Author Topic: Someone has hacked MDO4000C?  (Read 6675 times)

0 Members and 1 Guest are viewing this topic.

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Someone has hacked MDO4000C?
« on: March 29, 2018, 08:11:31 am »
it possible to do it?
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 

Offline andyturk

  • Frequent Contributor
  • **
  • Posts: 892
  • Country: us
Re: Someone has hacked MDO4000C?
« Reply #1 on: March 29, 2018, 02:14:31 pm »
It's pretty straightforward to hack the application modules. As for the other features, I don't know of any successful attempts.

I have a MDO4034B and when it boots up, it does say something on the syslog about a 1GHz analog board. Sure would be nice to liberate that extra 650MHz.  >:D

EDIT: The info about the 1GHz analog board is not in the "console log", it's actually displayed on the scope's GUI in manufacturing mode.
« Last Edit: April 01, 2018, 04:46:44 pm by andyturk »
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 475
  • Country: ru
 
The following users thanked this post: andyturk, klaus11, analogRF

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Re: Someone has hacked MDO4000C?
« Reply #3 on: March 31, 2018, 08:50:28 am »
Super Abyrvalg!

For Upgrade bandwidth 1GHz, is it necessary to modify hardware ?, remove some capacitor or resistor ...

I have searched a service manual for some clue, but it is a useless manual
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 

Offline tmbinc

  • Regular Contributor
  • *
  • Posts: 231
Re: Someone has hacked MDO4000C?
« Reply #4 on: March 31, 2018, 06:47:57 pm »
I've hacked a DPO4034 (non-B) to enable full bandwidth by hacking the software - bandwidth seems to be software configured, and the pre-amplifier is actually populated. However only half the number of ADCs are populated, making this hack not super useful. I need to characterize the bandwidth but last time I looked I didn't have the right tools.

Then I hacked a DPO5034 (which is - hardware wise - similar to the DPO4034B, i.e. it has a separate frontend board), see http://debugmo.de/2013/03/whats-inside-tektronix-dpo5034/ , by removing the filter. I only did this on one channel, though. I also hacked the software for it to be detected as a 1GHz model so the UI behaves properly. (The 1GHz and 2GHz models usually have the advanced frontend board with the pre-amplifier, but the 350MHz and 500MHz models only have basic analog board). All of the DPO5xxx however have the same (full) ADC configuration, only the analog board is different.

(I'd guess the DPO4034B however would only have the half-ADC config.)

The MDO4xxx however (regardless of -, -B, -C) again have a similar design as the DPO4xxxB,  full-ADC config (since they need half the ADCs for the RF part), and of course have the MDO-style analog frontend with the RF part.

What I don't know is if they have the pre-amplifier for the non-RF channels (which I think implies a SW bandwidth limit) or not (which would probably be a HW BW limit then).

Can you post the syslog, and pictures of your analog frontend?
 

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Re: Someone has hacked MDO4000C?
« Reply #5 on: April 01, 2018, 04:02:08 am »
Thanks, but analog frontend is very different from MDO4KC, here the filter is not so clear to see, at least for me.
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 

Offline andyturk

  • Frequent Contributor
  • **
  • Posts: 892
  • Country: us
 
The following users thanked this post: analogRF

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 475
  • Country: ru
Re: Someone has hacked MDO4000C?
« Reply #7 on: April 01, 2018, 09:39:34 pm »
andyturk, thanks, that explains some things.
I can elaborate on chapter 9 of that text: the cfgSetUBootEnvVariable is just a name of a function in firmware, but it is not mapped to any console/GPIB cmd directly. It is called by cfgSetSerialNumber function (which is brought out to both console and GPIB explicitly) with "serial#" parameter, then by cfgSetBboSerialNumber (accessible from GPIB only) with "bboard#" and "hostname" params.

Looks like there is another "mode" enabled/disabled in a way similar to MFG mode:
Code: [Select]
:PASSW TRESPASS
:DEV:MOD 1
...
:DEV:MOD 0
Are there any new menus enabled with this?
 
The following users thanked this post: klaus11

Offline andyturk

  • Frequent Contributor
  • **
  • Posts: 892
  • Country: us
Re: Someone has hacked MDO4000C?
« Reply #8 on: April 01, 2018, 11:10:38 pm »
oh yeah...
 
