Author Topic: DPO3000 Hacks  (Read 33909 times)

0 Members and 3 Guests are viewing this topic.

Offline FivePoint0Topic starter

  • Contributor
  • Posts: 28
DPO3000 Hacks
« on: January 12, 2015, 10:38:27 pm »
I know people on here love the Rigols, but . . .

Are there any hacks for the DPO3000?  Been offered one at a reasonable price and it appears the 100 MHz and 500 MHz are the same hardware . . .
 

Offline TopLoser

  • Supporter
  • ****
  • Posts: 1925
  • Country: fr
Re: DPO3000 Hacks
« Reply #1 on: January 12, 2015, 10:52:25 pm »
Well the plug in option modules are easily... erm... replicated!

Not heard of a bandwidth upgrade yet.
 

Offline FivePoint0Topic starter

  • Contributor
  • Posts: 28
Re: DPO3000 Hacks
« Reply #2 on: January 14, 2015, 09:37:53 pm »
Yet all the bandwidth upgrade needs is for the user to type in a key.

Shame.  I'd buy it just for the hack!
 

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 837
  • Country: es
Re: DPO3000 Hacks
« Reply #3 on: April 22, 2015, 10:53:40 pm »
Looks like some things (including BW upgrade) can be done over GPIB, but I don't have a scope to verify. Somebody willing to try?

Some interesting commands:
:PASSWord "password"- enable special modes
  Valid passwords:
  "XYZZY" - "user's password"
  "INTEKRITY" - "backdoor password" (this is the right one for other "backdoor" mode commands)
  "PUBLIC" - "public password"
  "TRESPASS" - "developer password"
  "MKTDEMO" - ???

:SETMODELID id - set model
  Valid IDs:
  0 - MSO/DPO3012 (MSO/DPO is selected by digital channels presense)
  1 - MSO/DPO3014
  2 - MSO/DPO3032
  3 - MSO/DPO3034
  4 - MSO/DPO3052
  5 - MSO/DPO3054

:HWAccountant:SERIAL - get/set serial number

:HWAccountant:INSTRumentid - get instrument id (no set here, it is generated from model+serial)

:HWAccountant:ACQBandwidth bw - bandwidth upgrade
  valid values:
  300
  500

:ARMDEMO pass, num_days - activate demo mode
   pass: "DontMakeTheWookieMad"
   num_days 1-30
 
The following users thanked this post: dzseki

Offline _Sync_

  • Contributor
  • Posts: 13
Re: DPO3000 Hacks
« Reply #4 on: May 26, 2015, 12:05:20 pm »
I cannot get these to work and my IDA skills are too bad to figure out what is happening.

As I said in the other thread, there should also be a debug console avalible that is accessible through TCPIP but I cannot figure out how to connect to it....
 

Offline j_hallows

  • Newbie
  • Posts: 8
Re: DPO3000 Hacks
« Reply #5 on: June 01, 2015, 10:13:21 pm »
I cannot get these to work and my IDA skills are too bad to figure out what is happening.

As I said in the other thread, there should also be a debug console avalible that is accessible through TCPIP but I cannot figure out how to connect to it....

This is for the DPO3000/MSO3000 not MDO3000. Different hardware.

These commands can be sent via TekVisa to the DPO3000/MSO3000.
 

Offline Jwalling

  • Supporter
  • ****
  • Posts: 1517
  • Country: us
  • This is work?
Re: DPO3000 Hacks
« Reply #6 on: June 02, 2015, 10:30:47 am »
I cannot get these to work and my IDA skills are too bad to figure out what is happening.

As I said in the other thread, there should also be a debug console avalible that is accessible through TCPIP but I cannot figure out how to connect to it....

Just a guess, but maybe Telnet? I have an MSO3034 -  I'll give it a try later today and see what happens.

Jay
Jay

System error. Strike any user to continue.
 

Offline Jwalling

  • Supporter
  • ****
  • Posts: 1517
  • Country: us
  • This is work?
Re: DPO3000 Hacks
« Reply #7 on: June 02, 2015, 05:06:46 pm »
I cannot get these to work and my IDA skills are too bad to figure out what is happening.

