Author Topic: DSOX2000 and 3000 series - licence, has anyone tried to hack that scope?


Offline djghost

  • Contributor
  • Posts: 16
the cab file is signed, so if you try this you brick your scope  :-\
« Last Edit: July 04, 2013, 10:26:12 am by djghost »
 
The following users thanked this post: Andrew

Offline mwsoft

  • Contributor
  • Posts: 22
  • Country: pl
Silly me :) I didn't realize that CAB files can be signed, like exe/msi etc. :)

But what about uboot? Which commands are implemented?
Maybe it will be possible to modify the lnk file by digging directly into the file system (loading a page from NAND, modifying it in RAM and writing it back).
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se

But I wouldn't be surprised, if they implemented some kind of protection in the FPGA. It has lots of LEs to implement even a small microcontroller in it for a simple verification protocol.


I can confirm that the LAN is working when only the ethernet pins are used. Tested with the LAN/VGA module when the rest of the pins were covered by Kapton tape.
The oscilloscope does not recognize the installed module, but telnet, VNC and LXI are working properly. The IP is configurable only through LXI.
 
The following users thanked this post: Andrew

Offline Hydrawerk

  • Super Contributor
  • ***
  • Posts: 2378
  • Country: 00
So we can make a LAN plugin ourselves.
Amazing machines. https://www.youtube.com/user/denha (It is not me...)
 
The following users thanked this post: Andrew

Offline Norleif

  • Newbie
  • Posts: 3
So if I put together a PCB with a magjack and plug it into the scope, presumably it has a default IP?
From there, it remains to break out the RS232 lines to the CPU and add that magic command line option and everything is up for grabs?
 
The following users thanked this post: Andrew

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 350
  • Country: ru
I have an idea to try: there is a kind of install batch script - recipe.xml inside the fw update cab. Replace update commands with a single command that starts infiniiVision.exe with that magic parameter, pack that xml into a .cab and try "updating" from it.
Code:
<?xml version="1.0"?>
<install>
    <killProcess>infiniivisionLauncher.exe</killProcess>
    <installStep>
        <!-- replace /magicparameter with right one -->
        <command>\Secure\infiniiVision\infiniivisionLauncher.exe /magicparameter</command>
    </installStep>
</install>

Anyone willing to try? It shouldn't do any harm in any case - no write commands like original "loadP500Flash" there. A quick test can be made without any parameters - it should restart the scope app
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se
So if I put together a PCB with a magjack and plug it into the scope, presumably it has a default IP?
From there, it remains to break out the RS232 lines to the CPU and add that magic command line option and everything is up for grabs?

Yes, you will need just the PCB and MagJack. If you need the status LEDs working you will need a few passives.
The default configuration is an automatic IP address from DHCP, so you just need DHCP running on your computer.

 
The following users thanked this post: Andrew

Offline benemorius

  • Regular Contributor
  • *
  • Posts: 173
So if I put together a PCB with a magjack and plug it into the scope, presumably it has a default IP?
From there, it remains to break out the RS232 lines to the CPU and add that magic command line option and everything is up for grabs?

Yes, you will need just the PCB and MagJack. If you need the status LEDs working you will need a few passives.
The default configuration is an automatic IP address from DHCP, so you just need DHCP running on your computer.

Thank you!! Do you already have a pinout for the magjack and LEDs? I think there should be sufficient high resolution photos elsewhere to reconstruct it but it sounds like you can save me the trouble with little inconvenience.

I intend to draw up a PCB for this and post the gerbers if no one beats me to it. I guess I'll need to open my scope to get the mechanical dimensions unless someone can provide that as well. That's not a huge deal, but I guess my only hesitation is that if I'm going to make a PCB then I'd much prefer that it be complete with the activation pin to tell the scope to enable the LAN configuration, assuming that even exists.
 
The following users thanked this post: Andrew

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 11965
  • Country: gb
    • Mike's Electric Stuff
I think before doing a PCB it would be worth checking to see if there is a pullup/pulldown used for option detect. (or at least make sure all the pads are broken out to allow experimentation)
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se
I think before doing a PCB it would be worth checking to see if there is a pullup/pulldown used for option detect. (or at least make sure all the pads are broken out to allow experimentation)

I'm waiting for the datasheet of the MagJack used; after that I will make a schematic.
If the following pins are connected, the LAN is working, including the LEDs:
43   LAN Green
45   GND
47   LAN
49   LAN
51   GND
53   GND
55   LAN
57   LAN
59   GND
61   GND
63   LAN Yellow
65   GND

46   GND
48   LAN LED Common   0.2uF to GND
50   LAN LED Common   0.2uF to GND
52   GND
54   GND

and everything is working, including the status LEDs.
I also tried to connect pins
78   GND
80   GND
where the identification seems to be, and it resulted in a LAN/VGA error on startup.
It is not a big deal that the IP cannot be modified from the scope itself and needs to be modified through LXI, I think.

