Someone has hacked MDO4000C?

[darkstar49]

i dont have a MDO4000/B/C but just out of curiosity, what can happen if you send the scope for calibration after unlocking the BW and options? either to Tek or to another reputable cal lab? it seems everybody is only stuck at this point step.

also what if you dont upgrade the BW and just unlock the options and send it for routine calibration? has anybody tried that?

if I understood correctly in these scopes the options are unlocked by license keys, so unlike for example keysight 3000 which requires patching the FW, what would be the problem of sending it for calibration?

The problem is this: the missing data is not linked to a calibration, but to what Tek calls an 'automated factory adjustment', which is the 'calibration' the instrument goes through once in its life, just before leaving the production lines.
This procedure is only known to Tek. LeCroy has exactly the same, named CalSoft, and no one else on Earth is able to do that 'factory adjustment'.
Those adjustment constants and curves are BW-specific, so there are 4 tables on the MDO4000C (200, 350, 500MHz, and 1GHz), but only the table for the 'original' BW is populated. Some models indeed require a h/w upgrade, but even those that don't, need the corresponding table to be filled to work properly (or at least to not display these error messages).

As for the options, while Tek may not have a view on all the options that are available as option modules, BW upgrades systematically require servicing at Tek (for the MDO4000C), so they will reset the scope to the bandwidth that is in their records, period. No doubt about this !

And it's exactly the same for BW upgrades that are 'user installable', like on the MDO3K. Those are sold per device, the key is generated on demand, so Tek knows exactly what BW has been paid for. This happens on a regular basis, and I know people who faced this, believing Tek wouldn't know... they got their '500MHz-pimped' MDO3014 back, calibrated... but at 100Mhz.   

[analogRF]

The problem is this: the missing data is not linked to a calibration, but to what Tek calls an 'automated factory adjustment', which is the 'calibration' the instrument goes through once in its life, just before leaving the production lines.
This procedure is only known to Tek. LeCroy has exactly the same, named CalSoft, and no one else on Earth is able to do that 'factory adjustment'.
Those adjustment constants and curves are BW-specific, so there are 4 tables on the MDO4000C (200, 350, 500MHz, and 1GHz), but only the table for the 'original' BW is populated. Some models indeed require a h/w upgrade, but even those that don't, need the corresponding table to be filled to work properly (or at least to not display these error messages).

So what is different when you just send the unit for calibration to a Cal lab, either Tek or others? I mean, let's say you send it in for traceable calibration, and it will come back calibrated, what is the difference with that 'automated factory adjustment'? as far as I know calibration of all these modern scopes is automated anyways.

As for the options, while Tek may not have a view on all the options that are available as option modules, BW upgrades systematically require servicing at Tek (for the MDO4000C), so they will reset the scope to the bandwidth that is in their records, period. No doubt about this !

Ah, ok, that makes sense. Good that at least they are not sending their lawyers instead of the scope 

And it's exactly the same for BW upgrades that are 'user installable', like on the MDO3K. Those are sold per device, the key is generated on demand, so Tek knows exactly what BW has been paid for. This happens on a regular basis, and I know people who faced this, believing Tek wouldn't know... they got their '500MHz-pimped' MDO3014 back, calibrated... but at 100Mhz.   

Oh, that's good to know 
Again it's good that at least they send the scope back and not call the cops 

but still I am not sure about sending the scope to other calibration labs. I think there are plenty of them that have the ability to calibrate these MDO3K or MDO4K, no?

[darkstar49]

but still I am not sure about sending the scope to other calibration labs. I think there are plenty of them that have the ability to calibrate these MDO3K or MDO4K, no?

I contacted two labs (i.e. not related to Tek), and both answered negatively... I'm relatively sure for Tek, but 100% sure for LeCroy, their CalSoft calibration bench (the one that generates the files in the hidden d:\calibration directory) is NOT available to external labs... I'm not sure how the procedure looks like for external labs, but it's NOT the factory calibration. And as from the (few) information I got from Tek and these 2 labs, it's exactly the same for Tek.

Now, I don't say it's impossible, maybe it's just a matter of performing a (normal) calibration with the manufacturing mode enabled (although that sounds pretty trivial). Or maybe these labs (and myself) were wrong, I don't know...

As for the lawyers/cops... don't forget (in most countries at least, no clue for the US) that it's their problem to prove that you did the cheating (i.e. that it wasn't hacked before you bought it), which is far from granted... secondly, when you buy a scope from Ebay (as an example), you're NOT in a contractual relation with Tek, etc... so while Tek is not known to have much humor when it comes to their licences, the risk is fairly low for an 'amateur' (/hobbyist) to get in trouble...

[analogRF]

does it make any difference if one uses e.g. BW2T54 instead of using 500MHz for bandwidth upgrade? I mean for MDO4000C.

I dont have the scope but since the upgrade has not worked as expected, i thought maybe using the other option might work differently

in the datasheet the official upgrade option that must be ordered is MDO4BW2T54-SA but I see there is no BW2T54-SA in the option.py script

[salviador]

have anyone ever tried on the tek4 series, news about it?

[Howardlong]

does it make any difference if one uses e.g. BW2T54 instead of using 500MHz for bandwidth upgrade? I mean for MDO4000C.

On the MDO4054C-SA6 I have, liberating it to 1GHz BW with an option key introduces some relatively minor vertical offsets, and the red banner "WARNiNG: This oscilloscope is not compensated". Running an SPC fails. Reverting back to 500MHz, those minor offsets disappear again, as does the red banner warning.

When I add or remove options, I still use 500MHz even though it's a 500MHz factory unit. When opening up to 1GHz, I include both 500MHz and BW5T10 options.

On the other side of the coin, on the MDO3014, liberating it to 500MHz with an option key seems to be seamless.

Of course, this is purely anecdotal, although my understanding is that the MDO3000 & MDO4000C share some similarities.

[Howardlong]

FWIW, I discovered over the weekend that at least some bandwidth upgrades on the MDO4000C are now discontinued.

e.g., MDO4BW5T104-SA 500MHz to 1GHz w/SA.

[Howardlong]

Here's a .vbs I use to remove the red banner.

Set your target IP address appropriately.

Sometimes I have to run it a couple of times if the toggle settings aren't in the expected state: it does nothing more than automatically push front panel buttons and turn knobs programmatically.

Code: [Select]

set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.run("telnet.exe 192.168.50.139 4000")
WScript.Sleep 500

WshShell.SendKeys":PASSW TRESPASS"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys":DEV:MOD 1"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50

WshShell.SendKeys"FPA:PRESS MENU0"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:PRESS MENU0"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:PRESS MENU0"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:PRESS MENU0"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:PRESS MENU0"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:PRESS MENU0"
WshShell.SendKeys("{Enter}")
WScript.Sleep 250
WshShell.SendKeys"FPA:PRESS UTIL"
WshShell.SendKeys("{Enter}")
WScript.Sleep 250

WshShell.SendKeys"FPA:PRESS BMENU1"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:TURN GPKNOB1,10"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:TURN GPKNOB1,-5"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:PRESS BMENU7"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys"FPA:PRESS RMENU1"
WshShell.SendKeys("{Enter}")
WScript.Sleep 250

WshShell.SendKeys":DEV:MOD 0"
WshShell.SendKeys("{Enter}")
WScript.Sleep 250

WshShell.SendKeys":PASSW INTEKRITY"
WshShell.SendKeys("{Enter}")
WScript.Sleep 50
WshShell.SendKeys":MFG:MOD 1"
WshShell.SendKeys("{Enter}")
WScript.Sleep 500
WshShell.SendKeys":MFG:MOD 0"
WshShell.SendKeys("{Enter}")
WScript.Sleep 500

WshShell.SendKeys(chr(29))
WshShell.SendKeys"qui"
WshShell.SendKeys("{Enter}")



[darkstar49]

FWIW, I discovered over the weekend that at least some bandwidth upgrades on the MDO4000C are now discontinued.

e.g., MDO4BW5T104-SA 500MHz to 1GHz w/SA.

What's the difference between discontinued, and selling these options at prices higher then an MDO4104C-SA6 at many brokers ?   
(might not be totally true in your case, but definitely for my MDO4024C-SA6)

[analogRF]

I have a MDO4034C which I would like to upgrade to 500MHz.
But in the python scripts there is one BW3T5 option with two different masks and one is for 300MHz to 500MHz
and the other is for 350MHz to 500MHz. Obviously for MDO4000C it has to be 350MHz to 500MHz
but both of them are named BW3T5. If i generate the key and then validate it, it says 300 to 500.

So I am wondering which mask (0x40000 or 0x20000) works for 350M to 500M on MDO4000C?

my other question is that is this going to cause the same RED warning message about calibration that Hwardlong experienced with BW5T10?

[analogRF]

I tried both masks and although after reboot the scope reports MDO4BW3T54 is installed but the Bandwidth still shows 350MHz and also measures about 420MHz as it was before the install 
this is how I did it
python gen.py MDO4034C C0xxxxxx 350MHz BW3T5 MSO AFG DVM

then in the option.py once I set the mask to 0x20000 and the next time I set it to 0x40000

I cannot upgrade to 500MHz even though the option gets installed 

[yuxiaohupda]

I have a MDO4054C and I want to install some applications.
Can't open 0bin.net. Would anyone like to paste the full code file here?