As I said in the other thread, there should also be a debug console avalible that is accessible through TCPIP but I cannot figure out how to connect to it....

Just a guess, but maybe Telnet? I have an MSO3034 -  I'll give it a try later today and see what happens.

Jay

OK, so using telnet didn't work, but using my browser (Firefox) brings up a Tektronix menu.
I selected the tab "DATA" and I'm able to talk to the scope using GPIB commands.
I then sent the following per abyrvalg's post:

:SETMODELID 5
:HWAccountant:ACQBandwidth 500

Then power-cycled the unit. It did not make any changes.
So I used the back door password first:

:PASSWord "INTEKRITY"
:SETMODELID 5
:HWAccountant:ACQBandwidth 500

Then power-cycled the unit again. Still no change. I'm probably doing something wrong; I'm an idiot when it comes to stuff like this...  :-//

Jay
Jay

System error. Strike any user to continue.
 

Offline Jwalling

  • Supporter
  • ****
  • Posts: 1517
  • Country: us
  • This is work?
Re: DPO3000 Hacks
« Reply #8 on: June 02, 2015, 05:13:53 pm »
I cannot get these to work and my IDA skills are too bad to figure out what is happening.

As I said in the other thread, there should also be a debug console avalible that is accessible through TCPIP but I cannot figure out how to connect to it....

Just a guess, but maybe Telnet? I have an MSO3034 -  I'll give it a try later today and see what happens.

Jay

OK, so using telnet didn't work, but using my browser (Firefox) brings up a Tektronix menu.
I selected the tab "DATA" and I'm able to talk to the scope using GPIB commands.
I then sent the following per abyrvalg's post:

:SETMODELID 5
:HWAccountant:ACQBandwidth 500

Then power-cycled the unit. It did not make any changes.
So I used the back door password first:

:PASSWord "INTEKRITY"
:SETMODELID 5
:HWAccountant:ACQBandwidth 500

Then power-cycled the unit again. Still no change. I'm probably doing something wrong; I'm an idiot when it comes to stuff like this...  :-//

Jay

OK, it's confirmed, I am an idiot.  :-/O Remove the quotes around the password:
:PASSWord INTEKRITY
:SETMODELID 5
:HWAccountant:ACQBandwidth 500

Voila, it reports that it is a MSO5054!

Thank you very much abyrvalg!  :clap: Now to do some bandwidth testing!

Jay
Jay

System error. Strike any user to continue.
 
The following users thanked this post: analogRF

Offline abyrvalg

  • Frequent Contributor
  • **
  • Posts: 837
  • Country: es
Re: DPO3000 Hacks
« Reply #9 on: June 02, 2015, 09:10:59 pm »
Great! :-+ Try ARMDEMO also - my guess it should enable all options for a specified number of days.
 

Offline Jwalling

  • Supporter
  • ****
  • Posts: 1517
  • Country: us
  • This is work?
Re: DPO3000 Hacks
« Reply #10 on: June 03, 2015, 05:21:40 pm »
Great! :-+ Try ARMDEMO also - my guess it should enable all options for a specified number of days.

Huh. That didn't seem to work...

I tried both:
:ARMDEMO DontMakeTheWookieMad, 30
:ARMDEMO DontMakeTheWookieMad 30

Wasn't sure about the comma...
My firmware revision is 2.07 - perhaps that may play into the equation as it's rather old.

In other news, with a 500MHz 600mV signal applied from my signal generator to each channel in 50 Ohm mode, all four channels measure a minimum of 520mV, so the scope exceeds the specification of a MSO5054. In fact, the amplitude is not what falls below spec first, but the triggering. at about 550MHz, the trigger starts becoming unstable.
Nice!

As a side note, my scope has a number of errors from 2010 that I'd like to clear. I've looked through the operators, programming, and service manual and did not find anything on what command(s) might do this. Would you or anyone esle ahppen to know how to clear them?
Many thanks again!  ;D
Jay
« Last Edit: June 03, 2015, 05:31:33 pm by Jwalling »
Jay

System error. Strike any user to continue.
 

Offline j_hallows

  • Newbie
  • Posts: 8
Re: DPO3000 Hacks
« Reply #11 on: June 04, 2015, 02:32:33 am »
Quote
I tried both:
:ARMDEMO DontMakeTheWookieMad, 30
:ARMDEMO DontMakeTheWookieMad 30

Did you do:

Code: [Select]
:PASSWord INTEKRITY
First?

Quote
In other news, with a 500MHz 600mV signal applied from my signal generator to each channel in 50 Ohm mode, all four channels measure a minimum of 520mV, so the scope exceeds the specification of a MSO5054.

Does it say MSO5054 or MSO3054?
 

Offline Jwalling

  • Supporter
  • ****
  • Posts: 1517
  • Country: us
  • This is work?
Re: DPO3000 Hacks
« Reply #12 on: June 04, 2015, 05:27:34 pm »
Quote
I tried both:
:ARMDEMO DontMakeTheWookieMad, 30
:ARMDEMO DontMakeTheWookieMad 30

Did you do:

Code: [Select]
:PASSWord INTEKRITY
First?

Quote
In other news, with a 500MHz 600mV signal applied from my signal generator to each channel in 50 Ohm mode, all four channels measure a minimum of 520mV, so the scope exceeds the specification of a MSO5054.

Does it say MSO5054 or MSO3054?

I tried with :PASSWord INTEKRITY first and that didn't make any difference.
I updated the firmware to 2.40, no difference.
Oops. - that was a typo (or perhaps wishful thinking!  ;) Yes, it reports itself as a MSO3054.

The error logs can be retrieved with:
:ERRlog?
:ERRlog:NEXt?

There's two other references in the firmware with regards to the error logs.
:ERRlog:CLEar and :ERRlog:FILL
The CLEar doesn't seem to work.
FILL does not seem to do anything either.

Jay
Jay

System error. Strike any user to continue.
 

Offline j_hallows

  • Newbie
  • Posts: 8
Re: DPO3000 Hacks
« Reply #13 on: October 04, 2015, 01:44:59 pm »
I just saw this on E-bay, (see attached Picture).

So I guess we have the wrong sequence for activating the modules.
« Last Edit: October 04, 2015, 01:46:56 pm by j_hallows »
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #14 on: December 05, 2015, 02:33:14 pm »
Hi together,

HWAccountant:ACQBandwidth 500

indeed works fine, a 100Mhz model suddenly can trigger without problems on a 500Mhz signal, but... when displaying for example the frequency of that signal, it says low resolution (+- 2.5V P2P, and it's from a Rohde&Schwarz generator, quite clean 500Mhz sine wave), so I'm not too sure that hack alone does it... the "low resolution" warning starts at around 155Mhz, which suggests there's another soft-limit somewhere that needs to be 'extended'...
My scope (MSO3014) has a serial > C020000, so definitely one that does NOT need Tek for the upgrade...

The ideal way would be to find out how the key is generated for the 500Mhz upgrade, because the scope's firmware definitely knows what to do when upgrading...
Maybe some similar routines as for the MDO3000 ?? (if I got it right, the MDO3xxx option modules now contain not stupidly the option's name, but some encrypted form of it... so maybe the key generated by Tek for the DPO3K BW upgrade uses similar or identical routines...??)

 

Offline Marchello

  • Contributor
  • Posts: 29
  • Country: ru
Re: DPO3000 Hacks
« Reply #15 on: December 05, 2015, 03:31:19 pm »
Is it possible to hack MSO4034?  (not B version)

Best regards!
Mark
 

Offline robert_

  • Regular Contributor
  • *
  • Posts: 151
  • Country: de
Re: DPO3000 Hacks
« Reply #16 on: December 05, 2015, 06:29:55 pm »
Cant answer to this, but as i have a MSO3014, C02* at work, i did hack it some months ago. Worked fine, and bandwidth did improve, although it doesnt seem to meet the 3054 risetime spec. I measure around 1ns on a fast rise pulse, which measures around 600ns on a HDO6054 (samne on an old TDS7054), which would suggest around 350-400Mhz. Still a huge improvement over the standard 100Mhz, and enough to get my work done properly (where im dealing with around 3ns edges).

As for the options, i did install them the old way. Program one of these option modules (TDS3FFT borrowed from an old TDS3k, not needed anymore) with the option needed, insert in scope and transfer the licence from the module to the scope, reprogram with next option and repeat.
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #17 on: December 06, 2015, 03:31:33 pm »

And btw, these changes seem impossible to roll-back...  so be careful playing around with this...  ;-
But if anyone has managed to undo such changes, comments are welcome...
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #18 on: December 06, 2015, 05:17:29 pm »
@Marchello...

Don't think so... DPO4K's are not bandwidth upgradeable, and other Tek models have shown to have high-pass filters in hardware to differentiate models (same board, but a few different components...), so a bandwidth upgrade is possible in theory (up to 500Mhz for the 2.5GS/s models), but definitely requires hardware changes, and to my knowledge, these have never been attempted, nor documented anywhere...
 

Offline Marchello

  • Contributor
  • Posts: 29
  • Country: ru
Re: DPO3000 Hacks
« Reply #19 on: December 07, 2015, 10:56:42 am »
Ok. Thanks to all!
I activated all options. (sim card holder + 24C08 + PICKITII + few strings)
BW let it be 350 MHz...

Best regards!
Mark
 

Offline tmbinc

  • Frequent Contributor
  • **
  • Posts: 253
Re: DPO3000 Hacks
« Reply #20 on: December 07, 2015, 10:01:28 pm »
I did bandwidth-update my DPO5034 (they have 5GS/s even for the 350MHz models) by removing the lowpass (on one channel), see http://debugmo.de/2013/03/whats-inside-tektronix-dpo5034/ .

I also hacked my DPO4034 (non-B) to "more" bandwidth by hacking the executable - not a nice hack by any means. The DPO4034 has the pre-amp which the DPO4034B and DPO5034(B) lack; but it only has 2.5GHz so that limits the usefulness a bit.
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #21 on: December 10, 2015, 09:03:41 pm »

Once again, if anyone knows of other :HWAccountant:xxxxx commands....  please let us know... there's definitely something missing by setting only the Acquisition bandwidth to 500...

Or alternatively: where did Abyrvalg get this ??? Is there a chance to find more about these commands by disassembling the binaries ?? Or was that some 'insider info' ???
 

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Re: DPO3000 Hacks
« Reply #22 on: December 11, 2015, 09:47:18 am »
Know any tricks for TDS5000B?  ::)
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: DPO3000 Hacks
« Reply #23 on: January 18, 2016, 08:35:37 am »

There are "tricks" for the TDS7000B (and others), I can't imagine why the code would be that much different for the TDS5000B...
But it looks like every model series has its own encryption key(s) and options bitmasks, so disassembling the code and finding those would always be step 1...

The logic is always the same... a key is an encryptet version of a bitmask (every bit set being a specific option), coded using the device ID and an (AES) encryption key.

So you (just  ;-) need the bitmasks for the different options, the logic to generate the unique device ID, and the AES key...

 

Offline klaus11

  • Supporter
  • ****
  • Posts: 156
  • Country: 00
Re: DPO3000 Hacks
« Reply #24 on: January 19, 2016, 10:42:57 am »

There are "tricks" for the TDS7000B (and others), I can't imagine why the code would be that much different for the TDS5000B...
But it looks like every model series has its own encryption key(s) and options bitmasks, so disassembling the code and finding those would always be step 1...

The logic is always the same... a key is an encryptet version of a bitmask (every bit set being a specific option), coded using the device ID and an (AES) encryption key.

So you (just  ;-) need the bitmasks for the different options, the logic to generate the unique device ID, and the AES key...



Thank
HP3458A, HP3245a, Keithley 2000, Fluke 87V, Rigol DP832, TEK TDS5052B, HP33120A
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf