Author Topic: Someone has hacked MDO4000C?  (Read 2968 times)

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Someone has hacked MDO4000C?
« on: March 29, 2018, 08:11:31 am »
Is it possible to do it?
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 

Offline andyturk

  • Frequent Contributor
  • **
  • Posts: 892
  • Country: us
Re: Someone has hacked MDO4000C?
« Reply #1 on: March 29, 2018, 02:14:31 pm »
It's pretty straightforward to hack the application modules. As for the other features, I don't know of any successful attempts.

I have a MDO4034B and when it boots up, it does say something on the syslog about a 1GHz analog board. Sure would be nice to liberate that extra 650MHz.  >:D

EDIT: The info about the 1GHz analog board is not in the "console log", it's actually displayed on the scope's GUI in manufacturing mode.
« Last Edit: April 01, 2018, 04:46:44 pm by andyturk »
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 354
  • Country: ru
 
The following users thanked this post: andyturk, klaus11

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Re: Someone has hacked MDO4000C?
« Reply #3 on: March 31, 2018, 08:50:28 am »
Super Abyrvalg!

To upgrade the bandwidth to 1GHz, is it necessary to modify hardware? Remove some capacitor or resistor ...

I have searched a service manual for some clue, but it is a useless manual.
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 

Offline tmbinc

  • Regular Contributor
  • *
  • Posts: 174
Re: Someone has hacked MDO4000C?
« Reply #4 on: March 31, 2018, 06:47:57 pm »
I've hacked a DPO4034 (non-B) to enable full bandwidth by hacking the software - bandwidth seems to be software configured, and the pre-amplifier is actually populated. However only half the number of ADCs are populated, making this hack not super useful. I need to characterize the bandwidth but last time I looked I didn't have the right tools.

Then I hacked a DPO5034 (which is - hardware wise - similar to the DPO4034B, i.e. it has a separate frontend board), see http://debugmo.de/2013/03/whats-inside-tektronix-dpo5034/ , by removing the filter. I only did this on one channel, though. I also hacked the software for it to be detected as a 1GHz model so the UI behaves properly. (The 1GHz and 2GHz models usually have the advanced frontend board with the pre-amplifier, but the 350MHz and 500MHz models only have basic analog board). All of the DPO5xxx however have the same (full) ADC configuration, only the analog board is different.

(I'd guess the DPO4034B however would only have the half-ADC config.)

The MDO4xxx however (regardless of -, -B, -C) again have a similar design as the DPO4xxxB,  full-ADC config (since they need half the ADCs for the RF part), and of course have the MDO-style analog frontend with the RF part.

What I don't know is if they have the pre-amplifier for the non-RF channels (which I think implies a SW bandwidth limit) or not (which would probably be a HW BW limit then).

Can you post the syslog, and pictures of your analog frontend?
 

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Re: Someone has hacked MDO4000C?
« Reply #5 on: April 01, 2018, 04:02:08 am »
Thanks, but analog frontend is very different from MDO4KC, here the filter is not so clear to see, at least for me.
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 

Offline andyturk

  • Frequent Contributor
  • **
  • Posts: 892
  • Country: us
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 354
  • Country: ru
Re: Someone has hacked MDO4000C?
« Reply #7 on: April 01, 2018, 09:39:34 pm »
andyturk, thanks, that explains some things.
I can elaborate on chapter 9 of that text: the cfgSetUBootEnvVariable is just a name of a function in firmware, but it is not mapped to any console/GPIB cmd directly. It is called by cfgSetSerialNumber function (which is brought out to both console and GPIB explicitly) with "serial#" parameter, then by cfgSetBboSerialNumber (accessible from GPIB only) with "bboard#" and "hostname" params.

Looks like there is another "mode" enabled/disabled in a way similar to MFG mode:
Code:
:PASSW TRESPASS
:DEV:MOD 1
...
:DEV:MOD 0
Are there any new menus enabled with this?
 
The following users thanked this post: klaus11

Offline andyturk

  • Frequent Contributor
  • **
  • Posts: 892
  • Country: us
Re: Someone has hacked MDO4000C?
« Reply #8 on: April 01, 2018, 11:10:38 pm »
oh yeah...
 
The following users thanked this post: klaus11

Offline andyturk

  • Frequent Contributor
  • **
  • Posts: 892
  • Country: us
Re: Someone has hacked MDO4000C?
« Reply #9 on: April 02, 2018, 10:02:36 pm »
Note the sticker.  :-/O
 
The following users thanked this post: klaus11

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 354
  • Country: ru
Re: Someone has hacked MDO4000C?
« Reply #10 on: April 03, 2018, 06:38:19 pm »
klaus11, for -C models the max possible bandwidth depends on actual board types installed. Try getting device log (as in andyturk's link) to see main/AFE models. There are both MB and AFE limits:
Code:
afeid   bw
1, 2    200M
3       1G
4       200M
5       350M
other   200M

mbid    bw
1, 5    1G-1G
2, 6    200M-500M
7       200M-1G
 
The following users thanked this post: klaus11

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Re: Someone has hacked MDO4000C?
« Reply #11 on: April 04, 2018, 09:49:19 am »
Bravo Abyrvalg!
Bravo andyturk!
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 

Offline darkstar49

  • Regular Contributor
  • *
  • Posts: 145
Re: Someone has hacked MDO4000C?
« Reply #12 on: June 14, 2018, 04:25:52 pm »
Bravo Abyrvalg!
Bravo andyturk!

couldn't agree more...   :clap:
 

Online Howardlong

  • Super Contributor
  • ***
  • Posts: 4744
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #13 on: June 15, 2018, 09:03:43 pm »
I’m sure I’ve missed it somewhere, are there some resistor IDs on the 4000B to change, and if so where are they?
 

Online Howardlong

  • Super Contributor
  • ***
  • Posts: 4744
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #14 on: July 19, 2019, 11:34:55 am »
Interesting, this thread appears to be non-existent in Google, one can but wonder why that might be.

DuckDuckGo comes up right away. Google is not your friend in this case.
 

Online Howardlong

  • Super Contributor
  • ***
  • Posts: 4744
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #15 on: July 20, 2019, 04:37:32 pm »
Note the sticker.  :-/O

I have a similar result on an MDO4054C that I recently purchased, except that after upgrading the bandwidth, I get a permanent "WARNING: This oscilloscope is not compensated." SPC also consistently fails after two minutes. If I remove the bandwidth option, reverting to 500MHz, all is fine again.



Edit: my unit has MB HW ID 7, and AFE SW ID of 2. It is an MDO4054C with SA6 factory fitted at manufacture.

For fully loaded but original bandwidth:
gen.py MDO4054C C###### 500MHz DVM DDU AFG MSO TRIG EMBD COMP ENET USB PWR AUDIO AERO AUTOMAX LMT VID SEC


For fully loaded with 1GHz bandwidth:
gen.py MDO4054C C###### 500MHz DVM DDU AFG BW5T10 MSO TRIG EMBD COMP ENET USB PWR AUDIO AERO AUTOMAX LMT VID SEC
« Last Edit: July 21, 2019, 10:16:51 am by Howardlong »
 

Online Howardlong

  • Super Contributor
  • ***
  • Posts: 4744
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #16 on: July 21, 2019, 10:04:11 am »
https://0bin.net/paste/tZYZ4Fs5rjqvAoza#+yNeuILPU-nQmgFvDixaTsFyVclm2Mnh2gr2Id/aSBL

I think there is a little bug when using this for the MDO4000C in the way it determines the key to use: as it stands, it will always generate MDO3000 keys if you specify an MDO4000C.

I am not a Python programmer, but I hacked the code for key.py to comment out the MDO4000B for my purposes. I suspect an elif might be a better longer term option.

The problem was that although the 4000C key was correctly selected, it is immediately overwritten with the MDO3000 key.

