Update: This has been an amazing demonstration of skill and teamwork. Abyrvalg, without physical hardware in hand, had this nut cracked so quickly I scarcely had time to get coffee. Mike and Carrington supplied lots of useful info and insight.
Full hack summary for v6.16 firmware: Mike has summarized neatly the procedure for the full hack, which allows fine-grained selection of licences using the license dialog, in this post. v6.20 firmware address changes are listed in this post.
Service Menu hack summary for firmware v6.16: Alex has written a nice summary of the service-menu hack, which enables multiple options and does not require a modified binary, but doesn't give the undocumented options or allow fine-grained control, in this thread. To do this on any firmware version: Instead of modifying a memory location, use the function call 'setServiceMode(1)' from the C shell, which works on all firmware versions. (link here).
Removing the SEC option: The workings of the SEC option were elucidated by abyrvalg, the hero of this thread. The technique for removing the option is detailed here.
Original Post: I am aware that you can enable all the options and then set back the clock to keep these options enabled indefinitely. That's certainly livable. However, that's not a pretty solution, and it's nice to have the clock set properly for screen shots, etc. The recent thread on hacking the MSO-X-2000/3000 series scopes piqued my curiosity.
Unlike the MSOX-3000 update packages, the MSO5000/6000/7000 packages appear to be packed using a proprietary ZIP-derived format.
Another forum member found an emergency binary for the 5000, which indicates that this is running on VxWorks on a PowerPC. He also pointed to some possible telnet login info embedded in the binary, but telnet service doesn't appear to be enabled.
Poking around with a 7000 series scope, I found that FTP is enabled, and you can log in with "panther", "pictures". However, there doesn't seem to be much in the ftp directory--just a subdirectory labeled RAM0, apparently empty. (It would be cool if that were a running RAM image, but no hint that's the case.)
If anyone has any ideas, it would be nice to post in this thread.