MDO3000 hacking

[MaxwellsSilverHammer]

Hi, my first post here. 

I am confused with options of :
xxxMHz bandwidth
Upgrade bandwidth from xxxMHz to xxxMHz

What are the difference?

And from the manual ("1 GHz upgrades require Tek Service installation and option IFC...", on page 15) and also the following video at 2:10 to 2:30
https://www.youtube.com/watch?t=130&v=VFX47ZGOn_o

The 1GHz option needs to send to service centre for hardware change.
And MDO3000 max bandwidth is 1GHz, so what is the meaning of 2GHz option
for the key?

And can the key be changed or removed?

Yes, that is correct on some models, for example the 100MHz 3000 model is upgradeable to 500MHz. Beyond this you need to send it in for a hardware upgrade to get 1GHz.

Yes, you can downgrade based on the options you select.

[klaus11]

According to data sheet no distinction between models, if the instrument is less than 1GHz must go through SC.Upgrade 500MHz 2.5GS/s 

"lnslrument bandwidth can be upgreded on any MD03000 Series product after initial purchase. Each
upgrede product inaeases
analog bandwidlh and spaclrum analyzer frequency renga. Bandwidlh upgredes are purchased basad on
the combination of lhe current bandwidth and the desired bandwidth. Bandwidth upgrede products
include new analog probes if applicable. Software oplion key products depend on inslrument model
and serial number oombinalion. Bandwidth upgredes up to 500 MHz can be performed in the field,
while upgrades to 1GHz requireinstallation at a Tektronix service center."

[_Sync_]

Did somebody look at how to activate the debug console?

There is evidence that you can activate one through GPIB. Also there seems to be a physical serial port hidden inside the unit, I suppose they are on the IDC headers. I think there is still a bit more to explore in those scopes....

[AlefSin]

Hi,

I found some good promotions for MDO3014 on few websites. So to be clear, all I need is the python script plus the procedure documented here to enter the key?

http://www.tek.com/worldwide-page/how-install-and-access-dvm-option-your-mdo3000-series-product

If yes, then all I need is a set of 500 MHz probes

[TopLoser]

Yes, very quick and simple. Plug in a USB keyboard to make it even easier because the generated key is quite long!

[Howardlong]

Is anyone aware of the hardware makeup of the LA probe option (MDO3MSO) on this scope?

For example. is it active, or a passive solution similar to the Agilent/Keysight 54620-61601 pods? The loading looks almost identical (100k//8pF) if that's anything to go by, but I fear that's seems to be a semi-standard LA probe loading specification.

[TopLoser]

It's the connector that seems to be the main problem, very deeply recessed. Send one to Fraser/Aurora and get it xrayed to confirm what's lurking inside?

[Howardlong]

It looks like the option is a liberation stick plus a P6316 probe. If that's the case, the probe on its own is 1/3 the price of the liberation stick plus probe option.

[TopLoser]

You can buy the probe on its own? That's interesting... please confirm if you manage to order one.

[TopLoser]

I've bought a few new ones for £300 ish from Farnell, they didn't come with anything other than the probe and grabbers.

[Howardlong]

I've bought a few new ones for £300 ish from Farnell, they didn't come with anything other than the probe and grabbers.

That was where I looked for pricing between the MDO3MSO and just the P6316, I am sure a man of your position is able to organise a reasonable discount anyway ;-)

[TopLoser]

I've bought a few new ones for £300 ish from Farnell, they didn't come with anything other than the probe and grabbers.

That was where I looked for pricing between the MDO3MSO and just the P6316, I am sure a man of your position is able to organise a reasonable discount anyway ;-)

I felt like I was being anally raped paying almost punter prices! Send me a pm if you can't get a discount elsewhere.

[Howardlong]

I haven't decided to get the scope yet! Farnell out of stock of the MDO3014 for a couple of months it would appear.

It's not like I need another scope, but that hasn't stopped me before.

[nctnico]

I don't see how the MDO3000 can match up with the Agilent MSO7104 you have. 

[Howardlong]

I took a P6316 MSO/LA probe apart this afternoon. This is a 16 channel probe designed to work with a number of Tek MSO/MDOs, including the MDO3000 with the MSO option. It can be purchased either with the appropriate option or on its own separately from the MSO option.

http://www.farnell.com/datasheets/1797423.pdf

In the short space of time I've used it on the MDO3000, there are pros and cons.

On the plus side, the cable has colour coded pins adhering to the resistor colour code with just tiny ring clips on each probe end, rather than larger markings sometimes used which get in the way when probing closely spaced and/or dense connections. The 10Mpts is pretty good, I was looking at > 22,000 frame listing of 16 bytes of 50MHz SPI earlier today.

On the negative side, the length of the probe leads isn't great if you operate the scope above your monitor rather than on the bench as I do, it's a choice of either having the cable get in the way in front of the monitor, or try to dress it around the side but then the DUT is placed a bit inconveniently. The sample rate on the digital side on the MDO3000 is marginal for me, at 500MSa/s, occasionally I do look at clock rates just beyond 200MHz in the digital domain. Most irritating is the sluggishness of the scope particularly when dealing with long record lengths. Sluggishness seems to be the order of the day though, even something simple like moving traces up and down has a very noticeable lag on this scope, but I digress.

Back to the P6316 Digital Probe.

It comprises of a scope connector (40 pin 0.8mm pitch double sided PCB), then two separate ~84cm 8 channel cable pairs to the logic probe interface 2x8 pin 0.1" receptacle. I assumed they were each individually coaxially screened, but on closer inspection there was no visible evidence of this, although the cables are glued down impeding better viewing: they look simply to be twisted pair. Finally there's a short "Lead Set", part number 196-3508-00, for each 8 channel cable, comprising of a 2x8 pin 0.1" mating jack, two 8cm ground leads and eight 15cm probe leads.

Taking each part apart demands some patience with a selection of spudgers. The cases are all two part, and the halves are glued together with a small amount of super glue, so care is needed. The enclosures on the main cable aren't too hard to prise apart but the "Lead Set" box I had to put in a spare 0.1" 2x8 mating receptacle to get enough purchase with the spudgers to prise the halves apart without bending the pins.

Inside the scope end connector there's nothing other than a PCB with the cables connected. Good so far.

Inside the enclosure at the other end, there's a small passive circuit comprising of two resistors and a capacitor for each channel.

For the Lead Set, there is nothing component-wise.

I also checked to see if there was anything not quite so obvious, as can be the case in scope probe voodoo. It turns out that the 84cm cable has an inline 200 ohm DC resistance on the signal connections, and the 15cm leads on the Lead Sets have a 100 ohm DC resistance. All ground returns are zero ohms.

I would imagine that it would be possible to be able to fabricate a board up to make an old LA probe work reasonably well, the impedance matching and 10:1 factor seem to be similar features between this and Agilent LA probes such as the venerable 54620 probes that are still very common today and are still used on current Keysight MSOs. You might even get away with fabricating an entire probe, but that inline resistance is in there for a reason, there's a really old Tek document about it somewhere that I can't locate right now, but it's also covered here http://www.dfad.com.au/links/THE%20SECRET%20WORLD%20OF%20PROBES%20OCt09.pdf. I don't know if the Agilent/Keysight probes have this distributed resistance too, they do have a fancy woven cable on the two examples I have so I wouldn't be surprised.

Teardown...

Scope connector, nothing much to see here other than 0.8mm pitch, double sided PCB connector.


Top of scope connector is for group 2 inputs, D8-D15


Bottom of scope connector is for group 1 inputs, D1-D7


Top of one of the two probe ends of scope lead, showing the three passives.


Bottom of one of the two probe ends of scope lead: the "B" was written on by me, but the soldering is a bit "how you doin'"


Top of the "Lead Set"


Bottom of the Lead Set for completeness, I didn't take this bit apart, too much glue to take off and re-apply.


DaveCAD

[Carrington]

Yeah! Take it apart!

Edit:

It is a coaxial cable!    Isn't a twisted pair?

I assumed they were each individually coaxially screened, but on closer inspection there was no visible evidence of this, although the cables are glued down impeding better viewing: they look simply to be twisted pair.

Sorry, it was the excitement. 


Very similar to Agilent LA probes:



No idea about the cable resistance.

[Howardlong]

If anyone's in the market for the ACD3000 soft carry case for the MDO3000, there are a couple of demo ones left at substantial discount (£92 down from £186 ex VAT) at http://www.sjelectronics.co.uk, product code "ACD3000/DEMO". Still not "cheap", but then neither is the scope.

[Howardlong]

This is a link to that old Tek article (from 1969) that I referred to that talks about using lossy coax http://www.davmar.org/TE/TekConcepts/TekProbeCircuits.pdf

[coflynn]

The sample rate on the digital side on the MDO3000 is marginal for me, at 500MSa/s, occasionally I do look at clock rates just beyond 200MHz in the digital domain.

Did you look at the MagniVu feature too? While it limits your number of samples considerably (I think 10k), you get around 8GS/s sample rate according to their literature. Curious how well it works in practice, don't have the probe set/option enabled to try out myself.

[Howardlong]

The sample rate on the digital side on the MDO3000 is marginal for me, at 500MSa/s, occasionally I do look at clock rates just beyond 200MHz in the digital domain.

Did you look at the MagniVu feature too? While it limits your number of samples considerably (I think 10k), you get around 8GS/s sample rate according to their literature. Curious how well it works in practice, don't have the probe set/option enabled to try out myself.

This is a good point, and as I've delved further into this scope, it's been largely a case of swings and roundabouts. The 500MS/s has been sufficient for what I've used it for so far in the few days I've had it, so I haven't needed to use MagniVu, but I understand it only works within 10k pts of the trigger. Whether that's a limitation practically for me I don't know yet, and to be fair it is only occaionally I would benefit from an LA sampling rate over 500MSa/s.

I've been making a quite extensive list of pros and cons on this scope, I'll do a post on it soon, but for now here is the worst and best thing...

Worst has to be the UI, is Tek incapable of coming up with an intuitive and performant UI on a DSO? The last of the Tek analogue scopes were just so good in this respect (apart from understanding some of those lesser used delayed timebase modes). But the DSOs apart from the entry level units have never been well organized or responsive in my experience. The MDO3000's UI is quite modal, lacks consistency and frequently obscure the trace with unnecessary windows.

What is the best thing about it I found so far? The VESA mount at the back! I have the scope on a quick release gas spring monitor arm and can position it anywhere on the bench, and take up no desk space. Awesome, all TE of this form factor should have a VESA mount as standard IMHO.

[steffenmauch]

Can someone tell me how I can activate the DEBUG console via GPIB or how to get the real signals from a header inside the scope?

[G33KatWork]

There is a debug shell on the MDO3000, but be careful what you do there! You may delete your calibration data.

Connect to the GPIB Shell on Port 4000 using telnet or netcat.

Code: [Select]

:PASSWord INTEKRITY
:MFG:MODe 1
:MFG:MODe?The last command should return a 1. This indicates, you are in MFG-Mode. You can leave it again with the parameter 0 when setting the mode.
You can also leave it via the menu: Utility -> Self test -> Error Log -> Manufacturing Mode -> Off.

There is an even more privileged mode which gives you a few more menus. The engineering mode. Once you enabled the MFG-Mode, go to: Utility -> Self test -> Warm Up Timer & Monitor -> Engineering Mode -> On
Doesn't gain you that much I think, it's been a while since I enabled it.

Anyway, a more interesting feature in MFG-Mode is the debug shell. You can reach it via telnet on port 1072.
If you want to execute Linux commands, you can do so on this shell if you redirect stdout and stderr beforehand:

Code: [Select]

utilConsoleRedirect 1 1
utilConsoleRedirect 2 1
After that you can execute arbitrary commands (replace spaces with a backslash):

Code: [Select]

utilShell cat\/proc/cmdline
I've been reversing the Tek-Firmware for quite some time now.
I also reversed their boot procedure and misused their updating mechanism to create a USB-stick from which the scopes boots with an ssh server and all that jazz. It's almost unbrickable now (as long as I don't touch the bootenv, u-boot or the kernel) and I have a backup of all the sensitive data like the calibration data and so on. The USB-stick thing is not something you need if you don't know exactly what you do, to be honest.

Please be careful with everything you do. The possibility for a brick is pretty high and I'm not going to fix your stuff!

edit: Oh, I think that there is a feature in the engineering mode in the File Utilities to make a backup of your filesystem on an USB-stick. But when I looked at the code, it does the weirdest things. While doing the backup, it ERASES the calibration data. After the backup, the calibration data is restored from the backup. So again: BE CAREFUL. If you cannnot resist the urge to hit that button, DO NOT TURN OFF YOUR SCOPE! Wait for the operation to finish!

The best thing to do is to disassemble the firmware and look at every command before you execute it, so that you know at least roughly know what it does.

[steffenmauch]

Well thank you very much.
I do not want to execute commands in the shell instead I want to see the debug strings which are visible in the binary.
I hope to find some hints about the checksum of the 1-wire chip of the passive probes.
Or do you know the mechanism or where to start digging?

[Howardlong]

The sample rate on the digital side on the MDO3000 is marginal for me, at 500MSa/s, occasionally I do look at clock rates just beyond 200MHz in the digital domain.

Did you look at the MagniVu feature too? While it limits your number of samples considerably (I think 10k), you get around 8GS/s sample rate according to their literature. Curious how well it works in practice, don't have the probe set/option enabled to try out myself.

The MagniVu feature I tried yesterday. It does indeed take the sampling down to a 121ps period (an impressive 8.2GSa/s), but at the expense of memory: only 10k points are used around the trigger pont, there is nothing else displayed, so it's a case of either using 10k points MagniVu or up to 10Mpts 500MSa/s, but not both att he same time. In practical terms I don't see this as a problem for what I do, becuase if I'm digging into that sort of time granularity I'd be looking at things like setup and hold times which don't often need deep memory. For long serial decodes, there's typically no need for >500MSa/s. The scope slows down markedly when in MagniVu, in particular when zoomed, which is going to be a very typical use case. I am not sure why this slowing down occurs, as I understand it MagniVu is a real time hardware oversampling technology, not software.

Typically when using MagniVu you'll notice significantly less jitter on the edges. In retrospect, it's a nice additional feature, but as with a lot of things on this scope, when you start digging into the detail, it becomes quite modal, in other words you can use a given feature x, but not at the same time as feature y. In this case, you get 8.2GSa/s sample rate but only with a maximum 10kpts.

[Romedp]

All hello!
Excuse for my English.
I want to buy MDO3014. I have the "mdo 3k gen" file (compiled).
In the menu of an oscillograph there are two lists of options:
1 Application Modules (MDO3AERO,MDO3AUDIO, MDO3AUTO etc.)
2 Options (MDO3AFG,MDO3MSO, etc.)
I don't understand their difference. What can I activate keys and what I can't?