Someone has hacked MDO4000C?

[Howardlong]

Thank you so much @Howardlong. That is super helpful.

So you made a small hardware device that runs your codes.. that is super cool!

Do you remember what python versions you are running to make it run? Operating system/python version/crypto version? (Edit: I see now there are links in the "link" on versions.. but probably still a good questions to ask)

So you would pay 2k to get rid of the red banner?   (Edit: A man with similar OCD as myself??)

Many thanks and happy holidays..

Python version was 2.7x but they seem to have the crypto included in some distros, certainly the one a did a few moths ago included it.

Regarding the 2k to “remove the banner”, it’s probably as much to do with resale value as it is my own OCD!

[analogRF]

https://0bin.net/paste/tZYZ4Fs5rjqvAoza#+yNeuILPU-nQmgFvDixaTsFyVclm2Mnh2gr2Id/aSBL

so is it possible to enable options on DPO4000 series, too?

[analogRF]

https://0bin.net/paste/tZYZ4Fs5rjqvAoza#+yNeuILPU-nQmgFvDixaTsFyVclm2Mnh2gr2Id/aSBL

can someone confirm if this works for DPO4000 series (non -B or -C), please?

[tv84]

DPO4000 uses the same AES_key as DPO3000, so you can easily change the script to accommodate for it.

BTW:

dpo4kb_key = "\x2A\x62\x31\x9B\x7F\x06\x34\x2A\x90\x1F\x07\x64\x80\x6A\xDE\xC2"
mdo4kc_key= "\xC5\x6F\x22\xB2\x5E\x70\xF1\x30\xAF\x3E\xF3\x11\x88\x11\xBF\x1B"

Edit: If the mdo4kc_key in the python script is correct, then I must have something wrong in these 2 keys.

Maybe it's like this:

dpo4kb_key = FC A9 8B 9E EF FB 95 48 B1 ED F1 3A C4 09 83 75

[analogRF]

DPO4000 uses the same AES_key as DPO3000, so you can easily change the script to accommodate for it.

BTW:

dpo4kb_key = "\x2A\x62\x31\x9B\x7F\x06\x34\x2A\x90\x1F\x07\x64\x80\x6A\xDE\xC2"
mdo4kc_key= "\xC5\x6F\x22\xB2\x5E\x70\xF1\x30\xAF\x3E\xF3\x11\x88\x11\xBF\x1B"

I don't know any Python at all 
So is it enough just to add/change these two lines :

Code: [Select]

dpo4k_key = "\x9B\x31\x62\x2A\x2A\x34\x06\x7F\x64\x07\x1F\x90\xC2\xDE\x6A\x80" ---->>> same as DPO3000
:
:
:
keys = (("DPO4000", dpo4k_key),("MDO3000", mdo3k_key), ("DPO3000", dpo3k_key), ("MDO4000B", mdo4kb_key), ("MDO4000C", mdo4kc_key))

or other changes are also needed?

[darkstar49]

... or you get yourself a little option module (some cheap TDS3FFT / TRG), and reprogram it for the options you need, one by one, and transfer these to the scope (no DPO4BND for the non-B DPO4K...)

[analogRF]

... or you get yourself a little option module (some cheap TDS3FFT / TRG), and reprogram it for the options you need, one by one, and transfer these to the scope (no DPO4BND for the non-B DPO4K...)

i didnt know the same modules also fit DPO4000    Do they, really?

what if I change the EEPROM in the module to something bigger like 24C16 and put several options in it at the same time?
is it possible? Based on what I had read about TDS3UAM hack for TDS3000, it was possible. I dont have any of those modules for now..

I still prefer to get the Python code running but don't know what changes other than those I mentioned in the previous post are required

[analogRF]

DPO4000 uses the same AES_key as DPO3000, so you can easily change the script to accommodate for it.

BTW:

dpo4kb_key = "\x2A\x62\x31\x9B\x7F\x06\x34\x2A\x90\x1F\x07\x64\x80\x6A\xDE\xC2"
mdo4kc_key= "\xC5\x6F\x22\xB2\x5E\x70\xF1\x30\xAF\x3E\xF3\x11\x88\x11\xBF\x1B"

why the mdo4kc_key is different than what is in the script? was the script wrong?
i dont have that scope but just curious...

[tv84]

why the mdo4kc_key is different than what is in the script? was the script wrong?

I think mine is the correct (old) one. The "fake" in the code is definitely wrong.

I'm not sure that (new) key inside the python script is correct or maybe it's used in newer FWs. Only a MDO4000C owner can confirm this.

[tv84]

Code: [Select]

dpo4k_key = "\x9B\x31\x62\x2A\x2A\x34\x06\x7F\x64\x07\x1F\x90\xC2\xDE\x6A\x80" ---->>> same as DPO3000
:
:
:
keys = (("DPO4000", dpo4k_key),("MDO3000", mdo3k_key), ("DPO3000", dpo3k_key), ("MDO4000B", mdo4kb_key), ("MDO4000C", mdo4kc_key))

or other changes are also needed?

Correct. But simpler could be just rewrite this one:

Code: [Select]

keys = (("DPO4000", dpo3k_key), ("MDO3000", mdo3k_key), ("DPO3000", dpo3k_key), ("MDO4000B", mdo4kb_key), ("MDO4000C", mdo4kc_key))

[darkstar49]

... or you get yourself a little option module (some cheap TDS3FFT / TRG), and reprogram it for the options you need, one by one, and transfer these to the scope (no DPO4BND for the non-B DPO4K...)

i didnt know the same modules also fit DPO4000    Do they, really?

Yes, it's the same format... just that from the MDO onwards, the key was encrypted, but up to the DPO4000B, it was in clear text.
So for the DPO4000B, with DPO4BND, you're done, but for the DPO4000, you'd have to reprogram the module as many times as you want options. And no, you can't put more than one option in the module's eeprom (well, you could... but it wouldn't work, to my knowledge).

[analogRF]

I finally received the DPO4104, it has self test errors (see another thread on Repair section) but the scope seems to work pretty ok. so far I have not been able to find out what problem those errors cause

However, I want to enable the options and I had read all the MDO and DPO 3000/4000B/4000C hacking threads. Now that I have got the scope
I can see none of those methods and techniques are applicable really 

Let's say I generate the key with python script, then what? There is no place in this scope to enter any key 
Let's say I use the module programming, then what? there is no place to "transfer" the license to the scope 
so, unless there is a way to program a module (with a new larger EEPROM) with several options (similar to TDS3000) then I cannot see how these scopes can be hacked really.

Is there any way to do it through the SCPI commands? Telnet?

[darkstar49]

I finally received the DPO4104, it has self test errors (see another thread on Repair section) but the scope seems to work pretty ok. so far I have not been able to find out what problem those errors cause

However, I want to enable the options and I had read all the MDO and DPO 3000/4000B/4000C hacking threads. Now that I have got the scope
I can see none of those methods and techniques are applicable really 

Let's say I generate the key with python script, then what? There is no place in this scope to enter any key 
Let's say I use the module programming, then what? there is no place to "transfer" the license to the scope 
so, unless there is a way to program a module (with a new larger EEPROM) with several options (similar to TDS3000) then I cannot see how these scopes can be hacked really.

Is there any way to do it through the SCPI commands? Telnet?

having all options enabled in the TDS3000 is not a matter of having a larger eeprom, that works with the ‘engineering option’ TDS3ENG, a bit like the official option bundle DPO4BND (unfortunately not in the pre-B models). Not having the menu to transfer a module’s license into the scope is most probably a FW version issue (got 2.68 ?).

[analogRF]

Is the bandwidth on DPO4000B software upgradable? I dont mean to 1GHz but something like 350MHz to 500MHz or 100MHz to 350MHz

[Howardlong]

I don’t have a 4000B, but I believe so.

I have a recollection that some 4000Bs can be liberated to 1GHz if they have the right hardware.

[analogRF]

I don’t have a 4000B, but I believe so.

I have a recollection that some 4000Bs can be liberated to 1GHz if they have the right hardware.

can anybody confirm? even upgrade to 500MHz is good. there is no official lupgrade option in the datasheet
but since MDOs had BW upgrade I though DPO4000B probably have it too

[Howardlong]

I don’t have a 4000B, but I believe so.

