Author Topic: MDO3000 hacking  (Read 107520 times)

0 Members and 2 Guests are viewing this topic.

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 954
  • Country: ca
Re: MDO3000 hacking
« Reply #175 on: September 16, 2020, 12:35:12 am »
Hi
I know that 1GHZ option will not upgrade the BW without HW replacement but what exactly happens if one enables this option on a MDO30x4 ?
will the scope be out of cal? will it pass SPC? will is pass self test?
I dont care if the BW does not go higher than 500MHz but I would like to have the 5Gs/s sample rate
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 954
  • Country: ca
Re: MDO3000 hacking
« Reply #176 on: September 22, 2020, 09:47:42 pm »
I got my MDO3014 today and, thanks to the people in this thread, it is now liberated from all that marketing junk  :) :) :-+
I also upgraded the firmware to 1.30 (from 1.22) after the mod and then ran SPC

Before the mod, I measured the 3dB BW and it was actually around 250-260MHz  :o  did anybody notice that before?
After the upgrade it is 570-580MHz on all channels  >:D >:D :-+  the scope can trigger stably up to 700MHz

All other options also work. The SA works up to 3GHz and it is a very nice handy thing to have but it never replaces a real SA at all.
It has a pretty good noise floor and pretty accurate readings. However there are two visible spurs at 1.25GHz and 2.5GHz which is obvious why...

The integrated AFG is very very limited (no sweep and no modulation and low amplitude) clearly it is because they wanted to save their AFG market


However, I am still wondering what happens if 1GHz option is selected? Will the scope fail self test or SPC? Is it possible to exactly go back to the previous state (500MHz) with no consequence?
Did anybody ever try the 1GHz option?

I dont care about not reaching 1GHz but I want to have the 5Gs/s and <1ns/div. is that possible?

 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5313
  • Country: gb
Re: MDO3000 hacking
« Reply #177 on: September 23, 2020, 01:55:08 pm »
I dont care about not reaching 1GHz but I want to have the 5Gs/s and <1ns/div. is that possible?

IME not just by using the 1GHz or bandwidth upgrade options. I believe there's a hardware change on the analog board, but how the scope know I don't know. If you try to use the 1GHz or BW5T10 options for example, it just goes back to 100MHz on my MDO3014.
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 954
  • Country: ca
Re: MDO3000 hacking
« Reply #178 on: September 23, 2020, 01:59:30 pm »
I dont care about not reaching 1GHz but I want to have the 5Gs/s and <1ns/div. is that possible?

IME not just by using the 1GHz or bandwidth upgrade options. I believe there's a hardware change on the analog board, but how the scope know I don't know. If you try to use the 1GHz or BW5T10 options for example, it just goes back to 100MHz on my MDO3014.

oh, so you have tried it? so basically nothing happens and goes back to stock, right?


by the way when I was trying to measure the 3dB BW of the scope,  I realized that it is wrong to rely on the scope's RMS measurement reading. Only rely on the pk-pk reading or even better just rely on the pk-pk with your own eyes. The RMS measurement goes way off as the frequency is increased even way below the 500MHz, this measurement is not accurate anymore
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 954
  • Country: ca
Re: MDO3000 hacking
« Reply #179 on: September 23, 2020, 02:01:53 pm »
I thought only the front end is different than the 1GHz version but the acquisition parts are the same, i mean same ADC etc...so I was hoping to get the 5Gs/s at least...too bad
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 954
  • Country: ca
Re: MDO3000 hacking
« Reply #180 on: September 23, 2020, 02:37:31 pm »
I dont care about not reaching 1GHz but I want to have the 5Gs/s and <1ns/div. is that possible?

IME not just by using the 1GHz or bandwidth upgrade options. I believe there's a hardware change on the analog board, but how the scope know I don't know. If you try to use the 1GHz or BW5T10 options for example, it just goes back to 100MHz on my MDO3014.

probably there are some ID resistors that must be changed too...still I think the only difference must be just he front end, so 5gs/s should be possible...
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5313
  • Country: gb
Re: MDO3000 hacking
« Reply #181 on: September 23, 2020, 03:26:04 pm »
I thought only the front end is different than the 1GHz version but the acquisition parts are the same, i mean same ADC etc...so I was hoping to get the 5Gs/s at least...too bad

Yes, that's the analog board. Take a look at the service manual. The ADCs are on the main acquisition board.

Edit: see: https://youtu.be/VFX47ZGOn_o?t=1551

« Last Edit: September 23, 2020, 03:47:27 pm by Howardlong »
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5313
  • Country: gb
Re: MDO3000 hacking
« Reply #182 on: September 23, 2020, 03:45:14 pm »
I dont care about not reaching 1GHz but I want to have the 5Gs/s and <1ns/div. is that possible?

