Author Topic: Someone has hacked MDO4000C?  (Read 23662 times)

0 Members and 2 Guests are viewing this topic.

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5411
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #25 on: December 23, 2019, 07:56:44 pm »
Thank you so much @Howardlong. That is super helpful.

So you made a small hardware device that runs your codes.. that is super cool!

Do you remember what python versions you are running to make it run? Operating system/python version/crypto version? (Edit: I see now there are links in the "link" on versions.. but probably still a good questions to ask)

So you would pay 2k to get rid of the red banner? :)  (Edit: A man with similar OCD as myself??)

Many thanks and happy holidays..

Python version was 2.7x but they seem to have the crypto included in some distros, certainly the one a did a few moths ago included it.

Regarding the 2k to “remove the banner”, it’s probably as much to do with resale value as it is my own OCD!
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 986
  • Country: ca
Re: Someone has hacked MDO4000C?
« Reply #26 on: December 25, 2019, 03:38:20 am »
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 986
  • Country: ca
Re: Someone has hacked MDO4000C?
« Reply #27 on: August 27, 2020, 06:07:45 pm »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3322
  • Country: pt
Re: Someone has hacked MDO4000C?
« Reply #28 on: August 28, 2020, 07:20:36 pm »
DPO4000 uses the same AES_key as DPO3000, so you can easily change the script to accommodate for it.

BTW:

dpo4kb_key = "\x2A\x62\x31\x9B\x7F\x06\x34\x2A\x90\x1F\x07\x64\x80\x6A\xDE\xC2"
mdo4kc_key= "\xC5\x6F\x22\xB2\x5E\x70\xF1\x30\xAF\x3E\xF3\x11\x88\x11\xBF\x1B"


Edit: If the mdo4kc_key in the python script is correct, then I must have something wrong in these 2 keys.

Maybe it's like this:

dpo4kb_key = FC A9 8B 9E EF FB 95 48 B1 ED F1 3A C4 09 83 75
« Last Edit: February 12, 2021, 10:40:04 pm by tv84 »
 
The following users thanked this post: analogRF

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 986
  • Country: ca
Re: Someone has hacked MDO4000C?
« Reply #29 on: August 28, 2020, 08:49:01 pm »
DPO4000 uses the same AES_key as DPO3000, so you can easily change the script to accommodate for it.

BTW:

dpo4kb_key = "\x2A\x62\x31\x9B\x7F\x06\x34\x2A\x90\x1F\x07\x64\x80\x6A\xDE\xC2"
mdo4kc_key= "\xC5\x6F\x22\xB2\x5E\x70\xF1\x30\xAF\x3E\xF3\x11\x88\x11\xBF\x1B"

I don't know any Python at all  :-//
So is it enough just to add/change these two lines :
Code: [Select]
dpo4k_key = "\x9B\x31\x62\x2A\x2A\x34\x06\x7F\x64\x07\x1F\x90\xC2\xDE\x6A\x80" ---->>> same as DPO3000
:
:
:
keys = (("DPO4000", dpo4k_key),("MDO3000", mdo3k_key), ("DPO3000", dpo3k_key), ("MDO4000B", mdo4kb_key), ("MDO4000C", mdo4kc_key))

or other changes are also needed?
« Last Edit: August 28, 2020, 08:58:02 pm by analogRF »
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: Someone has hacked MDO4000C?
« Reply #30 on: August 28, 2020, 09:43:40 pm »
... or you get yourself a little option module (some cheap TDS3FFT / TRG), and reprogram it for the options you need, one by one, and transfer these to the scope (no DPO4BND for the non-B DPO4K...)
 
