Author Topic: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?  (Read 1373413 times)


Online Bud

  • Super Contributor
  • ***
  • Posts: 7410
  • Country: ca
Connect to the serial port and capture the log while running Self-Cal; maybe you will find some clues in the log.
Facebook-free life and Rigol-free shack.
 
The following users thanked this post: Estaxe

Offline Estaxe

  • Contributor
  • Posts: 12
  • Country: pl
Understood, thank you!
 

Offline PioB

  • Regular Contributor
  • *
  • Posts: 107
  • Country: ch
Does someone have the firmware 7.50 for the 3000T as downloaded from keysight that they could share with me by any chance? ( 3000XSeriesT.7.50.2021102830.ksx )
Thank you very much in advance.

---

Thank you very much Boppeldibop!
« Last Edit: January 06, 2025, 01:44:14 pm by PioB »
 

Offline BillCRM

  • Contributor
  • Posts: 27
  • Country: cn
A more proper test of the 500MHz mod using a Tektronix CG5011 calibrator:
Rise time at about 600-640ps, which means about 550MHz bandwidth.
Still triggering at 1GHz time mark signal.
Amplitude and frequency measurements both accurate.
I'm very satisfied with this mod!
 

Offline PioB

  • Regular Contributor
  • *
  • Posts: 107
  • Country: ch
So I went over the thread, went back, went back some more and I have the general recipe for modifying the firmware figured out:

1 unzip ksx file (7zip, izarc https://www.izarc.org/, it's a cab )
2 copy nk.bin.comp to other directory
3 bincompress /D nk.bin.comp nk.bin_tobepatched

4 patch nk.bin_tobepatched

5 bincompress /C nk.bin_tobepatched nk.bin.comp
6 md5sum nk.bin.comp

7 modify install.xml

45c45
<               <file checksum="originalChecksum">nk.bin.comp</file>
---
>               <file checksum="newChecksumFromStep6">nk.bin.comp</file>
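Review bot: both checksum attributes in this hunk are placeholders, so it will not apply with `patch` as written; the `<` line has to carry the checksum that is actually present in the unmodified install.xml, and the `>` line the value md5sum prints for the repacked nk.bin.comp in step 6, otherwise the installer's own file check rejects the image.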
78a79,95
>                       <action>continue</action>
>               </onFailure>
>       </installStep>
>       <installStep>
>               <command>\windows\cmd.exe /c ren \Secure\Startup\infiniivision.lnk infiniivision.lnk.original</command>
>               <onFailure>
>                       <filePath>\usb\errorLog.txt</filePath>
>                       <message>No factory lnk to move away.</message>
>                       <action>continue</action>
>               </onFailure>
>       </installStep>
>       <installStep>
>               <command>\windows\cmd.exe /c copy \usb\infiniivision.lnk \Secure\Startup\infiniivision.lnk</command>
>               <onFailure>
>                       <filePath>\usb\errorLog.txt</filePath>
>                       <message>lnk copy from USB failed.</message>
>                       <!-- continue, without new valid link file -->
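Review bot: the failure path of the last added installStep is risky: by the time the copy from \usb\infiniivision.lnk fails, the previous step has already renamed \Secure\Startup\infiniivision.lnk away, and continuing at that point leaves the scope with no startup link at all. Copying the new file to a temporary name first and renaming only after the copy succeeded, or restoring infiniivision.lnk.original inside this onFailure block, would keep the unit bootable if the USB copy fails.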

8 repack directory to cab file with https://www.izarc.org/
9 rename cab to ksx
10 copy to memory stick
11 add infiniivision.lnk to root of memory stick with
90#"\Program Files\infiniiVision\infiniivisionLauncher.exe" -l D3000BDLA -l SCPIPS -l WAVEGEN

update firmware
Boom!

Now I still have to work out how to find the exact locations for the patch (and how to get the checksum).
A long time ago I got the version 7.50 for the 3000T, patched and there the locations are
Code:
0x0DD19FB 99 69 -> FE 67
0x127929F 04 00 A0 E1 -> 00 00 A0 A3
0x12F4C9B B4 F1 93 E5 -> 01 00 A0 E3

I tried my hardest to find over what "area" the checksum is taken, why exactly _this_ address needs to change from 04 to 00, and why the third edit is there.
Unfortunately, I haven't come across the "understanding" yet. I tried importing the file into Ghidra, but ARM v8 little endian 32 seems not to be the expected architecture; Ghidra complains a lot about there not being instructions, so even a hint on a correct set of parameters would help. Binwalk gave me a long list of "file consists of html headers, pictures, program code", and if I let it split up the file (of the unpatched and the patched 7.50), I found one file where the md5 differed and in there were the modifications, but I am not successful analyzing that file, either.

So some hint on how to understand step 4 would be appreciated, so I can pull it off on the newer firmware :)

Thank you very much everyone that put in the work! I
« Last Edit: January 07, 2025, 09:01:27 pm by PioB »
 
The following users thanked this post: BillCRM

Offline BillCRM

  • Contributor
  • Posts: 27
  • Country: cn
I think the final solution about hacking this might still be a licence generator, and I believe someone in China has already done this and made some money from it. So if there's a high-level hacker who could figure out how to generate the licence and make a piece of software, then there's no need to mod every firmware version.
 

Offline wp_wp

  • Regular Contributor
  • *
  • Posts: 68
  • Country: cn
V2.66
04 00 A0 E1 -> 00 00 A0 E3
F0 59 FF EB -> 01 00 A0 E3
checksum:
0x25EF95EF->0x25EF943E
 

Offline wp_wp

  • Regular Contributor
  • *
  • Posts: 68
  • Country: cn

Code:
0x0DD19FB 99 69 -> FE 67
0x127929F 04 00 A0 E1 -> 00 00 A0 A3
0x12F4C9B B4 F1 93 E5 -> 01 00 A0 E3

Actually, the 0x0DD19FB 99 69 -> FE 67 is 99 69 08 3F -> FE 67 08 3F; this is the Record[172] checksum.
You should focus on the change of infiniivisioncore.dll.
0x127929F 04 00 A0 E1 -> 00 00 A0 A3
0x12F4C9B B4 F1 93 E5 -> 01 00 A0 E3
These two changes actually are modifying the infiniivisioncore.dll.
 

Offline wp_wp

  • Regular Contributor
  • *
  • Posts: 68
  • Country: cn
For 3000T V7.65 Firmware nk.bin
04 00 A0 E1->00 00 A0 E3
B4 F1 93 E5->01 00 A0 E3
0A 96 34 3F->6F 94 34 3F
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 7410
  • Country: ca
Not much useful info without addresses.
Facebook-free life and Rigol-free shack.
 

Offline PioB

  • Regular Contributor
  • *
  • Posts: 107
  • Country: ch
I have something for 3000T, version 7.50, two diff files as proposed by Bud here: https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg5764693/#msg5764693

The version 7.50 is a bit older and used just as a test whether the md5sums of the individual files work out, and they seem to
$ md5sum nk.bin.comp 750_p/nk.bin.comp
3d064ba7f3f8352f44fbb0ba12d24bff *nk.bin.comp
3d064ba7f3f8352f44fbb0ba12d24bff *750_p/nk.bin.comp

$ md5sum install.xml 750_p/install.xml
93bda73729736e3416a65947d7075be2 *install.xml
93bda73729736e3416a65947d7075be2 *750_p/install.xml



Prerequisites: cygwin, bsdiff, bspatch
nk_bin_comp_3k_7_50diff.bz2: remove the extension .7z
oszicab.ddf.txt: remove the extension .txt
install_patch.txt use as is


Code:
/cygdrive/c/Windows/System32/expand 3000T.7.50.2021102830.ksx -F:* .
patch install.xml install_patch.txt
bspatch nk.bin.comp  nk.bin.compnew nk_bin_comp_3k_7_50diff.bz2
rm nk.bin.comp
mv nk.bin.compnew nk.bin.comp
/cygdrive/c/Windows/System32/makecab /F oszicab.ddf




I made the patches with
diff 750/install.xml 750_p/install.xml > install_patch.txt
and
bsdiff 750/nk.bin.comp 750_p/nk.bin.comp nk_bin_comp_3k_7_50diff.bz2

cabs expanded with:
/cygdrive/c/Windows/System32/expand 3000T.7.50.2021102830.ksx -F:* .

in 750/ I have the unmodified patches
in 750_p I have the patched version I got from a kind member back in '21

Hope that helps, size of total files is <8 kb


Unfortunately the above changes without addresses didn't work out:

V2.66
04 00 A0 E1 -> 00 00 A0 E3
F0 59 FF EB -> 01 00 A0 E3
checksum:
0x25EF95EF->0x25EF943E

Code:
40897 entries found: 04 00 A0 E1 -> 00 00 A0 E3
1 entry @ 0x00FED26B: F0 59 FF EB -> 01 00 A0 E3
checksum:
"0 entries found": 0x25EF95EF->0x25EF943E

For 3000T V7.65 Firmware nk.bin
04 00 A0 E1->00 00 A0 E3
B4 F1 93 E5->01 00 A0 E3
0A 96 34 3F->6F 94 34 3F

Code:
For 3000T V7.65 Firmware nk.bin
48705 entries found: 04 00 A0 E1->00 00 A0 E3
43 entries found: B4 F1 93 E5->01 00 A0 E3
0 entries found: 0A 96 34 3F->6F 94 34 3F
« Last Edit: January 13, 2025, 08:59:15 pm by PioB »
 
The following users thanked this post: Bud

Offline wp_wp

  • Regular Contributor
  • *
  • Posts: 68
  • Country: cn
V2.66
04 00 A0 E1 -> 00 00 A0 E3
F0 59 FF EB -> 01 00 A0 E3
checksum:
0x25EF95EF->0x25EF943E
Actually
EF 95 EF 25->3E 94 EF 25
 

Offline wp_wp

  • Regular Contributor
  • *
  • Posts: 68
  • Country: cn
For 3000T V7.65 Firmware nk.bin
04 00 A0 E1->00 00 A0 E3
B4 F1 93 E5->01 00 A0 E3
0A 96 34 3F->6F 94 34 3F
When I investigated the 3000T, I found that there is no need to do the first change.
So the modification should be easier.
« Last Edit: January 13, 2025, 02:57:32 pm by wp_wp »
 

Offline wp_wp

  • Regular Contributor
  • *
  • Posts: 68
  • Country: cn
Not much useful info without addresses.
Actually, for V2.66, there is no need to post the addresses.
« Last Edit: January 13, 2025, 03:08:52 pm by wp_wp »
 

Offline PioB

  • Regular Contributor
  • *
  • Posts: 107
  • Country: ch
V2.66
04 00 A0 E1 -> 00 00 A0 E3
F0 59 FF EB -> 01 00 A0 E3
checksum:
0x25EF95EF->0x25EF943E
Actually
EF 95 EF 25->3E 94 EF 25


Code:
40897 entries found: 04 00 A0 E1 -> 00 00 A0 E3
1 entry @ 0x00FED26B: F0 59 FF EB -> 01 00 A0 E3
checksum:
1 entry @ 0x00D42137 0x25EF95EF->0x25EF943E

So is the 04 00 A0 E1 -> 00 00 A0 E3 @ 0x00FC3A9B? (cf comparison in attached png?)

So, to understand better what I am looking for:
If I were to understand the file structure of the nk.bin better, would it be evident? What architecture do I need to tell Ghidra to load the file with? ARM v8 little endian 32 bit leads to "bad instructions, garbled mess".
If I search for "infiniivisioncore.dll" I find that string at 0x012A4126, which is after all the above addresses, so that doesn't seem to be the start of the file.
I admit, I am not yet that deep in my understanding of how the nk.bin is structured :-[
 

Offline msuthar

  • Contributor
  • Posts: 37
  • Country: in
For 2.66   ../dump/infiniivisioncore.dll   also asks for  ../dump/coredll.dll.
.text:40DB1000 ; Processor           : ARM
.text:40DB1000 ; ARM architecture: metaarm
.text:40DB1000 ; Target assembler: Generic assembler for ARM
.text:40DB1000 ; Byte sex            : Little endian


nk.bin uncompressed, opened in 010 Editor

Options Patch

00FC3A9B 04 change it to 00
00FC3A9C 00 change it to 00
00FC3A9D A0 change it to A0
00FC3A9E E1 change it to E3

Nag Patch (corrected address)

00FED26B 05 change it to 01   
00FED26C 59 change it to 00
00FED26D FF change it to A0
00FED26E EB change it to E3

Checksum Patch

in file data.txt
Original, unpatched:
Record [168] : Start = 0x81114000, Length = 0x005615C8, Chksum = 0x25EF95EF


Patched :
@Record [168] : Start = 0x81114000, Length = 0x005615C8, Chksum = 0x25EF943E

010 Editor: for nk.bin
Select > Select Range > Select Start [D42137]  Size [5615C8]
Tools > CheckSum > Checksum-UByte(8bit)

Chksum = 0x25EF943E is stored in reverse byte order in nk.bin; it is there just before the start of the data block of Record[168].


locations in nk.bin

00D42137 EF change it to 3E
00D42138 95 change it to 94
00D42139 EF change it to EF
00D4213A 25 change it to 25

73
« Last Edit: January 15, 2025, 03:18:19 pm by msuthar »
 
The following users thanked this post: analogRF, Sigi_cz

Offline PioB

  • Regular Contributor
  • *
  • Posts: 107
  • Country: ch
Hi MSuthar, thank you! I tried implementing all the info I had so far, but if I went with the info given above: the nag patch is at 0x00FED26B, you have written "0x00EFD26B"?

And are my cab options

;*** MAKECAB Directive file
.Set Cabinet=on
.Set Compress=on
.Set CabinetName1=2k_266_patched.ksx
.Set MaxDiskSize=CDROM

correct?
I tried to work through this yesterday and got a message saying that the update went wrong and the scope was booting off the standard firmware.

Little by little...
Thank you very much!
« Last Edit: January 15, 2025, 07:10:30 am by PioB »
 

Offline hk4sva@gmail.com

  • Newbie
  • Posts: 1
  • Country: co
    • https://www.qrz.com/db/HK4SVA
Hello and thank you very much for the help.
Could someone confirm where I can download the nk.bin files for the MSO-X 3014A, because the following LINK seems to be out of service?

Download firmware v2.35 from here:
https://cal.equipment/doc/HP_Agilent_Keysight/DSOX/

Thanks
 

Offline PioB

  • Regular Contributor
  • *
  • Posts: 107
  • Country: ch
There's a link on
https://salvagedcircuitry.com/2000a-nand-recovery.html with a bunch of firmwares:
https://salvagedcircuitry.com/docs/2000a-nand-recovery/2000a-3000a-firmware.zip

This website was tremendously helpful in getting started down the dsox rabbit hole 👍
 

Offline PioB

  • Regular Contributor
  • *
  • Posts: 107
  • Country: ch
Standing on the shoulders of giants.
Here's the diffs to patch the recipe.xml and the nk.bin.comp for the 2000 series.

Code:
/cygdrive/c/Windows/System32/expand 2000XSeries.02.66.20240123001.ksx -F:* .
patch recipe.xml 2k_266_recipe_patch.txt
mv nk_bin_comp_2k_266diff.bz2.7z  nk_bin_comp_2k_266diff.bz2
bspatch nk.bin.comp  nk.bin.compnew nk_bin_comp_2k_266diff.bz2
rm nk.bin.comp
mv nk.bin.compnew nk.bin.comp

make a cab file with CabPack 1.4, choose MSZIP. *
(Files to add, the same as were there in the first place:
recipe.xml
FPGA2000A.bin
FPGA3000A.bin
updateBootLoaders2.exe
cleanupFileSystem.exe
xloader_image.bin
u-boot_image.bin
pboot_rel.bin
p500_ddrdriver.bin
envVars.txt
auxInstallStep.exe
LGPL.COPYRIGHT.TXT
splashImage.png
nk.bin.comp
infiniiVisionSetup.cab
)

move .cab to .ksx

Add the .ksx and any of the infiniivision.lnk files to the root of the memory stick
eg
88#infiniivisionLauncher.exe -l MSO -l BW20 -l DIS -l PLUS -l SCPIPS -l VID -l CABLE --perf

enjoy

Thank you very much to everyone that helped me in understanding the mechanics (addresses and contents) of the patch.
The inner workings, I need to work my way through them as well, the _understanding_ of the file is still elusive. I hope at some point it'll fall into place. I'll probably be back with more questions on my way up the mountain, a sincere thank you very much! :)

*https://www.softpedia.com/get/File-managers/CabPack.shtml

« Last Edit: January 15, 2025, 08:45:30 pm by PioB »
 
The following users thanked this post: analogRF, Sigi_cz

Offline FrancescoChino

  • Newbie
  • Posts: 3
  • Country: it
    • https://www.eevblog.com/
Does anyone have the compiled driver for the SPEAr600 for Windows 10?

Thank you
 

Offline FrancescoChino

  • Newbie
  • Posts: 3
  • Country: it
    • https://www.eevblog.com/
Do you have the SPEAr600 driver compiled for Windows 10?

Thank you

Francesco
 

Offline onesystem

  • Regular Contributor
  • *
  • Posts: 74
  • Country: us
As per this amazing post, I am trying to use spearload to revive DSOX2024A.

Made some progress while waiting for a LAN adapter, which ended up making getting one redundant. ::) ....

Code:
$ spearload -t spear600 p500_ddrdriver.bin u-boot_image.bin
spearload: opening device...
spearload: sending DDR driver p500_ddrdriver.bin...
.
......
spearload: sending firmware u-boot_image.bin...
.
...

But in my case, when I run the spearload program, I get the following error:
Code:
C:\spearload>spearload -t spear600 p500_ddrdriver.bin u-boot_image.bin
spearload: read_file: p500_ddrdriver.bin: could not read: Invalid argument
spearload: could not read DDR driver file

So my question is: is there anyone here who would be so nice to share their working copy of spearload.exe program, for a Windows machine?

My oscilloscope is experiencing a corrupted file which causes it to reboot constantly, all the way after booting into running screen (see image).

I am sure there is more to handle after I load the u-boot, but it is not accessible - I only get into p-boot if I hold space bar on power-on.
 

Offline ShQ

  • Contributor
  • Posts: 12
  • Country: nl
  • nonplussed
That's a known bug with that version of spearload :palm: you can grab the updated one here and that should work properly! I've updated that original post now too to point to it, since you are not the first to run into this.
 
The following users thanked this post: onesystem

Offline onesystem

  • Regular Contributor
  • *
  • Posts: 74
  • Country: us
Thanks! I tried the pre-made .exe version and it was giving a usblib error, so I built one from source on my PC; the usblib error stopped, but this one is coming up:
Code:
C:\spearload>spearload -t spear600 p500_ddrdriver.bin u-boot_image.bin
spearload: opening device...
spearload: st_find: could not find suitable USB device for VID = 0483, PID = 7261
spearload: device not found, is it powered on and in recovery?

I checked my computer settings and it does list the usb device with VID = 0483, PID = 7261. Is there something else I need to do? - I tried every USB port, and made sure nothing else is plugged in.
 

