DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?

[deanflyer]

This is the output:-

U-B닁’‚Š‚r‚šBz5с‹Â’‚ŠŠjŠ¢Ò’ÂÒ‚²J
u¥±•¹ÑƒÕƒ‚jöÔHhU•šAÉÙÂjöDJªJŠ’Âj¥   5RþFlash: 512 KiB
NAND:  internal ecc 128 MiB

Debug serial initialized ........OK
RTC: 2016-9-26   19:43:43.86 UTC

Microsoft Windows CE Bootloader Common Library Version 1.4 Built MX^ˆ7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008


System ready!
Preparing for download...
RTC: 2016-9-26   19:43:43.90 UTC
 Loading image 1 from memory at 0xD0600000
O
BL_IMAGE_TYPE_BIN

X
XXXXXOOOOXXOOOOOOOOXOXOOOOOOOOXOOXOXOOOOXXXOOOOOOOOOXOOOOXOXXOXXOXOXOXOXOXXXXOOXXXOOOOOOXXOXXOXXXXXXOOOXXXOXXOOXOXXOOOXOXOOOXXOOOXOOOOXOXOOOOOXOOOXOOXOXOXOXXXXXXXOXXXOOOXOOOXOXOOOOXOOOOXOXOXOOOOOOX
OOOXOOXOOOOXOOOOXOXOOOXXOOOOOOOOOXOOOOXOOOOOOXOXOOOOXOXOOOOOOOXXOOOOXOXOOOXOOOXOOXXOXOOOOXXXOXXXXXXOXOXXOXXXXXOXOXXOXXOOXXXOOXXOXXOXOOXXOXXXXOXXOOXOOOXOXXXXOOXXXOOOXOXOOOXOOXXXXXXXX
XXXXXOXrom_offset=0x0.
XXImageStart = 0x80361000, ImageLength = 0x15264A8, LaunchAddr = 0x80362000

Completed file(s):
-------------------------------------------------------------------------------

• : Address=0x80361000  Length=0x15264A8  Name="" Target=RAM

 Loading image 1 succeeded.
ROMHDR at Addres{ 80361044h
Preparing launch...
RTC: 2016-9-26   19:43:46.83 UTC
Launching windows CE image jy jumping at address 0x  362000

Windows CE Kernel for ARM (Thumb Enabled) Bui¶t on Mar  8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Oct 22 2015)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000  size"0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
 OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers\Active\14
SER_Init, dwIndex:2
SER2 got sysintr:0x00000017
SER2 Serial Port, new baud rate:0x1c200  (UARTCLK:48000000 IBRD:0x1a FBRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
-EDeviceLoadEeprom 00:30:D3:21:28:BB
Phy found addr 31 (ticks=6588)
WaitForLink Start (ticks=6590)
No Link (ticks=7592)
<--EDeviceInitialize

GMAC DMA status register = 0x0
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
Running infiniiVisionInstallHelper
Failed to start/configure network.
Time for NANDFLASH to load: 1 ms.
Time for SNANDFLASH to load: 1 ms.
Our command line is
Performing Startup
Our command line is ⬐l all ⬐l b
Released build, Oct 22 2015, 11:30:59
Initializing FPGA...
****
FPGA Type: Kdaho
Ver: 2.027 Released
Build Time: Tue Oct 13 16:48:05 2015
Build Machine:"TS2404M
****
Performing Startup
Exception 'Raised E|ception' (-1-:Thread-Id=05d5000a(pth=84a19000), Proc-Id=05d4000a(pprc=8419cb08) 'infiniivisionlauncher.exe', VM-active=05d4000a(pprc=8419cb08) 'infiniivisionlauncher.exe'
PC=40068ag0(coredll.dll+0x00058ae0) RA=803782c8(kernel.dll+0x000062c8) SP=0002f9b0, BVA=0002fabc
PARSE ERROR: Argument: ⬐l
  $          Couldn't find match for argument

