Of course, the contents of that EEPROM are subject to copyright law, so... >:D
Of course, the contents of that EEPROM are subject to copyright law, so... >:D
really? all one need are these strings, in cleartext: "DPO2COMP", "DPO2AUTO" "DPO2EMBD".
I doubt that Tektronix have copyright on these 3 words.
The original site has been taken down too now, but of course it is still here:
http://web.archive.org/web/20140729081735/https://sites.google.com/site/blinkyoontz/hacktek (http://web.archive.org/web/20140729081735/https://sites.google.com/site/blinkyoontz/hacktek)
After scraping the internet (and Google Translate) for information about this scope, I was able to produce my own Application Modules. It was a whole lot easier than I expected it to be.
So the info is likely widely available for over 12 years already, Tek uses the same stupid technique in their new scopes and wonders that it gets hacked? I think they should lose any lawsuit resulting from this simply based on the fact that the measure doesn't satisfy the "effectiveness" criteria in DMCA. :palm:
Funny thing. I downloaded the files last night because I anticipated this. I don't even have the scope.
Funny thing. I downloaded the files last night because I anticipated this. I don't even have the scope.
Then again , if i post a picture of my house key on the internet and someone files a blank in that shape that does not give him the right to get into my house with it and make off with a bunch of stuff. However .. the judge may throw it out because i did not use caution protecting my key. leaving stuff in plain sight in a car .. don't cry if it gets burglarized. you could actually get sued because you are enticing ...As stories go...
<assuming I'd bought this scope>
Second : you do not have a licence to use that software, even if it came pre-installed
<assuming I'd bought this scope>
Second : you do not have a licence to use that software, even if it came pre-installed
Unlike most PC software, where there is a license agreement shown at install,
I did not agree to any terms that stated I needed a license to use the software.
Nowhere did it explicitly say I was not allowed to use it.
Therefore I do not need a license. If I can make it work, I can use it.
If, for example, there was extra memory fitted that could be enabled by removing a jumper, I don't think anyone could argue that doing so, or telling others how to, was in any way wrong.
It's a scope, not a general purpose computer. The fact that certain functions are implemented in software is irrelevant.
from the mdo2000 users manual page 4 :
"Copyright © Tektronix. All rights reserved. Licensed software products are owned by Tektronix or its subsidiaries or suppliers, and are
protected by national copyright laws and international treaty provisions.
Tektronix products are covered by U.S. and foreign patents, issued and pending. Information in this publication supersedes that in all
previously published material. Speci?cations and price change privileges reserved."
No way would a statement like that in a user manual hold up legally - not worth the paper it's printed on.<assuming I'd bought this scope>
Second : you do not have a licence to use that software, even if it came pre-installed
Unlike most PC software, where there is a license agreement shown at install,
I did not agree to any terms that stated I needed a license to use the software.
Nowhere did it explicitly say I was not allowed to use it.
Therefore I do not need a license. If I can make it work, I can use it.
If, for example, there was extra memory fitted that could be enabled by removing a jumper, I don't think anyone could argue that doing so, or telling others how to, was in any way wrong.
It's a scope, not a general purpose computer. The fact that certain functions are implemented in software is irrelevant.
you may want to read the users manual of the machine... i'm willing to bet there is a software licencing agreement in it in the terms of 'if you power it up , you agree to it ...' and 'you will not reverse engineer , yadda yadda ...'
from the mdo2000 users manual page 4 :So nothing about any restriction on use then.
"Copyright © Tektronix. All rights reserved. Licensed software products are owned by Tektronix or its subsidiaries or suppliers, and are
protected by national copyright laws and international treaty provisions.
Tektronix products are covered by U.S. and foreign patents, issued and pending. Information in this publication supersedes that in all
previously published material. Speci?cations and price change privileges reserved."
from the mdo2000 users manual page 4 :So nothing about any restriction on use then.
"Copyright © Tektronix. All rights reserved. Licensed software products are owned by Tektronix or its subsidiaries or suppliers, and are
protected by national copyright laws and international treaty provisions.
Tektronix products are covered by U.S. and foreign patents, issued and pending. Information in this publication supersedes that in all
previously published material. Speci?cations and price change privileges reserved."
I believe that a Judge (Europe) had ruled that hacking is allowed as long as the hacker doesn't make money (sell compatible Tek modules eg) or the company doesn't loose money. I think it was for software. I will try to find the details.
Alexander.
Careful, there is no "Europe" in the sense of legal system or jurisdiction. EU has 28 member countries and 28 different legal systems. There are some EU directives that have to be implemented by the member states (like the recent "right to be forgotten" rule or RoHS), but the actual implementation is up to the member states and will be different in every country, depending on how the rule is transcribed into the local law.
So be very very careful about these statements - what may hold in one EU state may not be the case in another. E.g. UK is a common law country whereas the rest of EU is civil law. Rulings in Germany will not apply to cases in the UK and vice versa. So sweeping statements about shrinkwrap licenses being unenforceable or "hacking" for no commercial gain being legal could get someone in trouble if they don't check their local laws.
While generally true, the EU laws that the member countries must implement have the advantage that they can be fought for in an EU court if a country did not properly implement it. Also, the consumer protection laws about issues like shrink-wrap stuff (basically an unfair contract) and hacking for private purposes are rather old, so that by now there has been plenty of time for the countries to implement it. Keep in mind that a failure to implement EU directed laws in a timely and sufficient manner can (and usually will) the have EU to impose sanctions against such a country. Just for that reason alone they are often implemented in local law, simply to avoid consequences.
Greetings,
Chris
If you haven't noticed yet, Tektronix has sent a DMCA take-down notice to Hackaday because they posted an article about hacking MSO2000's application modules. You can read the story at https://www.techdirt.com/articles/20140806/07155928127/tektronix-uses-dmca-notice-to-try-to-stop-oscilliscope-hacking.shtml (https://www.techdirt.com/articles/20140806/07155928127/tektronix-uses-dmca-notice-to-try-to-stop-oscilliscope-hacking.shtml) (includes the links to the post and the notice).
just like you having a dvd with the windows install files does not entitle you to use that software. you need the key.In the EU: if you have the disk then you have a valid license.
If you haven't noticed yet, Tektronix has sent a DMCA take-down notice to Hackaday because they posted an article about hacking MSO2000's application modules. You can read the story at https://www.techdirt.com/articles/20140806/07155928127/tektronix-uses-dmca-notice-to-try-to-stop-oscilliscope-hacking.shtml (https://www.techdirt.com/articles/20140806/07155928127/tektronix-uses-dmca-notice-to-try-to-stop-oscilliscope-hacking.shtml) (includes the links to the post and the notice).
Yes, reply #4 on the first page of this thread :-+
It's simple data in an (e)eprom, not even particularly complex data either. The hardest part of the hack is to make the eprom talk to the scope.where is no hard part. I made that module without going to shop, some foam, eeprom from old TV, and sim holder from siemens c25. After that only simple programming is needed to load data to eeprom. Also if you have original app module, you simply can put second eeprom on top of original, and program it with new code. but you have to disconnect address pins, and set them manually, and i2c line will be shared between two eeproms.
Dear Tektronix,
Because of your legal goons' blatant misuse of Section 1201 (http://www.law.cornell.edu/uscode/text/17/1201)* of the DMCA to bully hobbyists and Hackaday, I will no longer purchase or recommend your test equipment to potential customers.
*Section 1201 most certainly does -not- apply to the material Hackaday discussed. cf. Lexmark v. Static Control (https://www.eff.org/cases/lexmark-v-static-control-case-archive) Lexmark International, Inc. v. Static Control Components, Inc. (http://www.scotusblog.com/case-files/cases/lexmark-international-inc-v-static-control-components-inc/)
you simply can put second eeprom on top of original, and program it with new code.not even needed. if you buy a quad size one the pages sit on consecutive i2c addresses...
I don't think this would work. Also, with MSO2024B, oscilloscope will read EEPROM only two times, but where is 3 functions to unlock.
not even needed. if you buy a quad size one the pages sit on consecutive i2c addresses...
essentially a 24c16 is eight 24c02's on consecutive addresses.
simply program the strings on the page offsets. probably will work perfectly fine.
there is a page addressing change once you hit the 24c32
After speaking with one of my clients, I'm expanding my boycott to all test gear and tools made by companies currently owned (http://www.danaher.com/business-directory/our-businesses) by Danaher.
A bit of an overreaction perhaps....
True but the fact is that everyone does it nowadays. Tek, Agilent, Flir, Rigol....A bit of an overreaction perhaps....
Au contraire...
Tektronix has no right to tell people what they can or cannot do with something
2. Tek have seen the sales wins achieved by HP and Rigol etc. as the result of their hacks. They don't need the upgrade sales to pay for the features, because they're making a healthy profit selling an unenhanced model and don't need the high-end buyers to subsidise it. And they want some of the action, so after making it an easy mod and seeing it get reported, they're out to make the most of it by harnessing Streisand-effect publicity.
My money's on 2.
Except that by slapping publicly a site like Hackaday with DMCA notice is not going to bring you a lot of good will among their audience - exactly the people who would be buying the hackable gear otherwise. The Joe Littleguy is a lot more susceptible to going all gaga over crap like this and taking their dollars elsewhere than a big corp that is buying 100 of those scopes for their labs.
So yeah, they will get publicity, but probably not the one they hoped for ...
So, did anybody tried this hack?
I have order the boards, the sim card holder and the memory. Soldered everything. Programmed the memory with the PICkit2.
check that the eeprom is programmed correctly. plug in the module (another small PCB taped to have the right width).
Aaaaand it doesn't work.
Maybe I haven't checked carefully enough if the module makes contact with the scope.
or maybe because I have Firmware version v1.52 PP3 15-Aug-12.
or what other?
Would be nice to hear that someone tried it and it works. . .
DPO2EMBD Embedded Serial Triggering and Analysis
DPO2AUTO Automotive Serial Triggering and Analysis
DPO2COMP Computer Serial Triggering and Analysis
DPO2AUTOMAX Extended Auto Serial Triggering and Analysis
DPO2VID Extended Video
DPO2AUDIO Audio Serial Triggering and Analysi
DPO2PWR Power Analysis
DPO2BTA Beta Enabled
Reading starts at address 04, find the string (terminated with 0) and reads 3 more bytes at FF (thus, ending on a 16 bytes boundary). If the scope reads garbage (or 0xFF), it will say it needs a software update, since value in the key isn't recognized (but supposed to be valid).
All 0xFF, as in an erased eeprom.
I really would like to find someone who has a 2024 and could connect linux console and capture the messages.
Should I send some char to trigger the boot log start?No.
I found this https://github.com/dmitrodem/tek_softhack, and install the modified firmware in my DPO2012B and all modules was unlocked, but i have an issue, without the modified firmware autoset take 2-3 seconds to work with 1M point record, with the modified firmware it takes about 5 and a half second, any one with hardware module can check this. Same for math functions, and i dont know if affect the decode of buses. Can someone confirm, i can share my update image.
Enviado desde mi XT1563 mediante Tapatalk
Does anyone have any info on doing this for a MSO3000b series? I know it is encrypted because it talks about loading keys in the manual. I really want to unlock it to 500mhz but this is the closest info I have found.
Ok, I was under the impression that he hadn't done anything with them.
I'll take a look at the firmware file and see what I can do after I program the eeprom and get that working. Thanks!
U-Boot 1.1.4 (Oct 29 2008 - 14:14:00) Tektronix, Inc. V1.01
CPU: MPC870ZPnn at 133.333 MHz: 8 kB I-Cache 8 kB D-Cache FEC present
Board: Tektronix Fusion MPC870 Main Board
Version: 4 (QUAL) 4 channel MSO
Tek0001A ChipId: 0x1400c
Tek0001A SubBlocksId: 0x0
Tek0001B ChipId: 0x1400c
Tek0001B SubBlocksId: 0x0
CPLD Version: 0x11
I2C: ready
DRAM: 64 MB
FLASH: 32 MB
In: serial
Out: serial
Err: serial
Net: FEC ETHERNET
Enter password - autobooting in 3 seconds
## Booting image at efec0000 ...
Image Name: Linux-2.4.20_mvl31-885ads
Image Type: PowerPC Linux Multi-File Image (gzip compressed)
Data Size: 1278107 Bytes = 1.2 MB
Load Address: 00000000
Entry Point: 00000000
Contents:
Image 0: 868895 Bytes = 848.5 kB
Image 1: 409199 Bytes = 399.6 kB
Verifying Checksum ... OK
Uncompressing Multi-File Image ... OK
cmdline is console=ttyS0,115200 quiet bigphysarea=10570 panic=2 root=/dev/mtdblock4 rw mem=175190k NO_option_board
Loading Ramdisk to 03e3a000, end 03e9de6f ... OK
No option module board found
Checking for firmware update...
No USB mass storage devices found to update from.
Linux 2.4.20_mvl31-885ads V 1.06 Tektronix Fusion Tue Apr 26 14:44:49 PDT 2011
Warning: loading NiDKEng-1.6 will taint the kernel: non-GPL license - Proprietary
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Warning: loading NiDUsb-1.6 will taint the kernel: non-GPL license - Proprietary
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Warning: loading tek will taint the kernel: non-GPL license - Proprietary
See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Scope application starting (normal mode)
-----------------------------------------------------------------
Running Init code
versionBuildFWVersionString(), TimestampString: 17-Jul-14 11:00
versionBuildFWVersionString(), VersionFIRMWAREVERSIONversion: v1.56
versionBuildFWVersionString(), Major ver num: 1 Minor ver num: 56
hwInit
mpc8xx GPIO open successful
Initializing Mpc8xx[0]
adg420a open successful.
adg420b open successful.
Initializing Adg420[3]
Initializing Adg420[2]
Initializing Adg420[1]
Initializing Adg420[0]
adg420b open successful.
Initializing ExtTrig[0]
adc08d1020a open successful.
adc08d1020b open successful.
Initializing Adc08D1000[1]
Initializing Adc08D1000[0]
Initializing Dac121s101[1]
Initializing Dac121s101[0]
Initializing ad5160[0]
ad5305 open successful.
Initializing ad5300[0]
tek0001 detected, patching device offsets.
lm95241[0] open successful.
lm95241[1] not present.
Initializing Lm95241[1]
Initializing Lm95241[0]
Initializing ResetCpld[0]
Factory Checksum: Stored: 29892, Calculated: 29892 - OK
Spc CheckSum: stored: 64237 calculated: 64237 - OK
Starting POST diags
Finished POST diags
Fp Id response: 6 4 19
Front Panel Software Rev 19 - no update needed.
cfgGetBoardModel: modelID 6 idStr MSO2024B
hcPtpInit: Starting PictBridge PTP subsystem
fusadInit
utilInit
-----------------------------------------------------------------
Running Start code
diagStart
fusionTrigStart(): calibrateTrigIf() ran 1 times and passed
fusionTrigStart(): testTrigIf() for TEK0001A returned 0
fusionTrigStart(): testTrigIf() for TEK0001B returned 0
fusadStart
-----------------------------------------------------------------
Running Run code
wfmMgr OK for diags
diagRun
fusadRun
eth0: unknown interface: No such device
eth0: unknown interface: No such device
enetLinkPresent: ioctl failed, errno 19
enetLinkPresent: ioctl failed, errno 19
-----------------------------------------------------------------
Scope startup complete; duration = 22.829660 seconds
=================================================================
PID to Task info:
PID: 62 ThrdID: 16386 Task: tUsrRoot
PID: 63 ThrdID: 32771 Task: tExcTask
PID: 64 ThrdID: 49156 Task: errSuspendAllThread
PID: 65 ThrdID: 65541 Task: hwIntReceiver
PID: 66 ThrdID: 81926 Task: fpIntTask
PID: 67 ThrdID: 98311 Task: fpIrqMonitor
PID: 68 ThrdID: 114696 Task: usbHotplug
PID: 0 ThrdID: 131081 Task: probesSharedUnloadCmdQueueThread
PID: 70 ThrdID: 147466 Task: fusad executive
PID: 71 ThrdID: 163851 Task: UsbTmcOutputMgr
PID: 72 ThrdID: 180236 Task: piUsb
PID: 73 ThrdID: 196621 Task: piVGpib
PID: 74 ThrdID: 213006 Task: Nios A listener
PID: 75 ThrdID: 229391 Task: Nios B listener
PID: 76 ThrdID: 245776 Task: exec
PID: 77 ThrdID: 262161 Task: autoset
PID: 78 ThrdID: 278546 Task: cal
PID: 79 ThrdID: 294931 Task: diag
PID: 80 ThrdID: 311316 Task: fp
PID: 81 ThrdID: 327701 Task: hc
PID: 82 ThrdID: 344086 Task: UsbSicInputMsgMgr
PID: 83 ThrdID: 360471 Task: wfmMgrTest
PID: 84 ThrdID: 376856 Task: search
PID: 85 ThrdID: 393241 Task: periodicZoom
PID: 86 ThrdID: 409626 Task: periodicClockAnimation
PID: 87 ThrdID: 426011 Task: periodicBusyIndicAnimation
PID: 88 ThrdID: 442396 Task: math
PID: 89 ThrdID: 458781 Task: meas
PID: 90 ThrdID: 475166 Task: measImmed
PID: 91 ThrdID: 491551 Task: piCmdIntfc
PID: 92 ThrdID: 507936 Task: probes
PID: 93 ThrdID: 524321 Task: ref
PID: 94 ThrdID: 540706 Task: rtl
PID: 0 ThrdID: 557091 Task: thttpd
PID: 112 ThrdID: 573476 Task: tVxi11SRQd
PID: 0 ThrdID: 589861 Task: tVxi11Rpcd
PID: 114 ThrdID: 606246 Task: tVxi11FlushThread
PID: 0 ThrdID: 622631 Task: bus
PID: 0 ThrdID: 639016 Task: debugConsole
PID: 117 ThrdID: 655401 Task: VgpibRead
