Author Topic: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?  (Read 1120701 times)


Offline Sparky

  • Frequent Contributor
  • **
  • Posts: 450
  • Country: us
I'm seeing the same thing. It was fine with 2.39 - not sure if it is 2.41 with a home brew dsox2lan or if it is using the external link. Either way mine still works fine via DHCP even though the IP information on screen is not displayed correctly.

@TheSteve: Thanks for the confirmation.  I'm using the Agilent VGA/LAN module and since the problem exists even in this case it doesn't seem related to the home brew LAN modules.

I've not seen this problem on v2.39 or any earlier firmware.  I will try again tomorrow...  I wonder if this is a bug in v2.41?
 
The following users thanked this post: Andrew

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5319
  • Country: gb
The LAN interface is configured according to how it was set up in the unanointed setup, but it shows nonsense once anointed. I've only set LAN parameters when in a standard config. I can connect with a browser using the settings originally made, ignoring what's displayed.

I also suspect there may be other things that might be affected, such as cal settings (not yet certain about this) so I only do a cal in basic config as a result.
 
The following users thanked this post: Sparky, Andrew

Offline memset

  • Regular Contributor
  • *
  • Posts: 137
  • Country: ru
Has anyone seen this before?  Is the IP address shown (92.251.81.2) typical in the case of not being able to obtain IP address from DHCP server?  Other instruments seem to be working fine...
Default, DHCP-failed IP should be 196.254.x.y (/16 subnet mask). Maybe your unit has some static configuration defaulted in.
 
The following users thanked this post: Sparky, Andrew

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3753
  • Country: ca
  • Living the Dream
Just to confirm 100%, the odd looking LAN settings only occur when using an infiniivision_ext.lnk with firmware 2.41.
The displayed network information will be incorrect but the scope will still grab an IP via DHCP and communicate fine. If you need to use a static IP it should be configured with unpatched firmware (disable the lnk file). You will also find "User Cal Status" is always shown as unprotected when using the infiniivision_ext.lnk file - I believe this was the case with previous patched versions as well. A User Cal will still complete successfully and be displayed properly; if you boot unpatched the scope will show that User Cal Status is protected.
VE7FM
 
The following users thanked this post: Sparky, Andrew

Offline Sparky

  • Frequent Contributor
  • **
  • Posts: 450
  • Country: us
The LAN interface is configured according to how it was set up in the unanointed setup, but it shows nonsense once anointed...

...Maybe your unit has some static configuration defaulted in.

Just to confirm 100%, the odd looking LAN settings only occur when using an infiniivision_ext.lnk with firmware 2.41...

Thanks, Howardlong, memset, TheSteve for the follow-up and confirmations.  I tested again myself by removing the _ext.lnk and the IP configuration is immediately back to normal.  It's not any static configuration I had. 

I set the hostname while 'unanointed' and reserved a static IP on my router so the scope is still using DHCP but will always get the same IP.  I then put back the _ext.lnk.  Sure enough the nonsense network information is back but at least I can communicate with the scope at a known address.  The web interface still works but instead of responsive like it was, it is very sluggish, there is missing data (see picture attached), and some things don't work any more (e.g. "Identification = On" in the picture attached).

It's unfortunate there is some broken functionality with _ext.lnk :(  Oh well...it's still much easier than previous methods.

Best,
Sparky
 
The following users thanked this post: Andrew

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3753
  • Country: ca
  • Living the Dream
The screen you're showing does seem pretty sluggish to respond but I find the screen grab and the full remote control scope seems the same speed as always (the HTML 5 version anyway).
VE7FM
 
The following users thanked this post: Andrew

Offline mischo22

  • Newbie
  • Posts: 9
I found the problem with the LAN:

Normally the scope starts the \Windows\infiniivisionlauncher.exe.
The .lnk file points to \secure\infiniivision\infinnivisionlauncher.exe.
The files aren't the same!

If I start the /Windows/infiniivisionlauncher.exe, the command "-l all" is ignored. No LAN problem.
If I start the file from the secure path, the "-l all" is accepted, but with the LAN problem.

I copied the infiniivisionlauncher.exe from \Windows to \secure\infiniivision.
The file doesn't start. DLL not found.


« Last Edit: August 10, 2016, 08:15:40 am by mischo22 »
 
The following users thanked this post: Andrew

Offline memset

  • Regular Contributor
  • *
  • Posts: 137
  • Country: ru
Normally the scope starts the \Windows\infiniivisionlauncher.exe.
The .lnk file points to \secure\infiniivision\infinnivisionlauncher.exe.
The files aren't the same!

Not 100% correct.

Original startup launcher is:
\Program Files\InfiniiVision\infiniivisionLauncher.exe
Original launcher is .NET-based, other (in \Secure) is native.
I don't know why there are two of them, nor have I tested \Program Files\InfiniiVision\infiniivisionLauncher.exe to work with a non-empty command line string.
 
The following users thanked this post: Andrew

Offline mischo22

  • Newbie
  • Posts: 9
The directory \program files\infiniivision is a ramdisk. On boot the files from \Windows are copied to it.
You can see it from the file timestamp.

It is possible to copy your own files to the path, so it isn't a read-only filesystem.

I copied the infiniivisionlauncher.exe from the secure path to the "program files" path and started it manually.
Same result: "-l all" accepted, but LAN display problem.
 
The following users thanked this post: Andrew

Offline georgd

  • Regular Contributor
  • *
  • Posts: 62
  • Country: cs
Two years ago in this thread someone reported a problem with patched firmware running from USB stick and the WEB interface, the link below points to the solution:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg484234/#msg484234

Georg
 
The following users thanked this post: Andrew

Offline mischo22

  • Newbie
  • Posts: 9
Two years ago in this thread someone reported a problem with patched firmware running from USB stick and the WEB interface, the link below points to the solution:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg484234/#msg484234

Georg

This was only necessary when the program starts from a USB stick.
 
The following users thanked this post: Andrew

Offline mischo22

  • Newbie
  • Posts: 9
I have tested the following solution to run the scope with all licenses and without LAN problems:

First, you need telnet access to perform the hack (in future a CAB would be nice) and to be running firmware 2.41.

1. Login with telnet in your scope
2. Stop software with "processmgr kill infiniivisionlauncher.exe"
3. Copy the file \program files\infiniivision\infiniivisioncore.dll to the usb stick
4. Patch the dll at position 0x027C0E8. Change the bytes from "04 00 a0 e1" to "00 00 a0 e3"
5. Copy the patched dll to "\secure\"
6. Create a file "startinfiniivision.cmd" with this content:
Code:
processmgr kill infiniivisionlauncher.exe
copy \secure\InfiniiVisionCore.dll "\program files\infiniivision\InfiniiVisionCore.dll"
"\program files\infiniivision\infiniivisionlauncher.exe" -l all -l BW50 -l SCPIPS -l SGMC -l CABLE
7. Copy this file to "\secure\"
8. Create a link file with the following content and install the link with the LinkInstallerCab:
Code:
50#\windows\cmd.exe /c \Secure\startinfiniivision.cmd
9. Done!

Your scope runs without problems and all licenses are activated
 :)


Uninstall the hack:
1. Remove the link with the linkInstallerCab
2. Login into the scope
3. Delete the created files with "del \secure\startinfiniivision.cmd" and "del \secure\InfiniiVisionCore.dll"
4. Done!


Is it possible to create a CAB install file with these steps like the LinkInstallerCab, but I don't know how I can create the CAB file.
« Last Edit: August 13, 2016, 09:51:11 pm by mischo22 »
 
The following users thanked this post: Sparky, Relaxe, viki2000, Andrew

Offline Sparky

  • Frequent Contributor
  • **
  • Posts: 450
  • Country: us
Normally the scope starts the \Windows\infiniivisionlauncher.exe.
The .lnk file points to \secure\infiniivision\infinnivisionlauncher.exe.
The files aren't the same!

mischo22: Seems like you've made some important discoveries here!  It's the first time I've read that there are two versions of infiniivisionlauncher.exe ...and even more weird they are not the same, and that trying to use one instead of the other causes the LAN problem but allows various license activation (-l switch)!  In summary you found:

1) \Windows\infiniivisionLauncher.exe (is copied to ramdisk \Program Files\InfiniiVision\infiniivisionLauncher.exe) : LAN works, but -l options ignored

2) \Secure\Infiniivision\infinnivisionLuncher.exe : LAN doesn't work, but -l options accepted

It is a mystery why there are two versions, but clear that they provide different functionality.  I think you discovered the first version must be used for functioning LAN, and though I don't know how (or my understanding might be wrong) it seems patching the dll allows the -l options to be accepted.  Furthermore, the dll must be in the same directory as infiniivisionLauncher.exe

I have tested the following solution to run the Scope with all licenses and without lan-problems:
...

Wow!  I think it's the first time someone showed how to have a modified dll on v2.41!
 
The following users thanked this post: Andrew

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3753
  • Country: ca
  • Living the Dream
Played with the 2.41 patched dll version tonight - it does work as it should. It adds about 10 seconds to the scope's boot time. Cal status still displays as unprotected but that has always occurred when adding options.

Many pages back in this thread there are instructions for connecting to the scope via JTAG to dump the entire flash. Has anyone entertained the idea of dumping the flash and adding our own public key. Perhaps even using the original pair that was leaked years ago. Yes it would mean opening the scope but if it was only a one time operation after that licenses would be permanent and no firmware mods would be needed. It should also survive firmware updates forever.
VE7FM
 
The following users thanked this post: Andrew

Offline memset

  • Regular Contributor
  • *
  • Posts: 137
  • Country: ru
Has anyone entertained the idea of dumping the flash and adding our own public key.
Personally I'm fine with the current solution. I really dislike the possibility of hacking the scopes without clear traces left because that will spoil the second hand market. Just imagine eBay flooded with unlegit scopes...
 
The following users thanked this post: Andrew

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3753
  • Country: ca
  • Living the Dream
Has anyone entertained the idea of dumping the flash and adding our own public key.
Personally I'm fine with the current solution. I really dislike the possibility of hacking the scopes without clear traces left because that will spoil the second hand market. Just imagine eBay flooded with unlegit scopes...

Well I don't see there being any flood of scopes with bogus licenses added. Not that many people will open their scope, jtag it to read the flash, alter it and then rewrite the flash. It could happen though. To that end I've already seen a DSOX2K on ebay that had all options enabled in firmware and they were open about advertising it - not something I support obviously. In my case my scope will never look 100% legit as the model # is DSOX3014A yet it will always show bandwidth as 350 or 500 MHz. The current hacks are easy enough and simple - but it seems the biggest issue with the DSOX2K/3K series is corrupted flash images or bad flash parts altogether, so anything we can do to help prevent that might be in our own best interest. I know I wouldn't mind having a 100% backup of my flash image.
VE7FM
 
The following users thanked this post: Andrew

Offline Keysight DanielBogdanoff

  • Supporter
  • ****
  • Posts: 778
  • Country: us
  • ALL THE SCOPES!
    • Keysight Scopes YouTube channel

Well I don't see there being any flood of scopes with bogus licenses added. Not that many people will open their scope, jtag it to read the flash, alter it and then rewrite the flash. It could happen though. To that end I've already seen a DSOX2K on ebay that had all options enabled in firmware and they were open about advertising it - not something I support obviously. In my case my scope will never look 100% legit as the model # is DSOX3014A yet it will always show bandwidth as 350 or 500 MHz. The current hacks are easy enough and simple - but it seems the biggest issue with the DSOX2K/3K series is corrupted flash images or bad flash parts altogether, so anything we can do to help prevent that might be in our own best interest. I know I wouldn't mind having a 100% backup of my flash image.

Trying to buy & flip hacked scopes is a good way to get a nasty-gram from our legal department. Don't do it. We can tell when a scope's been hacked and will fight to stop people from making money off of hacking our scopes.

I personally am all for buying and ...er... upgrading a scope, but don't try to make money off of it. It's been tried before and we intervened.
 
The following users thanked this post: Relaxe, Andrew

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3753
  • Country: ca
  • Living the Dream

Well I don't see there being any flood of scopes with bogus licenses added. Not that many people will open their scope, jtag it to read the flash, alter it and then rewrite the flash. It could happen though. To that end I've already seen a DSOX2K on ebay that had all options enabled in firmware and they were open about advertising it - not something I support obviously. In my case my scope will never look 100% legit as the model # is DSOX3014A yet it will always show bandwidth as 350 or 500 MHz. The current hacks are easy enough and simple - but it seems the biggest issue with the DSOX2K/3K series is corrupted flash images or bad flash parts altogether, so anything we can do to help prevent that might be in our own best interest. I know I wouldn't mind having a 100% backup of my flash image.

Trying to buy & flip hacked scopes is a good way to get a nasty-gram from our legal department. Don't do it. We can tell when a scope's been hacked and will fight to stop people from making money off of hacking our scopes.

I personally am all for buying and ...er... upgrading a scope, but don't try to make money off of it. It's been tried before and we intervened.

I agree someone hacking scopes to resell for profit does deserve a nasty-gram from your legal department - that hasn't been suggested in this thread at all though Daniel.
VE7FM
 
The following users thanked this post: Andrew

Offline matthieu.e

  • Regular Contributor
  • *
  • Posts: 79
  • Country: 00
Hi,

I just received my used DSOX 2002 scope and I like it a lot !  :) I am on version 1.00.20 and I think it has never been updated.
I read the whole thread but I am a little confused about how to unlock it.
Is there only a software hack to do on the scope, or a software and hardware update to do ? (I am not afraid to do a hardware update later.)

Could someone summarize for me how to do the software update on my scope (I do not have the ethernet card for now, I plan to make one...). Thanks !
« Last Edit: August 23, 2016, 11:54:55 am by matthieu.e »
 
The following users thanked this post: Andrew

Offline matthieu.e

  • Regular Contributor
  • *
  • Posts: 79
  • Country: 00
Do I have to make the Ethernet card first or is there a pre hacked software I can put into a USB key ?
Thanks a lot  ;)
 
The following users thanked this post: Andrew

Offline HighVoltage

  • Super Contributor
  • ***
  • Posts: 5473
  • Country: de
Do I have to make the Ethernet card first or is there a pre hacked software I can put into a USB key ?
Thanks a lot  ;)
All the information is in this thread.
Read carefully everything!
There are 3 kinds of people in this world, those who can count and those who can not.
 
The following users thanked this post: Andrew

Offline mischo22

  • Newbie
  • Posts: 9
You can update to firmware version 2.35 and run the hacked software from a USB stick. With this solution, you don't need a LAN card.
For the newer firmware, you need the LAN card.
 
The following users thanked this post: Andrew

Offline matthieu.e

  • Regular Contributor
  • *
  • Posts: 79
  • Country: 00
Thanks for the answer  :-+

Where can I find the 2.35 firmware ? There are only 2.41 and the previous version on the Keysight website.
http://www.keysight.com/main/software.jspx?cc=FR&lc=fre&nid=-32542.1150180&id=2014479&pageMode=CV
« Last Edit: August 23, 2016, 12:00:45 pm by matthieu.e »
 
The following users thanked this post: Andrew

Offline aholtzma

  • Contributor
  • Posts: 20
Somewhere in this thread is a link to a zip file on Dropbox. You just need to unzip this file to a USB key and you're done.
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se
Thanks for the answer  :-+

Where can I find the 2.35 firmware ? There are only 2.41 and the previous version on the Keysight website.
http://www.keysight.com/main/software.jspx?cc=FR&lc=fre&nid=-32542.1150180&id=2014479&pageMode=CV

Try this:
http://www.filedropper.com/3000xseries02352013061800
The link a few pages back is not working.
 
The following users thanked this post: Andrew