The following users thanked this post: klaus11

Offline andyturk

  • Frequent Contributor
  • **
  • Posts: 892
  • Country: us
Re: Someone has hacked MDO4000C?
« Reply #9 on: April 02, 2018, 10:02:36 pm »
Note the sticker.  :-/O
 
The following users thanked this post: klaus11

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 475
  • Country: ru
Re: Someone has hacked MDO4000C?
« Reply #10 on: April 03, 2018, 06:38:19 pm »
klaus11, for -C models the max possible bandwidth depends on actual board types installed. Try getting device log (as in andyturk's link) to see main/AFE models. There are both MB and AFE limits:
Code: [Select]
afeid bw
1, 2 200M
3 1G
4 200M
5 350M
other 200M

mbid, bw
1, 5 1G-1G
2, 6 200M-500M
7 200M-1G
 
The following users thanked this post: klaus11

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Re: Someone has hacked MDO4000C?
« Reply #11 on: April 04, 2018, 09:49:19 am »
Bravo Abyrvalg!
Bravo andyturk!
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 256
Re: Someone has hacked MDO4000C?
« Reply #12 on: June 14, 2018, 04:25:52 pm »
Bravo Abyrvalg!
Bravo andyturk!

couldn't agree more...   :clap:
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5006
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #13 on: June 15, 2018, 09:03:43 pm »
I’m sure I’ve missed it somewhere, are there some resistor IDs on the 4000B to change, and if so where are they?
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5006
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #14 on: July 19, 2019, 11:34:55 am »
Interesting, this thread appears to be non-existent in Google, one can but wonder why that might be.

DuckDuckGo comes up right away. Google is not your friend in this case.
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5006
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #15 on: July 20, 2019, 04:37:32 pm »
Note the sticker.  :-/O

I have a similar result on an MDO4054C that I recently purchase, except that after upgrading the bandwidth, I get a permanent "WARNiNG: This oscilloscope is not compensated." SPC also consistently fails after two minutes. If I remove the bandwidth option, reverting to 500MHz, all is fine again.



Edit: my unit has MB HW ID 7, and AFE SW ID of 2. It is an MDO4054C with SA6 factory fitted at manufacture.

For fully loaded but original bandwidth:
gen.py MDO4054C C###### 500MHz DVM DDU AFG MSO TRIG EMBD COMP ENET USB PWR AUDIO AERO AUTOMAX LMT VID SEC


For fully loaded with 1GHz  bandwidth:
gen.py MDO4054C C###### 500MHz DVM DDU AFG BW5T10 MSO TRIG EMBD COMP ENET USB PWR AUDIO AERO AUTOMAX LMT VID SEC
« Last Edit: July 21, 2019, 10:16:51 am by Howardlong »
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5006
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #16 on: July 21, 2019, 10:04:11 am »
https://0bin.net/paste/tZYZ4Fs5rjqvAoza#+yNeuILPU-nQmgFvDixaTsFyVclm2Mnh2gr2Id/aSBL

I think there is a little bug when using this for the MDO4000C in the way it determines the key to use: as it stands, it will always generate MDO3000 keys if you specify an MDO4000C.

I am not a Python programmer, but I hacked the code for key.py to comment out the MDO4000B for my purposes, I suspect an elif might be a better longer term option.

The problem was that although the 4000C key was correctly selected, it is immediately overwritten with the MDO3000 key.

Original key.py:

Code: [Select]
# generate an option key
def encode(model, sn, mask):
if model.startswith("MDO4") and model.endswith("C"):
k = mdo4kc_key
if model.startswith("MDO4") and model.endswith("B"):
k = mdo4kb_key
elif model.startswith("MDO"):
k = mdo3k_key
else:
k = dpo3k_key
uid = GenerateUID(model, sn)

Hacked key.py for MDO4000C and MDO3000 only:
Code: [Select]
# generate an option key
def encode(model, sn, mask):
if model.startswith("MDO4") and model.endswith("C"):
k = mdo4kc_key
print "mdo4kc_key"
# if model.startswith("MDO4") and model.endswith("B"):
# k = mdo4kb_key
# print "mdo4kc_key"
elif model.startswith("MDO"):
k = mdo3k_key
print "mdo3k_key MDO"
else:
k = dpo3k_key
print "mdo3k_key default"
uid = GenerateUID(model, sn)
# find first leading 1 bit
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 1851
  • Country: pt
Re: Someone has hacked MDO4000C?
« Reply #17 on: July 21, 2019, 11:22:50 am »
Original key.py:

Code: [Select]
# generate an option key
def encode(model, sn, mask):
if model.startswith("MDO4") and model.endswith("C"):
k = mdo4kc_key
if model.startswith("MDO4") and model.endswith("B"):
k = mdo4kb_key
elif model.startswith("MDO"):
k = mdo3k_key
else:
k = dpo3k_key
uid = GenerateUID(model, sn)

The "correct" correction should be:

Code: [Select]
# generate an option key
def encode(model, sn, mask):
if model.startswith("MDO4") and model.endswith("C"):
k = mdo4kc_key
elif model.startswith("MDO4") and model.endswith("B"):
k = mdo4kb_key
elif model.startswith("MDO"):
k = mdo3k_key
else:
k = dpo3k_key
uid = GenerateUID(model, sn)

I think this what the original programmer intended it to be.
 
The following users thanked this post: Howardlong, wp_wp

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5006
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #18 on: July 21, 2019, 09:21:46 pm »
Like I said I’m not a Python programmer!
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5006
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #19 on: August 04, 2019, 09:44:30 pm »
I can get rid of the red compensation banner temporarily by enabling factory pass from the calibration memory. However after a reboot it returns.

To remove red "WARNING! This oscilloscope is not compensated." banner after each boot:

  • Login with telnet, note commands are sent in the blind:
Code: [Select]
telnet <scopehostname> 4000
:PASSW TRESPASS
:DEV:MOD 1

  • Then, on the scope:

Utility -> Calibration -> Factory Cal -> Always Pass: Yes

  • Finally, optionally from telnet to remove the new menus:
Code: [Select]
:DEV:MOD 0

    Tonight I managed to do a factory calibration, and immediately for the first time a successful SPC. Being my first time, the whole process took me about two hours, but I had to build a 24Vpp amplifier for my AWG which maxes out at 20Vpp.

    However, after a reboot the red compensation error banner returned. I suspect I may need to lock the calibration afterwards?

    Is anyone familiar with recent Tek scope calibration processes? Is there something one should do after a successful cal and SPC?
    « Last Edit: September 29, 2019, 12:44:23 pm by Howardlong »
     

    Offline r0d3z1

    • Regular Contributor
    • *
    • Posts: 112
    • Country: it
    Re: Someone has hacked MDO4000C?
    « Reply #20 on: September 18, 2019, 06:24:38 am »
    Note the sticker.  :-/O

    @andyturk I am curious about the pcb on the bottom right of the image ? is it a kind of DIY probe that use the proprietary tek connector ?
     

    Offline 2N3055

    • Super Contributor
    • ***
    • Posts: 3059
    • Country: hr
    Re: Someone has hacked MDO4000C?
    « Reply #21 on: September 18, 2019, 06:41:33 am »
    Note the sticker.  :-/O

    @andyturk I am curious about the pcb on the bottom right of the image ? is it a kind of DIY probe that use the proprietary tek connector ?

    That is Leo Bodnar's pulser that he uses to get that pulse on the screen.
     

    Offline supperman

    • Regular Contributor
    • *
    • Posts: 87
    • Country: us
    Re: Someone has hacked MDO4000C?
    « Reply #22 on: December 22, 2019, 06:23:15 pm »
    Hi All - Wow this thread was hard to find.. again.. for some reason. (perhaps a good thing)

    I'm trying to better understand what is possible with the MDO4000C and this thread has good info but raises more questions that it answers..

    1. It seems you can liberate modules and bandwidth via the python script.. probably only with the "Corrected" version so one would have to put the old python build environment together.. there are not great instructions on.. (I ran into lots of compatibility issues and code errors when I did this for my MDO3k - especially with the crypto library no longer supported)

    2. @abyrvalg mentioned that MDO4000Cs may all differ from each other and you don't know what you have until you check the board IDs.. is this really true? Does anyone have details on this? So a 4024 can only be turned into a 4104 if you are lucky? (or not at all?). Anyone know about serial number ranges.. or have examples?

    3. @andyturk when you say it is easy to do the application modules on the "C" you mean via the python script method?

    4. @Howardlong any luck with that red stripe? Can you live with it if you can't get rid of it. Was this 100% via python or did you make changes to model numbers like on the B models..

    Ahhh.... I really want to get a used mdo4k.. but don't feel I have confidence it will perform at the price point I can afford..

     
     

    Offline Howardlong

    • Super Contributor
    • ***
    • Posts: 5006
    • Country: gb
    Re: Someone has hacked MDO4000C?
    « Reply #23 on: December 23, 2019, 01:38:07 pm »
    Hi All - Wow this thread was hard to find.. again.. for some reason. (perhaps a good thing)

    I'm trying to better understand what is possible with the MDO4000C and this thread has good info but raises more questions that it answers..

    ...

    4. @Howardlong any luck with that red stripe? Can you live with it if you can't get rid of it. Was this 100% via python or did you make changes to model numbers like on the B models..

    Ahhh.... I really want to get a used mdo4k.. but don't feel I have confidence it will perform at the price point I can afford..

    Below is my experience with an MDO4054C-SA6. So, it may be that other versions don’t have all the hardware bits populated, ISTR there’s a scheme that shares ADCs between the SA and scope. Certainly if I run the scope and SA simultaneously, when upgraded to 1GHz bw, the scope sample rate drops to 2.5GSa/s. The same applies in scope only mode if you enable three or more channels, but that’s documented by Tek, I assume they’re interleaving ADCs.

    The red stripe appeared after I’d enabled the 1GHz bw. You can remove the red stripe by going into the dev menus and allowing it to pass tests, but you need to do it after each reboot (edit: see up thread). As far as I can tell it’s only a cosmetic annoyance, obscuring the display of the screen buffer overview. The scope seems to be reasonably accurate at 1GHz bw despite not being calibrated. When you remove the 1GHz bw option, the stripe disappears after a reboot.

    I’ve been unable to successfully calibrate it at 1GHz bw. It won’t let you run an SPC without a valid cal either. Switching back to 500MHz bw, everything is fine and you can run an SPC successfully.

    I can’t get one of the 70 odd cal steps to pass, and I still don't know why, but it’s near the end and can take an hour and a half to get to it. I don’t have any more information about calibration other than what’s provided onscreen (very terse) combined with some information I found about calibrating a DPO4000 that helped a little. I don’t have the Fluke calibration equipment of course, but I managed to build a few jigs and voltage amplifiers that seemed adequate for a cal.

    Unless I need the extra bandwidth or a function requiring 1GHz (e.g. USB HS trigger/decode), I use the scope at its factory 500MHz.

    I have a little USB thumb stick sized arduino keyboard macro generator with three buttons to select what options to set, saving me having to manually rekey. One button for default settings, one with everything enabled except 1GHz (my usual selection) and finally one with everything plus 1GHz. You need to restart the scope after each config option change.

    Keep in mind that you might want to purchase the 1GHz passive probes which come up on eBay fairly frequently, but they’re not always particularly cheap. I’d already accumulated a set of four over a period of time. The 3.9pF is still a significant load at 1GHz!

    What I’ve been unable to find out definitively is what is included in an upgrade from 500MHz to 1GHz, priced at about £2.3k. My reseller wanted to charge me for the upgrade, plus a new cal, plus the probes, so as that would raise the total to about 5 grand, I rejected it. I’ve read elsewhere that the probes and recal is included in the £2.3k upgrade path. If it were the latter, I’d pay for it.

    Regarding the Python script, I did make a change, it’s documented somewhere on the forum, there was a problem with it choosing the right key for one of the scope series (3000, 4000B or 4000C) but I can’t remember which one. (Edit: see upthread, it affected the 4000C).
    « Last Edit: December 23, 2019, 01:51:15 pm by Howardlong »
     

    Offline supperman

    • Regular Contributor
    • *
    • Posts: 87
    • Country: us
    Re: Someone has hacked MDO4000C?
    « Reply #24 on: December 23, 2019, 04:13:29 pm »
    Thank you so much @Howardlong. That is super helpful.

    So you made a small hardware device that runs your codes.. that is super cool!

    Do you remember what python versions you are running to make it run? Operating system/python version/crypto version? (Edit: I see now there are links in the "link" on versions.. but probably still a good questions to ask)

    So you would pay 2k to get rid of the red banner? :)  (Edit: A man with similar OCD as myself??)

    Many thanks and happy holidays..
    « Last Edit: December 23, 2019, 04:25:46 pm by supperman »
     


    Share me

    Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
    Smf