Author Topic: Someone has hacked MDO4000C?  (Read 23670 times)

0 Members and 8 Guests are viewing this topic.

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: Someone has hacked MDO4000C?
« Reply #75 on: February 18, 2021, 06:27:19 pm »
i dont have a MDO4000/B/C but just out of curiosity, what can happen if you send the scope for calibration after unlocking the BW and options? either to Tek or to another reputable cal lab? it seems everybody is only stuck at this point step.

also what if you dont upgrade the BW and just unlock the options and send it for routine calibration? has anybody tried that?

if I understood correctly in these scopes the options are unlocked by license keys, so unlike for example keysight 3000 which requires patching the FW, what would be the problem of sending it for calibration?

The problem is this: the missing data is not linked to a calibration, but to what Tek calls an 'automated factory adjustment', which is the 'calibration' the instrument goes through once in its life, just before leaving the production lines.
This procedure is only known to Tek. LeCroy has exactly the same, named CalSoft, and no one else on Earth is able to do that 'factory adjustment'.
Those adjustment constants and curves are BW-specific, so there are 4 tables on the MDO4000C (200, 350, 500MHz, and 1GHz), but only the table for the 'original' BW is populated. Some models indeed require a h/w upgrade, but even those that don't, need the corresponding table to be filled to work properly (or at least to not display these error messages).

As for the options, while Tek may not have a view on all the options that are available as option modules, BW upgrades systematically require servicing at Tek (for the MDO4000C), so they will reset the scope to the bandwidth that is in their records, period. No doubt about this !

And it's exactly the same for BW upgrades that are 'user installable', like on the MDO3K. Those are sold per device, the key is generated on demand, so Tek knows exactly what BW has been paid for. This happens on a regular basis, and I know people who faced this, believing Tek wouldn't know... they got their '500MHz-pimped' MDO3014 back, calibrated... but at 100Mhz.   :-DD
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 986
  • Country: ca
Re: Someone has hacked MDO4000C?
« Reply #76 on: February 18, 2021, 09:00:27 pm »

The problem is this: the missing data is not linked to a calibration, but to what Tek calls an 'automated factory adjustment', which is the 'calibration' the instrument goes through once in its life, just before leaving the production lines.
This procedure is only known to Tek. LeCroy has exactly the same, named CalSoft, and no one else on Earth is able to do that 'factory adjustment'.
Those adjustment constants and curves are BW-specific, so there are 4 tables on the MDO4000C (200, 350, 500MHz, and 1GHz), but only the table for the 'original' BW is populated. Some models indeed require a h/w upgrade, but even those that don't, need the corresponding table to be filled to work properly (or at least to not display these error messages).

So what is different when you just send the unit for calibration to a Cal lab, either Tek or others? I mean, let's say you send it in for traceable calibration, and it will come back calibrated, what is the difference with that 'automated factory adjustment'? as far as I know calibration of all these modern scopes is automated anyways.


As for the options, while Tek may not have a view on all the options that are available as option modules, BW upgrades systematically require servicing at Tek (for the MDO4000C), so they will reset the scope to the bandwidth that is in their records, period. No doubt about this !

Ah, ok, that makes sense. Good that at least they are not sending their lawyers instead of the scope  :-DD


And it's exactly the same for BW upgrades that are 'user installable', like on the MDO3K. Those are sold per device, the key is generated on demand, so Tek knows exactly what BW has been paid for. This happens on a regular basis, and I know people who faced this, believing Tek wouldn't know... they got their '500MHz-pimped' MDO3014 back, calibrated... but at 100Mhz.   :-DD

Oh, that's good to know  :(
Again it's good that at least they send the scope back and not call the cops  :-DD

but still I am not sure about sending the scope to other calibration labs. I think there are plenty of them that have the ability to calibrate these MDO3K or MDO4K, no?

 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: Someone has hacked MDO4000C?
« Reply #77 on: February 19, 2021, 06:12:17 am »
but still I am not sure about sending the scope to other calibration labs. I think there are plenty of them that have the ability to calibrate these MDO3K or MDO4K, no?

I contacted two labs (i.e. not related to Tek), and both answered negatively... I'm relatively sure for Tek, but 100% sure for LeCroy, their CalSoft calibration bench (the one that generates the files in the hidden d:\calibration directory) is NOT available to external labs... I'm not sure how the procedure looks like for external labs, but it's NOT the factory calibration. And as from the (few) information I got from Tek and these 2 labs, it's exactly the same for Tek.

Now, I don't say it's impossible, maybe it's just a matter of performing a (normal) calibration with the manufacturing mode enabled (although that sounds pretty trivial). Or maybe these labs (and myself) were wrong, I don't know...

As for the lawyers/cops... don't forget (in most countries at least, no clue for the US) that it's their problem to prove that you did the cheating (i.e. that it wasn't hacked before you bought it), which is far from granted... secondly, when you buy a scope from Ebay (as an example), you're NOT in a contractual relation with Tek, etc... so while Tek is not known to have much humor when it comes to their licences, the risk is fairly low for an 'amateur' (/hobbyist) to get in trouble...
« Last Edit: February 22, 2021, 12:56:11 pm by darkstar49 »
 
The following users thanked this post: analogRF

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 986
  • Country: ca
Re: Someone has hacked MDO4000C?
« Reply #78 on: March 07, 2021, 01:08:12 am »
does it make any difference if one uses e.g. BW2T54 instead of using 500MHz for bandwidth upgrade? I mean for MDO4000C.