Brief USAGE:
   infiniivision0 [--ExtTalClk] [--IntTalClk] [--4GSa] [--5GSa]
                  [--flushNetwork] [--gpibModule] [--lanModule]
                  [--debugTestAddress <debugTestAddress>] [--noAdcResync]
                  [--noBlanketInit] [--noScreenSaver] [--twoChan] [-f
                  <string>] [--sliceid2] [--sliceid1]([--sliceid]
                  [--mondll] [--disdcc] [--oldadcstartup] [--noadcreset]
 "   $            [--forcemaxmem] [--newVga] [--invsoft] [--probecomp]
                  [/-calChannel <Channel Number>] [--codeSnitch] [-u <3
          0       character string>] ...  [-l <3 character string>] ...
                  [--traceFlags <Base10 number>] [--str] [--ctrlDiagStr
                  <Binary string>] [--ctrlDiagVal <Base10 number>] [--perf]
                  [--msg] [--dflt] [--noScoðe] [--srv] [--] [--version]
                  [-h]

For complete USAGE and HELP type:
   infiniZWkWëËR©   «5{j¤üRelgased build, jŸ$&&H&LLM–11:30:59
Initializing FPGA...
****
FPGA Type: Idaho
Ver: 2.027 Released
Build Tioe: Tue Oct 13 16:48:05 2015
Build Machine: TS2404M
****
ERROR: c:\WRjT”'&W&*ª(*UÅê+‹«ß‹q!AAq
½µµ½¹qÉ¥Ù•ÉÍqÍ¡Ù‚‚ú5•É¥…±q¹âÍ¡Ù‚‚ú5•É¥…±}‘ÉÙ¹ÁÁ±ine 661: SER2 SER Driver: does not support multiple Open()'s
Error opening UART Driver.
No option module detected
No option module"öetected
Front Panel UART driver reset -- Contact ChrisG

[PA0PBZ]

Looks like you have some serial issues, it spits out garbage at the start and randomly further down.
But yes, you have 2 links:
> Our command line is
and
> Our command line is ⬐l all ⬐l b

Not sure what happened there with the -l all -l bw50 though. It complains about it even: PARSE ERROR: Argument: ⬐l so it doesn't look like a serial problem here.
Can you get the output text right using PuTTY or even another interface?

[deanflyer]

HTERM isnt very pretty, heres a dump from PUTTY.

U-Boot ;010.03 (Oct 18 2011 - 14:28:06)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  internal ecc 128 MiB

Debug serial initialized ........OK
RTC: 2016-9-26   20:40:47.62 UTC

Microsoft Windows CE Bootloader Common Librcry Version 1.4 Built May  7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008


System ready!
Preparing for download...
RTC: 2016-9-26   20:40:47.65 UTC
 Loading image 1 from memory at 0xD0600000
O
BL_IMAGE_TYPE_BIN

X
XXXXXOOOOXXOOOOOOOOXOXOOOOOOOOXOOXOXOOOOXXXOOOOOOOOOXOOOOXOXXOXXOXOXOXOXOXXXXOOXXXOOOOOOXXOXXOXXXXXXOOOXXXOXXOOXOXXOOOXOXOOOXXOOOXOOOOXOXOOOOOXOOOXOOXOXOXOXXXXXXXOXXXOOOXOOOXOXOOOOXOOOOXOXOXOOOOOOX
OOOXOOXOOOOXOOOOXOXOOOXXOOOOOO?OOXOOOOXOOOOOOXOXOOOOXOXOOOOOOOXXOOOOXOXOOOXOOOXOOXXOXOOOOXXXOXXXXXXOXOXXOXXXXXOXOXXOXXOOXXXOOXXOXXOXOOXXOXXXXOXXOOXOOOXOXXXXOOXXXOOOXOXOOOXOOXXXXXXXX
XXXXXOXrom_offset=0x0.
XXImageStart = 0x80361000, ImageLength = 0x15264A8, LaunchAddr = 0x80362000

Completed file(s):
-------------------------------------------------------------------------------

• : Address=0x80361000  Length=0x15264A8  Name="" Target=RAM

 Loading image 1 succeeded.
ROMHDR at Address 80361044h
Preparing launch...
RTC: 2016-9-26   20:40:50.58 UTC
Launching windows CE image by jumping at address 0x  362000

