Author Topic: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?  (Read 1114018 times)


Offline TopLoser

  • Supporter
  • ****
  • Posts: 1922
  • Country: fr
I still have many questions.  :scared:

Where did you find version 2.35? (it is not available on the official website)

3000 series 2.35 CAB here:
https://dl.dropboxusercontent.com/u/2063383/3000XSeries.02.35.2013061800.cab

Use this CAB file as a source of the two files that will replace the ones on your scope. Then use it to downgrade your scope to 2.35

No need to edit or modify the contents of any of the files yet. That will come later when you have downgraded to 2.35.





 
The following users thanked this post: Andrew

Offline cassiopeia

  • Newbie
  • Posts: 8
Dear all,

I confirmed that it is possible to launch the 2.38 version from USB stick, with 2.35 firmware inside. Anyway, I have a question about changing the splash screen : I found the new one more, humm... serious.
I have of course read the whole thread, but it did not work. I have no LAN adapter, so I try to do this with the USB key.
What I did :
put
Code:
21#\usb\img.cmd
in the Startup\infiniiVision.lnk file of the usb key.
create an img.cmd file, at the root of the USB key, with :
Code:
\Windows\compileImageForSplashScreen.exe \usb\img.png \Secure\infiniiVision\splashImage.bin
But nothing happened... Any clue ? Thanks !
 
The following users thanked this post: Andrew

Offline kilobyte

  • Regular Contributor
  • *
  • Posts: 73
  • Country: de
    • My Website
Hi,

I did a test on my scope and it should work.

My Steps:

1. create a bat file in usb root dir (create_splashscreen.bat)
2. I inserted the following text: \windows\compileImageForSplashScreen.exe \usb\splashImage.png \Secure\InfiniiVision\splashImage.bin
3. rename the existing infiniivision.lnk (like infiniivision2.lnk)
4. create a new infiniivision.lnk with 28#\usb\create_splashscreen.bat

Plug the flashdrive into the scope and power up.

Now it takes some time.
An interesting effect is that the hacked Infiniivision software will be loaded too.
After a reboot with the USB stick unplugged, it should show the new splashscreen (It's a stupid idea to use a scope screenshot as a splashscreen  ;D)

If you want to try it with my files you can download it here http://kaibareis.de/dsox/Splashscreen_change.zip

Best Regards
Kai
 
The following users thanked this post: Andrew

Offline cassiopeia

  • Newbie
  • Posts: 8
Thank you !

Your script works, mine does not... the only differences are some case in path name (Windows vs windows and infiniivision vs Infiniivision). I'll dig into that...
 
The following users thanked this post: Andrew

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 824
  • Country: es
Try changing .cmd extensions to .bat
 
The following users thanked this post: Andrew

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 773
Please, is anyone able to provide me with the 2.35 files for DSOX2000 series?
Thanks!!!!

Solved - 2000 firmware seems to be identical to the 3000 firmware, thus TopLoser's link above is fine.
« Last Edit: February 06, 2015, 09:20:28 am by Pinkus »
 
The following users thanked this post: Andrew

Offline yocheng

  • Newbie
  • Posts: 8
  • Country: hk
I modified the keysight logo to a more known brand  >:D

A real HP/Agilent/Keysight product now  ;)

I wrote a little tool to extract the Bitmap data and the location from the dll, not finished yet but it works with 4byte aligned Bitmap data.

I upgraded to firmware 2.38, but the Keysight brand is too ugly and I want to switch back to Agilent, such as in the place circled in red in the picture. I would like to ask how to do this?
 
The following users thanked this post: Andrew

Offline srhelio

  • Newbie
  • Posts: 2
I still have many questions.  :scared:

Where did you find version 2.35? (it is not available on the official website)

3000 series 2.35 CAB here:
https://dl.dropboxusercontent.com/u/2063383/3000XSeries.02.35.2013061800.cab

Use this CAB file as a source of the two files that will replace the ones on your scope. Then use it to downgrade your scope to 2.35

No need to edit or modify the contents of any of the files yet. That will come later when you have downgraded to 2.35.


Hello everyone, I have read all the posts and I have some questions:

I have got an MSOX-2014A with old firmware 2.20.2012110802. I found only the above firmware but I don't know if 3000xSeries is the same as 2000xSeries.

First I will update the scope to 2.35 firmware and then I will continue all the process that you wrote, right?

Thanks for your work !!!
 
The following users thanked this post: Andrew

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 773
First I will update the scope to 2.35 firmware and then I will continue all the process that you wrote, right?
YES
 
The following users thanked this post: Andrew

Offline kilobyte

  • Regular Contributor
  • *
  • Posts: 73
  • Country: de
    • My Website
Does anyone want to change the firmware new scope DSOX/MSOX 3000T ?

The 3000T looks to be not hackable.
The nk.bin.comp is encrypted (Verisign DIGITAL ID) and it looks like the infiniivisioncore.dll is integrated in the nk.bin.comp file.

I modified the keysight logo to a more known brand  >:D

A real HP/Agilent/Keysight product now  ;)

I wrote a little tool to extract the Bitmap data and the location from the dll, not finished yet but it works with 4byte aligned Bitmap data.

I upgraded to firmware 2.38, but the Keysight brand is too ugly and I want to switch back to Agilent, such as in the place circled in red in the picture. I would like to ask how to do this?

It's a bit complicated but I will create a short guide and some necessary files on how to change the logo.
 
The following users thanked this post: Andrew

Offline Neganur

  • Supporter
  • ****
  • Posts: 1138
  • Country: fi
kilobyte, how difficult would you think it would be to add USB mouse support to the 2000A/3000A ? Is it a matter of adding a driver to the embedded 6CE?
Even though the GUI probably has no click-able items, I'd love to be able to use the mouse-wheel. Unfortunately, only very few keys on the keyboard have any function outside of the text entry mode (ESC, arrow keys)
 
The following users thanked this post: Andrew

Offline srhelio

  • Newbie
  • Posts: 2
Hello.

Can someone confirm that the firmware 3000XSeries.02.35.2013061800.cab is compatible with my MSOX 2014A?

If NO, where can I download it?

KILOBYTE, I read that you have got it on your website but I can't find it.

Thanks.
 
The following users thanked this post: Andrew

Offline yocheng

  • Newbie
  • Posts: 8
  • Country: hk
Does anyone want to change the firmware new scope DSOX/MSOX 3000T ?

The 3000T looks to be not hackable.
The nk.bin.comp is encrypted (Verisign DIGITAL ID) and it looks like the infiniivisioncore.dll is integrated in the nk.bin.comp file.

I modified the keysight logo to a more known brand  >:D

A real HP/Agilent/Keysight product now  ;)

I wrote a little tool to extract the Bitmap data and the location from the dll, not finished yet but it works with 4byte aligned Bitmap data.

I upgraded to firmware 2.38, but the Keysight brand is too ugly and I want to switch back to Agilent, such as in the place circled in red in the picture. I would like to ask how to do this?

It's a bit complicated but I will create a short guide and some necessary files on how to change the logo.


Look forward to your tutorial :-+
 
The following users thanked this post: Andrew

Offline oedipe78

  • Newbie
  • Posts: 4
The 3000T looks to be not hackable.
The nk.bin.comp is encrypted (Verisign DIGITAL ID) and it looks like the infiniivisioncore.dll is integrated in the nk.bin.comp file.

Hi,
I bought a DSOX3014T and I'm ready to run tests for a crack.
I checked too, the files are encrypted (Verisign DIGITAL ID).
Can you modify the file, maybe for a 30-day license?  :-/O
What do you think?
 
The following users thanked this post: Andrew

Offline Pinkus

  • Frequent Contributor
  • **
  • Posts: 773
If the 30 day period would mean 30x24 = 720 scope working hours, this would be fine for many people.

I did not check the PCB pictures (and maybe something similar was mentioned in the 49 pages above), but somewhere there probably will be a real time clock running. What if this clock is being stopped? Or running very sloooooooooow by changing its crystal?
Then at least the off-time of the scope would not count, which could be sufficient in many cases.
 
The following users thanked this post: Andrew

Offline Sbampato12

  • Regular Contributor
  • *
  • Posts: 221
  • Country: it
If the 30 day period would mean 30x24 = 720 scope working hours, this would be fine for many people.

I did not check the PCB pictures (and maybe something similar was mentioned in the 49 pages above), but somewhere there probably will be a real time clock running. What if this clock is being stopped? Or running very sloooooooooow by changing its crystal?
Then at least the off-time of the scope would not count, which could be sufficient in many cases.


Even if this could work, and the software options are great tools, you are still missing the MSO and BW upgrade...
 
The following users thanked this post: Andrew

Offline deadbeef

  • Newbie
  • Posts: 2
The 30 day trial option that comes with the scope is a kind of a "hack" from Agilent's side to give you the options without generating the licences and compromising the private keys used for signing the licenses. At least it was so in fw 2.38...
The scope uses some variables in its "secure storage" (which seems to be encrypted part of the flash).

When starting it checks if the demo was never used before. Then when you start it it remembers when the demo should expire, how many days you have left and current date.
When the scope starts up it checks the time difference between stored "current date" and current time and figures out how many days have passed.
It also checks if you are past the "demo expiry date"

It also remembers the "current date" if you manually set the clock. So dialing forward to 2176 or something like that and starting the demo, dialing clock back... will not trick it.

So... 30 days trial period does not mean 720 working hours, it means 30 realtime days (counted in seconds if I remember correctly)

If infinivision.dll is in the nk.bin.comp and this is encrypted/signed and verified somewhere in the boot process, this means that hacking will be very difficult with high potential to brick the scope...

Oh... and the "Unfinalized software" message does not come from any signature and/or checksum failure... it is a side effect of patching the dll. You basically modify a function to always return false. The true value of that function is otherwise stored in the "secure storage"... :)

 
The following users thanked this post: Andrew
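
One way to implement the trial bookkeeping described in the post above, as an added example (not code from the firmware or from any poster). The field and function names, and the policy of granting no credit when the clock moves backwards, are assumptions.

```python
from dataclasses import dataclass

DAY = 86_400
TRIAL_SECONDS = 30 * DAY  # 30 real-time days, counted in seconds


@dataclass
class TrialState:
    """Values held in protected storage (field names are hypothetical)."""
    started: bool = False
    expires_at: int = 0    # absolute demo expiry date
    seconds_left: int = 0  # remaining trial time
    last_seen: int = 0     # stored "current date"


def _charge(state: TrialState, now: int) -> None:
    """Deduct the wall-clock time elapsed since the stored date."""
    elapsed = now - state.last_seen
    if elapsed > 0:
        state.seconds_left = max(0, state.seconds_left - elapsed)
    # elapsed <= 0: clock moved back unannounced; assumed policy: no credit.
    if now >= state.expires_at:
        state.seconds_left = 0
    state.last_seen = now


def start_trial(state: TrialState, now: int) -> bool:
    """Start the demo once; refuse if it was ever used before."""
    if state.started:
        return False
    state.started = True
    state.expires_at = now + TRIAL_SECONDS
    state.seconds_left = TRIAL_SECONDS
    state.last_seen = now
    return True


def on_boot(state: TrialState, now: int) -> int:
    """Run at startup; returns the trial seconds remaining."""
    if state.started:
        _charge(state, now)
    return state.seconds_left


def on_clock_set(state: TrialState, old_now: int, new_now: int) -> None:
    """Manual clock change: bill time up to the change, then re-anchor."""
    if state.started:
        _charge(state, old_now)
    state.last_seen = new_now
```

Because the remaining-time counter is billed independently of the absolute expiry date, a trial started with the clock set far ahead still runs out after 30 real days once the clock is set back.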

Offline ben_r_

  • Frequent Contributor
  • **
  • Posts: 419
  • Country: us
  • A Real Nowhere Man
Soo glad to see this thread is still alive and kicking and people are still working on hacking these scopes! Thank you to everyone! Now we just need to get it all consolidated in one tutorial thread/post and it'll be complete!
If at first you don't succeed, redefine success!
 
The following users thanked this post: Andrew

Offline Sparky

  • Frequent Contributor
  • **
  • Posts: 450
  • Country: us
Firmware revision 2.39 has been released March 10, 2015.

The release notes do not report new features or bug fixes.  Instead only two enhancements are listed:
- Bit rate measurement units have been improved.
- Reference memory skew behavior is improved in some situations.

The update seems rather minor and obscure...I wonder if it contains undocumented changes to the protection mechanisms, or blocking firmware downgrades etc.
 
The following users thanked this post: Andrew

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 824
  • Country: es
3000T nk.bin.comp decryptor with source. No "illegal numbers" inside, the key is derived from file data.
« Last Edit: March 16, 2015, 03:06:41 pm by abyrvalg »
 
The following users thanked this post: Andrew, AltF4Swe

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 824
  • Country: es
More info on kernel/encryption/etc: there are two WinCE images in the scope - main one (nk.bin.comp) and recovery (recover.nk.bin.comp). It is unknown yet when recovery gets activated (this functionality is in bootloader which is not available for study). As far as I can see, recovery asks for USB stick with .ksx/.agx (firmware) file and installs it.
nk.bin.comp is signed and encrypted - can't modify it straight away. recover.nk.bin.comp is neither signed nor encrypted - can be modified.
nk.bin.comp decryption/verification takes place at install time (by LoadP500Flash.exe flasher), signature is not written into flash, so bootloader doesn't verify anything.
Conclusion: modify LoadP500Flash.exe in recovery to bypass sig check, flash modded recovery, enter recovery mode (how?), flash modded main via modded recovery... PROFIT.
 
The following users thanked this post: Andrew

Offline georgd

  • Regular Contributor
  • *
  • Posts: 62
  • Country: cs
Uboot is released under GPL license.

In the following post tnt wrote:

https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg253106/#msg253106

Not quite true. I addressed a request to Agilent directly to get the source for the GPL software distributed with the scope (u-boot mostly) and I received the source package back. I also posted a link to it in the first topic about this scope, probably more than a year ago.


Georg
 
The following users thanked this post: Andrew

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 824
  • Country: es
Looks like telnet password is changed too. It is generated from instrument id now (still possible to get it, but I don't have a 3000T to try anyway)
 
The following users thanked this post: Andrew

Offline DavidDLC

  • Frequent Contributor
  • **
  • Posts: 755
  • Country: us
Has anyone tried 2.39 ?

I want to buy an oscilloscope and the vendor has this version.

David.
 
The following users thanked this post: Andrew

Offline iankellogg

  • Newbie
  • Posts: 4
I managed to get this hack to work with 200 MHz bandwidth on my scope but has anyone ever figured out how to load the hack to the internal flash?
 
The following users thanked this post: Andrew

