DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?

[TheSteve]

I feel a bit responsible for these recent  'issues', I supplied the 2 scopes that have been troublesome. They were both very recent returns repaired by Keysight and with 2.41 installed by Keysight. They seem to be doing something odd now, I've sold lots of other scopes with Keysight installed 2.41 that people have played with without problems.

The only one responsible for the 'issues' is the person bricking the scope unless you did set up a booby trap

I have one more of these recent 2.41 scopes on my desk. I have a LAN card as well. Is there anything I could look at to see why these recent versions are causing problems? Maybe delete or rename the rogue LNK file and then attempt the option installation?

Use telnet to see if there is a infiniivision.lnk  in Secure\Startup. If so, then using the USB key to copy the infiniivision_ext.lnk will end up in the scope trying to run the infiniivision exe twice and give you the problem we found.

There is always an infiniivision.lnk in \secure\startup with version 2.41.
It is an empty file though, and it doesn't need to be removed for the hack to work, so it being there is not the cause of the problem.
The mod is nothing more then copying infiniivision_ext.lnk to \secure\startup
No files get removed.

From my scope:

    Directory of \secure\startup

07/07/15  07:32p                           0 infiniivision.lnk
08/13/16  10:06p                          53 infiniivision_ext.lnk

[PA0PBZ]

Yes, I should have been more clear. On my scope the infiniivision.lnk was not empty but contained something like "#\folder\infiniivisionLauncher.exe" (forgot what exactly was in there) so that's why it was trying to run the launcher twice after copying the infiniivision_ext.lnk.
So check for a not-empty infiniivision.lnk

[TopLoser]

Just packing some boxes this morning, this afternoon I'll have a poke about in this virgin 2.41 scope thats just come back from Keysight.

[deanflyer]

Just having a look at /secure/startup and I have:-

06/24/16  05:06p                          59 infiniivision.lnk
09/26/16  05:49p                          69 infiniivision_ext.xxx (originally infiniivision_ext.lnk)


As per previous threads, on boot the scope tries booting two instances and hangs.

Interestingly, infiniivision.lnk is not empty on my scope, but contains:-

56#"\Program Files\InfiniiVision\infiniiVisionLauncher.exe"


Also, for some reason the infiniivision_ext.lnk file was corrupted with the - (hyphen) character being a non printable character. Not sure how that happened.

[TopLoser]

Ok...

DSOX2002A with 2.41 just back from Keysight....

Use cheapo LAN card (thanks Trevor White!) and Telnet to get inside it.

Telnet

Code: [Select]

o hostname
infiniivision
skywalker1977
cd \secure\startup
Sure enough, an infiniivision.lnk file 50 something bytes long containing a command line that launches the program.

Lets not be doing that, get it out of the way...

Code: [Select]

ren infiniivision.lnk infiniivision.xxx
Then make a new infiniivision.lnk on USB stick containing

Code: [Select]

63#\secure\infiniivision\infiniivisionlauncher.exe -l all -l bw20
Copy it onto the scope

Code: [Select]

copy usb\infiniivision.lnk
Reboot and job done.

What were you lot playing about at 

[TheSteve]

So maybe there are two versions of 2.41 floating around, or the contents of the original link file depend on how/when 2.41 was installed/upgraded etc.
Perhaps memset can make an upgraded install cab that overwrites that file with an empty one just to make sure.

[trevwhite]

I couldn't be bothered before but I just followed the very helpful instructions and it works straight away. No problems. I think my scope was repaired and updated by Keysight some time this year I think? Maybe it was last year. I cant remember but they put Keysight branding and 2.41 firmware on it.

Many thanks Ian.

[PA0PBZ]

What were you lot playing about at 

That's not fair, we told you what to look for and you did Not much choice for me back when I tried to unlock it because I had no LAN module, so all I could try was the USB stick.
Anyway, maybe it's safer to change the USB stick method to use infiniivision.lnk and not infiniivision_ext.lnk.
A common thing of all the troubled scopes is that they had a short stay at Keysight recently, so my bet is that they are having a lot of fun reading this thread...

[TheSteve]

TopLoser

This is interesting, I don't know why but I was under the impression that 2.41 couldn't be "unlocked" by editing the \secure\startup link as it was done with previous versions of firmware because it was ignored. However based on your post it seems it is working just fine.
Can you confirm if you go to the web interface it will display the IP address properly?
For those using the infiniivision_ext.lnk the web interface has some issues unless a bunch of "work arounds" are done.

[PA0PBZ]

For those using the infiniivision_ext.lnk the web interface has some issues unless a bunch of "work arounds" are done.

AFAIK if you just use DHCP the only issue is that it does not display the IP address correctly, but it will work fine.

The _ext part of the lnk is just a name, nothing else. The difference is the launcher exe that is called from the link, either the one in program files (will not respond to the -all and other options) or the one in the secure folder which is fine with the options but gives the wrong display of the IP address.

Correct me if I'm wrong of course...

[TheSteve]

Ahh, ok, so it is just the name of the file. It is more then just the IP not displaying properly. A lot of the web interface is very slow as well.

[TopLoser]

What were you lot playing about at 

That's not fair, we told you what to look for and you did Not much choice for me back when I tried to unlock it because I had no LAN module, so all I could try was the USB stick.
Anyway, maybe it's safer to change the USB stick method to use infiniivision.lnk and not infiniivision_ext.lnk.
A common thing of all the troubled scopes is that they had a short stay at Keysight recently, so my bet is that they are having a lot of fun reading this thread...

There are a lot of very intelligent and creative people on this thread, and you're very much one of them. I just take advantage of what you do, and it's very much appreciated by a lot of people.

[MarkL]

So maybe there are two versions of 2.41 floating around, or the contents of the original link file depend on how/when 2.41 was installed/upgraded etc.
...

...
A common thing of all the troubled scopes is that they had a short stay at Keysight recently, so my bet is that they are having a lot of fun reading this thread...

Hmmm...  this reminded me...

When I had a problem a couple of years ago, Keysight tech support helped me and they told me to download a copy of 2.20 (3000XSeries.02.20.2012110802.cab) from their FTP site because the web site had already been updated to a new version.

I happened to already have a copy of 3000XSeries.02.20.2012110802.cab (because I never delete anything it seems), so I decided to compare them.  Surprisingly, they were different.

There's a precedent by Keysight to change the binaries and call it the same version, AND with the same date code.  So much for version control.


Additional info: I don't think it matters which files were different since this was an ancient version, but someone's going to ask.  The different files were:

  NK.BIN.COMP
  infiniiVisionSetup/build/Secure/infiniiVision/infiniiVisionCore.dll
  infiniiVisionSetup/build/Secure/infiniiVision/infiniiVisionLauncher.exe
  infiniiVisionSetup/build/Secure/infiniiVision/infiniiVisionWebCom.dll
  infiniiVisionSetup/build/Secure/infiniiVision/upgrade/infiniiVisionWebCom.dll
  infiniiVisionSetup/build/Secure/infiniiVision/vncserver.dll

[Uup]

I've been looking at the firmware for the MSOX4k series (4.08). Much like 2.41 for the 2k/3k it has two different infiniivisionlauncher.exe files and the infiniivision.lnk file is not empty either.

Interestingly, the infiniiVisionLauncher.exe file in the secure/infiniivision directory crashes with an error when executed, so it doesn’t appear to be compatible with the 4K series. The infiniivisionlauncher.exe file that is used is located in the Program Files directory.

It appears as though the bytes to change in infiniivisioncore.dll start at location 0x407a50. Can someone confirm that location?

http://www.filedropper.com/4kcore

[[IDC]Dragon]

Hi, I'm "new" to this looong thread and would appreciate a summary, what's the status with unlocking the DSOX3000T scopes? Is it possible, or at least some light at the end of tunnel?
The impression I got is that the older, non-touch predessor can be unlocked by booting an alternative firmware from a USB stick. For the current models, all my googling hasn't found a solution. Is that true?

It's kind of crucial for my buying decision, which scope can/should I get. As a hobbyist, the premium for digital channels, bandwidth unlocks and serial decoding is way out of reach. Currently, I'm close to getting a Tek MDO3014 because of available upgrade ability, althought the scope has inferior (UI) performance compared to Keysight.

Thanks a lot!
(Forgive me if this is kind of RTFM)

[TheSteve]

At the moment the DSOX3000T is not hacked - I'd still recommend reading through this entire thread even though it may take a few hours - there is tons to learn and if you're going to hack something you should spend the time to read about it so you know what you're actually doing and what the potential issues etc might be.

You may want to consider a used DSOX3000A series - deals on them do show up quite often.

[ogoun]

I've been looking at the firmware for the MSOX4k series (4.08). Much like 2.41 for the 2k/3k it has two different infiniivisionlauncher.exe files and the infiniivision.lnk file is not empty either.

Interestingly, the infiniiVisionLauncher.exe file in the secure/infiniivision directory crashes with an error when executed, so it doesn’t appear to be compatible with the 4K series. The infiniivisionlauncher.exe file that is used is located in the Program Files directory.

It appears as though the bytes to change in infiniivisioncore.dll start at location 0x407a50. Can someone confirm that location?

http://www.filedropper.com/4kcore

I can confirm that the 4K series operates the same way as the 2k and 3k series. V3.21 can be patched and operates as per the descriptions here. Patch location for DSOX40x4A  infiniivisioncore.dll is 0x355180. As with the 2k and 3k series, replace 04 00 a0 e1  to 00 00 a0 e3.

Will be testing v4.08 soon.

Can anyone confirm that v4.08 has the same telnet user/pass as the 2k and 3k series? V3.21 is the same (I want to avoid flashing the new firmware into it if I will lose telnet access...).

Also, for those who have old versions of the firmware, for any model (2k, 3k, 4k).. PLEASE post them somewhere that doesn't delete the files after a couple of weeks.. All the filedropper links older than a few weeks are dead.

l8r,
o

[Uup]

I can confirm that the telnet login is unchanged on 4.08.

[Uup]

Also, for those who have old versions of the firmware, for any model (2k, 3k, 4k).. PLEASE post them somewhere that doesn't delete the files after a couple of weeks.. All the filedropper links older than a few weeks are dead.

This link should stay valid. The password is: eevblog

https://mega.nz/#!LEJDBAyJ!wZrQn57wSkuRRLZ5bRvVrPOqpfyWcZ1r-Mclo07hVSQ

[[IDC]Dragon]

The tread convinced my to buy a DSOX3014A.
(Read this, Keysight, I bought your product because of the marvellous findings in this thread)
Currently there is a buy-in discount of 30%, which helped the decision even more.
The A model is still available, although for pretty much the same price as the T (touchscreen) model, which unfortunately AFAICT can't be unlocked as of now. Feels subobtimal to buy a brand new older model, but I didn't want to bet on achievements about the T.
A used one would have been fine with me, I've looked for quite some time, but haven't found a good offer.

Anyway, shiny new scope arrived today. I briefly tested it. Quickly came the urge to uncripple it. It has firmware 2.41.something, so I went ahead with memset's link method. I used a command line another user already reported working:

Code: [Select]

72#\Secure\infiniiVision\infiniivisionLauncher.exe -l all -l BW20 -l SCPIPSMainly because of all options plus 200MHz bandwidth, admittedly I don't know what SCPIPS is supposed to do.
But nooo, the scope is bricked now. The restart after the firmware update was already unsuccessful, hanging with the greet splashscreen but a "light show" of the front panel LEDs. I turned it off after a while, on further attempts it was showing a black screen with Keysight logo, and the somewhat comforting "unfinalized software" warning, on another attempt the warning quickly went away. Currently, it always does the splash screen light show.

I have no network interface yet. Hopefully that can fix it. Would it work straight away without ever being configured?
The magjack is ordered, no PCB yet. Does anybody have a leftover one to sell, or the other way round: If I have to order a couple, any other takers? Less urgent: did anybody bother to construct a 3D model for the module enclosure?

Would the serial port help to unlock me? I've opened the device to connect it, but the header J3402 is unpopulated, instead its neighbor.

(Bummer, I feel so stupid about bricking this thing on its very first day...  )

[TopLoser]

The previous couple of pages of this thread contain all the information you need about your problem and the solution. It's really unfortunate you didn't read it all first, but you can bring it back to life the hard way.

3D models are available, in fact you can buy the parts directly from Shapeways if you want.

[TheSteve]

There is a 3D printed faceplate and spacers available for one of the PCB's that has been designed. It isn't a full enclosure but fits and looks great. The files can be downloaded so you can print it yourself.
Your scope will come back to life once you get a network card.

I don't recommend anyone try enabling features unless they have a network card.

[TopLoser]

http://www.shapeways.com/search?q=dsoxlan&type=product

[deanflyer]

Dont feel too bad, I did the same. Read my previous posts (PAOPBZ did all the hard work after he bricked his). Basically you will need to use the serial port to get the scope in a position to download an image over Ethernet.

Where are you? I can loan you my LAN card if you are stuck.

[TheSteve]

http://www.shapeways.com/search?q=dsoxlan&type=product

Here is a link with the .stl files so you can print your own. Again be sure the PCB you get matches, there are many different dsoxlan PCB designs out there.
http://anagram.net/nuts/DSOXLAN/