Author Topic: Someone has hacked MDO4000C?  (Read 5807 times)

0 Members and 1 Guest are viewing this topic.

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Someone has hacked MDO4000C?
« on: March 29, 2018, 08:11:31 am »
it possible to do it?
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 

Offline andyturk

  • Frequent Contributor
  • **
  • Posts: 892
  • Country: us
Re: Someone has hacked MDO4000C?
« Reply #1 on: March 29, 2018, 02:14:31 pm »
It's pretty straightforward to hack the application modules. As for the other features, I don't know of any successful attempts.

I have a MDO4034B and when it boots up, it does say something on the syslog about a 1GHz analog board. Sure would be nice to liberate that extra 650MHz.  >:D

EDIT: The info about the 1GHz analog board is not in the "console log", it's actually displayed on the scope's GUI in manufacturing mode.
« Last Edit: April 01, 2018, 04:46:44 pm by andyturk »
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: ru
 
The following users thanked this post: andyturk, klaus11, analogRF

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Re: Someone has hacked MDO4000C?
« Reply #3 on: March 31, 2018, 08:50:28 am »
Super Abyrvalg!

For Upgrade bandwidth 1GHz, is it necessary to modify hardware ?, remove some capacitor or resistor ...

I have searched a service manual for some clue, but it is a useless manual
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 

Offline tmbinc

  • Regular Contributor
  • *
  • Posts: 228
Re: Someone has hacked MDO4000C?
« Reply #4 on: March 31, 2018, 06:47:57 pm »
I've hacked a DPO4034 (non-B) to enable full bandwidth by hacking the software - bandwidth seems to be software configured, and the pre-amplifier is actually populated. However only half the number of ADCs are populated, making this hack not super useful. I need to characterize the bandwidth but last time I looked I didn't have the right tools.

Then I hacked a DPO5034 (which is - hardware wise - similar to the DPO4034B, i.e. it has a separate frontend board), see http://debugmo.de/2013/03/whats-inside-tektronix-dpo5034/ , by removing the filter. I only did this on one channel, though. I also hacked the software for it to be detected as a 1GHz model so the UI behaves properly. (The 1GHz and 2GHz models usually have the advanced frontend board with the pre-amplifier, but the 350MHz and 500MHz models only have basic analog board). All of the DPO5xxx however have the same (full) ADC configuration, only the analog board is different.

(I'd guess the DPO4034B however would only have the half-ADC config.)

The MDO4xxx however (regardless of -, -B, -C) again have a similar design as the DPO4xxxB,  full-ADC config (since they need half the ADCs for the RF part), and of course have the MDO-style analog frontend with the RF part.

What I don't know is if they have the pre-amplifier for the non-RF channels (which I think implies a SW bandwidth limit) or not (which would probably be a HW BW limit then).

Can you post the syslog, and pictures of your analog frontend?
 

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Re: Someone has hacked MDO4000C?
« Reply #5 on: April 01, 2018, 04:02:08 am »
Thanks, but analog frontend is very different from MDO4KC, here the filter is not so clear to see, at least for me.
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 

Offline andyturk

  • Frequent Contributor
  • **
  • Posts: 892
  • Country: us
 
The following users thanked this post: analogRF

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: ru
Re: Someone has hacked MDO4000C?
« Reply #7 on: April 01, 2018, 09:39:34 pm »
andyturk, thanks, that explains some things.
I can elaborate on chapter 9 of that text: the cfgSetUBootEnvVariable is just a name of a function in firmware, but it is not mapped to any console/GPIB cmd directly. It is called by cfgSetSerialNumber function (which is brought out to both console and GPIB explicitly) with "serial#" parameter, then by cfgSetBboSerialNumber (accessible from GPIB only) with "bboard#" and "hostname" params.

Looks like there is another "mode" enabled/disabled in a way similar to MFG mode:
Code: [Select]
:PASSW TRESPASS
:DEV:MOD 1
...
:DEV:MOD 0
Are there any new menus enabled with this?
 
The following users thanked this post: klaus11

Offline andyturk

  • Frequent Contributor
  • **
  • Posts: 892
  • Country: us
Re: Someone has hacked MDO4000C?
« Reply #8 on: April 01, 2018, 11:10:38 pm »
oh yeah...
 
The following users thanked this post: klaus11

Offline andyturk

  • Frequent Contributor
  • **
  • Posts: 892
  • Country: us
Re: Someone has hacked MDO4000C?
« Reply #9 on: April 02, 2018, 10:02:36 pm »
Note the sticker.  :-/O
 
The following users thanked this post: klaus11

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 471
  • Country: ru
Re: Someone has hacked MDO4000C?
« Reply #10 on: April 03, 2018, 06:38:19 pm »
klaus11, for -C models the max possible bandwidth depends on actual board types installed. Try getting device log (as in andyturk's link) to see main/AFE models. There are both MB and AFE limits:
Code: [Select]
afeid bw
1, 2 200M
3 1G
4 200M
5 350M
other 200M

mbid, bw
1, 5 1G-1G
2, 6 200M-500M
7 200M-1G
 
The following users thanked this post: klaus11

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Re: Someone has hacked MDO4000C?
« Reply #11 on: April 04, 2018, 09:49:19 am »
Bravo Abyrvalg!
Bravo andyturk!
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 

Offline darkstar49

  • Regular Contributor
  • *
  • Posts: 234
Re: Someone has hacked MDO4000C?
« Reply #12 on: June 14, 2018, 04:25:52 pm »
Bravo Abyrvalg!
Bravo andyturk!

couldn't agree more...   :clap:
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 4977
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #13 on: June 15, 2018, 09:03:43 pm »
I’m sure I’ve missed it somewhere, are there some resistor IDs on the 4000B to change, and if so where are they?
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 4977
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #14 on: July 19, 2019, 11:34:55 am »
Interesting, this thread appears to be non-existent in Google, one can but wonder why that might be.

DuckDuckGo comes up right away. Google is not your friend in this case.
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 4977
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #15 on: July 20, 2019, 04:37:32 pm »
Note the sticker.  :-/O

I have a similar result on an MDO4054C that I recently purchase, except that after upgrading the bandwidth, I get a permanent "WARNiNG: This oscilloscope is not compensated." SPC also consistently fails after two minutes. If I remove the bandwidth option, reverting to 500MHz, all is fine again.



Edit: my unit has MB HW ID 7, and AFE SW ID of 2. It is an MDO4054C with SA6 factory fitted at manufacture.

For fully loaded but original bandwidth:
gen.py MDO4054C C###### 500MHz DVM DDU AFG MSO TRIG EMBD COMP ENET USB PWR AUDIO AERO AUTOMAX LMT VID SEC


For fully loaded with 1GHz  bandwidth:
gen.py MDO4054C C###### 500MHz DVM DDU AFG BW5T10 MSO TRIG EMBD COMP ENET USB PWR AUDIO AERO AUTOMAX LMT VID SEC
« Last Edit: July 21, 2019, 10:16:51 am by Howardlong »
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 4977
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #16 on: July 21, 2019, 10:04:11 am »
https://0bin.net/paste/tZYZ4Fs5rjqvAoza#+yNeuILPU-nQmgFvDixaTsFyVclm2Mnh2gr2Id/aSBL

I think there is a little bug when using this for the MDO4000C in the way it determines the key to use: as it stands, it will always generate MDO3000 keys if you specify an MDO4000C.

I am not a Python programmer, but I hacked the code for key.py to comment out the MDO4000B for my purposes, I suspect an elif might be a better longer term option.

The problem was that although the 4000C key was correctly selected, it is immediately overwritten with the MDO3000 key.

Original key.py:

Code: [Select]
# generate an option key
def encode(model, sn, mask):
if model.startswith("MDO4") and model.endswith("C"):
k = mdo4kc_key
if model.startswith("MDO4") and model.endswith("B"):
k = mdo4kb_key
elif model.startswith("MDO"):
k = mdo3k_key
else:
k = dpo3k_key
uid = GenerateUID(model, sn)

Hacked key.py for MDO4000C and MDO3000 only:
Code: [Select]
# generate an option key
def encode(model, sn, mask):
if model.startswith("MDO4") and model.endswith("C"):
k = mdo4kc_key
print "mdo4kc_key"
# if model.startswith("MDO4") and model.endswith("B"):
# k = mdo4kb_key
# print "mdo4kc_key"
elif model.startswith("MDO"):
k = mdo3k_key
print "mdo3k_key MDO"
else:
k = dpo3k_key
print "mdo3k_key default"
uid = GenerateUID(model, sn)
# find first leading 1 bit
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 1814
  • Country: pt
Re: Someone has hacked MDO4000C?
« Reply #17 on: July 21, 2019, 11:22:50 am »
Original key.py:

Code: [Select]
# generate an option key
def encode(model, sn, mask):
if model.startswith("MDO4") and model.endswith("C"):
k = mdo4kc_key
if model.startswith("MDO4") and model.endswith("B"):
k = mdo4kb_key
elif model.startswith("MDO"):
k = mdo3k_key
else:
k = dpo3k_key
uid = GenerateUID(model, sn)

The "correct" correction should be:

Code: [Select]
# generate an option key
def encode(model, sn, mask):
if model.startswith("MDO4") and model.endswith("C"):
k = mdo4kc_key
elif model.startswith("MDO4") and model.endswith("B"):
k = mdo4kb_key
elif model.startswith("MDO"):
k = mdo3k_key
else:
k = dpo3k_key
uid = GenerateUID(model, sn)

I think this what the original programmer intended it to be.
 
The following users thanked this post: Howardlong, wp_wp

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 4977
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #18 on: July 21, 2019, 09:21:46 pm »
Like I said I’m not a Python programmer!
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 4977
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #19 on: August 04, 2019, 09:44:30 pm »
I can get rid of the red compensation banner temporarily by enabling factory pass from the calibration memory. However after a reboot it returns.

To remove red "WARNING! This oscilloscope is not compensated." banner after each boot:

  • Login with telnet, note commands are sent in the blind:
Code: [Select]
telnet <scopehostname> 4000
:PASSW TRESPASS
:DEV:MOD 1

  • Then, on the scope:

Utility -> Calibration -> Factory Cal -> Always Pass: Yes

  • Finally, optionally from telnet to remove the new menus:
Code: [Select]
:DEV:MOD 0

    Tonight I managed to do a factory calibration, and immediately for the first time a successful SPC. Being my first time, the whole process took me about two hours, but I had to build a 24Vpp amplifier for my AWG which maxes out at 20Vpp.

    However, after a reboot the red compensation error banner returned. I suspect I may need to lock the calibration afterwards?

    Is anyone familiar with recent Tek scope calibration processes? Is there something one should do after a successful cal and SPC?
    « Last Edit: September 29, 2019, 12:44:23 pm by Howardlong »
     

    Offline r0d3z1

    • Regular Contributor
    • *
    • Posts: 112
    • Country: it
    Re: Someone has hacked MDO4000C?
    « Reply #20 on: September 18, 2019, 06:24:38 am »
    Note the sticker.  :-/O

    @andyturk I am curious about the pcb on the bottom right of the image ? is it a kind of DIY probe that use the proprietary tek connector ?
     

    Offline 2N3055

    • Super Contributor
    • ***
    • Posts: 2929
    • Country: hr
    Re: Someone has hacked MDO4000C?
    « Reply #21 on: September 18, 2019, 06:41:33 am »
    Note the sticker.  :-/O

    @andyturk I am curious about the pcb on the bottom right of the image ? is it a kind of DIY probe that use the proprietary tek connector ?

    That is Leo Bodnar's pulser that he uses to get that pulse on the screen.
     

    Offline supperman

    • Regular Contributor
    • *
    • Posts: 87
    • Country: us
    Re: Someone has hacked MDO4000C?
    « Reply #22 on: December 22, 2019, 06:23:15 pm »
    Hi All - Wow this thread was hard to find.. again.. for some reason. (perhaps a good thing)

    I'm trying to better understand what is possible with the MDO4000C and this thread has good info but raises more questions that it answers..

    1. It seems you can liberate modules and bandwidth via the python script.. probably only with the "Corrected" version so one would have to put the old python build environment together.. there are not great instructions on.. (I ran into lots of compatibility issues and code errors when I did this for my MDO3k - especially with the crypto library no longer supported)

    2. @abyrvalg mentioned that MDO4000Cs may all differ from each other and you don't know what you have until you check the board IDs.. is this really true? Does anyone have details on this? So a 4024 can only be turned into a 4104 if you are lucky? (or not at all?). Anyone know about serial number ranges.. or have examples?

    3. @andyturk when you say it is easy to do the application modules on the "C" you mean via the python script method?

    4. @Howardlong any luck with that red stripe? Can you live with it if you can't get rid of it. Was this 100% via python or did you make changes to model numbers like on the B models..

    Ahhh.... I really want to get a used mdo4k.. but don't feel I have confidence it will perform at the price point I can afford..

     
     

    Offline Howardlong

    • Super Contributor
    • ***
    • Posts: 4977
    • Country: gb
    Re: Someone has hacked MDO4000C?
    « Reply #23 on: December 23, 2019, 01:38:07 pm »
    Hi All - Wow this thread was hard to find.. again.. for some reason. (perhaps a good thing)

    I'm trying to better understand what is possible with the MDO4000C and this thread has good info but raises more questions that it answers..

    ...

    4. @Howardlong any luck with that red stripe? Can you live with it if you can't get rid of it. Was this 100% via python or did you make changes to model numbers like on the B models..

    Ahhh.... I really want to get a used mdo4k.. but don't feel I have confidence it will perform at the price point I can afford..

    Below is my experience with an MDO4054C-SA6. So, it may be that other versions don’t have all the hardware bits populated, ISTR there’s a scheme that shares ADCs between the SA and scope. Certainly if I run the scope and SA simultaneously, when upgraded to 1GHz bw, the scope sample rate drops to 2.5GSa/s. The same applies in scope only mode if you enable three or more channels, but that’s documented by Tek, I assume they’re interleaving ADCs.

    The red stripe appeared after I’d enabled the 1GHz bw. You can remove the red stripe by going into the dev menus and allowing it to pass tests, but you need to do it after each reboot (edit: see up thread). As far as I can tell it’s only a cosmetic annoyance, obscuring the display of the screen buffer overview. The scope seems to be reasonably accurate at 1GHz bw despite not being calibrated. When you remove the 1GHz bw option, the stripe disappears after a reboot.

    I’ve been unable to successfully calibrate it at 1GHz bw. It won’t let you run an SPC without a valid cal either. Switching back to 500MHz bw, everything is fine and you can run an SPC successfully.

    I can’t get one of the 70 odd cal steps to pass, and I still don't know why, but it’s near the end and can take an hour and a half to get to it. I don’t have any more information about calibration other than what’s provided onscreen (very terse) combined with some information I found about calibrating a DPO4000 that helped a little. I don’t have the Fluke calibration equipment of course, but I managed to build a few jigs and voltage amplifiers that seemed adequate for a cal.

    Unless I need the extra bandwidth or a function requiring 1GHz (e.g. USB HS trigger/decode), I use the scope at its factory 500MHz.

    I have a little USB thumb stick sized arduino keyboard macro generator with three buttons to select what options to set, saving me having to manually rekey. One button for default settings, one with everything enabled except 1GHz (my usual selection) and finally one with everything plus 1GHz. You need to restart the scope after each config option change.

    Keep in mind that you might want to purchase the 1GHz passive probes which come up on eBay fairly frequently, but they’re not always particularly cheap. I’d already accumulated a set of four over a period of time. The 3.9pF is still a significant load at 1GHz!

    What I’ve been unable to find out definitively is what is included in an upgrade from 500MHz to 1GHz, priced at about £2.3k. My reseller wanted to charge me for the upgrade, plus a new cal, plus the probes, so as that would raise the total to about 5 grand, I rejected it. I’ve read elsewhere that the probes and recal is included in the £2.3k upgrade path. If it were the latter, I’d pay for it.

    Regarding the Python script, I did make a change, it’s documented somewhere on the forum, there was a problem with it choosing the right key for one of the scope series (3000, 4000B or 4000C) but I can’t remember which one. (Edit: see upthread, it affected the 4000C).
    « Last Edit: December 23, 2019, 01:51:15 pm by Howardlong »
     

    Offline supperman

    • Regular Contributor
    • *
    • Posts: 87
    • Country: us
    Re: Someone has hacked MDO4000C?
    « Reply #24 on: December 23, 2019, 04:13:29 pm »
    Thank you so much @Howardlong. That is super helpful.

    So you made a small hardware device that runs your codes.. that is super cool!

    Do you remember what python versions you are running to make it run? Operating system/python version/crypto version? (Edit: I see now there are links in the "link" on versions.. but probably still a good questions to ask)

    So you would pay 2k to get rid of the red banner? :)  (Edit: A man with similar OCD as myself??)

    Many thanks and happy holidays..
    « Last Edit: December 23, 2019, 04:25:46 pm by supperman »
     

    Offline Howardlong

    • Super Contributor
    • ***
    • Posts: 4977
    • Country: gb
    Re: Someone has hacked MDO4000C?
    « Reply #25 on: December 23, 2019, 07:56:44 pm »
    Thank you so much @Howardlong. That is super helpful.

    So you made a small hardware device that runs your codes.. that is super cool!

    Do you remember what python versions you are running to make it run? Operating system/python version/crypto version? (Edit: I see now there are links in the "link" on versions.. but probably still a good questions to ask)

    So you would pay 2k to get rid of the red banner? :)  (Edit: A man with similar OCD as myself??)

    Many thanks and happy holidays..

    Python version was 2.7x but they seem to have the crypto included in some distros, certainly the one a did a few moths ago included it.

    Regarding the 2k to “remove the banner”, it’s probably as much to do with resale value as it is my own OCD!
     

    Offline analogRF

    • Frequent Contributor
    • **
    • Posts: 619
    • Country: ca
    Re: Someone has hacked MDO4000C?
    « Reply #26 on: December 25, 2019, 03:38:20 am »
     

    Offline analogRF

    • Frequent Contributor
    • **
    • Posts: 619
    • Country: ca
    Re: Someone has hacked MDO4000C?
    « Reply #27 on: August 27, 2020, 06:07:45 pm »
     

    Offline tv84

    • Super Contributor
    • ***
    • Posts: 1814
    • Country: pt
    Re: Someone has hacked MDO4000C?
    « Reply #28 on: August 28, 2020, 07:20:36 pm »
    DPO4000 uses the same AES_key as DPO3000, so you can easily change the script to accommodate for it.

    BTW:

    dpo4kb_key = "\x2A\x62\x31\x9B\x7F\x06\x34\x2A\x90\x1F\x07\x64\x80\x6A\xDE\xC2"
    mdo4kc_key= "\xC5\x6F\x22\xB2\x5E\x70\xF1\x30\xAF\x3E\xF3\x11\x88\x11\xBF\x1B"


    Edit: If the mdo4kc_key in the python script is correct, then I must have something wrong in these 2 keys.

    Maybe it's like this:

    dpo4kb_key = ED B1 83 75 FC A9 9E 8B 48 95 F1 3A EF FB 09 C4
    « Last Edit: August 30, 2020, 05:27:48 pm by tv84 »
     
    The following users thanked this post: analogRF

    Offline analogRF

    • Frequent Contributor
    • **
    • Posts: 619
    • Country: ca
    Re: Someone has hacked MDO4000C?
    « Reply #29 on: August 28, 2020, 08:49:01 pm »
    DPO4000 uses the same AES_key as DPO3000, so you can easily change the script to accommodate for it.

    BTW:

    dpo4kb_key = "\x2A\x62\x31\x9B\x7F\x06\x34\x2A\x90\x1F\x07\x64\x80\x6A\xDE\xC2"
    mdo4kc_key= "\xC5\x6F\x22\xB2\x5E\x70\xF1\x30\xAF\x3E\xF3\x11\x88\x11\xBF\x1B"

    I don't know any Python at all  :-//
    So is it enough just to add/change these two lines :
    Code: [Select]
    dpo4k_key = "\x9B\x31\x62\x2A\x2A\x34\x06\x7F\x64\x07\x1F\x90\xC2\xDE\x6A\x80" ---->>> same as DPO3000
    :
    :
    :
    keys = (("DPO4000", dpo4k_key),("MDO3000", mdo3k_key), ("DPO3000", dpo3k_key), ("MDO4000B", mdo4kb_key), ("MDO4000C", mdo4kc_key))

    or other changes are also needed?
    « Last Edit: August 28, 2020, 08:58:02 pm by analogRF »
     

    Offline darkstar49

    • Regular Contributor
    • *
    • Posts: 234
    Re: Someone has hacked MDO4000C?
    « Reply #30 on: August 28, 2020, 09:43:40 pm »
    ... or you get yourself a little option module (some cheap TDS3FFT / TRG), and reprogram it for the options you need, one by one, and transfer these to the scope (no DPO4BND for the non-B DPO4K...)
     
    The following users thanked this post: analogRF

    Offline analogRF

    • Frequent Contributor
    • **
    • Posts: 619
    • Country: ca
    Re: Someone has hacked MDO4000C?
    « Reply #31 on: August 29, 2020, 01:11:42 am »
    ... or you get yourself a little option module (some cheap TDS3FFT / TRG), and reprogram it for the options you need, one by one, and transfer these to the scope (no DPO4BND for the non-B DPO4K...)

    i didnt know the same modules also fit DPO4000  :-[  Do they, really?

    what if I change the EEPROM in the module to something bigger like 24C16 and put several options in it at the same time?
    is it possible? Based on what I had read about TDS3UAM hack for TDS3000, it was possible. I dont have any of those modules for now..

    I still prefer to get the Python code running but don't know what changes other than those I mentioned in the previous post are required
     

    Offline analogRF

    • Frequent Contributor
    • **
    • Posts: 619
    • Country: ca
    Re: Someone has hacked MDO4000C?
    « Reply #32 on: August 29, 2020, 01:20:12 am »
    DPO4000 uses the same AES_key as DPO3000, so you can easily change the script to accommodate for it.

    BTW:

    dpo4kb_key = "\x2A\x62\x31\x9B\x7F\x06\x34\x2A\x90\x1F\x07\x64\x80\x6A\xDE\xC2"
    mdo4kc_key= "\xC5\x6F\x22\xB2\x5E\x70\xF1\x30\xAF\x3E\xF3\x11\x88\x11\xBF\x1B"

    why the mdo4kc_key is different than what is in the script? was the script wrong?
    i dont have that scope but just curious...
     

    Offline tv84

    • Super Contributor
    • ***
    • Posts: 1814
    • Country: pt
    Re: Someone has hacked MDO4000C?
    « Reply #33 on: August 29, 2020, 08:14:48 am »
    why the mdo4kc_key is different than what is in the script? was the script wrong?

    I think mine is the correct (old) one. The "fake" in the code is definitely wrong.

    I'm not sure that (new) key inside the python script is correct or maybe it's used in newer FWs. Only a MDO4000C owner can confirm this.
     