The pitch of the contacts is 0,8mm; does anyone have some tips for a protoboard with such a contact spacing?

I just found Dave's video related to the module:
http://www.eevblog.com/2011/02/17/eevblog-145-agilent-lanvga-module-teardown/



« Last Edit: July 06, 2013, 12:44:44 am by plesa »
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se
The magjack pinout.
 
The following users thanked this post: Andrew

Offline Norleif

  • Newbie
  • Posts: 3
Nice pinout of the module. If we only knew the TX+, TX÷, RX+ and RX÷ on those LAN pins we're getting there. If someone has access to a genuine module and a calliper, we could get the proper dimensions for that card-edge connector too. Looking at Dave's video it seems there is a key slot in the middle somewhere.

I just got a MSOX3024A (+ free WaveGen and DVM), but I haven't started playing with it beyond installing the latest official FW. Haven't even activated the full-feature trials.
I'm hoping that if I wait, I don't have to reset the date as often to keep them working... Or did I miss something here?
 
The following users thanked this post: Andrew

Offline KTP

  • Frequent Contributor
  • **
  • Posts: 515
Nice pinout of the module. If we only knew the TX+, TX÷, RX+ and RX÷ on those LAN pins we're getting there. If someone has access to a genuine module and a calliper, we could get the proper dimensions for that card-edge connector too. Looking at Dave's video it seems there is a key slot in the middle somewhere.

I just got a MSOX3024A (+ free WaveGen and DVM), but I haven't started playing with it beyond installing the latest official FW. Haven't even activated the full-feature trials.
I'm hoping that if I wait, I don't have to reset the date as often to keep them working... Or did I miss something here?

wait...what?  I have an MSOX3024A also (and have not touched my 30 day trials either).  Do we have an unofficial trial date reset h**k?

(I don't think memup to 4Meg is part of the 30 day trials though...)
 
The following users thanked this post: Andrew

Offline jmole

  • Regular Contributor
  • *
  • Posts: 211
  • Country: us
    • My Portfolio
I've got access to an official LAN/VGA module. Will high-res photos of the boards help at all? I can't do anything electrical to the boards, as they're not mine and I can't afford to F it up.

Going on vacation for a week and a half or so, but I should be able to get some 25MP pics when I'm back in the last week of July.
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se
Nice pinout of the module. If we only knew the TX+, TX÷, RX+ and RX÷ on those LAN pins we're getting there. If someone has access to a genuine module and a calliper, we could get the proper dimensions for that card-edge connector too. Looking at Dave's video it seems there is a key slot in the middle somewhere.

I just got a MSOX3024A (+ free WaveGen and DVM), but I haven't started playing with it beyond installing the latest official FW. Haven't even activated the full-feature trials.
I'm hoping that if I wait, I don't have to reset the date as often to keep them working... Or did I miss something here?

I have the genuine module, so the PCB dimensions are not a problem if someone is going to make a PCB.
Do not forget that we will also need a plastic container, otherwise there will be no mechanical support of the PCB in the scope.
Today I will finish the schematic with passives.

Currently I have unpacked the image and need to modify the registry file default.fdf. For this I tried the script fdf2reg.pl from mkrom 1.36, but it only decodes a few lines of the registry file and ends up with an error message.
If someone knows a different way to extract the registry from the RAM-based file, it will be helpful.
The registry contains the commands for automatic startup of the application. Modifying the recipe.xml seems to be a dead end and is not working.

For accessing the scope we need to know the telnet password, or disable the telnet authentication in the registry and build up the whole image.

« Last Edit: July 10, 2013, 04:07:11 am by plesa »
 
The following users thanked this post: Andrew

Offline ve7xen

  • Frequent Contributor
  • **
  • Posts: 660
  • Country: ca
    • VE7XEN Blog
I've got access to an official LAN/VGA module. Will high-res photos of the boards help at all? I can't do anything electrical to the boards, as they're not mine and I can't afford to F it up.

