? If yes, you can try "usb write".
 

Offline jasonbrent

  • Regular Contributor
  • *
  • Posts: 176
DSOX3014T running 07.20.2017102614 "liberated".
Unsure how to get rid of "WARNING: Unsealed Instrument", which also seems to cause "Hardware Self Test" to fail with "Self test failed: Firmware Status".

Some of my licenses still show a * beside them, but I think that's because it had "valid" trial licenses in place when it was liberated.

Thank you to those who have shared.

-j
 

Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru



Some of my licenses still show a * beside them, but I think that's because it had "valid" trial licenses in place when it was liberated.

Thank you to those who have shared.

-j

On the 3000A scope this * sign appears if I use the group license ("-All").

 

Offline jasonbrent

  • Regular Contributor
  • *
  • Posts: 176



Some of my licenses still show a * beside them, but I think that's because it had "valid" trial licenses in place when it was liberated.

Thank you to those who have shared.

-j

On the 3000A scope this * sign appears if I use the group license ("-All").

Ah ha, ok, makes sense.

If there are any ambitious folk, Microsoft Research released an API/toolchain called "Detours" (a.k.a. "trampolines") years ago that allows for interception of an API call, inserting your own code, then jumping (trampolining) to the original API call. It's available here: https://www.microsoft.com/en-us/research/project/detours/

Detours API 3.0 apparently works on ARM/WindowsCE.

With some work, the code paths that check the validity of licenses or for "Unsealed Instrument" could be dynamically skipped instead of manually patching the checks.

(There are reasonably large projects that use this library to greatly extend the originally intended function of some Windows software...)

-j
 

Offline jasonbrent

  • Regular Contributor
  • *
  • Posts: 176
Cool deal with those offsets, yes, the 3KT firmware version is the same, I can't confirm it's the same _image_ for the 4K series though.

Perhaps I'm missing something, but one could just telnet in, copy from USB and replace the "link" file with a more intelligent executable stub which also handled the detouring. No need to rebuild the image in that scenario, right?

I refreshed my IDA pro license to current yesterday hoping to get some time to have "fun" with all of these images soon-ish.

-j
 

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3742
  • Country: ca
  • Living the Dream
Cool deal with those offsets, yes, the 3KT firmware version is the same, I can't confirm it's the same _image_ for the 4K series though.

The download/install images are different but the changes are quite subtle I believe.
VE7FM
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
Has anyone looked at the 1000X firmware patch? It is not taking the options like the 2000X or the 3000X when loaded from \Secure... Wondering why Keysight is keeping it more protected than the more expensive 2000X or 3000X series.
 

Offline mlloyd1

  • Contributor
  • Posts: 25

That's a good question.
I might guess they'll sell A LOT more 1000 than 2000 & 3000 (combined?).

mlloyd1
 

Offline utmba95

  • Newbie
  • Posts: 2
  • Country: us
Hi,

On a 3000A model I've tried both 2.42 and 2.43, but I've been unable to make the changes sticky.  I'm using these instructions:

0) Install correct Firmware version first (i.e. in this case 2.43)
1) Download Safar's patched_nk_bin.comp file and copy to a USB stick and plug in.
2) Telnet into the scope.
3) Login infiniivision / skywalker1977
4) processmgr kill infiniivisionlauncher.exe
5) \windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
6) Create a file on the USB stick called infiniivision.lnk with contents (e.g.)
7a) delete (or rename) any other lnk in \secure\startup folder. Should be only one file with lnk extension here.
7b) copy \usb\infiniivision.lnk to \secure\startup
8 ) reboot and *not* good to go

This is what my infiniivision.lnk looks like:
\secure\startup> type infiniivision.lnk

211#infiniivisionLauncher.exe -l MSO -l MEMUP -l EMBD -l AUTO -l FLEX -l PWR -l COMP -l SGM -l MASK -l BW50 -l AUDIO -l WAVEGEN -l AERO -l VID -l ADVMATH -l ASV -l SCPIPS -l RML -l VID -l CABLE -l DIS -l TOM -l SGMC

When I reboot, it comes up without any licenses enabled.  If I telnet in and run these two commands, I get a session with the licenses enabled.
processmgr kill infiniivisionlauncher.exe
infiniivisionLauncher.exe -l MSO -l MEMUP -l EMBD -l AUTO -l FLEX -l PWR -l COMP -l SGM -l MASK -l BW50 -l AUDIO -l WAVEGEN -l AERO -l VID -l ADVMATH -l ASV -l SCPIPS -l RML -l VID -l CABLE -l DIS -l TOM -l SGMC

Anybody know what I'm doing wrong?  It doesn't seem to be executing the .lnk file.

\> dir \secure\startup

    Directory of \secure\startup

03/03/18  07:18p                         217 infiniivision.lnk
01/27/17  02:51p                           0 orig.sav
 
The following users thanked this post: salvagedcircuitry

Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru
This is what my infiniivision.lnk looks like:
\secure\startup> type infiniivision.lnk

211#infiniivisionLauncher.exe -l MSO -l MEMUP -l EMBD -l AUTO -l FLEX -l PWR -l COMP -l SGM -l MASK -l BW50 -l AUDIO -l WAVEGEN -l AERO -l VID -l ADVMATH -l ASV -l SCPIPS -l RML -l VID -l CABLE -l DIS -l TOM -l SGMC

\> dir \secure\startup

    Directory of \secure\startup

03/03/18  07:18p                         217 infiniivision.lnk
01/27/17  02:51p                           0 orig.sav

Strange. It all looks correct.
Not sure if this helps, but... I have exactly the same string, but the file length is 215 bytes, not 217. Maybe a CR/LF at the end is disturbing it?
 
The following users thanked this post: utmba95

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics
5) \windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
Can this step be run from a custom-made install script instead of telnet? The 1000X series does not have a LAN interface.
 
The following users thanked this post: utmba95

Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru


5) \windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
Can this step be run from a custom-made install script instead of telnet? The 1000X series does not have a LAN interface.

I think it's possible; you need to make a fake cab file with an XML script.
 

Offline TK

  • Super Contributor
  • ***
  • Posts: 1722
  • Country: us
  • I am a Systems Analyst who plays with Electronics


5) \windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
Can this step be run from a custom-made install script instead of telnet? The 1000X series does not have a LAN interface.

I think it's possible; you need to make a fake cab file with an XML script.
Is the patch just to avoid the unfinished-software error message, or does it open all options? The infiniivisionLauncher application (or infiniivisionCore.DLL) on the 1000X does not take any options.
 

Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru




5) \windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
Can this step be run from a custom-made install script instead of telnet? The 1000X series does not have a LAN interface.

I think it's possible; you need to make a fake cab file with an XML script.
Is the patch just to avoid the unfinished-software error message, or does it open all options? The infiniivisionLauncher application (or infiniivisionCore.DLL) on the 1000X does not take any options.

It just avoids the error message (and patches the network subsystem). Options are opened by starting infiniivisionLauncher with switches.
 

Offline utmba95

  • Newbie
  • Posts: 2
  • Country: us
This is what my infiniivision.lnk looks like:
\secure\startup> type infiniivision.lnk

211#infiniivisionLauncher.exe -l MSO -l MEMUP -l EMBD -l AUTO -l FLEX -l PWR -l COMP -l SGM -l MASK -l BW50 -l AUDIO -l WAVEGEN -l AERO -l VID -l ADVMATH -l ASV -l SCPIPS -l RML -l VID -l CABLE -l DIS -l TOM -l SGMC

\> dir \secure\startup

    Directory of \secure\startup

03/03/18  07:18p                         217 infiniivision.lnk
01/27/17  02:51p                           0 orig.sav

Strange. It all looks correct.
Not sure if this helps, but... I have exactly the same string, but the file length is 215 bytes, not 217. Maybe a CR/LF at the end is disturbing it?

Thanks! I had a *leading* CR/LF that I hadn't noticed. :-[ I had actually checked for one at the end.
« Last Edit: April 17, 2018, 01:04:22 am by utmba95 »
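The length mismatch in the two posts above (215 versus 217 bytes) follows from the Windows CE shortcut format: a .lnk is a plain-text file of the form <length>#<command>, where <length> is the character count of the command that follows, with nothing before the length field and no newline after the command. The script below is an added example, not code from this thread or from Keysight: it builds the infiniivision.lnk used above from the option list and checks an existing file for exactly the stray CR/LF problem discussed; the file path in write_lnk is a hypothetical name.

```python
# Added example: build and sanity-check a Windows CE "<length>#<command>"
# shortcut such as \secure\startup\infiniivision.lnk. Not from the thread.
import re

# The -l switches from the infiniivision.lnk posted above.
OPTIONS = ["MSO", "MEMUP", "EMBD", "AUTO", "FLEX", "PWR", "COMP", "SGM", "MASK",
           "BW50", "AUDIO", "WAVEGEN", "AERO", "VID", "ADVMATH", "ASV", "SCPIPS",
           "RML", "VID", "CABLE", "DIS", "TOM", "SGMC"]


def launcher_command(options=OPTIONS):
    """'infiniivisionLauncher.exe -l MSO -l MEMUP ...' for the given switches."""
    return "infiniivisionLauncher.exe " + " ".join(f"-l {o}" for o in options)


def build_lnk(command):
    """Encode a CE shortcut: decimal length, '#', the command, and nothing else."""
    if "\r" in command or "\n" in command:
        raise ValueError("command must not contain CR/LF")
    return f"{len(command)}#{command}".encode("ascii")


def write_lnk(path, command):
    """Write in binary mode so no platform newline translation sneaks in."""
    with open(path, "wb") as f:          # path is hypothetical, e.g. "infiniivision.lnk"
        f.write(build_lnk(command))


_LNK_RE = re.compile(rb"\A(\d+)#(.*)\Z", re.S)


def check_lnk(raw):
    """Return a list of problems with raw shortcut bytes; empty means it looks OK."""
    problems = []
    if raw[:1] in (b"\r", b"\n", b" ", b"\t"):
        problems.append("leading whitespace/CR/LF before the length field")
    if raw[-1:] in (b"\r", b"\n", b" ", b"\t"):
        problems.append("trailing whitespace/CR/LF after the command")
    m = _LNK_RE.match(raw.strip())
    if not m:
        problems.append("not of the form <length>#<command>")
        return problems
    declared, cmd = int(m.group(1)), m.group(2)
    if declared != len(cmd):
        problems.append(f"declared length {declared} but command is {len(cmd)} bytes")
    return problems


if __name__ == "__main__":
    good = build_lnk(launcher_command())
    bad = b"\r\n" + good                  # constructed: the leading CR/LF from the post
    print(len(good), check_lnk(good))     # 215 []
    print(len(bad), check_lnk(bad))       # 217 ['leading whitespace/CR/LF before the length field']
```

Run check_lnk over the bytes of the file on the USB stick before copying it to \secure\startup; it reports the leading or trailing CR/LF and a wrong length prefix separately, so a 217-byte file is diagnosed rather than just counted.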
 

Offline edyno

  • Newbie
  • Posts: 8
  • Country: sk
Hi All,
I have a new DSOX2002A. Within a short time I needed an upgrade from 2ch to 4ch. After disassembling the device, I investigated everything I need to buy. Semiconductors, relays and resistors are clear, but, for example, I do not know all the capacitor values yet. If you happen to know the order numbers or values, I'd be happy. Thanks in advance for every tip.

I attach some photos of the DSOX2002A in case someone wants to do a similar job in the future.
** I am working on list of parts **
« Last Edit: April 18, 2018, 05:50:28 pm by edyno »
DSOX2002A
 
The following users thanked this post: Relaxe

Offline mlloyd1

  • Contributor
  • Posts: 25
Very interesting stuff here.
Has anybody successfully hacked the DSO-X 3024T running FW version 7.20.20171026?

mlloyd1

 

Offline Netroman

  • Contributor
  • Posts: 10
  • Country: at
Hi guys - please allow me to ask one question: If I update my MSOX3024T with latest firmware 2.43 - is logging in via telnet still possible? Or possibly they modified the updates to prevent telnet access?

Absolutely great work! Because of this thread I just ordered this (for hobby) not very cheap puppy ;-)

Thanks, best regards Josef
 

Offline JeffreyLatter

  • Contributor
  • Posts: 28
  • Country: dk
  • Electronics Technician
The 3000T X-series runs the 7.xx firmwares and at least with the 7.20.20171026 firmware, telnet access and modification is possible  :-+
 
The following users thanked this post: mlloyd1, Relaxe

Offline Safar

  • Regular Contributor
  • *
  • Posts: 119
  • Country: ru
Hi guys - please allow me to ask one question: If I update my MSOX3024T with latest firmware 2.43 - is logging in via telnet still possible? Or possibly they modified the updates to prevent telnet access?

2.43 is the latest FW for the "A" version (not for T). Telnet is still there:
infiniivision/skywalker1977
« Last Edit: May 05, 2018, 10:34:51 am by Safar »
 

Offline Netroman

  • Contributor
  • Posts: 10
  • Country: at
Thanks a lot for your important hint; I did get the wrong firmware, even though I searched for my scope on the Keysight site.

Now I downloaded the 7.20 from keysight.

So I guess it will be much more difficult to patch the software for my scope, because I have to find the right hex locations for patching? Your tutorials were mostly related to the other variants :(

Thanks again, Josef
 

Offline mlloyd1

  • Contributor
  • Posts: 25
Thanks again Jeffrey.
 :-+
I suspected this would work.
I'll try this on mine in a few weeks and report back.
In the middle of a move right now.

mlloyd1
 

Offline jasonbrent

  • Regular Contributor
  • *
  • Posts: 176

...snip....

Code:
3000T series:
firmware 7.20
----------------
1) options patch:  0x486f3c  --> "04 00 A0 E1" --> "00 00 A0 E3"
2) nag patch:      0x4f22c8  --> "A8 F1 93 E5" --> "01 00 A0 E3"

To understand how to apply these patches, the best way is to follow Safar's post, details here... They seem to have taken the same approach with all of the firmwares now: the DLL is NO longer on disk; it has to be modified directly in the Windows CE image (nk.bin).


https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1453285/#msg1453285

@PhillyFlyers, @Safar - Thank you.

7.20 on 3KT now has the nag gone.. I patched "options" and "nag".

Using Safar's instructions, it took me a bit to realize that I needed to use the offsets provided by Philly in infiniivision.dll to get a signature to match in the uncompressed .bin, plus viewbin's data dump to get the "Record" (Record[173] for 7.2/3KT), use the hex in that data dump to get the offset in nk.bin to find the beginning/end of the DLL in the .bin, patch the 2 locations, update the checksum, compress, copy to USB, flash via telnet... (hopefully this very quick chain of thought helps someone else later...).

What is unexpected is on boot I'm now seeing "System concerns detected: - Secure Storage is uninitialized. Please set instrument serial and licensing model numbers." as a per-boot popup. Once I close that, about shows the proper serial#/model/bandwidth and all options.

I'm using the simple loader that jeffrey helped with along with the patched offsets.

I don't see any direct reference to that string/message in the (printed) thread, although there are some similar messages.... I didn't get this before patching nk.bin -- did I hose the patch or just needed to expect "secure storage is uninitialized"?

Thanks,

-j

 
The following users thanked this post: mlloyd1
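As an added example of the "patch the 2 locations, update the checksum" step in the post above (my code, not the thread's and not Keysight's): nk.bin is a Windows CE B000FF image, a sequence of records that each carry a load address, a length and a 32-bit checksum that is just the byte sum of the record's data; these are the Record[n] entries viewbin lists. The script locates the record covering a virtual address, verifies the expected original bytes (the signature) before writing anything, and recomputes only that record's checksum. The dll_base value is an assumption standing in for the address you read off viewbin for the start of infiniivision.dll in the image; the sample image is constructed for the test; and the ARM decodings in the comments are my reading of the hex words, not something stated in the thread.

```python
# Added example: patch bytes in a Windows CE B000FF image (nk.bin) and fix the
# checksum of the record that was touched. Not from the thread or from Keysight.
import struct

MAGIC = b"B000FF\n"   # 7-byte signature, then image start (u32) and image length (u32)


def record_checksum(data):
    """CE record checksum: plain byte sum, truncated to 32 bits."""
    return sum(data) & 0xFFFFFFFF


def parse_records(img):
    """Yield (index, address, length, checksum, data_offset) for each data record."""
    if bytes(img[:7]) != MAGIC:
        raise ValueError("not a Windows CE B000FF image")
    pos, idx = 7 + 8, 0
    while pos + 12 <= len(img):
        addr, length, chk = struct.unpack_from("<III", img, pos)
        pos += 12
        if addr == 0 and chk == 0:          # terminator: 'length' holds the entry point
            break
        yield idx, addr, length, chk, pos
        pos += length
        idx += 1


def verify_checksums(img):
    """True if every record's stored checksum matches its data."""
    return all(record_checksum(img[off:off + ln]) == chk
               for _, _, ln, chk, off in parse_records(img))


def patch_image(img, vaddr, old, new):
    """Replace `old` with `new` at virtual address `vaddr`; refuse on signature mismatch."""
    if len(old) != len(new):
        raise ValueError("patch must keep the length")
    out = bytearray(img)
    for _, addr, length, _, off in parse_records(out):
        if addr <= vaddr and vaddr + len(old) <= addr + length:
            fo = off + (vaddr - addr)                    # file offset of vaddr
            if bytes(out[fo:fo + len(old)]) != old:
                raise ValueError(f"signature mismatch at 0x{vaddr:08X}")
            out[fo:fo + len(new)] = new
            struct.pack_into("<I", out, off - 4, record_checksum(out[off:off + length]))
            return bytes(out)
    raise ValueError(f"0x{vaddr:08X} is not inside any record")


def signature_matches(img, vaddr, old):
    """The precheck on its own: is `old` what currently sits at `vaddr`?"""
    try:
        patch_image(img, vaddr, old, old)
        return True
    except ValueError:
        return False


# The 7.20 / 3000T patches quoted above, as (offset within the DLL, old, new).
PATCHES = [
    (0x486F3C, bytes.fromhex("0400A0E1"), bytes.fromhex("0000A0E3")),  # MOV R0,R4 -> MOV R0,#0
    (0x4F22C8, bytes.fromhex("A8F193E5"), bytes.fromhex("0100A0E3")),  # LDR PC,[R3,#0x1A8] -> MOV R0,#1
]


def apply_dll_patches(img, dll_base, patches=PATCHES):
    """dll_base (assumed): virtual address where the DLL's bytes start in nk.bin, per viewbin."""
    for off, old, new in patches:
        img = patch_image(img, dll_base + off, old, new)
    return img


def build_image(records, entry=0x80001000):
    """Construct a minimal B000FF image from [(address, data), ...] (test input only)."""
    body = b"".join(struct.pack("<III", a, len(d), record_checksum(d)) + d for a, d in records)
    body += struct.pack("<III", 0, entry, 0)
    start = min(a for a, _ in records)
    end = max(a + len(d) for a, d in records)
    return MAGIC + struct.pack("<II", start, end - start) + body


def sample_image(dll_base=0x80000000):
    """Constructed image: one 256-byte record per patch site holding the original word."""
    recs = []
    for off, old, _ in PATCHES:
        page = bytearray(0x100)
        page[off & 0xFF:(off & 0xFF) + 4] = old
        recs.append((dll_base + (off & ~0xFF), bytes(page)))
    return build_image(recs)


if __name__ == "__main__":
    img = sample_image()
    patched = apply_dll_patches(img, 0x80000000)
    print(verify_checksums(img), verify_checksums(patched))  # True True
```

On a real image, run verify_checksums on the uncompressed nk.bin first (a False there means the decompression, not the patch, is the problem), then apply_dll_patches with the DLL's base address, and only then compress and flash. The signature check is what makes the published offsets safe to reuse across builds: if the bytes at dll_base + offset are not the expected instruction word, nothing is written.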
