Author Topic: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?  (Read 1106888 times)

dimmog and 6 Guests are viewing this topic.

Offline DavidDLC

  • Frequent Contributor
  • **
  • Posts: 755
  • Country: us
What a lucky me.

I bought a DSO-X-2014A to replace my DSO-X2012A, I got the cheapest price on the internet for it (first part of been lucky)

I was nervous about it having the latest firmware and have to do the hack using the lan, thanks to georges80 for the board, but.....the unit came with software 2.36 ! I was able to downgrade to 2.35 using only the cab file, and since I already had the usb hacked software for my 2012A it was so easy to convert the new one ! Wooooooraleeee.

 O0 :clap: :clap: :clap:

David.
 
The following users thanked this post: Andrew

Offline Hugoneus

  • Frequent Contributor
  • **
  • Posts: 955
  • Country: us
    • The Signal Path Video Blog
Has anyone used the FPGA programming port on the unit? My unit's flash is completely erased (was corrupted). When I turn the unit on, nothing at all happens.
How did you manage to do this? What FPGA programming port do you mean? Are you sure the u-boot bootloader is corrupted, too? If not, you could enter commands with the serial port (see this post for the pins) and flash it again over network. Otherwise you really need to find and use some JTAG port.

Unfortunately it is fully erased. It was really badly corrupted. The RS232 port no longer outputs anything. The u-boot is basically completely gone. But there is another port on the PCB which I assume is the JTAG port of the FPGA...
 
The following users thanked this post: Andrew

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 823
  • Country: es
Hugoneus, check this post for CPU JTAG https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg274963/#msg274963

Another possibility is BootROM USB flash loader mode:
ST's flash utility http://www.st.com/web/en/catalog/tools/PF257557
This mode should be activated by pulling BOOT_SEL pin (K18, check the picture) low at power on, but no reports on this so far. The PCB picture in JTAG post looks like there is a track in inner layer going to this pin, perhaps you can look closer. If it is tied straight to VCC then bad luck, otherwise try shorting it to GND and turning the scope on with USB cable attached to PC - does something pops up?
Also SPEAr600 RM says that ROM enters USB boot if normal (flash) boot fails regardless of BOOT_SEL state. But this requires primary bootloader in flash to be corrupted "correctly" so ROM doesn't recognize it (briefly shorting some flash DATA lines at power up is common way to simulate this state).
 
The following users thanked this post: Andrew

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 823
  • Country: es
A quick look into xloader_image.bin shows that UBOOT image is loaded from SPI flash rather than from NAND. SOIC8 U3204 25Pxxx (hard to read) near the CPU must be it.
In worst case you can desolder it and program xloader_image.bin (at 0) and u-boot_image.bin (at 0x10000) manually - this should be enough to get u-boot up running.
 
The following users thanked this post: Andrew

Offline rickstar

  • Newbie
  • Posts: 3
Hi, I am loving this thread.

Does anybody have a link to download 2.37 or can I PM them for an email please :-)
 
The following users thanked this post: Andrew

Offline dziobu

  • Newbie
  • Posts: 3
  • Country: pl
Agilent MSO ScreenGrab (freeware on http://xyzyk.pl)
 
The following users thanked this post: Andrew, 77Ribetts

Offline rickstar

  • Newbie
  • Posts: 3
Does anybody have a link to download 2.37 or can I PM them for an email please :-)

https://www.dropbox.com/s/y4y3d2xmj2gmgdb/2000XSeries.02.37.2014052002.cab?dl=0

Thank you very much, so are a good man  :) :clap:  :-+
 
The following users thanked this post: Andrew

Offline oedipe78

  • Newbie
  • Posts: 4
Looks like telnet password is changed too. It is generated from instrument id now (still possible to get it, but I don't have a 3000T to try anyway)

Yes, the telnet password has been changed.
I have a 3000T, what to do to get the password?
 
The following users thanked this post: Andrew

Offline mischo22

  • Newbie
  • Posts: 9
It is possible to extract the programm files from an 3000T (Telnet)? can i run the 3000T-Software an an 3000 scope?
 
The following users thanked this post: Andrew

Offline Neganur

  • Supporter
  • ****
  • Posts: 1138
  • Country: fi
probably not, IIRC there's a bigger FPGA on the T model. I wouldn't mind paying an upgrade fee for the touch though. I keep grabbing the trigger level dial instead of the entry knob >.>
 
The following users thanked this post: Andrew

Offline dianzimi

  • Contributor
  • Posts: 28
firmware 2.39 is successful crack without usb device and the band is 200Mhz.you can crack all option by the  update the  firmware(it is have changed some parameter of original firmware file).
 
The following users thanked this post: Andrew

Offline gts1991

  • Newbie
  • Posts: 2
Can you gentlemen do as unlock? DSOX2002A instructions with pictures ?  ??? Because I do not fully understand how to do it safely .  ;D
Thank you  8)
« Last Edit: April 21, 2015, 08:23:40 pm by gts1991 »
 
The following users thanked this post: Andrew

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Today I requested budget for DSOX2024 used, and leave a document fragment.

.........Options                                                 
                    DSOX2MASK Mask Limit Testing                           
                    DSOX3VID  DSOX3VID Video Triggering and Analysis       
                    (this is not a std option availble for   
                    DSOX2000 series but a special version)   
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 
The following users thanked this post: Andrew

Offline v1t0r

  • Contributor
  • Posts: 18
  • Country: pt
I'm about to buy a DSOX2004A but before making a purchase I'd like to know if it's still possible to make the hack in recent firmware or is required to hack the hardware?
 
The following users thanked this post: Andrew

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
I'm in the same situation, I would buy DSOX2002A.
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 
The following users thanked this post: Andrew

Offline GlowingGhoul

  • Regular Contributor
  • *
  • Posts: 236
Is the 3000T series hackable? I read many posts but the answer doesn't seem clear to me.
 
The following users thanked this post: Andrew

Offline eman (AKA e-lectric-man)

  • Newbie
  • Posts: 7
I've been reading this thread since I got my new MS0-X-3052A about a week ago. I am mostly a hobbyist in my electronics interests and have no commercial use for this equipment. As such I feel fine about using the hacks discussed in this thread.

I wouldn't actually mind paying a fair price to get the scope's features enabled, but I have not found the licenses at anywhere near a reasonable price. So here I am.

The scope I got is apparently been sitting on some shelf for quite a while. It came with FW version 2.10, and it's manufacture date is 2012. It's a fine machine, and I got it for a very good price from eBay. It is completely new and in original packaging, and I'm happy with the purchase. After making my first pass at reading this thread I decided that I needed to upgrade the FW to version 2.35, as this seems to be the most preferred around here. I downloaded a copy from a link provided in https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg616147/#msg616147 comment. I installed the upgrade, and it went just fine. So the scope now has FW version 2.35.

Next I proceeded to building a USB stick with the hack discussed earlier in the thread. Thanks to all the people involved in this ongoing project. This is one of the best threads on such a technical subject that I've ever seen, and I'm quite impressed with the fact that it is still active.

So my first version of the USB setup was a total mess, and of course it didn't work at all. Then I hunkered down and figured out the layout of the file system that is required, and I found that all the ones described herein have at least a few minor inaccuracies, and some are outright wrong. I started with the _setup.xml file found in the CAB FW file. I converted a copy of this file in stages into a set of commands for building the directory tree required for the USB stick, and populating it with the files appropriately renamed. The structure of the directories is most closely correctly given in the https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg364171/#msg364171 post. It has just one minor inaccuracy. The web-socket-js folder should be inside the include folder. Thus:

Quote
\
+-infiniiVision
  +-fpga
  +-upgrade
  +-web
     +-css
     +-help
     +-image
     +-include
     +-web-socket-js
     +-lib
     +-Lxi
        +-Identification
     +-navbar
+-Startup
infiniivisionStartupOverride.txt

should be:

\
+-infiniiVision
  +-fpga
  +-upgrade
  +-web
     +-css
     +-help
     +-image
     +-include
          +-web-socket-js
     +-lib
     +-Lxi
        +-Identification
     +-navbar
+-Startup
infiniivisionStartupOverride.txt

I'm not actually sure how important this is, but I added this information in case it helps anybody.

Another minor problem I found was the case difference between some file names and references to them. One in particular seemed like a potential deal breaker is the one pointing to the infiniivisionLauncher.exe file in the infiniivision.lnk file in the Startup folder. Either the file was originally spelled with "vision" and the link with "Vision" or the other way around. I can't remember which at the moment. I'm aware that WinCE is most likely case insensitive like Windows, but I remember back in the ancient time when I was a Windows programmer I ran into a variety of exceptions to this rule. So I think some care should be taken here to match the cases properly. As a matter of fact some experimenting I did with testing this match led to USB stick configurations that behaved quite differently as I tried to boot the scope.

At any rate, I am now at the stage that I can produce USB sticks that will either seem to do nothing as I boot the scope, or else they hang it in a boot flashing-lights loop. I don't think I have yet successfully booted from a USB stick, partly because I haven't seen any error messages when I  boot the scope. I also have not seen the list of enabled licenses change. Finally, I can always remove the USB stick after a successful boot without the scope rebooting, which seems to indicate that the scope must have booted from the internal FW.

In the meantime I've also enabled the 30 day trial, which may be affecting me in some way I don't understand yet.

I'll keep playing with this stuff until I get it to work. I think my next step is to setup some way to allow me to telnet to the scope. Then I can play with the internal code, which I have not yet done.

This is a lot of fun. Thanks to all participants!

 
The following users thanked this post: Andrew

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1922
  • Country: fr
Try lots and lots of different USB sticks, it's hit and miss which types work. For me it's been seriously hit and miss which sticks work with any particular scope. Never found one particular make that works with all scopes.
 
The following users thanked this post: Andrew

Offline eman (AKA e-lectric-man)

  • Newbie
  • Posts: 7
I also initially thought that different sticks behaved differently. However, it seems to me that if I populate a stick in the proper order right after I format it, I get much more consistent behavior. Here's what I do now all the time:

  • I always format the stick before populating it.
  • I copy the infiniivisonStartupOverride.txt file onto the stick first. I often get the hanging loop behavior if I don't do this.
  • Next I copy the Startup folder. This also helps avoid the loop-di-loops, although to a lesser extent.
  • The last thing I copy onto the stick is the infiniiVision folder.
 
The following users thanked this post: Andrew

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1922
  • Country: fr
I can send you a link to a doenload for a known good and working file structure for a 3000 series scope if you think that would take out one more variable?
 
The following users thanked this post: Andrew

Offline eman (AKA e-lectric-man)

  • Newbie
  • Posts: 7
Sure! I think I've got it right, but I don't really have a way to verify this. It would help either eliminate one avenue, or fix the problem altogether.

I appreciate your offer, and I will look forward to the link.
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se
Try lots and lots of different USB sticks, it's hit and miss which types work. For me it's been seriously hit and miss which sticks work with any particular scope. Never found one particular make that works with all scopes.

My success rate with USB stick was 5 working like charm and one type not. All working units were Kingston. But there were people with USB stick from same vendor, exactly same type only small difference in size (eg 32G and 32G) and the boot does not work at all.
So it is really strange behavioral.
 
The following users thanked this post: Andrew

Offline Sbampato12

  • Regular Contributor
  • *
  • Posts: 221
  • Country: it
For me, the best rates were with Sandisk ones. And Kingston but the OLD ones, relly old (the first 'generation' of DataTravelers).
 
The following users thanked this post: Andrew

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1922
  • Country: fr
Sure! I think I've got it right, but I don't really have a way to verify this. It would help either eliminate one avenue, or fix the problem altogether.

I appreciate your offer, and I will look forward to the link.

https://dl.dropboxusercontent.com/u/2063383/Agilent%20DSOX3000%20237%20cracked.zip
 
The following users thanked this post: Andrew

Offline eman (AKA e-lectric-man)

  • Newbie
  • Posts: 7
Quote
Quote
Sure! I think I've got it right, but I don't really have a way to verify this. It would help either eliminate one avenue, or fix the problem altogether.

I appreciate your offer, and I will look forward to the link.
https://dl.dropboxusercontent.com/u/2063383/Agilent%20DSOX3000%20237%20cracked.zip

Thanks for the link. As it turns out, my USB setup was exactly the same as the one in the link. Not :o by this!

So my results are still the same, meaning: I may have a working hack, but I can't tell for sure because of the 30 day trial being active. On the other hand I may be playing the game of "Find the Right USB Stick", since I can in some circumstances get the loop-di-loop behavior.

Thanks a bunch anyway. You have helped me eliminate some variables here!
 
The following users thanked this post: Andrew


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf