Enabling options for R&S test equipment

[carver]

yes, on ebay - these FPC/HW options, like FPC-B2 are sold as SW.

https://www.ebay.com/itm/363414986320

[Inside21]

and FPC-B3 (2-3 GHz) is SW option too
https://www.chipdip.ru/product/fpc-b3-2

[kendor]

Hello Pro's

I have a big problem... I used (https://github.com/rdelien/fsxx_keygen) to try to enable some options on my "FSEA 20".

I started entering all keys from 000, 001, .., 011. and it did enable FFT GSM EDGE, EMI receiver etc. however, upon entering the number of 012 it froze and when I rebooted the device now think it is an "FSIQ 3". 
 Anyone has a hint on how I get my "FSEA" back?

thanks

[analogRF]

Is this one too new for these hacks?

No but BW is a HW option.

all options on FPC including BW are software enabled. The brochure clearly says so and it is actually highlighted as one of their selling points

[ps]

I started entering all keys from 000, 001, .., 011. and it did enable FFT GSM EDGE, EMI receiver etc. however, upon entering the number of 012 it froze and when I rebooted the device now think it is an "FSIQ 3". 
 Anyone has a hint on how I get my "FSEA" back?

The easiest way is to restore the backup of your FSEA hard disk and start over, skipping the 012 key.

Otherwise, you would have to keep trying keys until you come across one that converts the personality back to an FSEA.

[Qw3rtzuiop]

Hello Pro's

I have a big problem... I used (https://github.com/rdelien/fsxx_keygen) to try to enable some options on my "FSEA 20".

I started entering all keys from 000, 001, .., 011. and it did enable FFT GSM EDGE, EMI receiver etc. however, upon entering the number of 012 it froze and when I rebooted the device now think it is an "FSIQ 3". 
 Anyone has a hint on how I get my "FSEA" back?

thanks

You should be able to change the identity via the attached service functions.

[OH2LIY]

Hi, all options are listed in OPTIONS.INI file (C:\R_S\INSTR\INI\OPTIONS.INI ,path may be wrong). Just remove option line...
3311386***; FSIQ
1124165***; W-CDMA BTS ANALYZER2331308513;
 ...

Ramppa

[smps]

for FSH3/FSH6 SA, is it possible to remove/disable an option ?  thanks

[kendor]

thanks for the hints. However, I can not enter the service menu anymore since the device seems to have different key assignments between spectrum analyzer and generator
what is the easiest way to access the HDD? I find it is burried underneath the powersupply and a pain to get out - or how do I get to edit the options.ini file?

[Robert763]

I have updated the source code of the Rohde & Schwarz FSP option generator in post 7 of this thread and put it on GitHub:
https://github.com/CatGenius/fsxx_keygen
It now contains all 200 seeds from API.DLL and it takes the serial number from the command line options.

If no instrument type is specified, it prints all 200 keys, generated from the serial number and the 200 seeds. If you have found some of these keys to activate any options, please report:

• Your instrument type (eg. FSEA20)
• The key number (a number between 0 and 199, not the actual key
• The number (eg. K10) and a description (eg. GSM MS Analyzer) of the option it enables

Please note I am not the original author of this software. I just extended it a bit.

EDIT.
Deleted a request for help . I did an new make and it worked

FSH3-13 (tracking generator) fairly late unit with Software 14.0
The input string was  ./keygen -s 123456/000  (replace 123456 with your FSH's six digit serial number). The FSH does not have a slash number but using 000 works.

The codes that worked were keys
001: 07225xxxxx  Demo Mode
002: 09689xxxxx  DTF B1
003: 27029xxxxx  Vector Calibration K2
004: 05650xxxxx  Remote Control K1
005: 40886xxxxx  Receiver Measurement K3
009: 01360xxxxx  Restricted Acc K60
010: 23507xxxxx  Calibration Allowed K15
I stopped at key 040 as there are no other options I'm aware of. Obviously the actual key numbers will be different for other units. Note that Demo mode only worked once. I presume it will work again once the 999hours have passed.

I'm very happy that in addition to a SA I now also have Scalar network analyser, Vector network analyser, Cable analyser (DTF) and a measurement receiver with CISPR bandwidths and quasi peak detection. 

[ZeusRDF]

Hello

I have a Rohde & Schwarz FSH4 .024 series, I see you had great success with the FSH3 model. 

I have tried the Python Scripts and also the Github and each time it gave me key results, but all 200 failed, and also the new updated posted Github c program with mods also failed.  I added the info "you" provided for the FSH models in the github program, compiled and got key results displayed but nothing worked still for the FSH4 i am working on.

The FSH4 does have a 024 after the serial number. 

I tried with the serial/024 and also /000 and nothing generated proper codes, all failed.

Is it possible the FSH4 has a different algorithm than the FSH3 do you think?  The 6 digit SERIAL NUMBER is basically the same setup, except I do have a /024 for a complete serial number - I tried it with /024 and also /000 still failed keys.  (mine is xxxxxx/xxx format)

*** IF ANYONE HAS A FSH4 and has successfully obtained the proper keys with the Py Script or C program, can you let me know how you managed to get it to work properly?  The FSH3 and FSH4 are very similar in all ways (except you mentioned you DIDNT have the /024 or anything after your serial so you entered /000 and everything worked great) lucky you.

I would greatly appreciate if someone who has had success with a FSH4 could share their process or mods to the scripts/c program that worked for you..... as I have spent several weeks with not one valid key, still working on it tho, patient.

Glad to hear someone with a FSH series had success!  Any others?

Hopefully others with a FSH4 or different FSH model can share their experiences also.

Thanks for your time & info and great thread for sure.. 

[carver]

these programs don't work for FSH4/ZVH4(8/etc) on the Orion platform.
the new keys should be three times as long.

even newer devices, like FSW/SMBV/etc, use the smart card, as your bank.

I have a Rohde & Schwarz FSH4 .024 series, I see you had great success with the FSH3 model.

[radiont]

Hi Guys,
             I have FSH8 option keys which were in my ZVH4 Analyser case when I purchased (Supplier Mistake I suspect) If anyone can use these let me know.
Please see attached Document i've blocked out serial number and complete keys.

email me direct.

radio@adsl.on.net

[Tek14]

Hello,

I have a CMU200 with base V5.20 and VersionManager V4.06. Tried to update it with option K29 AMPS. Downloaded IS1MV5.20.exe and unpacked it with the result folder IS1MV5.20 Installed it with R&S RemoteServiceTool V1.7.1. Everything seemed to be going well. But when CMU200 rebooted, I got the message: The version you selected is corrupt! (and so on). IS1MV5.20.exe was downloaded from https://gotroot.ca/cmu200/ Does anyone have any idea what might be wrong?

73 Anders SA0BDK

[carvalhoatx]

Sir. Try to download the last version of the Firmware and all version update info with R&S website.
Second. Once you cannot find with R&S website the suitable one version, message the support. They should fix this issue for you.
Kind regards,

[Tek14]

The problem is solved.
It turned out that my CMU200 was the older model with FrontModule FMR5 but it was equipped with base V5.20. Downgraded to version V5.10 and now it works as it should.

[ktgun]

Hi pro's!
Veeeeery interesting topic and so many great ideas! I'm newbie in these "options-encrypt/decrypt things", but for me its cool opportunity to improve skills. I have some experience in R&S, Agilent, Keysight, etc. test equipment, but never wondering about options stuff and how they produce, before saw this topic.
I've tested an old italian C-script from post #140 and it work's great with FSP, FSIQ, ESU, PR100, old-FSH.
Now i have in my lab few FSV and have an idea to activate some option for them. Only for science interest, of course)))
I make some little 'investigation' of R&S-software from FSV and FSVR with diassemblers like IDA-pro. Both SA have same software and it seems that main API is "RSCompassFramework.dll". The encrypt\decrypt options algo is similar RC4, but i'm not sure. Maybe somebody can clearify this moment?
But what i know exactly, is that active option keys contained in three files: InstrumentData.xls, InstumentData.dds and IstrumentData.mac. Last two have some HEX-text, looks like some checksum. If delete any of them, active option will dissapear from SA, until you will copy a backup of deleted file and rerun "AnalyzerFirmware.exe". I don't have these three files with none-default active option, but maybe somebody will share it to look difference between HEX-text of default and none-default SA files?
And finally the most interesting moment:
I maked a full memory-dump for my FSV with AcessData FTK Manager, open it with WinHEX and gather all text. Then wrote little simple script in python 3.8 to filter from result text 30-digit sequences:

import re
import tkinter as tk
from tkinter import filedialog
root = tk.Tk()
root.withdraw()
file_path = filedialog.askopenfilename()
pattern = re.compile('^\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\d\W')
f = open(file_path)
for line in f:
    buff_line=line
    if (pattern.findall(buff_line)) == []:
        continue
    else:
        print(pattern.findall(buff_line))

It give me array with 18 sequences, where 2 of them was default-option keys from InstrumentData.xls. Like this:
['3735038260026847987220783*****\n']
['2825359980055994898912437*****\n']
['1324212018274908492608555*****\n']
['1613021472429378831233579*****\n']
['0397841781301905908232242*****\n']

I thought it was a succes, BUT none of other codes, except default, DIDN'T WORK!!!! Why? I don't know. What is these keys? I don't know too. Maybe some wise guys will tell me, where i was wrong?
I will procced with my investigations and will be very glad for some feedback.
P.S. I diggined many special SCPI-commands when dissasemble FSV dll's and want to try make some magic with them. If my resarch are interesting, i will be glad to post some thoughts here from time to time.

[R-S-chx]

hello,

The keygen works perfectly for:
FSH 3 serial number: 1018xx
FSH 6 serial number: 1006xx
thank you for your work
Tested for an RTM 1054 scope the serial numbers do not work
I will try with an FSL3 soon

[Jens01]

(...)

thank you for sharing your journey - i also own a FSV and i failed in unlocking more options using the methods mentioned in this thread. My unit does not have any software options, but does have the B3 audio demodulator and B9 tracking gen. I'm curious to see if there is a way to unlock SW options since these units are very powerful (and the options very expensive for hobbyist..). Please let me know if i can help you in some way.

[randolfss]

With a memory dump, it is likely possible. For the devices like the FSV/RTM/RTB/RTH/SMU/... that use RSCompassFramework, you need encryption keys that are unique to your individual device, so a universal keygen like in this thread is not possible. A memory dump should include the keys though if you know what to look for. The other thing you need is the mapping from "option index" to the actual option types/descriptions. If you have a device with installed options, you can get the option indexes from the output of the SCPI command :DIAGNOSTIC:PRODUCT:OPTION:LIST? (and can tie the option keys back to option descriptions with :SYST:DFPR? if needed). Otherwise you would have to find the table mapping the option indexes by reversing the firmware.

[Astralix]

Hi!

Recently restored an SMIQ03B and wonder if there is a solution for getting the B57 and B60 option going? I have seen some discussion for the AMIQ so I tried the github code. But the FME code gives me 10 digit codes and the UPL version only 5 digits.
But it looks like the SMIQ wants to see 6 digits? I guess, one of the units to repair does have at least one software option, so if that helps and I get some assistance, I can provide necessary input to the developers of the codes...

[tv84]

I've finally figured out the SMIQ/SME license construction.

In the process I learned here that the Factory Key is used to determine the Model type of the device.

So, with the right HW inside the device, we can change the device model by inserting the correct Factory Key. The other option keys will remain the same.

The license algo is a very basic hash based on the S/N. Don't know if it has any similarities to AMIQ licenses...

[tv84]

...continuing from last post:

The AMIQ licensing is totally different from the SMIQ licensing. It's a MD5 hash based on the S/N.   

[tv84]

So, with the right HW inside the device, we can change the device model by inserting the correct Factory Key. The other option keys will remain the same.

Here is the proof, of a SMIQ 04B transformed into a 06B just by inserting the corresponding Factory Key. Not a random mistake.

[Bicurico]

Top!