DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?

[salvagedcircuitry]

I have a dsox 2014 with nand flash corruption. Here's the initial u-boot output from first terminal window:

I followed the titiris method:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg2136181/#msg2136181

I have had some successes, but I keep getting stuck near the final stages of recovery. when entering "go 0x00362000" All I get is:
## Starting application at 0x00362000 ...
nothing ever happens afterwards.

I followed the procedures for USB stick generation and set the file structure the same way, double checked the spelling of the directory folders. I put the same setup on a 64mb fat formatted usb stick and a 16gb exfat formatted usb memory stick. Neither worked. 

I repeated the process with 2.37 firmware but still no change.
I formatted the 16gb usb stick in fat32 and no change. still stuck on "Starting application at 0x00362000 ..."

I noticed that the read/write light on any usb card I use never lights up when in the scope.
I tried the same process without a usb stick inserted and the same thing happens.
Is the scope just not reading any of my usb memory cards? 

Any troubleshooting ideas?
Thanks guys!


Edit: I have solved my problem and will update here with the procedure soon. A dsox2014 has been saved from the bins!

[analogRF]

does anyone have the original (unpatched) FW V2.20 for 3000A scopes?
I am trying to recover a 3000A which has 2.20 on it but my oldest FW is 2.35 and didnt work

thanks

[MarkL]

does anyone have the original (unpatched) FW V2.20 for 3000A scopes?
I am trying to recover a 3000A which has 2.20 on it but my oldest FW is 2.35 and didnt work

thanks

PM sent.

[calvinlove0]

Thank you for your post!
The firmware link you provided is dead however...don't suppose you still have the file you could send my way 

[calvinlove0]

I'm still researching this topic but its unclear to me whether the firmware flash repair is possible with the new v2.66 firmware. If you could pass along the old firmware it would be greatly appreciated.

[maurit]

Hi,
try with other firmware you have up to v2.66

[calvinlove0]

....dumb question...do you still have that .cab file? :3 need v2.35 to fix my scope

[jdubs06]

Hey look, I found a file. Remove jpg

[jdubs06]

Also this one

[jdubs06]

Last one

[cskarto]

Hello,

We also have a boot problem with the DSO-x 2012A, bought a long time ago at Agilent. Can someone give us a simple explanation what is going on here and how we can fix this? I have attached a short video.

Thanks in advance.

Cskarto

[maurit]

Hi Cskarto,
usual problem: NAND Flash corruption.
Read:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg2136181/#msg2136181

Ciao.
Maurizio

[maurit]

Hi Cskarto,
usual problem: NAND Flash corruption.
Read:
https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg2136181/#msg2136181

Ciao.
Maurizio

[WSAYUN]

So, doing these patches for 2.42 and above, requires going through a bunch of steps, which you really just need to walk through yourself, to see how it all works, versus writing up an entire novel on here trying to explain it...

You need to follow the steps for unpacking the firmware file, de-compressing the 'nk.bin'  WindowsCE image, and locating the DLL within that image, you can just find it by using a hex editor, etc, and finding hex patterns...

As safar explained, the 'nk.bin' has checksums for blocks of data, so when you apply the patches into the DLL spots within the nk.bin (decompressed), you need to also fix the checksum for that block.  It's a standard 'checksum' algorithm, using single byte as input data (ie versus 16-bit, 32-bit etc 'symbols' for checksum), ie in Safar's post he called it 'UByte8Bit', as other programs tend to say that as well..


A trial one I found that makes it easy is the '010 Editor', it does that checksum calc, as well as many others..

If I were you, I'd download the 2.42 firmware, unpack it, and follow the info that Safar mention in his post... once you can understand what he did, and the locations he patched, you can do it to 2.43 as well....

Hi, yes I use IDA for find code and 010 Editor for patch.

I try to explain algorithm (with all steps as it can used by somebody else):
1. Get nk.bin.comp from FW file (ksx = cab) - I use WinRAR, but many arc programs can extract files from CAB.
2. Decompress nk.bin.comp by "bincompress.exe /d nk.bin.comp nk.bin".
3. Extract infiniiVisionCore.dll with Remaker for WinCE5.
4. Open dll in IDA and find asm code for patch - Sorry, but I don't explain how as it need to write lot info here.
5. With sync screens in HexView of IDA I look for patch hex code and for nearest area "signature" code also for find it in nk.bin (12..20 bytes for unique found result).
6. (As I lazy for remember bin structure I just to) Make DataTable with "viewbin.exe -d nk.bin > data.txt" - beware output file is very big - about 113 MB for 2.43.
7. Open nk.bin in Hex Editor and use "signature" code for find patch place (actually I use "find all" and if here is more than 1 result I try to expand "signature" for search).
8. Make patch in this place.
9. Open data.txt and find same "signature" - you found it in some Record [  ] block ([160] for 2.43). Here we need start Record signature for find it in Hex Editor, Record Length And Checksum (checksum is backwards in file as it LittleEndian code). Of course you can look for bin structure and make it more smart.
10. Find Record start signature - 4 bytes before start position is Checksum - compare it with data.txt (remember for back order). Here I bookmarked position.
11. Select block in editor with start on start Record position and Length from data.txt.
12. Calc checksum UByte8Bit.
13. Turn back to bookmark and correct checksum (4 bytes before start, and remember for back order).
14. Save as patched_nk.bin.
15. Compress it to nk.bin.comp by "bincompress.exe /c nk.bin nk.bin.comp".
16. Flash scope, but kill infiniiVision process before.
17. Reboot scope.

I attach all tools here

Thank you very much @Safar and @PhillyFlyers for your awesome work!   

I've went through the patch process myself according to your guide and got the same file (SHA1 hashed).

Flashed the ceimage1, adjusted the lnk-file and now it works on my DSOX2004A!   

Just in case someone is intrested my lnk-file for the DSOX2k :

Code: [Select]

88#infiniivisionLauncher.exe -l MSO -l BW20 -l DIS -l PLUS -l SCPIPS -l VID -l CABLE --perf
Based on the function names, which can be found in the .dll, those arguments should enable all options which currently work on the DSOX2k.