PID: 118 ThrdID: 671786 Task: VgpibWrite
PID: 119 ThrdID: 688171 Task: UsbTmcEventDispatcher
PID: 0 ThrdID: 704556 Task: probesHandleBulkPowerChangeThread
Power Up Completed at 20:28:37
Enter 'ctrl-\' twice to quit scopeApp
Received testTrigIfcMsgAck, nios = 1, payload = 10
OK to connect by: telnet MSO2024B-05NTD7 1072
Received testTrigIfcMsgAck, nios = 0, payload = 10
20:28:37 fusadSetNiosUsable
20:28:42 --- Power Up Phase Cal - PASSED
Gooood!!!
Now you can prepare a root blank password firmware.... mount firmware.img, untar filesystem.tar.gz, edit /etc/passwd to remove root password... tar filesystem.tar.gz again... calc m5sum... update md5sum.txt with new filesysytem.tar.gz md5 and unmount firmware.img. ;)
Then after boot serial messages press ctrl \ twice and you can get accesss to internal linux.
Well I managed to brick my mso2014b so thats fun. Any ideas on how to repair? I was attempting to install a firmware version with no password and it stayed on the splash screen for hours so I had no choice but to unplug it. Now it just has a white screen. Any ideas?
Anyway did you try to load the original unmodified firmware on a fresh USB key and retry flashing from scratch?
I haven't messed around with decoding passwords so i figured it would be easier to just remove it completely. I saw your post about the password earlier but it didn't click when I worked on it tonight.
I have tried re-flashing the original firmware but it won't even go to the splash screen.
Messing with embedded linux on a device with onboard memory is new to me as most of my experience is using development boards that boot from either usb or sd card so I have never had something that's not easily revertible to an older, working version. I'm just pissed at myself because I had all the modules working with the soft hack and I wanted to mess around with upgrading it to a 2024b for the hell of it. I have no use for the extra 100mhz, I just wanted to max the device out for the hell of it.
One would think that it wouldn't overwrite the boot loader first, but I don't know exactly how the upgraded works. It obviously copies the installer into to ram. Judging by the white screen and lack of serial data, I suspect it may wipe flash before copying the new bootloader and OS over.
If this is the case, the machine obviously wiped the flash and then encountered a silent error while copying the new data over.
If that's the case, then the only way to get the thing going may be through some sort of JTAG process.
Don't beat yourself up. I've bricked plenty of routers in my day. It's easy to do when upgrading embedded firmware.
I'm going to try and help you get your scope back in action. As soon as I get back to my lab in a couple of days, I can dismantle my 2024B and start looking for programming pads, what type of flash it uses, etc.
I'm taking this as a personal challenge, mainly because my original unit bricked in the same way, with a factory firmware upgrade. So I'm curious how that can be fixed. Because there *has* to be an easy way to fix it. (If it's happened to two people, you can bet it's happened to many more.)
One would think that it wouldn't overwrite the boot loader first, but I don't know exactly how the upgraded works. It obviously copies the installer into to ram. Judging by the white screen and lack of serial data, I suspect it may wipe flash before copying the new bootloader and OS over.
If this is the case, the machine obviously wiped the flash and then encountered a silent error while copying the new data over.
If that's the case, then the only way to get the thing going may be through some sort of JTAG process.
In fwUpdate.sh it talks about uBootExtract Tool (line 326) checking the bootloader on the device and on the update. It says "If we can't extract the version from the scope, then update." But since it is clearly not getting to this step, do you know how to JTAG the bootloader partition (in bootloader.img I assume) to the partition /dev/mtd0 (line 53). I have never loaded anything through JTAG.
VGA output works, but can't do any scaling, so it's basically useless anyway. :--