I have a recollection that some 4000Bs can be liberated to 1GHz if they have the right hardware.

can anybody confirm? even upgrade to 500MHz is good. there is no official lupgrade option in the datasheet
but since MDOs had BW upgrade I though DPO4000B probably have it too

Have you tried it? It’s as simple as running gen.py with the right options to create the option key.

[analogRF]

I don’t have a 4000B, but I believe so.

I have a recollection that some 4000Bs can be liberated to 1GHz if they have the right hardware.

can anybody confirm? even upgrade to 500MHz is good. there is no official lupgrade option in the datasheet
but since MDOs had BW upgrade I though DPO4000B probably have it too

Have you tried it? It’s as simple as running gen.py with the right options to create the option key.

no I dont have the equipment. I have the opportunity to buy a 100MHz version for a good price
but I only want to do it if the BW upgrade is possible

[Howardlong]

There’s a semi cryptic note here

https://www.eevblog.com/forum/testgear/mdo3000-hacking/msg1603087/#msg1603087 Post 141

[analogRF]

There’s a semi cryptic note here

https://www.eevblog.com/forum/testgear/mdo3000-hacking/msg1603087/#msg1603087 Post 141

umm...yeah. that's for MDO4000B though but I guess they are very similar to DPO4kB at least they dont have official BW upgrade option in their datasheet just like DPO4kB.
But I wonder what he meant because I cannot find that method he is talking about

[Howardlong]

There’s a semi cryptic note here

https://www.eevblog.com/forum/testgear/mdo3000-hacking/msg1603087/#msg1603087 Post 141

umm...yeah. that's for MDO4000B though but I guess they are very similar to DPO4kB at least they dont have official BW upgrade option in their datasheet just like DPO4kB.
But I wonder what he meant because I cannot find that method he is talking about

Sorry, my bad!

[syau]

I finally received the DPO4104, it has self test errors (see another thread on Repair section) but the scope seems to work pretty ok. so far I have not been able to find out what problem those errors cause

However, I want to enable the options and I had read all the MDO and DPO 3000/4000B/4000C hacking threads. Now that I have got the scope
I can see none of those methods and techniques are applicable really 

Let's say I generate the key with python script, then what? There is no place in this scope to enter any key 
Let's say I use the module programming, then what? there is no place to "transfer" the license to the scope 
so, unless there is a way to program a module (with a new larger EEPROM) with several options (similar to TDS3000) then I cannot see how these scopes can be hacked really.

Is there any way to do it through the SCPI commands? Telnet?

Wonder if you managed to enter the option code, I just scored a MDO4K and found no way to enter the option key 

[Howardlong]

I finally received the DPO4104, it has self test errors (see another thread on Repair section) but the scope seems to work pretty ok. so far I have not been able to find out what problem those errors cause

However, I want to enable the options and I had read all the MDO and DPO 3000/4000B/4000C hacking threads. Now that I have got the scope
I can see none of those methods and techniques are applicable really 

Let's say I generate the key with python script, then what? There is no place in this scope to enter any key 
Let's say I use the module programming, then what? there is no place to "transfer" the license to the scope 
so, unless there is a way to program a module (with a new larger EEPROM) with several options (similar to TDS3000) then I cannot see how these scopes can be hacked really.

Is there any way to do it through the SCPI commands? Telnet?

Wonder if you managed to enter the option code, I just scored a MDO4K and found no way to enter the option key 

On my MDO4000C, it's Utility -> Utility Page: Config -> Manage Modules & Options -> Install Option.

It's a little easier to key in if you have a USB keyboard handy that you can attach.

[syau]

On my MDO4000C, it's Utility -> Utility Page: Config -> Manage Modules & Options -> Install Option.

It's a little easier to key in if you have a USB keyboard handy that you can attach.

I am using a MDO4104-6, on the Install Option page, I can’t find any way for me to enter the key 

[Howardlong]

On my MDO4000C, it's Utility -> Utility Page: Config -> Manage Modules & Options -> Install Option.

It's a little easier to key in if you have a USB keyboard handy that you can attach.

I am using a MDO4104-6, on the Install Option page, I can’t find any way for me to enter the key 
(Attachment Link)
(Attachment Link)

Here is my MDO4000C.

I am wondering if the firmware needs updating?