Author Topic: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?  (Read 1103765 times)

0 Members and 1 Guest are viewing this topic.

Offline ben_r_

  • Frequent Contributor
  • **
  • Posts: 419
  • Country: us
  • A Real Nowhere Man
I don't know the username or password.

Check page 12

Thank you! I was searching for "password" in the thread, not "pass". Happy to report I've been able to modify the built-in files and don't have to boot from USB key anymore.
I have the VGA/LAN module for my MSOX2024, any chance you could write out your steps to doing this? Not having to have the USB drive taking up the port would be very nice.
If at first you don't succeed, redefine success!
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se
I don't know the username or password.

Check page 12

Thank you! I was searching for "password" in the thread, not "pass". Happy to report I've been able to modify the built-in files and don't have to boot from USB key anymore.
I have the VGA/LAN module for my MSOX2024, any chance you could write out your steps to doing this? Not having to have the USB drive taking up the port would be very nice.

Telnet to the scope, run "ProcessMgr.exe kill infiniivisionLauncher.exe" and execute "\Secure\infiniiVision\infiniivisionLauncher.exe" with parameters you would like to enable.
From my perspective the USB drive is the easiest way and there is no reason to have the hack inside scope ( except you are going to pretend it is genuine :-).
Also you cannot brick the scope this way.
 
The following users thanked this post: Andrew

Offline ben_r_

  • Frequent Contributor
  • **
  • Posts: 419
  • Country: us
  • A Real Nowhere Man
I don't know the username or password.

Check page 12
Are you referring to this post?

Some "oil into the fire":
telnet login/pass:
infiniivision
skywalker1977
If at first you don't succeed, redefine success!
 
The following users thanked this post: Andrew

Offline craftycoder

  • Contributor
  • Posts: 16
  • Country: us
    • My YouTube channel
Can this be done over USB? What is the process to do it?
Telnet to the scope
 
The following users thanked this post: Andrew

Offline mwilson

  • Contributor
  • Posts: 42
  • Country: us
I have the VGA/LAN module for my MSOX2024, any chance you could write out your steps to doing this? Not having to have the USB drive taking up the port would be very nice.

Certainly. The way I did it once knowing the telnet username and password (thanks abyrvalg!) was to copy modified files from a USB stick to the internal storage.

I'm assuming you can render your scope unbootable by messing with the internal filesystem. If you have a working boot USB stick you could theoretically boot from it and fix it, but hopefully it doesn't come to that. Obviously proceed at your own risk.

First make a working bootable USB stick to make sure the options you want work and you've modified the DLL correctly as described earlier in this thread.

Once you're sure that's working, move the USB stick back to your PC. I made a directory in the root of my USB stick to store the files I'm going to copy to internal flash for convenience. Let's call it "temp". Copy in the modified infiniiVisionCore.dll. Also make a new modified copy of infiniivision.lnk from the startup folder.

Unlike booting from the USB stick, your new modified infiniivision.lnk needs to refer to the internal storage version of infiniivisionLauncher.exe (so change the "\usb" back to "\Secure" in the infiniivision.lnk that you modified to make your bootable USB stick). I'm using the following on a DSO-X 3014, for example. If you've already made your bootable USB stick you are probably familiar with the options you can use here and can tailor to your liking:

Code: [Select]
196#\Secure\infiniiVision\infiniivisionLauncher.exe -l MSO -l DVM -l ADVMATH -l AERO -l AUDIO -l AUTO -l COMP -l EMBD -l Flex -l Mask -l MEMUP -l PWR -l SGM -l VID -l WAVEGEN -l EDK -l memMax -l BW20
Now you have the files you need in the temp directory of the USB stick.

Boot your scope from the USB stick (if you are running from internal storage you can't replace the DLL since it's in use. There are ways around that like killing the process, but by booting from the USB stick you're also proving to yourself that if you mess something up you still have a fallback plan to boot the thing). Once booted, telnet to the scope and use the username and password provided by abyrvalg (it seems like I always have to try logging in twice. Not sure if I'm that consistently typo-prone or if there's something funny going on).

