There are these SCPI commands :
DIAGNOSTIC:PRODUCT:OPTION:STATUS
DIAGNOSTIC:PRODUCT:OPTION:LIST
DIAGNOSTIC:PRODUCT:OPTION:ENABLE OFF ON
DIAGNOSTIC:PRODUCT:OPTION:FACTORY:CLEAR
DIAGNOSTIC:PRODUCT:MNUMBER:SET
Obviously I would not try CLEAR... but STATUS/LIST and ENABLE seem interesting...
Regarding reverse engineering, if the ENABLE command asks for a key, it could be possible to statically decompile the code and look at what checks are performed. This could yield to the key algorithm.
I don't have an RTB - I am waiting to see where this thread goes before maybe getting one. Someone wants to try these commands ?
PS: Oh and MNUMBER can be promising... maybe it allows changing the model number to... a higher bandwidth version ?