DSOX2000 and 3000 series - licence , have anyone tried to hack that scope ?

[PA0PBZ]

I'm not able to execute "taskkill" ? If I search for taskkill as an exe it is not found, and it is also not listed as a builtin command in the telnet ??

Sorry, not sure what OS was in my mind when I typed that, it should be:

ProcessMgr.exe kill infiniivisionLauncher.exe

[cgroen]

I'm not able to execute "taskkill" ? If I search for taskkill as an exe it is not found, and it is also not listed as a builtin command in the telnet ??

Sorry, not sure what OS was in my mind when I typed that, it should be:

ProcessMgr.exe kill infiniivisionLauncher.exe

No worries
This is the result:

\> ProcessMgr.exe kill infiniivisionLauncher.exe
\> \windows\infiniivisionlauncher.exe -bw35
Our command line is -bw35
cCanineCalMgr::cCanineUserCalFactors::cCanineUserCalFactors size 27872
cCanineCalMgr::cCanineServiceCalFactors::cCanineServiceCalFactors size 704
cCanineCalMgr::cCanineFactoryCalFactors::cCanineFactoryCalFactors size 708
System has been running 2459.378906 seconds


But the "about" screen still says 200 MHz (assuming thats were you want me to look)

[PA0PBZ]

But the "about" screen still says 200 MHz (assuming thats were you want me to look)

Yes, I sort of expected that to change. Did you see the 350MHz in the listed options?
Can you try:

\windows\infiniivisionlauncher.exe --help?

That should show the valid options

[cgroen]

But the "about" screen still says 200 MHz (assuming thats were you want me to look)

Yes, I sort of expected that to change. Did you see the 350MHz in the listed options?
Can you try:

\windows\infiniivisionlauncher.exe --help?

That should show the valid options

Unfortunately not! it just gives:

\> ProcessMgr.exe kill infiniivisionLauncher.exe
\> \windows\infiniivisionlauncher.exe --help
Our command line is --help
cCanineCalMgr::cCanineUserCalFactors::cCanineUserCalFactors size 27872
cCanineCalMgr::cCanineServiceCalFactors::cCanineServiceCalFactors size 704
cCanineCalMgr::cCanineFactoryCalFactors::cCanineFactoryCalFactors size 708
System has been running 119.515244 seconds

also tried -help and -?, both with same result!

Just noticed that there also is a infiniivisionlauncher.exe in the "program files\infiniivision" folder, but same size as the one in the windows folder (5632 bytes)

[PA0PBZ]

Just noticed that there also is a infiniivisionlauncher.exe in the "program files\infiniivision" folder, but same size as the one in the windows folder (5632 bytes)

Yes, that is the one that is started when you boot the scope, it is in the .lnk file in startup remember?

Well, I'm out of ideas for the moment, let's wait for a few other eyes, but it looks like the process is different in the T series.

[cgroen]

Just noticed that there also is a infiniivisionlauncher.exe in the "program files\infiniivision" folder, but same size as the one in the windows folder (5632 bytes)

Yes, that is the one that is started when you boot the scope, it is in the .lnk file in startup remember?

Well, I'm out of ideas for the moment, let's wait for a few other eyes, but it looks like the process is different in the T series.

Yup, got it! (its been 20 years since I have been messing with WinCE 

Lets see if some other have any ideas, I can copy files from the scope to a USB stick if anything can help in the process...
(just don't want to brick my scope  )

[FrankBuss]

Unfortunately not! it just gives:

\> ProcessMgr.exe kill infiniivisionLauncher.exe
\> \windows\infiniivisionlauncher.exe --help
Our command line is --help
cCanineCalMgr::cCanineUserCalFactors::cCanineUserCalFactors size 27872
cCanineCalMgr::cCanineServiceCalFactors::cCanineServiceCalFactors size 704
cCanineCalMgr::cCanineFactoryCalFactors::cCanineFactoryCalFactors size 708
System has been running 119.515244 seconds

also tried -help and -?, both with same result!

Just noticed that there also is a infiniivisionlauncher.exe in the "program files\infiniivision" folder, but same size as the one in the windows folder (5632 bytes)

On my version (an old 2.35 firmware) the "--help" option works, see below for some interesting options to play with. On my scope you could enable all licences with "-l All", but maybe this was changed in later versions, and probably for the bandwidth you need some extra parameters.

Code: [Select]

\secure\infiniivision> infiniivisionlauncher.exe --help
Our command line is --help

USAGE:

   infiniivision  [--ExtTalClk] [--IntTalClk] [--4GSa] [--5GSa]
                  [--flushNetwork] [--gpibModule] [--lanModule]
                  [--debugTestAddress <debugTestAddress>] [--noAdcResync]
                  [--noBlanketInit] [--noScreenSaver] [--twoChan] [-f
                  <string>] [--sliceid2] [--sliceid1] [--sliceid]
                  [--mondll] [--disdcc] [--oldadcstartup] [--noadcreset]
                  [--forcemaxmem] [--newVga] [--invsoft] [--probecomp]
                  [--calChannel <Channel Number>] [--codeSnitch] [-u <3
                  character string>] ...  [-l <3 character string>] ...
                  [--traceFlags <Base10 number>] [--str] [--ctrlDiagStr
                  <Binary string>] [--ctrlDiagVal <Base10 number>] [--perf]
                  [--msg] [--dflt] [--noScope] [--srv] [--] [--version]
                  [-h]


Where:

   --ExtTalClk


   --IntTalClk


   --4GSa


   --5GSa


   --flushNetwork


   --gpibModule


   --lanModule


   --debugTestAddress <debugTestAddress>
     debug test address

   --noAdcResync
     disables periodic adc resync

   --noBlanketInit
     disables blanket init

   --noScreenSaver
     disables screen saver

   --twoChan


   -f <string>,  --family <string>
     product family

   --sliceid2
     enable slice id

   --sliceid1
     enable slice id

   --sliceid
     enable slice id

   --mondll
     enable monDLL

   --disdcc
     enable disDCC

   --oldadcstartup
     old ADC startup

   --noadcreset


   --forcemaxmem


   --newVga


   --invsoft


   --probecomp


   --calChannel <Channel Number>
     Channel to calibrate (0 = ALL CHANS, 1=CHAN1, ect.)

   --codeSnitch
     collapse thread priorities for CodeSnitch

   -u <3 character string>,  --disableLicense <3 character string>
      (accepted multiple times)
     disable licence XXX

   -l <3 character string>,  --enableLicense <3 character string>
      (accepted multiple times)
     enable licence XXX

   --traceFlags <Base10 number>
     mask for DebugPrint

   --str
     CMD_LINE_STR_DEFAULT_STR_DB

   --ctrlDiagStr <Binary string>
     control system diagnostics

   --ctrlDiagVal <Base10 number>
     control system diagnostics

   --perf
     make entry like performance

   --msg
     logs generic diagnostics

   --dflt
     default setup

   --noScope
     no scope mode

   --srv
     runs scope in service mode

   --,  --ignore_rest
     Ignores the rest of the labeled arguments following this flag.

   --version
     Displays version information and exits.

   -h,  --help
     Displays usage information and exits.


   infiniiVision



[PA0PBZ]

On my version (an old 2.35 firmware) the "--help" option works, see below for some interesting options to play with. On my scope you could enable all licences with "-l All", but maybe this was changed in later versions, and probably for the bandwidth you need some extra parameters.

Frank,

Did you notice that his scope is the T version? I think they changed the way we could fool adjust the system... 

[TheSteve]

Has anyone archived the older firmware revs for the T series?
Current is 4.08 and that is the only rev on the Keysight website.

[memset]

I predict a rapid sales rise in the MSOX3014T.

I think the best prize in mid-class would be for DSOX4024A. This model could possibly go all the way up to 1.5GHz.

[abyrvalg]

Try exe from 3000(non-T) copied to usb? The main part of the software is in infiniivision.dll, so there is a chance

[TheSteve]

But the "about" screen still says 200 MHz (assuming thats were you want me to look)

Yes, I sort of expected that to change. Did you see the 350MHz in the listed options?
Can you try:

\windows\infiniivisionlauncher.exe --help?

That should show the valid options

With the A version I thought if you tried a bandwidth option higher then the board strapping would allow it would ignore it.
So the same test might need to be re-run with a different option.

[adranp]

I can confirm that the hashing script worked for me also and I'm able to access the T model through telnet. Running 4.06 here.
I can also confirm all the details :cgroen posted already referring to the fact that there is no --help or -?.

As I did not upgrade any A series scope, I do have a few questions for you guys.

Killing the running instance of infinnilauncher.exe and running it again with other options, can brick the scope? As I'm an IT guy, I presume this might just either not work or just throw an exception about not recognising other parameters i might try.
Does this interfere in any way with the booting process? I do understand that Windows CE executes the value from the .lnk file. Unless I change that, just by killing the running instance and trying different parameters might get me in trouble? I assume not, but it's better to ask.

As I don't have the APPBNDL I'm looking to try the options for enabling different scope options.

Does anyone have the infiniivisionlauncher.exe from the A series at hand so I can try that as well, or should I just extract it from the latest .bin file?

Also I'm in the process of doing the hardware mod for upgrading to 350/500 Mhz as my parts just arrived. Will keep you updated on this also.

[FrankBuss]

Killing the running instance of infinnilauncher.exe and running it again with other options, can brick the scope? As I'm an IT guy, I presume this might just either not work or just throw an exception about not recognising other parameters i might try.

Yes, in theory it can brick your scope, or it can catch fire etc., because some options might be just for a special debug hardware, we don't know. But it is not likely, I guess worst case might be that you have to reboot it because it locks up, unless you don't overwrite the flash. Then you might need to restore it from the bootloader over the serial port, or even with JTAG.

Does anyone have the infiniivisionlauncher.exe from the A series at hand so I can try that as well, or should I just extract it from the latest .bin file?

There is not much in infiniivisionlauncher.exe, IIRC most of the functionality is in the DLLs. And you shouldn't mix different versions of the program, and the DLLs and image.

[TheSteve]

If you manually kill the process and just try restarting it with options yourself it should be quite safe to do. Just don't delete anything
As for your mod I think your first step is to try strapping the board for a 350/500 MHz unit. Then boot it up and verify it thinks it should be 350 MHz. At that point you can also try enabling 500 MHz via telnet and added the -BW 50 option.(same as the 3000A series).

For now if you may want try the following after logging in via telnet:

ProcessMgr.exe kill infiniivisionLauncher.exe
\windows\infiniivisionlauncher.exe -l all

I doubt it will enable all licenses though without a file being patched(the same dll that needs to be patched on most firmware versions from the A series).

I wouldn't run any files from the A series at this point.

btw do you have the 4.06 install file?

[memset]

Looking for /Secure/cal folder contents from DSOX20x2A and DSOX20x4A (both of them). MSO will also be good. If you have one of these scopes and can share cal, please PM.

[adranp]

:FrankBuss Thanks for the message. I was just interested in known cases of bricking.

I saw an earlier post by :ogoun after my message regarding no success on passing options through infiniivisionlauncher.exe. I'll try as :TheSteve suggested after hw strapping. I'll look into 4kinfiniiVisionCore.dll with IDA soon if I have some time.

If anyone looked at that DLL and has any ideas please let me know.

Does anyone have any un-bricking procedure through serial or JTAG?  Just in case.

:TheSteve Thanks and that was exactly what I had in mind. Will try that and I'll keep everyone updated. I don't have the 4.06 install file unfortunately. This is what the scope came with.

[adranp]

Just FYI:

ProcessMgr.exe kill infiniivisionLauncher.exe
\windows\infiniivisionlauncher.exe -l all

has no effect on enabled options without other changes.

[memset]

\windows\infiniivisionlauncher.exe -l all

has no effect on enabled options without other changes.

You can try to copy infiniivisionLauncher.exe from 3000A (not sure if it works for T) to USB, attach USB flash and run:

ProcessMgr.exe kill infiniivisionLauncher.exe
\usb\infiniivisionlauncher.exe -l all

[TheSteve]

Adranp - I do think a full JTAG backup of the flash would be great. I know others have done it with the 3000a series.

[arlvaljr]

Does anyone still have the original update file "3000XSeries.01.10.2011031600.cab to provide?

All references are broken by now and I would like to study it a litle.

Thanks

[adranp]

Happy to report that strapping works as in 3000A series mod. I've been able to mod to 350/500 Mhz version as previously reported.
Going to mod 1 channel tonight and will report back the results.

[TheSteve]

Sounds good - any questions you know how to get ahold of me.

[Howardlong]

I think the Teledyne relay is actually a 20dB switchable attenuator with a 12V coil.

A150-20-12

http://www.teledynerelays.com/pdf/electromechanical/a150.pdf

Avnet have them unstocked at $61, single unit MOQ, 16 week lead time.

Edit: I see someone beat me to it.

[Howardlong]

The 5v coil version, A150-20-5, is showing availabilty, it's not beyond the wit of man to pop a resistor in there.