Windows CE Kernel for ARM (Thumb Enabled) Built on Mar  8 2013 at 17:05:33
Setting up for a Cold Reboot
Done Setting up for a Cold Reboot
Windows CE Firmware Init
BSP 1.0.0 for the SPEARHEAD600AB board (built Oct 22 2015)
Adaptation performed by ADENEO (c) 2005
+OALIntrInit
-OALIntrInit(rc = 1)
Initialize driver globals Zeros area...
pDrvGlobalArea 0xa0060000  size 0x800 (0xa0060800 -0xa0060000)
Initialize driver globals Zeros area...done
 OALKitlStart
Firmware Init Done.
OALIoctlHalEnterI2cCriticalSection init i2c cs
++SER_Init: context Drivers\Active\14
SER_Init, dwIndex:2
[ER2(got!sysintr?0x00000017
SER2 Serial Port, new baud rate:0x1c200  (UARTCLK:48000000 I?VE:0xLX??BRD:0x2)
OHCI\system.c, GCFG_USBH1_SW_RST
OHCI\system.c, GCFG_USBH2_SW_RST
-EDeviceLoadEeprom 00:34:D3:21:28:JB
Phy found addr 31 (ticks=6610)
WaitForLink Start (ticks=6612)
No Link (ticks=7614)
<--EDeviceInitmalize

GMAC DMA status register = 0x0
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBamdwi?HwIf::Init: Scope successfully identified.
BALDWIN_DDI: cBaldwinHwIf::Init: Success!
ERROR: c:\WINCE600\PLATFORM\COMMON\SRC\SOC\STM\COMMON\DRIVERS\NandFlash\.\stm_NandFlash.c line 656: Rewrite recommended, internal ECC corrected data at 0xc982
Rewriting Block at Sector Address 0xc982. 9089
ERROR: c:\WINCE600\PLATFORM\COMMON\SRC\SOC\STM\COMMON\DRIVERS\NandFlash\.\stm_NandFlash.c line 656: Rewrite recommended, internal ECC corrected data at 0xc982
Read Block SUCCEEDED 9133
Erased Block SUCCEEDED 9135
Completed rewriting Block SUCCEEDED 9182
Running infiniiVisionInstallHelper
Failed to start/configure network.
Time for NANDFLASH to load: 0 ms.
Time for SNANDFLASH to load: 0 ms.
Our command line is
Performing Startup
Our command line is ?l all ?l b
Performing Startup
Exception 'Raisef Exception' (-1): Thread-Id=05dc000a(pth=84a19000), Proc-Id=05d4000a(pprc=8419caf8) 'infiniivisionlauncher.exe', VM-active=05d4000a(pprc=8419caf8) 'infiniivisionlau?cher.exe'
PC=40068ae0(coredll.dll+0x00058ae0) RA=803782c8(kernel.dll+0x000062c8) SP=0002f9b0, BVA=0002fabc
PARSE ERROR: Argument: ?l
             Couldn't find match for argument

Brief USAGE:
   infiniivision  [--ExtTalClk] [--IntTalClk] [--4GSa] [--5GSa]
        !         [--flushNetwork] [--gpibModule] [--lanModule]
                  [--debugTestAddress <debugTestAddress>] [--noAdcResync]
                  [--noBlanketInit] [--noScreenSaver] [--twoChan] [-f
                  <string>] [--sliceid2] [--sliceid1] [--sliceid]
                  [--mondll] [--disdcc] [--oldadcstartup] [--noadgrmseu]
                  [--forcemaxmem] [--newVga] [--invsoft] [--probecomp]
                  [--calChannel <Channel Number>] [--codeSnitch] [-u <3
                  character string>] ...  [-l <3 character string>] ...
                  [--traceFlags <Base10 number>] [--str] [--ctrlDiagStr
                  <Binary string>] [--ctrlDiagVal <Base10 number>] [--perf]
                  [--msg] [--dflt] [--noScope] [--srv] [--] [--version]
                  [-h]

For complete USAGE and HELP type:
   infiniivision --help

Released build, Oct 22 2015, 11:30:59
Initializing FPGA...
****
FPGA Type: Idaho
Ver: 2.027 ReleX?YYC!?]Z?? Time: Tue Oct 13 16:48:05 2015
Build Machine: TS2404M
****
Released build, Oct :2 2015, 11:30:59
Initializing FPGA...
****
FPGA Type: Idaho
Ver: 2.027 Released
Build Time: Tue Oct 13 16:48:05 2015
Build Machine: TS2404M
****
ERROR: c:\WINCE600\3RDPARTY\Agilent\HPP\Common\Drivers\sh600_serial\.\sh600_serial_drv.cpp line 661: SER2 SER Driver: does not supqort multiple Open()'s
Error opening UART Driver.
No ottio? module detected
No option module detected
Front Panel UART driver reset -- Contact ChrisG
ERROR: c:\WINCE600\3RDPARTY\Agilent\HPP\Common\Drivers\sh600_serial\.\sh604_serial_drv.cpp line 661: SER2 SER Driver: does not support multiple Open()'?C?Q.?K?

[PA0PBZ]

Yes, that looks better although there are still a few framing errors.

Not sure what happened to your lnk file but the '-' changed into a '?' and the bandwidth command is missing apart from the b: Our command line is ?l all ?l b
But the real issue here is that you have 2 lnk files. Easy to fix when you can stop the CE loader.
So switch on the scope and immediately put a foot on the space bar.

[PA0PBZ]

you should see this when you are able to stop the CE bootloader:

Code: [Select]

U-Boot 2010.03 (Oct 18 2011 - 14:28:06)Agilent P500

CPU:   SPEAr600
DRAM:  128 MiB
Flash: 512 KiB
NAND:  internal ecc 128 MiB

Debug serial initialized ........OK
RTC: 2016-9-3   21:5:35.81 UTC

Microsoft Windows CE Bootloader Common Library Version 1.4 Built May  7 2015 01:38:03
Microsoft Windows CE 6.0 Ethernet Bootloader for the Agilent P500 board
Adaptation performed by Agilent Technologies (c) 2008



P500 Boot Loader Configuration :

Mac address .......... (00:30:D3:xx:xx:xx)
Ip address ........... (192.168.1.190)
Subnet Mask address .. (255.255.255.0)
DHCP ................. (Enabled)
Boot delay (seconds).. (0)
Load image 1 at startup

Image addresses. (0xdxxxxxxx for NAND, 0x8xxxxxxx for RAM)
        1 (0xd0600000)
        2 (0xd1600000)

l) Load memory resident image Load image 1 now
1) Load memory resident image 1 now
2) Load memory resident image 2 now
3) Load memory resident image 3 now
d) Download from platform builder now
u) Start u-boot by resetting
v) Verify Images
>

[deanflyer]

Ive tried about 20 times so far to interrupt u-boot, no luck

When do you hit the space bar?

Did you use the same pinouts as shown here (board layout is different on my scope, probably as its a 2 channel version):-

https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg260895/#msg260895

Im using only the TX and RX lines.

Thanks for all your help.

[TheSteve]

This part is a little concerning:

ERROR: c:\WINCE600\PLATFORM\COMMON\SRC\SOC\STM\COMMON\DRIVERS\NandFlash\.\stm_NandFlash.c line 656: Rewrite recommended, internal ECC corrected data at 0xc982
Rewriting Block at Sector Address 0xc982. 9089
ERROR: c:\WINCE600\PLATFORM\COMMON\SRC\SOC\STM\COMMON\DRIVERS\NandFlash\.\stm_NandFlash.c line 656: Rewrite recommended, internal ECC corrected data at 0xc982
Read Block SUCCEEDED 9133
Erased Block SUCCEEDED 9135
Completed rewriting Block SUCCEEDED 9182

[PA0PBZ]

Ive tried about 20 times so far to interrupt u-boot, no luck

I was not able to interrupt uboot, but I could interrupt the ce loader, see my previous post.

When do you hit the space bar?

Immediately after turning on the scope, just keep it pressed down for the auto repeat.