The following users thanked this post: analogRF

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 986
  • Country: ca
Re: Someone has hacked MDO4000C?
« Reply #31 on: August 29, 2020, 01:11:42 am »
... or you get yourself a little option module (some cheap TDS3FFT / TRG), and reprogram it for the options you need, one by one, and transfer these to the scope (no DPO4BND for the non-B DPO4K...)

i didnt know the same modules also fit DPO4000  :-[  Do they, really?

what if I change the EEPROM in the module to something bigger like 24C16 and put several options in it at the same time?
is it possible? Based on what I had read about TDS3UAM hack for TDS3000, it was possible. I dont have any of those modules for now..

I still prefer to get the Python code running but don't know what changes other than those I mentioned in the previous post are required
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 986
  • Country: ca
Re: Someone has hacked MDO4000C?
« Reply #32 on: August 29, 2020, 01:20:12 am »
DPO4000 uses the same AES_key as DPO3000, so you can easily change the script to accommodate for it.

BTW:

dpo4kb_key = "\x2A\x62\x31\x9B\x7F\x06\x34\x2A\x90\x1F\x07\x64\x80\x6A\xDE\xC2"
mdo4kc_key= "\xC5\x6F\x22\xB2\x5E\x70\xF1\x30\xAF\x3E\xF3\x11\x88\x11\xBF\x1B"

why the mdo4kc_key is different than what is in the script? was the script wrong?
i dont have that scope but just curious...
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3322
  • Country: pt
Re: Someone has hacked MDO4000C?
« Reply #33 on: August 29, 2020, 08:14:48 am »
why the mdo4kc_key is different than what is in the script? was the script wrong?

I think mine is the correct (old) one. The "fake" in the code is definitely wrong.

I'm not sure that (new) key inside the python script is correct or maybe it's used in newer FWs. Only a MDO4000C owner can confirm this.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3322
  • Country: pt
Re: Someone has hacked MDO4000C?
« Reply #34 on: August 30, 2020, 05:16:49 pm »
Code: [Select]
dpo4k_key = "\x9B\x31\x62\x2A\x2A\x34\x06\x7F\x64\x07\x1F\x90\xC2\xDE\x6A\x80" ---->>> same as DPO3000
:
:
:
keys = (("DPO4000", dpo4k_key),("MDO3000", mdo3k_key), ("DPO3000", dpo3k_key), ("MDO4000B", mdo4kb_key), ("MDO4000C", mdo4kc_key))

or other changes are also needed?

Correct. But simpler could be just rewrite this one:

Code: [Select]
keys = (("DPO4000", dpo3k_key), ("MDO3000", mdo3k_key), ("DPO3000", dpo3k_key), ("MDO4000B", mdo4kb_key), ("MDO4000C", mdo4kc_key))
 
The following users thanked this post: analogRF

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: Someone has hacked MDO4000C?
« Reply #35 on: August 31, 2020, 02:31:31 pm »
... or you get yourself a little option module (some cheap TDS3FFT / TRG), and reprogram it for the options you need, one by one, and transfer these to the scope (no DPO4BND for the non-B DPO4K...)

i didnt know the same modules also fit DPO4000  :-[  Do they, really?


Yes, it's the same format... just that from the MDO onwards, the key was encrypted, but up to the DPO4000B, it was in clear text.
So for the DPO4000B, with DPO4BND, you're done, but for the DPO4000, you'd have to reprogram the module as many times as you want options. And no, you can't put more than one option in the module's eeprom (well, you could... but it wouldn't work, to my knowledge).
 
The following users thanked this post: analogRF

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 986
  • Country: ca
Re: Someone has hacked MDO4000C?
« Reply #36 on: September 02, 2020, 03:49:07 am »
I finally received the DPO4104, it has self test errors (see another thread on Repair section) but the scope seems to work pretty ok. so far I have not been able to find out what problem those errors cause

However, I want to enable the options and I had read all the MDO and DPO 3000/4000B/4000C hacking threads. Now that I have got the scope
I can see none of those methods and techniques are applicable really  :palm: |O

Let's say I generate the key with python script, then what? There is no place in this scope to enter any key  :palm: |O
Let's say I use the module programming, then what? there is no place to "transfer" the license to the scope  :palm: |O
so, unless there is a way to program a module (with a new larger EEPROM) with several options (similar to TDS3000) then I cannot see how these scopes can be hacked really.

Is there any way to do it through the SCPI commands? Telnet?
 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: Someone has hacked MDO4000C?
« Reply #37 on: September 11, 2020, 03:47:39 am »
I finally received the DPO4104, it has self test errors (see another thread on Repair section) but the scope seems to work pretty ok. so far I have not been able to find out what problem those errors cause

However, I want to enable the options and I had read all the MDO and DPO 3000/4000B/4000C hacking threads. Now that I have got the scope
I can see none of those methods and techniques are applicable really  :palm: |O

Let's say I generate the key with python script, then what? There is no place in this scope to enter any key  :palm: |O
Let's say I use the module programming, then what? there is no place to "transfer" the license to the scope  :palm: |O
so, unless there is a way to program a module (with a new larger EEPROM) with several options (similar to TDS3000) then I cannot see how these scopes can be hacked really.

Is there any way to do it through the SCPI commands? Telnet?

having all options enabled in the TDS3000 is not a matter of having a larger eeprom, that works with the ‘engineering option’ TDS3ENG, a bit like the official option bundle DPO4BND (unfortunately not in the pre-B models). Not having the menu to transfer a module’s license into the scope is most probably a FW version issue (got 2.68 ?).
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 986
  • Country: ca
Re: Someone has hacked MDO4000C?
« Reply #38 on: September 27, 2020, 08:06:11 pm »
Is the bandwidth on DPO4000B software upgradable? I dont mean to 1GHz but something like 350MHz to 500MHz or 100MHz to 350MHz
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5411
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #39 on: September 28, 2020, 10:10:38 am »
I don’t have a 4000B, but I believe so.

I have a recollection that some 4000Bs can be liberated to 1GHz if they have the right hardware.
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 986
  • Country: ca
Re: Someone has hacked MDO4000C?
« Reply #40 on: September 28, 2020, 10:55:02 am »
I don’t have a 4000B, but I believe so.

I have a recollection that some 4000Bs can be liberated to 1GHz if they have the right hardware.

can anybody confirm? even upgrade to 500MHz is good. there is no official lupgrade option in the datasheet
but since MDOs had BW upgrade I though DPO4000B probably have it too
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5411
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #41 on: September 28, 2020, 11:56:25 am »
I don’t have a 4000B, but I believe so.

I have a recollection that some 4000Bs can be liberated to 1GHz if they have the right hardware.

can anybody confirm? even upgrade to 500MHz is good. there is no official lupgrade option in the datasheet
but since MDOs had BW upgrade I though DPO4000B probably have it too

Have you tried it? It’s as simple as running gen.py with the right options to create the option key.
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 986
  • Country: ca
Re: Someone has hacked MDO4000C?
« Reply #42 on: September 28, 2020, 12:04:59 pm »
I don’t have a 4000B, but I believe so.

I have a recollection that some 4000Bs can be liberated to 1GHz if they have the right hardware.

can anybody confirm? even upgrade to 500MHz is good. there is no official lupgrade option in the datasheet
but since MDOs had BW upgrade I though DPO4000B probably have it too

Have you tried it? It’s as simple as running gen.py with the right options to create the option key.

no I dont have the equipment. I have the opportunity to buy a 100MHz version for a good price
but I only want to do it if the BW upgrade is possible
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5411
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #43 on: September 28, 2020, 12:26:24 pm »
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 986
  • Country: ca
Re: Someone has hacked MDO4000C?
« Reply #44 on: September 28, 2020, 12:38:22 pm »
There’s a semi cryptic note here

https://www.eevblog.com/forum/testgear/mdo3000-hacking/msg1603087/#msg1603087 Post 141

umm...yeah. that's for MDO4000B though but I guess they are very similar to DPO4kB at least they dont have official BW upgrade option in their datasheet just like DPO4kB.
But I wonder what he meant because I cannot find that method he is talking about
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5411
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #45 on: September 28, 2020, 12:50:08 pm »
There’s a semi cryptic note here

https://www.eevblog.com/forum/testgear/mdo3000-hacking/msg1603087/#msg1603087 Post 141

umm...yeah. that's for MDO4000B though but I guess they are very similar to DPO4kB at least they dont have official BW upgrade option in their datasheet just like DPO4kB.
But I wonder what he meant because I cannot find that method he is talking about

Sorry, my bad!
 

Offline syau

  • Frequent Contributor
  • **
  • Posts: 369
  • Country: hk
Re: Someone has hacked MDO4000C?
« Reply #46 on: October 30, 2020, 10:02:17 am »
I finally received the DPO4104, it has self test errors (see another thread on Repair section) but the scope seems to work pretty ok. so far I have not been able to find out what problem those errors cause

However, I want to enable the options and I had read all the MDO and DPO 3000/4000B/4000C hacking threads. Now that I have got the scope
I can see none of those methods and techniques are applicable really  :palm: |O

Let's say I generate the key with python script, then what? There is no place in this scope to enter any key  :palm: |O
Let's say I use the module programming, then what? there is no place to "transfer" the license to the scope  :palm: |O
so, unless there is a way to program a module (with a new larger EEPROM) with several options (similar to TDS3000) then I cannot see how these scopes can be hacked really.

Is there any way to do it through the SCPI commands? Telnet?

Wonder if you managed to enter the option code, I just scored a MDO4K and found no way to enter the option key  :palm:
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5411
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #47 on: October 30, 2020, 03:05:26 pm »
I finally received the DPO4104, it has self test errors (see another thread on Repair section) but the scope seems to work pretty ok. so far I have not been able to find out what problem those errors cause

However, I want to enable the options and I had read all the MDO and DPO 3000/4000B/4000C hacking threads. Now that I have got the scope
I can see none of those methods and techniques are applicable really  :palm: |O

Let's say I generate the key with python script, then what? There is no place in this scope to enter any key  :palm: |O
Let's say I use the module programming, then what? there is no place to "transfer" the license to the scope  :palm: |O
so, unless there is a way to program a module (with a new larger EEPROM) with several options (similar to TDS3000) then I cannot see how these scopes can be hacked really.

Is there any way to do it through the SCPI commands? Telnet?

Wonder if you managed to enter the option code, I just scored a MDO4K and found no way to enter the option key  :palm:

On my MDO4000C, it's Utility -> Utility Page: Config -> Manage Modules & Options -> Install Option.

It's a little easier to key in if you have a USB keyboard handy that you can attach.
 

Offline syau

  • Frequent Contributor
  • **
  • Posts: 369
  • Country: hk
Re: Someone has hacked MDO4000C?
« Reply #48 on: October 30, 2020, 11:47:05 pm »
On my MDO4000C, it's Utility -> Utility Page: Config -> Manage Modules & Options -> Install Option.

It's a little easier to key in if you have a USB keyboard handy that you can attach.

I am using a MDO4104-6, on the Install Option page, I can’t find any way for me to enter the key  :-//
1100642-0
1100646-1
« Last Edit: October 31, 2020, 10:05:31 am by syau »
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5411
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #49 on: October 31, 2020, 08:10:18 pm »
On my MDO4000C, it's Utility -> Utility Page: Config -> Manage Modules & Options -> Install Option.

It's a little easier to key in if you have a USB keyboard handy that you can attach.

I am using a MDO4104-6, on the Install Option page, I can’t find any way for me to enter the key  :-//
(Attachment Link)
(Attachment Link)

Here is my MDO4000C.

I am wondering if the firmware needs updating?


« Last Edit: October 31, 2020, 08:12:15 pm by Howardlong »
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf