Author Topic: DPO3000 Hacks  (Read 17769 times)

0 Members and 1 Guest are viewing this topic.

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 256
Re: DPO3000 Hacks
« Reply #25 on: January 21, 2016, 07:22:21 pm »

It may sound a bit more difficult than it actually is...

The binaries typically contain a lot of debug stuff, that ease finding the functions of interest, then looking after some forms of "load" instructions preceding function calls (like Encrypt()...), you rapidly can find addresses of interest and find out the AES key, same approach for the option masks, there's usually one function for evaluating an option key, and that function references all the possible option masks at some point... not trivial, but with some reasonable assembler knowledge (32 bit x86 assembler for TDS500B I think ??), and some time, it should be feasible...

Regards
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 256
Re: DPO3000 Hacks
« Reply #26 on: June 09, 2016, 11:07:51 pm »

For info, same logic applies for DPO3000 than for MDO3000, just one (BW upgrade) at a time...
AES key to be found in the binary, or...   ;-)
So use the mdo3keygen python stuff, works great (change the key) !

Again: only works for BW upgrades on DPO/MSO3K... NO other options via keys...
 
 

Offline FivePoint03

  • Regular Contributor
  • *
  • Posts: 51
  • Country: gb
Re: DPO3000 Hacks
« Reply #27 on: August 23, 2016, 10:04:13 pm »
So you mean the AES key is different between DPO3000 and MDO3000 - help us out - how can I find the AES key for DPO3000 :) ?
 

Offline kazik70

  • Contributor
  • Posts: 19
  • Country: pl
Re: DPO3000 Hacks
« Reply #28 on: January 29, 2018, 03:37:55 pm »
Code: [Select]
DPO/MSP3000 Firmware v2.38   2/29/2012

"New Features:
    - Bandwidth is field upgradeable (up to 500 MHz). 
      This option can be purchased and installed by the customer. 
      (Serial numbers < C020000 or < B020000 must be upgraded by a
      Tektronix service center)."

Not all DPO / MSO3000 can be hacked up to 500Mhz?
What are your serial numbers?
Has someone managed to hack <020000?

 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 256
Re: DPO3000 Hacks
« Reply #29 on: January 31, 2018, 07:10:23 am »
No feedback so far on upgrading serials  < X020000

I don't think you can break something for good... the point is that there's to my knowledge no known way to 'uninstall' the upgrade (regardless if it was done with a key, or with system commands...), so  if you did, and it makes your scope somehow unusable, you're good to send it in for servicing...   :scared:

« Last Edit: January 31, 2018, 09:56:11 am by darkstar49 »
 

Offline kazik70

  • Contributor
  • Posts: 19
  • Country: pl
Re: DPO3000 Hacks
« Reply #30 on: February 08, 2018, 06:21:28 pm »
I made an upgrade from DPO3012 to DPO3052.
Serial number C02XXXX, firmware vesjon 2.40

And there was a difference with the description.

SETMODELID
1 - 3012
2 - 3014
3 - 3032
4 - 3034
5 - 3052
6 - 3054

The model changed in real time, but the bandwich after reboot the scope.


Can you help with the modules?
 

Offline Tardz

  • Newbie
  • Posts: 2
  • Country: ca
Re: DPO3000 Hacks
« Reply #31 on: March 30, 2018, 06:05:14 pm »
Hi, I have a DPO3014 firmware V2.4, how to hack and activate all option ?
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 476
  • Country: ru
Re: DPO3000 Hacks
« Reply #32 on: April 02, 2018, 09:18:23 pm »
Back to the "ARMDEMO" thing: the parameter order was wrong, NumOfDays must be first. Somebody please verify:
Code: [Select]
:PASSW INTEKRITY
:ARMDEMO 30,DontMakeTheWookieMad
or:
:ARMDEMO 30,"DontMakeTheWookieMad"
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 476
  • Country: ru
Re: DPO3000 Hacks
« Reply #33 on: April 21, 2018, 11:43:15 pm »
ARMDEMO confirmed to work. Use the first version (w/o quotes).
 
The following users thanked this post: RomDump

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 256
Re: DPO3000 Hacks
« Reply #34 on: April 23, 2018, 08:58:39 pm »


also for those who think that a frequency upgrade means their model ID changes:

The official Tektronix bandwidth upgrade does NOT modify the model ID !!!!!!!!!!!!!!!!! So this doesn't have any effect, other than showing the world that it's been hacked !!  ::)
 
The following users thanked this post: RomDump

Offline BH3XON

  • Contributor
  • Posts: 12
  • Country: cn
Re: DPO3000 Hacks
« Reply #35 on: July 26, 2019, 04:03:45 am »
No feedback so far on upgrading serials  < X020000

I don't think you can break something for good... the point is that there's to my knowledge no known way to 'uninstall' the upgrade (regardless if it was done with a key, or with system commands...), so  if you did, and it makes your scope somehow unusable, you're good to send it in for servicing...   :scared:

My oscilloscope serial number is C01XXXX.

