Author Topic: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?  (Read 774000 times)

0 Members and 7 Guests are viewing this topic.

Offline yocheng

  • Contributor
  • Posts: 8
  • Country: hk
How to hack the firmware
1. Unpack the firmware *.cab by 7zip
2. Unpack infiniiVisionSetup.cab ( e.g. with WinCE CAB Manager 3.0)
    Find \Secure\infiniiVision\infiniiVisionCore.dll
3. Change at location 0x277e50 in infiniiVisionCore.dll
    byte sequence 04 00 a0 e1 to byte sequence 00 00 a0 e3
4. Enable startup Overide by creating USB flash with following structure in root of USB drive (copy structure from Secure folder from point 2)
    Edit in Startup folder file infiniivision.lnk to contains following sequence "62#\usb\infiniiVision\infiniivisionLauncher.exe -l All -l SCPIPS"
    Replace in infiniiVision folder  infiniiVisionCore.dll with patched infiniiVisionCore.dll file
5. Create infiniivisionStartupOverride.txt file in root of USB flash drive containing "True"
6. Plug the USB drive to scope and turn it ON
7. There will be red  message in letf top corner "Unfinalized Software"  and "System Concerns detected: OS version is not correct. Please reload system firmware"

Applications needed:
 WinCE CAB Manager http://www.ocpsoftware.com/products.php
 7Zip http://www.7-zip.org/

These steps can be used in the 2.37 firmware?
 
The following users thanked this post: Andrew

Offline Sparky

  • Frequent Contributor
  • **
  • Posts: 441
  • Country: us
How to hack the firmware
1. Unpack the firmware *.cab by 7zip
2. Unpack infiniiVisionSetup.cab ( e.g. with WinCE CAB Manager 3.0)
    Find \Secure\infiniiVision\infiniiVisionCore.dll
3. Change at location 0x277e50 in infiniiVisionCore.dll
    byte sequence 04 00 a0 e1 to byte sequence 00 00 a0 e3
4. Enable startup Overide by creating USB flash with following structure in root of USB drive (copy structure from Secure folder from point 2)
    Edit in Startup folder file infiniivision.lnk to contains following sequence "62#\usb\infiniiVision\infiniivisionLauncher.exe -l All -l SCPIPS"
    Replace in infiniiVision folder  infiniiVisionCore.dll with patched infiniiVisionCore.dll file
5. Create infiniivisionStartupOverride.txt file in root of USB flash drive containing "True"
6. Plug the USB drive to scope and turn it ON
7. There will be red  message in letf top corner "Unfinalized Software"  and "System Concerns detected: OS version is not correct. Please reload system firmware"

Applications needed:
 WinCE CAB Manager http://www.ocpsoftware.com/products.php
 7Zip http://www.7-zip.org/

These steps can be used in the 2.37 firmware?

No.
 
The following users thanked this post: Andrew

Offline iRad

  • Regular Contributor
  • *
  • Posts: 149
  • Country: us
  • Are you sure it's safe?
These steps can be used in the 2.37 firmware?

No. The structure and length of the new firmware cab is different.
 
The following users thanked this post: Andrew

Offline yocheng

  • Contributor
  • Posts: 8
  • Country: hk
How to hack the firmware
1. Unpack the firmware *.cab by 7zip
2. Unpack infiniiVisionSetup.cab ( e.g. with WinCE CAB Manager 3.0)
    Find \Secure\infiniiVision\infiniiVisionCore.dll
3. Change at location 0x277e50 in infiniiVisionCore.dll
    byte sequence 04 00 a0 e1 to byte sequence 00 00 a0 e3
4. Enable startup Overide by creating USB flash with following structure in root of USB drive (copy structure from Secure folder from point 2)
    Edit in Startup folder file infiniivision.lnk to contains following sequence "62#\usb\infiniiVision\infiniivisionLauncher.exe -l All -l SCPIPS"
    Replace in infiniiVision folder  infiniiVisionCore.dll with patched infiniiVisionCore.dll file
5. Create infiniivisionStartupOverride.txt file in root of USB flash drive containing "True"
6. Plug the USB drive to scope and turn it ON
7. There will be red  message in letf top corner "Unfinalized Software"  and "System Concerns detected: OS version is not correct. Please reload system firmware"

Applications needed:
 WinCE CAB Manager http://www.ocpsoftware.com/products.php
 7Zip http://www.7-zip.org/

These steps can be used in the 2.37 firmware?

No.

My firmware is 2.37 I can drop to 2.35?
 
The following users thanked this post: Andrew

Offline yocheng

  • Contributor
  • Posts: 8
  • Country: hk
These steps can be used in the 2.37 firmware?

