Author Topic: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?  (Read 184790 times)

Offline dfnr2

  • Regular Contributor
  • *
  • Posts: 229
  • Country: us
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #25 on: January 27, 2014, 06:52:24 pm »
This shell gives complete read/write access to memory, symbol tables, processes, filesystem, etc.
Is there something like this?
/bin/license.lic

Yes, exactly.
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #26 on: January 27, 2014, 07:02:48 pm »
Yes, exactly.
Well, I don't know how but I think the hack will be a cinch.
If you can, look for "license" as text in IDA.

Settings:
Processor: PowerPC big-endian.
Assembler: GNU Assembler.
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12147
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #27 on: January 27, 2014, 07:06:11 pm »
One warning as & when the licenses get figured out.
Stay away from the SEC option - apparently it disables all methods of saving data and is designed to not be removable - see this thread on the Agilent forums :

http://www.home.agilent.com/owc_discussions/thread.jspa?threadID=36931&tstart=0
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #28 on: January 27, 2014, 07:07:47 pm »
I think that SEC is not available as a trial.



I found this IP in the sys6000.bin 130.29.67.163 and "got the time".
http://db-ip.com/130.29.67.163



Note: lib6000.bin is also ELF; the other files are not.
« Last Edit: January 27, 2014, 07:15:27 pm by Carrington »
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12147
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #29 on: January 27, 2014, 09:20:59 pm »
Mike,

I've just looked into the newest 6k binary and telnet port is same there - 5024. Are you 100% sure you've tried 5024, not 5042 occasionally?
Port scan gives
21/tcp   open  ftp
80/tcp   open  http
111/tcp  open  rpcbind
1024/tcp open  kdm
5810/tcp open  unknown
5900/tcp open  vnc

Port 5024 via Telnet accepts SCPI commands
Port 5810 gives vxworks login,  user panther/ pw pictures works, looks a bit low-level though
Quote
help                           Print this list
dbgHelp                        Print debugger help info
edrHelp                        Print ED&R help info
ioHelp                         Print I/O utilities help info
nfsHelp                        Print nfs help info
netHelp                        Print network help info
rtpHelp                        Print process help info
spyHelp                        Print task histogrammer help info
timexHelp                      Print execution timer help info
h         [n]                  Print (or set) shell history
i         [task]               Summary of tasks' TCBs
ti        task                 Complete info on TCB for task
sp        adr,args...          Spawn a task, pri=100, opt=0x19, stk=20000
taskSpawn name,pri,opt,stk,adr,args... Spawn a task
td        task                 Delete a task
ts        task                 Suspend a task
tr        task                 Resume a task
tw        task                 Print pending task detailed info
w         [task]               Print pending task info

Type <CR> to continue, Q<CR> to stop:

d         [adr[,nunits[,width]]] Display memory
m         adr[,width]          Modify memory
mRegs     [reg[,task]]         Modify a task's registers interactively
pc        [task]               Return task's program counter
iam       "user"[,"passwd"]    Set user name and passwd
whoami                         Print user name
devs                           List devices
ld        [syms[,noAbort][,"name"]] Load stdin, or file, into memory
                               (syms = add symbols to table:
                               -1 = none, 0 = globals, 1 = all)
lkup      ["substr"]           List symbols in system symbol table
lkAddr    address              List symbol table entries near address
checkStack  [task]             List task stack sizes and usage
printErrno  value              Print the name of a status value
period    secs,adr,args...     Spawn task to call function periodically
repeat    n,adr,args...        Spawn task to call function n times (0=forever)
version                        Print VxWorks version info, and boot line
shConfig  ["config"]           Display or set shell configuration variables
strFree   [address]            Free strings allocated within the shell (-1=all)

Quote
-> version
VxWorks (for Agilent KOM PPC405, SA27E rev1) version 6.4.
Kernel: WIND version 2.10.
Made on Jun 30 2010, 11:33:12.
Boot line:
tffs;usb(0,0):sys6000 f=0x8 tn=a-m6034a-001360 o=emac0
value = 66 = 0x42 = 'B'



 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 452
  • Country: ru
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #30 on: January 27, 2014, 09:21:47 pm »
Compressor added to repository. Slow (~1min for sysXXX.bin on a modern machine), but working. Also, if you do JZP->BIN->JZP, the compressed files will be different in most cases (there are many ways to compress), but if you do one more JZP->BIN step, the BINs will match (that's the important part :D).
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12147
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #31 on: January 27, 2014, 09:40:57 pm »
I think that SEC is not available as a trial.
No, but I don't think we're talking about trials here, are we... 8)
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #32 on: January 28, 2014, 12:04:57 am »
Port scan gives
21/tcp     open  ftp
80/tcp     open  http
111/tcp   open  rpcbind
1024/tcp open  kdm
5810/tcp open  unknown
5900/tcp open  vnc

Port 5024 via Telnet accepts SCPI commands
Port 5810 gives vxworks login,  user panther/ pw pictures works, looks a bit low-level though
Great!   8)



It is a PPC405 (Technology: IBM CMOS SA-27E, 0.18 µm). Maybe like this:
http://www.o2xygen.com/photo/PPC405EP-3LB266C/PPC405EP-3LB266C_001.pdf
Or this:
http://www.ic72.com/pdf_file/i/445461.pdf
Or ...

It has 4KB on-chip memory (OCM) static RAM.  ???



Amontec JTAGkey should read the JTAG ID. -> Exact PPC405 model.
« Last Edit: January 28, 2014, 12:53:49 am by Carrington »
 

Offline dfnr2

  • Regular Contributor
  • *
  • Posts: 229
  • Country: us
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #33 on: January 28, 2014, 07:01:34 am »
Port 5810 gives vxworks login,  user panther/ pw pictures works, looks a bit low-level though
Great, so that's the same as the 7000.  The shell does have low-level capabilities in that it will allow memory reading and modification, but also allows high-level unix-like commands as well.  You are starting out in the C interpreter mode.  There is a more unix-y flavored mode which you can get to by typing "cmd" at the prompt, and you will get a hash prompt to indicate the cmd mode.  Type "help" and you will get a more compact list of commands; similar capabilities.  You can get back to the c-interpreter mode by typing "C". 
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 452
  • Country: ru
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #34 on: January 28, 2014, 07:07:33 pm »
Compressor updated.  Now JZP->BIN->JZP produces an exact copy of the source JZP, and the revision string is preserved too (check options).

Some new info: FlexLM v7 is used to verify "magic numbers", worth googling ;)
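
The round-trip property described in replies #30 and #34 above, as an added example that is not part of the thread or of abyrvalg's tool. The JZP format is not described on this page, so zlib stands in for it (an assumption) and the image is constructed sample data; the point is that a repacked file is verified by hashing the unpacked image, and that a byte-identical container additionally needs the original compressor settings.

```python
import hashlib
import zlib


def make_image(size=64 * 1024):
    """Constructed sample data standing in for an unpacked firmware .bin."""
    out = bytearray()
    seed = 0x1234
    while len(out) < size:
        seed = (seed * 1103515245 + 12345) & 0x7FFFFFFF
        out += b"SECTION" + seed.to_bytes(4, "big") + b"\x00" * 21
    return bytes(out[:size])


def pack(image, level):
    """Stand-in for the packer: zlib, with the level as the only tunable."""
    return zlib.compress(image, level)


def unpack(container):
    """Stand-in for the unpacker."""
    return zlib.decompress(container)


def digest(data):
    return hashlib.sha256(data).hexdigest()


def compare_repack(original_container, repack_level):
    """Unpack, repack at repack_level, and report which layers still match."""
    image = unpack(original_container)
    repacked = pack(image, repack_level)
    return {
        # Byte-for-byte comparison of the compressed containers.
        "container_identical": repacked == original_container,
        # Second unpack step: the payload is what must survive the round trip.
        "image_identical": digest(unpack(repacked)) == digest(image),
    }


if __name__ == "__main__":
    original = pack(make_image(), 9)  # assume the original was packed at level 9
    for level in (1, 9):
        print(level, compare_repack(original, level))
```

A mismatch in `image_identical` means the tool corrupted the payload; a mismatch only in `container_identical` means the compressor made different but equally valid encoding choices.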
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #35 on: January 28, 2014, 09:10:44 pm »
Quote
Now JZP->BIN->JZP...
Wow, that was fast!  :clap:
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 452
  • Country: ru
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #37 on: January 29, 2014, 02:27:23 pm »
DSO/MSO6000A's options:
Code:
N5423A I2C AND SPI SERIAL BUS Decode and Triggering.
N5424A CAN AND LIN SERIAL Decode and Triggering.
N5457A RS232/UART SERIAL Decode and Triggering.
N5455A Limit Mask Testing.
N5454A SEGMENTED MEMORY.
N5468A I2S Decode and Triggering.
N5469A Mil-Std 1553  Decode and Triggering.
N5432C FlexRay Decode and Trigger.
N5406A DYNAMIC PROBE APPLICATION FOR XILINX.
U1881A Power measurement application.
N5434A FPGA DYNAMIC PROBE FOR ALTERA. [OBSOLETE]
N2914A DSO to MSO upgrade.
N2911A 8 Mpts memory upgrade.

Note: E00 and MST (N5466A) are now standard.
« Last Edit: January 29, 2014, 02:29:14 pm by Carrington »
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12147
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #38 on: January 29, 2014, 02:54:04 pm »
Something that would be interesting is to establish whether the lack of decode support on models with 2 analogue channels is a real hardware limitation, or a software crippling. A hack to enable decodes on 2-channel models would be very handy. 
I do also have a MSO6012A which I can look at to compare hardware  to the MSO6034A - could be the FPGA is smaller.
 

Offline dfnr2

  • Regular Contributor
  • *
  • Posts: 229
  • Country: us
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #39 on: January 29, 2014, 05:19:33 pm »
Amazing abyrvalg--Very elegant.

By the way folks, don't get curious because of Mike's warning and try to enable the "SEC" option!  Don't ask me how I know.

 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: es
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #40 on: January 29, 2014, 05:43:35 pm »
@mikeselectricstuff:

Do you know if there is any 1K "ROM"/EEPROM near the PPC405?



Does anyone have photographs of the mainboard of a DSO/MSO6054A or a DSO/MSO6104A?
I have searched but cannot find anything ...
« Last Edit: January 29, 2014, 06:02:54 pm by Carrington »
 

Offline jahonen

  • Super Contributor
  • ***
  • Posts: 1046
  • Country: fi
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #41 on: January 29, 2014, 05:45:48 pm »
Abyrvalg, thanks! That indeed worked like a charm.

Regards,
Janne
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 452
  • Country: ru
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #42 on: January 29, 2014, 06:06:24 pm »
7000:
000 - Dummy license
ALL - All licenses (not all from this list actually)
REM - Remove all licenses
FMS - Factory MSO
MSO - MSO
FPG - FPGA Probe
001 - Acq Memory 1M
002 - Acq Memory 2M
004 - Acq Memory 4M
008 - Acq Memory 8M
AMM - Acq Memory Max
LSS - Low speed serial decode
AMS - Automotive serial decode
CAN - CAN trigger
SEC - Secure environment (!!! NONVOLATILE !!! Can't be removed with REM !!! STAY AWAY !!!)
BAT - Battery operation
ALT - FPGA Altera
FRS - Flex Ray serial decode
PWR - Power application
232 - UART/RS232 serial decode
DSW - Distributor license (package)
SGM - Segmented Memory
LMT - Limit Mask Test
TEL - Telecom Mask Test
1MV - 1mv Chan Scale Lmt
FRC - Flex Ray Compliance (package)
MST - Measurement Statistics
E00 - Enhancement 00
SND - I2S serial decode
FLX - Flex Ray serial decode package
DIS - Distributor license (package)
TOM - Tomotherapy LAN reset license
553 - MIL-STD-1553 serial decode
CIR - Circular segmented memory license
 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 7509
  • Country: us
    • SiliconValleyGarage
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #43 on: January 29, 2014, 07:49:29 pm »
if you need keys : i have a bunch enabled in mine (MSO7104A)
if there is a way through the LAN to grab them please explain how to do it. i will dump them and post. it could be of help

i have i2c , segmented memory , max memory and a few other.
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12147
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #44 on: January 29, 2014, 08:03:01 pm »
if you need keys : i have a bunch enabled in mine (MSO7104A)
if there is a way through the LAN to grab them please explain how to do it. i will dump them and post. it could be of help

i have i2c , segmented memory , max memory and a few other.
They live in the bin\licence.lic file - Telnet in with user:panther pw:pictures
cmd
file concat bin/lincense.lic

 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12147
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #45 on: January 29, 2014, 08:13:32 pm »
A few things of possible interest poking around the vxworks console
Quote

set deploy          Set or display the system debug flag.
..
[vxWorks]# set deploy
The system policy mode is set to 'field' (deployed mode is on).
[vxWorks]#
Is there an interesting debug mode?
Quote
set bootline        Change the boot line
show bootline       Display the boot line
show bootline
boot device          : tffs;usb
Maybe possible to change boot order?
 

Offline dfnr2

  • Regular Contributor
  • *
  • Posts: 229
  • Country: us
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #46 on: January 29, 2014, 08:46:29 pm »
A few things of possible interest poking around the vxworks console
Quote

set deploy          Set or display the system debug flag.
..
[vxWorks]# set deploy
The system policy mode is set to 'field' (deployed mode is on).
[vxWorks]#
Is there an interesting debug mode?
Quote
set bootline        Change the boot line
show bootline       Display the boot line
show bootline
boot device          : tffs;usb
Maybe possible to change boot order?

The boot order can be changed using (cmd)#set bootline , just as you suspect.  It doesn't seem to make much difference, as you can force the USB boot using the power cycle trick.

I am not certain about the deploy flag, but the VxWorks shell has some pretty potent debug capabilities, including searching the symbol table, stopping and restarting running processes, setting breakpoints, executing loaded functions directly from the command line with parameter passing, examining and modifying memory, disassembling functions that are loaded in RAM, and more.

By the way, for moving small files, you can log in via ftp and telnet; you can ftp small files to/from /ram0, and then within the shell move files between the /ram0 and the "bin" directory or elsewhere.  For larger files, such as a .bin file, a small usb stick works the same.


« Last Edit: January 29, 2014, 08:58:37 pm by dfnr2 »
 

Offline dfnr2

  • Regular Contributor
  • *
  • Posts: 229
  • Country: us
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #47 on: January 29, 2014, 08:58:52 pm »
Also by the way, placing a .bin file in the /bin directory results in a faster boot, if that's important.  However, there's not much room in the filesystem, so the .jzp file would have to be deleted first, and the .bin file copied from a usb stick (which could be put there by ftp, if convenient.)  However, using a .bin instead of .jzp potentially reduces the available internal flash space for setups and mask files from about 700K to about 200K.

Note that .bin files apparently can not be used to boot from USB or for firmware updates, so the .jzp compressor is a crucial tool for making the process smooth.

« Last Edit: January 29, 2014, 09:03:53 pm by dfnr2 »
 

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 12147
  • Country: gb
    • Mike's Electric Stuff
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #48 on: January 30, 2014, 01:06:52 am »
Can you clarify - if I put a (hacked) .jzp file on a USB stick, will it boot from that at startup, or install it?
 

Offline dfnr2

  • Regular Contributor
  • *
  • Posts: 229
  • Country: us
Re: Agilent MSO 5000/6000/7000 - anyone hacked these scopes?
« Reply #49 on: January 30, 2014, 05:49:06 am »
Can you clarify - if I put a (hacked) .jzp file on a USB stick, will it boot from that at startup, or install it?
Yes, exactly.  Just like the original .jzp, if you preserve the header text when you unjzp and restore it when you packjzp (by specifying a file to store/retrieve it from).

 