Going on vacation for a week and a half or so, but I should be able to get some 25MP pics when I'm back in the last week of July.
If you can get photos as straight on as you can (or scans) alongside a ruler they should be usable for duplicating the board shape. The board photos might be enough to figure out the pinout. I'd guess it's two layers?
73 de VE7XEN
 
The following users thanked this post: Andrew

Offline ben_r_

  • Frequent Contributor
  • **
  • Posts: 411
  • Country: us
  • A Real Nowhere Man
Another owner of the VGA/LAN module. I have a high end digital caliper too for dimensioning. Let me know if you guys need that info.
If at first you don't succeed, redefine success!
 
The following users thanked this post: Andrew

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2216
  • Country: de
    • Frank Buss
Why so complicated? Drill a hole in the scope for a magjack, mount it with some hot glue and solder some wires to it :) While you have it open: solder some more wires for the UART connector, maybe even a MAX3232 converter board, because it is 3.3V digital level UART, and then a standard d-sub 9 connector for the case.
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 
The following users thanked this post: Andrew

Offline benemorius

  • Regular Contributor
  • *
  • Posts: 173
Who's getting complicated?
 
The following users thanked this post: Andrew

Offline tru

  • Contributor
  • Posts: 23
  • Country: gb
Why so complicated? Drill a hole in the scope for a magjack, mount it with some hot glue and solder some wires to it :) While you have it open: solder some more wires for the UART connector, maybe even a MAX3232 converter board, because it is 3.3V digital level UART, and then a standard d-sub 9 connector for the case.
You're kidding right, you own one of these scopes? These scopes aren't budget range, they are £1061 upwards. I don't know who here is willing to drill such a beautiful and expensive machine, but I wouldn't do it to mine!   >:D

Best method is to route or saw a pcb of same dimensions as LAN module and then etch, that's why we are waiting for needed pinouts of LAN module connector, so it's nothing to do with complications.
 
The following users thanked this post: Andrew

Offline benemorius

  • Regular Contributor
  • *
  • Posts: 173
Well, to be fair, only the little plastic cover for the expansion port would need a hole drilled in it. That may be what I choose to do since I don't have a 3d printer to make a case for my LAN module.
 
The following users thanked this post: Andrew

Offline Norleif

  • Newbie
  • Posts: 3
Hmm... In addition to the MagJack on the cheat PCB we might drop in some pin headers (for wiring to the secret UART), a MAX3232 and a DSUB9 connector instead of the VGA port. It might even fit in the original LAN module case :P

I only wish FrankBuss would elaborate on how to utilize that UART...
« Last Edit: July 11, 2013, 11:09:21 pm by Norleif »
 
The following users thanked this post: Andrew

Offline benemorius

  • Regular Contributor
  • *
  • Posts: 173
Hmm... In addition to the MagJack on the cheat PCB we might drop in some pin headers (for wiring to the secret UART), a MAX3232 and a DSUB9 connector instead of the VGA port. It might even fit in the original LAN module case :P

I only wish FrankBuss would elaborate on how to utilize that UART...

 :-+ Great idea. (or maybe ft232 and usb instead...)
 
The following users thanked this post: Andrew

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2216
  • Country: de
    • Frank Buss
I only wish FrankBuss would elaborate on how to utilize that UART...

The serial port location:



All you need are some jumper wires, if you don't want to drill a hole. Fits nicely through the USB connector hole 8)



You can then stop the u-boot with space (can be difficult, you have to be fast, use something like HTerm which has a useful "repeat" function to send a sequence automatically until you stop it, or just hold down space while you boot it). Then you can boot the image from network like this:

Code:
set serverip 192.168.11.108
dhcp 0x4000000 nk.bin;bootm 0xf8050000

Where 192.168.11.108 is your own server, where TFTP is running and providing nk.bin. You should see something like this:

Code:
BOOTP broadcast 1
DHCP client bound to address 192.168.11.106
Using smsc device
TFTP from server 192.168.11.108; our IP address is 192.168.11.106
Filename 'nk.bin'.
Load address: 0x4000000
Loading: **#################################################################
#################################################################
...

You get the nk.bin from the nk.bin.comp from the firmware update cab-file with the bincompress.exe tool, which is included in the evaluation version of the WindowsCE development environment. Use http://www.t-hack.com/wiki/index.php/NK.BIN_toolset to take a look at the content of nk.bin and to modify it.
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 
The following users thanked this post: [IDC]Dragon

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 11965
  • Country: gb
    • Mike's Electric Stuff
I only wish FrankBuss would elaborate on how to utilize that UART...

The serial port location:



All you need are some jumper wires, if you don't want to drill a hole. Fits nicely through the USB connector hole 8)
..or an IDC ribbon cable with  IDC D connector, as found on old PCs.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 
The following users thanked this post: Andrew
