Thank you! I'm using Binary Ninja right now.
I believe the license checking function is at 0x0041801c. It seems to set r0 to #0x1 if the user owns the requested license.
At least that's what the -fullopt flag did in the previous versions.
Thanks for the hint, that is indeed a nice tool! I believe you are right and it makes it super easy to patch it such that it only ever returns 1.
Patch for 01.01.04.04 to always return 1
Superseded by later work.
EDIT: Just got my scope from Batronix. Comes with firmware 00.01.01.02.03. I would have expected them to ship with the new "unhackable" firmware. However, maybe they did not want everyone to return them directly.
EDIT2: I tried an intermediate update to 00.01.01.02.06, and now ssh is gone?! Strange....
EDIT3: Darn, that firmware also already kills sshd, even though it is from December last year! So I effectively shut myself out for now. BTW, the build script is not far enough to repackage the modified file system.