Author Topic: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?  (Read 186838 times)


Offline dfnr2

  • Regular Contributor
  • *
  • Posts: 229
  • Country: us
Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« on: January 14, 2014, 09:16:11 pm »
Update: This has been an amazing demonstration of skill and teamwork.  Abyrvalg, without physical hardware in hand, had this nut cracked so quickly I scarcely had time to get coffee.  Mike and Carrington supplied lots of useful info and insight. 

Full hack summary for v6.16 firmware: Mike has summarized neatly the procedure for the full hack, which allows fine-grained selection of licences using the license dialog, in this post.  v6.20 firmware address changes are listed in this post.

Service Menu hack summary for firmware v6.16: Alex has written a nice summary of the service-menu hack, which enables multiple options and does not require a modified binary, but doesn't give the undocumented options or allow fine-grained control, in this thread.  To do this on any firmware version: Instead of modifying a memory location, use the function call 'setServiceMode(1)' from the C shell, which works on all firmware versions.  (link here).

Removing the SEC option: The workings of the SEC option were elucidated by abyrvalg, the hero of this thread.  The technique for removing the option is detailed here.

Original Post: I am aware that you can enable all the options and then set back the clock to keep these options enabled indefinitely.  That's certainly livable.  However, that's not a pretty solution, and it's nice to have the clock set properly for screen shots, etc.  The recent thread on hacking the MSO-X-2000/3000 series scopes piqued my curiosity. 

Unlike the MSOX-3000 update packages, the MSO5000/6000/7000 packages appear to be packed using a proprietary ZIP-derived format.

Another forum member found an emergency binary for the 5000, which indicates that this is running on VxWorks on a Power PC.  He also pointed to some possible telnet login info embedded in the binary, but telnet service doesn't appear to be enabled. 

Poking around with a 7000 series scope, I found that FTP is enabled, and you can log in with "panther", "pictures".  However, there doesn't seem to be much in the ftp directory--just a subdirectory labeled RAM0, apparently empty.  (It would be cool if that were a running RAM image, but no hint that's the case.)

If anyone has any ideas, it would be nice to post in this thread.
« Last Edit: March 25, 2018, 03:53:12 am by dfnr2 »
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #1 on: January 15, 2014, 08:53:38 am »
I'm also interested in this topic.  :D

For the DSO6000 and 7000 series, the MSO is an option. But I think that the 5000 series does not have an LA, i.e. there is only a DSO version.
And for all of them there is no option to increase the BW. Moreover, I'm not sure that the 100 and 300MHz versions have the same input stage.
Other options are memory and serial decoders. But I think that the versions with two analog channels don't have serial decoding available.

Hybrid chip at the DSO5054A and DSO6034A is 1NB7-8453.
« Last Edit: January 15, 2014, 09:18:37 am by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12178
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #2 on: January 15, 2014, 09:44:17 am »
That's all pretty much correct.  I recall looking at an "Emergency" update file which was a lot less compressed/obscured than the normal updates, and appeared to have a service menu function to enable all licenses.
Trials only have an expiry time, 14 days after the license is issued, but there is no check on start time, and if it expires it can be reinstalled once the clock is set back before the expiry time.
Although you can request trials for decodes on 2-analogue channel models, they don't work -  decodes are only supported on models with 4 analogue channels.

The scope runs VxWorks, so much less info around than for the  WinCE used on more recent scopes. 

The only potential risk is that as these scopes get more obsolete, at some point the trials may disappear from the Agilent Keysight website.

The actual license keys are quite short - don't recall the length exactly but most of it is the license name and the expiry date, so may be viable to reverse-engineer, or work out from a number of sample licenses & instrument IDs
 
 
 
Youtube channel: Taking weird stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline dfnr2

  • Regular Contributor
  • *
  • Posts: 229
  • Country: us
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #3 on: January 20, 2014, 01:17:13 am »
On my MSO7104a, telnet sits on port 5810, and spawns a standard VxWorks shell.  Same login as ftp. 

This shell gives complete read/write access to memory, symbol tables, processes, filesystem, etc.
« Last Edit: January 20, 2014, 01:22:16 pm by dfnr2 »
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #4 on: January 25, 2014, 05:10:27 pm »
I found this:
http://www.elitepvpers.com/forum/general-coding/103793-what-extension-does-jzp-go.html

But it does not seem to be for Agilent oscilloscopes?



Is this the "Emergency" update file?
http://www.home.agilent.com/agilent/editorial.jspx?ckey=670496&id=670496&lc=eng&cc=US



Key format: OPT-XXXXXXXXXXXX-Expires

POWER MEASUREMENT APPLICATION  ->  License Key: PWR-55284189E48F-10FEB2006
FPGA DYNAMIC PROBE FOR ALTERA  ->  License Key: ALT-4E46465F6684-10FEB2006
« Last Edit: January 25, 2014, 08:05:08 pm by Carrington »
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 470
  • Country: ru
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #5 on: January 25, 2014, 10:31:54 pm »
JZP is Agilent's implementation of LZSS compression. I have decompressor 99% ready (still have some problem with 3-5 last bytes of some kinds of files), will release it with sources next week.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12178
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #6 on: January 25, 2014, 10:55:05 pm »
I have a copy of an uncompressed update from 2005 - ISTR this was some sort of "emergency" update to recover a failed normal update.
It appears to have an "enable all licenses" function in a service menu.

Let me know if anyone wants a copy to investigate
 
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #7 on: January 25, 2014, 11:49:49 pm »
ELF = Executable and Linkable Format.

The first four bytes are always 0x7F followed by ELF in ASCII and constitute the magic number.
...

From sys6000.bin:



Source: http://en.wikipedia.org/wiki/Executable_and_Linkable_Format
There is a lot of information on the web about ELF + VxWorks.  :)
And it is indeed running on a Power PC (14). IDA can open it!
« Last Edit: January 26, 2014, 12:39:33 am by Carrington »
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 470
  • Country: ru
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #8 on: January 26, 2014, 12:52:00 am »
IDA can open it!

Sure. It even has a symbol table inside (not normal ELF symbols, but some OS-specific table). Use this script to apply them:
```python
# IDAPython (classic idc API): walk the VxWorks symbol table and name each target
from idc import *

def ApplyVxSymbol(ea):
    # Each table entry is 16 bytes: unknown, name pointer, target address, flags
    unk0 = Dword(ea)
    name_ea = Dword(ea + 4)
    target_ea = Dword(ea + 8)
    flags = Dword(ea + 12)

    if flags == 0x300:  # external symbol: nothing to name in this image
        return

    # If the target lands inside an existing item, undefine it first
    if isTail(GetFlags(target_ea)):
        MakeUnkn(ItemHead(target_ea), DOUNK_EXPAND)

    MakeName(target_ea, GetString(name_ea))

    if flags == 0x500:  # code symbol
        MakeFunction(target_ea)
    elif flags == 0x700:  # initialized data
        pass
    elif flags == 0x900:  # uninitialized data
        pass
    else:
        print("%08X: unknown symbol type %08X" % (ea, flags))


def ApplyVxSymbols(ea, count):
    for i in xrange(count):
        ApplyVxSymbol(ea + i * 16)
```

Look for "Adding %ld symbols" string ref to find table ea and count.
 
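The same table walk as a stand-alone parser, added here as an example (not abyrvalg's script): it reads the 16-byte entries the script above assumes from a raw memory image in big-endian PowerPC byte order, so a table can be inspected outside IDA. The image, its load base and the symbol addresses are constructed for illustration; only the entry layout and flag values come from the post.

```python
import struct

# Symbol flag values as used by the IDA script above
SYM_EXTERNAL = 0x300
SYM_KINDS = {0x500: "code", 0x700: "data", 0x900: "bss"}
ENTRY_SIZE = 16       # unk0, name pointer, target address, flags (4 x u32)
LOAD_BASE = 0x10000   # assumed load address of the constructed image


def read_cstring(image, offset):
    """NUL-terminated ASCII string at a file offset."""
    end = image.find(b"\x00", offset)
    if end < 0:
        raise ValueError("unterminated string at 0x%X" % offset)
    return image[offset:end].decode("ascii", errors="replace")


def parse_vx_symtab(image, load_base, table_ea, count):
    """Walk `count` big-endian (PowerPC) entries at virtual address table_ea.

    Returns (symbols, unknown): symbols as (name, address, kind) with externals
    skipped, and entries carrying an unrecognised flag value as (entry_ea, flags)."""
    symbols, unknown = [], []
    for i in range(count):
        entry_ea = table_ea + i * ENTRY_SIZE
        off = entry_ea - load_base
        entry = image[off:off + ENTRY_SIZE]
        if len(entry) < ENTRY_SIZE:
            raise ValueError("symbol table runs past end of image")
        _unk0, name_ea, target_ea, flags = struct.unpack(">IIII", entry)
        if flags == SYM_EXTERNAL:
            continue
        kind = SYM_KINDS.get(flags)
        if kind is None:
            unknown.append((entry_ea, flags))
            continue
        symbols.append((read_cstring(image, name_ea - load_base), target_ea, kind))
    return symbols, unknown


def build_sample_image():
    """Constructed image, not from any real scope: strings first, table at +0x100."""
    blob, name_ea = b"", {}
    for n in (b"setServiceMode", b"licenseTable", b"bssBuf", b"extSym"):
        name_ea[n] = LOAD_BASE + len(blob)
        blob += n + b"\x00"
    entries = [
        (0, name_ea[b"setServiceMode"], 0x20000, 0x500),  # code
        (0, name_ea[b"licenseTable"], 0x30000, 0x700),    # initialised data
        (0, name_ea[b"bssBuf"], 0x40000, 0x900),          # uninitialised data
        (0, name_ea[b"extSym"], 0, SYM_EXTERNAL),         # external: skipped
        (0, name_ea[b"setServiceMode"], 0x50000, 0x123),  # bogus flags: reported
    ]
    table = b"".join(struct.pack(">IIII", *e) for e in entries)
    return blob.ljust(0x100, b"\x00") + table, LOAD_BASE + 0x100, len(entries)
```

On a real dump you would pass the file contents, the load address from the ELF program header, and the table address and count found next to the "Adding %ld symbols" string.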

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12178
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #9 on: January 26, 2014, 12:38:22 pm »

Is this the "Emergency" update file?
http://www.home.agilent.com/agilent/editorial.jspx?ckey=670496&id=670496&lc=eng&cc=US

The one I have is about 25% bigger - It was on the mso software updates page along with the first update, but disappeared a while later.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12178
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #10 on: January 26, 2014, 12:45:01 pm »
On my MSO7104a, telnet sits on port 5810, and spawns a standard VxWorks shell.  Same login as ftp. 

This shell gives complete read/write access to memory, symbol tables, processes, filesystem, etc.
No response from my MSO6034a on that port.
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #11 on: January 26, 2014, 04:09:45 pm »
This is the powerpc Mictor debug connector.





« Last Edit: January 26, 2014, 05:15:52 pm by Carrington »
 

Offline dfnr2

  • Regular Contributor
  • *
  • Posts: 229
  • Country: us
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #12 on: January 26, 2014, 04:18:43 pm »
I am pretty sure that all the tools are there, if you can log into the VxWorks shell.  Hopefully it's enabled on the 5000 and 6000 series, but at least we know that the 5000 and 6000 can be induced to boot from the USB by switching on and off once (per the web site), and perhaps the BIN can be modified to spawn the telnetd to listen, if it's not already (or perhaps the emergency binary has it enabled).  Have you tried scanning the ports with NMAP for a telnet service?

For the 7000 series, the boot order can be set from the shell; by default it's flash then USB, but this can be reversed, which will allow experimentation without having to modify the working system.

 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #13 on: January 26, 2014, 05:26:47 pm »
At least we know that the 5000 and 6000 can be induced to boot from the USB by switching on and off once (per the web site), and perhaps the BIN can be modified to spawn the telnetd to listen, if it's not already (or perhaps the emergency binary has it enabled).
Yes, I think it's more than likely. But first we need abyrvalg's LZSS decompressor to extract the ELF.
 

Offline dfnr2

  • Regular Contributor
  • *
  • Posts: 229
  • Country: us
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #14 on: January 26, 2014, 06:47:16 pm »
A decompressor is available if you log into the scope.  Abyrvalg gets credit for pointing that out.

 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 470
  • Country: ru
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #15 on: January 26, 2014, 06:58:39 pm »
mikeselectricstuff, 6k ports (as seen in "emergency" 6k bin): 5024 - telnet, 5025 - Sockets (???), 5042 - WebSockets (???).

dfnr2, Agilent's troubleshooting page describes the same USB boot procedure for 7k (turn on for 4sec), the only difference is that 5k/6k's bootloader doesn't support decompression, so it requires a plain ELF (bin), but 7k boot can load JZP directly, so no emergency BIN for it. An interesting question is: does 7k strictly require JZP or can load BIN too? In this case it is possible to start experimenting directly with unpacked BINs (no need to make a compressor).
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12178
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #16 on: January 26, 2014, 07:24:13 pm »
mikeselectricstuff, 6k ports (as seen in "emergency" 6k bin): 5024 - telnet
That seems to work - I get a "Welcome to Agilent MSO6034A" and a >> prompt.
Now what...?
Doesn't seem to respond to any obvious commands - just get the >> prompt back and "unidentified header" on the scope screen
 

Offline dfnr2

  • Regular Contributor
  • *
  • Posts: 229
  • Country: us
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #17 on: January 27, 2014, 05:14:05 am »
Mike,

Could that be the LXI port?  Do SCPI commands work?  Do you get that just by connecting, or do you have to enter the login and password?

Have you tried scanning the ports for another telnet protocol port?

Once you have a VxWorks shell, you should get some info by typing "help", but this doesn't seem to behave like the shell.
« Last Edit: January 27, 2014, 06:20:22 am by dfnr2 »
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12178
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #18 on: January 27, 2014, 03:16:23 pm »
Mike,

Could that be the LXI port?  Do SCPI commands work?  Do you get that just by connecting, or do you have to enter the login and password?

Have you tried scanning the ports for another telnet protocol port?

Once you have a VxWorks shell, you should get some info by typing "help", but this doesn't seem to behave like the shell.
That would make sense - didn't try any SCPI commands, but the error message on the scope screen would tally with that - will try a port scan when I get a chance.
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 470
  • Country: ru
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #19 on: January 27, 2014, 03:32:18 pm »
Mike,

I've just looked into the newest 6k binary and the telnet port is the same there - 5024. Are you 100% sure you've tried 5024, not 5042 occasionally?
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 470
  • Country: ru

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #21 on: January 27, 2014, 05:50:34 pm »
This shell gives complete read/write access to memory, symbol tables, processes, filesystem, etc.
Is there something like this?
/bin/license.lic
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #22 on: January 27, 2014, 05:53:46 pm »
JZP LZSS unpacker with sources
Good job, the JZP LZSS unpacker works perfectly, thank you very much.  :-+
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 470
  • Country: ru
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #23 on: January 27, 2014, 06:29:26 pm »
Latest experiments have shown that the 7k doesn't accept a raw BIN for boot, so a JZP compressor is needed too, working...
 

Offline dfnr2

  • Regular Contributor
  • *
  • Posts: 229
  • Country: us
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #24 on: January 27, 2014, 06:51:45 pm »
Nice work, abyrvalg!  The compressor works perfectly on the mso7000.bin file here.  Of course it perfectly matches the .bin produced by the native uncompress routine.

 

