Author Topic: DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?  (Read 763765 times)


Online Wiljan

  • Regular Contributor
  • *
  • Posts: 150
  • Country: dk
Thx kilobyte, you are right the login / pass needs to be typed twice  :)
So now I have access to the prompt

Pocket CMD v 6.00
\> dir

    Directory of \

01/01/98  12:00p    <DIR>                    Network
01/26/16  01:27a    <DIR>                    Application Data
01/26/16  01:27a    <DIR>                    profiles
01/26/16  01:27a    <DIR>                    Documents and Settings
01/26/16  01:27a                          23 Control Panel.lnk
01/26/16  01:27a    <DIR>                    My Documents
01/26/16  01:27a    <DIR>                    Program Files
01/26/16  01:27a    <DIR>                    Temp
01/26/16  01:27a    <DIR>                    Windows

    Found 9 file(s). Total size 23 bytes.
    1 Dir(s) 15499264 bytes free


I can kill infiniivisionLauncher and start it again ...
processMgr.exe kill infiniivisionLauncher.exe
infiniiVisionLauncher -l All

When the soft restarts I still only have the few original options

I also tried FTP standard port as well and it only gives access to 2 folders called webdata and webupdate ... both empty

Any idea how to move on from here?

 
The following users thanked this post: Andrew

Online Wiljan

  • Regular Contributor
  • *
  • Posts: 150
  • Country: dk
Ok... got a bit further  8)

So basically the scope does have FW2.41 installed

I have a USB stick with the modified FW2.37

From telnet
\windows> cd \usb
\usb> cd infiniiVision
\usb\infiniiVision> processMgr.exe kill infiniivisionLauncher.exe
\usb\infiniiVision> infiniiVisionLauncher -l All
Our command line is -l All
*** Installing License: All Licenses

 
The following users thanked this post: Andrew

Online trevwhite

  • Frequent Contributor
  • **
  • Posts: 847
  • Country: gb
Wiljan, can I just confirm that over Telnet with FW 2.41 you are able to enable all licenses? You have to telnet and do the procedure each time you power up but it does work?
 
The following users thanked this post: Andrew

Online Wiljan

  • Regular Contributor
  • *
  • Posts: 150
  • Country: dk
Quote
Wiljan, can I just confirm that over Telnet with FW 2.41 you are able to enable all licenses? You have to telnet and do the procedure each time you power up but it does work?

Yes I have FW2.41 flashed in scope and a USB stick with FW2.37 modified.
I have to Telnet into the scope and run the FW2.37 from USB each time if I want all licenses enabled.

 
The following users thanked this post: Andrew

Online trevwhite

  • Frequent Contributor
  • **
  • Posts: 847
  • Country: gb
That is awesome!
 
The following users thanked this post: Andrew

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1914
  • Country: fr
Awesome indeed, might have to bump up the price of that MSO-X-3054 I've got posted for sale now!
 
The following users thanked this post: Andrew

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5070
  • Country: gb
Quote
Ok... got a bit further  8)

So basically the scope does have FW2.41 installed

I have a USB stick with the modified FW2.37

From telnet
\windows> cd \usb
\usb> cd infiniiVision
\usb\infiniiVision> processMgr.exe kill infiniivisionLauncher.exe
\usb\infiniiVision> infiniiVisionLauncher -l All
Our command line is -l All
*** Installing License: All Licenses

I have a 2.41 scope too, and I took your directions and wrapped it up into a VBScript to do this automatically. Note: I am NOT a VBScript programmer, in fact it's a technology that I've spent a good deal of my career avoiding, mostly but not always successfully. However, if you want to script up a nasty macro key pusher to an async telnet interface, sometimes needs must.

First, I formatted a USB stick as exFAT and copied the contents of the zip file in this post https://www.eevblog.com/forum/testgear/dsox2000-and-3000-series-licence-have-anyone-tried-to-hack-that-scope/msg535755/#msg535755

I renamed the infiniivisionStartupOverride.txt file on the root of the usb stick with .old on the extension so the scope doesn't just loop at bootup, and I can just leave the USB stick permanently plugged in.

You will need to make sure Windows has its Telnet client installed, you do this from Control Panel -> Programs -> Programs and Features -> Turn Windows features on or off, and select the Telnet client.

Copy the attached file to your computer and remove the .txt extension.

You can run the x3000a.vbs directly from the command line or make up a shortcut, but either way you need to specify on the command line the IP address or hostname of the scope, for example

Code: [Select]
x3000a.vbs a-mx3054a-12345

or

Code: [Select]
x3000a.vbs 192.168.50.123

Note that because it's a dumb key pusher, it has limitations. Firstly you might need to alter the delays for your particular PC, and secondly if you change focus to a different app or window, it'll start pumping in characters into that window rather than the telnet session, so I'd let it do its stuff until someone better than me can come up with something better. You could also significantly reduce the "WScript.Sleep 45000", but I left it like that because there is some useful feedback to the end user.
 
The following users thanked this post: Andrew

Online trevwhite

  • Frequent Contributor
  • **
  • Posts: 847
  • Country: gb
Great work, thanks for this script.
 
The following users thanked this post: Andrew

Online Wiljan

  • Regular Contributor
  • *
  • Posts: 150
  • Country: dk
Thx Howardlong, script works here as well  :) I made a small bat file with the IP address included

I have been thinking when having 2.41 on scope and loaded 2.37 from usb stick.
If it would be safe to flash the 2.37 (and if that not possible since it's already loaded then take the FW2.35) first and then 2.37 ?
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se
Quote
Ok... got a bit further  8)

So basically the scope does have FW2.41 installed

I have a USB stick with the modified FW2.37

From telnet
\windows> cd \usb
\usb> cd infiniiVision
\usb\infiniiVision> processMgr.exe kill infiniivisionLauncher.exe
\usb\infiniiVision> infiniiVisionLauncher -l All
Our command line is -l All
*** Installing License: All Licenses

This can be easily ported to Python and RPi2 platform which can be powered from scope itself. And run on startup or by Cron.
 
The following users thanked this post: Andrew

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5070
  • Country: gb
Indeed, this morning I finally found a use for one of my original RPis that's been stuck in a drawer.

It all sits in the probe compartment and runs automatically at scope boot up.

The RPi is powered from a hub that's connected to the rear USB port. This hub also has the USB stick with the 2.37 code.

I wrote an "expect" script (attached) and added it to the rc.local so it runs on boot up.

Quick setup

Install Raspbian Jessie
sudo apt-get install telnet
sudo apt-get install expect

Place the attached x3000a.txt script in your /home/pi directory, and rename it to x3000a.

To run it immediately from your /home/pi directory, run the following (setting your scope's IP address or host name as appropriate):

  expect x3000a 192.168.50.123

Next steps (running automatically at power up)

Power your RPi from one of the USB ports so it powers up and boots when the scope initially boots.

Raspberry pi configuration changes in GUI:
   set to cli only (Note that you can always go back into the gui with startx from the command line)
   wait for network

I recommend using a static IP address on the RPi and the scope so this will work without a DHCP server if you're off your LAN (a straight through CAT5 patch cable between Pi and scope works in this case). It looks like some well meaning individual chose to change how static addresses are set up in RPi, rendering hundreds of pages on the subject obsolete. It's now in /etc/dhcpcd.conf.

Add to the bottom of /etc/dhcpcd.conf file your Pi's static IP address details:

   interface eth0
   static ip_address=192.168.50.123/24
   static routers=192.168.50.1
   static domain_name_servers=192.168.50.1

To make it work automatically at boot* add the following to your /etc/rc.local file before the "exit 0", setting the IP address to your scope's, and note the "&" on the end, it is not a typo!

  /usr/bin/expect /home/pi/x3000a 192.168.50.123 &

*I strongly recommend getting it to work from the command line first with a monitor before setting it up to work "headless" at boot time in case some of the timings don't work out for you.

One caveat: remove any USB stick in the front before boot, that appears as \usb with the rear one \usb2.

Edit: added some clarifications and one correction to a typo on the static IP address config.
« Last Edit: January 31, 2016, 11:59:35 am by Howardlong »
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se
Quote
Indeed, this morning I finally found a use for one of my original RPis that's been stuck in a drawer.

It all sits in the probe compartment and runs automatically at scope boot up.

The RPi is powered from a hub that's connected to the rear USB port. This hub also has the USB stick with the 2.37 code.

I wrote an "expect" script (attached) and added it to the rc.local so it runs on boot up.

In brief:

Install Raspbian Jessie
sudo apt-get install telnet
sudo apt-get install expect

Raspberry pi configuration in GUI (Note that you can always go back into the gui with startx from the command line)
   set to cli only
   wait for network

Place the attached x3000a.txt script in your /home/pi directory, and rename it to x3000a.

I recommend using a static IP address on the RPi and the scope so this will work without a DHCP server if you're off your LAN. It looks like some well meaning individual chose to change how static addresses are set up in RPi, rendering hundreds of pages on the subject obsolete. It's now in /etc/dhcpcd.conf

   add to the bottom of /etc/dhcpcd.conf file

   interface wlan0
   static ip_address=192.168.50.123/24
   static routers=192.168.50.1
   static domain_name_servers=192.168.50.1

To make it work at boot, add the following to your /etc/rc.local file before the "exit 0", setting the IP address to your scope's:

  /usr/bin/expect /home/pi/x3000a 192.168.50.123 &

One caveat: remove any USB stick in the front before boot, that appears as \usb with the rear one \usb2.

You are pretty fast, well done!!  :-+
 
The following users thanked this post: Andrew

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5070
  • Country: gb
Edit: the following only applies if your scope already has 2.41 installed.

Interestingly, the telnet kill-and-launch-from-USB method works with a USB key made with the current 2.41 3000XSeries.02.41.2015102200.cab firmware directly downloaded from Keysight extracted with the Python script too.

But, with 2.41, there is apparently no need to add any additional files to the USB root, patch a dll, or change any .lnk file.

In short, copy just the infiniiVision directory generated by the dosetup.py script to the USB root.

dosetup.py is in the agilent.zip attachment in this post.

Here are modified instructions to prepare a clean FAT32 formatted USB stick (my modifications in bold italics), and assumes that you have Python 2.7 installed in the default C:\Python27 in Windows.

* extract Agilent .cab firmware with your favorite program (I used 7zip)
* extract infiniiVisionSetup.cab file : you have now an infiniiVisionSetup folder
* chdir to infiniivisionSetup  folder, copy dosetup.py to this folder
* c:\Python27\python dosetup.py (linux users should change \ by / in _setup.xml file !!!)
* then chdir to Secure/infiniiVision
* copy all the infiniiVision and Startup directories directory to an USB key (ie, there should be a single infiniiVision directory on the root of the USB key with a bunch of files and directories within it)

To run:

  • Insert only the prepared USB stick, remove any other sticks
  • Boot the scope up as normal, connected to your LAN
  • Run either the Linux escape script here or for Windows the vbscript here.

Notes:

  • You get a "WARNING: Unfinalized Software" in red on the splash screen when it's loading from the USB stick.
  • "System concerns detected: OS version is not correct. Please reload system firmware." once booted can be ignored.
  • It appears that settings get lost on starting, and it's reset back to defaults, although you can still load up stored setups.
  • For 2.39, it looks like you still need to use a hacked dll, but not for 2.41.
  • Boot time to the native 2.41 is 40s, and a further 18s is needed to start the liberated 2.41: it is much longer for older versions as they boot the large DLL from USB rather than flash
« Last Edit: February 01, 2016, 06:02:28 pm by Howardlong »
 
The following users thanked this post: Andrew

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5070
  • Country: gb
Quote
Thx Howardlong, script works here as well  :) I made a small bat file with the IP address included

I have been thinking when having 2.41 on scope and loaded 2.37 from usb stick.
If it would be safe to flash the 2.37 (and if that not possible since it's already loaded then take the FW2.35) first and then 2.37 ?

I haven't figured out how to downgrade a 2.41 scope's flash, it doesn't seem to like it from USB stick or via the web interface as far as I can see, operator error excepted of course!
 
The following users thanked this post: Andrew

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5070
  • Country: gb
This has turned out to be even easier than I thought on a 2.41 scope, you don't even need a USB stick, just a telnet connection.

A VBscript "x3000aV2.vbs.txt" is attached. Remove the ".txt" from the file name. Set up a shortcut to x3000aV2.vbs with the IP address or hostname of your scope as the first parameter. You will need Windows' Telnet client installed (in Windows Features).

It turns out that the \secure folder is still there but hidden, the script runs the following from telnet:

Code: [Select]
cd \secure\infiniivision
processmgr kill infiniivisionlauncher.exe
infiniivisionlauncher -l all


 
The following users thanked this post: Andrew
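
Seen from the lab network's side, telnet is cleartext, so the command sequence in the post above is visible to anything that records the session. The following is an added example, not part of the thread or any poster's script: it scans a reassembled session transcript for a launcher kill followed by a relaunch with `-l` arguments. The function name `scan_session` and the sample transcripts are assumptions, constructed from the sessions quoted in this thread.

```python
import re
from typing import NamedTuple

# Case-insensitive: the thread shows the same commands in mixed and lower case.
PROMPT = re.compile(r"^(\\[^>]*)>\s*(.*)$")  # e.g. \usb\infiniiVision> <command>
CD = re.compile(r"^cd\s+(\S+)$", re.I)
KILL = re.compile(r"^processmgr(\.exe)?\s+kill\s+infiniivisionlauncher(\.exe)?$", re.I)
LAUNCH = re.compile(r"^infiniivisionlauncher(\.exe)?(\s+.*)?$", re.I)
LICENSE_ARG = re.compile(r"(?:^|\s)-l\s+(\S+)", re.I)


class Finding(NamedTuple):
    line_no: int            # 1-based line of the relaunch command
    cwd: str                # directory the launcher was started from (lower-cased)
    licenses: tuple         # every value passed with -l
    removable_media: bool   # True when started from a \usb* path


def scan_session(lines):
    """Flag a launcher relaunch carrying -l arguments that follows a launcher kill."""
    findings, cwd, killed = [], "\\", False
    for no, raw in enumerate(lines, start=1):
        text = raw.strip()
        prompt = PROMPT.match(text)
        if prompt:  # an echoed prompt tells us the directory directly
            cwd, text = prompt.group(1), prompt.group(2).strip()
        cd = CD.match(text)
        if cd:      # without echoed prompts, follow cd commands instead
            target = cd.group(1)
            cwd = target if target.startswith("\\") else cwd.rstrip("\\") + "\\" + target
        elif KILL.match(text):
            killed = True
        elif killed and (launch := LAUNCH.match(text)):
            args = launch.group(2) or ""
            licenses = tuple(a.lower() for a in LICENSE_ARG.findall(args))
            if licenses:
                low = cwd.lower()
                findings.append(Finding(no, low, licenses, low.startswith("\\usb")))
            killed = False  # a plain restart without -l is not reported
    return findings


# Constructed transcripts, modelled on the sessions quoted in the thread.
SESSION_USB = [
    r"\windows> cd \usb",
    r"\usb> cd infiniiVision",
    r"\usb\infiniiVision> processMgr.exe kill infiniivisionLauncher.exe",
    r"\usb\infiniiVision> infiniiVisionLauncher -l All",
    "Our command line is -l All",
    "*** Installing License: All Licenses",
]
SESSION_SECURE = [  # scripted input with no echoed prompts
    r"cd \secure\infiniivision",
    "processmgr kill infiniivisionlauncher.exe",
    "infiniivisionlauncher -l all -l bw50",
]
SESSION_BENIGN = [
    r"\> dir",
    r"\windows> processMgr.exe kill infiniivisionLauncher.exe",
    r"\windows> infiniiVisionLauncher",
]

if __name__ == "__main__":
    for name, s in [("usb", SESSION_USB), ("secure", SESSION_SECURE), ("benign", SESSION_BENIGN)]:
        print(name, scan_session(s))
```
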

Online Mark

  • Regular Contributor
  • *
  • Posts: 223
  • Country: gb
Thanks for your hard work Howard!  I have one possibly stupid question, is this all possible without a DSOXLAN or home-made equivalent? 
 
The following users thanked this post: Andrew

Offline plesa

  • Frequent Contributor
  • **
  • Posts: 965
  • Country: se
Quote
Thanks for your hard work Howard!  I have one possibly stupid question, is this all possible without a DSOXLAN or home-made equivalent?

No, because you cannot connect to telnet over USB :( Homemade DSOXLAN adapter will work.
 
The following users thanked this post: Andrew

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5070
  • Country: gb
Quote
Thanks for your hard work Howard!  I have one possibly stupid question, is this all possible without a DSOXLAN or home-made equivalent?

I don't know what's available on the board itself other than a serial line that I am sure will work with u-boot. Whether it offers a serial terminal in Windows CE, I don't know, but Windows isn't Linux so I wouldn't be at all surprised if that's not available. The last time I did anything seriously with Windows CE was about 1997 when it first came out! I do have two Windows CE 6.0 dev boards here gathering dust, if I get chance I'll try to blow off the cobwebs.
 
The following users thanked this post: Andrew

Offline chromex

  • Contributor
  • Posts: 13
  • Country: ca
Do these hacks work on the DSOX3000T series?
No

Did someone manage to make these hacks work on the DSOX3000T series now?  ::)
 
The following users thanked this post: Andrew

Online trevwhite

  • Frequent Contributor
  • **
  • Posts: 847
  • Country: gb
I followed the instructions HowardLong put up using the Lan connector and the VB script. Interestingly my scope is a 3024A but when I did the -l all option it downgraded me to 100MHz. I had to change the command to "-l BW20 l-all"

This then worked. When I reboot after the script the network card needs its configuration reset to auto as all the options are lost. Within a few seconds though all is back up again.

Regarding the DIY Lan card. After reading through this thread I picked up the bit about the DIY lan cards and found the difference between the center tap configurations. My original card had a 1uF connected to ground and was rebooting the scope. It seems the more successful versions have the 10R and 1nF circuit connected to the center tap. I modded my card to that configuration and the card does work but I get the message indicating the card is faulty upon boot. My wiring is the same as georges80's circuit but maybe it's because it's a 3000 series and not the 2000? Has anyone got a 3000 series scope working with a diy lan card and do not get the error message?


« Last Edit: February 04, 2016, 01:56:00 pm by trevwhite »
 
The following users thanked this post: Andrew

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5070
  • Country: gb
Quote
I followed the instructions HowardLong put up using the Lan connector and the VB script. Interestingly my scope is a 3024A but when I did the -l all option it downgraded me to 100MHz. I had to change the command to "-l BW20 l-all"

This then worked. When I reboot after the script the network card needs its configuration reset to auto as all the options are lost. Within a few seconds though all is back up again.


Doh! Schoolboy error, sorry. My 3054A dropped to 350MHz. "-l bw50" added after the "-l all" fixed it. Sorry for missing that.
 
The following users thanked this post: Andrew

Online trevwhite

  • Frequent Contributor
  • **
  • Posts: 847
  • Country: gb
What you created is fantastic, thank you.

Howard, did you buy the proper LAN adapter? Does the scope forget its network setting when you execute the script?

 
The following users thanked this post: Andrew

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5070
  • Country: gb
Quote
What you created is fantastic, thank you.

I merely follow in the footsteps of giants. Almost all of the work was already done.

Quote
Howard, did you buy the proper LAN adapter? Does the scope forget its network setting when you execute the script?

I do have a proper Keysight DSOXLAN. I don't know where it's getting the LAN data from, it's showing nonsense but I can still telnet into the address I originally set up in the standard boot. It prints too, so I guess there's something else going on which is cosmetic only as far as I can see, but stand to be corrected.

I have a CE 6.0 dev environment up now, and an ARM demo board running it which it doesn't matter if I brick, I can always bring that back to life. I can create my own .exe's that run fine on the scope, in console mode at any rate. To their credit Agilent/Keysight threw out the standard Windows UI and copied pretty faithfully their awesome UI from their previous vxWorks scopes, so I'm not even sure yet if they use the Windows GDI, the consistent API that sits between programmer and graphics device.

The problem of the IP address and the way the scope starts up in default mode I feel may be related, perhaps it's simple and just needs to be started in a particular directory to pick up the settings, I don't know.
« Last Edit: February 04, 2016, 10:41:19 pm by Howardlong »
 
The following users thanked this post: Andrew

Online trevwhite

  • Frequent Contributor
  • **
  • Posts: 847
  • Country: gb
Okay, I think I have gotten to the bottom of the DIY Lan cards.

From reading back through this thread ( again ) I noticed that some people who did not see the error message regarding the LAN card were running hacked software.

I find that after I did the mod to correct the centre tap of the transformers and shorted pins 78/80 my lan card works perfectly but I get the error message on first boot for firmware 2.41 ( unhacked ). But when I run Howard's script, the scope reboots with all licenses and does not display the error.

So I think the error is software related and not hardware. Not sure if anyone else can prove this but I feel comfortable the LAN card is working fine on 3000x scopes
 
The following users thanked this post: Andrew

Offline ECEdesign

  • Regular Contributor
  • *
  • Posts: 173
  • Country: us
What would be the best firmware version to upgrade a DSOx2000 scope with current firmware version 1.21.2011072803?  The only firmware on Keysight's page is 2.41 and that firmware does not seem to be hack-able.
 
The following users thanked this post: Andrew