Original key.py:

Code:
# generate an option key
def encode(model, sn, mask):
    if model.startswith("MDO4") and model.endswith("C"):
        k = mdo4kc_key
    if model.startswith("MDO4") and model.endswith("B"):
        k = mdo4kb_key
    elif model.startswith("MDO"):
        k = mdo3k_key
    else:
        k = dpo3k_key
    uid = GenerateUID(model, sn)

Hacked key.py for MDO4000C and MDO3000 only:
Code:
# generate an option key
def encode(model, sn, mask):
    if model.startswith("MDO4") and model.endswith("C"):
        k = mdo4kc_key
        print "mdo4kc_key"
    # if model.startswith("MDO4") and model.endswith("B"):
    #     k = mdo4kb_key
    #     print "mdo4kc_key"
    elif model.startswith("MDO"):
        k = mdo3k_key
        print "mdo3k_key MDO"
    else:
        k = dpo3k_key
        print "mdo3k_key default"
    uid = GenerateUID(model, sn)
    # find first leading 1 bit
 

Online tv84

  • Frequent Contributor
  • **
  • Posts: 862
  • Country: pt
Re: Someone has hacked MDO4000C?
« Reply #17 on: July 21, 2019, 11:22:50 am »
Original key.py:

Code:
# generate an option key
def encode(model, sn, mask):
    if model.startswith("MDO4") and model.endswith("C"):
        k = mdo4kc_key
    if model.startswith("MDO4") and model.endswith("B"):
        k = mdo4kb_key
    elif model.startswith("MDO"):
        k = mdo3k_key
    else:
        k = dpo3k_key
    uid = GenerateUID(model, sn)

The "correct" correction should be:

Code:
# generate an option key
def encode(model, sn, mask):
    if model.startswith("MDO4") and model.endswith("C"):
        k = mdo4kc_key
    elif model.startswith("MDO4") and model.endswith("B"):
        k = mdo4kb_key
    elif model.startswith("MDO"):
        k = mdo3k_key
    else:
        k = dpo3k_key
    uid = GenerateUID(model, sn)

I think this is what the original programmer intended it to be.
 
The following users thanked this post: Howardlong

Online Howardlong

  • Super Contributor
  • ***
  • Posts: 4744
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #18 on: July 21, 2019, 09:21:46 pm »
Like I said I’m not a Python programmer!
 

Online Howardlong

  • Super Contributor
  • ***
  • Posts: 4744
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #19 on: August 04, 2019, 09:44:30 pm »
I can get rid of the red compensation banner temporarily by enabling factory pass from the calibration memory. However after a reboot it returns.

To remove red "WARNING! This oscilloscope is not compensated." banner after each boot:

  • Login with telnet, note commands are sent in the blind:
Code:
telnet <scopehostname> 4000
:PASSW TRESPASS
:DEV:MOD 1

  • Then, on the scope:

Utility -> Calibration -> Factory Cal -> Always Pass: Yes

  • Finally, optionally from telnet to remove the new menus:
Code:
:DEV:MOD 0

Tonight I managed to do a factory calibration, and immediately for the first time a successful SPC. Being my first time, the whole process took me about two hours, but I had to build a 24Vpp amplifier for my AWG which maxes out at 20Vpp.

However, after a reboot the red compensation error banner returned. I suspect I may need to lock the calibration afterwards?

Is anyone familiar with recent Tek scope calibration processes? Is there something one should do after a successful cal and SPC?
« Last Edit: September 29, 2019, 12:44:23 pm by Howardlong »
     

Offline r0d3z1

  • Regular Contributor
  • *
  • Posts: 83
  • Country: it
Re: Someone has hacked MDO4000C?
« Reply #20 on: September 18, 2019, 06:24:38 am »
Note the sticker.  :-/O

@andyturk I am curious about the PCB on the bottom right of the image. Is it a kind of DIY probe that uses the proprietary Tek connector?
 

Online 2N3055

  • Super Contributor
  • ***
  • Posts: 2087
  • Country: hr
Re: Someone has hacked MDO4000C?
« Reply #21 on: September 18, 2019, 06:41:33 am »
Note the sticker.  :-/O

@andyturk I am curious about the PCB on the bottom right of the image. Is it a kind of DIY probe that uses the proprietary Tek connector?

That is Leo Bodnar's pulser that he uses to get that pulse on the screen.
     

