Author Topic: DPO3000 Hacks  (Read 30822 times)


Offline FivePoint0Topic starter

  • Contributor
  • Posts: 28
DPO3000 Hacks
« on: January 12, 2015, 10:38:27 pm »
I know people on here love the Rigols, but . . .

Are there any hacks for the DPO3000?  Been offered one at a reasonable price and it appears the 100 MHz and 500 MHz are the same hardware . . .
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1924
  • Country: fr
Re: DPO3000 Hacks
« Reply #1 on: January 12, 2015, 10:52:25 pm »
Well the plug in option modules are easily... erm... replicated!

Not heard of a bandwidth upgrade yet.
 

Offline FivePoint0Topic starter

  • Contributor
  • Posts: 28
Re: DPO3000 Hacks
« Reply #2 on: January 14, 2015, 09:37:53 pm »
Yet all the bandwidth upgrade needs is for the user to type in a key.

Shame.  I'd buy it just for the hack!
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 824
  • Country: es
Re: DPO3000 Hacks
« Reply #3 on: April 22, 2015, 10:53:40 pm »
Looks like some things (including BW upgrade) can be done over GPIB, but I don't have a scope to verify. Somebody willing to try?

Some interesting commands:
:PASSWord "password"- enable special modes
  Valid passwords:
  "XYZZY" - "user's password"
  "INTEKRITY" - "backdoor password" (this is the right one for other "backdoor" mode commands)
  "PUBLIC" - "public password"
  "TRESPASS" - "developer password"
  "MKTDEMO" - ???

:SETMODELID id - set model
  Valid IDs:
  0 - MSO/DPO3012 (MSO/DPO is selected by digital channels presence)
  1 - MSO/DPO3014
  2 - MSO/DPO3032
  3 - MSO/DPO3034
  4 - MSO/DPO3052
  5 - MSO/DPO3054

:HWAccountant:SERIAL - get/set serial number

:HWAccountant:INSTRumentid - get instrument id (no set here, it is generated from model+serial)

:HWAccountant:ACQBandwidth bw - bandwidth upgrade
  valid values:
  300
  500

:ARMDEMO pass, num_days - activate demo mode
   pass: "DontMakeTheWookieMad"
   num_days 1-30
 
The following users thanked this post: dzseki
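For anyone auditing remote access to a lab scope, the commands listed in the post above can be flagged in a capture of the instrument's SCPI traffic. This is an added example, not code from the thread or from Tektronix; the log layout (timestamp, source address, message), the sample lines and all function names are constructed, and accepting any abbreviation between a header's short and long form is an assumption made to avoid misses.

```python
import re

# Root-level headers named in the thread, in SCPI long form. The leading run
# of capitals is the short form (":PASSW" and ":PASSWord" both appear there).
WATCHED = {
    "PASSWord": "password-gated mode unlock",
    "SETMODELID": "model identity change",
    "ARMDEMO": "timed demo activation",
    "HWAccountant": "hardware accounting subtree",
}
# Password strings quoted in the thread.
THREAD_PASSWORDS = {"XYZZY", "INTEKRITY", "PUBLIC", "TRESPASS", "MKTDEMO",
                    "FRANKLYMYDEAR"}


def mnemonic_matches(token, long_form):
    """True if token is the short form, the long form, or anything between."""
    short = re.match(r"[A-Z0-9]+", long_form).group(0)
    t = token.lower()
    return len(t) >= len(short) and long_form.lower().startswith(t)


def split_units(message):
    """Split a message on ';' while leaving quoted arguments intact."""
    units, buf, quoted = [], [], False
    for ch in message:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            units.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    units.append("".join(buf))
    return [u.strip() for u in units if u.strip()]


def parse_message(message):
    """Return [(header_path, args)] with relative headers resolved.

    In a chained message, a header without a leading ':' is relative to the
    parent of the previous header (standard SCPI compound-command rule).
    """
    parent, commands = [], []
    for unit in split_units(message):
        parts = unit.split(None, 1)
        header = parts[0]
        args = ([a.strip().strip('"') for a in parts[1].split(",")]
                if len(parts) > 1 else [])
        if header.startswith("*"):          # common command, e.g. *IDN?
            commands.append(([header], args))
            continue
        nodes = [n for n in header.rstrip("?").split(":") if n]
        if not nodes:
            continue
        path = nodes if header.startswith(":") else parent + nodes
        parent = path[:-1]
        commands.append((path, args))
    return commands


def scan_log(lines):
    """Flag every watched command, one finding per command, not per line."""
    findings = []
    for line in lines:
        fields = line.split(None, 2)
        if len(fields) < 3:
            continue
        when, source, message = fields
        for path, args in parse_message(message):
            for long_form, reason in WATCHED.items():
                if mnemonic_matches(path[0], long_form):
                    findings.append({
                        "time": when,
                        "source": source,
                        "command": ":".join([long_form] + path[1:]),
                        "args": args,
                        "reason": reason,
                        "thread_password": long_form == "PASSWord" and any(
                            a.upper() in THREAD_PASSWORDS for a in args),
                    })
    return findings


# Constructed sample capture: "<timestamp> <source address> <SCPI message>".
SAMPLE_LOG = """\
2020-06-30T17:05:32 10.0.0.23 :PASSWord INTEKRITY;:SETMODELID 3
2020-06-30T17:05:40 10.0.0.23 :HWAccountant:SERIAL?;ACQBandwidth 500
2020-06-30T17:06:02 10.0.0.23 *IDN?
2020-06-30T17:07:15 10.0.0.41 :passw "INTEKRITY";:armdemo 30,DontMakeTheWookieMad
2020-06-30T17:08:00 10.0.0.41 :ACQuire:MODe SAMple;STOPAfter SEQuence
""".splitlines()

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Parsing each command rather than grepping whole lines is what catches the second line's `ACQBandwidth 500`, which carries no `HWAccountant` prefix of its own.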

Offline _Sync_

  • Contributor
  • Posts: 13
Re: DPO3000 Hacks
« Reply #4 on: May 26, 2015, 12:05:20 pm »
I cannot get these to work and my IDA skills are too bad to figure out what is happening.

As I said in the other thread, there should also be a debug console available that is accessible through TCPIP but I cannot figure out how to connect to it....
 

Offline j_hallows

  • Newbie
  • Posts: 8
Re: DPO3000 Hacks
« Reply #5 on: June 01, 2015, 10:13:21 pm »
I cannot get these to work and my IDA skills are too bad to figure out what is happening.

As I said in the other thread, there should also be a debug console available that is accessible through TCPIP but I cannot figure out how to connect to it....

This is for the DPO3000/MSO3000 not MDO3000. Different hardware.

These commands can be sent via TekVisa to the DPO3000/MSO3000.
 

Offline Jwalling

  • Supporter
  • ****
  • Posts: 1517
  • Country: us
  • This is work?
Re: DPO3000 Hacks
« Reply #6 on: June 02, 2015, 10:30:47 am »
I cannot get these to work and my IDA skills are too bad to figure out what is happening.

As I said in the other thread, there should also be a debug console available that is accessible through TCPIP but I cannot figure out how to connect to it....

Just a guess, but maybe Telnet? I have an MSO3034 -  I'll give it a try later today and see what happens.

Jay
Jay

System error. Strike any user to continue.
 

Offline Jwalling

  • Supporter
  • ****
  • Posts: 1517
  • Country: us
  • This is work?
Re: DPO3000 Hacks
« Reply #7 on: June 02, 2015, 05:06:46 pm »
I cannot get these to work and my IDA skills are too bad to figure out what is happening.

As I said in the other thread, there should also be a debug console available that is accessible through TCPIP but I cannot figure out how to connect to it....

Just a guess, but maybe Telnet? I have an MSO3034 -  I'll give it a try later today and see what happens.

Jay

OK, so using telnet didn't work, but using my browser (Firefox) brings up a Tektronix menu.
I selected the tab "DATA" and I'm able to talk to the scope using GPIB commands.
I then sent the following per abyrvalg's post:

:SETMODELID 5
:HWAccountant:ACQBandwidth 500

Then power-cycled the unit. It did not make any changes.
So I used the back door password first:

:PASSWord "INTEKRITY"
:SETMODELID 5
:HWAccountant:ACQBandwidth 500

Then power-cycled the unit again. Still no change. I'm probably doing something wrong; I'm an idiot when it comes to stuff like this...  :-//

Jay
 

Offline Jwalling

  • Supporter
  • ****
  • Posts: 1517
  • Country: us
  • This is work?
Re: DPO3000 Hacks
« Reply #8 on: June 02, 2015, 05:13:53 pm »
I cannot get these to work and my IDA skills are too bad to figure out what is happening.

As I said in the other thread, there should also be a debug console available that is accessible through TCPIP but I cannot figure out how to connect to it....

Just a guess, but maybe Telnet? I have an MSO3034 -  I'll give it a try later today and see what happens.

Jay

OK, so using telnet didn't work, but using my browser (Firefox) brings up a Tektronix menu.
I selected the tab "DATA" and I'm able to talk to the scope using GPIB commands.
I then sent the following per abyrvalg's post:

:SETMODELID 5
:HWAccountant:ACQBandwidth 500

Then power-cycled the unit. It did not make any changes.
So I used the back door password first:

:PASSWord "INTEKRITY"
:SETMODELID 5
:HWAccountant:ACQBandwidth 500

Then power-cycled the unit again. Still no change. I'm probably doing something wrong; I'm an idiot when it comes to stuff like this...  :-//

Jay

OK, it's confirmed, I am an idiot.  :-/O Remove the quotes around the password:
:PASSWord INTEKRITY
:SETMODELID 5
:HWAccountant:ACQBandwidth 500

Voila, it reports that it is a MSO5054!

Thank you very much abyrvalg!  :clap: Now to do some bandwidth testing!

Jay
 
The following users thanked this post: analogRF

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 824
  • Country: es
Re: DPO3000 Hacks
« Reply #9 on: June 02, 2015, 09:10:59 pm »
Great! :-+ Try ARMDEMO also - my guess it should enable all options for a specified number of days.
 

Offline Jwalling

  • Supporter
  • ****
  • Posts: 1517
  • Country: us
  • This is work?
Re: DPO3000 Hacks
« Reply #10 on: June 03, 2015, 05:21:40 pm »
Great! :-+ Try ARMDEMO also - my guess it should enable all options for a specified number of days.

Huh. That didn't seem to work...

I tried both:
:ARMDEMO DontMakeTheWookieMad, 30
:ARMDEMO DontMakeTheWookieMad 30

Wasn't sure about the comma...
My firmware revision is 2.07 - perhaps that may play into the equation as it's rather old.

In other news, with a 500MHz 600mV signal applied from my signal generator to each channel in 50 Ohm mode, all four channels measure a minimum of 520mV, so the scope exceeds the specification of a MSO5054. In fact, the amplitude is not what falls below spec first, but the triggering. At about 550MHz, the trigger starts becoming unstable.
Nice!

As a side note, my scope has a number of errors from 2010 that I'd like to clear. I've looked through the operators, programming, and service manual and did not find anything on what command(s) might do this. Would you or anyone else happen to know how to clear them?
Many thanks again!  ;D
Jay
« Last Edit: June 03, 2015, 05:31:33 pm by Jwalling »
 

Offline j_hallows

  • Newbie
  • Posts: 8
Re: DPO3000 Hacks
« Reply #11 on: June 04, 2015, 02:32:33 am »
Quote
I tried both:
:ARMDEMO DontMakeTheWookieMad, 30
:ARMDEMO DontMakeTheWookieMad 30

Did you do:

Code:
:PASSWord INTEKRITY
First?

Quote
In other news, with a 500MHz 600mV signal applied from my signal generator to each channel in 50 Ohm mode, all four channels measure a minimum of 520mV, so the scope exceeds the specification of a MSO5054.

Does it say MSO5054 or MSO3054?
 

Offline Jwalling

  • Supporter
  • ****
  • Posts: 1517
  • Country: us
  • This is work?
Re: DPO3000 Hacks
« Reply #12 on: June 04, 2015, 05:27:34 pm »
Quote
I tried both:
:ARMDEMO DontMakeTheWookieMad, 30
:ARMDEMO DontMakeTheWookieMad 30

Did you do:

Code:
:PASSWord INTEKRITY
First?

Quote
In other news, with a 500MHz 600mV signal applied from my signal generator to each channel in 50 Ohm mode, all four channels measure a minimum of 520mV, so the scope exceeds the specification of a MSO5054.

Does it say MSO5054 or MSO3054?

I tried with :PASSWord INTEKRITY first and that didn't make any difference.
I updated the firmware to 2.40, no difference.
Oops. - that was a typo (or perhaps wishful thinking!  ;) Yes, it reports itself as a MSO3054.

The error logs can be retrieved with:
:ERRlog?
:ERRlog:NEXt?

There's two other references in the firmware with regards to the error logs.
:ERRlog:CLEar and :ERRlog:FILL
The CLEar doesn't seem to work.
FILL does not seem to do anything either.

Jay
 

Offline j_hallows

  • Newbie
  • Posts: 8
Re: DPO3000 Hacks
« Reply #13 on: October 04, 2015, 01:44:59 pm »
I just saw this on E-bay, (see attached Picture).

So I guess we have the wrong sequence for activating the modules.
« Last Edit: October 04, 2015, 01:46:56 pm by j_hallows »
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #14 on: December 05, 2015, 02:33:14 pm »
Hi together,

HWAccountant:ACQBandwidth 500

indeed works fine, a 100Mhz model suddenly can trigger without problems on a 500Mhz signal, but... when displaying for example the frequency of that signal, it says low resolution (+- 2.5V P2P, and it's from a Rohde&Schwarz generator, quite clean 500Mhz sine wave), so I'm not too sure that hack alone does it... the "low resolution" warning starts at around 155Mhz, which suggests there's another soft-limit somewhere that needs to be 'extended'...
My scope (MSO3014) has a serial > C020000, so definitely one that does NOT need Tek for the upgrade...

The ideal way would be to find out how the key is generated for the 500Mhz upgrade, because the scope's firmware definitely knows what to do when upgrading...
Maybe some similar routines as for the MDO3000 ?? (if I got it right, the MDO3xxx option modules now contain not stupidly the option's name, but some encrypted form of it... so maybe the key generated by Tek for the DPO3K BW upgrade uses similar or identical routines...??)

 

Offline Marchello

  • Contributor
  • Posts: 29
  • Country: ru
Re: DPO3000 Hacks
« Reply #15 on: December 05, 2015, 03:31:19 pm »
Is it possible to hack MSO4034?  (not B version)

Best regards!
Mark
 

Offline robert_

  • Regular Contributor
  • *
  • Posts: 151
  • Country: de
Re: DPO3000 Hacks
« Reply #16 on: December 05, 2015, 06:29:55 pm »
Can't answer to this, but as I have a MSO3014, C02* at work, I did hack it some months ago. Worked fine, and bandwidth did improve, although it doesn't seem to meet the 3054 risetime spec. I measure around 1ns on a fast rise pulse, which measures around 600ns on a HDO6054 (same on an old TDS7054), which would suggest around 350-400Mhz. Still a huge improvement over the standard 100Mhz, and enough to get my work done properly (where I'm dealing with around 3ns edges).

As for the options, I did install them the old way. Program one of these option modules (TDS3FFT borrowed from an old TDS3k, not needed anymore) with the option needed, insert in scope and transfer the licence from the module to the scope, reprogram with next option and repeat.
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #17 on: December 06, 2015, 03:31:33 pm »

And btw, these changes seem impossible to roll-back...  so be careful playing around with this...  ;-
But if anyone has managed to undo such changes, comments are welcome...
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #18 on: December 06, 2015, 05:17:29 pm »
@Marchello...

Don't think so... DPO4K's are not bandwidth upgradeable, and other Tek models have shown to have high-pass filters in hardware to differentiate models (same board, but a few different components...), so a bandwidth upgrade is possible in theory (up to 500Mhz for the 2.5GS/s models), but definitely requires hardware changes, and to my knowledge, these have never been attempted, nor documented anywhere...
 

Offline Marchello

  • Contributor
  • Posts: 29
  • Country: ru
Re: DPO3000 Hacks
« Reply #19 on: December 07, 2015, 10:56:42 am »
Ok. Thanks to all!
I activated all options. (sim card holder + 24C08 + PICKITII + few strings)
BW let it be 350 MHz...

Best regards!
Mark
 

Offline tmbinc

  • Frequent Contributor
  • **
  • Posts: 250
Re: DPO3000 Hacks
« Reply #20 on: December 07, 2015, 10:01:28 pm »
I did bandwidth-update my DPO5034 (they have 5GS/s even for the 350MHz models) by removing the lowpass (on one channel), see http://debugmo.de/2013/03/whats-inside-tektronix-dpo5034/ .

I also hacked my DPO4034 (non-B) to "more" bandwidth by hacking the executable - not a nice hack by any means. The DPO4034 has the pre-amp which the DPO4034B and DPO5034(B) lack; but it only has 2.5GHz so that limits the usefulness a bit.
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #21 on: December 10, 2015, 09:03:41 pm »

Once again, if anyone knows of other :HWAccountant:xxxxx commands....  please let us know... there's definitely something missing by setting only the Acquisition bandwidth to 500...

Or alternatively: where did Abyrvalg get this ??? Is there a chance to find more about these commands by disassembling the binaries ?? Or was that some 'insider info' ???
 

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Re: DPO3000 Hacks
« Reply #22 on: December 11, 2015, 09:47:18 am »
Know any tricks for TDS5000B?  ::)
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #23 on: January 18, 2016, 08:35:37 am »

There are "tricks" for the TDS7000B (and others), I can't imagine why the code would be that much different for the TDS5000B...
But it looks like every model series has its own encryption key(s) and options bitmasks, so disassembling the code and finding those would always be step 1...

The logic is always the same... a key is an encrypted version of a bitmask (every bit set being a specific option), coded using the device ID and an (AES) encryption key.

So you (just  ;-) need the bitmasks for the different options, the logic to generate the unique device ID, and the AES key...

 

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Re: DPO3000 Hacks
« Reply #24 on: January 19, 2016, 10:42:57 am »

There are "tricks" for the TDS7000B (and others), I can't imagine why the code would be that much different for the TDS5000B...
But it looks like every model series has its own encryption key(s) and options bitmasks, so disassembling the code and finding those would always be step 1...

The logic is always the same... a key is an encrypted version of a bitmask (every bit set being a specific option), coded using the device ID and an (AES) encryption key.

So you (just  ;-) need the bitmasks for the different options, the logic to generate the unique device ID, and the AES key...



Thank
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #25 on: January 21, 2016, 07:22:21 pm »

It may sound a bit more difficult than it actually is...

The binaries typically contain a lot of debug stuff, that ease finding the functions of interest, then looking after some forms of "load" instructions preceding function calls (like Encrypt()...), you rapidly can find addresses of interest and find out the AES key, same approach for the option masks, there's usually one function for evaluating an option key, and that function references all the possible option masks at some point... not trivial, but with some reasonable assembler knowledge (32 bit x86 assembler for TDS500B I think ??), and some time, it should be feasible...

Regards
 
The following users thanked this post: Supsnoopy66

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #26 on: June 09, 2016, 11:07:51 pm »

For info, the same logic applies for DPO3000 as for MDO3000, just one (BW upgrade) at a time...
AES key to be found in the binary, or...   ;-)
So use the mdo3keygen python stuff, works great (change the key) !

Again: only works for BW upgrades on DPO/MSO3K... NO other options via keys...
 
 

Offline FivePoint03

  • Regular Contributor
  • *
  • Posts: 51
  • Country: gb
Re: DPO3000 Hacks
« Reply #27 on: August 23, 2016, 10:04:13 pm »
So you mean the AES key is different between DPO3000 and MDO3000 - help us out - how can I find the AES key for DPO3000 :) ?
 

Offline kazik70

  • Contributor
  • Posts: 20
  • Country: pl
Re: DPO3000 Hacks
« Reply #28 on: January 29, 2018, 03:37:55 pm »
Code:
DPO/MSP3000 Firmware v2.38   2/29/2012

"New Features:
    - Bandwidth is field upgradeable (up to 500 MHz). 
      This option can be purchased and installed by the customer. 
      (Serial numbers < C020000 or < B020000 must be upgraded by a
      Tektronix service center)."

Not all DPO / MSO3000 can be hacked up to 500Mhz?
What are your serial numbers?
Has someone managed to hack <020000?

 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #29 on: January 31, 2018, 07:10:23 am »
No feedback so far on upgrading serials  < X020000

I don't think you can break something for good... the point is that there's to my knowledge no known way to 'uninstall' the upgrade (regardless if it was done with a key, or with system commands...), so  if you did, and it makes your scope somehow unusable, you're good to send it in for servicing...   :scared:

« Last Edit: January 31, 2018, 09:56:11 am by darkstar49 »
 

Offline kazik70

  • Contributor
  • Posts: 20
  • Country: pl
Re: DPO3000 Hacks
« Reply #30 on: February 08, 2018, 06:21:28 pm »
I made an upgrade from DPO3012 to DPO3052.
Serial number C02XXXX, firmware version 2.40

And there was a difference with the description.

SETMODELID
1 - 3012
2 - 3014
3 - 3032
4 - 3034
5 - 3052
6 - 3054

The model changed in real time, but the bandwidth after rebooting the scope.


Can you help with the modules?
 

Offline Tardz

  • Newbie
  • Posts: 5
  • Country: ca
Re: DPO3000 Hacks
« Reply #31 on: March 30, 2018, 06:05:14 pm »
Hi, I have a DPO3014 firmware V2.4, how to hack and activate all option ?
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 824
  • Country: es
Re: DPO3000 Hacks
« Reply #32 on: April 02, 2018, 09:18:23 pm »
Back to the "ARMDEMO" thing: the parameter order was wrong, NumOfDays must be first. Somebody please verify:
Code:
:PASSW INTEKRITY
:ARMDEMO 30,DontMakeTheWookieMad
or:
:ARMDEMO 30,"DontMakeTheWookieMad"
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 824
  • Country: es
Re: DPO3000 Hacks
« Reply #33 on: April 21, 2018, 11:43:15 pm »
ARMDEMO confirmed to work. Use the first version (w/o quotes).
 
The following users thanked this post: RomDump

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #34 on: April 23, 2018, 08:58:39 pm »


also for those who think that a frequency upgrade means their model ID changes:

The official Tektronix bandwidth upgrade does NOT modify the model ID !!!!!!!!!!!!!!!!! So this doesn't have any effect, other than showing the world that it's been hacked !!  ::)
 
The following users thanked this post: RomDump

Offline BH3XON

  • Contributor
  • Posts: 21
  • Country: cn
Re: DPO3000 Hacks
« Reply #35 on: July 26, 2019, 04:03:45 am »
No feedback so far on upgrading serials  < X020000

I don't think you can break something for good... the point is that there's to my knowledge no known way to 'uninstall' the upgrade (regardless if it was done with a key, or with system commands...), so  if you did, and it makes your scope somehow unusable, you're good to send it in for servicing...   :scared:

My oscilloscope serial number is C01XXXX.

At present, I found a bug, and the Signal Path Compensation will fail after the hack.

Whether the broadband has really increased, I have not tested it yet.
 

Offline dzseki

  • Frequent Contributor
  • **
  • Posts: 509
  • Country: hu
Re: DPO3000 Hacks
« Reply #36 on: July 26, 2019, 07:08:42 am »
No feedback so far on upgrading serials  < X020000

I don't think you can break something for good... the point is that there's to my knowledge no known way to 'uninstall' the upgrade (regardless if it was done with a key, or with system commands...), so  if you did, and it makes your scope somehow unusable, you're good to send it in for servicing...   :scared:

My oscilloscope serial number is C01XXXX.

At present, I found a bug, and the Signal Path Compensation will fail after the hack.

Whether the broadband has really increased, I have not tested it yet.

I have done the hack on a DPO3034 C01xxxx unit, and it worked fine, we measured the -3dB bandwidth beyond 500MHz, also SPC runs fine. Did you let the scope warm up (10-20 mins.) before performing SPC?
HP 1720A scope with HP 1120A probe, EMG 12563 pulse generator, EMG 1257 function generator, EMG 1172B signal generator, MEV TR-1660C bench multimeter
 

Offline BH3XON

  • Contributor
  • Posts: 21
  • Country: cn
Re: DPO3000 Hacks
« Reply #37 on: July 26, 2019, 10:53:49 am »
No feedback so far on upgrading serials  < X020000

I don't think you can break something for good... the point is that there's to my knowledge no known way to 'uninstall' the upgrade (regardless if it was done with a key, or with system commands...), so  if you did, and it makes your scope somehow unusable, you're good to send it in for servicing...   :scared:

My oscilloscope serial number is C01XXXX.

At present, I found a bug, and the Signal Path Compensation will fail after the hack.

Whether the broadband has really increased, I have not tested it yet.

I have done the hack on a DPO3034 C01xxxx unit, and it worked fine, we measured the -3dB bandwidth beyond 500MHz, also SPC runs fine. Did you let the scope warm up (10-20 mins.) before performing SPC?

Good news!

See your reply, I executed SPC again, and it has been running for 4 hours, but it failed again.

Anyway, this at least proves that it has nothing to do with hacking, maybe it is a device failure.

Thank you for your reply!


 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3221
  • Country: pt
Re: DPO3000 Hacks
« Reply #38 on: July 28, 2019, 03:57:24 pm »

Once again, if anyone knows of other :HWAccountant:xxxxx commands....  please let us know... there's definitely something missing by setting only the Acquisition bandwidth to 500...

Or alternatively: where did Abyrvalg get this ??? Is there a chance to find more about these commands by disassembling the binaries ?? Or was that some 'insider info' ???

Sorry for reviving this old theme, but I decided to do a search in the app for additional "piBackdoorCmds" as Tek calls them.

Attached is the list of backdoor commands of DPO3000 FW v2.40.

Instead of :HWAccountant:ACQBandwidth did anyone try the :HWAccountant:BANDWidth command?

The DPO4000B v3.22 also has another password mode:

"XYZZY"
"INTEKRITY"
"PUBLIC"
"TRESPASS"
"MKTDEMO"
"FRANKLYMYDEAR"
« Last Edit: July 28, 2019, 05:27:12 pm by tv84 »
 
The following users thanked this post: Belgarath

Offline sly2538

  • Newbie
  • Posts: 6
  • Country: fr
Re: DPO3000 Hacks
« Reply #39 on: August 01, 2019, 08:47:02 am »
Thanks  for this list !!
Someone can help me to activate DPO3EMBD module and others for ever for DPO / MSO 3000 ?
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: DPO3000 Hacks
« Reply #40 on: December 25, 2019, 03:36:33 am »
So is it possible to enable all options (serial decoding in particular) on DPO4000 series with the information given in this thread?
I can see it has worked for 3000 series and maybe(?) 4000B but not much about DPO4000

 

Offline Gregory

  • Regular Contributor
  • *
  • Posts: 59
  • Country: br
    • All Electronics Channel
Re: DPO3000 Hacks
« Reply #41 on: April 12, 2020, 10:49:29 am »
Back to the "ARMDEMO" thing: the parameter order was wrong, NumOfDays must be first. Somebody please verify:
Code:
:PASSW INTEKRITY
:ARMDEMO 30,DontMakeTheWookieMad
or:
:ARMDEMO 30,"DontMakeTheWookieMad"

This worked for me on a MDO4034-B scope!

Any ideas how to make it not expire in 30 days?

Offline smaultre

  • Regular Contributor
  • *
  • Posts: 140
  • Country: us
Re: DPO3000 Hacks
« Reply #42 on: June 30, 2020, 05:05:32 pm »
I'm trying to make DPO4054 to DPO4104
NOT(B) model serial: C020..
Connected via LAN / TEK OPEN CHOICE DT SW.

by sending :PASSWord INTEKRITY;:SETMODELID 3

it shows (in About) dpo4104, b\w 500 -till reboot
After reboot it shows dpo4054, b\w 500

Downgrade SETMODELID 2 -works and stored after reboot.

when try the
:HWAccountant:ACQBandwidth 500 (1000) but ACQ , BANDWidth.. -commands are not applied at all ..

:HWAccountant(....)  -not work at all

After some research on the web, I found that the 4054 and 4034 series are not upgradeable to 5104; there are not many sampling ICs present.
« Last Edit: July 11, 2020, 04:50:32 am by smaultre »
Start a new life here!!!
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: DPO3000 Hacks
« Reply #43 on: August 07, 2020, 01:22:22 pm »
so, is it definitive that DPO4054 cannot be upgraded to DPO4104? I mean only through software
 

Offline VooDust

  • Regular Contributor
  • *
  • Posts: 70
  • Country: ch
Re: DPO3000 Hacks
« Reply #44 on: August 28, 2020, 08:38:04 am »
I upgraded my DPO3012 from 100MHz to 500Mhz. After my initial joy  :scared: I noticed something very odd:



The "zero line" (i.e. measuring ground) is out of alignment - it's always minus half-a-div for vertical divs >= 50mV. So:

  • 10mV - OK
  • 20mV - OK
  • 50mV - minus 1/2 div, AVG is -25mV
  • 100mV - minus 1/2 div, AVG is -50mV
  • 200mV - minus 1/2 div, AVG is -100mV
  • and so on...

I ran some checks and this happens for either 500MHz and 300MHz settings, with 300MHz being off minus 1 div instead. Kind of a deal breaker...

Does anyone have a clue what's going on? It happens regardless of input termination, AC/DC coupling (!), trigger settings, or probe attenuation and bandwidth settings. I tried adjusting the "Offset" parameter of the probe, but that just shifts the phosphor line, the wrong voltage values remain.

Luckily I was able to downgrade back to 100MHz and everything is back to normal  :phew:
« Last Edit: August 28, 2020, 08:41:43 am by VooDust »
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: DPO3000 Hacks
« Reply #45 on: August 28, 2020, 10:18:48 am »
did you run SPC? That should take care of the dc offset. I think that's normal to happen. SPC is required after BW upgrade
 
The following users thanked this post: VooDust

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #46 on: August 28, 2020, 11:00:28 am »
Back to the "ARMDEMO" thing: the parameter order was wrong, NumOfDays must be first. Somebody please verify:
Code:
:PASSW INTEKRITY
:ARMDEMO 30,DontMakeTheWookieMad
or:
:ARMDEMO 30,"DontMakeTheWookieMad"

This worked for me on a MDO4034-B scope!

Any ideas how to make it not expire in 30 days?

DPO4BND ?  :popcorn:
 

Offline VooDust

  • Regular Contributor
  • *
  • Posts: 70
  • Country: ch
Re: DPO3000 Hacks
« Reply #47 on: August 28, 2020, 01:28:13 pm »
did you run SPC? That should take care of the dc offset. I think that's normal to happen. SPC is required after BW upgrade

First, thanks a lot for explaining. I did not know what SPC was or when to use it. I warmed the oscilloscope up and tried it a few times, but it always failed  :'( error log reported code 280 3 0 0, couldn't find any info about that.

However, I kept trying, turning off all other appliances in hopes to remove anything that could interfere with the process. Still failed, but, believe it or not, when I moved the oscilloscope to another room/power outlet, SPC succeeded!  :popcorn:

I'm very happy, calibration is spot on! In retrospect, in the past it was off by some tiny amount of mV, too, which bothered me but I didn't know why that was or what I could do.

See your reply, I executed SPC again, and it has been running for 4 hours, but it failed again.

Anyway, this at least proves that it has nothing to do with hacking, maybe it is a device failure.

It's a year late but maybe this post is still of interest to you...  :horse:
« Last Edit: August 28, 2020, 01:30:43 pm by VooDust »
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: DPO3000 Hacks
« Reply #48 on: August 28, 2020, 01:37:35 pm »
I have found (on other tek scopes, not this model here) SPC passing can be sensitive to room and device temperature.
I guess if the offset is too much SPC cannot compensate it and sometimes if the temperature is right the offset may come into a window that SPC can handle it. That's my guess...that's why SPC should be run frequently to keep the offset in a range that can be compensated.

But w.r.t. calibration, did you check the bandwidth? is it in fact >=500MHz?
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3221
  • Country: pt
Re: DPO3000 Hacks
« Reply #49 on: August 28, 2020, 01:53:57 pm »
:HWAccountant(....)  -not work at all

If you mean that all other :HWAccountant commands don't work maybe it's because you have to be in manufacturer/factory mode for them to be accepted.
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: DPO3000 Hacks
« Reply #50 on: August 28, 2020, 01:56:29 pm »
can options (not necessarily the BW) be enabled on DPO4000 using the SCPI commands?
 

Offline VooDust

  • Regular Contributor
  • *
  • Posts: 70
  • Country: ch
Re: DPO3000 Hacks
« Reply #51 on: August 28, 2020, 07:49:05 pm »
But w.r.t. calibration, did you check the bandwidth? is it in fact >=500MHz?

I probed a 433Mhz carrier signal earlier this week. It allowed me to build a clone of my garage door opener. Since I only own 200 MHz probes, I presume the signal was attenuated heavily.

However, at 100 MHz, or 150 MHz (which is the available low pass setting when running the 500 MHz model) the RF signal was virtually nonexistent! With 500 MHz however, I got 800mV peak-to-peak!

So yes the upgrade is the bomb! I'm not able to provide details like trigger sensitivity, rise time etc. since I lack the equipment (and knowledge).

Cheers.
« Last Edit: August 28, 2020, 07:52:16 pm by VooDust »
 

Offline VooDust

  • Regular Contributor
  • *
  • Posts: 70
  • Country: ch
Re: DPO3000 Hacks
« Reply #52 on: August 28, 2020, 07:58:58 pm »
If only I could upgrade from 2 to 4 channels... I would trade the 500 Mhz for this  |O
 

Offline smaultre

  • Regular Contributor
  • *
  • Posts: 140
  • Country: us
Re: DPO3000 Hacks
« Reply #53 on: September 02, 2020, 02:46:46 pm »
Sure, I did some research. It works, but the 4054 does not physically have many DACs and demux chips on the board  :-//
It's the perfect way to upgrade 4034 to 4054!
« Last Edit: September 02, 2020, 06:00:58 pm by smaultre »
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: DPO3000 Hacks
« Reply #54 on: November 25, 2020, 02:58:46 pm »
I upgraded my DPO3012 from 100MHz to 500Mhz. After my initial joy  :scared: I noticed something very odd:



The "zero line" (i.e. measuring ground) is out of alignment - it's always minus half-a-div for vertical divs >= 50mV. So:

  • 10mV - OK
  • 20mV - OK
  • 50mV - minus 1/2 div, AVG is -25mV
  • 100mV - minus 1/2 div, AVG is -50mV
  • 200mV - minus 1/2 div, AVG is -100mV
  • and so on...

I ran some checks and this happens for both the 500MHz and 300MHz settings, with 300MHz being off minus 1 div instead. Kind of a deal breaker...

Does anyone have a clue what's going on? It happens regardless of input termination, AC/DC coupling (!), trigger settings, or probe attenuation and bandwidth settings. I tried adjusting the "Offset" parameter of the probe, but that just shifts the phosphor line, the wrong voltage values remain.

Luckily I was able to downgrade back to 100MHz and everything is back to normal  :phew:

Would you mind saying which of the commands/methods you used for BW upgrade? Also, was your S/N >C020xxxx or <C020xxxx?

 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: DPO3000 Hacks
« Reply #55 on: November 25, 2020, 03:19:19 pm »
I cannot get these to work and my IDA skills are too bad to figure out what is happening.

As I said in the other thread, there should also be a debug console available that is accessible through TCPIP but I cannot figure out how to connect to it....

Just a guess, but maybe Telnet? I have an MSO3034 -  I'll give it a try later today and see what happens.

Jay

OK, so using telnet didn't work, but using my browser (Firefox) brings up a Tektronix menu.
I selected the tab "DATA" and I'm able to talk to the scope using GPIB commands.
I then sent the following per abyrvalg's post:

:SETMODELID 5
:HWAccountant:ACQBandwidth 500

Then power-cycled the unit. It did not make any changes.
So I used the back door password first:

:PASSWord "INTEKRITY"
:SETMODELID 5
:HWAccountant:ACQBandwidth 500

Then power-cycled the unit again. Still no change. I'm probably doing something wrong; I'm an idiot when it comes to stuff like this...  :-//

Jay

OK, it's confirmed, I am an idiot.  :-/O Remove the quotes around the password:
:PASSWord INTEKRITY
:SETMODELID 5
:HWAccountant:ACQBandwidth 500

Voila, it reports that it is a MSO5054!

Thank you very much abyrvalg!  :clap: Now to do some bandwidth testing!

Jay

Was your serial number >C0200000 or less?
Was the upgrade successful both in triggering, amplitude and also in doing measurements?
 

Offline KrzysztofB

  • Regular Contributor
  • *
  • Posts: 96
  • Country: pl
Re: DPO3000 Hacks
« Reply #56 on: June 09, 2022, 09:06:02 am »
I know the topic is a bit old, but does anyone know if anything changed?
I was trying to unleash some serial decoding features on our old C01xxx DPO3034 to see if it would be worth purchasing it, but somehow ":ARMDEMO" seems to not work whatsoever?
Does anyone know something about the topic?
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: DPO3000 Hacks
« Reply #57 on: August 01, 2022, 04:16:30 pm »
Has anyone tried doing the factory adjustment on DPO3000? Is it possible to do it DIY without Fluke calibrator?

perhaps JWalling can comment on this  ;)
 

Offline Jwalling

  • Supporter
  • ****
  • Posts: 1517
  • Country: us
  • This is work?
Re: DPO3000 Hacks
« Reply #58 on: August 02, 2022, 09:05:17 am »
Has anyone tried doing the factory adjustment on DPO3000? Is it possible to do it DIY without Fluke calibrator?

perhaps JWalling can comment on this  ;)

I've never tried...
Jay

System error. Strike any user to continue.
 

Offline OYAZI

  • Newbie
  • Posts: 6
  • Country: jp
Re: DPO3000 Hacks
« Reply #59 on: August 15, 2022, 01:32:22 am »
Hello,
DPO/MSO3000
I succeeded in changing the model name and B/W.
Does anyone know the way to change the s/n?
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #60 on: August 15, 2022, 04:18:20 pm »
That info is at the beginning of the thread…
What’s the point of changing the serial? Do you expect to fool Tek in case you’d use their servicing?
I’d be careful doing that… the instrument Id, which is, if I remember well, derived from the serial, is used to compute option keys… and I’m pretty sure the instrument Id is stored at several places, either in the NVRAM, on the file system (flash), or both… and I wouldn’t be too confident that the call to alter the serial will update everything as it should…
« Last Edit: August 15, 2022, 04:23:43 pm by darkstar49 »
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6467
  • Country: de
Re: DPO3000 Hacks
« Reply #61 on: August 16, 2022, 09:36:33 pm »
Does anyone know the way to change s/n?

Did you steal your scope or do you plan to use it to commit a crime?  ::)
 

Offline OYAZI

  • Newbie
  • Posts: 6
  • Country: jp
Re: DPO3000 Hacks
« Reply #62 on: August 17, 2022, 01:51:14 am »
There is a DPO3000 which is physically damaged and there is another DPO3000 whose mainboard has failed.
Wouldn't you think of replacing a mainboard with one from another machine?
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6467
  • Country: de
Re: DPO3000 Hacks
« Reply #63 on: August 17, 2022, 05:46:46 am »
No worries, I was just kidding.

If my scope needed repair via a new (used) mainboard, I would not mind if it ended up with a different serial number in firmware vs. the sticker on the enclosure. Same as with an engine swap on a car, I guess. And as others have said, it is probably not so easy to change the serial number.
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: DPO3000 Hacks
« Reply #64 on: August 17, 2022, 03:12:41 pm »
No worries, I was just kidding.

If my scope needed repair via a new (used) mainboard, I would not mind if it ended up with a different serial number in firmware vs. the sticker on the enclosure. Same as with an engine swap on a car, I guess. And as others have said, it is probably not so easy to change the serial number.

But it will be an issue if you decide to sell the scope (or the car).

Changing the SN is easy to do either with SCPI or through the UART. But I have a bigger problem at hand which I hope someone can shed some light on.

I have had this DPO3054 for about 2 years with a cooked front end board (TEK calls it attenuator board). The FPGA on the attenuator board was literally cooked.
So I finally got my hands on a very broken DPO3034 with broken case, missing PSU, and devoured main board but with good attenuator board. So I replaced it and the scope works perfectly albeit totally out of calibration but it even passes SPC. However, it fails the self test (even power on self test) and the only reason is Attenuator board serial number mismatch. It shows up as "No Ser" and I have not been able to enter/program the SN of the new atten board into the scope.

Does anybody know what needs to be done?
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #65 on: August 19, 2022, 09:20:01 am »

There are two options to address the issue...

The first one would be to patch the firmware to ignore the mismatch, the second is to alter the serial on either side, assuming they're to be identical, and not somehow 'related' via some computation...???
A detailed 'system config' dump of a genuinely 'normal' DPO3K could perhaps help clarify this, if someone has one at hand.
Do you know where the FE board's serial is stored ? Is it 'burned' into the FPGA or stored in some NVRAM on the FE board ?
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: DPO3000 Hacks
« Reply #66 on: August 19, 2022, 10:40:23 am »


Do you know where the FE board's serial is stored ? Is it 'burned' into the FPGA or stored in some NVRAM on the FE board ?

How to alter the serial? That was my question. That's what I have been trying to do...

There is no EEPROM on that board. Can they store it in an FPGA?


In a good scope, the SN of the atten board appears in the list on the config page. In this scope, it shows "No Ser".

 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 974
  • Country: ca
Re: DPO3000 Hacks
« Reply #67 on: August 19, 2022, 12:03:43 pm »
The thing is I can change the SN of all the other modules, PSU, FP board, Display, Main board... it is just the Attenuator board that cannot be changed  |O |O |O
 

Offline lern01

  • Regular Contributor
  • *
  • Posts: 76
  • Country: cn
Re: DPO3000 Hacks
« Reply #68 on: November 02, 2023, 04:05:24 am »
Very sorry to restart the thread. Has someone been successful with the DPO3000 module crack?
 

Offline lern01

  • Regular Contributor
  • *
  • Posts: 76
  • Country: cn
Re: DPO3000 Hacks
« Reply #69 on: November 02, 2023, 08:28:14 am »
Looks like some things (including BW upgrade) can be done over GPIB, but I don't have a scope to verify. Somebody willing to try?

Some interesting commands:
:PASSWord "password"- enable special modes
  Valid passwords:
  "XYZZY" - "user's password"
  "INTEKRITY" - "backdoor password" (this is the right one for other "backdoor" mode commands)
  "PUBLIC" - "public password"
  "TRESPASS" - "developer password"
  "MKTDEMO" - ???

:SETMODELID id - set model
  Valid IDs:
  0 - MSO/DPO3012 (MSO/DPO is selected by digital channels presence)
  1 - MSO/DPO3014
  2 - MSO/DPO3032
  3 - MSO/DPO3034
  4 - MSO/DPO3052
  5 - MSO/DPO3054

:HWAccountant:SERIAL - get/set serial number

:HWAccountant:INSTRumentid - get instrument id (no set here, it is generated from model+serial)

:HWAccountant:ACQBandwidth bw - bandwidth upgrade
  valid values:
  300
  500

:ARMDEMO pass, num_days - activate demo mode
   pass: "DontMakeTheWookieMad"
   num_days 1-30



I successfully connected to the computer through the LAN, and the following situation appears when I entered the command. What is the cause?
« Last Edit: November 02, 2023, 08:31:46 am by lern01 »
 

Offline lern01

  • Regular Contributor
  • *
  • Posts: 76
  • Country: cn
Re: DPO3000 Hacks
« Reply #70 on: November 02, 2023, 08:56:41 am »
My oscilloscope: DPO3014, Version: 2.38, Serial Number: C02xxxx.
 