At present, I found a bug, and the Signal Path Compensation will fail after the hack.

Whether the broadband has really increased, I have not tested it yet.
 

Offline dzseki

  • Frequent Contributor
  • **
  • Posts: 407
  • Country: hu
Re: DPO3000 Hacks
« Reply #36 on: July 26, 2019, 07:08:42 am »
No feedback so far on upgrading serials  < X020000

I don't think you can break something for good... the point is that there's to my knowledge no known way to 'uninstall' the upgrade (regardless if it was done with a key, or with system commands...), so  if you did, and it makes your scope somehow unusable, you're good to send it in for servicing...   :scared:

My oscilloscope serial number is C01XXXX.

At present, I found a bug, and the Signal Path Compensation will fail after the hack.

Whether the broadband has really increased, I have not tested it yet.

I have done the hack on a DPO3034 C01xxxx unit, and it worked fine, we measured the -3dB bandwidth beyond 500MHz, also SPC runs fine. Did you let the scope warm up (10-20 mins.) before performing SPC?
HP 1720A scope with HP 1120A probe, EMG 12563 pulse generator, EMG 1257 function generator, MEV TR-1660C bench multimeter
 

Offline BH3XON

  • Contributor
  • Posts: 12
  • Country: cn
Re: DPO3000 Hacks
« Reply #37 on: July 26, 2019, 10:53:49 am »
No feedback so far on upgrading serials  < X020000

I don't think you can break something for good... the point is that there's to my knowledge no known way to 'uninstall' the upgrade (regardless if it was done with a key, or with system commands...), so  if you did, and it makes your scope somehow unusable, you're good to send it in for servicing...   :scared:

My oscilloscope serial number is C01XXXX.

At present, I found a bug, and the Signal Path Compensation will fail after the hack.

Whether the broadband has really increased, I have not tested it yet.

I have done the hack on a DPO3034 C01xxxx unit, and it worked fine, we measured the -3dB bandwidth beyond 500MHz, also SPC runs fine. Did you let the scope warm up (10-20 mins.) before performing SPC?

Good news!

See your reply, I executed SPC again, and it has been running for 4 hours, but it failed again.

Anyway, This at least proves that it has nothing to do with hacking , Maybe it is a device failure .

Thank you for your reply!


 

Online tv84

  • Super Contributor
  • ***
  • Posts: 1852
  • Country: pt
Re: DPO3000 Hacks
« Reply #38 on: July 28, 2019, 03:57:24 pm »

Once again, if anyone knows of other :HWAccountant:xxxxx commands....  please let us know... there's definitely something missing by setting only the Acquisition bandwidth to 500...

Or alternatively: where did Abyrvalg get this ??? Is there a chance to find more about these commands by disassembling the binaries ?? Or was that some 'insider info' ???

Sorry for reviving this old theme, but I decided to do a search in the app for additional "piBackdoorCmds" as Tek calls them.

Attached is the list of backdoor commands of DPO3000 FW v2.40.

Instead of :HWAccountant:ACQBandwidth did anyone tried the :HWAccountant:BANDWidth command?

The DPO4000B v3.22 also has another password mode:

"XYZZY"
"INTEKRITY"
"PUBLIC"
"TRESPASS"
"MKTDEMO"
"FRANKLYMYDEAR"
« Last Edit: July 28, 2019, 05:27:12 pm by tv84 »
 

Offline sly2538

  • Newbie
  • Posts: 1
  • Country: fr
Re: DPO3000 Hacks
« Reply #39 on: August 01, 2019, 08:47:02 am »
Thanks  for this list !!
Someone can help me to activate DPO3EMBD module and others for ever for DPO / MSO 3000 ?
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 639
  • Country: ca
Re: DPO3000 Hacks
« Reply #40 on: December 25, 2019, 03:36:33 am »
So is it possible to enable all options (serial decoding in particular) on DPO4000 series with the information given in this thread?
I can see it has worked for 3000 series and maybe(?) 4000B but not much about DPO4000

 

Offline Gregory

  • Contributor
  • Posts: 47
  • Country: br
  • Some guys have girls, I have equipments.
    • All Electronics Channel
Re: DPO3000 Hacks
« Reply #41 on: April 12, 2020, 10:49:29 am »
Back to the "ARMDEMO" thing: the parameter order was wrong, NumOfDays must be first. Somebody please verify:
Code: [Select]
:PASSW INTEKRITY
:ARMDEMO 30,DontMakeTheWookieMad
or:
:ARMDEMO 30,"DontMakeTheWookieMad"

This worked for me on a MDO4034-B scope!

Any ideas how to make it not expire in 30 days?

Online smaultre

  • Contributor
  • Posts: 34
  • Country: ru
Re: DPO3000 Hacks
« Reply #42 on: June 30, 2020, 05:05:32 pm »
i'm trying to make DPO4054 to DPO4104
NOT(B) model serial: C020..
Connected via LAN / TEK OPEN CHOICE DT SW.

by sending :PASSWord INTEKRITY;:SETMODELID 3

it shows (in About) dpo4104, b\w 500 -till reboot
After reboot it shows dpo4054, b\w 500

Downgrade SETMODELID 2 -works and stored after reboot.

when try the
:HWAccountant:ACQBandwidth 500 (1000) but ACQ , BANDWidth.. -commands do not applyed at all ..

:HWAccountant(....)  -not work at all

After some research on the web, i found that the 4054 and 4034 series does not upgradeable to 5104 theres no much sampling IC's present.
« Last Edit: July 11, 2020, 04:50:32 am by smaultre »
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 639
  • Country: ca
Re: DPO3000 Hacks
« Reply #43 on: August 07, 2020, 01:22:22 pm »
so, is it definitive that DPO4054 cannot be upgraded to DPO4104? I mean only through software
 

Offline VooDust

  • Contributor
  • Posts: 35
  • Country: ch
Re: DPO3000 Hacks
« Reply #44 on: August 28, 2020, 08:38:04 am »
I upgraded my DPO3012 from 100MHz to 500Mhz. After my initial joy  :scared: I noticed something very odd:



The "zero line" (i.e. measuring ground) is out of alignment - it's always minus half-a-div for vertical divs >= 50mV. So:

  • 10mV - OK
  • 20mV - OK
  • 50mV - minus 1/2 div, AVG is -25mV
  • 100mV - minus 1/2 div, AVG is -50mV
  • 200mV - minus 1/2 div, AVG is -100mV
  • and so on...

I ran some checks and this happens for either 500MHz and 300MHz settings, with 300MHz being off minus 1 div instead. Kind of a deal breaker...

Does anyone have a clue what's going on? It happens regardless of input termination, AC/DC coupling (!), trigger settings, or probe attenuation and bandwith settings. I tried adjusting the "Offset" parameter of the probe, but that just shifts the phosphor line, the wrong voltage values remain.

Luckily I was able to downgrade back to 100MHz and everything is back to normal  :phew:
« Last Edit: August 28, 2020, 08:41:43 am by VooDust »
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 639
  • Country: ca
Re: DPO3000 Hacks
« Reply #45 on: August 28, 2020, 10:18:48 am »
did you run SPC? That should take care of the dc offset. I think that's normal to happen. SPC is required after BW upgrade
 
The following users thanked this post: VooDust

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 256
Re: DPO3000 Hacks
« Reply #46 on: August 28, 2020, 11:00:28 am »
Back to the "ARMDEMO" thing: the parameter order was wrong, NumOfDays must be first. Somebody please verify:
Code: [Select]
:PASSW INTEKRITY
:ARMDEMO 30,DontMakeTheWookieMad
or:
:ARMDEMO 30,"DontMakeTheWookieMad"

This worked for me on a MDO4034-B scope!

Any ideas how to make it not expire in 30 days?

DPO4BND ?  :popcorn:
 

Offline VooDust

  • Contributor
  • Posts: 35
  • Country: ch
Re: DPO3000 Hacks
« Reply #47 on: August 28, 2020, 01:28:13 pm »
did you run SPC? That should take care of the dc offset. I think that's normal to happen. SPC is required after BW upgrade

First, thanks a lot for explaining. I did not know what SPC was or when to use it. I warmed the oscilloscope up and tried it a few times, but it always failed  :'( error log reported code 280 3 0 0, couldn't find any info about that.

However, I kept trying, turning off all other appliances in hopes to remove anything that could interfere with the process. Still failed, but, believe it or not, when I moved the oscilloscope to another room/power outlet, SPC succeeded!  :popcorn:

I'm very happy, calibration is spot on! In retrospect, in the past it was off by some tiny amount of mV, too, which bothered me but I didn't know why that was or what I could do.

See your reply, I executed SPC again, and it has been running for 4 hours, but it failed again.

Anyway, This at least proves that it has nothing to do with hacking , Maybe it is a device failure .

It's a year late but maybe this post is still of interest to you...  :horse:
« Last Edit: August 28, 2020, 01:30:43 pm by VooDust »
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 639
  • Country: ca
Re: DPO3000 Hacks
« Reply #48 on: August 28, 2020, 01:37:35 pm »
I have found (on other tek scopes, not this model here) SPC passing can be sensitive to room and device temperature.
I guess if the offset is too much SPC cannot compensate it and sometimes if the temperature is right the offset may come into a window that SPC can handle it. That's my guess...that's why SPC should be run frequently to keep the offset in a range that can be compensated.

But w.r.t. calibration, did you check the bandwidth? is it in fact >=500MHz?
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 1852
  • Country: pt
Re: DPO3000 Hacks
« Reply #49 on: August 28, 2020, 01:53:57 pm »
:HWAccountant(....)  -not work at all

If you mean that all other :HWAccountant commands don't work maybe it's because you have to be in manufacturer/factory mode for them to be accepted.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf