MDO3000 hacking

[kilohercas]

Today is a good day, i get my MDO3104 oscilloscope with AFG, SA, and MSO options. Based on my experience with MSO2000 i thought that MDO3000 will use simple 24C04 EEPROM. But this assumption was so wrong.

So first step was to take my hacked DPO2EMBD module, and write MDO3EMBD code. And what do you know, MDO3000 will recognize that i have option installed, but i can't move my license to scope, so i could apply another one. That was very strange. Since i have original MDO3000x series app modules, i simply dissemble it, and was expecting simple EEPROM, but no! It get very strange tek part number. I was trying to read it with STM32F429, but it was unresponsive ( 24C04 will have 0xA0 address ).

Next step , i soldered SDA, and SCL, and ground, so i could probe while MDO3104 will check eeprom. And what do you know, address is 0x8C. I google it, and is is very fancy protected EEPROM from Atmel, with advanced security options :-(

• Secure authentication and validation device
• Integrated capability for both Host and Client operations
• Superior SHA-256 Hash algorithm with Message Authentication Code (MAC) and Hash-Based Message Authentication Code (HMAC) options
• Best-in-class, 256-bit key length; storage for up to 16 keys
• Guaranteed unique 72-bit serial number
• Internal, high-quality Random Number Generator (RNG)
• 4.5Kb EEPROM for keys and data
• 512 OTP (One Time Programmable) bits for fixed information
• Multiple I/O options
• High-Speed, Single-Wire Interface
• 1MHz I2C interface

Part number ATSHA204

[abyrvalg]

A quick look into MDO3k firmware update package (outer .img is Linux EXT3 image file - use any EXT3 tool, inner filesystem.img file is SquashFS image - use 7-zip) reveals many interesting things: /usr_1/local/bin/scopeApp.imx6 is an unstripped ELF executable (all debug info like functions/vars names is there), there are functions like cmdSet_Cfg_fixedLicenseKey, there are some AES keys used to decrypt those LicenseKeys 

[kilohercas]

A quick look into MDO3k firmware update package (outer .img is Linux EXT3 image file - use any EXT3 tool, inner filesystem.img file is SquashFS image - use 7-zip) reveals many interesting things: /usr_1/local/bin/scopeApp.imx6 is an unstripped ELF executable (all debug info like functions/vars names is there), there are functions like cmdSet_Cfg_fixedLicenseKey, there are some AES keys used to decrypt those LicenseKeys 

I am no windows or Linux programmer, i don't know any of this stuff 

[tinhead]

A quick look into MDO3k firmware update package

actually they all (DPO/MSO 2000,3000,4000 x/B, GPIB-USB, more?) Linux based, sure different µC and FPGAs (if any) but executables are always with debug informations and fw contains lot of "tools".

[mikeselectricstuff]

Just because a chip has a load of security features, it doesn't necessarily mean they're all used, or used effectively - it's always worth a closer look....

[abyrvalg]

There is enough data inside the scopeApp to talk to ATSHA chip (there are even some keys to initialize a blank module), but it still requires lots of work to implement the protocol/crypto stuff. I would choose straight attacking the option keys check algo instead - this can be even easier. Quick disassembly suggests something like OptionKeyString=base64encode(AES({InstrumentId,OptionsMask,CRC})) with AES key hardcoded and clearly seen. Does anybody have a working option key sample to try decryption?

[kilohercas]

Does anybody have a working option key sample to try decryption?

I have MDO3PWR module. I can transfer license to scope, and after that, I can do what ever I whant with this module. Data should be the same,only part of data will indicate, that license is transferred.

[abyrvalg]

No, I mean different thing: there is some menu to enter an "option key" into the scope (look for "Please enter a valid option key by using the screen controls or a USB keyboard" text) to enable additional features:

Code: [Select]

Aerospace serial bus
Audio serial bus key
Automotive serial bus
Full Automotive serial bus
Computer serial bus
Embedded serial bus
Ethernet serial bus
FlexRay serial bus
USB serial bus
Limit/Mask test
Power analysis
RF triggering
HD and Custom Video
Calibration bit for manufacturing test
Beta release
Internal demo unit
Distribution Demo Unit
70MHz bandwidth
100MHz bandwidth
200MHz bandwidth
300MHz bandwidth
350MHz bandwidth
500MHz bandwidth
1GHz bandwidth
2GHz bandwidth
Upgrade bandwidth from 70MHz to 100MHz
Upgrade bandwidth from 70MHz to 200MHz
Upgrade bandwidth from 100MHz to 200MHz
Upgrade bandwidth from 100MHz to 300MHz
Upgrade bandwidth from 100MHz to 350MHz
Upgrade bandwidth from 100MHz to 500MHz
Upgrade bandwidth from 200MHz to 350MHz
Upgrade bandwidth from 200MHz to 500MHz
Upgrade bandwidth from 300MHz to 500MHz
Upgrade bandwidth from 350MHz to 500MHz
Upgrade bandwidth from 100MHz to 1GHz
Upgrade bandwidth from 200MHz to 1GHz
Upgrade bandwidth from 350MHz to 1GHz
Upgrade bandwidth from 500MHz to 1GHz
Digital Voltmeter
Arbitrary Function Generator
Mixed Signal Oscilloscope
Spectrum analyzer maximum input frequency
Security lockout
It should be possible to calculate these keys "at home" (symmetric cryptography there, no unknown RSA keys as in Agilent 2k/3k)

[kilohercas]

No, I mean different thing: there is some menu to enter an "option key" into the scope (look for "Please enter a valid option key by using the screen controls or a USB keyboard" text) to enable
It should be possible to calculate these keys "at home" (symmetric cryptography there, no unknown RSA keys as in Agilent 2k/3k)

i could give example related to my serial number and Digital Voltmeter option that is free, and yes, it is enabled by code. But i don't know will all functions will work this way, since application modules is usually needed for activating bus decode and so on. same for logic analyzer, spectrum analyzer, and AFG and yes, i have them all ( because why do they bother to make application module upgrade via eeprom, if they could generate code like Agilent, ok for DM option is obvious, only code for single scope, but bus decode and triggers could be used between different scopes, only tric is not at the same time.)

[abyrvalg]

I've just, ehm, found this link http://rghost.ru/download/57060583/0486bdb3f37075a5e1bb5ef3017f9218eb7c0e67/mdo3kgen.zip in a pastebin entry that had self-destructed on Ctrl-C 

[Carrington]

I've just, ehm, found this link http://rghost.ru/download/57060583/0486bdb3f37075a5e1bb5ef3017f9218eb7c0e67/mdo3kgen.zip in a pastebin entry that had self-destructed on Ctrl-C 

Woow nice discovery! 

[TiN]

I wonder if similar exists for older TDS7000 series or DPO7xxxx

[kilohercas]

And it works

[Le_Bassiste]

And it works 

hmmm...
1) your 1st pic says that  the eval period will expire on aug, 20th. wonder whether  the *options* will survive that date. more so, because these options require a hardware dongle to work. or, did you manage to key in the license numbers instead of using the dongles?

2) the 2nd pic shows all *upgrades* are enabled, which seems plausible. did you manage to check the MSO upgrade for functionality? is it by any means useful without having the dedicated logic probe? or did you buy the probe?


cheers!

[mikeselectricstuff]

And it works 

hmmm...
1) your 1st pic says that  the eval period will expire on aug, 20th. wonder whether  the *options* will survive that date. more so, because these options require a hardware dongle to work. or, did you manage to key in the license numbers instead of using the dongles?

Is that maybe just showing that any options with a "!" next to them are temporary?

[Le_Bassiste]

yes, the exclamation mark at the bottom is meant to be an explanantion for exclamation marks that may exist at the beginning of the lines in the options list (at least so on MSO20xx scopes). i wouldn't take the absence of the exclamation marks as a proof of the hack to work properly, though.

[kilohercas]

Since scope is new, out of the box, it has trial period for all modules. It will show exclamation mark to modules that are not installed, but enabled by trial mode. Since i hacked all of them, it still shows that i have some trial time left, but all modules already enabled, so it can't show exclamation mark



Just example from some forum, exclamation mark is showing not installed, but active trial decode options

For MSO,you can make cable yourself, is similar to PCI connector, and it use 16 micro coax cables to end probes, so you could solder just some wires, it will work, since only one bit of resolution.

[Le_Bassiste]

thx for clarifying kilohercas, especially on the logic probe connector.

[EEVblog]

I've just, ehm, found this link http://rghost.ru/download/57060583/0486bdb3f37075a5e1bb5ef3017f9218eb7c0e67/mdo3kgen.zip in a pastebin entry that had self-destructed on Ctrl-C 

Access to the file is restricted: copyright violation.

That was quick?

[tinhead]

copyright violation? the keygenerator has been NOT developed by Tektronix, so how can they claim that?

The AES key and option keys/values are in clear text visible, there is no need to "reverse" anything, therefore nothing
what one could "protect with anti-reverse copyright" whatsoever crap.

It is funny that Tektronix is veeeeery slow when goes to GPL violation or GPL source publishing, but that fast to claim
copyright on code that they haven't developed. There are keygen sources inside, not a single line belongs to Tektronix.

[HAMERMAN409]

From readme2.txt in the src.zip file:
Use validate.exe to extract options lists from option keys you have
Example: validate.exe 9R66P-69MNQ-7EPRD-PHSQ6-W9DDY-B

Not fully understanding this - seems like "validate.exe" and "gen.exe" are tools you would run on a PC. How would "validate.exe" be able to get data from option keys? Is this assuming the scope is connected to the PC?

[es]

You need to have Python installed on your PC.

Skip the validate.py step, it's unnecessary.

On your PC, use gen.py with, as arguments, your scope model and serial number along with the wanted bandwidth and options.

python gen.py <model> <serial> <bandwidth> <options>

[tmbinc]

Oh, so they finally switched to the AES version now? They've been using their custom "SSC" crapto up until recently.

But - since when did the eevblog forum became a keygen exchange platform?

I think it's one thing to hack around crippled hardware and restore functionality that's existing in hardware, but I distinctively feel that distributing tools that are enabling software features that usually sell for $$$ is not ... right. This may not be a popular opinion, I apologize.

This is not an issue of copyright. It's a matter of publicly supporting and encouraging the usage of unlicensed software. For me that crosses an (admittedly fuzzy) line.

[tinhead]

But - since when did the eevblog forum became a keygen exchange platform?

it's not and it will never be. The attached python script is example script of how something can be evaluated,
it does not use any Tektronix code or what so ever. It does not have keygen look&feel, etc. When i publish
a security hole somewhere, and validation script, then that didn't means that i posted trojan horse, here is similar.

This is not an issue of copyright.

right

It's a matter of publicly supporting and encouraging the usage of unlicensed software.

i think Dave mentioned many times how he think about crippled functions, this is not that the python script will
enable "Tektronix serial decoding module" on an e.g. Lecroy (that would be unlicensed), it will only enable what
already on my Tektronix and what i already paid for.

[tmbinc]

Ah, you paid for the serial decoding feature?

Nevermind then. I thought this script enabled features which were not initially enabled (i.e. you didn't pay for). My bad.

[tinhead]

My bad.

no problem

Ah, you paid for the serial decoding feature?
Nevermind then. I thought this script enabled features which were not initially enabled (i.e. you didn't pay for).

yes id did, i paid for what the engineer designed an DSO with all the features enabled. What later has been done by
some marketing people, honestly i don't care about. It is not that i'm changing something, nor installing something,
all i'm doing is to remove "marketing-sticker" from engineering tool 

[trevwhite]

So can I ask and I do not have one so more just curious to understand what is going on in this thread but have these scopes now been hacked to upgrade bandwidth?

[es]

I really don’t want to start a philosophical debate but I can’t resist to answer.

But - since when did the eevblog forum became a keygen exchange platform?

For manufacturers the bottom line is theoretical loss of revenues. It’s clear that the EEVBlog forum has generated a lot of business for Rigol, FLIR and others by popularizing theses hacks.

I think it's one thing to hack around crippled hardware and restore functionality that's existing in hardware

You seem to make a distinction between hardware and software features, I wouldn’t. Hardware is backed by software and vice-versa. It’s all come down to disabled features in crippleware that are enabled back by the rightful owner of the product.

I distinctively feel that distributing tools that are enabling software features that usually sell for $$$ is not ... right.

Considering your work on the FLIR E4, I find your position is arguable in this case. One could argue that it’s not "right" to get an E8 when you pay for a E4.

For me that crosses an (admittedly fuzzy) line.

For me, the line not to cross would be to sell these hacks/upgrades for profit. In the end, each have to decide for himself what is fair.

I favour hackable products, in my case I bought a $4000 scope from Tek and a $1000 E4 from FLIR that I wouldn’t have bought otherwise. That will be followed by further business for Tek such as probes, accessories, etc.

[tmbinc]

If selling a more capable device for less money will make more financial gain (vs. revenue), then it's up to the vendor to do so. We don't have any sales numbers, we did not do the market research other than a poll in a forum full of hacker engineers, and really, it's not our choise to make. Raising the opinion that the vendor would be better off in making their products cheaper is a valid opinion, but does not justify taking "intellectual property" (do I really have to use this word?) and making it free for everybody to use.

I feel there is a distinction between a feature initially was available, and that the vendor then crippled (forced downsampling, bandwidth limitations, noise overlay, memory depth limitations), and between features that had been developed for the sole purpose of selling them (like protocol decoders). The protocol decoders didn't came for free - Tek invested money to develop those only _because_ their "marketing" (wouldn't it rather be sales?) department told them that there's a market for those.

If you look carefully at my E4 hack, they will enable the updated resolution and disable the noise generator, but will not enable the other "improvements" for E8.

I apologize again for my unpopular opinion, and I agree that we should not start a philosophical debate here.

All I want to avoid is giving Tektronix more reasons to actually strip out functionality, and making it harder to obtain firmware upgrades. (For example, they could chose to only let you download after you registered - would THAT be really helpful? It's already hard to get OS reinstallation images, why do you want to make it hard to get actual firmware?)

After all, I _do_ enjoy the additional features very well. But there's a difference between doing this privately and publishing this. It will just provoke a reaction, which - imho - would be well-deserved and should not surprise anyone.

[Motelec]

Well , anyone  have more info about how hack the mdo3000 ? 

[mk_]

Well , anyone  have more info about how hack the mdo3000 ?

you can find all related informations and urls here on eevblog. And yes, that phyton-stuff worked fine.

[Spikee]

So... if one buys the TEKTRONIX  MDO3014  OSCILLOSCOPE, 4CH, 100MHZ, SPEC ANALYSER and uses the keys than he/she as a full option scope with the 3Ghz spectrum analyzer and all digital protocol analyzers including 300/400/500Mhz bandwidth ?

I'have been looking for a spectrum analyzer and a better scope (upgrade from Rigol DS-2072) for a while ....

Rigol products are ... ok but not as good as Keysight? / tek
Also the models I need/want are way out of my price range ...

[Motelec]

Yes i know , but i have some questions , How you can enter the key ? in what part of the menu ? The another question is if you have a MDO3014 can be upgraded to AFG by key also ? or only applies to bus options line usb , can etc... ?

[Spikee]

In the MDO3000 documentation somewhere down is shows which option can be unlocked and which can't.

[mk_]

So... if one buys the TEKTRONIX  MDO3014  OSCILLOSCOPE, 4CH, 100MHZ, SPEC ANALYSER and uses the keys than he/she as a full option scope with the 3Ghz spectrum analyzer and all digital protocol analyzers including 300/400/500Mhz bandwidth ?

I repeat: yes.

Read the MDO3000-related threads here on eevblog. Take care for the attachments in these threads

[ptpsd]

Do you know if this works on the new firmware 1.14 too?

[mk_]

Do you know if this works on the new firmware 1.14 too?

I don`t know, running here V1.10 since 12/2014 without problems. If you try it - pls. report it here in this thread.

[Motelec]

Yes I am running 1.14 firmware and works 

Some interesting points , the MDO3VID , the MDO3TRIG and the MDO3AUTOMAX? this options aren't sold by tek, but are in the firmware ? are this a secret features ?

[kaz911]

Do you know if this works on the new firmware 1.14 too?

I don`t know, running here V1.10 since 12/2014 without problems. If you try it - pls. report it here in this thread.

As I can't / won't comment on what works with special keys I can tell you that Tek firmware is downgrade-able if things does not work. How to force a downgrade is in their firmware release notes (put a file on the USB drive called "forceupgrade.txt") as far as I remember but check the documentation.

My MDO3012 runs 1.14 and I'm very happy with it.

[j_hallows]

Wonder if this work with the DPO3000 and MSO3000 series also, (previous generation)?

Only bandwidth would be upgradeable I guess though because there was no way to transfer license in these units.

[Lunasix]

For MSO/DPO 2000, 3000 and 4000, I have tested with eeprom containing the name of function, and it works ! And with last software version of 3000 and 4000 series (which contains new functions), you don't need to leave the key in the scope.

[blacknoise]

So... if one buys the TEKTRONIX  MDO3014  OSCILLOSCOPE, 4CH, 100MHZ, SPEC ANALYSER and uses the keys than he/she as a full option scope with the 3Ghz spectrum analyzer and all digital protocol analyzers including 300/400/500Mhz bandwidth ?

I repeat: yes.

Read the MDO3000-related threads here on eevblog. Take care for the attachments in these threads

Again (a BIG SORRY, if i'm wrong!): are the MDO3 (not: MSO) options really supported by the keygen?

When i add the options "MDO3AFG", "MDO3MSO", "MDO3SA" and/or "MDO3SEC to the "gen.exe" commandline, the keygen responds: "Unknown option".

And i think this feasible, as no MDO[3xxx] option is mentioned in the python files or the readme of the keygen package.

Many thanks for any enlightenment!

Kind regards

[abyrvalg]

blacknoise, just drop "MDO3" prefix, use AFG, MSO, SA, SEC. These are just symbolic names used in gen.py to assemble a binary mask which goes to the scope inside a key. No names in the keys.

[blacknoise]

blacknoise, just drop "MDO3" prefix, use AFG, MSO, SA, SEC. These are just symbolic names used in gen.py to assemble a binary mask which goes to the scope inside a key. No names in the keys.

Hi abyrvalg,

MANY thanks for teaching a blind fool a new trick! 
I only tried the "combined" option key names (like MDO3AFD) as i found them in the scopes datasheet...

Now i used a small batch file to try different combinations. For example:

Code: [Select]

@echo off
cls
gen.exe MDO3012 C123456 1GHz AFG MSO PWR SA SEC TRIG USB VID > mykey.txt
echo.
echo Key value:
echo.
type mykey.txt
echo.
echo.|set /p =validate.exe > valkey.bat
type mykey.txt >> valkey.bat
echo.
call valkey.bat
del valkey.bat

...and checked the generated keys with "validate.exe" (i still do not own a MDO3xxx). Regarding the batch files output:

Code: [Select]

Key value:
QN5KJ-B78ZD-W8F76-X4HS7-TF3XC-A

This key is for UID: 1F 11 70 64 23 3B
Key is valid, active options:
1GHz    1GHz bandwidth
SEC     Security lockout
USB     USB serial bus
AFG     Arbitrary Function Generator
MSO     Mixed Signal Oscilloscope
SA      Spectrum analyzer maximum input frequency
PWR     Power analysis
VID     HD and Custom Video
TRIG    RF triggering

...everything ist ok.

[TopLoser]

Wow, that worked remarkably well on my £1700 RS pricing cockup MDO3104 that just arrived...

Just make sure you use uppercase for the model number and serial number (MDO3104 C123456 for example) otherwise you get a key that seems ok but doesn't get recognised.

[SeanB]

At least there you definitely got a bargain Ian. Now you can afford the probes for channel 2 as well.

[TopLoser]

At least there you definitely got a bargain Ian. Now you can afford the probes for channel 2 as well.

I hope it was a bargain, I bought 3 of them before they 'discontinued' the special offer!!

Good thing about buying the 1GHz version is that it comes with 4 x 1GHz probes as standard. Those things have a list price of £723 EACH ffs!!

http://uk.farnell.com/tektronix/tpp1000/passive-probe-1ghz/dp/1856713?ost=TPP1000&categoryId=700000037505

[SeanB]

Bet RS is not happy with you, you probably cost them the profit for a week. Wonder if there is suddenly a vacancy on the web side........

[TopLoser]

Thought about asking Farnell to price match, can't imagine that would have ended well though! I did get to know Farnells 'buy in' price for them though, there's not a lot of profit even when they sell them at £9,600...

[666]

Hi, my first post here. 

I am confused with options of :
xxxMHz bandwidth
Upgrade bandwidth from xxxMHz to xxxMHz

What are the difference?

And from the manual ("1 GHz upgrades require Tek Service installation and option IFC...", on page 15) and also the following video at 2:10 to 2:30
https://www.youtube.com/watch?t=130&v=VFX47ZGOn_o

The 1GHz option needs to send to service centre for hardware change.
And MDO3000 max bandwidth is 1GHz, so what is the meaning of 2GHz option
for the key?

And can the key be changed or removed?

[MaxwellsSilverHammer]

Hi, my first post here. 

I am confused with options of :
xxxMHz bandwidth
Upgrade bandwidth from xxxMHz to xxxMHz

What are the difference?

And from the manual ("1 GHz upgrades require Tek Service installation and option IFC...", on page 15) and also the following video at 2:10 to 2:30
https://www.youtube.com/watch?t=130&v=VFX47ZGOn_o

The 1GHz option needs to send to service centre for hardware change.
And MDO3000 max bandwidth is 1GHz, so what is the meaning of 2GHz option
for the key?

And can the key be changed or removed?

Yes, that is correct on some models, for example the 100MHz 3000 model is upgradeable to 500MHz. Beyond this you need to send it in for a hardware upgrade to get 1GHz.

Yes, you can downgrade based on the options you select.

[klaus11]

According to data sheet no distinction between models, if the instrument is less than 1GHz must go through SC.Upgrade 500MHz 2.5GS/s 

"lnslrument bandwidth can be upgreded on any MD03000 Series product after initial purchase. Each
upgrede product inaeases
analog bandwidlh and spaclrum analyzer frequency renga. Bandwidlh upgredes are purchased basad on
the combination of lhe current bandwidth and the desired bandwidth. Bandwidth upgrede products
include new analog probes if applicable. Software oplion key products depend on inslrument model
and serial number oombinalion. Bandwidth upgredes up to 500 MHz can be performed in the field,
while upgrades to 1GHz requireinstallation at a Tektronix service center."

[_Sync_]

Did somebody look at how to activate the debug console?

There is evidence that you can activate one through GPIB. Also there seems to be a physical serial port hidden inside the unit, I suppose they are on the IDC headers. I think there is still a bit more to explore in those scopes....

[AlefSin]

Hi,

I found some good promotions for MDO3014 on few websites. So to be clear, all I need is the python script plus the procedure documented here to enter the key?

http://www.tek.com/worldwide-page/how-install-and-access-dvm-option-your-mdo3000-series-product

If yes, then all I need is a set of 500 MHz probes

[TopLoser]

Yes, very quick and simple. Plug in a USB keyboard to make it even easier because the generated key is quite long!

[Howardlong]

Is anyone aware of the hardware makeup of the LA probe option (MDO3MSO) on this scope?

For example. is it active, or a passive solution similar to the Agilent/Keysight 54620-61601 pods? The loading looks almost identical (100k//8pF) if that's anything to go by, but I fear that's seems to be a semi-standard LA probe loading specification.

[TopLoser]

It's the connector that seems to be the main problem, very deeply recessed. Send one to Fraser/Aurora and get it xrayed to confirm what's lurking inside?

[Howardlong]

It looks like the option is a liberation stick plus a P6316 probe. If that's the case, the probe on its own is 1/3 the price of the liberation stick plus probe option.

[TopLoser]

You can buy the probe on its own? That's interesting... please confirm if you manage to order one.

[TopLoser]

I've bought a few new ones for £300 ish from Farnell, they didn't come with anything other than the probe and grabbers.

[Howardlong]

I've bought a few new ones for £300 ish from Farnell, they didn't come with anything other than the probe and grabbers.

That was where I looked for pricing between the MDO3MSO and just the P6316, I am sure a man of your position is able to organise a reasonable discount anyway ;-)

[TopLoser]

I've bought a few new ones for £300 ish from Farnell, they didn't come with anything other than the probe and grabbers.

That was where I looked for pricing between the MDO3MSO and just the P6316, I am sure a man of your position is able to organise a reasonable discount anyway ;-)

I felt like I was being anally raped paying almost punter prices! Send me a pm if you can't get a discount elsewhere.

[Howardlong]

I haven't decided to get the scope yet! Farnell out of stock of the MDO3014 for a couple of months it would appear.

It's not like I need another scope, but that hasn't stopped me before.

[nctnico]

I don't see how the MDO3000 can match up with the Agilent MSO7104 you have. 

[Howardlong]

I took a P6316 MSO/LA probe apart this afternoon. This is a 16 channel probe designed to work with a number of Tek MSO/MDOs, including the MDO3000 with the MSO option. It can be purchased either with the appropriate option or on its own separately from the MSO option.

http://www.farnell.com/datasheets/1797423.pdf

In the short space of time I've used it on the MDO3000, there are pros and cons.

On the plus side, the cable has colour coded pins adhering to the resistor colour code with just tiny ring clips on each probe end, rather than larger markings sometimes used which get in the way when probing closely spaced and/or dense connections. The 10Mpts is pretty good, I was looking at > 22,000 frame listing of 16 bytes of 50MHz SPI earlier today.

On the negative side, the length of the probe leads isn't great if you operate the scope above your monitor rather than on the bench as I do, it's a choice of either having the cable get in the way in front of the monitor, or try to dress it around the side but then the DUT is placed a bit inconveniently. The sample rate on the digital side on the MDO3000 is marginal for me, at 500MSa/s, occasionally I do look at clock rates just beyond 200MHz in the digital domain. Most irritating is the sluggishness of the scope particularly when dealing with long record lengths. Sluggishness seems to be the order of the day though, even something simple like moving traces up and down has a very noticeable lag on this scope, but I digress.

Back to the P6316 Digital Probe.

It comprises of a scope connector (40 pin 0.8mm pitch double sided PCB), then two separate ~84cm 8 channel cable pairs to the logic probe interface 2x8 pin 0.1" receptacle. I assumed they were each individually coaxially screened, but on closer inspection there was no visible evidence of this, although the cables are glued down impeding better viewing: they look simply to be twisted pair. Finally there's a short "Lead Set", part number 196-3508-00, for each 8 channel cable, comprising of a 2x8 pin 0.1" mating jack, two 8cm ground leads and eight 15cm probe leads.

Taking each part apart demands some patience with a selection of spudgers. The cases are all two part, and the halves are glued together with a small amount of super glue, so care is needed. The enclosures on the main cable aren't too hard to prise apart but the "Lead Set" box I had to put in a spare 0.1" 2x8 mating receptacle to get enough purchase with the spudgers to prise the halves apart without bending the pins.

Inside the scope end connector there's nothing other than a PCB with the cables connected. Good so far.

Inside the enclosure at the other end, there's a small passive circuit comprising of two resistors and a capacitor for each channel.

For the Lead Set, there is nothing component-wise.

I also checked to see if there was anything not quite so obvious, as can be the case in scope probe voodoo. It turns out that the 84cm cable has an inline 200 ohm DC resistance on the signal connections, and the 15cm leads on the Lead Sets have a 100 ohm DC resistance. All ground returns are zero ohms.

I would imagine that it would be possible to be able to fabricate a board up to make an old LA probe work reasonably well, the impedance matching and 10:1 factor seem to be similar features between this and Agilent LA probes such as the venerable 54620 probes that are still very common today and are still used on current Keysight MSOs. You might even get away with fabricating an entire probe, but that inline resistance is in there for a reason, there's a really old Tek document about it somewhere that I can't locate right now, but it's also covered here http://www.dfad.com.au/links/THE%20SECRET%20WORLD%20OF%20PROBES%20OCt09.pdf. I don't know if the Agilent/Keysight probes have this distributed resistance too, they do have a fancy woven cable on the two examples I have so I wouldn't be surprised.

Teardown...

Scope connector, nothing much to see here other than 0.8mm pitch, double sided PCB connector.


Top of scope connector is for group 2 inputs, D8-D15


Bottom of scope connector is for group 1 inputs, D1-D7


Top of one of the two probe ends of scope lead, showing the three passives.


Bottom of one of the two probe ends of scope lead: the "B" was written on by me, but the soldering is a bit "how you doin'"


Top of the "Lead Set"


Bottom of the Lead Set for completeness, I didn't take this bit apart, too much glue to take off and re-apply.


DaveCAD

[Carrington]

Yeah! Take it apart!

Edit:

It is a coaxial cable!    Isn't a twisted pair?

I assumed they were each individually coaxially screened, but on closer inspection there was no visible evidence of this, although the cables are glued down impeding better viewing: they look simply to be twisted pair.

Sorry, it was the excitement. 


Very similar to Agilent LA probes:



No idea about the cable resistance.

[Howardlong]

If anyone's in the market for the ACD3000 soft carry case for the MDO3000, there are a couple of demo ones left at substantial discount (£92 down from £186 ex VAT) at http://www.sjelectronics.co.uk, product code "ACD3000/DEMO". Still not "cheap", but then neither is the scope.

[Howardlong]

This is a link to that old Tek article (from 1969) that I referred to that talks about using lossy coax http://www.davmar.org/TE/TekConcepts/TekProbeCircuits.pdf

[coflynn]

The sample rate on the digital side on the MDO3000 is marginal for me, at 500MSa/s, occasionally I do look at clock rates just beyond 200MHz in the digital domain.

Did you look at the MagniVu feature too? While it limits your number of samples considerably (I think 10k), you get around 8GS/s sample rate according to their literature. Curious how well it works in practice, don't have the probe set/option enabled to try out myself.

[Howardlong]

The sample rate on the digital side on the MDO3000 is marginal for me, at 500MSa/s, occasionally I do look at clock rates just beyond 200MHz in the digital domain.

Did you look at the MagniVu feature too? While it limits your number of samples considerably (I think 10k), you get around 8GS/s sample rate according to their literature. Curious how well it works in practice, don't have the probe set/option enabled to try out myself.

This is a good point, and as I've delved further into this scope, it's been largely a case of swings and roundabouts. The 500MS/s has been sufficient for what I've used it for so far in the few days I've had it, so I haven't needed to use MagniVu, but I understand it only works within 10k pts of the trigger. Whether that's a limitation practically for me I don't know yet, and to be fair it is only occaionally I would benefit from an LA sampling rate over 500MSa/s.

I've been making a quite extensive list of pros and cons on this scope, I'll do a post on it soon, but for now here is the worst and best thing...

Worst has to be the UI, is Tek incapable of coming up with an intuitive and performant UI on a DSO? The last of the Tek analogue scopes were just so good in this respect (apart from understanding some of those lesser used delayed timebase modes). But the DSOs apart from the entry level units have never been well organized or responsive in my experience. The MDO3000's UI is quite modal, lacks consistency and frequently obscure the trace with unnecessary windows.

What is the best thing about it I found so far? The VESA mount at the back! I have the scope on a quick release gas spring monitor arm and can position it anywhere on the bench, and take up no desk space. Awesome, all TE of this form factor should have a VESA mount as standard IMHO.

[steffenmauch]

Can someone tell me how I can activate the DEBUG console via GPIB or how to get the real signals from a header inside the scope?

[G33KatWork]

There is a debug shell on the MDO3000, but be careful what you do there! You may delete your calibration data.

Connect to the GPIB Shell on Port 4000 using telnet or netcat.

Code: [Select]

:PASSWord INTEKRITY
:MFG:MODe 1
:MFG:MODe?The last command should return a 1. This indicates, you are in MFG-Mode. You can leave it again with the parameter 0 when setting the mode.
You can also leave it via the menu: Utility -> Self test -> Error Log -> Manufacturing Mode -> Off.

There is an even more privileged mode which gives you a few more menus. The engineering mode. Once you enabled the MFG-Mode, go to: Utility -> Self test -> Warm Up Timer & Monitor -> Engineering Mode -> On
Doesn't gain you that much I think, it's been a while since I enabled it.

Anyway, a more interesting feature in MFG-Mode is the debug shell. You can reach it via telnet on port 1072.
If you want to execute Linux commands, you can do so on this shell if you redirect stdout and stderr beforehand:

Code: [Select]

utilConsoleRedirect 1 1
utilConsoleRedirect 2 1
After that you can execute arbitrary commands (replace spaces with a backslash):

Code: [Select]

utilShell cat\/proc/cmdline
I've been reversing the Tek-Firmware for quite some time now.
I also reversed their boot procedure and misused their updating mechanism to create a USB-stick from which the scopes boots with an ssh server and all that jazz. It's almost unbrickable now (as long as I don't touch the bootenv, u-boot or the kernel) and I have a backup of all the sensitive data like the calibration data and so on. The USB-stick thing is not something you need if you don't know exactly what you do, to be honest.

Please be careful with everything you do. The possibility for a brick is pretty high and I'm not going to fix your stuff!

edit: Oh, I think that there is a feature in the engineering mode in the File Utilities to make a backup of your filesystem on an USB-stick. But when I looked at the code, it does the weirdest things. While doing the backup, it ERASES the calibration data. After the backup, the calibration data is restored from the backup. So again: BE CAREFUL. If you cannnot resist the urge to hit that button, DO NOT TURN OFF YOUR SCOPE! Wait for the operation to finish!

The best thing to do is to disassemble the firmware and look at every command before you execute it, so that you know at least roughly know what it does.

[steffenmauch]

Well thank you very much.
I do not want to execute commands in the shell instead I want to see the debug strings which are visible in the binary.
I hope to find some hints about the checksum of the 1-wire chip of the passive probes.
Or do you know the mechanism or where to start digging?

[Howardlong]

The sample rate on the digital side on the MDO3000 is marginal for me, at 500MSa/s, occasionally I do look at clock rates just beyond 200MHz in the digital domain.

Did you look at the MagniVu feature too? While it limits your number of samples considerably (I think 10k), you get around 8GS/s sample rate according to their literature. Curious how well it works in practice, don't have the probe set/option enabled to try out myself.

The MagniVu feature I tried yesterday. It does indeed take the sampling down to a 121ps period (an impressive 8.2GSa/s), but at the expense of memory: only 10k points are used around the trigger pont, there is nothing else displayed, so it's a case of either using 10k points MagniVu or up to 10Mpts 500MSa/s, but not both att he same time. In practical terms I don't see this as a problem for what I do, becuase if I'm digging into that sort of time granularity I'd be looking at things like setup and hold times which don't often need deep memory. For long serial decodes, there's typically no need for >500MSa/s. The scope slows down markedly when in MagniVu, in particular when zoomed, which is going to be a very typical use case. I am not sure why this slowing down occurs, as I understand it MagniVu is a real time hardware oversampling technology, not software.

Typically when using MagniVu you'll notice significantly less jitter on the edges. In retrospect, it's a nice additional feature, but as with a lot of things on this scope, when you start digging into the detail, it becomes quite modal, in other words you can use a given feature x, but not at the same time as feature y. In this case, you get 8.2GSa/s sample rate but only with a maximum 10kpts.

[Romedp]

All hello!
Excuse for my English.
I want to buy MDO3014. I have the "mdo 3k gen" file (compiled).
In the menu of an oscillograph there are two lists of options:
1 Application Modules (MDO3AERO,MDO3AUDIO, MDO3AUTO etc.)
2 Options (MDO3AFG,MDO3MSO, etc.)
I don't understand their difference. What can I activate keys and what I can't?

[G33KatWork]

The application modules are modules to be inserted into the scope. As long as it is present, the feature of the module is activated. You can remove the module and use it in another scope. You can also copy the license to a scope and later back to a module.
The options are bound to *one specific* scope. As soon as you activated it, you can't transfer it to another scope.

The keygen just activates everything (except the 1GHz Bandwidth-Option - you need another frontend for that). You don't need to care.

[Howardlong]

To add to what has already been stated, if you choose to use the script

Code: [Select]

python gen.py MDO3014 C123456 500MHz AERO AFG AUDIO AUTOMAX COMP DVM EMBD ENET FLEX LMT MSO PWR SA TRIG USB VID AUTO SEC

replacing C123456 with your serial number, that is all you need. Note that some of these options like ENET don't add anything of value.

It's a bit confusing, but there is no need for any physical modules, Tek have two concurrent licensing models, one with the physical modules (that can be moved between scopes) and one without. The script above requires no physical modules.

The probes are still limited to 250MHz, but they are pretty good probes, only 3.9pF loading. There is some information on these probes here https://www.eevblog.com/forum/testgear/tektronix-probes-tpp0250-and-tpp0500b-whats-the-difference-teardown-time

Information on the LA probe for MSO use is here https://www.eevblog.com/forum/testgear/mdo3000-hacking/msg765377/#msg765377.

Under Windows, use the 2.7 Python as the latest 3.x fell over with the script. In addition there is a pycrypto toolkit required.

[Howardlong]

I was getting a tad frustrated today when I had the scope crash on me a couple of times, at the same place. I've narrowed it down to the following steps, and they're completely repeatable.

o Boot up
o Default Setup
o Trigger Menu
o Select trigger Source D0 digital channel for trigger (digital channels do not need to be showing)
o Select trigger Type
o Turn Multipurpose A counter clockwise down the list

Crashed. Sometimes mine crashes at Pulse Width, sometimes at Timeout trigger type. Needs a cold boot.

Firmware is v1.20, dated 13 May 2015, I believe this is the latest firmware.

Anyone else care to confirm whether or not they're seeing this feature?

Edit: there are entries in the Error Log (Utility, Self Test, Error Log) for each of these occasions.

[TopLoser]

I have an MDO3000 series scope that crashes if I repeat those steps, same firmware 1.20

[Howardlong]

The only way around this I could find is to temporarily set the source to an analogue channel first before selecting the appropriate trigger type.

Typically, the use case for me has been SPI, using the /CS falling edge on a digital channel as a trigger first then using a bus trigger to select specific SPI frames: hardly an uncommon scenario.

I guess I'll just have to remember to switch the trigger source for now, it's mighty irritating though when the scope just hangs in the middle of things and you have to spend five minutes rebooting it, and setting it up all over again: not good for your workflow. A bit surprised to see this in a Tek scope to be honest, maybe that Danaher Business System is a bit to much about processing inefficiencies out and lean operating, but not enough about common sense and taking care. But to be fair, these days understanding and maintaining intangibles like reputation that won't fit on a spreadsheet is a difficult concept to your average MBA.

[Howardlong]

Here's a vid showing the MDO3000 crash/hang I found in Firmware 1.20.

[startronic]

So... if one buys the TEKTRONIX  MDO3014  OSCILLOSCOPE, 4CH, 100MHZ, SPEC ANALYSER and uses the keys than he/she as a full option scope with the 3Ghz spectrum analyzer and all digital protocol analyzers including 300/400/500Mhz bandwidth ?

I repeat: yes.

Read the MDO3000-related threads here on eevblog. Take care for the attachments in these threads

Hello friend you could help me with my MDO3014, do not know how to use the python script,

[startronic]

You need to have Python installed on your PC.

Skip the validate.py step, it's unnecessary.

On your PC, use gen.py with, as arguments, your scope model and serial number along with the wanted bandwidth and options.

python gen.py <model> <serial> <bandwidth> <options>

Hello friend you could help me with my MDO3014, do not know how to use the python script,

[luisprata]

startronic,

I'll help you. I`ve bought a MDO3014 and it didn't arrived yet. But I think I could help you. I`ll send you a pvt msg.

PS: I`m brazilian too. Valeu.

[Howardlong]

You need Python 2.7 installed and the python.exe in your path. (Unless you explicitly state where it is on the command line)

[startronic]

startronic,

I'll help you. I`ve bought a MDO3014 and it didn't arrived yet. But I think I could help you. I`ll send you a pvt msg.

PS: I`m brazilian too. Valeu.

Thank you, my already arrived is a beautiful machine, I have a MSOX3024T, more like a lot of the TEKETRONIX machines, have not compared the two most superficially and are equivalent.
The script could already solve, and have a good friend here in Brazil Forum.
Hugs, thank you
Muito

[startronic]

You need Python 2.7 installed and the python.exe in your path. (Unless you explicitly state where it is on the command line)

Thank you friend, for the tip, already managed to work, my mdo is already full, thanks

[kappa_am]

Hi all,
I have bought an MDO 3014 with P6316 probe. These cost me a fortune still all needed functions are not available. Not only I am out of money, also, I feel assaulted. I need MSO feature. could you please help me to unlock this function.

Your help is appreciated.

[natman69]

An used MDO3012 is on my way… 
I've read the messages of Howardlong regarding the crash/hang of his scope.
A new firmware (1.22) was recently published by Tektronix and maybe it fixes this problem even if it's not explictly listed in the fixed bug list.

I'll receive the MDO next week and I'll test the new firmware asap… 

http://www.tek.com/oscilloscope/mdo3012-software-4

v1.22 3/30/2016
Enhancement:
- Added control for readout transparency

Defects Fixed:
- Fixed an issue with CAN bus and zoom with large numbers of packets
resulting in slow performance for pan across record
- Fix an issue where DVM DC Autorange would not settle properly
- Fixed "flicker" between RF manual and peak markers when they
overlap
- Fixed an issue with manual markers not displaying in the correct
location on Frequeny Domain Reference waveforms
- Fixed an issue with Peak markers not working if Stop Frequency was
greater than maximum frequency range
- Fixed an issue with recalling Frequeny Domain Reference waveforms
not drawing in the correct position
- Fixed an issue with channel 4 waveforms saving to Reference when
saving after a single sequence acquisition
- Fixed issue with frequency domain math waveforms being improperly
converted to dBm during save to .csv files
- Fixed issue with Save All with multiple frequency domain traces
causing overwritten data values
- Improved save operation where frequency domain waveforms are
previewed
- Fixed a case where frequency domain units did not match the saved
data by forcing all RF trace data to be saved as dBm
- Fixed an issue where RF saved setups would not properly recall
vertical units
- Fixed an issue with saved References not allowing very small
vertical scales
- Fixed a case where completing an acquisition with Roll Mode on
Long Records could result in the first portion of the waveform
being overwritten
- Fixed an issue with RMS measurement with vertical position moved
away from center screen
- Fixed an issue where measurements would not complete after undoing
an autoset
- Fixed an issue with NPULSECOUNT measurement type not counting
correctly
- Fixed an issue with immediate measurement on math when stopped
- Fixed a case where math units for absolute value were being cleared
- Fixed an issue with attachments for ePrint
- Fixed an issue with AC Coupled Trigger losing trigger with
vertical position changes
- Fixed an issue with a legacy command 'HARDCOPY STARt'
- Fixed an issue with where pan range was locked in zoom mode
- Fixed an issue where an Application Error could appear with Roll
Mode, 5M records, and HiRes acquisition modes. Under these
conditions, acquisition trigger mode is forced to Normal
- Fixed an issue with RF Pre-Amp always downloading cal constants
on attach
- Fixed an issue where RF Pre-Amp is in the wrong state on re-attach
- Fixed incorrect value displayed for digital sample rate
- Fixed an issue where Signal Path Compensation could fail if
run after Diagnostics. An instrument reboot is recommended after
running Diagnostics
- Improved edge trigger alignment for MagniVu on digital channels

Known Issues:
- Previewed spectrum data may save previewed header values instead of
acquired data. This can result in incorrect save file data.
To workaround: save frequency domain waveforms prior to
making changes to horizontal or vertical parameters
 

[Howardlong]

I just did the firmware update, the crash still occurs. Firmware options are persisted.

[natman69]

My used MDO3012 has arrived

It was loaded with 1.10 firmware. I tested it to see if the bug was present also in this early firmware version and it freezed...
So this bug was present from the beginning and it wasn't never fixed by Tektronix (maybe it was never submitted to the support desk?)

[G33KatWork]

I can't reproduce the bug at all.

I did it exactly like in the video and it just doesn't crash. Also variants with different channels or bus decoders enabled or disabled didn't trigger a lockup.
Same on Version 1.22 and 1.20.

[Howardlong]

I can't reproduce the bug at all.

I did it exactly like in the video and it just doesn't crash. Also variants with different channels or bus decoders enabled or disabled didn't trigger a lockup.
Same on Version 1.22 and 1.20.

It is only when changing the trigger on a digital channel, can you confirm it was a digital channel you were changing the trigger on?

[G33KatWork]

It is only when changing the trigger on a digital channel, can you confirm it was a digital channel you were changing the trigger on?

Yes. D0.
I just tried a few other digital channels as trigger sources. Same thing. It does not lock up.

• Default Setup
• Trigger Menu
• Set Source to D0
• Select type and scroll through the list
• Scope doesn't crash
• ???
• Profit

[Howardlong]

Interesting! You've got a special one! You're the first I've heard whose scope isn't afflicted.

Do you know about how old it is? I am wondering if there's been a board change of some sort down the line.

[G33KatWork]

It is exactly one year old now.
There is no manufacturing date on the back unfortunately.

It's an MDO3014 with a bandwidth "upgrade" to 500MHz and all the other stuff. It's not much different from other scopes I guess.

I really wanted to get a coredump or some debug messages out of the scope when it crashes and have a look. And now the thing doesn't crash. I'm a bit sad

[Howardlong]

Perhaps my work patten is unique, but the sequence seems a reasonable thing to do.

I'm sitting there one day debugging an SPI or I2C bus using the digital channels, I'd only just received the scope a day or two earlier. I use the digital channels, and because I don't fully know what I'm looking for yet I use an edge trigger rather than a bus trigger to get started.

Once I delve a little deeper, I realise I need a more selective trigger, and that's when I found the feature. At the time I didn't realise what the sequence of events were, but once it'd crashed half a dozen times over a few days I realised there was a pattern.

Anyway, I don't consider it an edge case, it's a reasonably common scenario as far as I'm concerned.

But it's strange that it now appears to be inconsistent between examples of the same model.

Mine's about six monts old, but like you I don't know what the manufacturing date is or the hardware level.

The entire UI crashes: the waveform stops and I can no longer access the screen via a browser, although the scope's browser homepage still responds. I can reproduce the fault through the browser interface, but if use the "medium" skip arrow when selecting the trigger type, it doesn't crash. It sems that it's the Runt selection that's doing it (whihc makes no sense for a digital channel anyway).

[es]

I can reproduce the crash on mine. MDO3014 unlocked with firmware v1.22. It does it even if I stop the scope before changing the trigger Type.

There is an error logged in Utility/Self Test/Error Log:

41: 20 0 320 User Interface ... plus date and time

[Howardlong]

Some news:

I believe that this crash is caused by the TRIG option...... let's put it this way, I no longer get the crash if I remove the TRIG option.

[es]

I believe that this crash is caused by the TRIG option...... let's put it this way, I no longer get the crash if I remove the TRIG option.

Make sense, AUTOMAX, ENET, VID and TRIG are not valid options and should probably be omitted.

Check this: https://forum.tek.com/viewtopic.php?t=138432

[G33KatWork]

Funfact: ENET kinda is a valid option but not really at the same time.

The code for Ethernet analysis and triggering is in the firmware. I still need to figure out how to actually enable it, because the license key alone is not sufficient.
Didn't have the time to look closer at this yet.

[natman69]

I've noticed that a new firmware was released a couple of months ago.

http://www.tek.com/oscilloscope/mdo3012-software-4

I've installed it and all works as always...

v1.24 10/19/2016
New Features:
- CAN FD support added to MDO3AUTO

Enhancements:
- Expanded decode event table from 800 to 4000 maximum entries

Defects Fixed:
- Fix issue with file download in e*Scope
- Fix issue with CAN number of data bytes not being limited to actual
number of supported bytes based on selected Trigger When condition
- Fixed an issue where old waveform data is not cleared after
a Default Setup
- Fixed an issue where histogram on math is reset when stopped
- Fix a case where CAN Missing Ack at end of frame with an end of frame
error will trigger but does not decode or search
- Fix .CSV timestamp resolution for large records
- Fix case where changes to horizontal scale when stopped and using
large records would result in the waveform being cleared on screen
- Fix a case where scope would transition to PreVu when entering zoom
mode after running for a long period of time
- Fix a case where loading setups with screen cursors on may result
in an error reported from processing the setup file
- Fix a case where, in some settings, waveforms would appear in dots only
- Fix an issue with USB bus CRC calculation for a zero length data packet

[snoopy]

Is it possible to upgrade a 100MHz MDO3014 to 1GHz with software upgrade or do you need to send it back to Tektronix for a hardware mod ?

[onesixright]

Is it possible to upgrade a 100MHz MDO3014 to 1GHz with software upgrade or do you need to send it back to Tektronix for a hardware mod ?

You can goto 500 Mhz via software, for the last step it needs to be send back (replacing some h/w).

[Alphatronique]

Hi

for 500 to 1GHz  Tek remplace the ATTENUATOR Board and re-calibrate the whole thing  , since ADC was on main board
whit luck if you enable the 1Ghz  it work but out of calibration for all over 500mhz

what make me very curious is that if you look the late model of MDO4000  the RF section of  attenuator board  now look very similar to one in MDO3000

and if you peek a view into  v1.24 firmware it have nice find

 aSpectrumAnal_2 DCB "Spectrum analyzer 3GHz maximum input frequency",0
 aSpectrumAnal_3 DCB "Spectrum analyzer 6GHz maximum input frequency",0

definitively something to try

same for  a2ghzBandwidth  DCB "2GHz bandwidth",0   

ok seem that scope read attenuator PN and not let you put 1GHZ on a 500MHz unit        start to look how software read board ID ?

also the new DPO like "FastAcq" was bit a joke    ,in that mode all signal > 100mhz start to look like a collection of Dot
even on 20 year OLD TDS754D was able to see a perfect clean signal in DPO mode whit 1GHZ sinus on it input

[snoopy]

Hi

for 500 to 1GHz  Tek remplace the ATTENUATOR Board and re-calibrate the whole thing  , since ADC was on main board
whit luck if you enable the 1Ghz  it work but out of calibration for all over 500mhz

what make me very curious is that if you look the late model of MDO4000  the RF section of  attenuator board  now look very similar to one in MDO3000

and if you peek a view into  v1.24 firmware it have nice find

 aSpectrumAnal_2 DCB "Spectrum analyzer 3GHz maximum input frequency",0
 aSpectrumAnal_3 DCB "Spectrum analyzer 6GHz maximum input frequency",0

definitively something to try

same for  a2ghzBandwidth  DCB "2GHz bandwidth",0   

ok seem that scope read attenuator PN and not let you put 1GHZ on a 500MHz unit        start to look how software read board ID ?

also the new DPO like "FastAcq" was bit a joke    ,in that mode all signal > 100mhz start to look like a collection of Dot
even on 20 year OLD TDS754D was able to see a perfect clean signal in DPO mode whit 1GHZ sinus on it input

What does it look like on the TDS754D in DPO mode ?

cheers

[es]

also the new DPO like "FastAcq" was bit a joke    ,in that mode all signal > 100mhz start to look like a collection of Dot
even on 20 year OLD TDS754D was able to see a perfect clean signal in DPO mode whit 1GHZ sinus on it input

The scope is sampling at 2.5Gsps giving one sample each 0.4 ns, as seen in the screenshot. Turning on FastAcq/Persistence disable the Sinc interpolation, that's why the dots are disconnected horizontally.

[euphoria2002]

Keygen link down.

Please repost.

[euphoria2002]

Keygen link down.

Please repost.

Solved. All good!

[TopLoser]

Hi,

Is this hack still relevant. I want to buy MDO3014 and enable 500mhz bandwith spectrum analyzer and mso options if possible (too much to ask ?)

Yes it still works. On my desk I have a new MDO3024 that has all options plus 500MHz enabled and includes a digital pod and 4 x Tek 500MHz probes.

[TopLoser]

Hi,

Is this hack still relevant. I want to buy MDO3014 and enable 500mhz bandwith spectrum analyzer and mso options if possible (too much to ask ?)

Yes it still works. On my desk I have a new MDO3024 that has all options plus 500MHz enabled and includes a digital pod and 4 x Tek 500MHz probes.

Bro you made my day. I downloaded the src file in the first page of this post and attached to this reply(is this enough or need another version). I have python 2.7 intalled and added to path. I cannot download PyCrypto.

Could you help me please with the steps.  I really need it

Can’t remember what I downloaded and installed, I first did this maybe 2 years ago, don’t remember any problems downloading or installing anything and I had never used Python before.

PM me with your scope serial and model number and I’ll give you the licence code for all options enabled

[eliocor]

to install pycrypto you have only to digit (once) the following command*:

Code: [Select]

pip install pycrypto
and the library module will be installed.

And PLEASE do not call me 'Bro/mate/...' or whatever else!!!

*) assuming Python was correctly installed

[darkstar49]

a while ago, there was a helpdesk joke going around...

A guy who just bought a PC called the helpdesk because he couldn't get it to work, and after an hour or so doing his best, the helpdesk employee told the guy: "you're totally right, there's definitely something wrong here..., put it back in its packaging and bring it back to the shop"...
And the guy asked: "OK, but what should I tell them ??"...
... you guessed it... the guy from the helpdesk said "tell them you're just too stupid to use it..." 

No... jokes aside, developers love to say "it was hard to write, it should be hard to read/use !"...

[eliocor]

Quote from: ssdflash01 on Today at 21:20:36

Gives code. Do not know if works since i do not buy the scope yet. Hope it does


It works.... very well

[TopLoser]

Worked with latest firmware 2 months ago

[darkstar49]

a while ago, there was a helpdesk joke going around...

A guy who just bought a PC called the helpdesk because he couldn't get it to work, and after an hour or so doing his best, the helpdesk employee told the guy: "you're totally right, there's definitely something wrong here..., put it back in its packaging and bring it back to the shop"...
And the guy asked: "OK, but what should I tell them ??"...
... you guessed it... the guy from the helpdesk said "tell them you're just too stupid to use it..." 

No... jokes aside, developers love to say "it was hard to write, it should be hard to read/use !"...

I have done lots of c, java coding 2d game development with swift and plus python coding in embedded linux designs which i developed my self with uboot buildroot bootstrap plus linux kernels plus hardware and pcb design but have never used python shell with external library that was seeing another version in my library as its source and i sorted it out anyway. You learn new things everyday. I do not see how this is not knowing the pc usage. I might not described it well but sorry kid i am not the guy go put jokes on idiots like yourself.

You surely can be proud of all that, there's just one thing missing: some sense of humor...
And btw, I'm nor your kid, nor your brother...

[Simon]

a while ago, there was a helpdesk joke going around...

A guy who just bought a PC called the helpdesk because he couldn't get it to work, and after an hour or so doing his best, the helpdesk employee told the guy: "you're totally right, there's definitely something wrong here..., put it back in its packaging and bring it back to the shop"...
And the guy asked: "OK, but what should I tell them ??"...
... you guessed it... the guy from the helpdesk said "tell them you're just too stupid to use it..." 

No... jokes aside, developers love to say "it was hard to write, it should be hard to read/use !"...

I have done lots of c, java coding 2d game development with swift and plus python coding in embedded linux designs which i developed my self with uboot buildroot bootstrap plus linux kernels plus hardware and pcb design but have never used python shell with external library that was seeing another version in my library as its source and i sorted it out anyway. You learn new things everyday. I do not see how this is not knowing the pc usage. I might not described it well but sorry kid i am not the guy go put jokes on idiots like yourself.

You surely can be proud of all that, there's just one thing missing: some sense of humor...
And btw, I'm nor your kid, nor your brother...

and you need to bear in mind that english is not everyones first language, have you tried humor in a language you are not fully fluent in ?

[ssdflash01]

I got one question left,

When i am first time activating mdo3014 from 100mhz to 500mhz with every possible options will i write 500MHz or BW1T5

python gen.py MDO3014 C123456 500MHz AERO AFG AUDIO AUTOMAX COMP DVM EMBD ENET FLEX LMT MSO PWR SA TRIG USB VID AUTO SEC

python gen.py MDO3014 C123456 BW1T5 AERO AFG AUDIO AUTOMAX COMP DVM EMBD ENET FLEX LMT MSO PWR SA TRIG USB VID AUTO SEC

[TopLoser]

500MHz

[G33KatWork]

Do NOT include TRIG!
This causes your scope to crash on trigger selection.

Only really enable the options for which a real one is available.

[ssdflash01]

Do NOT include TRIG!
This causes your scope to crash on trigger selection.

Only really enable the options for which a real one is available.

Is it still causing that problem. Could you list the ones i should enable if not problem for you like in below

python gen.py MDO3014 C123456 500MHz AERO AFG AUDIO AUTOMAX COMP DVM EMBD ENET FLEX LMT MSO PWR SA TRIG USB VID AUTO SEC

[G33KatWork]

Remove TRIG and ENET.

TRIG causes crashes
ENET doesn't do anything
Unsure about AUTOMAX. Seems to exist only for the 4000 series

Just check Tek's docs about the buyable options and try it by yourself.

[ssdflash01]

Remove TRIG and ENET.

TRIG causes crashes
ENET doesn't do anything
Unsure about AUTOMAX. Seems to exist only for the 4000 series

Just check Tek's docs about the buyable options and try it by yourself.

Thank you. I want to ask one last thing.

I do not have experience with oscilloscope base logic analysis. Without trigger, how does it work. Do i have to capture with single capture or is it capturing for some amount of time so i will zoom and pan to those captured let say 20 separate transmissions. If so, then i can easily debug without triggering function right since as far as i know trigger is capturing for specific events' occurrence.

[G33KatWork]

You can trigger on digital channels.

The TRIG *option* doesn't exist. It has nothing to do with how you trigger. Maybe there was something planned by Tek and abandoned, maybe it's left over from the porting effort of the software.

[mk_]

FWIW:

I did the FW-update from 1.10 to 1.26 some days ago, all options - enabled via script @ FW1.10 - are still enabled

[r0d3z1]

about bandwidth upgrade, is is possible to bring the scope back to the original setup ?
For example "python gen.py MDO3014 C123456 500MHz" convert the 100MHz to 500MHz. After that, could I bring it back to 100MHz with "python gen.py MDO3014 C123456 100MHz" ?
What is the difference between the options "500MHz" and "BW1T5" ?

[startronic]

Hello people

I need some help with an MDO3014.
I made the upgrade, as described here in the forum, to 3054, but my firmeware is 1.20, I want to update to 1.26, you know if you lose the options installed in this way, and if you have to do it again in firmeware 1.26

[Howardlong]

Hello people

I need some help with an MDO3014.
I made the upgrade, as described here in the forum, to 3054, but my firmeware is 1.20, I want to update to 1.26, you know if you lose the options installed in this way, and if you have to do it again in firmeware 1.26

You just update the firmware, the options remain, at least in my experience. I successfully updated to 1.26 a couple of months ago, it was from 1.24 in my case.

[startronic]

Good morning people.
I took courage and made the update from 1.20 to 1.26.
The options installed were completely 

[mk_]

OK, PLEASE MR.  WERE IS IN THE FORUM THIS UPGRADE ?

it`s not so difficult to read this thread carefully...

[LUIZ_ALVES]

BOM DIA
VOCE FEZ  ATUALIZAÇÃO RECENTEMENTE ?
ESTOU NAMORANDO UM MDO3014
GRATO
LUIZ

[LUIZ_ALVES]

MANY THANKS mk_

[LUIZ_ALVES]

Now I was excited to buy my MDO3014
Mr Satartronic, if possible give me your ZAP
 

[startronic]

Olá amigo

Já fiz faz um ano ou um pouco mais, mais está tudo descrito aqui no fórum

[LUIZ_ALVES]

Ok
Mas apareceu assim pra mim:

Re: MDO3000 hacking
« Reply #128 on: June 08, 2018, 11:26:12 pm »
Say ThanksReplyQuote
Good morning people.
I took courage and made the update from 1.20 to 1.26.
The options installed were completely 

Logo pensei que fosse resultado de ontem   certo  ?

[startronic]

Não

Ontem fiz o up date de firmware que estava 1.20 foi para 1.26

A instalação dos opcionais já fiz quando comprei ele, já faz um tempo já

[LUIZ_ALVES]

A tá   agora entendi... criou coragem ontem   hehehehe
Estou pretendendo comprar essa maquina por R$ 19.000,00   em lugar de um RTB2004 da Rohde...
Pela possibilidade de upgrade "mais barata"  estou decidindo pelo MDO3014
Grato pela atenção e se puderes mande o ZAP pelo meu email.

[startronic]

amigo pode me enviar um mp,  qual quer duvida, gosto muito do mdo3014, já tenho ele faz uns 2 anos , tinha também um MSO3022T,  mais acho o tek  superior

[tautech]

Can I remind you this is an English forum.
You'd be best advised to share email addresses via PM and correspond with each other directly and privately.

[startronic]

ok...
Sorry my freind

[startronic]

Hello guys
can you tell me if this method also works for mdo400 line

[abyrvalg]

startronic, https://www.eevblog.com/forum/testgear/someone-has-hacked-mdo4000c/
Summary:
- MDO4kC - yes
- MDO4kB - different approach (console): upgrade bandwidth by model id change, turn on demo mode to enable all options (needs to be repeated every year).

[Nebulex]

Does anybody know if it is possible to get the calibration data back? I screwed the MDO3014 up while trying to activate the 1GHz option without having the appropriate hardware inside the scope. 

[Nebulex]

Does anybody know if it is possible to get the calibration data back? I screwed the MDO3014 up while trying to activate the 1GHz option without having the appropriate hardware inside the scope. 

It was not the 1GHz option that screwed it up. It was the AFG option. After removing the AFG option the calibration was back. So it looks like the AFG option is for whatever reason out of calibration and if activated lets the oscilloscope look like uncalibrated.


Gesendet von iPhone mit Tapatalk

[r0d3z1]

It was not the 1GHz option that screwed it up. It was the AFG option. After removing the AFG option the calibration was back. So it looks like the AFG option is for whatever reason out of calibration and if activated lets the oscilloscope look like uncalibrated.

good to know. How is going with the 1Ghz upgrade ?

[darkstar49]

It was not the 1GHz option that screwed it up. It was the AFG option. After removing the AFG option the calibration was back. So it looks like the AFG option is for whatever reason out of calibration and if activated lets the oscilloscope look like uncalibrated.

good to know. How is going with the 1Ghz upgrade ?

up to now, it seems granted that 1GHz needs a h/w change... so unless a similar hack as for the TDS series exists, there's NO 1Ghz update trick for the MDO3K...

[Nebulex]

Darkstar49 is right. The 1GHz option does not work.


Gesendet von iPhone mit Tapatalk

[lavadisco]

Anybody have an updated link for the keygen?

[TopLoser]

Read the thread - 20th post.

[lavadisco]

Whoops, totally missed that! Thank you.

[lavadisco]

Just as another data point: I was able to enable all the upgrades on my MDO3012 today, including AFG without losing calibrations, and then update the firmware from 1.12 (I think?) to 1.26. The upgrades remained and all is well.

[reynomj]

Recently was given a MDO3104  with firmware 1.26, "key.py" could only enable "Instrument Options" received invalid code whenever tried to enable "Application Modules"

Downgrade to firmware to 1.24, "key.py" could then enable all "Instrument Options" and "Application Modules"

Upgrade firmware to 1.30 all options & modules retained.

[darkfrog]

Has anyone gotten this to work with the MSO3000 series? I started taking a look at the software disassembly and it seems like it has the same AES encryption functions as the MDO3000.

Perhaps the two are simply one AES key apart then?

[r0d3z1]

as far as I rembember, MSO is supported....you have to use MSO3014 in the scope model....

[volvo_nut_v70]

Found this on the web, instruction was to change the extension to 7Z

[hhappy1]

Found this on the web, instruction was to change the extension to 7Z

Wow~ Thank you sir. Please.

You will be blessed. 

New mdo3 series is available?  I hope it's possible.

[BH3XON]

I have seen the post several times，But I still don't understand how to hack it.

I think the problem is that I don't know how these gen commands are sent to the oscilloscope.

USB? LAN? mod firmware？

told me, anyone, thank you!

[BH3XON]

as far as I rembember, MSO is supported....you have to use MSO3014 in the scope model....

Hi!

Have you successfully hack it?

I have seen the post several times，But I still don't understand how to hack it.

I think the problem is that I don't know how these gen commands are sent to the oscilloscope.

USB? LAN? mod firmware？

Can you help me ？thank you!

[RomDump]

I have seen the post several times，But I still don't understand how to hack it.

I think the problem is that I don't know how these gen commands are sent to the oscilloscope.

USB? LAN? mod firmware？

Can you help me ？thank you!

I don't own this product but a brief overview of what the tools does. By entering the Serial Number of your Tektronix MDO3000 into the application attached previously in the message thread, it will generate option keys which you must manually enter into the Oscilloscope. See this link on entering option keys into the oscilloscope.

[BH3XON]

I don't own this product but a brief overview of what the tools does. By entering the Serial Number of your Tektronix MDO3000 into the application attached previously in the message thread, it will generate option keys which you must manually enter into the Oscilloscope. See this link on entering option keys into the oscilloscope.

Oh, I see！thank very much!

Unfortunately, My model is DPO3014, and its interface is somewhat different.

Push Install Option on the side menu：

“All upgrades for this oscilloscope must be performed by an authorized Tektronix Service Center . Push Menu Off to remove this message . ”

Maybe related to the firmware version? The current version is V2.40.

Thank you for your reply!

[RomDump]

Unfortunately, My model is DPO3014, and its interface is somewhat different.

There is another thread in unlocking the MSO/DPO3000 however depending on your serial number you can only unlock the bandwidth with an option key. See link

For features to be unlock, you have to enter some GPIB commands to enable them for 30 days or put in a hacked Module.

[BH3XON]

Unfortunately, My model is DPO3014, and its interface is somewhat different.

There is another thread in unlocking the MSO/DPO3000 however depending on your serial number you can only unlock the bandwidth with an option key. See link

For features to be unlock, you have to enter some GPIB commands to enable them for 30 days or put in a hacked Module.

Thank you for your reply！

My oscilloscope serial number is C01XXXX, But can also use GPIB command to hack.

At present, I found a bug, and the Signal Path Compensation will fail after the hack.

All in all, a success by the method you provided, thanks again！

[analogRF]

I've just, ehm, found this link http://rghost.ru/download/57060583/0486bdb3f37075a5e1bb5ef3017f9218eb7c0e67/mdo3kgen.zip in a pastebin entry that had self-destructed on Ctrl-C 

Hi abyrvalg

could you please let me know how this tool can be downloaded? or if possible pm it to me?

thanks

[volvo_nut_v70]

See reply 154.

[analogRF]

See reply 154.

thanks 

damn it, how could I miss that 

[transio]

Hello everyone ,

I am new to the EEVblog forum.

I'm doing a bit in analog electronics or digital but I'm a donkey in computer software installation.

can i be explained how to install: pycrypto-2.6 on python-2.7.17.amd64.

I downloaded the following files:
pycrypto-2.6.1-CP35-none-win_amd64.whl
pycrypto-2.6.win32-py2.6.exe.asc

but the installation stops right from the start and asks me: "python version 2.6, which was not found in the registry."

it must be python 2.6 version and not 2.7?

regards,
Pierre

[transio]

problem solved .
I did not download the good pakage, it must be:  pycrypto-2.6.win-amd64-py2.7.

[supperman]

Has anyone compared the hardware between the 500mhz MDO3k and the 1Ghz version? Is it just the analog board? Or just the 2.5gs vs 5.0gs? I can't imagine that they would replace the main board in an upgrade. I bet it is simpler than that... Would love pictures if anyone has them.

[r0d3z1]

Has anyone compared the hardware between the 500mhz MDO3k and the 1Ghz version? Is it just the analog board? Or just the 2.5gs vs 5.0gs? I can't imagine that they would replace the main board in an upgrade. I bet it is simpler than that... Would love pictures if anyone has them.

Interesting question, here is the picture of dave teardown https://www.flickr.com/photos/eevblog/with/12979022035/

[supperman]

Nice.. and I happen to have a "500mhz" one.. do I open it? Did someone do this already?

[supperman]

Right off the bat I see lots of missing capacitors on the front end board.. interesting...

I know people tried to upgrade to 1ghz.. and did not succeed.. what precisely happened in that case? Probably an ID thing on aboard? Sample rate AND analog issues?

[supperman]

Just a note of caution... I was looking at firmware updates and noticed that ALL firmware files have been "touched" according to the date stamp on the Tek website. (They all list "Last Update: Tuesday, November 12, 2019") which I'm not sure I had seen before.. Probably nothing to worry about..

Anyone have a way to see if anything changed in the older ones.. and if so what?

[supperman]

Has anyone compared the hardware between the 500mhz MDO3k and the 1Ghz version? Is it just the analog board? Or just the 2.5gs vs 5.0gs? I can't imagine that they would replace the main board in an upgrade. I bet it is simpler than that... Would love pictures if anyone has them.

I finally opened my MDO3014. Bad news.. the analog front end board is completely different. There is of course a chance that it is just a new revision.. but there are no resistor networks or any obvious ways to change the ID of the board. There seem to be a Jtag header (not soldered) but someone braver than me would need to check that out. Given how different the board is I think that there are diminishing returns here.. It would probably just get you 5GS/s at some compromised bandwidth.. probably around 700mhz.. at best. (on 2 channels)

All other boards seem identical to the 1Ghz model including the main board.. (including all chip stickers / IDs)

[VDD]

Hi all. Do somebody tryed to do same on 5000 series (DPO5034) Tek?

[voicu]

Hello
I found you post regard Tektronix MSO/MDO 3000
My scope model is   MSO3014 and after i update to firmware 2.40 missing the trace and when the scope power on show the model screen after that the image is corrupted like ( pc video card corrupted)
I wold like to return on previous firmware just for see if is some difference.
what is the procedure for downgrade the firmware or if is possible to reinstall the scope software ?

Thank you in advance 

[analogRF]

Hi
I know that 1GHZ option will not upgrade the BW without HW replacement but what exactly happens if one enables this option on a MDO30x4 ?
will the scope be out of cal? will it pass SPC? will is pass self test?
I dont care if the BW does not go higher than 500MHz but I would like to have the 5Gs/s sample rate

[analogRF]

I got my MDO3014 today and, thanks to the people in this thread, it is now liberated from all that marketing junk 
I also upgraded the firmware to 1.30 (from 1.22) after the mod and then ran SPC

Before the mod, I measured the 3dB BW and it was actually around 250-260MHz    did anybody notice that before?
After the upgrade it is 570-580MHz on all channels    the scope can trigger stably up to 700MHz

All other options also work. The SA works up to 3GHz and it is a very nice handy thing to have but it never replaces a real SA at all.
It has a pretty good noise floor and pretty accurate readings. However there are two visible spurs at 1.25GHz and 2.5GHz which is obvious why...

The integrated AFG is very very limited (no sweep and no modulation and low amplitude) clearly it is because they wanted to save their AFG market


However, I am still wondering what happens if 1GHz option is selected? Will the scope fail self test or SPC? Is it possible to exactly go back to the previous state (500MHz) with no consequence?
Did anybody ever try the 1GHz option?

I dont care about not reaching 1GHz but I want to have the 5Gs/s and <1ns/div. is that possible?

[Howardlong]

I dont care about not reaching 1GHz but I want to have the 5Gs/s and <1ns/div. is that possible?

IME not just by using the 1GHz or bandwidth upgrade options. I believe there's a hardware change on the analog board, but how the scope know I don't know. If you try to use the 1GHz or BW5T10 options for example, it just goes back to 100MHz on my MDO3014.

[analogRF]

I dont care about not reaching 1GHz but I want to have the 5Gs/s and <1ns/div. is that possible?

IME not just by using the 1GHz or bandwidth upgrade options. I believe there's a hardware change on the analog board, but how the scope know I don't know. If you try to use the 1GHz or BW5T10 options for example, it just goes back to 100MHz on my MDO3014.

oh, so you have tried it? so basically nothing happens and goes back to stock, right?


by the way when I was trying to measure the 3dB BW of the scope,  I realized that it is wrong to rely on the scope's RMS measurement reading. Only rely on the pk-pk reading or even better just rely on the pk-pk with your own eyes. The RMS measurement goes way off as the frequency is increased even way below the 500MHz, this measurement is not accurate anymore

[analogRF]

I thought only the front end is different than the 1GHz version but the acquisition parts are the same, i mean same ADC etc...so I was hoping to get the 5Gs/s at least...too bad

[analogRF]

I dont care about not reaching 1GHz but I want to have the 5Gs/s and <1ns/div. is that possible?

IME not just by using the 1GHz or bandwidth upgrade options. I believe there's a hardware change on the analog board, but how the scope know I don't know. If you try to use the 1GHz or BW5T10 options for example, it just goes back to 100MHz on my MDO3014.

probably there are some ID resistors that must be changed too...still I think the only difference must be just he front end, so 5gs/s should be possible...

[Howardlong]

I thought only the front end is different than the 1GHz version but the acquisition parts are the same, i mean same ADC etc...so I was hoping to get the 5Gs/s at least...too bad

Yes, that's the analog board. Take a look at the service manual. The ADCs are on the main acquisition board.

Edit: see: https://youtu.be/VFX47ZGOn_o?t=1551

[Howardlong]

I dont care about not reaching 1GHz but I want to have the 5Gs/s and <1ns/div. is that possible?

IME not just by using the 1GHz or bandwidth upgrade options. I believe there's a hardware change on the analog board, but how the scope know I don't know. If you try to use the 1GHz or BW5T10 options for example, it just goes back to 100MHz on my MDO3014.

probably there are some ID resistors that must be changed too...still I think the only difference must be just he front end, so 5gs/s should be possible...

This is different behaviour to the MDO4054C-SA6 I have, I can upgrade that to 1GHz & 5GSa/s by installing the appropriate options, and it works, however it displays a red error at the top of the screen about calibration which can be temporarily disabled, but it comes back on after a reboot.

MDO4000C upgrade to 1GHz:

Code: [Select]

gen.py MDO4054C C012345 500MHz DVM DDU AFG BW5T10 MSO TRIG EMBD COMP ENET USB PWR AUDIO AERO AUTOMAX LMT VID SEC

Edit: I have attempted a calibration on the MDO4000C but it gets stuck at one of the many dozen tests close to the end, and I don't have the right documentation to tell me where I might be going wrong.

[uski]

Hi

Any idea if the source code given for the keygen would work on a modern 3-series MDO32 or MDO34 ?

Thanks

[darkstar49]

Hi

Any idea if the source code given for the keygen would work on a modern 3-series MDO32 or MDO34 ?

Thanks

despite numerous similarities in the firmware, it doesn't (yet...)

[tv84]

Any idea if the source code given for the keygen would work on a modern 3-series MDO32 or MDO34 ?

With the right AES key I don't see why not. 

[analogRF]

Has anyone tried to use option MDO3BND (BND) instead of writing down all of them? I wonder how that looks like when it is enabled
currently the script does not recognize it as a valid option. Is there any workaround?

I also tried to make a MDO3BND app module but it seems the format (or maybe the eeprom) for MDO3K is totally different
than other models. I dont know how some people apparently made app modules for MDO3k but it didnt work for me
no matter which option I tried

is it just the format of the content being different? how?

[salviador]

Excuse me.
How to get MDO34 AES key from 3-series FW?

do you have any news about it?

[Kualker]

Just added the "fix" on a used 3034 with a bundle I bought and it worked! 
Thank you guys 

[wp_wp]

I write a C code to generate UID of MDO3 series scopes.
It was tested in WIN10 with tcc-0.9.27-win64-bin and tcc-0.9.25-win32-bin.
Welcome interested friends to download.
Usage:
Input scope model number and serial number according prompt.
Notice:
All letters are capitalized.
See the GenerateUID.c and GenUID.jpg.

[luis garcia]

The company i was working for has been sold to another company. They offered some spare material for purchase for workers and i have bought several tek scopes, one dpo, and three mdo. Except the DPO (which is high level) the other three are low range 100Mhz. These are the MDO3014, the MDO32 and MDO34. All of them were working when removed from production.
My main interest would be the MDO34. The official upgrade price is out my reach so my question is: is it possible to upgrade such system to say 500Mhz? The scope has already a lot of other features (bus analysis and afg) that came as a bundle with the original purchase. I have some expereience upgrading my own MDO3000 some years ago. Is this possible with the MDO34 too?

[brainstorm]

root:$1$yAoxZ14J$A33l9FllNgGwk2s/GAjS8/:0:0:root:/root:/bin/sh

I wonder how far away from root/root this hash is, as we saw with Rigol MSO5000 in https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2011082/#msg2011082 ?

[RutskoyA]

I write a C code to generate UID of MDO3 series scopes.
It was tested in WIN10 with tcc-0.9.27-win64-bin and tcc-0.9.25-win32-bin.
Welcome interested friends to download.
Usage:
Input scope model number and serial number according prompt.
Notice:
All letters are capitalized.
See the GenerateUID.c and GenUID.jpg.

Hello!
Can you help me to activate. I go to menu, type the key that was generated by your script but have a message "Invalid license"
So how to use it. Please write step by step.
Thank you!

[wp_wp]

I write a C code to generate UID of MDO3 series scopes.
It was tested in WIN10 with tcc-0.9.27-win64-bin and tcc-0.9.25-win32-bin.
Welcome interested friends to download.
Usage:
Input scope model number and serial number according prompt.
Notice:
All letters are capitalized.
See the GenerateUID.c and GenUID.jpg.

Hello!
Can you help me to activate. I go to menu, type the key that was generated by your script but have a message "Invalid license"
So how to use it. Please write step by step.
Thank you!

My code is not keygen.
It just generate UID.

[RutskoyA]

I write a C code to generate UID of MDO3 series scopes.
It was tested in WIN10 with tcc-0.9.27-win64-bin and tcc-0.9.25-win32-bin.
Welcome interested friends to download.
Usage:
Input scope model number and serial number according prompt.
Notice:
All letters are capitalized.
See the GenerateUID.c and GenUID.jpg.

Hello!
Can you help me to activate. I go to menu, type the key that was generated by your script but have a message "Invalid license"
So how to use it. Please write step by step.
Thank you!

My code is not keygen.
It just generate UID.

Oh, I understand, sorry.
Is keygen exist for MDO34?

[Finderbinder]

How to enter generated key to MSO4032 ? There isn't possibility to enter something in "Manage modules & options" section. 
This guide does not work:
https://www.tek.com/en/worldwide-page/how-install-and-access-dvm-option-your-mdo3000-series-product
It seems it should work differently than with MSO3000.

[Finderbinder]

Resolved. The process is identical as with TDS3000B, even application modules are 100% identical.

[Finderbinder]

Only I'm not sure about BW upgrade. Is it possible exactly for my model? I tried few methods without success 
https://www.eevblog.com/forum/testgear/dpo3000-hacks/
this didn't work for me:

:PASSWord INTEKRITY
:SETMODELID 5
:HWAccountant:ACQBandwidth 500

MODELID have effect immediately (but only lasts till reboot).
ACQBandwidth no effect at all.

Anyone there who knows the right method?

[Gorden]

Hello,

Can you share as my MSO4104B also does not have the ability to enter a key.

Thank You

[luis garcia]

Does Engineering Mode enabled still provide the "Backup" feature, after installing firmware 3.0 ??
I believe it was located in the "File Utilities"when Engineering Mode was enabled.

[lern01]

copyright violation? the keygenerator has been NOT developed by Tektronix, so how can they claim that?

The AES key and option keys/values are in clear text visible, there is no need to "reverse" anything, therefore nothing
what one could "protect with anti-reverse copyright" whatsoever crap.

It is funny that Tektronix is veeeeery slow when goes to GPL violation or GPL source publishing, but that fast to claim
copyright on code that they haven't developed. There are keygen sources inside, not a single line belongs to Tektronix.

Does DPO3000 series work?

[lern01]

You need to have Python installed on your PC.

Skip the validate.py step, it's unnecessary.

On your PC, use gen.py with, as arguments, your scope model and serial number along with the wanted bandwidth and options.

python gen.py <model> <serial> <bandwidth> <options>

My python2.7, running according to the format described, appears the following situation, what is the reason? Thank you!

[ken246810]

Dammed if I can get this to work but then I have never used python before, i want to open up my MDO3034

[ikkeharry]

Question, where can I get the needed Python script?
I cannot find it. Please can you give me a hint where to  get it?
Thanks!

[mk_]

Question, where can I get the needed Python script?
I cannot find it. Please can you give me a hint where to  get it?
Thanks!

https://www.eevblog.com/forum/testgear/mdo3000-hacking/msg485114/#msg485114