    Offline tv84

    • Super Contributor
    • ***
    • Posts: 1814
    • Country: pt
    Re: Someone has hacked MDO4000C?
    « Reply #34 on: August 30, 2020, 05:16:49 pm »
    Code: [Select]
    dpo4k_key = "\x9B\x31\x62\x2A\x2A\x34\x06\x7F\x64\x07\x1F\x90\xC2\xDE\x6A\x80" ---->>> same as DPO3000
    :
    :
    :
    keys = (("DPO4000", dpo4k_key),("MDO3000", mdo3k_key), ("DPO3000", dpo3k_key), ("MDO4000B", mdo4kb_key), ("MDO4000C", mdo4kc_key))

    or other changes are also needed?

    Correct. But simpler could be just rewrite this one:

    Code: [Select]
    keys = (("DPO4000", dpo3k_key), ("MDO3000", mdo3k_key), ("DPO3000", dpo3k_key), ("MDO4000B", mdo4kb_key), ("MDO4000C", mdo4kc_key))
     
    The following users thanked this post: analogRF

    Offline darkstar49

    • Regular Contributor
    • *
    • Posts: 234
    Re: Someone has hacked MDO4000C?
    « Reply #35 on: August 31, 2020, 02:31:31 pm »
    ... or you get yourself a little option module (some cheap TDS3FFT / TRG), and reprogram it for the options you need, one by one, and transfer these to the scope (no DPO4BND for the non-B DPO4K...)

    i didnt know the same modules also fit DPO4000  :-[  Do they, really?


    Yes, it's the same format... just that from the MDO onwards, the key was encrypted, but up to the DPO4000B, it was in clear text.
    So for the DPO4000B, with DPO4BND, you're done, but for the DPO4000, you'd have to reprogram the module as many times as you want options. And no, you can't put more than one option in the module's eeprom (well, you could... but it wouldn't work, to my knowledge).
     
    The following users thanked this post: analogRF

    Offline analogRF

    • Frequent Contributor
    • **
    • Posts: 619
    • Country: ca
    Re: Someone has hacked MDO4000C?
    « Reply #36 on: September 02, 2020, 03:49:07 am »
    I finally received the DPO4104, it has self test errors (see another thread on Repair section) but the scope seems to work pretty ok. so far I have not been able to find out what problem those errors cause

    However, I want to enable the options and I had read all the MDO and DPO 3000/4000B/4000C hacking threads. Now that I have got the scope
    I can see none of those methods and techniques are applicable really  :palm: |O

    Let's say I generate the key with python script, then what? There is no place in this scope to enter any key  :palm: |O
    Let's say I use the module programming, then what? there is no place to "transfer" the license to the scope  :palm: |O
    so, unless there is a way to program a module (with a new larger EEPROM) with several options (similar to TDS3000) then I cannot see how these scopes can be hacked really.

    Is there any way to do it through the SCPI commands? Telnet?
     

    Offline darkstar49

    • Regular Contributor
    • *
    • Posts: 234
    Re: Someone has hacked MDO4000C?
    « Reply #37 on: September 11, 2020, 03:47:39 am »
    I finally received the DPO4104, it has self test errors (see another thread on Repair section) but the scope seems to work pretty ok. so far I have not been able to find out what problem those errors cause

    However, I want to enable the options and I had read all the MDO and DPO 3000/4000B/4000C hacking threads. Now that I have got the scope
    I can see none of those methods and techniques are applicable really  :palm: |O

    Let's say I generate the key with python script, then what? There is no place in this scope to enter any key  :palm: |O
    Let's say I use the module programming, then what? there is no place to "transfer" the license to the scope  :palm: |O
    so, unless there is a way to program a module (with a new larger EEPROM) with several options (similar to TDS3000) then I cannot see how these scopes can be hacked really.

    Is there any way to do it through the SCPI commands? Telnet?

    having all options enabled in the TDS3000 is not a matter of having a larger eeprom, that works with the ‘engineering option’ TDS3ENG, a bit like the official option bundle DPO4BND (unfortunately not in the pre-B models). Not having the menu to transfer a module’s license into the scope is most probably a FW version issue (got 2.68 ?).
     

    Offline analogRF

    • Frequent Contributor
    • **
    • Posts: 619
    • Country: ca
    Re: Someone has hacked MDO4000C?
    « Reply #38 on: September 27, 2020, 08:06:11 pm »
    Is the bandwidth on DPO4000B software upgradable? I dont mean to 1GHz but something like 350MHz to 500MHz or 100MHz to 350MHz
     

    Offline Howardlong

    • Super Contributor
    • ***
    • Posts: 4977
    • Country: gb
    Re: Someone has hacked MDO4000C?
    « Reply #39 on: September 28, 2020, 10:10:38 am »
    I don’t have a 4000B, but I believe so.

    I have a recollection that some 4000Bs can be liberated to 1GHz if they have the right hardware.
     

    Offline analogRF

    • Frequent Contributor
    • **
    • Posts: 619
    • Country: ca
    Re: Someone has hacked MDO4000C?
    « Reply #40 on: September 28, 2020, 10:55:02 am »
    I don’t have a 4000B, but I believe so.

    I have a recollection that some 4000Bs can be liberated to 1GHz if they have the right hardware.

    can anybody confirm? even upgrade to 500MHz is good. there is no official lupgrade option in the datasheet
    but since MDOs had BW upgrade I though DPO4000B probably have it too
     

    Offline Howardlong

    • Super Contributor
    • ***
    • Posts: 4977
    • Country: gb
    Re: Someone has hacked MDO4000C?
    « Reply #41 on: September 28, 2020, 11:56:25 am »
    I don’t have a 4000B, but I believe so.

    I have a recollection that some 4000Bs can be liberated to 1GHz if they have the right hardware.

    can anybody confirm? even upgrade to 500MHz is good. there is no official lupgrade option in the datasheet
    but since MDOs had BW upgrade I though DPO4000B probably have it too

    Have you tried it? It’s as simple as running gen.py with the right options to create the option key.
     

    Offline analogRF

    • Frequent Contributor
    • **
    • Posts: 619
    • Country: ca
    Re: Someone has hacked MDO4000C?
    « Reply #42 on: September 28, 2020, 12:04:59 pm »
    I don’t have a 4000B, but I believe so.

    I have a recollection that some 4000Bs can be liberated to 1GHz if they have the right hardware.

    can anybody confirm? even upgrade to 500MHz is good. there is no official lupgrade option in the datasheet
    but since MDOs had BW upgrade I though DPO4000B probably have it too

    Have you tried it? It’s as simple as running gen.py with the right options to create the option key.

    no I dont have the equipment. I have the opportunity to buy a 100MHz version for a good price
    but I only want to do it if the BW upgrade is possible
     

    Offline Howardlong

    • Super Contributor
    • ***
    • Posts: 4977
    • Country: gb
    Re: Someone has hacked MDO4000C?
    « Reply #43 on: September 28, 2020, 12:26:24 pm »
     

    Offline analogRF

    • Frequent Contributor
    • **
    • Posts: 619
    • Country: ca
    Re: Someone has hacked MDO4000C?
    « Reply #44 on: September 28, 2020, 12:38:22 pm »
    There’s a semi cryptic note here

    https://www.eevblog.com/forum/testgear/mdo3000-hacking/msg1603087/#msg1603087 Post 141

    umm...yeah. that's for MDO4000B though but I guess they are very similar to DPO4kB at least they dont have official BW upgrade option in their datasheet just like DPO4kB.
    But I wonder what he meant because I cannot find that method he is talking about
     

    Offline Howardlong

    • Super Contributor
    • ***
    • Posts: 4977
    • Country: gb
    Re: Someone has hacked MDO4000C?
    « Reply #45 on: September 28, 2020, 12:50:08 pm »
    There’s a semi cryptic note here

    https://www.eevblog.com/forum/testgear/mdo3000-hacking/msg1603087/#msg1603087 Post 141

    umm...yeah. that's for MDO4000B though but I guess they are very similar to DPO4kB at least they dont have official BW upgrade option in their datasheet just like DPO4kB.
    But I wonder what he meant because I cannot find that method he is talking about

    Sorry, my bad!
     


    Share me

    Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
    Smf