No. The structure and length of the new firmware cab is different.

My firmware is 2.37 I can drop to 2.35 firmware?
 
The following users thanked this post: Andrew

Offline iRad

  • Regular Contributor
  • *
  • Posts: 149
  • Country: us
  • Are you sure it's safe?
My firmware is 2.37 I can drop to 2.35 firmware?

You should go back and read the last couple of pages...

After getting a request from someone here what I did:
1) Upgrade from 2.35 to 2.37: OK!
2) Test SCPI on port 5024 with FW 2.37 (require LAN Module): OK!
3) downgrade from 2.37 to 2.35: FAILED!
« Last Edit: July 16, 2014, 03:51:57 pm by iRad »
 
The following users thanked this post: Andrew

Online abyrvalg

  • Frequent Contributor
  • **
  • Posts: 540
  • Country: ru
A quick analysis of 2.37 shows that Startup Override functionality is disabled in ProcessStartupFolder.exe: it still looks for infiniivisionStartupOverride.txt file, but instead of executing lnk/exe files it runs "ipconfig.exe /all > ipconfig.txt" (what is it? a "tampered" mark?), then "rebootInfiniiVision.exe", which surprisingly results in reboot  >:D 2.36 has the same problem I guess.
We should focus on downgrade I think.
 
The following users thanked this post: Andrew

Offline kilobyte

  • Regular Contributor
  • *
  • Posts: 67
  • Country: de
    • My Website
So i did some tests with the "Unfinalized Software" Hack on the 2.37 Firmware.

On my Scope is currently the version 2.35 with the most options enabled by DSOAPP Bundle except the MSO Function.

I extracted the cab file of the 2.37 with this tool MSCEInf - CAB Analyzer (No Setup needed and free)
And searched for the same code location and it has moved to 0x27A9A0, changed the 4 byte to 00 00 A0 E3 and put the whole Infiniivision folder to the usb stick.
The Scope boots the 2.37 and the additional features are enabled. (see Screenshots)

A quick analysis of 2.37 shows that Startup Override functionality is disabled in ProcessStartupFolder.exe: it still looks for infiniivisionStartupOverride.txt file, but instead of executing lnk/exe files it runs "ipconfig.exe /all > ipconfig.txt" (what is it? a "tampered" mark?), then "rebootInfiniiVision.exe", which surprisingly results in reboot  >:D 2.36 has the same problem I guess.
We should focus on downgrade I think.
:wtf: Nice find!
Maybe it's posible the change the exe with an older one that supports usb booting
 
The following users thanked this post: Andrew

Offline yocheng

  • Contributor
  • Posts: 8
  • Country: hk
My firmware is 2.37 I can drop to 2.35 firmware?

You should go back and read the last couple of pages...

After getting a request from someone here what I did:
1) Upgrade from 2.35 to 2.37: OK!
2) Test SCPI on port 5024 with FW 2.37 (require LAN Module): OK!
3) downgrade from 2.37 to 2.35: FAILED!

Thank you for your reply, post too long, not scrutiny. Sorry.
 
The following users thanked this post: Andrew

Offline yocheng

  • Contributor
  • Posts: 8
  • Country: hk
So i did some tests with the "Unfinalized Software" Hack on the 2.37 Firmware.

On my Scope is currently the version 2.35 with the most options enabled by DSOAPP Bundle except the MSO Function.

I extracted the cab file of the 2.37 with this tool MSCEInf - CAB Analyzer (No Setup needed and free)
And searched for the same code location and it has moved to 0x27A9A0, changed the 4 byte to 00 00 A0 E3 and put the whole Infiniivision folder to the usb stick.
The Scope boots the 2.37 and the additional features are enabled. (see Screenshots)

A quick analysis of 2.37 shows that Startup Override functionality is disabled in ProcessStartupFolder.exe: it still looks for infiniivisionStartupOverride.txt file, but instead of executing lnk/exe files it runs "ipconfig.exe /all > ipconfig.txt" (what is it? a "tampered" mark?), then "rebootInfiniiVision.exe", which surprisingly results in reboot  >:D 2.36 has the same problem I guess.
We should focus on downgrade I think.
:wtf: Nice find!
Maybe it's posible the change the exe with an older one that supports usb booting

You cracked the 2.37 firmware?
1.I use 4G USB format it FAT16
2.Change at location 0x27A9A0 in infiniiVisionCore.dll byte sequence 04 00 a0 e1 to byte sequence 00 00 a0 e3
3 Edit in Startup folder file infiniivision.lnk to contains following sequence "62#usbinfiniiVisioninfiniivisionLauncher.exe -l All -l SCPIPS"
4.Create infiniivisionStartupOverride.txt file in root of USB flash drive containing "True"
5.5.Plug the USB drive to scope and turn it ON

But I can not hack it , The LED lamp has been circulating blinking, screen also continue to restart.
who can send me the USB file zip. my E-mail: yocheng@163.com      Thank you very much!
               