Did you use the same pinouts as shown here (board layout is different on my scope, probably as its a 2 channel version):-
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg260895/#msg260895

Im using only the TX and RX lines.

Yes, I used the same pinout but... I hope you are also using the GND....?

[PA0PBZ]

This part is a little concerning:

I've seen the same, not sure why and with a normal boot it does not show up.
There is some kind of trick where after a number of unsuccessful boots it tries an alternative.

[deanflyer]

Ive tried about 20 times so far to interrupt u-boot, no luck

I was not able to interrupt uboot, but I could interrupt the ce loader, see my previous post.

When do you hit the space bar?

Immediately after turning on the scope, just keep it pressed down for the auto repeat.

Did you use the same pinouts as shown here (board layout is different on my scope, probably as its a 2 channel version):-
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg260895/#msg260895

Im using only the TX and RX lines.

Yes, I used the same pinout but... I hope you are also using the GND....?

Im using a laptop, no mains.

I've tried keeping the space key pressed down, nothing happens.

Worst case I send it back to Agilent I suppose.....

[PA0PBZ]

Im using a laptop, no mains.

I mean the GND connection on the header in the scope, where you have the TX and RX connections. You need to connect the GND too!

[deanflyer]

yes Ive got that too. Been a long day!

Might try another UART board, just trying a cheapy FTDI I had lying around.

[PA0PBZ]

Might try another UART board, just trying a cheapy FTDI I had lying around.

I used kind of the same, but I see errors in your RX data so it's not perfect. Maybe the TX <space> does not make it to the scope? Did you try holding down the space bar before switching on the scope?

[deanflyer]

Found another FTDI board, worked first time! 

So im assuming I now have to use "download from platform builder", the scope picks up a DHCP address and I upload the compiled file (unfortunately im a Windows man, so will have to dig out a copy of Linux to compile it)?

Edit - Skip that, realised this is a Win source file (CE, doh!). So just a quick compile with Visual C then?

[PA0PBZ]

Found another FTDI board, worked first time! 

Finally! 

So im assuming I now have to use "download from platform builder", the scope picks up a DHCP address and I upload the compiled file (unfortunately im a Windows man, so will have to dig out a copy of Linux to compile it)?

No... the compiled version is in this post: https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1022267/#msg1022267

Put it in a folder together with the nk.bin (how to get it is here: https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1022248/#msg1022248 ) run the executable and it will wait for the scope asking for the nk.bin. Switch on the scope, halt the CE loader and use the Download from platform builder. The scope will boot and maybe or maybe not hang at the splash screen. Now you can get a telnet connection to remove the malicious .lnk file you copied over from the USB stick. Now the scope should boot as it did before. If you get this far we'll discuss the next step 

[tomaz]

Is it possible to load 2.41 on USB, if you have 2.35,2.37,2.39 firmware version?

Found tools online how to extract nk.bin.comp to nk.bin and then extract all files in nk.bin:
Tools used: https://www.samkear.com/hardware/depth-analysis-motorola-vip2250-dvr-receiver (search for "nkbintools and CreateDump.bat")
splashce.zip->\splashce\SplashGenerator\Resources\bincompress.exe from http://www.java2s.com/Open-Source/CSharp_Free_Code/File/Download_Windows_CE_Splash_Generator.htm

d:\temp>bincompress.exe /d nk.bin.comp nk.bin
d:\temp>CREATEDUMP.bat

I have tried to prepare bootable USB but don't know file structure of nk.bin. CreateDump will dump all files in one folder. Now I have two files with same name:
size: 11.584 infiniiVisionLauncher.exe (in .cab)
size: 5.632 infiniiVisionLauncher.exe (in nb.bin.comp)

I tried copying files from 2.41 to USB, but USB didn't boot on 2.35 fw
Also tried copying all .dll's from (nb.bin) to USB (\Secure\infiniiVision\)

Any idea how would convince infiniiVisionLauncher.exe to launch new infiniiVisionCore.dll (v2.41, size: 10.472.256).
Tried to use infiniiVisionLauncher.exe from older versions with new 2.41 infiniiVisonCore.dll - also didn't work

[deanflyer]

Found another FTDI board, worked first time! 

