Author Topic: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?  (Read 1359174 times)


Offline Bud

  • Super Contributor
  • ***
  • Posts: 7404
  • Country: ca
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3400 on: December 28, 2024, 03:00:06 pm »
If I search for the same four bytes in firmware 2.66, I find >500 hits and Ghidra tells me that is quite enough, thank you very much.
You should search with a context. Add 8 bytes before and 8 bytes after those 4 bytes. Search for that combination. If not found, reduce the context by 1-2 bytes, until only 1 match is found.
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: PioB

Offline PioB

  • Regular Contributor
  • *
  • Posts: 107
  • Country: ch
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3401 on: December 28, 2024, 05:17:13 pm »
You should search with a context. Add 8 bytes before and 8 bytes after those 4 bytes. Search for that combination. If not found, reduce the context by 1-2 bytes, until only 1 match is found.

Thank you very much! This brings me a little step further uphill.
I extended the search, with maximal context until things start to differ, and I find 6 possible locations for the first string (not yet even the second one) in firmwares 2.42 (location known) and 2.66 (exercise).

If I were to guess rather than know, I'd assume it'd also be the third occurrence in firmware 2.66 (above; in 2.42, whose offset I know from the work in this thread below, it's the third occurrence there).
As the firmwares also increase a bit in size every release, it'd stand to reason that the correct one occurs a bit later in the file too, but still in the same relative position?

0xFC3A9B would be the address to change "04 00 a0 e1" to "00 00 a0 e3"?

So I'm still not sure what "record" means: is it the nth occurrence of (just) the four bytes in the file? For the checksum that can't be?

I am not sure which location to change in firmware 7.65 for the DSOX3000T series though; there are only two occurrences of the full-length string (bottom right).

And I don't yet understand the checksum (algorithm and location): over what range of the nk.bin does it need to be run? And Google isn't helpful in identifying the correct crc8 algorithm.


« Last Edit: December 28, 2024, 05:40:43 pm by PioB »
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7404
  • Country: ca
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3402 on: December 28, 2024, 07:06:02 pm »
Can you link that post of Safar?
Facebook-free life and Rigol-free shack.
 

Offline PioB

  • Regular Contributor
  • *
  • Posts: 107
  • Country: ch
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3403 on: December 28, 2024, 07:36:16 pm »

On phone, took a bit:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg1266429/#msg1266429


Hi,

I made a patch for infiniiVisionCore.dll directly in nk.bin in the v2.42 (2017032900) FW for DSOX3000A. There are 4 bytes to patch, "04 00 a0 e1" to "00 00 a0 e3", at start address FBC7FFh, and the checksum at address D40457h changed from "EB" to "E9". Actually the checksum contains 4 bytes, but only this last byte changed (first in the file, as it's little endian). The checksum algorithm is UByte8bit.

infiniiVisionCore.dll is placed in Record [164]: Start in memory = 81111000h, Length = 55D528h, Chksum of original nk.bin = 2604E8EBh
In the nk.bin file this block starts at D4045Bh and ends at 129D982h

Then nk.bin is compressed by bincompress
Code: [Select]
bincompress.exe /c patched_nk.bin patched_nk.bin.comp
And flashed with loadP500Flash via telnet on the scope
Code: [Select]
\windows\loadP500Flash -u ceImage1 \usb\patched_nk.bin.comp

I think that replacing nk.bin.comp in the CAB file (with the original name of course) should also work, but I didn't try.

After this mod the scope works normally, and LAN also. I just make this start link in \secure\startup
Code: [Select]
211#infiniivisionLauncher.exe -l MSO -l MEMUP -l EMBD -l AUTO -l FLEX -l PWR -l COMP -l SGM -l MASK -l BW50 -l AUDIO -l WAVEGEN -l AERO -l VID -l ADVMATH -l ASV -l SCPIPS -l RML -l VID -l CABLE -l DIS -l TOM -l SGMC

EDK and DVM are not included as they are standard options in 2.42

Of course the scope indicates that this FW is Unfinalized

Thanks to laserK and Elik for the advice.
« Last Edit: December 28, 2024, 07:37:50 pm by PioB »
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7404
  • Country: ca
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3404 on: December 28, 2024, 10:43:04 pm »
You can't replicate that to other firmware versions by just re-using the addresses. He only tells maybe 1/5 of the story. Just to start with you have to learn nk.bin format, what it includes, how it is created, how to read it, etc etc etc. No offence but unless you are absolutely determined this may be outside of your league.
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: PioB, BillCRM

Offline BillCRM

  • Contributor
  • Posts: 27
  • Country: cn
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3405 on: December 29, 2024, 02:53:05 am »
The record is about the place of the DLL file and is only used to find the zone to change; it's not the exact place.
 
The following users thanked this post: PioB

Offline BillCRM

  • Contributor
  • Posts: 27
  • Country: cn
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3406 on: December 29, 2024, 02:55:30 am »
The hack is not extremely difficult; no reverse engineering knowledge is required. Just some patience and time.
130+ pages is not that much; I read them twice to make sure I got everything.
 
The following users thanked this post: PioB

Offline caseygross

  • Newbie
  • Posts: 1
  • Country: us
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3407 on: December 29, 2024, 06:03:39 am »
Hello!

I have a DSO-X 2024A with 2.65 firmware. Would someone be so kind as to PM me the patched firmware for my scope? I would like to unlock the features for my scope.

Thank you
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7404
  • Country: ca
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3408 on: December 29, 2024, 09:40:51 pm »
No one wants to host firmware packages, understandably. I think the way to address the constant stream of "Please send me a patched version x.xx" is to make diff packages instead; they are small and can be attached to forum posts. I've done it for the 1000X series https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg5239926 and have not had to deal with "please" requests ever since. People just download the diff and apply it themselves.

Just an idea for those who have patched packages and are willing to make a one-time effort to create and post a diff for specific versions. It is not going to be me as I do not have any 2000/3000 scope.
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: PioB

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3385
  • Country: pt
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3409 on: December 29, 2024, 10:08:18 pm »
A diff of a packed file is almost as big as the original file.
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7404
  • Country: ca
Re: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?
« Reply #3410 on: December 29, 2024, 10:52:10 pm »
Why would it be? For the 1000X it was only 20KB.
Facebook-free life and Rigol-free shack.
 

Offline wp_wp

  • Regular Contributor
  • *
  • Posts: 68
  • Country: cn
And I don't yet understand the checksum (algorithm and location): over what range of the nk.bin does it need to be run? And Google isn't helpful in identifying the correct crc8 algorithm.
Actually, the checksum (algorithm and location) is very simple. It is not related to crc8 or crc32.
 

Offline wp_wp

  • Regular Contributor
  • *
  • Posts: 68
  • Country: cn
I wrote a program to analyze the nk.bin file:
It is similar to viewbin.exe,
but it displays more information.

D:\nk-analyzer\Debug>nk-analyzer nk.bin
Great!File open successfully!
Great!nk.bin is a BIN file!
Output content:
B000FF
ImageStart Adress in Memory:0x80361000
ImageLength:0x01AC8668
Record[  0]: start address in nk.bin:0x0000000F RecordStart in memory:0x80361000 RecordLength:0x00000004 RecordCheckSum:0x000001EB RealCheckSum:0x000001EB
Record[  1]: start address in nk.bin:0x0000001F RecordStart in memory:0x80361040 RecordLength:0x00000008 RecordCheckSum:0x000002F7 RealCheckSum:0x000002F7
Record[  2]: start address in nk.bin:0x00000033 RecordStart in memory:0x80361048 RecordLength:0x00000004 RecordCheckSum:0x00000121 RealCheckSum:0x00000121
Record[  3]: start address in nk.bin:0x00000043 RecordStart in memory:0x80362000 RecordLength:0x0000E134 RecordCheckSum:0x00493E10 RealCheckSum:0x00493E10
Record[  4]: start address in nk.bin:0x0000E183 RecordStart in memory:0x80371000 RecordLength:0x00001000 RecordCheckSum:0x00063A00 RealCheckSum:0x00063A00
Record[  5]: start address in nk.bin:0x0000F18F RecordStart in memory:0x80373000 RecordLength:0x0003803C RecordCheckSum:0x0175F932 RealCheckSum:0x0175F932
Record[  6]: start address in nk.bin:0x000471D7 RecordStart in memory:0x803AC000 RecordLength:0x00002220 RecordCheckSum:0x0009320F RealCheckSum:0x0009320F
Record[  7]: start address in nk.bin:0x00049403 RecordStart in memory:0x803AF000 RecordLength:0x0007BCE8 RecordCheckSum:0x031D2962 RealCheckSum:0x031D2962
Record[  8]: start address in nk.bin:0x000C50F7 RecordStart in memory:0x8042ACE8 RecordLength:0x0001A368 RecordCheckSum:0x007644CD RealCheckSum:0x007644CD
Record[  9]: start address in nk.bin:0x000DF46B RecordStart in memory:0x80446000 RecordLength:0x0007AF68 RecordCheckSum:0x031FD61A RealCheckSum:0x031FD61A
Record[ 10]: start address in nk.bin:0x0015A3DF RecordStart in memory:0x804C0F68 RecordLength:0x00035098 RecordCheckSum:0x0126227D RealCheckSum:0x0126227D
Record[ 11]: start address in nk.bin:0x0018F483 RecordStart in memory:0x804F6000 RecordLength:0x0003614C RecordCheckSum:0x0160A7A5 RealCheckSum:0x0160A7A5
Record[ 12]: start address in nk.bin:0x001C55DB RecordStart in memory:0x8052D000 RecordLength:0x000000A4 RecordCheckSum:0x00000AEF RealCheckSum:0x00000AEF
Record[ 13]: start address in nk.bin:0x001C568B RecordStart in memory:0x8052E000 RecordLength:0x00001FFC RecordCheckSum:0x000C2C83 RealCheckSum:0x000C2C83
Record[ 14]: start address in nk.bin:0x001C7693 RecordStart in memory:0x80530000 RecordLength:0x00097014 RecordCheckSum:0x03EAE3A9 RealCheckSum:0x03EAE3A9
Record[ 15]: start address in nk.bin:0x0025E6B3 RecordStart in memory:0x805C8000 RecordLength:0x00038050 RecordCheckSum:0x017C8A7D RealCheckSum:0x017C8A7D
Record[ 16]: start address in nk.bin:0x0029670F RecordStart in memory:0x80601000 RecordLength:0x00012154 RecordCheckSum:0x0071D3F8 RealCheckSum:0x0071D3F8
Record[ 17]: start address in nk.bin:0x002A886F RecordStart in memory:0x80614000 RecordLength:0x00000098 RecordCheckSum:0x0000252C RealCheckSum:0x0000252C
Record[ 18]: start address in nk.bin:0x002A8913 RecordStart in memory:0x80615000 RecordLength:0x00016194 RecordCheckSum:0x008D1CF6 RealCheckSum:0x008D1CF6
Record[ 19]: start address in nk.bin:0x002BEAB3 RecordStart in memory:0x8062C000 RecordLength:0x00002110 RecordCheckSum:0x000CC0A4 RealCheckSum:0x000CC0A4
Record[ 20]: start address in nk.bin:0x002C0BCF RecordStart in memory:0x8062F000 RecordLength:0x00002068 RecordCheckSum:0x00085B2E RealCheckSum:0x00085B2E
Record[ 21]: start address in nk.bin:0x002C2C43 RecordStart in memory:0x80632000 RecordLength:0x00019340 RecordCheckSum:0x00A00C23 RealCheckSum:0x00A00C23
Record[ 22]: start address in nk.bin:0x002DBF8F RecordStart in memory:0x8064C000 RecordLength:0x0000C324 RecordCheckSum:0x004BEB02 RealCheckSum:0x004BEB02
Record[ 23]: start address in nk.bin:0x002E82BF RecordStart in memory:0x80659000 RecordLength:0x0000C324 RecordCheckSum:0x004C36A3 RealCheckSum:0x004C36A3
Record[ 24]: start address in nk.bin:0x002F45EF RecordStart in memory:0x80666000 RecordLength:0x000100A0 RecordCheckSum:0x0049791A RealCheckSum:0x0049791A
Record[ 25]: start address in nk.bin:0x0030469B RecordStart in memory:0x80677000 RecordLength:0x000000D8 RecordCheckSum:0x0000260F RealCheckSum:0x0000260F
Record[ 26]: start address in nk.bin:0x0030477F RecordStart in memory:0x80678000 RecordLength:0x000010A0 RecordCheckSum:0x0005E3FB RealCheckSum:0x0005E3FB
Record[ 27]: start address in nk.bin:0x0030582B RecordStart in memory:0x8067A000 RecordLength:0x000000D8 RecordCheckSum:0x000036D4 RealCheckSum:0x000036D4
Record[ 28]: start address in nk.bin:0x0030590F RecordStart in memory:0x8067B000 RecordLength:0x00022278 RecordCheckSum:0x00BF5289 RealCheckSum:0x00BF5289
Record[ 29]: start address in nk.bin:0x00327B93 RecordStart in memory:0x8069E000 RecordLength:0x000020D8 RecordCheckSum:0x000C9DE4 RealCheckSum:0x000C9DE4
Record[ 30]: start address in nk.bin:0x00329C77 RecordStart in memory:0x806A1000 RecordLength:0x00001000 RecordCheckSum:0x00049F2A RealCheckSum:0x00049F2A
Record[ 31]: start address in nk.bin:0x0032AC83 RecordStart in memory:0x806A2000 RecordLength:0x0005BF80 RecordCheckSum:0x025CC4B9 RealCheckSum:0x025CC4B9
Record[ 32]: start address in nk.bin:0x00386C0F RecordStart in memory:0x806FDF80 RecordLength:0x000003EC RecordCheckSum:0x00006379 RealCheckSum:0x00006379
Record[ 33]: start address in nk.bin:0x00387007 RecordStart in memory:0x806FF000 RecordLength:0x0000D39C RecordCheckSum:0x005A2023 RealCheckSum:0x005A2023
Record[ 34]: start address in nk.bin:0x003943AF RecordStart in memory:0x8070D000 RecordLength:0x0000734C RecordCheckSum:0x001899EA RealCheckSum:0x001899EA
Record[ 35]: start address in nk.bin:0x0039B707 RecordStart in memory:0x80715000 RecordLength:0x00009050 RecordCheckSum:0x0036D2A9 RealCheckSum:0x0036D2A9
Record[ 36]: start address in nk.bin:0x003A4763 RecordStart in memory:0x8071F000 RecordLength:0x000001E4 RecordCheckSum:0x00004161 RealCheckSum:0x00004161
Record[ 37]: start address in nk.bin:0x003A4953 RecordStart in memory:0x80720000 RecordLength:0x00001050 RecordCheckSum:0x0003CCD4 RealCheckSum:0x0003CCD4
Record[ 38]: start address in nk.bin:0x003A59AF RecordStart in memory:0x80722000 RecordLength:0x000001E4 RecordCheckSum:0x00004161 RealCheckSum:0x00004161
Record[ 39]: start address in nk.bin:0x003A5B9F RecordStart in memory:0x80723000 RecordLength:0x0000316C RecordCheckSum:0x001482D6 RealCheckSum:0x001482D6
Record[ 40]: start address in nk.bin:0x003A8D17 RecordStart in memory:0x80727000 RecordLength:0x00003FF0 RecordCheckSum:0x001BEEBA RealCheckSum:0x001BEEBA
Record[ 41]: start address in nk.bin:0x003ACD13 RecordStart in memory:0x8072B000 RecordLength:0x0002C364 RecordCheckSum:0x011B605D RealCheckSum:0x011B605D
Record[ 42]: start address in nk.bin:0x003D9083 RecordStart in memory:0x80758000 RecordLength:0x00000038 RecordCheckSum:0x000009A2 RealCheckSum:0x000009A2
Record[ 43]: start address in nk.bin:0x003D90C7 RecordStart in memory:0x80759000 RecordLength:0x00000358 RecordCheckSum:0x00007ADE RealCheckSum:0x00007ADE
Record[ 44]: start address in nk.bin:0x003D942B RecordStart in memory:0x8075A000 RecordLength:0x00010FA8 RecordCheckSum:0x006B167D RealCheckSum:0x006B167D
Record[ 45]: start address in nk.bin:0x003EA3DF RecordStart in memory:0x8076AFA8 RecordLength:0x00000054 RecordCheckSum:0x000015C5 RealCheckSum:0x000015C5
Record[ 46]: start address in nk.bin:0x003EA43F RecordStart in memory:0x8076B000 RecordLength:0x000260E8 RecordCheckSum:0x00F94F71 RealCheckSum:0x00F94F71
Record[ 47]: start address in nk.bin:0x00410533 RecordStart in memory:0x80792000 RecordLength:0x000020E8 RecordCheckSum:0x000C72F7 RealCheckSum:0x000C72F7
Record[ 48]: start address in nk.bin:0x00412627 RecordStart in memory:0x80795000 RecordLength:0x0000B010 RecordCheckSum:0x004CE372 RealCheckSum:0x004CE372
Record[ 49]: start address in nk.bin:0x0041D643 RecordStart in memory:0x807A1000 RecordLength:0x0002BFF8 RecordCheckSum:0x011D7A6D RealCheckSum:0x011D7A6D
Record[ 50]: start address in nk.bin:0x00449647 RecordStart in memory:0x807CD000 RecordLength:0x00023000 RecordCheckSum:0x00D894DC RealCheckSum:0x00D894DC
Record[ 51]: start address in nk.bin:0x0046C653 RecordStart in memory:0x807F0000 RecordLength:0x0001F068 RecordCheckSum:0x00CCA859 RealCheckSum:0x00CCA859
Record[ 52]: start address in nk.bin:0x0048B6C7 RecordStart in memory:0x80810000 RecordLength:0x00001068 RecordCheckSum:0x0006DC40 RealCheckSum:0x0006DC40
Record[ 53]: start address in nk.bin:0x0048C73B RecordStart in memory:0x80812000 RecordLength:0x000213FC RecordCheckSum:0x00D69674 RealCheckSum:0x00D69674
Record[ 54]: start address in nk.bin:0x004ADB43 RecordStart in memory:0x80834000 RecordLength:0x0000BE0C RecordCheckSum:0x004DDE16 RealCheckSum:0x004DDE16
Record[ 55]: start address in nk.bin:0x004B995B RecordStart in memory:0x80840000 RecordLength:0x0003E000 RecordCheckSum:0x01A00C24 RealCheckSum:0x01A00C24
Record[ 56]: start address in nk.bin:0x004F7967 RecordStart in memory:0x8087E000 RecordLength:0x0000FDDC RecordCheckSum:0x006AC23B RealCheckSum:0x006AC23B
Record[ 57]: start address in nk.bin:0x0050774F RecordStart in memory:0x8088E000 RecordLength:0x0004DF34 RecordCheckSum:0x020812DD RealCheckSum:0x020812DD
Record[ 58]: start address in nk.bin:0x0055568F RecordStart in memory:0x808DBF34 RecordLength:0x0002C0C8 RecordCheckSum:0x011C32E6 RealCheckSum:0x011C32E6
Record[ 59]: start address in nk.bin:0x00581763 RecordStart in memory:0x80908000 RecordLength:0x0002E12C RecordCheckSum:0x0127BEB7 RealCheckSum:0x0127BEB7
Record[ 60]: start address in nk.bin:0x005AF89B RecordStart in memory:0x80937000 RecordLength:0x00006148 RecordCheckSum:0x00264974 RealCheckSum:0x00264974
Record[ 61]: start address in nk.bin:0x005B59EF RecordStart in memory:0x8093E000 RecordLength:0x00005E7C RecordCheckSum:0x002734F6 RealCheckSum:0x002734F6
Record[ 62]: start address in nk.bin:0x005BB877 RecordStart in memory:0x80944000 RecordLength:0x000082A8 RecordCheckSum:0x0034A748 RealCheckSum:0x0034A748
Record[ 63]: start address in nk.bin:0x005C3B2B RecordStart in memory:0x8094D000 RecordLength:0x00011100 RecordCheckSum:0x006EADE6 RealCheckSum:0x006EADE6
Record[ 64]: start address in nk.bin:0x005D4C37 RecordStart in memory:0x8095F000 RecordLength:0x00001058 RecordCheckSum:0x0006FBB4 RealCheckSum:0x0006FBB4
Record[ 65]: start address in nk.bin:0x005D5C9B RecordStart in memory:0x80961000 RecordLength:0x00001080 RecordCheckSum:0x000675F4 RealCheckSum:0x000675F4
Record[ 66]: start address in nk.bin:0x005D6D27 RecordStart in memory:0x80963000 RecordLength:0x0000120C RecordCheckSum:0x0006FA9F RealCheckSum:0x0006FA9F
Record[ 67]: start address in nk.bin:0x005D7F3F RecordStart in memory:0x80965000 RecordLength:0x0000220C RecordCheckSum:0x000EF37F RealCheckSum:0x000EF37F
Record[ 68]: start address in nk.bin:0x005DA157 RecordStart in memory:0x80968000 RecordLength:0x000000C8 RecordCheckSum:0x000035E5 RealCheckSum:0x000035E5
Record[ 69]: start address in nk.bin:0x005DA22B RecordStart in memory:0x80969000 RecordLength:0x00007094 RecordCheckSum:0x002DB80A RealCheckSum:0x002DB80A
Record[ 70]: start address in nk.bin:0x005E12CB RecordStart in memory:0x80971000 RecordLength:0x00000158 RecordCheckSum:0x0000220D RealCheckSum:0x0000220D
Record[ 71]: start address in nk.bin:0x005E142F RecordStart in memory:0x80972000 RecordLength:0x00001038 RecordCheckSum:0x00073B23 RealCheckSum:0x00073B23
Record[ 72]: start address in nk.bin:0x005E2473 RecordStart in memory:0x80974000 RecordLength:0x000020A8 RecordCheckSum:0x000ACCF6 RealCheckSum:0x000ACCF6
Record[ 73]: start address in nk.bin:0x005E4527 RecordStart in memory:0x80977000 RecordLength:0x00033164 RecordCheckSum:0x0161ABDA RealCheckSum:0x0161ABDA
Record[ 74]: start address in nk.bin:0x00617697 RecordStart in memory:0x809AB000 RecordLength:0x0002D164 RecordCheckSum:0x013F8731 RealCheckSum:0x013F8731
Record[ 75]: start address in nk.bin:0x00644807 RecordStart in memory:0x809D9000 RecordLength:0x00013FFC RecordCheckSum:0x007F7321 RealCheckSum:0x007F7321
Record[ 76]: start address in nk.bin:0x0065880F RecordStart in memory:0x809ED000 RecordLength:0x0003F1B0 RecordCheckSum:0x01952694 RealCheckSum:0x01952694
Record[ 77]: start address in nk.bin:0x006979CB RecordStart in memory:0x80A2D000 RecordLength:0x0003FFFC RecordCheckSum:0x01A1BA35 RealCheckSum:0x01A1BA35
Record[ 78]: start address in nk.bin:0x006D79D3 RecordStart in memory:0x80A6D000 RecordLength:0x0000D090 RecordCheckSum:0x005044DB RealCheckSum:0x005044DB
Record[ 79]: start address in nk.bin:0x006E4A6F RecordStart in memory:0x80A7B000 RecordLength:0x00011FF8 RecordCheckSum:0x00781EE0 RealCheckSum:0x00781EE0
Record[ 80]: start address in nk.bin:0x006F6A73 RecordStart in memory:0x80A8D000 RecordLength:0x00061864 RecordCheckSum:0x02709CA8 RealCheckSum:0x02709CA8
Record[ 81]: start address in nk.bin:0x007582E3 RecordStart in memory:0x80AEE864 RecordLength:0x000086E4 RecordCheckSum:0x003B49B1 RealCheckSum:0x003B49B1
Record[ 82]: start address in nk.bin:0x007609D3 RecordStart in memory:0x80AF7000 RecordLength:0x0002A144 RecordCheckSum:0x0112E8B2 RealCheckSum:0x0112E8B2
Record[ 83]: start address in nk.bin:0x0078AB23 RecordStart in memory:0x80B22000 RecordLength:0x0001C000 RecordCheckSum:0x00A70652 RealCheckSum:0x00A70652
Record[ 84]: start address in nk.bin:0x007A6B2F RecordStart in memory:0x80B3E000 RecordLength:0x00045E94 RecordCheckSum:0x01DF7D16 RealCheckSum:0x01DF7D16
 

Offline BillCRM

  • Contributor
  • Posts: 27
  • Country: cn
And I don't yet understand the checksum (algorithm and location): over what range of the nk.bin does it need to be run? And Google isn't helpful in identifying the correct crc8 algorithm.
Actually, the checksum (algorithm and location) is very simple. It is not related to crc8 or crc32.
For those who can't get the checksum right, just download 010 Editor; the software can do the checksum calculation.
 

Offline wp_wp

  • Regular Contributor
  • *
  • Posts: 68
  • Country: cn
In 010 Editor
Check Sum - UByte(8 bit)
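To make the two points above concrete (wp_wp's note that the record checksum is a plain byte sum, and the record table nk-analyzer prints), here is an added example, not code from the thread or from wp_wp's tool, that walks the B000FF record table of a Windows CE .bin image and recomputes each record's checksum so a modified record is detected. The sample image, its addresses and payloads are constructed inline and are not taken from any real firmware.

```python
import struct

MAGIC = b"B000FF\n"          # 7-byte signature of a Windows CE .bin (nk.bin) image
HEADER_LEN = len(MAGIC) + 8  # magic + u32 image start + u32 image length = 0x0F


def record_checksum(payload: bytes) -> int:
    """Per-record checksum of the .bin format: the plain sum of the payload
    bytes (the 'UByte (8 bit)' sum in 010 Editor terms), stored as a
    little-endian u32.  No CRC polynomial is involved."""
    return sum(payload) & 0xFFFFFFFF


def parse_nkbin(data: bytes) -> dict:
    """Walk the record table of a .bin image and verify every record.

    Layout (matching the nk-analyzer output above):
      0x00  7-byte magic 'B000FF\\n'
      0x07  u32 image start address in memory
      0x0B  u32 image length
      0x0F  record 0: u32 address, u32 length, u32 checksum, then <length>
            payload bytes; the next record header follows the payload.
    The table ends with a record whose address and checksum are both zero
    (its length field then carries the entry point and it has no payload).
    """
    if data[:len(MAGIC)] != MAGIC:
        raise ValueError("not a B000FF .bin image")
    image_start, image_len = struct.unpack_from("<II", data, len(MAGIC))
    records = []
    off = HEADER_LEN
    while off + 12 <= len(data):
        addr, length, stored = struct.unpack_from("<III", data, off)
        header_off = off
        off += 12
        if addr == 0 and stored == 0:
            records.append({"index": len(records), "header_offset": header_off,
                            "addr": 0, "length": length, "stored": 0,
                            "computed": 0, "ok": True, "terminator": True})
            break
        payload = data[off:off + length]
        if len(payload) != length:
            raise ValueError(f"record at 0x{header_off:X} is truncated")
        computed = record_checksum(payload)
        records.append({"index": len(records), "header_offset": header_off,
                        "payload_offset": off, "addr": addr, "length": length,
                        "stored": stored, "computed": computed,
                        "ok": computed == stored, "terminator": False})
        off += length
    return {"image_start": image_start, "image_len": image_len, "records": records}


def build_sample_bin(image_start: int, records: list, entry: int) -> bytes:
    """Assemble a small CONSTRUCTED .bin image (not a real firmware) from
    (memory address, payload) pairs, with correct checksums and terminator."""
    end = max(addr + len(p) for addr, p in records)
    out = bytearray(MAGIC)
    out += struct.pack("<II", image_start, end - image_start)
    for addr, payload in records:
        out += struct.pack("<III", addr, len(payload), record_checksum(payload))
        out += payload
    out += struct.pack("<III", 0, entry, 0)  # terminator record
    return bytes(out)


def corrupt_byte(data: bytes, offset: int, delta: int) -> bytes:
    """Return a copy of data with one byte altered, to show detection."""
    out = bytearray(data)
    out[offset] = (out[offset] + delta) & 0xFF
    return bytes(out)


def mismatches(data: bytes) -> list:
    """Indices of records whose stored checksum does not match the payload."""
    return [r["index"] for r in parse_nkbin(data)["records"] if not r["ok"]]


# Constructed sample: two records plus terminator.  Addresses are made up.
SAMPLE = build_sample_bin(
    0x80361000,
    [(0x80361000, bytes(range(16))), (0x80362000, b"\xff" * 5)],
    entry=0x80361000,
)

if __name__ == "__main__":
    info = parse_nkbin(SAMPLE)
    print(f"ImageStart: 0x{info['image_start']:08X}  ImageLength: 0x{info['image_len']:08X}")
    for r in info["records"]:
        print(f"Record[{r['index']:3}] file 0x{r['header_offset']:08X} mem 0x{r['addr']:08X} "
              f"len 0x{r['length']:08X} stored 0x{r['stored']:08X} "
              f"computed 0x{r['computed']:08X} {'OK' if r['ok'] else 'MISMATCH'}")
    # Raise one payload byte by 2: the stored sum no longer matches, and the
    # difference is exactly 2 because the checksum is additive over bytes.
    damaged = corrupt_byte(SAMPLE, info["records"][0]["payload_offset"], 2)
    print("mismatching records after a one-byte change:", mismatches(damaged))
```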
 

Offline TheKellerman

  • Contributor
  • Posts: 12
  • Country: de
I think your FPGA is not getting loaded.
Is there a reason you go to USB first? Have you tried to boot normally?
The thing is that the U-Boot you send over USB may not have the environment variables, which are stored in NOR.

Edit: That is exactly what the boot log in the post you referenced said:

Code: [Select]
FPGA programming FAILED!
And also:
Code: [Select]
Could not copy from NAND offset 0x60000. Error -74 With ECC
Address 0x60000 is where the FPGA image is stored in NAND

So if the FPGA program in NAND is corrupted, the recovery will hang at

Code: [Select]
GMAC DMA status register = 0x0
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.

correct?

That's where I am stuck in the repair of my MSOX4000. Is there any way to program the FPGA using U-Boot, before loading recover.nb0?
 

Offline BillCRM

  • Contributor
  • Posts: 27
  • Country: cn
After some preparation and waiting, I finally have time and tools to perform the hardware modification!
Thanks to all the previous work done by memset, Howardlong and others. The mod works great!
The rise time goes to 680-700ps, the sample rate goes to 5G with still great time accuracy.
After the user cal, everything is great! :-+
 
The following users thanked this post: PioB

Offline Estaxe

  • Contributor
  • Posts: 12
  • Country: pl
Hello Bill,

this is freaking amazing. I tried to do this, but gave up quickly :) Can I ask you to make a PDF manual describing this modification process, please? That would be extremely helpful for a lot of people, I think. If it is possible, of course. Thank you so much in advance!
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7404
  • Country: ca
So if the FPGA program in NAND is corrupted, the recovery will hang at

Code: [Select]
GMAC DMA status register = 0x0
BALDWIN_DDI: cBaldwinHwIf::Init: Initializing...
BALDWIN_DDI: cBaldwinHwIf::Init: Scope successfully identified.

correct?

You should check the log for the FPGA failed message at the very beginning of the boot process.
Code: [Select]
FPGA programming FAILED!
Quote
That's where I am stuck in the repair of my MSOX4000. Is there any way to program the FPGA using U-Boot, before loading recover.nb0?

See my post in the 1000x thread
https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg5746541/#msg5746541

Same should work for other scopes but you will need to replace the fpga .bin length with your scope's fpga size length.
Facebook-free life and Rigol-free shack.
 

Offline PioB

  • Regular Contributor
  • *
  • Posts: 107
  • Country: ch
So, I am a tiny bit further in my quest: user Olento posted a Python 2 script for generating the password for the DSOX3000T series back in 2020. As that doesn't run on Python 3 anymore, I modified it.
The results match for two MAC addresses I tested.

Code: [Select]
#!/usr/bin/env python3
from hashlib import md5
from base64 import b64encode

# Original version from olento:
# https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg3385608/#msg3385608
#
# "Get the IP and MAC addresses from DHCP page of your WiFi/LAN router/DHCP server
# (the scope uses a DHCP client name such as "k-dx3014t-12345").  Modify the python
# script and run it.  Use the same username (infiniivision) and the generated password and you can log in."

# Type in the real parameters here
# modified for python 3
MODEL  = "DSOX3014T"
SERIAL = "MY12345678"
MAC    = "00-12-34-56-78-90"

def makepwd(model, serial, mac):
    # strip the ':' / '-' separators from the MAC and upper-case it
    mac = mac.translate({ord(i): None for i in ':-'}).upper()
    toencode = model + serial + mac
    print("String to encode: ", toencode)
    hstr = md5(toencode.encode('utf-8')).digest()
    # first 8 base64 characters of the digest, reversed; decode() yields a str
    pwd = b64encode(hstr)[7::-1].decode('ascii')
    print('Model : {0}\nSerial: {1}\nMAC   : {2}\nPasswd: {3}'.format(model, serial, mac, pwd))
    return pwd

makepwd(MODEL, SERIAL, MAC)

Hope that helps someone.
 
The following users thanked this post: Thor-Arne, Estaxe

Offline PioB

  • Regular Contributor
  • *
  • Posts: 107
  • Country: ch
And I am trying to get the script for the DSOX2000A/DSOX3000A modernized for Python 3, but Exscript fails with a timeout.
I don't seem to be able to tell it the prompt to wait for, '\>'.

Original script by gaminn:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg2336781/#msg2336781

I'd be grateful for any hint.

Code: [Select]
from Exscript.util.start import start
from Exscript import Account, Host
from ping3 import ping

from Exscript.util.match import any_match
from Exscript.util.template import eval_file



#telnet script to connect to DSOX2000A/3000A
#original by gaminn
# https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg2336781/#msg2336781
# conversion to python3
# "Just launch it and then turn on the scope."

def do_something(job, host, conn):
#    conn.expect_prompt('\\>')
    conn.set_prompt('\\>')
    print('starting')
    conn.guess_os()
    print('killing')
    conn.execute('processmgr kill infiniivisionlauncher.exe\r\n')
    print('launching')
    conn.execute('\\Secure\\infiniiVision\\infiniivisionLauncher.exe -l MSO -l BW20 -l DIS --perf --forcemaxmem\r\n')
    print('launched')
    conn.execute('exit\r\n')

   
scopeIP = "192.168.1.23"
user = "infiniivision"
password = "skywalker1977"
accounts=[Account(user, password)]

hosts=Host('telnet://'+scopeIP)

print("Waiting for ping response")
while not ping(scopeIP):
    pass
print("Ping received")

print('Starting connection')
start(accounts,hosts, do_something)


Answer:
Code: [Select]
$ python telnet_dsox_py3exscript.py
Waiting for ping response
Ping received
Starting connection
Welcome to the Windows CE Telnet Service on a-dx2002a-xyzabc

login:
infiniivision
Password:


Pocket CMD v 6.00
\>

**** This Telnet Session is being shutdown.  ****
192.168.1.23 error: Buffer: '\r\n\r\n\r\nPocket CMD v 6.00\r\n\\> \r\n\r\n**** This Telnet Session is being shutdown.  ****\r\n'
Traceback (most recent call last):
  File "/home/baettig/.local/lib/python3.13/site-packages/Exscript/protocols/protocol.py", line 769, in _app_authenticate
    index, match = self._waitfor(prompt_list)
                   ~~~~~~~~~~~~~^^^^^^^^^^^^^
  File "/home/baettig/.local/lib/python3.13/site-packages/Exscript/protocols/protocol.py", line 986, in _waitfor
    result = self._domatch(re_list, False)
  File "/home/baettig/.local/lib/python3.13/site-packages/Exscript/protocols/telnet.py", line 99, in _domatch
    raise TimeoutException(error)
Exscript.protocols.exception.TimeoutException: Error while waiting for response from device

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/baettig/.local/lib/python3.13/site-packages/Exscript/workqueue/job.py", line 78, in run
    self.function(self)
    ~~~~~~~~~~~~~^^^^^^
  File "/home/baettig/.local/lib/python3.13/site-packages/Exscript/queue.py", line 102, in _wrapped
    result = func(job, host, conn, *args, **kwargs)
  File "/home/baettig/.local/lib/python3.13/site-packages/Exscript/util/decorator.py", line 117, in decorated
    conn.login(flush=flush)
    ~~~~~~~~~~^^^^^^^^^^^^^
  File "/home/baettig/.local/lib/python3.13/site-packages/Exscript/protocols/protocol.py", line 675, in login
    self.authenticate(account, flush=False)
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^
  File "/home/baettig/.local/lib/python3.13/site-packages/Exscript/protocols/protocol.py", line 701, in authenticate
    self.app_authenticate(app_account, flush=flush)
    ~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/baettig/.local/lib/python3.13/site-packages/Exscript/protocols/protocol.py", line 870, in app_authenticate
    self._app_authenticate(account, password, flush, bailout)
    ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/baettig/.local/lib/python3.13/site-packages/Exscript/protocols/protocol.py", line 774, in _app_authenticate
    raise TimeoutException(msg)
Exscript.protocols.exception.TimeoutException: Buffer: '\r\n\r\n\r\nPocket CMD v 6.00\r\n\\> \r\n\r\n**** This Telnet Session is being shutdown.  ****\r\n'

192.168.1.23 finally failed.


I'd be grateful for any hint.
« Last Edit: January 04, 2025, 06:48:27 pm by PioB »
 

Offline TheKellerman

  • Contributor
  • Posts: 12
  • Country: de

See my post in the 1000x thread
https://www.eevblog.com/forum/blog/eevblog-978-keysight-1000x-hacking/msg5746541/#msg5746541

Same should work for other scopes but you will need to replace the fpga .bin length with your scope's fpga size length.

Thank you! It worked on my MSOX4000A
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7404
  • Country: ca
Awesome  :-+
Facebook-free life and Rigol-free shack.
 

Offline PioB

  • Regular Contributor
  • *
  • Posts: 107
  • Country: ch
OK, I got it working on Python 3: the script telnets to the scope and liberates the options for the current session.
It should work for DSOX2000A and 3000A; for 3000T use the password generator from a couple of posts above.

The script connects to the scope and the scope then complains about "unfinalized software" but works.

-l MSO -l BW20 -l DIS --perf --forcemaxmem
yields: MSO, memMax, EMBD, AUTO, COMP, SGM, MASK, BW20, EDK, WAVEGEN, DIS, DVM, ASV, RML, PLUS
-l All -l SCPIPS -l BW20
yields:
DS2000AUTA*, D2000GENA*, D2000BDLA*, All, MSO*, memMax*, SGM*, BW20, EDK, WAVEGEN*, DIS*, DVM, ASV*, SCPIPS, RML, PLUS*

So I am not sure which one of the two is preferable...

Original script by gaminn:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg2336781/#msg2336781


Code: [Select]
$ python conn_pexpect.py
Waiting for Scope to wake up
ping received
Trying 192.168.1.23...
Connected to 192.168.1.23.
Escape character is '^]'.








Welcome to the Windows CE Telnet Service on a-dx2002a-ABCDE

login: infiniivision
infiniivision
Password: skywalker1977



Pocket CMD v 6.00
\>
\> processmgr kill infiniivisionlauncher.exe
Killing Launcher
\Secure\infiniiVision\infiniivisionLauncher.exe -l MSO -l BW20 -l DIS --perf --forcemaxmem
Restarting Launcher
exit


Thank you everyone for the work and the time to document. I am still motivated to learn how to modify the firmware to have the options permanently enabled, but am taking this stepping stone :)

Still, should someone have an idea how to get my above script with exscript working to recognize the prompt, I'd be grateful.

The script was tested under Fedora 41; I needed to install telnet (and the ping3 library).
 
The following users thanked this post: Estaxe

Offline Estaxe

  • Contributor
  • Posts: 12
  • Country: pl
Hello, guys.

Sorry for going a bit off-topic, but maybe someone here could help me. We have an old MSO-X 3012A in our lab that malfunctioned (seems to be a NAND problem; I fixed it, now it powers on), but after finishing the repair procedure I noticed that the "Auto-set" function doesn't work. Obviously, the oscilloscope requires a new calibration procedure, so now I will have to assemble a calibration fixture. But I'm afraid it will not be possible because of the error that appeared after the hardware self-check procedure: there is a message "Self test failed: ExtTrigComp", see the attached picture. :palm: So, could you please tell me, is it a hardware problem, so that I will have to locate the damaged component on the PCB, or maybe it's a software issue? Thank you very much for your help!
 