Now you're at the command prompt. If you do a 'dir' you'll see the \usb directory, which is your USB stick, and the other internal flash directories like 'secure'. Note that even though you're booting from USB, the root of the USB stick is mounted at \usb (so you'd see \usb\infiniivision, \usb\startup, etc.) and the internal flash directories are at the root level.

Copy the modified DLL to replace the internal one. If you used the same temp directory name I did, a command like this should work:

Code: [Select]
copy \usb\temp\infiniiVisionCore.dll \Secure\infiniiVision
Then copy the startup shortcut to the startup directory. The file is read-only, so I removed the read-only flag on the destination file first. Not sure if that's necessary or not:

Code: [Select]
attrib -r \Secure\startup\infiniivision.lnk
copy \usb\temp\infiniivision.lnk \Secure\startup

That should do it. Power off the scope, pull out the USB stick, and turn it on again. Hope it boots (and even better, hope it boots with your additional license options enabled).

Like I said... you can break your scope so that it won't boot from internal memory if this goes wrong. Be careful! I don't know if there's a firmware recovery procedure on these scopes (luckily it's a topic I haven't had to research yet).
 
The following users thanked this post: Andrew

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 823
  • Country: es
I can add to mwilson's excellent description that there is almost nothing to fear. The startup override functionality doesn't depend neither on infiniiVisionCore.dll nor on .lnk, so it will be possible to boot form USB even if these files are totally corrupt/deleted. And more - there is U-Boot functionality (explored by FrankBuss earlier in this thread) that works at early boot stages and doesn't depend on any files at all.
 
The following users thanked this post: Andrew

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 823
  • Country: es
mwilson, can you please try this:
edit USB .lnk to
Code: [Select]
33#\windows\cmd.exe \usb\autorun.cmdat USB root create autorun.cmd with
Code: [Select]
copy \usb\temp\infiniiVisionCore.dll \Secure\infiniiVision
attrib -r \Secure\startup\infiniivision.lnk
copy \usb\temp\infiniivision.lnk \Secure\startup
\Secure\infiniiVision\infiniivisionLauncher.exe
(no need to say that files in \temp and all startup override stuff must be present too of course)
The last command (normal scope app startup) is there to prevent boot looping.

This can help people w/o LAN/telnet installing the hack - just boot from such prepared USB stick once.
 
The following users thanked this post: Andrew

Offline mwilson

  • Contributor
  • Posts: 42
  • Country: us
mwilson, can you please try this:
edit USB .lnk to
Code: [Select]
33#\windows\cmd.exe \usb\autorun.cmdat USB root create autorun.cmd with
[...]
This can help people w/o LAN/telnet installing the hack - just boot from such prepared USB stick once.

Yep. Played around with this and it doesn't look like cmd.exe can take a file as an argument. However, you can execute .cmd files directly. So this method works if you make your startup .lnk something like:

Code: [Select]
18#\usb\temp\foo.cmd
So indeed folks can install modified files internally just by booting a properly prepared USB stick once. No need for the LAN module. (And presumably if something gets messed up, you can boot from the working USB stick and re-install the firmware as normal to get the internal filesystem back to factory condition.)
 
The following users thanked this post: Andrew

Offline ben_r_

  • Frequent Contributor
  • **
  • Posts: 419
  • Country: us
  • A Real Nowhere Man
So is it better to try and do a "permanent" hack via the USB port instead of doing it via the network port?
If at first you don't succeed, redefine success!
 
The following users thanked this post: Andrew

Offline mwilson

  • Contributor
  • Posts: 42
  • Country: us
So is it better to try and do a "permanent" hack via the USB port instead of doing it via the network port?

The end result is the same, so it doesn't really matter. The USB method we just discussed is executing the same commands you'd execute from the telnet session.

If you have the LAN module, I'd probably recommend the telnet approach because then you can actually see if the commands worked and adapt as necessary... but really, if you just put the right commands in the cmd file it'll work so it's probably a wash.
 
The following users thanked this post: Andrew

Offline ben_r_

  • Frequent Contributor
  • **
  • Posts: 419
  • Country: us
  • A Real Nowhere Man
But as far as risk goes, you could potentially brick your scope using either method if it were going to happen correct?
If at first you don't succeed, redefine success!
 
The following users thanked this post: Andrew

Offline mwilson

  • Contributor
  • Posts: 42
  • Country: us
But as far as risk goes, you could potentially brick your scope using either method if it were going to happen correct?

Yes, but to abyrvalg's point, as long as you have a bootable USB stick, anything you can do through telnet/commands you'd be able to undo. If you don't know what you broke, I'm guessing you can boot from your USB stick and just install the original firmware the normal way and it will restore the internal storage.
 
The following users thanked this post: Andrew

Offline tsmith35

  • Frequent Contributor
  • **
  • Posts: 265
  • Country: us
mwilson, can you please try this:
edit USB .lnk to
Code: [Select]
33#\windows\cmd.exe \usb\autorun.cmdat USB root create autorun.cmd with
Should that be "34#\windows\cmd.exe \usb\autorun.cmd"?
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se
mwilson, can you please try this:
edit USB .lnk to
Code: [Select]
33#\windows\cmd.exe \usb\autorun.cmdat USB root create autorun.cmd with
Should that be "34#\windows\cmd.exe \usb\autorun.cmd"?

No, if you use the cmd exe and not directly call the cmd/bat file, the scope will restart.
 
The following users thanked this post: Andrew

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 823
  • Country: es
Code: [Select]
16#\usb\autorun.cmd
 
The following users thanked this post: Andrew

Offline tsmith35

  • Frequent Contributor
  • **
  • Posts: 265
  • Country: us
mwilson, can you please try this:
edit USB .lnk to
Code: [Select]
33#\windows\cmd.exe \usb\autorun.cmdat USB root create autorun.cmd with
Should that be "34#\windows\cmd.exe \usb\autorun.cmd"?
Replying to my own post... ::) I didn't notice the space between the "exe" and the "\usb". Do spaces count for the command line length?
 
The following users thanked this post: Andrew

Offline mwilson

  • Contributor
  • Posts: 42
  • Country: us
mwilson, can you please try this:
edit USB .lnk to
Code: [Select]
33#\windows\cmd.exe \usb\autorun.cmdat USB root create autorun.cmd with
Should that be "34#\windows\cmd.exe \usb\autorun.cmd"?
Replying to my own post... ::) I didn't notice the space between the "exe" and the "\usb". Do spaces count for the command line length?

The space does count. The # doesn't count, though; it's the delimiter between the character count and the command. So 33 is correct in the above example. Although I'm not convinced the system actually uses the number, but I haven't played around with it much to know for sure.

WinCE shortcut file definition is here: http://msdn.microsoft.com/en-us/library/ms861519.aspx

(But note that as previously discussed the WinCE cmd.exe doesn't take a file argument like this, so the question of whether the number is correct for this particular example is rather academic...)
 
The following users thanked this post: Andrew

Offline baljemmett

  • Supporter
  • ****
  • Posts: 665
  • Country: gb
(But note that as previously discussed the WinCE cmd.exe doesn't take a file argument like this, so the question of whether the number is correct for this particular example is rather academic...)

Does adding a /C switch help?  "CMD /C <command>" is the usual way (since DOS days, with COMMAND.COM) to get the command processor to accept a command as a parameter, and the CE docs suggest it's supported...
 
The following users thanked this post: Andrew

Offline tsmith35

  • Frequent Contributor
  • **
  • Posts: 265
  • Country: us
(But note that as previously discussed the WinCE cmd.exe doesn't take a file argument like this, so the question of whether the number is correct for this particular example is rather academic...)

