EEVblog Electronics Community Forum

Products => Test Equipment => Topic started by: klaus11 on March 29, 2018, 08:11:31 am

Title: Someone has hacked MDO4000C?
Post by: klaus11 on March 29, 2018, 08:11:31 am
it possible to do it?
Title: Re: Someone has hacked MDO4000C?
Post by: andyturk on March 29, 2018, 02:14:31 pm
It's pretty straightforward to hack the application modules. As for the other features, I don't know of any successful attempts.

I have a MDO4034B and when it boots up, it does say something on the syslog about a 1GHz analog board. Sure would be nice to liberate that extra 650MHz.  >:D

EDIT: The info about the 1GHz analog board is not in the "console log", it's actually displayed on the scope's GUI in manufacturing mode.
Title: Re: Someone has hacked MDO4000C?
Post by: abyrvalg on March 30, 2018, 11:24:18 pm
https://0bin.net/paste/tZYZ4Fs5rjqvAoza#+yNeuILPU-nQmgFvDixaTsFyVclm2Mnh2gr2Id/aSBL
Title: Re: Someone has hacked MDO4000C?
Post by: klaus11 on March 31, 2018, 08:50:28 am
Super Abyrvalg!

For Upgrade bandwidth 1GHz, is it necessary to modify hardware ?, remove some capacitor or resistor ...

I have searched a service manual for some clue, but it is a useless manual
Title: Re: Someone has hacked MDO4000C?
Post by: tmbinc on March 31, 2018, 06:47:57 pm
I've hacked a DPO4034 (non-B) to enable full bandwidth by hacking the software - bandwidth seems to be software configured, and the pre-amplifier is actually populated. However only half the number of ADCs are populated, making this hack not super useful. I need to characterize the bandwidth but last time I looked I didn't have the right tools.

Then I hacked a DPO5034 (which is - hardware wise - similar to the DPO4034B, i.e. it has a separate frontend board), see http://debugmo.de/2013/03/whats-inside-tektronix-dpo5034/ (http://debugmo.de/2013/03/whats-inside-tektronix-dpo5034/) , by removing the filter. I only did this on one channel, though. I also hacked the software for it to be detected as a 1GHz model so the UI behaves properly. (The 1GHz and 2GHz models usually have the advanced frontend board with the pre-amplifier, but the 350MHz and 500MHz models only have basic analog board). All of the DPO5xxx however have the same (full) ADC configuration, only the analog board is different.

(I'd guess the DPO4034B however would only have the half-ADC config.)

The MDO4xxx however (regardless of -, -B, -C) again have a similar design as the DPO4xxxB,  full-ADC config (since they need half the ADCs for the RF part), and of course have the MDO-style analog frontend with the RF part.

What I don't know is if they have the pre-amplifier for the non-RF channels (which I think implies a SW bandwidth limit) or not (which would probably be a HW BW limit then).

Can you post the syslog, and pictures of your analog frontend?
Title: Re: Someone has hacked MDO4000C?
Post by: klaus11 on April 01, 2018, 04:02:08 am
Thanks, but analog frontend is very different from MDO4KC, here the filter is not so clear to see, at least for me.
Title: Re: Someone has hacked MDO4000C?
Post by: andyturk on April 01, 2018, 04:41:31 pm
https://0bin.net/paste/b41u5jNJcqNlURuI#fG6cEz17pYOVFTR5EX8I5XA9p8OdbkfyFLgGL0Z95O3
Title: Re: Someone has hacked MDO4000C?
Post by: abyrvalg on April 01, 2018, 09:39:34 pm
andyturk, thanks, that explains some things.
I can elaborate on chapter 9 of that text: the cfgSetUBootEnvVariable is just a name of a function in firmware, but it is not mapped to any console/GPIB cmd directly. It is called by cfgSetSerialNumber function (which is brought out to both console and GPIB explicitly) with "serial#" parameter, then by cfgSetBboSerialNumber (accessible from GPIB only) with "bboard#" and "hostname" params.

Looks like there is another "mode" enabled/disabled in a way similar to MFG mode:
Code: [Select]
:PASSW TRESPASS
:DEV:MOD 1
...
:DEV:MOD 0
Are there any new menus enabled with this?
Title: Re: Someone has hacked MDO4000C?
Post by: andyturk on April 01, 2018, 11:10:38 pm
oh yeah...
Title: Re: Someone has hacked MDO4000C?
Post by: andyturk on April 02, 2018, 10:02:36 pm
Note the sticker.  :-/O
Title: Re: Someone has hacked MDO4000C?
Post by: abyrvalg on April 03, 2018, 06:38:19 pm
klaus11, for -C models the max possible bandwidth depends on actual board types installed. Try getting device log (as in andyturk's link) to see main/AFE models. There are both MB and AFE limits:
Code: [Select]
afeid bw
1, 2 200M
3 1G
4 200M
5 350M
other 200M

mbid, bw
1, 5 1G-1G
2, 6 200M-500M
7 200M-1G
Title: Re: Someone has hacked MDO4000C?
Post by: klaus11 on April 04, 2018, 09:49:19 am
Bravo Abyrvalg!
Bravo andyturk!
Title: Re: Someone has hacked MDO4000C?
Post by: darkstar49 on June 14, 2018, 04:25:52 pm
Bravo Abyrvalg!
Bravo andyturk!

couldn't agree more...   :clap:
Title: Re: Someone has hacked MDO4000C?
Post by: Howardlong on June 15, 2018, 09:03:43 pm
I’m sure I’ve missed it somewhere, are there some resistor IDs on the 4000B to change, and if so where are they?
Title: Re: Someone has hacked MDO4000C?
Post by: Howardlong on July 19, 2019, 11:34:55 am
Interesting, this thread appears to be non-existent in Google, one can but wonder why that might be.

DuckDuckGo comes up right away. Google is not your friend in this case.
Title: Re: Someone has hacked MDO4000C?
Post by: Howardlong on July 20, 2019, 04:37:32 pm
Note the sticker.  :-/O

I have a similar result on an MDO4054C that I recently purchase, except that after upgrading the bandwidth, I get a permanent "WARNiNG: This oscilloscope is not compensated." SPC also consistently fails after two minutes. If I remove the bandwidth option, reverting to 500MHz, all is fine again.

(https://www.eevblog.com/forum/testgear/someone-has-hacked-mdo4000c/?action=dlattach;attach=790284;image)

Edit: my unit has MB HW ID 7, and AFE SW ID of 2. It is an MDO4054C with SA6 factory fitted at manufacture.

For fully loaded but original bandwidth:
gen.py MDO4054C C###### 500MHz DVM DDU AFG MSO TRIG EMBD COMP ENET USB PWR AUDIO AERO AUTOMAX LMT VID SEC


For fully loaded with 1GHz  bandwidth:
gen.py MDO4054C C###### 500MHz DVM DDU AFG BW5T10 MSO TRIG EMBD COMP ENET USB PWR AUDIO AERO AUTOMAX LMT VID SEC
Title: Re: Someone has hacked MDO4000C?
Post by: Howardlong on July 21, 2019, 10:04:11 am
https://0bin.net/paste/tZYZ4Fs5rjqvAoza#+yNeuILPU-nQmgFvDixaTsFyVclm2Mnh2gr2Id/aSBL

I think there is a little bug when using this for the MDO4000C in the way it determines the key to use: as it stands, it will always generate MDO3000 keys if you specify an MDO4000C.

I am not a Python programmer, but I hacked the code for key.py to comment out the MDO4000B for my purposes, I suspect an elif might be a better longer term option.

The problem was that although the 4000C key was correctly selected, it is immediately overwritten with the MDO3000 key.

Original key.py:

Code: [Select]
# generate an option key
def encode(model, sn, mask):
if model.startswith("MDO4") and model.endswith("C"):
k = mdo4kc_key
if model.startswith("MDO4") and model.endswith("B"):
k = mdo4kb_key
elif model.startswith("MDO"):
k = mdo3k_key
else:
k = dpo3k_key
uid = GenerateUID(model, sn)

Hacked key.py for MDO4000C and MDO3000 only:
Code: [Select]
# generate an option key
def encode(model, sn, mask):
if model.startswith("MDO4") and model.endswith("C"):
k = mdo4kc_key
print "mdo4kc_key"
# if model.startswith("MDO4") and model.endswith("B"):
# k = mdo4kb_key
# print "mdo4kc_key"
elif model.startswith("MDO"):
k = mdo3k_key
print "mdo3k_key MDO"
else:
k = dpo3k_key
print "mdo3k_key default"
uid = GenerateUID(model, sn)
# find first leading 1 bit
Title: Re: Someone has hacked MDO4000C?
Post by: tv84 on July 21, 2019, 11:22:50 am
Original key.py:

Code: [Select]
# generate an option key
def encode(model, sn, mask):
if model.startswith("MDO4") and model.endswith("C"):
k = mdo4kc_key
if model.startswith("MDO4") and model.endswith("B"):
k = mdo4kb_key
elif model.startswith("MDO"):
k = mdo3k_key
else:
k = dpo3k_key
uid = GenerateUID(model, sn)

The "correct" correction should be:

Code: [Select]
# generate an option key
def encode(model, sn, mask):
if model.startswith("MDO4") and model.endswith("C"):
k = mdo4kc_key
elif model.startswith("MDO4") and model.endswith("B"):
k = mdo4kb_key
elif model.startswith("MDO"):
k = mdo3k_key
else:
k = dpo3k_key
uid = GenerateUID(model, sn)

I think this what the original programmer intended it to be.
Title: Re: Someone has hacked MDO4000C?
Post by: Howardlong on July 21, 2019, 09:21:46 pm
Like I said I’m not a Python programmer!
Title: Re: Someone has hacked MDO4000C?
Post by: Howardlong on August 04, 2019, 09:44:30 pm
I can get rid of the red compensation banner temporarily by enabling factory pass from the calibration memory. However after a reboot it returns.

To remove red "WARNING! This oscilloscope is not compensated." banner after each boot:

Code: [Select]
telnet <scopehostname> 4000
:PASSW TRESPASS
:DEV:MOD 1


Utility -> Calibration -> Factory Cal -> Always Pass: Yes

Code: [Select]
:DEV:MOD 0

Tonight I managed to do a factory calibration, and immediately for the first time a successful SPC. Being my first time, the whole process took me about two hours, but I had to build a 24Vpp amplifier for my AWG which maxes out at 20Vpp.

However, after a reboot the red compensation error banner returned. I suspect I may need to lock the calibration afterwards?

Is anyone familiar with recent Tek scope calibration processes? Is there something one should do after a successful cal and SPC?
Title: Re: Someone has hacked MDO4000C?
Post by: r0d3z1 on September 18, 2019, 06:24:38 am
Note the sticker.  :-/O

@andyturk I am curious about the pcb on the bottom right of the image ? is it a kind of DIY probe that use the proprietary tek connector ?
Title: Re: Someone has hacked MDO4000C?
Post by: 2N3055 on September 18, 2019, 06:41:33 am
Note the sticker.  :-/O

@andyturk I am curious about the pcb on the bottom right of the image ? is it a kind of DIY probe that use the proprietary tek connector ?

That is Leo Bodnar's pulser that he uses to get that pulse on the screen.
Title: Re: Someone has hacked MDO4000C?
Post by: supperman on December 22, 2019, 06:23:15 pm
Hi All - Wow this thread was hard to find.. again.. for some reason. (perhaps a good thing)

I'm trying to better understand what is possible with the MDO4000C and this thread has good info but raises more questions that it answers..

1. It seems you can liberate modules and bandwidth via the python script.. probably only with the "Corrected" version so one would have to put the old python build environment together.. there are not great instructions on.. (I ran into lots of compatibility issues and code errors when I did this for my MDO3k - especially with the crypto library no longer supported)

2. @abyrvalg mentioned that MDO4000Cs may all differ from each other and you don't know what you have until you check the board IDs.. is this really true? Does anyone have details on this? So a 4024 can only be turned into a 4104 if you are lucky? (or not at all?). Anyone know about serial number ranges.. or have examples?

3. @andyturk when you say it is easy to do the application modules on the "C" you mean via the python script method?

4. @Howardlong any luck with that red stripe? Can you live with it if you can't get rid of it. Was this 100% via python or did you make changes to model numbers like on the B models..

Ahhh.... I really want to get a used mdo4k.. but don't feel I have confidence it will perform at the price point I can afford..

 
Title: Re: Someone has hacked MDO4000C?
Post by: Howardlong on December 23, 2019, 01:38:07 pm
Hi All - Wow this thread was hard to find.. again.. for some reason. (perhaps a good thing)

I'm trying to better understand what is possible with the MDO4000C and this thread has good info but raises more questions that it answers..

...

4. @Howardlong any luck with that red stripe? Can you live with it if you can't get rid of it. Was this 100% via python or did you make changes to model numbers like on the B models..

Ahhh.... I really want to get a used mdo4k.. but don't feel I have confidence it will perform at the price point I can afford..

Below is my experience with an MDO4054C-SA6. So, it may be that other versions don’t have all the hardware bits populated, ISTR there’s a scheme that shares ADCs between the SA and scope. Certainly if I run the scope and SA simultaneously, when upgraded to 1GHz bw, the scope sample rate drops to 2.5GSa/s. The same applies in scope only mode if you enable three or more channels, but that’s documented by Tek, I assume they’re interleaving ADCs.

The red stripe appeared after I’d enabled the 1GHz bw. You can remove the red stripe by going into the dev menus and allowing it to pass tests, but you need to do it after each reboot (edit: see up thread). As far as I can tell it’s only a cosmetic annoyance, obscuring the display of the screen buffer overview. The scope seems to be reasonably accurate at 1GHz bw despite not being calibrated. When you remove the 1GHz bw option, the stripe disappears after a reboot.

I’ve been unable to successfully calibrate it at 1GHz bw. It won’t let you run an SPC without a valid cal either. Switching back to 500MHz bw, everything is fine and you can run an SPC successfully.

I can’t get one of the 70 odd cal steps to pass, and I still don't know why, but it’s near the end and can take an hour and a half to get to it. I don’t have any more information about calibration other than what’s provided onscreen (very terse) combined with some information I found about calibrating a DPO4000 that helped a little. I don’t have the Fluke calibration equipment of course, but I managed to build a few jigs and voltage amplifiers that seemed adequate for a cal.

Unless I need the extra bandwidth or a function requiring 1GHz (e.g. USB HS trigger/decode), I use the scope at its factory 500MHz.

I have a little USB thumb stick sized arduino keyboard macro generator with three buttons to select what options to set, saving me having to manually rekey. One button for default settings, one with everything enabled except 1GHz (my usual selection) and finally one with everything plus 1GHz. You need to restart the scope after each config option change.

Keep in mind that you might want to purchase the 1GHz passive probes which come up on eBay fairly frequently, but they’re not always particularly cheap. I’d already accumulated a set of four over a period of time. The 3.9pF is still a significant load at 1GHz!

What I’ve been unable to find out definitively is what is included in an upgrade from 500MHz to 1GHz, priced at about £2.3k. My reseller wanted to charge me for the upgrade, plus a new cal, plus the probes, so as that would raise the total to about 5 grand, I rejected it. I’ve read elsewhere that the probes and recal is included in the £2.3k upgrade path. If it were the latter, I’d pay for it.

Regarding the Python script, I did make a change, it’s documented somewhere on the forum, there was a problem with it choosing the right key for one of the scope series (3000, 4000B or 4000C) but I can’t remember which one. (Edit: see upthread, it affected the 4000C).
Title: Re: Someone has hacked MDO4000C?
Post by: supperman on December 23, 2019, 04:13:29 pm
Thank you so much @Howardlong. That is super helpful.

So you made a small hardware device that runs your codes.. that is super cool!

Do you remember what python versions you are running to make it run? Operating system/python version/crypto version? (Edit: I see now there are links in the "link" on versions.. but probably still a good questions to ask)

So you would pay 2k to get rid of the red banner? :)  (Edit: A man with similar OCD as myself??)

Many thanks and happy holidays..
Title: Re: Someone has hacked MDO4000C?
Post by: Howardlong on December 23, 2019, 07:56:44 pm
Thank you so much @Howardlong. That is super helpful.

So you made a small hardware device that runs your codes.. that is super cool!

Do you remember what python versions you are running to make it run? Operating system/python version/crypto version? (Edit: I see now there are links in the "link" on versions.. but probably still a good questions to ask)

So you would pay 2k to get rid of the red banner? :)  (Edit: A man with similar OCD as myself??)

Many thanks and happy holidays..

Python version was 2.7x but they seem to have the crypto included in some distros, certainly the one a did a few moths ago included it.

Regarding the 2k to “remove the banner”, it’s probably as much to do with resale value as it is my own OCD!
Title: Re: Someone has hacked MDO4000C?
Post by: analogRF on December 25, 2019, 03:38:20 am
https://0bin.net/paste/tZYZ4Fs5rjqvAoza#+yNeuILPU-nQmgFvDixaTsFyVclm2Mnh2gr2Id/aSBL

so is it possible to enable options on DPO4000 series, too?
Title: Re: Someone has hacked MDO4000C?
Post by: analogRF on August 27, 2020, 06:07:45 pm
https://0bin.net/paste/tZYZ4Fs5rjqvAoza#+yNeuILPU-nQmgFvDixaTsFyVclm2Mnh2gr2Id/aSBL

can someone confirm if this works for DPO4000 series (non -B or -C), please?
Title: Re: Someone has hacked MDO4000C?
Post by: tv84 on August 28, 2020, 07:20:36 pm
DPO4000 uses the same AES_key as DPO3000, so you can easily change the script to accommodate for it.

BTW:

dpo4kb_key = "\x2A\x62\x31\x9B\x7F\x06\x34\x2A\x90\x1F\x07\x64\x80\x6A\xDE\xC2"
mdo4kc_key= "\xC5\x6F\x22\xB2\x5E\x70\xF1\x30\xAF\x3E\xF3\x11\x88\x11\xBF\x1B"


Edit: If the mdo4kc_key in the python script is correct, then I must have something wrong in these 2 keys.

Maybe it's like this:

dpo4kb_key = ED B1 83 75 FC A9 9E 8B 48 95 F1 3A EF FB 09 C4
Title: Re: Someone has hacked MDO4000C?
Post by: analogRF on August 28, 2020, 08:49:01 pm
DPO4000 uses the same AES_key as DPO3000, so you can easily change the script to accommodate for it.

BTW:

dpo4kb_key = "\x2A\x62\x31\x9B\x7F\x06\x34\x2A\x90\x1F\x07\x64\x80\x6A\xDE\xC2"
mdo4kc_key= "\xC5\x6F\x22\xB2\x5E\x70\xF1\x30\xAF\x3E\xF3\x11\x88\x11\xBF\x1B"

I don't know any Python at all  :-//
So is it enough just to add/change these two lines :
Code: [Select]
dpo4k_key = "\x9B\x31\x62\x2A\x2A\x34\x06\x7F\x64\x07\x1F\x90\xC2\xDE\x6A\x80" ---->>> same as DPO3000
:
:
:
keys = (("DPO4000", dpo4k_key),("MDO3000", mdo3k_key), ("DPO3000", dpo3k_key), ("MDO4000B", mdo4kb_key), ("MDO4000C", mdo4kc_key))

or other changes are also needed?
Title: Re: Someone has hacked MDO4000C?
Post by: darkstar49 on August 28, 2020, 09:43:40 pm
... or you get yourself a little option module (some cheap TDS3FFT / TRG), and reprogram it for the options you need, one by one, and transfer these to the scope (no DPO4BND for the non-B DPO4K...)
Title: Re: Someone has hacked MDO4000C?
Post by: analogRF on August 29, 2020, 01:11:42 am
... or you get yourself a little option module (some cheap TDS3FFT / TRG), and reprogram it for the options you need, one by one, and transfer these to the scope (no DPO4BND for the non-B DPO4K...)

i didnt know the same modules also fit DPO4000  :-[  Do they, really?

what if I change the EEPROM in the module to something bigger like 24C16 and put several options in it at the same time?
is it possible? Based on what I had read about TDS3UAM hack for TDS3000, it was possible. I dont have any of those modules for now..

I still prefer to get the Python code running but don't know what changes other than those I mentioned in the previous post are required
Title: Re: Someone has hacked MDO4000C?
Post by: analogRF on August 29, 2020, 01:20:12 am
DPO4000 uses the same AES_key as DPO3000, so you can easily change the script to accommodate for it.

BTW:

dpo4kb_key = "\x2A\x62\x31\x9B\x7F\x06\x34\x2A\x90\x1F\x07\x64\x80\x6A\xDE\xC2"
mdo4kc_key= "\xC5\x6F\x22\xB2\x5E\x70\xF1\x30\xAF\x3E\xF3\x11\x88\x11\xBF\x1B"

why the mdo4kc_key is different than what is in the script? was the script wrong?
i dont have that scope but just curious...
Title: Re: Someone has hacked MDO4000C?
Post by: tv84 on August 29, 2020, 08:14:48 am
why the mdo4kc_key is different than what is in the script? was the script wrong?

I think mine is the correct (old) one. The "fake" in the code is definitely wrong.

I'm not sure that (new) key inside the python script is correct or maybe it's used in newer FWs. Only a MDO4000C owner can confirm this.
Title: Re: Someone has hacked MDO4000C?
Post by: tv84 on August 30, 2020, 05:16:49 pm
Code: [Select]
dpo4k_key = "\x9B\x31\x62\x2A\x2A\x34\x06\x7F\x64\x07\x1F\x90\xC2\xDE\x6A\x80" ---->>> same as DPO3000
:
:
:
keys = (("DPO4000", dpo4k_key),("MDO3000", mdo3k_key), ("DPO3000", dpo3k_key), ("MDO4000B", mdo4kb_key), ("MDO4000C", mdo4kc_key))

or other changes are also needed?

Correct. But simpler could be just rewrite this one:

Code: [Select]
keys = (("DPO4000", dpo3k_key), ("MDO3000", mdo3k_key), ("DPO3000", dpo3k_key), ("MDO4000B", mdo4kb_key), ("MDO4000C", mdo4kc_key))
Title: Re: Someone has hacked MDO4000C?
Post by: darkstar49 on August 31, 2020, 02:31:31 pm
... or you get yourself a little option module (some cheap TDS3FFT / TRG), and reprogram it for the options you need, one by one, and transfer these to the scope (no DPO4BND for the non-B DPO4K...)

i didnt know the same modules also fit DPO4000  :-[  Do they, really?


Yes, it's the same format... just that from the MDO onwards, the key was encrypted, but up to the DPO4000B, it was in clear text.
So for the DPO4000B, with DPO4BND, you're done, but for the DPO4000, you'd have to reprogram the module as many times as you want options. And no, you can't put more than one option in the module's eeprom (well, you could... but it wouldn't work, to my knowledge).
Title: Re: Someone has hacked MDO4000C?
Post by: analogRF on September 02, 2020, 03:49:07 am
I finally received the DPO4104, it has self test errors (see another thread on Repair section) but the scope seems to work pretty ok. so far I have not been able to find out what problem those errors cause

However, I want to enable the options and I had read all the MDO and DPO 3000/4000B/4000C hacking threads. Now that I have got the scope
I can see none of those methods and techniques are applicable really  :palm: |O

Let's say I generate the key with python script, then what? There is no place in this scope to enter any key  :palm: |O
Let's say I use the module programming, then what? there is no place to "transfer" the license to the scope  :palm: |O
so, unless there is a way to program a module (with a new larger EEPROM) with several options (similar to TDS3000) then I cannot see how these scopes can be hacked really.

Is there any way to do it through the SCPI commands? Telnet?
Title: Re: Someone has hacked MDO4000C?
Post by: darkstar49 on September 11, 2020, 03:47:39 am
I finally received the DPO4104, it has self test errors (see another thread on Repair section) but the scope seems to work pretty ok. so far I have not been able to find out what problem those errors cause

However, I want to enable the options and I had read all the MDO and DPO 3000/4000B/4000C hacking threads. Now that I have got the scope
I can see none of those methods and techniques are applicable really  :palm: |O

Let's say I generate the key with python script, then what? There is no place in this scope to enter any key  :palm: |O
Let's say I use the module programming, then what? there is no place to "transfer" the license to the scope  :palm: |O
so, unless there is a way to program a module (with a new larger EEPROM) with several options (similar to TDS3000) then I cannot see how these scopes can be hacked really.

Is there any way to do it through the SCPI commands? Telnet?

having all options enabled in the TDS3000 is not a matter of having a larger eeprom, that works with the ‘engineering option’ TDS3ENG, a bit like the official option bundle DPO4BND (unfortunately not in the pre-B models). Not having the menu to transfer a module’s license into the scope is most probably a FW version issue (got 2.68 ?).
Title: Re: Someone has hacked MDO4000C?
Post by: analogRF on September 27, 2020, 08:06:11 pm
Is the bandwidth on DPO4000B software upgradable? I dont mean to 1GHz but something like 350MHz to 500MHz or 100MHz to 350MHz
Title: Re: Someone has hacked MDO4000C?
Post by: Howardlong on September 28, 2020, 10:10:38 am
I don’t have a 4000B, but I believe so.

I have a recollection that some 4000Bs can be liberated to 1GHz if they have the right hardware.
Title: Re: Someone has hacked MDO4000C?
Post by: analogRF on September 28, 2020, 10:55:02 am
I don’t have a 4000B, but I believe so.

I have a recollection that some 4000Bs can be liberated to 1GHz if they have the right hardware.

can anybody confirm? even upgrade to 500MHz is good. there is no official lupgrade option in the datasheet
but since MDOs had BW upgrade I though DPO4000B probably have it too
Title: Re: Someone has hacked MDO4000C?
Post by: Howardlong on September 28, 2020, 11:56:25 am
I don’t have a 4000B, but I believe so.

I have a recollection that some 4000Bs can be liberated to 1GHz if they have the right hardware.

can anybody confirm? even upgrade to 500MHz is good. there is no official lupgrade option in the datasheet
but since MDOs had BW upgrade I though DPO4000B probably have it too

Have you tried it? It’s as simple as running gen.py with the right options to create the option key.
Title: Re: Someone has hacked MDO4000C?
Post by: analogRF on September 28, 2020, 12:04:59 pm
I don’t have a 4000B, but I believe so.

I have a recollection that some 4000Bs can be liberated to 1GHz if they have the right hardware.

can anybody confirm? even upgrade to 500MHz is good. there is no official lupgrade option in the datasheet
but since MDOs had BW upgrade I though DPO4000B probably have it too

Have you tried it? It’s as simple as running gen.py with the right options to create the option key.

no I dont have the equipment. I have the opportunity to buy a 100MHz version for a good price
but I only want to do it if the BW upgrade is possible
Title: Re: Someone has hacked MDO4000C?
Post by: Howardlong on September 28, 2020, 12:26:24 pm
There’s a semi cryptic note here

https://www.eevblog.com/forum/testgear/mdo3000-hacking/msg1603087/#msg1603087 (https://www.eevblog.com/forum/testgear/mdo3000-hacking/msg1603087/#msg1603087) Post 141
Title: Re: Someone has hacked MDO4000C?
Post by: analogRF on September 28, 2020, 12:38:22 pm
There’s a semi cryptic note here

https://www.eevblog.com/forum/testgear/mdo3000-hacking/msg1603087/#msg1603087 (https://www.eevblog.com/forum/testgear/mdo3000-hacking/msg1603087/#msg1603087) Post 141

umm...yeah. that's for MDO4000B though but I guess they are very similar to DPO4kB at least they dont have official BW upgrade option in their datasheet just like DPO4kB.
But I wonder what he meant because I cannot find that method he is talking about
Title: Re: Someone has hacked MDO4000C?
Post by: Howardlong on September 28, 2020, 12:50:08 pm
There’s a semi cryptic note here

https://www.eevblog.com/forum/testgear/mdo3000-hacking/msg1603087/#msg1603087 (https://www.eevblog.com/forum/testgear/mdo3000-hacking/msg1603087/#msg1603087) Post 141

umm...yeah. that's for MDO4000B though but I guess they are very similar to DPO4kB at least they dont have official BW upgrade option in their datasheet just like DPO4kB.
But I wonder what he meant because I cannot find that method he is talking about

Sorry, my bad!
Title: Re: Someone has hacked MDO4000C?
Post by: syau on October 30, 2020, 10:02:17 am
I finally received the DPO4104, it has self test errors (see another thread on Repair section) but the scope seems to work pretty ok. so far I have not been able to find out what problem those errors cause

However, I want to enable the options and I had read all the MDO and DPO 3000/4000B/4000C hacking threads. Now that I have got the scope
I can see none of those methods and techniques are applicable really  :palm: |O

Let's say I generate the key with python script, then what? There is no place in this scope to enter any key  :palm: |O
Let's say I use the module programming, then what? there is no place to "transfer" the license to the scope  :palm: |O
so, unless there is a way to program a module (with a new larger EEPROM) with several options (similar to TDS3000) then I cannot see how these scopes can be hacked really.

Is there any way to do it through the SCPI commands? Telnet?

Wonder if you managed to enter the option code, I just scored a MDO4K and found no way to enter the option key  :palm:
Title: Re: Someone has hacked MDO4000C?
Post by: Howardlong on October 30, 2020, 03:05:26 pm
I finally received the DPO4104, it has self test errors (see another thread on Repair section) but the scope seems to work pretty ok. so far I have not been able to find out what problem those errors cause

However, I want to enable the options and I had read all the MDO and DPO 3000/4000B/4000C hacking threads. Now that I have got the scope
I can see none of those methods and techniques are applicable really  :palm: |O

Let's say I generate the key with python script, then what? There is no place in this scope to enter any key  :palm: |O
Let's say I use the module programming, then what? there is no place to "transfer" the license to the scope  :palm: |O
so, unless there is a way to program a module (with a new larger EEPROM) with several options (similar to TDS3000) then I cannot see how these scopes can be hacked really.

Is there any way to do it through the SCPI commands? Telnet?

Wonder if you managed to enter the option code, I just scored a MDO4K and found no way to enter the option key  :palm:

On my MDO4000C, it's Utility -> Utility Page: Config -> Manage Modules & Options -> Install Option.

It's a little easier to key in if you have a USB keyboard handy that you can attach.
Title: Re: Someone has hacked MDO4000C?
Post by: syau on October 30, 2020, 11:47:05 pm
On my MDO4000C, it's Utility -> Utility Page: Config -> Manage Modules & Options -> Install Option.

It's a little easier to key in if you have a USB keyboard handy that you can attach.

I am using a MDO4104-6, on the Install Option page, I can’t find any way for me to enter the key  :-//
[attach=1]
[attach=2]
Title: Re: Someone has hacked MDO4000C?
Post by: Howardlong on October 31, 2020, 08:10:18 pm
On my MDO4000C, it's Utility -> Utility Page: Config -> Manage Modules & Options -> Install Option.

It's a little easier to key in if you have a USB keyboard handy that you can attach.

I am using a MDO4104-6, on the Install Option page, I can’t find any way for me to enter the key  :-//
[attach=1]
[attach=2]

Here is my MDO4000C.

I am wondering if the firmware needs updating?


Title: Re: Someone has hacked MDO4000C?
Post by: analogRF on October 31, 2020, 08:14:22 pm
for DPO/MSO/MDO4000 (no letter at the end) the "only" way is to program and then transfer license from an app module
It takes a while and needs many power on/offs but that's the only way  :(

Title: Re: Someone has hacked MDO4000C?
Post by: syau on November 01, 2020, 04:01:46 am
for DPO/MSO/MDO4000 (no letter at the end) the "only" way is to program and then transfer license from an app module
It takes a while and needs many power on/offs but that's the only way  :(

Quck hack using a broken phone + 24c02, job done in 2 hours  :-+

Thanks.
Title: Re: Someone has hacked MDO4000C?
Post by: darkstar49 on November 13, 2020, 01:57:36 pm
an MDO4024C-6 just arrived... and luckily, the week-end just starts...   >:D

thus an MDO4024C with factory SA6, DPO4BND and AFG options.

but SCPI shell on port 4000 doesn't seem to work on MDO4000C  :(
Anyone experienced with the 'C' models ? This one is running FW 1.10 (2018), any idea whether it's a good idea to upgrade or not ?
Strange that netcat isn't working... console log reports daemon started on port 4000...?


Anyway... web console seems to work, additional menu's are there...
here some console file: (start of...)

 errSetConsoleLogState() logging to /usr/local/nv/consoleLog50.txt
 cfgInit
 versionBuildFWVersionString(): TimestampString: 30-Oct-15  11:43   
                                VersionFIRMWAREVERSIONversion: v1.02
                                Major ver num: 1 Minor ver num: 2
 sysInit
 execInit
 hwInit
 vertReprogramFeProc(): Platform Route66c fw 1003 filefw 1003
 Front Panel Firmware update not needed
   Current firmware 1003 >= 1003
 
Main Board HW ID: 0x07

 AFE Board SW ID: 0x02
 cfgGetRfHwInfo(): Contents of CfgRfHwInfo:
  rfHwPresent = 1; rfFrontEndType = 4; rfAfeRev = 2
  rfBw = 6e+09; rfLowBandStartFreq = 9000; rfAttenResolution = 1.000000
  rfAcqMemSize = 2e+09
 
Main Board SW ID: 0x01

       HFD144[0] ID_REG = 0x00001440
       HFD144[1] ID_REG = 0x00001440
       HFD144[2] ID_REG = 0x00001440
       HFD144[3] ID_REG = 0x00001440
 fanControlInit
     Init ADT7476.
 mitlInit
 afgInit
 diagInit
 diagRunEarlyPostDiags
 ialInit
 ialInit(): AFE id 0x2, rev 0x2, bI 8
 calInit
 Factory Checksum:
 Demux initialization
 
Main Board HW Rev: 0x02
Title: Re: Someone has hacked MDO4000C?
Post by: Howardlong on November 13, 2020, 09:16:15 pm
I think 1.10 is the latest firmware.

Check the

Utility -> I/O -> Socket Server

settings.

[attachimg=1]

[attachimg=2]
Title: Re: Someone has hacked MDO4000C?
Post by: darkstar49 on November 16, 2020, 07:57:43 am
klaus11, for -C models the max possible bandwidth depends on actual board types installed. Try getting device log (as in andyturk's link) to see main/AFE models. There are both MB and AFE limits:
Code: [Select]
afeid bw
1, 2 200M
3 1G
4 200M
5 350M
other 200M

mbid, bw
1, 5 1G-1G
2, 6 200M-500M
7 200M-1G

AFE's always report a SW ID, whereas the main board reports a HW ID... so I'm not (yet) 100% convinced the AFE's can't be software-upgraded...