DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?

[Wilken]

Thank you, sprit. I need old MSOX 3000T series firmware to check length size and re-flash. Please share/post the link....

Found the link: https://www.eevblog.com/forum/testgear/keysight-dso-x-3024t-possible-nand-corruption-baldwin_ddi-ident-error/

Or Please someone or abyrvalg share/post UnKsx.exe tool

2. Ran the UnKsx.exe tool to decrypt the recover.nk.bin.comp (Thank you user: abyrvalg)

[2N3055]

Thank you, sprit. I need old MSOX 3000T series firmware to check length size and re-flash. Please share/post the link....

Found the link: https://www.eevblog.com/forum/testgear/keysight-dso-x-3024t-possible-nand-corruption-baldwin_ddi-ident-error/

Or Please someone or abyrvalg share/post UnKsx.exe tool

2. Ran the UnKsx.exe tool to decrypt the recover.nk.bin.comp (Thank you user: abyrvalg)

What does "old" mean?

Oldest I have is 3000T.7.50.2021102830.ksx

[Artstar]

Hi analogRF
It has been brought to my attention before that it wasn't working under linux, so here's my patching it and the version of bsdiff/patch I am using in cygwin, if that helps someone else. (win11/64, cygwin/64 here).
Congrats on getting it to work tho!
(Attachment Link)

The very critical clue here for me is that Mobaxterm's implementation of cygwin is restricting the bsdiff version to 4.3.5, which fails as well. I was wondering what the hell I was doing wrong with the 2.67 firmware patching and figured it's because it's 2.67 and not 2.66. But then I came across your screenshot of bsdiff  v4.3.6 and that worked right away.

Exciting stuff for me now, considering I was relying on this compressed patch to work since I can't find a copy of bincompress.exe or the WinCE dev environment containing it, despite my best Google-fu muscle flex (and I'm normally really good at it!).

Many thanks PioB!


Edit: ...and then I bricked it. Dang it! I'll have to crack it open and start pulling details from the serial. My guess is applying the 2.66 patch to the 2.67 bin was a bad move.

[wp_wp]

Thank you, sprit. I need old MSOX 3000T series firmware to check length size and re-flash. Please share/post the link....

Found the link: https://www.eevblog.com/forum/testgear/keysight-dso-x-3024t-possible-nand-corruption-baldwin_ddi-ident-error/

Or Please someone or abyrvalg share/post UnKsx.exe tool

2. Ran the UnKsx.exe tool to decrypt the recover.nk.bin.comp (Thank you user: abyrvalg)

Actually,you can write the UnKsx.exe youself.
Steps：
1、Download the 3000T firmware XXX.ksx from Keysight website.
2、get the loadP500Flash.exe from the XXX.ksx
3、RE the loadP500Flash,you will find the decrypt functions.

[wp_wp]

Actually,you can write the UnKsx.exe youself.
Steps：
1、Download the 3000T firmware XXX.ksx from Keysight website.
2、get the loadP500Flash.exe from the XXX.ksx
3、RE the loadP500Flash,you will find the decrypt functions.

The recover.nk.bin.comp actually run the recoverService.exe.
And the recoverService.exe will call recoverInfiniiVision.exe.
When your 3000T/3000G scope run recoverInfiniiVision.exe,it will display like this:

[Wilken]

Thank you, wp_wp. Is it possible you can post UnKsx.exe tool decrypt?

>bincompress.exe /d nk.bin.comp nk.bin

CeCompressDecodeFile: bad file signature
bincompress: command failed

[analogRF]

Actually,you can write the UnKsx.exe youself.
Steps：
1、Download the 3000T firmware XXX.ksx from Keysight website.
2、get the loadP500Flash.exe from the XXX.ksx
3、RE the loadP500Flash,you will find the decrypt functions.

The recover.nk.bin.comp actually run the recoverService.exe.
And the recoverService.exe will call recoverInfiniiVision.exe.
When your 3000T/3000G scope run recoverInfiniiVision.exe,it will display like this:
(Attachment Link)

can you explain how do you run those commands? where?

[wp_wp]

Thank you, wp_wp. Is it possible you can post UnKsx.exe tool decrypt?

>bincompress.exe /d nk.bin.comp nk.bin

CeCompressDecodeFile: bad file signature
bincompress: command failed

Please advise....Thanks

I do not have the UnKsx.exe.
I can not remember clearly.
As I know,the decrypt functions are Windows Crypt functions.
RE the loadP500Flash.exe,and you will see everything.

[wp_wp]

Actually,you can write the UnKsx.exe youself.
Steps：
1、Download the 3000T firmware XXX.ksx from Keysight website.
2、get the loadP500Flash.exe from the XXX.ksx
3、RE the loadP500Flash,you will find the decrypt functions.

The recover.nk.bin.comp actually run the recoverService.exe.
And the recoverService.exe will call recoverInfiniiVision.exe.
When your 3000T/3000G scope run recoverInfiniiVision.exe,it will display like this:
(Attachment Link)

can you explain how do you run those commands? where?

Once you decrypted the recover.nk.bin.comp,you can get the nk.nb0 for recovering the scope.
Upload the nk.nb0 to the RAM of the scope by teraterm or Putty.
go 0x362000
it will run the recoverInfiniiVision.exe automatically.

[Wilken]

Here is what I found from my 3000T series

UART output Length=0x4E79FE8
 
3000XSeriesT.7.10.2117041130.ksx       length = 0x0532E564
3000XSeriesT.04.08.2116071801.ksx     ? got issue below
 
>bincompress.exe /d nk.bin.comp nk.bin
CeCompressDecodeFile: bad file signature
bincompress: command failed

>bincompress.exe /d recover.nk.bin.comp nk.bine
CeCompressDecodeFile: bad file signature
bincompress: command failed

Maybe, I need Unksx.exe tool to decryt them and hope length getting close to UART output. Please post ....many thanks

[onesystem]

Maybe, I need Unksx.exe tool to decryt them and hope length getting close to UART output. Please post ....many thanks

I just checked and I had it stored in my archives. It is a compiled program and the .cpp source file as well.
Additionally, I browsed the web and found an earlier version of the 3000T firmware, maybe it will work for you.

Unksx.exe:
https://drive.proton.me/urls/EWTPNZ2FGR#GcqEpFWyqFWl

3000XSeriesT.04.08.2016071801.ksx:
https://drive.proton.me/urls/XGQJ3JCC3W#gHjwZIrpEBxG

[analogRF]

Actually,you can write the UnKsx.exe youself.
Steps：
1、Download the 3000T firmware XXX.ksx from Keysight website.
2、get the loadP500Flash.exe from the XXX.ksx
3、RE the loadP500Flash,you will find the decrypt functions.

The recover.nk.bin.comp actually run the recoverService.exe.
And the recoverService.exe will call recoverInfiniiVision.exe.
When your 3000T/3000G scope run recoverInfiniiVision.exe,it will display like this:
(Attachment Link)

can you explain how do you run those commands? where?

Once you decrypted the recover.nk.bin.comp,you can get the nk.nb0 for recovering the scope.
Upload the nk.nb0 to the RAM of the scope by teraterm or Putty.
go 0x362000
it will run the recoverInfiniiVision.exe automatically.

oh so it is very different than 2000 and 3000A models!

so does that mean I can recover the scope with any firmware? I mean why do we need a matching fw then? I mean for 3000T and 4000A

[onesystem]

RE the loadP500Flash.exe,and you will see everything.

In the world of electronics not everyone is versed in programming and reverse engineering to the same degree they are skilled in component level repair, analysis, circuit design, etc. Those fine professionals and enthusiasts, however, do deserve a nice working scope.

[wp_wp]

oh so it is very different than 2000 and 3000A models!

so does that mean I can recover the scope with any firmware? I mean why do we need a matching fw then? I mean for 3000T and 4000A

Good question.
Maybe you can downgrade the 3000T/4000A firmware version by using this method.
As I know,when you get that interface,you can choose any version firmware.
But I have not tried reloading the older version.

Once you press OK.you will get the window as following:

[analogRF]

oh so it is very different than 2000 and 3000A models!

so does that mean I can recover the scope with any firmware? I mean why do we need a matching fw then? I mean for 3000T and 4000A

Good question.
Maybe you can downgrade the 3000T/4000A firmware version by using this method.
As I know,when you get that interface,you can choose any version firmware.
But I have not tried reloading the older version.

Once you press OK.you will get the window as following:
(Attachment Link)

thanks. I need to try that.
the problem is not to downgrade the FW though. the problem in my case and almost everybody else is that
you want to do the recovery on a scope that has old FW and it is not available anywhere. so if it can be done by a higher version it would be awesome
I have done many many recoveries on 2000 and 3000A but never on 4000A/3000T. Now I have a 4034A and I dont even know what FW version it has
but the scope is made in 2013. I am not sure if it has ever had a FW upgrade...
 

[minolta]

Hello,
has anybody for share patched firmware for DSOX3000 by  PhillyFlyers?

DSOX 3000A Series:  FW:  02.50.2019022736_patched https://mega.nz/#!zmBkHCba!TK5Vf0N0LCeR3vYwx1fa41OekFXqg1psCYN-eagnvdY
md5: <CB931D537544D51D4EFFF44633506780>

??

All links are currently deleted.

Thank you!

[onesystem]

2.66 - patched, with instructions:
https://drive.proton.me/urls/1K0PPRF874#FXGQ6VhVbNJK

[gamalot]

2.66 - patched, with instructions:

Does the BW30 option really work, or is it just a mock example?

[onesystem]

It is a mock example typo (I fixed it now not to confuse people). If your machine is 2014/3014-2024/3024, it will go to 2034/3034 only if you add components as discussed elsewhere above in this thread:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg987126/#msg987126

And in that case you will use BW50.

[vmendes]

2.66 - patched, with instructions:
https://drive.proton.me/urls/1K0PPRF874#FXGQ6VhVbNJK

Hi onesystem, I don't know why, but I tried this firmware on the 3014A and now the scope can't initialize; it's stuck on the InfiniiVision Logo and blinking the LED of channel / wevegen / run/stop and single.
Someone have a procedure for recovery or restore ?


regards guys

[onesystem]

Try this method. It worked well for me:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg5804239/#msg5804239

[vmendes]

Try this method. It worked well for me:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg5804239/#msg5804239

Thanks for the quick reply!! It works; I'm back to 2.67
I can't understand what I do wrong. May I put too much licenses?
Tomorrow morning I will try more...

Regards onesystem

[gamalot]

It is a mock example typo (I fixed it now not to confuse people). If your machine is 2014/3014-2024/3024, it will go to 2034/3034 only if you add components as discussed elsewhere above in this thread:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg987126/#msg987126

And in that case you will use BW50.

Thank you for your detailed reply.

My oscilloscope is a 2002. After I modified the configuration resistors years ago, it’s been recognized as a 4-channel, 500 MHz unit.   

[TheSteve]

The command in that video is interesting - but the scope still isn't 1 GHz, even though that is a nice thought.

[gamalot]

The command in that video is interesting - but the scope still isn't 1 GHz, even though that is a nice thought.

That was just an April Fool's video and the command was meant to be a joke.