I dont have the scope but since the upgrade has not worked as expected, i thought maybe using the other option might work differently

in the datasheet the official upgrade option that must be ordered is MDO4BW2T54-SA but I see there is no BW2T54-SA in the option.py script
 

Offline salviador

  • Regular Contributor
  • *
  • Posts: 106
  • Country: it
    • https://www.youtube.com/user/mancio92M
Re: Someone has hacked MDO4000C?
« Reply #79 on: May 17, 2021, 12:41:12 pm »
have anyone ever tried on the tek4 series, news about it?
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5411
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #80 on: May 19, 2021, 08:01:24 am »
does it make any difference if one uses e.g. BW2T54 instead of using 500MHz for bandwidth upgrade? I mean for MDO4000C.

On the MDO4054C-SA6 I have, liberating it to 1GHz BW with an option key introduces some relatively minor vertical offsets, and the red banner "WARNiNG: This oscilloscope is not compensated". Running an SPC fails. Reverting back to 500MHz, those minor offsets disappear again, as does the red banner warning.

When I add or remove options, I still use 500MHz even though it's a 500MHz factory unit. When opening up to 1GHz, I include both 500MHz and BW5T10 options.

On the other side of the coin, on the MDO3014, liberating it to 500MHz with an option key seems to be seamless.

Of course, this is purely anecdotal, although my understanding is that the MDO3000 & MDO4000C share some similarities.
« Last Edit: May 19, 2021, 08:12:04 am by Howardlong »
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5411
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #81 on: July 19, 2021, 12:12:31 pm »
FWIW, I discovered over the weekend that at least some bandwidth upgrades on the MDO4000C are now discontinued.

e.g., MDO4BW5T104-SA 500MHz to 1GHz w/SA.
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 5411
  • Country: gb
Re: Someone has hacked MDO4000C?
« Reply #82 on: July 28, 2021, 06:44:07 pm »
Here's a .vbs I use to remove the red banner.

Set your target IP address appropriately.

Sometimes I have to run it a couple of times if the toggle settings aren't in the expected state: it does nothing more than automatically push front panel buttons and turn knobs programmatically.

Code: [Select]
set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.run("telnet.exe 192.168.50.139 4000")
WScript.Sleep 500

WshShell.SendKeys":PASSW TRESPASS"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys":DEV:MOD 1"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50

WshShell.SendKeys"FPA:PRESS MENU0"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:PRESS MENU0"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:PRESS MENU0"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:PRESS MENU0"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:PRESS MENU0"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:PRESS MENU0"
WshShell.SendKeys("{Enter}")
WScript.Sleep 250
WshShell.SendKeys"FPA:PRESS UTIL"
WshShell.SendKeys("{Enter}")
WScript.Sleep 250

WshShell.SendKeys"FPA:PRESS BMENU1"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:TURN GPKNOB1,10"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:TURN GPKNOB1,-5"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:PRESS BMENU7"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:PRESS RMENU1"
WshShell.SendKeys("{Enter}")
WScript.Sleep 250

WshShell.SendKeys":DEV:MOD 0"
WshShell.SendKeys("{Enter}")
WScript.Sleep 250

WshShell.SendKeys":PASSW INTEKRITY"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys":MFG:MOD 1"
WshShell.SendKeys("{Enter}")
WScript.Sleep 500
WshShell.SendKeys":MFG:MOD 0"
WshShell.SendKeys("{Enter}")
WScript.Sleep 500

WshShell.SendKeys(chr(29))
WshShell.SendKeys"qui"
WshShell.SendKeys("{Enter}")

 

Offline darkstar49

  • Frequent Contributor
  • **
  • Posts: 309
Re: Someone has hacked MDO4000C?
« Reply #83 on: July 30, 2021, 04:03:25 pm »
FWIW, I discovered over the weekend that at least some bandwidth upgrades on the MDO4000C are now discontinued.

e.g., MDO4BW5T104-SA 500MHz to 1GHz w/SA.

What's the difference between discontinued, and selling these options at prices higher then an MDO4104C-SA6 at many brokers ?   :wtf:
(might not be totally true in your case, but definitely for my MDO4024C-SA6)
« Last Edit: July 30, 2021, 04:05:40 pm by darkstar49 »
 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 986
  • Country: ca
Re: Someone has hacked MDO4000C?
« Reply #84 on: September 08, 2023, 03:58:09 pm »
I have a MDO4034C which I would like to upgrade to 500MHz.
But in the python scripts there is one BW3T5 option with two different masks and one is for 300MHz to 500MHz
and the other is for 350MHz to 500MHz. Obviously for MDO4000C it has to be 350MHz to 500MHz
but both of them are named BW3T5. If i generate the key and then validate it, it says 300 to 500.

So I am wondering which mask (0x40000 or 0x20000) works for 350M to 500M on MDO4000C?

my other question is that is this going to cause the same RED warning message about calibration that Hwardlong experienced with BW5T10?

 

Offline analogRF

  • Frequent Contributor
  • **
  • Posts: 986
  • Country: ca
Re: Someone has hacked MDO4000C?
« Reply #85 on: September 09, 2023, 11:06:03 am »
I tried both masks and although after reboot the scope reports MDO4BW3T54 is installed but the Bandwidth still shows 350MHz and also measures about 420MHz as it was before the install  :( :( :-//
this is how I did it
python gen.py MDO4034C C0xxxxxx 350MHz BW3T5 MSO AFG DVM

then in the option.py once I set the mask to 0x20000 and the next time I set it to 0x40000

I cannot upgrade to 500MHz even though the option gets installed  :-//
 

Offline yuxiaohupda

  • Newbie
  • Posts: 1
  • Country: cn
Re: Someone has hacked MDO4000C?
« Reply #86 on: January 01, 2024, 05:18:44 am »
I have a MDO4054C and I want to install some applications.
Can't open 0bin.net. Would anyone like to paste the full code file here?
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf