DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?

[Windfall]

Would be nice for us to, sometime, have an account somewhere of those parameters and what they relate to.

Look back in this very thread; here's many of the options:

  https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg338246/#msg338246

Thanks, that seems very useful.

In case anyone was wondering why the first telnet login fails, I found it's because there are 9 characters already in the input buffer. If you delete these first, the first login will work.

[TK]

It should work as long as you have the 2.41 Firmware.
Not sure if there's any new firmware since then... hmmm

As far as I've remembered, someone with 3000X also tried this method some time back with success, and the command in the switches in the link are taken from the 3000X series with trial and error to see which options works for the 2000X series.

New 1000X series is another different can of worms but might work... who wants to be the sacrificial lamb and test it on their 1000X ? 

Looks like 1000X series has a different firmware update approach.  I tried running the uninstall.cab and 1000X does not know what to do with it.  I changed the extension to .ksx (like the new 2.42 2000X / 3000X firmware) and the same error.  I also created new .cab file trying to verify directory content of \Secure and write the content to \usb and I get the same error.  Until a new firmware is released by Keysight for the 1000X series, it is an unknown territory...

[georges80]

Ok, so thanks to the folk that have gone the 2.41 path. After digesting the various approaches, this is my version of the condensed instructions (note the extra 8a step I needed to do):

This with Firmware 2.41 and on my msox2024a:


1. Login with telnet in your scope, with infiniivision and password skywalker1977
2. Stop software with "processmgr kill infiniivisionlauncher.exe"
3. Copy the file \program files\infiniivision\infiniivisioncore.dll to the usb stick
4. Patch the dll at position 0x027C0E8 with your hex editor of choice. Change the bytes from "04 00 a0 e1" to "00 00 a0 e3"
5. Copy the patched dll to "\secure\"
6. Create a file "startinfiniivision.cmd" with the following content:

processmgr kill infiniivisionlauncher.exe
copy \secure\InfiniiVisionCore.dll "\program files\infiniivision\InfiniiVisionCore.dll"
"\program files\infiniivision\infiniivisionlauncher.exe" -l MSO -l BW20 -l DIS --perf --forcemaxmem

7. Copy this file to "\secure\"
8. Create infiniivision.lnk with contents

50#\windows\cmd.exe /c \Secure\startinfiniivision.cmd

8a. You want to then copy infiniivision.lnk to \Secure\Startup except in my case there was already an infiniivision.lnk file (zero length) in there and a) copy wouldn't overwrite and b) del wouldn't delete. So, I renamed the existing infiniivision.lnk file (the zero length one) to x.txt (just a different name) and that was allowed. Then I copied the infiniivision.lnk file from step 8a into the \Secure\Startup directory and that worked fine.

9. done!


-------------------------------------------------------------------------------------------
Or for folk that don't want to patch the dll (but must be done every re-boot of the scope):

1. Login with telnet in your scope, with infiniivision and password skywalker1977
2. ProcessMgr.exe kill infiniivisionLauncher.exe
3. \Secure\infiniiVision\infiniivisionLauncher.exe -l MSO -l BW20 -l DIS --perf --forcemaxmem

cheers,
george.

[mikeselectricstuff]

Telnet option sounds like job for a dedicated Raspberry Pi.

[TheSteve]

With version 2.41 there is no need for any hex editing of infiniivisioncore.dll.

[georges80]

With version 2.41 there is no need for any hex editing of infiniivisioncore.dll.

You sure of that? Tested? What steps are necessary then?

cheers,
george.

[TK]

With version 2.41 there is no need for any hex editing of infiniivisioncore.dll.

You sure of that? Tested? What steps are necessary then?

cheers,
george.

https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1189010/#msg1189010

[georges80]

Ok, so, with a LAN card, all that is 'necessary' then is to rename the infiniivision.lnk file in \secure\startup and copy the 'new/updated' infiniivision.lnk file into \secure\startup ?

This for 2.41.

cheers,
george.

[Luminax]

From link_install recipe.xml :

<command>\windows\cmd.exe /c copy \usb\infiniivision.lnk \Secure\Startup\infiniivision_ext.lnk</command>
<command>\windows\cmd.exe /c ren \Secure\Startup\infiniivision.lnk infiniivision.lnk.original</command>

and link_uninstall recipe.xml :

<command>\windows\cmd.exe /c del /f \Secure\Startup\infiniivision_ext.lnk</command>
<command>\windows\cmd.exe /c ren \Secure\Startup\infiniivision.lnk.original infiniivision.lnk</command>

The answer to your question would be a yes.
Although, following the steps above by backing up the existing .lnk before copying yours over would be a safer option than overwriting.
Also, no idea why it's named as infiniivision_ext.lnk but still launches. My guess would be an argument procedure in the start-up of the scopes that looks for certain sets of .lnk and the _ext.lnk is one of them? hmmm

[viki2000]

For the LAN card hack, why don’t you follow these video tutorials?
https://goo.gl/E57hPM
https://goo.gl/DNfZdv
The 2nd one helps with garbage on IP, you could see proper IP address. The 1st one gives garbage on IP.
It should work also with 2.42 according with kyílobyte, but I have tested only with 2.41:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1181607/#msg1181607
Don’t forget to add “--perf” to the .lnk file if need a bit more functions:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1166295/#msg1166295
And the warning message can be removed if you patch the “infiniivisioncore.dll” ina HEX editor:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1161897/#msg1161897

[georges80]

So, again, the consensus for a fully operational 'upgrade' with NO Lan IP garbage etc., is to follow the steps with including patching the inifi....dll file.

Which is the choice I made and works perfectly (for 2.41 on my msox2024a). Essentially the equivalent of the 2nd video above but with the 'optimised' option flags: -l MSO -l BW20 -l DIS --perf --forcemaxmem

cheers,
george.

[Daxxin]

got 2012a stuck on splash and pairs of led cycling from bottom to top

[PA0PBZ]

got 2012a stuck on splash and pairs of led cycling from bottom to top

Something you did? Still warranty?

[Daxxin]

Something you did? Still warranty?
[/quote]

None i did nothing it started itself like this and  warranty expired alredy ,  just ask here because i read all 3ad seems a lot of very expert hope somebody might help me
i guess leds is diagnostic routines but cannot find any info about

[PA0PBZ]

What firmware version are you on, can you remember? If it is anything like the flash problem with the 3000A series it could be warranty.

[Daxxin]

What firmware version are you on, can you remember? If it is anything like the flash problem with the 3000A series it could be warranty.

Sorry i can't remember but i guess old release , want to try to upgrade if ever corrupted flash , its enough to put cab image on usb stick
and switch on or better unpack and boot ? yesterday i tried with cab on usb stick no more image splash but ''Agilent Tecnologies'' text in the middle of lcd .. but stuck too
without leds cycling.

[plesa]

What firmware version are you on, can you remember? If it is anything like the flash problem with the 3000A series it could be warranty.

Sorry i can't remember but i guess old release , want to try to upgrade if ever corrupted flash , its enough to put cab image on usb stick
and switch on or better unpack and boot ? yesterday i tried with cab on usb stick no more image splash but ''Agilent Tecnologies'' text in the middle of lcd .. but stuck too
without leds cycling.

For proper booting from USB you needs the same nor similar version. It was not possible to boot from USB when on flash was older or newer firmware ( I assume you have version <2.4). Also try different USB flash.
Do you remember if you firmware was with Keysight or Agilent logo?

[Daxxin]

For proper booting from USB you needs the same nor similar version. It was not possible to boot from USB when on flash was older or newer firmware ( I assume you have version <2.4). Also try different USB flash.
Do you remember if you firmware was with Keysight or Agilent logo?

Agilent logo and scope production is 2013

[plesa]

For proper booting from USB you needs the same nor similar version. It was not possible to boot from USB when on flash was older or newer firmware ( I assume you have version <2.4). Also try different USB flash.
Do you remember if you firmware was with Keysight or Agilent logo?
[/quote]

Agilent logo and scope production is 2013
[/quote]

OK, so try all firmware which you will be able to download since 1.10 through 2.10, 2.20, 2.30, 2.35 and 2.35.

[Daxxin]

OK, so try all firmware which you will be able to download since 1.10 through 2.10, 2.20, 2.30, 2.35 and 2.35.

Ok i can do that no problems , but where to download all of them?

here short video with 2.35 on usb stick with led cycling and stuck boot  https://drive.google.com/open?id=0B7SMkPohCf_AN0p1OUpob0FhRGc

[grenert]

Daxxin, you need to check out this thread:
https://www.eevblog.com/forum/testgear/agilent-dsox2024-won't-boot/

This is a known problem with earlier firmware revisions.  You can see that they are currently repairing these scopes with this problem regardless of warranty status.  I had the same problem and contacted Keysight.  They agreed to free repair (my warranty had expired already), I sent it to them and had it back in perfect working order in a week or so.  Excellent service!   

[Daxxin]

Thanks for the hints maybe i contact soon keysight , anyway i tried to boot with all fw's only with 2.37 different situation no more leds cycling but screen remain black
just arrived the usb - serial 3.3v converter now i try to log

[Daxxin]

U-Boot 2010.03 (Jan 26 2011 - 12:37:34)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  128 MiB
In:    serial
Out:   serial
Err:   serial
SerNum:serial number not programmed
Chip:  BD Board Rev: 4
Net:   smsc
Press space to stop autoboot:  0
## Booting kernel from Legacy Image at f8050000 ...
   Image Name:   PBOOT
   Created:      2011-01-27  11:38:14 UTC
   Image Type:   ARM Linux Kernel Image (gzip compressed)
   Data Size:    36703 Bytes = 35.8 KiB
   Load Address: 00000000
   Entry Point:  00000000
   Uncompressing Kernel Image ... OK

Starting kernel ...


Debug serial initialized ........OK

Microsoft Windows CE Bootloader Common Library Version 1.4 Built Jan 27 2011 02:04:15
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008


System ready!
Preparing for download...
 Loading image 1 from memory at 0xD0600000
O
BL_IMAGE_TYPE_BIN

X
XXXXXOOOOXOOOOOOOOXOXOOOOOOOOXOOOXOOOOXXOOOOOOOOOXOOOOXOXOXXXOOXOXXOXXXXXXOOOXXXOOOOOXOOXOXXXOOOXXOOOXXOOOOXOOXOOXXOOOXOOOOOXOOOXOOOXXXXXXOXOXXOXXXXXXXOXXXXOOOXOOOOXOXOOOXOOOOXOXOXOOOOOOXOOOOXOXOOOOOXXOOOOOXX
OOOOXXOOOOOOOOOXOXOOOXOOOOOOOXXOOOOOXXOOOOXOXOXOOXOXOOOXOOOXOOOXXXOXOOOXOXXXXOXOOXXOXXOXXOOOXXOXOXXOXXXXXOOXOXXXXOXOOXOXOOOOXOOOOXOOOXOOXOOXOOOXOOXXXXXXXXXXXXXXOXrom_offset=0x0.
XXImageStart = 0x80361000, ImageLength = 0x1248684, LaunchAddr = 0x80362000

Completed file(s):
-------------------------------------------------------------------------------

• : Address=0x80361000  Length=0x1248684  Name="" Target=RAM

 Loading image 1 succeeded.
ROMHDR at Address 80361044h
Preparing launch...
Launching windows CE image by jumping at address 0x  362000

Windows CE Kernel for ARM (Thumb Enabled) Built on Jun 16 2009 at 10:08:15
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Apr 18 2012)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000  size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
 OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
-EDeviceLoadEeprom 00:30:D3:20:E7:70
Phy found addr 31 (ticks=2789)
WaitForLink Start (ticks=2790)
No Link (ticks=3793)
<--EDeviceInitialize

GMAC DMA status register = 0x0
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
Running infiniiVisionInstallHelper
Failed to start/configure network.
Starting ProcessStartupFolder
running \Secure\Startup\infiniivision.lnk...
Ending ProcessStartupFolder
                           Before P/Invoke
Exception 'Undefined Instruction' (1): Thread-Id=03530006(pth=837d0a5c), Proc-Id=03500006(pprc=837d0744) 'infiniivisionLauncher.exe', VM-active=03500006(pprc=837d0744) 'infiniivisionLauncher.exe'
PC=4122dcf0(infiniivisioncore.dll+0x0051dcf0) RA=411b557c(infiniivisioncore.dll+0x004a557c) SP=0002f1d4, BVA=00000000
Exception 'Undefined Instruction' (1): Thread-Id=03530006(pth=837d0a5c), Proc-Id=03500006(pprc=837d0744) 'infiniivisionLauncher.exe', VM-active=03500006(pprc=837d0744) 'infiniivisionLauncher.exe'
PC=4122dcf0(infiniivisioncore.dll+0x0051dcf0) RA=411b557c(infiniivisioncore.dll+0x004a557c) SP=0002f1d4, BVA=00000000
System.MissingMethodException: Can't find PInvoke DLL 'infiniiVisionCore.dll'.
   at Agilent.InfiniiVision.infiniiVisionLauncher.Main(String[] args)

[PA0PBZ]

Looks to me that it can't find the infiniiVisionCore.dll, do you get the same when booting 2.37 from USB?
Contact Keysight and try to find out if this (likely flash corruption) is covered by warranty, I know they do this for the 3000X series. If that is a dead end we can find other ways to boot the scope but you will need the LAN option or one of the clones.

[Daxxin]

Looks to me that it can't find the infiniiVisionCore.dll, do you get the same when booting 2.37 from USB?
Contact Keysight and try to find out if this (likely flash corruption) is covered by warranty, I know they do this for the 3000X series. If that is a dead end we can find other ways to boot the scope but you will need the LAN option or one of the clones.

with the 2.37 same messages with 2.35 the following ..im not in hurry to contact keysight and this scope not my primary instruments i m using older scopes as primary..lets experiments

U-Boot 2010.03 (Jan 26 2011 - 12:37:34)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  128 MiB
In:    serial
Out:   serial
Err:   serial
SerNum:serial number not programmed
Chip:  BD Board Rev: 4
Net:   smsc
Press space to stop autoboot:  0
## Booting kernel from Legacy Image at f8050000 ...
   Image Name:   PBOOT
   Created:      2011-01-27  11:38:14 UTC
   Image Type:   ARM Linux Kernel Image (gzip compressed)
   Data Size:    36703 Bytes = 35.8 KiB
   Load Address: 00000000
   Entry Point:  00000000
   Uncompressing Kernel Image ... OK

Starting kernel ...


Debug serial initialized ........OK

Microsoft Windows CE Bootloader Common Library Version 1.4 Built Jan 27 2011 02:04:15
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008


System ready!
Preparing for download...
 Loading image 1 from memory at 0xD0600000
O
BL_IMAGE_TYPE_BIN

X
XXXXXOOOOXOOOOOOOOXOXOOOOOOOOXOOOXOOOOXXOOOOOOOOOXOOOOXOXOXXXOOXOXXOXXXXXXOOOXXXOOOOOXOOXOXXXOOOXXOOOXXOOOOXOOXOOXXOOOXOOOOOXOOOXOOOXXXXXXOXOXXOXXXXXXXOXXXXOOOXOOOOXOXOOOXOOOOXOXOXOOOOOOXOOOOXOXOOOOOXXOOOOOXX
OOOOXXOOOOOOOOOXOXOOOXOOOOOOOXXOOOOOXXOOOOXOXOXOOXOXOOOXOOOXOOOXXXOXOOOXOXXXXOXOOXXOXXOXXOOOXXOXOXXOXXXXXOODeCompressFlash: CeCompressDecode() failed
 CeDecompressFlashBlock failed
****** Data record 123 corrupted, ABORT!!! ******

Completed file(s):
-------------------------------------------------------------------------------

• : Address=0x80361000  Length=0x1248684  Name="" Target=RAM

 Loading image 1 failed, trying next one
 Loading image 2 from memory at 0xD1600000

BL_IMAGE_TYPE_UNKNOWN

 Loading image 2 failed, trying next one
 All images failed

Press r to reset