« Last Edit: July 17, 2014, 06:07:51 am by yocheng »
 
The following users thanked this post: Andrew

Offline iRad

  • Regular Contributor
  • *
  • Posts: 149
  • Country: us
  • Are you sure it's safe?
Thank you for your reply, post too long, not scrutiny. Sorry.

You never know what you might be missing by not reading...
 
The following users thanked this post: Andrew

Offline iRad

  • Regular Contributor
  • *
  • Posts: 149
  • Country: us
  • Are you sure it's safe?
So i did some tests with the "Unfinalized Software" Hack on the 2.37 Firmware.
...
The Scope boots the 2.37 and the additional features are enabled. (see Screenshots)

Nice work!
 
The following users thanked this post: Andrew

Offline Sparky

  • Frequent Contributor
  • **
  • Posts: 441
  • Country: us
A quick analysis of 2.37 shows that Startup Override functionality is disabled in ProcessStartupFolder.exe: it still looks for infiniivisionStartupOverride.txt file, but instead of executing lnk/exe files it runs "ipconfig.exe /all > ipconfig.txt" (what is it? a "tampered" mark?), then "rebootInfiniiVision.exe", which surprisingly results in reboot  >:D 2.36 has the same problem I guess.
We should focus on downgrade I think.

@abyrvalg: How did you located the file ProcessStartupFolder.exe in the 2.37 download?  I looked but could not find it in any .cab file, so I assume it is compressed with other /Windows/* files, perhaps in a .BIN file but I don't know.  If you could provide some idea, I would appreciate it so I can understand how it all fits together.

ProcessStartupFolder.exe is one file I could not copy from the scope when I was on 2.36 firmware.  We suspected that it was fundamental to changing the USB boot process, and now thanks to your efforts we have good idea what is happening!
 
The following users thanked this post: Andrew

Online abyrvalg

  • Frequent Contributor
  • **
  • Posts: 540
  • Country: ru
Tools to extract the firmware/kernel.
 
The following users thanked this post: Andrew

Offline daemon82

  • Newbie
  • Posts: 2
Hello guys!

I seemed to have a FW problem with the oscilloscope and had to upgrade the firmware unfortunately before I found this forum...
Now I have 2.37 fw revision.
I tried to downgrade  by tricking the process into thinking the 2.35 files are 2.37 indeed by changing strings in INFINI~1.028
I have recalculated the MD5 for the infiniVIsionSetup.cab too to set it in the recipe.xml
I unpacked the .cab files with 7zip and packed them back with CABPACK.
It did not work, I get error message about the file loading unsuccessful.
I am not sure though if it was a wrong packing method I used, or something else.

Did anybody approach the downgrade process from this angle?
 
The following users thanked this post: Andrew

Online abyrvalg

  • Frequent Contributor
  • **
  • Posts: 540
  • Country: ru
Looks like the problem is here:
2.35 infiniiVisionCore.dll: infiniiVisionInstallService.exe --minimumVersion 2.20.00.00
2.37 infiniiVisionCore.dll: infiniiVisionInstallService.exe --minimumVersion 2.36.00.00
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se
Hello guys!

I seemed to have a FW problem with the oscilloscope and had to upgrade the firmware unfortunately before I found this forum...
Now I have 2.37 fw revision.
I tried to downgrade  by tricking the process into thinking the 2.35 files are 2.37 indeed by changing strings in INFINI~1.028
I have recalculated the MD5 for the infiniVIsionSetup.cab too to set it in the recipe.xml
I unpacked the .cab files with 7zip and packed them back with CABPACK.
It did not work, I get error message about the file loading unsuccessful.
I am not sure though if it was a wrong packing method I used, or something else.

Did anybody approach the downgrade process from this angle?

You can buy the DSOX3APPBNDL and it will unlock almost the same like any hack....
http://www.home.agilent.com/en/pd-2401593-pn-DSOX3APPBNDL/application-bundle-for-infiniivision-3000-x-series-oscilloscopes
Included options
DSOX3ADVMATH Advanced math measurement application
DSOX3AERO A/D trigger and decode (MIL-STD 1553/ARINC 429)
DSOX3AUDIO Audio serial trigger and analysis (I²S)
DSOX3AUTO Automotive trigger and analysis (CAN/LIN)
DSOX3COMP Computer trigger and analysis (RS232/UART)
DSOX3EMBD Embedded trigger and analysis (I²C/SPI)
DSOX3FLEX FlexRay trigger and analysis
DSOX3MASK Mask limit testing
DSOX3MEMUP Memory upgrade to 4 Mpts
DSOX3PWR Power measurements
DSOX3SGM Segmented memory acquisition
DSOX3VID Video trigger and analysis
DSOX3WAVEGEN Integrated 20 MHz function/arbitrary waveform generator
DSOXDVM Integrated digital voltmeter
DSOXEDK Educator’s training kit
 
The following users thanked this post: Andrew

Online abyrvalg

  • Frequent Contributor
  • **
  • Posts: 540
  • Country: ru
Update: not 100% sure, but it looks like this version is checked against the FileVersion field of VS_VERSION_INFO resource of infiniivisionLauncher.exe inside the cab. This exe looks similar for 2.35 and 2.37, just the version string, timestamps and digital signature differs. Anyone to try putting a 2.37 launcher into 2.35 cab and updating? Somebody from Agilent?  >:D
 
The following users thanked this post: Andrew

Offline kilobyte

  • Regular Contributor
  • *
  • Posts: 67
  • Country: de
    • My Website
So I did the update to 2.37 and tried how to downgrad to V2.35.
The first step was a modified cab based on V2.35 and Infiniivision.cab from 2.37 to change the Windows folder with the ProcessStartupFolder.exe
The 2.37 Firmware has loaded the Firmware Update successfully but it takes a couple of minutes before the scope reboots.
This is the simples way to restore the \windows folder to an older version because ist write protected.

The next Step was to rename the 2.37 to 2.35 in the infiniiVisionLauncher and infiniiVisionCore and replaced these files directly over telnet from usb to the \sercure folder.
after a reboot i tried to load a V2.35 Firmware but this didn't works maybe the timestamp was also checked. :(

After I replaced the newest files in the \secure\infiniivision folder direcly with the 2.35 Files I was able to load the old v2.35 setup.

So its posible to go back to the V2.35 with the help of telnet access.

Because i did this with try&error i don't have more details at the moment. For the moment I'm happy that my scope is run with V2.35 again an working Usb Startup. :phew:

btw It's easy the change the Splash Screen \windows\compileImageForSplashScreen.exe \usb\SplashImage.png \Secure\InfiniiVision\splashImage.bin
 
The following users thanked this post: Andrew

Online abyrvalg

  • Frequent Contributor
  • **
  • Posts: 540
  • Country: ru
kilobyte, good news!

If someone with telnet access wants to experiment with cab versioning, there seems to be a quick way to test is it accepted w/o installing it: run infiniiVisionInstallService.exe --validateOnly --minimumVersion 2.36.00.00 \usb\your_cab_file
I don't have a scope to try, use infiniiVisionInstallService.exe --help to get more info on that
 
The following users thanked this post: Andrew

Offline Sparky

  • Frequent Contributor
  • **
  • Posts: 441
  • Country: us
So i did some tests with the "Unfinalized Software" Hack on the 2.37 Firmware.

On my Scope is currently the version 2.35 with the most options enabled by DSOAPP Bundle except the MSO Function.

I extracted the cab file of the 2.37 with this tool MSCEInf - CAB Analyzer (No Setup needed and free)
And searched for the same code location and it has moved to 0x27A9A0, changed the 4 byte to 00 00 A0 E3 and put the whole Infiniivision folder to the usb stick.
The Scope boots the 2.37 and the additional features are enabled...

Thanks kilobyte! I'm in the same boat as you --- have 2.35 and most options enabled by DSOAPP bundle, except BW and MSO.  I was able to reproduce your finding by modifying 2.37 as you instruct, and the MSO and BW options activated.  Thanks for the updated memory location to edit.

Tools to extract the firmware/kernel.

Thank you abyrvalg! I appreciate the nice instructions :)
 
The following users thanked this post: Andrew

Offline mischo22

  • Contributor
  • Posts: 9
I tested the Version 2.37 installed on my usb-stick.

Warning: It change the Telnet Password!
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se
It is weird with 2.37 installed on scope telnet password remain unchanged.
 
The following users thanked this post: Andrew

Online abyrvalg

  • Frequent Contributor
  • **
  • Posts: 540
  • Country: ru
Telnet password is set at every startup by /windows/createUserAccounts.exe program, which lives inside nk.bin.comp - no way to change it.
 
The following users thanked this post: Andrew

Offline kilobyte

  • Regular Contributor
  • *
  • Posts: 67
  • Country: de
    • My Website
I don't have any problems with Telnet login.

But here the first login fail and the second login is working with putty.
 
The following users thanked this post: Andrew


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf