DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?

[The_PCB_Guy]

I'm going to test something out later today, I belive it should work just making the patched 'nk.bin.comp', and then re-packing all the files into a new cab file..

This cab packer seems to work awesome, I see the final created cab files look good.. so I'm going to try this out later today..this way we can just install the patched firmware from a UsB stick..

BUT, that still leaves you with having to modify the lnk file?  so you may have to buy the homebrew lan board...


but if anyone wants to try this now, this tool is pretty sweet..

(you can get the full suite from here)

https://www.softpedia.com/get/File-managers/CabPack.shtml

Sounds good, I'm looking forward to hearing the results of your testing.

[The_PCB_Guy]

FYI..

here's the patches for 2.50 (3000A)

Code: [Select]

3000A series:

firmware: 2.50
------------------
1) options patch:  0x2815f4  --> "04 00 A0 E1" --> "00 00 A0 E3"
2) nag patch:      0x2aae50  --> "CD 59 FF EB" --> "01 00 A0 E3"


This is great. Where exactly are these addresses? Are they on the scope, or are they in one of the files that come with the firmware? Please bear with me, I am a complete noob when it comes to this sort of thing.

[The_PCB_Guy]

Ok Guys, got it all working:

Code: [Select]

1) patching the nk.bin.comp, fixing the two MD5 entries in the 'recipe.xml', and re-building the cab file with little CAB builder I posted worked perfect
(just make sure to choose MSZIP for the compression type)

2) the LAN connection did NOT get shutoff for me after I upgraded to the patched 2.50 FW.. it worked fine after the scope finished bootingup..

3) The initial upgrade wiped out any existing .lnk file, it went back to the stock empty .lnk file, which is why my options disappeared..

4) So I re-copied my .lnk file over to \Secure\Startup, (renamed the orignal empty one to some garbage name to basically get rid of it, or you can just delete it), and all options are back.

So as far as I can tell, there was nothing done to the Telnet session???  at least nothing different occured for me?


If anyone wants, I can post the CAB file patched for 2.50?  you'll still have to fix your .lnk file to enable options again... but telnet works fine as usual...

So PCB GUY, only thing you need to do is buy a homebrew LAN card, guys on here can sell them privately if any still have the parts, or you can make one yourself, I posted the OshPark links for one I did back in this thread, that's the board I use now.. has LAN, USB, and JTAG all on the card..

You are awesome! I'm currently in the process of drawing up my own LAN card in Altium. Is that all it is, just a couple of connectors and a few passives? I don't remember stumbling across your design, though I'm sure I must have at some point (I've been through most of this thread already). I don't know if I'll bother adding all three right away though, depending on the complexity. I'll be getting 10 bare boards for less than $20 delivered from my PCB house, so all I'll need to do is stuff the components.

Best,
Matt

A patched CAB file would be awesome, as it would certainly save a lot of hassle.

[Xavier64]

@PhillyFlyers

very good news. Thanks a lot.

Please be so kind an post the patched .cab file

I would like to install it on my scope too.

[The_PCB_Guy]

Could someone confirm the following steps please?

_________________________________________________________________________

1. On PC, create a file called "infiniivision.lnk" with the following contents (do not include quotes):

   "211#infiniivisionLauncher.exe -l MSO -l MEMUP -l EMBD -l AUTO -l FLEX -l PWR -l COMP -l SGM -l MASK -l BW20 -l AUDIO -l WAVEGEN -l AERO -l VID -l ADVMATH -l ASV -l SCPIPS -l RML -l VID -l CABLE -l DIS -l TOM -l SGMC"

2. Copy "infiniivision.lnk" and "patched_nk.bin.comp" files to an empty flash drive formatted as FAT16

3. On the scope, telnet into Port 23 (user: infiniivision, pw: skywalker1977)
4. Plug in the USB drive containing the "patched_nk.bin.comp" and "infiniivision.lnk" files
5. Run following commands between < > brackets (do not include brackets):

   <processmgr kill infiniivisionlauncher.exe>
   <\windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp>
   <\secure\startup\infiniivision.lnk>

   (third command just checks that file was properly copied)

   <exit>

6. Reboot scope

_________________________________________________________________________

One more question, how exactly do I find the IP address of the scope so that I can telnet into it?

Thanks,
Matt

[The_PCB_Guy]

So, if you want to use the 'patched' FW image I posted, you don't have to do any of the above steps except for #1 & #2 (and BTW your lnk contents look good)...and for step 2 ONLY need to copy the .lnk' file you don't need to do anything with the 'nk.bin.comp', as that is part of the patched 2.50 FW image...

 but of course you still need to Telnet in.

I have seen two different ways of doing this - one is simply running the OS from the flash drive, which I am not terribly interested in doing because I would like to be able to use a flash drive to capture screenshots. The other is a permanent change that does not require the USB drive to be plugged in for operation. Is this method the former or the latter?

The IP Address of the scope you set yourself, it's in the "I/O" submenu, I think you click "utility" first, then go there, I can't remember exactly, I always just push buttons until I get there


Anyhow, you pick your IP address, gateway, & mask yourself.  I always just LAN cable up my scope right to my laptop, but them both on some fake network segment you make up, obviously both at different IPs, but on the same net..

ie for mike like:

1) scope:  192.168.5.10
2) laptop:  192.168.5.1
3) mask:255.255.255.0

or something along those lines!

Perfect, that clears that up!

BTW, since you are a hardware guy, you should check out the mods on here to push your BW up to 500Mhz, just requires you taking apart the scope, breaking the warranty of course and replacing some surface mount components, it's honestly not bad if you have decent soldering tools?

I did it to mine as was not painful at all..

I considered it but I'm always hesitant to modify the hardware of such an expensive piece of equipment. Maybe someday, but probably not right away. 200MHz bw will most likely meet all of my needs for the near future.

Also, once you get a homebrew LAN board in, it will give you a nag message that pops up about a LAN board malfunction or whatever it says, but that's just because our board doesn't have the VGA chip on it that the real board has, but doesn't matter, all we need is ethernet..

And also, your other prior question, YeS, all that LAN board really needs is the ethernet connector and a few passives, all the other crap I added was just as a bonus, but not necessary at all.  And you have to open up your scope anyhow to connect up any JTAG or USB boot stuff.. so LAN is really all you need.

I can put up with a recurring warning. I'd love to add VGA sometime though. I'll save that for a future rev!

Also, I love Altium, its a bad-ass tool, I'm slowly doing training to try and switch over to it, as I've been using nothing but eagle the last 10+ years.  So i'm sooo used to it, but Altium has so much more power.

My first few PCB designs were done in Eagle and I loved the tool, but once I started using Altium it was hard to look back. Altium has all sorts of functions and features that speed up the design process and significantly improve throughput and efficiency. There are definitely more bugs in Altium than in Eagle, but regardless it is still a great tool. I would highly recommend it to anyone who can afford a license. I am fortunate enough to have a license through my job.

[The_PCB_Guy]

Once again I apologize for the double-post, but I just wanted to attach my LAN module design for review. It would be great to have another set of eyes on the schematic to make sure all of the connections are correct.

The full design will be on GitHub once completed.

[gamalot]

Here ya guys go..

Patched 3000X 2.50 Firmware with 'options' and 'nag' patch already applied..

https://mega.nz/#!eqg0yYJK!l73FwnABwNBNsl_l_2fAC8Md8PCVEEBgZ-u0T1eNZ08

It works on my 2002A, thank you very much!

[odessa]

Edited:

Could I use the above on my 2012A ? and would I need to still telnet in ?

Jay

[PhillyFlyers]

I have seen two different ways of doing this - one is simply running the OS from the flash drive, which I am not terribly interested in doing because I would like to be able to use a flash drive to capture screenshots. The other is a permanent change that does not require the USB drive to be plugged in for operation. Is this method the former or the latter?

The latter method is what you want, installing the OS just like a real one, booting it from a UsB stick would just be annoying, might as well install it permanent like it's supposed to be... basically you are installing the OS just like the real one, except the one file has a few bytes patches to skip those certain things

So just install that update file I posted via USB drive (format it to FAT32)... you just browse to the USB drive via the I/O menu, and select the file and run it...

once it reboots you should be able to telnet in a drop your lnk file, and then reboot,and all should be there...

[The_PCB_Guy]

So just install that update file I posted via USB drive (format it to FAT32)... you just browse to the USB drive via the I/O menu, and select the file and run it...

once it reboots you should be able to telnet in a drop your lnk file, and then reboot,and all should be there...

Brilliant, that's way easier than I thought it was going to be. So to be clear:

1. COn PC, create file called "infiniivision.lnk" with the following contents (do not include quotes):

   "211#infiniivisionLauncher.exe -l MSO -l MEMUP -l EMBD -l AUTO -l FLEX -l PWR -l COMP -l SGM -l MASK -l BW20 -l AUDIO -l WAVEGEN -l AERO -l VID -l ADVMATH -l ASV -l SCPIPS -l RML -l VID -l CABLE -l DIS -l TOM -l SGMC"

2. Copy the update file and the .lnk file to a flash drive formatted as FAT32.
3. Make sure LAN card is installed in the scope. Turn on the scope and enter the Utility menu. Go into the I/O settings and configure the scope's IP address.
4. Plug in the flash drive. Navigate to the USB drive from within the I/O menu.
5. Run the update file saved on the flash drive.
6. Allow the scope to reboot. When finished, connect a cable between the PC and the LAN module.
7. Telnet into Port 23 using the IP address configured in Step #3. Log in with the username infiniivision and the password skywalker1977.

Is this correct so far?

Finally, having absolutely zero experience with telnet, what command do I use to copy over the .lnk file from the flash drive into the \secure\startup\ folder on the scope? is it simply:

copy \usb\infiniivision.lnk \secure\startup\

?

Thanks again for your help (and your patience with a noob).

Best,
Matt

[Joee]

Firmware 2.43

@Xavier64
Thank you very much

I couldt install the old firmware without any problems.
Telnet is working again like before I updated to 2.50.

[The_PCB_Guy]

My homebrew LAN PCB is on order from China, along with the components. Should be here in about a week. My scope arrived yesterday and seems to work great. Once I receive the board I'll be able to try the hack. I'm still not sure how to copy files from the flash drive to the scope's startup folder though.

Thanks,
Matt

[odessa]

There's a list of the Telnet instructions here

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ren

I think what you posted looks correct, but I would try and rename the old one first by navigating to the secure folder then renaming it using the rename command.

I've ordered the stuff for the DIY LAN too. I have hacked my scope but want to get rid of the nag messages.

[The_PCB_Guy]

There's a list of the Telnet instructions here

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ren

I think what you posted looks correct, but I would try and rename the old one first by navigating to the secure folder then renaming it using the rename command.

I've ordered the stuff for the DIY LAN too. I have hacked my scope but want to get rid of the nag messages.

That's very helpful. The syntax looks familiar, I've used something very similar. So if I'm not mistaken, the commands I want to execute are:

ren \secure\startup\infiniivision.lnk \secure\startup\infiniivision.lnk.bak
copy \usb\infiniivision.lnk \secure\startup\

Does that look about right?

[odessa]

Yes looks ok to me, I would rename to:

ren \secure\startup\infiniivision.lnk \secure\startup\infiniivision.bak   ... probably makes no difference but just in case having 2 file extensions causes problems

I'm sure someone will correct it if its wrong.

[mlan]

You can just add a new start.lnk file (any name you want) next to the empty official infiniiVision.lnk file.

[The_PCB_Guy]

You can just add a new start.lnk file (any name you want) next to the empty official infiniiVision.lnk file.

I already have the DSOX3APPBNDL installed, so I'm not sure my official infiniivision.lnk file is empty....

Don't know if that makes any difference whatsoever.

[Safar]

I got the re-built CAB file to work

Hi Mike,
Its very good news

just allow me for two suggestions

- May be flush modified nk.bin.comp in one area only (not in backup) as it more robust solution I think. But in this case backup area should be flushed first with non modified nk.bin.comp. Or user should flush original FW first.

- It is possible make CAB with lnk installer commands in script like in "old usb installer" (new lnk should be in USB root) - then all hack can make without LAN.

But of course this can be left in different "installer".

Code: [Select]

<command>\windows\cmd.exe /c copy \usb\infiniivision.lnk \Secure\Startup\infiniivision_ext.lnk</command>
-<onFailure>
<filePath>\usb\errorLog.txt</filePath>
<message>lnk copy from USB failed.</message>
<!-- do not continue, without new valid link file -->
<action>reboot</action>
</onFailure>
</installStep>
<!-- Move away a perhaps existing factory link -->
-<installStep>
<command>\windows\cmd.exe /c ren \Secure\Startup\infiniivision.lnk infiniivision.lnk.original</command>
-<onFailure>
<filePath>\usb\errorLog.txt</filePath>
<message>No factory lnk to move away.</message>
<action>continue</action>
</onFailure>
</installStep>


[gaminn]

Hi,
I have MSOX2024A with 02.43.2018020635 firmware.

1) I downloaded patched 2.43 file: https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1453247/#msg1453247 on my flash drive.
2) I created infiniivision.lnk file that contains: 69#infiniivisionLauncher.exe -l MSO -l BW20 -l DIS --perf --forcemaxmem
3) I telnet my scope via LAN.
4) I run ProcessMgr.exe kill infiniivisionLauncher.exe
5) I run \windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
 - it writes and verifies the file
6) I renamed /secure/startup/infiniivision.lnk to xxx.xxx
7) I copied my .lnk file: cd \usb          copy infiniivision.lnk \secure\startup\
I verify that \secure\startup contains xxx.xxx and my new infiniivision.lnk file.
9) I reboot. It displays " System concerns detected: OS version is not correct. Please reload system firmware." and no new options are installed. I can use my scope.

How can I upgrade my scope?

I can temporarily enable options by:
ProcessMgr.exe kill infiniivisionLauncher.exe
\Secure\infiniiVision\infiniivisionLauncher.exe -l MSO -l BW20 -l DIS --perf --forcemaxmem

If it is not possible to upgrade my scope how can I restore the changes I made? I deleted my inifiinivision.lnk and renamed xxx.xxx to infiniivision.lnk but still "System concerns detected:..." is displayed.

[Xavier64]

For all Keysight 3000A uses who have the startupmessage:

Firmware OS error detected



this infiniivision.lnk is the solution:


119#\Windows\cmd.exe /c infiniivisionlauncher.exe -l ALL -l BW50 -l SCPIPS -l SGMC -l CABLE -l PERF -l TOM -l CABLE --perf




I assume you followed this steps



0) Install correct Firmware version first (i.e. in this case 2.43)
1) Download Safar's patched_nk_bin.comp file and copy to a USB stick and plug in.
2) Telnet into the scope.
3) Login infiniivision / skywalker1977
4) processmgr kill infiniivisionlauncher.exe
5) \windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp
6) Create a file on the USB stick called infiniivision.lnk with contents (e.g.) "88#infiniivisionLauncher.exe -l MSO -l BW20 -l DIS -l PLUS -l SCPIPS -l VID -l CABLE --perf"
7a) delete (or rename) any other lnk in \secure\startup folder. Should be only one file with lnk extension here.
7b) copy \usb\infiniivision.lnk to \secure\startup
8 ) reboot and good to go



I did it with Firmware 2.43


LAN module is working fine and NO red warning appears.

Thanks to all who made this possible.


Quote from: Xavier64 on April 05, 2019, 07:51:03 pm

    Firmware 2.43

    https://mega.nz/#!lSJwDAzK!YQSZ0AnbJ7rloFFBDppx7iaGKqcftTBsGBUjhnez_bk


    and the patched nk.bin for 2.43

    https://mega.nz/#!1GIAlaqY!AbS8cnGSqtntFIgGVGeTM3YNNWoBcHaEUNvuj80B7kg

[gaminn]

For all Keysight 3000A uses who have the startupmessage:

Is there any solution for Keysight 2000A users?

[odessa]

In the last 3 pages of this thread there are versions 2.43 and 2.5 with the nag patch applied already. I've run both these on my 2102A and my 2004A and both worked without a problem. Just waiting for my LAN pcb's to telnet in and fix the nag issue.

[gaminn]

OK, I tried to revert all back. I loaded original nk.bin.comp from 2000XSeries.02.43.2018020635.ksx archive to USB. Using telnet and usb drive I loaded it in the scope:

\windows\loadP500Flash -u ceImage1 \usb\nk.bin.comp

I restored original /secure/startup/infiniivision.lnk

Stil "....OS version is not correct...."

Please advise how to restore it, it is quite a problem for me.

[gaminn]

It seems I partially bricked my scope. I'm unable to upgrade firmware to 2000XSeries.02.50.2019022736.ksx. I always get: "Error: The file did not load correctly"... :/

EDIT: It is weird, but another USB flash drive solved this issue. I upgraded my scope to 2.50.