Finally! 

So im assuming I now have to use "download from platform builder", the scope picks up a DHCP address and I upload the compiled file (unfortunately im a Windows man, so will have to dig out a copy of Linux to compile it)?

No... the compiled version is in this post: https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1022267/#msg1022267

Put it in a folder together with the nk.bin (how to get it is here: https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1022248/#msg1022248 ) run the executable and it will wait for the scope asking for the nk.bin. Switch on the scope, halt the CE loader and use the Download from platform builder. The scope will boot and maybe or maybe not hang at the splash screen. Now you can get a telnet connection to remove the malicious .lnk file you copied over from the USB stick. Now the scope should boot as it did before. If you get this far we'll discuss the next step 

Okay, got that. Do I need to use 2.35, seeing as the original firmware was 2.41?

[PA0PBZ]

@tomaz:

I'm not familiar with creating a bootable USB stick because I started tinkering with version 2.41 which doesn't support booting from USB. If you want to know how to do it read this thread from the beginning, it is explained very clearly. The tools I used to decompress nk.bin can also be found in this thread.
So, if you want to experiment read the whole thread and you will find all the information you need.

[PA0PBZ]

Okay, got that. Do I need to use 2.35, seeing as the original firmware was 2.41?

I used 2.35 and it worked for me, so if you want to play safe just use that version. Having said that I did choose it randomly, I'm sure other versions will work also.

[deanflyer]

Okay, stupid question time. Which tool do I use to extract mk.bin from mk.bin.comp.

[PA0PBZ]

Okay, stupid question time. Which tool do I use to extract mk.bin from mk.bin.comp.

See attached.

[deanflyer]

Woohoo! Im in, new image transferred across. I can now telnet into the scope using standard user/pass.

Wnet to Secure/Startup, deleted the additional .lnk and its now working.

Cant thank you enough PAOPBZ. Was sweating for a while.

[TopLoser]

I feel a bit responsible for these recent  'issues', I supplied the 2 scopes that have been troublesome. They were both very recent returns repaired by Keysight and with 2.41 installed by Keysight. They seem to be doing something odd now, I've sold lots of other scopes with Keysight installed 2.41 that people have played with without problems.

I have one more of these recent 2.41 scopes on my desk. I have a LAN card as well. Is there anything I could look at to see why these recent versions are causing problems? Maybe delete or rename the rogue LNK file and then attempt the option installation?

[TheSteve]

I feel a bit responsible for these recent  'issues', I supplied the 2 scopes that have been troublesome. They were both very recent returns repaired by Keysight and with 2.41 installed by Keysight. They seem to be doing something odd now, I've sold lots of other scopes with Keysight installed 2.41 that people have played with without problems.

I have one more of these recent 2.41 scopes on my desk. I have a LAN card as well. Is there anything I could look at to see why these recent versions are causing problems? Maybe delete or rename the rogue LNK file and then attempt the option installation?

I don't think you should feel responsible for people hacking their scopes, lol. I also can't help but wonder why it seems to work 99% of the time but now and then it fails.
Is it possible people aren't waiting long enough at some point and rebooting too soon? I know that if you have a lan card it seems much better to copy the link file manually.

[PA0PBZ]

I feel a bit responsible for these recent  'issues', I supplied the 2 scopes that have been troublesome. They were both very recent returns repaired by Keysight and with 2.41 installed by Keysight. They seem to be doing something odd now, I've sold lots of other scopes with Keysight installed 2.41 that people have played with without problems.

The only one responsible for the 'issues' is the person bricking the scope unless you did set up a booby trap

I have one more of these recent 2.41 scopes on my desk. I have a LAN card as well. Is there anything I could look at to see why these recent versions are causing problems? Maybe delete or rename the rogue LNK file and then attempt the option installation?

Use telnet to see if there is a infiniivision.lnk  in Secure\Startup. If so, then using the USB key to copy the infiniivision_ext.lnk will end up in the scope trying to run the infiniivision exe twice and give you the problem we found.