IME not just by using the 1GHz or bandwidth upgrade options. I believe there's a hardware change on the analog board, but how the scope know I don't know. If you try to use the 1GHz or BW5T10 options for example, it just goes back to 100MHz on my MDO3014.

probably there are some ID resistors that must be changed too...still I think the only difference must be just he front end, so 5gs/s should be possible...

This is different behaviour to the MDO4054C-SA6 I have, I can upgrade that to 1GHz & 5GSa/s by installing the appropriate options, and it works, however it displays a red error at the top of the screen about calibration which can be temporarily disabled, but it comes back on after a reboot.

MDO4000C upgrade to 1GHz:
Code: [Select]
gen.py MDO4054C C012345 500MHz DVM DDU AFG BW5T10 MSO TRIG EMBD COMP ENET USB PWR AUDIO AERO AUTOMAX LMT VID SEC

Edit: I have attempted a calibration on the MDO4000C but it gets stuck at one of the many dozen tests close to the end, and I don't have the right documentation to tell me where I might be going wrong.
« Last Edit: September 23, 2020, 03:55:29 pm by Howardlong »
 

Online uski

  • Frequent Contributor
  • **
  • Posts: 295
  • Country: us
Re: MDO3000 hacking
« Reply #183 on: November 02, 2020, 10:23:17 am »
Hi

Any idea if the source code given for the keygen would work on a modern 3-series MDO32 or MDO34 ?

Thanks
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: MDO3000 hacking
« Reply #184 on: November 02, 2020, 10:43:58 am »
Hi

Any idea if the source code given for the keygen would work on a modern 3-series MDO32 or MDO34 ?

Thanks

despite numerous similarities in the firmware, it doesn't (yet...)
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3211
  • Country: pt
Re: MDO3000 hacking
« Reply #185 on: February 26, 2021, 08:14:57 pm »
Any idea if the source code given for the keygen would work on a modern 3-series MDO32 or MDO34 ?

With the right AES key I don't see why not.  ;)
 
The following users thanked this post: analogRF

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 954
  • Country: ca
Re: MDO3000 hacking
« Reply #186 on: March 03, 2021, 06:24:21 pm »
Has anyone tried to use option MDO3BND (BND) instead of writing down all of them? I wonder how that looks like when it is enabled
currently the script does not recognize it as a valid option. Is there any workaround?

I also tried to make a MDO3BND app module but it seems the format (or maybe the eeprom) for MDO3K is totally different
than other models. I dont know how some people apparently made app modules for MDO3k but it didnt work for me
no matter which option I tried

is it just the format of the content being different? how?
 

Offline salviador

  • Regular Contributor
  • *
  • Posts: 95
  • Country: it
    • https://www.youtube.com/user/mancio92M
Re: MDO3000 hacking
« Reply #187 on: April 18, 2021, 11:16:24 am »
Excuse me.
How to get MDO34 AES key from 3-series FW?

do you have any news about it?
 

Offline Kualker

  • Newbie
  • Posts: 1
  • Country: pt
Re: MDO3000 hacking
« Reply #188 on: April 19, 2021, 08:50:57 am »
Just added the "fix" on a used 3034 with a bundle I bought and it worked!  :D
Thank you guys  :-+
 

Offline wp_wp

  • Regular Contributor
  • *
  • Posts: 59
  • Country: cn
Re: MDO3000 hacking
« Reply #189 on: August 11, 2021, 06:37:00 pm »
I write a C code to generate UID of MDO3 series scopes.
It was tested in WIN10 with tcc-0.9.27-win64-bin and tcc-0.9.25-win32-bin.
Welcome interested friends to download.
Usage:
Input scope model number and serial number according prompt.
Notice:
All letters are capitalized.
See the GenerateUID.c and GenUID.jpg.
« Last Edit: August 13, 2021, 08:29:10 am by wp_wp »
 

Offline luis garcia

  • Regular Contributor
  • *
  • Posts: 83
  • Country: es
Re: MDO3000 hacking
« Reply #190 on: August 30, 2021, 01:41:26 am »
The company i was working for has been sold to another company. They offered some spare material for purchase for workers and i have bought several tek scopes, one dpo, and three mdo. Except the DPO (which is high level) the other three are low range 100Mhz. These are the MDO3014, the MDO32 and MDO34. All of them were working when removed from production.
My main interest would be the MDO34. The official upgrade price is out my reach so my question is: is it possible to upgrade such system to say 500Mhz? The scope has already a lot of other features (bus analysis and afg) that came as a bundle with the original purchase. I have some expereience upgrading my own MDO3000 some years ago. Is this possible with the MDO34 too?

 

Offline brainstorm

  • Regular Contributor
  • *
  • Posts: 59
  • Country: au
Re: MDO3000 hacking
« Reply #191 on: November 15, 2021, 02:01:45 am »
root:$1$yAoxZ14J$A33l9FllNgGwk2s/GAjS8/:0:0:root:/root:/bin/sh

I wonder how far away from root/root this hash is, as we saw with Rigol MSO5000 in https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2011082/#msg2011082 ?
« Last Edit: November 22, 2021, 11:22:39 pm by brainstorm »
 

Offline RutskoyA

  • Newbie
  • Posts: 2
  • Country: ru
Re: MDO3000 hacking
« Reply #192 on: December 03, 2021, 12:19:32 pm »
I write a C code to generate UID of MDO3 series scopes.
It was tested in WIN10 with tcc-0.9.27-win64-bin and tcc-0.9.25-win32-bin.
Welcome interested friends to download.
Usage:
Input scope model number and serial number according prompt.
Notice:
All letters are capitalized.
See the GenerateUID.c and GenUID.jpg.
Hello!
Can you help me to activate. I go to menu, type the key that was generated by your script but have a message "Invalid license"
So how to use it. Please write step by step.
Thank you!
 

Offline wp_wp

  • Regular Contributor
  • *
  • Posts: 59
  • Country: cn
Re: MDO3000 hacking
« Reply #193 on: December 03, 2021, 01:09:01 pm »
I write a C code to generate UID of MDO3 series scopes.
It was tested in WIN10 with tcc-0.9.27-win64-bin and tcc-0.9.25-win32-bin.
Welcome interested friends to download.
Usage:
Input scope model number and serial number according prompt.
Notice:
All letters are capitalized.
See the GenerateUID.c and GenUID.jpg.
Hello!
Can you help me to activate. I go to menu, type the key that was generated by your script but have a message "Invalid license"
So how to use it. Please write step by step.
Thank you!
My code is not keygen.
It just generate UID.
 

Offline RutskoyA

  • Newbie
  • Posts: 2
  • Country: ru
Re: MDO3000 hacking
« Reply #194 on: December 03, 2021, 01:20:56 pm »
I write a C code to generate UID of MDO3 series scopes.
It was tested in WIN10 with tcc-0.9.27-win64-bin and tcc-0.9.25-win32-bin.
Welcome interested friends to download.
Usage:
Input scope model number and serial number according prompt.
Notice:
All letters are capitalized.
See the GenerateUID.c and GenUID.jpg.
Hello!
Can you help me to activate. I go to menu, type the key that was generated by your script but have a message "Invalid license"
So how to use it. Please write step by step.
Thank you!
My code is not keygen.
It just generate UID.

Oh, I understand, sorry.
Is keygen exist for MDO34?
 

Offline Finderbinder

  • Regular Contributor
  • *
  • Posts: 102
  • Country: lt
Re: MDO3000 hacking
« Reply #195 on: February 14, 2023, 08:36:58 pm »
How to enter generated key to MSO4032 ? There isn't possibility to enter something in "Manage modules & options" section.  :-//
This guide does not work:
https://www.tek.com/en/worldwide-page/how-install-and-access-dvm-option-your-mdo3000-series-product
It seems it should work differently than with MSO3000.
 

Offline Finderbinder

  • Regular Contributor
  • *
  • Posts: 102
  • Country: lt
Re: MDO3000 hacking
« Reply #196 on: February 16, 2023, 01:39:50 pm »
Resolved. The process is identical as with TDS3000B, even application modules are 100% identical.
 

Offline Finderbinder

  • Regular Contributor
  • *
  • Posts: 102
  • Country: lt
Re: MDO3000 hacking
« Reply #197 on: February 16, 2023, 05:40:33 pm »
Only I'm not sure about BW upgrade. Is it possible exactly for my model? I tried few methods without success  :-//
https://www.eevblog.com/forum/testgear/dpo3000-hacks/
this didn't work for me:

:PASSWord INTEKRITY
:SETMODELID 5
:HWAccountant:ACQBandwidth 500

MODELID have effect immediately (but only lasts till reboot).
ACQBandwidth no effect at all.

Anyone there who knows the right method? ???
 

Offline Gorden

  • Newbie
  • Posts: 1
  • Country: us
Re: MDO3000 hacking
« Reply #198 on: May 31, 2023, 02:31:12 am »
Hello,

Can you share as my MSO4104B also does not have the ability to enter a key.

Thank You
 

Offline luis garcia

  • Regular Contributor
  • *
  • Posts: 83
  • Country: es
Re: MDO3000 hacking
« Reply #199 on: June 06, 2023, 03:33:27 am »
Does Engineering Mode enabled still provide the "Backup" feature, after installing firmware 3.0 ??
I believe it was located in the "File Utilities"when Engineering Mode was enabled.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf