DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?

[gamalot]

Firmware version 2.50 was released today for the 2000A/3000A series.

Major release details:

Bug Fixes for both 2000A and 3000A
- Fixed an issue of an unrelated error message showing when adjusting the UART/CAN/LIN
baud-rate.
- Fixed an issue of the Reference Waveform file (.h5) incorrectly saving data with twice the
timebase delay when there is a non-zero delay on the displayed waveform.
- Fixed an issue of the inverted channel mode not displaying the waveform correctly in
Averaging Mode.

Changes for both 2000A and 3000A
- Due to a lack of browser support for Java-based applications, support for the legacy Javabased remote front panel has been removed. A modern HTML5-based remote front panel is available.
- As of version 2.50, the VNC server software for the remote front panel functionality is no
longer bundled with the scope software by default. Upgrading to 2.50 will not delete the
VNC server software from the scope, but new scopes will no longer ship with the VNC
server software installed. For scopes without the software installed, the Browser Web
Control page will provide a link for installing the software.

Enhancements for both 2000A and 3000A
- Added support for High-Speed LAN Instrument Protocol (HiSLIP).

[NorcalNerd]

If anyone could please check my steps/understanding on my Jan 7 post -- a couple of questions I'd appreciate it much

Should I image the 3024A with 2.50 instead of 2.43?

Spring is here, I'll be out hiking...

Thank you,
NN


Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #2084 on: January 07, 2019, 01:23:31 am »
ReplyQuoteModifyRemove
Hello again, and thanks for your help.

Acquiring a DSOXLAN, I'm finally ready to do the upgrade to my 3024A running "factory" 2.43, applying the latest patched 2.43 (and it is a rainy weekend) -- I have a couple of questions please.

1/ Can anyone clarify the contents of the link file to enable all features available in the patched firmware -- for the 3024A?

From previous responses, I am not clear on if my modified link contents (cmd line) is correct -- specifically, the preceding "211#..." which I  think would have been OK if I had the 350MHz model, and appears to represent the length of the infiniivisionLauncher.exe cmd line not including the preceding "211#".

"211#infiniivisionLauncher.exe -l MSO -l MEMUP -l EMBD -l AUTO -l FLEX -l PWR -l COMP -l SGM -l MASK -l BW50 -l AUDIO -l WAVEGEN -l AERO -l VID -l ADVMATH -l ASV -l SCPIPS -l RML -l VID -l CABLE -l DIS -l TOM -l SGMC"

The above (not for my scope) is indeed 211 characters in length so it makes sense (to me) I need to change that number.

Is the below correct (I removed "-l BW50" alone) -- with the # of characters now being 203? :

"203#infiniivisionLauncher.exe -l MSO -l MEMUP -l EMBD -l AUTO -l FLEX -l PWR -l COMP -l SGM -l MASK -l AUDIO -l WAVEGEN -l AERO -l VID -l ADVMATH -l ASV -l SCPIPS -l RML -l VID -l CABLE -l DIS -l TOM -l SGMC"

As I am now clear I can revert back to the factory v2.43 if I am to sell the scope or send it in for cal, there's just one more thing:

2/ Should I expect the "unsealed instrument" warning to appear after in the liberated 2.43 -- and if so, can I ignore it (will it impact anything) or is there another patch to make that warning disappear?

Thank you kindly for verifying this and your help, best to all in 2019!

NorcalNerd

[schmike]

Hi
Just brought the 3014T
Can you explain the procedure of hack the 3014T?
Thanks

[schmike]

Hi
Will the DSOX3014A HAVE THE FRA Function?

[schmike]

Thanks
I have finish on 3014A
Thanks again
But still have the 3014T want to hack
I need the fra function

[dsmay4]

I'm close to pulling the trigger on a new MSOX4024A, but I wanted to ping the experts here to see if the same hack is feasible on this model before I blow all that money... 

I know a lot of folks have talked about doing it on the 1000/2000/3000 series and on the DSOs, but wasn't sure if the same technique works for the 4000 series and the MSO specifically, especially with recent firmware releases (want to make sure no holes were closed).

Also is the file still available?

TIA, you guys have done some awesome work here!

[Pinkus]

somewhere above the prodedures for the 4000 series is explained. Hint: click on "Print" and then do a search with CRTL-F through all pages looking for 4000 or 4024 etc.

[dsmay4]

Will do and thanks. I should have thought of that.

[The_PCB_Guy]

Greetings folks,

I just purchased a very lightly used DSOX3024A oscilloscope on ebay for $3750 USD (a bargain, I would think). This scope already includes the DSOX3APPBNDL, which includes the following options:

DSOX3ADVMATH Advanced math measurement application
DSOX3AERO A/D trigger and decode (MIL-STD 1553/ARINC 429)
DSOX3AUDIO Audio serial trigger and analysis (I²S)
DSOX3AUTO Automotive trigger and analysis (CAN/LIN)
DSOX3COMP Computer trigger and analysis (RS232/UART)
DSOX3EMBD Embedded trigger and analysis (I²C/SPI)
DSOX3FLEX FlexRay trigger and analysis
DSOX3MASK Mask limit testing
DSOX3MEMUP Memory upgrade to 4 Mpts
DSOX3PWR Power measurements
DSOX3SGM Segmented memory acquisition
DSOX3VID Video trigger and analysis
DSOX3WAVEGEN Integrated 20 MHz function/arbitrary waveform generator

I have read through some of this thread but there is so much to dig through. I would like to hack the scope to add the MSO option at the very least. I would also love to upgrade from 200MHz to 500MHz, but that is not a priority. Anything else beyond that is frosting on the cake. I imagine if any thread has the information required to do this, it would be this one, but like I said there's a lot of pages to pore over. I was wondering if someone happens to have answered this question already, and would be able to point me to that post? In the meantime I'll keep looking on my own.

Thanks very much,
Matt

[Dwaine]

If anyone could please check my steps/understanding on my Jan 7 post -- a couple of questions I'd appreciate it much

Should I image the 3024A with 2.50 instead of 2.43?

Spring is here, I'll be out hiking...

Thank you,
NN


Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #2084 on: January 07, 2019, 01:23:31 am »
ReplyQuoteModifyRemove
Hello again, and thanks for your help.

Acquiring a DSOXLAN, I'm finally ready to do the upgrade to my 3024A running "factory" 2.43, applying the latest patched 2.43 (and it is a rainy weekend) -- I have a couple of questions please.

1/ Can anyone clarify the contents of the link file to enable all features available in the patched firmware -- for the 3024A?

From previous responses, I am not clear on if my modified link contents (cmd line) is correct -- specifically, the preceding "211#..." which I  think would have been OK if I had the 350MHz model, and appears to represent the length of the infiniivisionLauncher.exe cmd line not including the preceding "211#".

"211#infiniivisionLauncher.exe -l MSO -l MEMUP -l EMBD -l AUTO -l FLEX -l PWR -l COMP -l SGM -l MASK -l BW50 -l AUDIO -l WAVEGEN -l AERO -l VID -l ADVMATH -l ASV -l SCPIPS -l RML -l VID -l CABLE -l DIS -l TOM -l SGMC"

The above (not for my scope) is indeed 211 characters in length so it makes sense (to me) I need to change that number.

Is the below correct (I removed "-l BW50" alone) -- with the # of characters now being 203? :

"203#infiniivisionLauncher.exe -l MSO -l MEMUP -l EMBD -l AUTO -l FLEX -l PWR -l COMP -l SGM -l MASK -l AUDIO -l WAVEGEN -l AERO -l VID -l ADVMATH -l ASV -l SCPIPS -l RML -l VID -l CABLE -l DIS -l TOM -l SGMC"

As I am now clear I can revert back to the factory v2.43 if I am to sell the scope or send it in for cal, there's just one more thing:

2/ Should I expect the "unsealed instrument" warning to appear after in the liberated 2.43 -- and if so, can I ignore it (will it impact anything) or is there another patch to make that warning disappear?

Thank you kindly for verifying this and your help, best to all in 2019!

NorcalNerd

Does the new firmware 2.50 work with the hack?

[KC0PPH]

I searched this thread looking for info on a 1204G but do not see that in here. Is it too new to have been hacked? It is a bit above what I wanted to spend but thinking its much better than the MSO5000 from Rigol. If the Keysight one is hackable to full specs id gladly go for it over the Rigol as its having some issues.

[TK]

I don't think the 1204G is at the level of the Rigol MSO5000 in terms of features (sample rate, memory, math, serial decode options, etc).  I was attracted to the MSO5074 features, purchased it but ended up returning it... having all the fancy features but the basic stuff not working reliably was a big NO for me. 

I would consider a used 4 channel 2000X or 3000X instead of the MSO5074 or 1204G, but it is not easy to get hand on a cheap one these days... the used test equipment market these days is crazy expensive.

[Joee]

Hello guys,

I managed to telnet to port 23 on oscilloscope startup but after boot the session quits. What am I doing wrong?

I got a MSO-X 3034A, FW 2.50

[PhillyFlyers]

Hello guys,

I managed to telnet to port 23 on oscilloscope startup but after boot the session quits. What am I doing wrong?

I got a MSO-X 3034A, FW 2.50

Hi,

wait until the scope is all booted up, then attempt to telnet in, remember, the first telnet attempt always immediately disconnects.
Just telnet in again and try the usual login/pwd...

Also, I don't know if anyone on here has taken the 2.50 SW upgrade yet and tried it with the hacks, to see if it still works?

I haven't taken a look at it myself yet.... so hopefully you can still get in and do the usual magic

[Joee]

I tried many times. Only at the first boot seconds I get a connection.

Does anybody still have the 2.43 Firmware file?

[PhillyFlyers]

I tried many times. Only at the first boot seconds I get a connection.

Does anybody still have the 2.43 Firmware file?

I have it at home if no one else is able to post it here beforehand, I can put it up later...

Wow, I wonder if they actually went on the aggressive and are attempting to put down this hacking path? 

Although I still think we can get in from the uboot menu and write flash that way, but then that would require the executable to still be patchable with the options enables, that could be changed as well?

it's been so long since I played with this now, anyone remember if it's easy to go back to lower firmware versions? 

[kilobyte]

I updated a DSOX2024A (no hack needed because the APP Bundle and MSO option is installed) to 2.50 and did a port scan.
The result was that the telnet port 23 is no longer active. No further investigation yet.

So i will not update the 2.43 firmware on my own DSOX3024A.
I only use the hack to enable the MSO option because I already have the APP Bundle installed.

[Xavier64]

Firmware 2.43

https://mega.nz/#!lSJwDAzK!YQSZ0AnbJ7rloFFBDppx7iaGKqcftTBsGBUjhnez_bk


and the patched nk.bin for 2.43

https://mega.nz/#!1GIAlaqY!AbS8cnGSqtntFIgGVGeTM3YNNWoBcHaEUNvuj80B7kg




@kilobyte

Can you double check the telnet issue please ?!
If this is correct than no more hacks possible. Maybe Telnet is only on a different port now...

[The_PCB_Guy]

Firmware 2.43

https://mega.nz/#!lSJwDAzK!YQSZ0AnbJ7rloFFBDppx7iaGKqcftTBsGBUjhnez_bk


and the patched nk.bin for 2.43

https://mega.nz/#!1GIAlaqY!AbS8cnGSqtntFIgGVGeTM3YNNWoBcHaEUNvuj80B7kg

You, Sir, are a gentleman and a scholar!

[kilobyte]

A portscan and testing the other ports showed no other telnet port except the SCPI Telnet port.

With V2.50 the Telnet port is only available for a short time before the infiniiVisionLauncher kills the service and starts the scope app.
But it is possible to kill the launcher if the login and process kill command is handled by a python script running directly after the network connection has been established. (ping /t)

using the launcher from here still allows to start the App with different Options
\Secure\infiniiVision\infiniiVisionLauncher.exe

[The_PCB_Guy]

Firmware 2.43

https://mega.nz/#!lSJwDAzK!YQSZ0AnbJ7rloFFBDppx7iaGKqcftTBsGBUjhnez_bk


and the patched nk.bin for 2.43

https://mega.nz/#!1GIAlaqY!AbS8cnGSqtntFIgGVGeTM3YNNWoBcHaEUNvuj80B7kg

I have read back quite a ways and unfortunately I am still unclear as to how to apply this firmware and patch. My new DSOX3024A will be here early next week. It currently has firmware version 2.37, and has the DSOX3APPBUNDL installed. I want to add the MSO option using the hack. How exactly would I do that with the above files?

Thanks,
Matt

[Xavier64]

The hack works without the patched file, but with the patched file all RED errors will be NOT shown.

Ok, so I assume the minimal steps are:

0) Install correct Firmware version first (i.e. in this case 2.43)
1) Download Safar's patched_nk_bin.comp file and copy to a USB stick and plug in.
2) Telnet into the scope.
3) Login infiniivision / skywalker1977
4) processmgr kill infiniivisionlauncher.exe
5) \windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
6) Create a file on the USB stick called infiniivision.lnk with contents (e.g.) "88#infiniivisionLauncher.exe -l MSO -l BW20 -l DIS -l PLUS -l SCPIPS -l VID -l CABLE --perf"
7a) delete (or rename) any other lnk in \secure\startup folder. Should be only one file with lnk extension here.
7b) copy \usb\infiniivision.lnk to \secure\startup
8 ) reboot and good to go

[kilobyte]

Attached is the litte script, mostly the telnet client example from the python documentation, to login and kill the process.
If the program doesn't exit with an error message then its a good sign that the launcher was kill successfully and you can login with the known credentials.

[The_PCB_Guy]

The hack works without the patched file, but with the patched file all RED errors will be NOT shown.

Ok, so I assume the minimal steps are:

0) Install correct Firmware version first (i.e. in this case 2.43)
1) Download Safar's patched_nk_bin.comp file and copy to a USB stick and plug in.
2) Telnet into the scope.
3) Login infiniivision / skywalker1977
4) processmgr kill infiniivisionlauncher.exe
5) \windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
6) Create a file on the USB stick called infiniivision.lnk with contents (e.g.) "88#infiniivisionLauncher.exe -l MSO -l BW20 -l DIS -l PLUS -l SCPIPS -l VID -l CABLE --perf"
7a) delete (or rename) any other lnk in \secure\startup folder. Should be only one file with lnk extension here.
7b) copy \usb\infiniivision.lnk to \secure\startup
8 ) reboot and good to go

Thanks a ton, this is very helpful. I guess I'm hung up on how to Telnet into the scope though. Without having it here next to me (still being half way across the country) I'm a bit confused about the connections required. I admit I know absolutely nothing about Telnet....

[The_PCB_Guy]

Apologies for the double-post, but something I forgot to mention (probably a biggie) is that the scope I'm getting does not have a network module. Telnet will be a bit tricky without an internet connection 

Perhaps I should focus on how to apply the hack permanently through USB. I think that was mentioned earlier in this thread but I couldn't find enough details to allow me to replicate the process accurately.