Does adding a /C switch help?  "CMD /C <command>" is the usual way (since DOS days, with COMMAND.COM) to get the command processor to accept a command as a parameter, and the CE docs suggest it's supported...

http://msdn.microsoft.com/en-us/library/aa453925.aspx
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se
All structure is created automatically by CAB Manager ( just press right mouse button on files and select Extract).
The structure which is in extracted folder subfolder Secure needs to be copied to USB flash.
Attribused does not matter.
LAN module is not necessary, but can be useful if you are gong to investigate further options.
« Last Edit: December 20, 2013, 10:41:06 pm by plesa »
 
The following users thanked this post: Andrew

Offline heynow

  • Newbie
  • Posts: 1
A few previous posts said you need a fast usb stick to get this hack to work.  I found the same issue and booting off slow sticks ends in a black screen and hang.  During the boot and right before the hang I saw there were several infiniivisionLauncher.exe processes running.  I only see one during a normal boot.
I came up with this way.  The changes in the other posts are still needed.  On the usb drive, in Startup\infiniivision.lnk:
Code: [Select]
17#\usb\autorun.cmdIn \usb\autorun.cmd:
Code: [Select]
dir /s \
\windows\processMgr.exe kill infiniivisionLauncher.exe
dir /s \
\windows\processMgr.exe kill infiniivisionLauncher.exe
dir /s \
\windows\processMgr.exe kill infiniivisionLauncher.exe
dir /s \
\windows\processMgr.exe kill infiniivisionLauncher.exe
dir /s \
\windows\processMgr.exe kill infiniivisionLauncher.exe
dir /s \
\windows\processMgr.exe kill infiniivisionLauncher.exe
dir /s \
\usb\infiniiVision\infiniiVisionLauncher.exe -l DIS -l SGMC -l CABLE
The "kills" get rid of any other infiniivisionLauncher.exe that may have started up.  It could be the booting is taking too long and the scope decided to start the built in infiniivisionLauncher.exe as a back up.  But I don't really know.
The "dir /s \" slow things down.  I can't find a sleep or delay command, but then again I know absolutely nothing about windows.  A delay is needed.
Other "-l" options can be used if you want.
The worst possible slowest 64MB USB stick I could find now works.
 
The following users thanked this post: Andrew

Offline taemun

  • Regular Contributor
  • *
  • Posts: 110
  • Country: au
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se
Any news/comments about the 2.36 FW shipping on newer scopes (as per https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg340097/#msg340097)?

No, but the user who reported this firmware has only three post and seems to be no longer online. He did not tried the downgrade to 2.35.
According to number it is minor change.
Scope itself is quite robust if you are going to downgrade FW version, e.g you can downgrade from 2.35 only to the 2.30 and not to previous versions.
This firmware is not available on Agilent website which is weird.
Is there anyone else with firmware 2.36 or scope manufactured in Q3/2013 and later? Does not matter if 2000 or 3000 series.
« Last Edit: January 06, 2014, 04:34:53 pm by plesa »
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se
Agilent DSOX2k, MSOX2k. DSOX3k, MSOX3k hack
« Reply #323 on: January 08, 2014, 09:27:00 pm »
There were several request for hack DSOX2k and MSOX2k. The hack of this scope is also possible, the description of hack is same which were published for DSO3k and MSOX3k.
Whole hack is tested with firmware 2.35 and is fully working.
The whole hack is on USB drive and there is no modification of fles inside scope, so there is no risk of bricking the scope.
When the USB flash is removed the scope use the purchased licenses and not the hacked firmware from USB flash.
After hacked files loading there is message informn about firmware issue. Ths does not affect the performance, only prevent some jerks to sell hacked scope as a fully licensed one.
In forum reported firmware 2.36 by one user has been not tested due to the poor availability of scope with this FW verson.

For hack we higly reccomends to use really fast USB flah drive.
There is also way how to pernamently load hacked firmware into the scope (batch file on USB drive will rewrite the files in internal scope flash with the hacked one)




 
The following users thanked this post: Andrew

Offline georgd

  • Regular Contributor
  • *
  • Posts: 61
  • Country: cs
The warning message about firmware issue remains on screen all the time, or only seen after boot?

Georg

P.S. I waiting for my DSOX3032.
 
The following users thanked this post: Andrew


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf