Hacking the Rigol DHO800/900 Scope

[Mechatrommer]

In your screenshot the memory depth is only 10M.

thats for each channel. 4 channes active consume 40M total, that proves enough 50M is activated. stock unit you'll have abysmal like 1M/ch if all channels active. he can fullfill your wish by showing 1ch only active and show 50Mpts above there.

[Fungus]

In your screenshot the memory depth is only 10M.

10M per channel.

I posted that because the unhacked DHO800 only does 1M per channel with four channels on.

[Fungus]

Bottom line: The extra memory in the DHO900 is a mystery.

They could be fake chips for all we know.

[gabiz_ro]

Any dumps of 25Q128 of Xilinx Zynq available?
Most wanted from models with three RAM chips.

[AndyBig]

In your screenshot the memory depth is only 10M.

thats for each channel. 4 channes active consume 40M total, that proves enough 50M is activated. stock unit you'll have abysmal like 1M/ch if all channels active. he can fullfill your wish by showing 1ch only active and show 50Mpts above there.

Do you have a 900 series oscilloscope? Or the 800th hacked to 900?
It will be interesting to see what the real 900 will show when, for example, one analog channel and one logic analyzer channel are active.

[AndyBig]

Any dumps of 25Q128 of Xilinx Zynq available?
Most wanted from models with three RAM chips.

The FPGA firmware file is located in the update archive - BOOT.bin and BOOT_SelfTest.bin, each 3631368 bytes in size. Most likely they are written unchanged in 25Q128.

[Aleksandr]

Any dumps of 25Q128 of Xilinx Zynq available?
Most wanted from models with three RAM chips.

The FPGA firmware file is located in the update archive - BOOT.bin and BOOT_SelfTest.bin, each 3631368 bytes in size. Most likely they are written unchanged in 25Q128.

This may be the main idea of ​​​​using a 25 series initialization flash drive. It stores the initial initialization of the FPGA and it is in it that the presence of additional RAM memory is registered!! And the external update and firmware file that is stored in the Android OS only fills the program execution area and not the configuration of the FPGA and its modules!!! Anyone who works with FPGAs knows that when the FPGA starts, the initial configuration of the module DDR is loaded from external memory flash series 25Q128. Maybe I'm wrong, but this could be with 80% probability. And to put an end to this issue, it is necessary to compare the contents of the 25 series memory in the 900 and 800 oscilloscopes.

[maxspb69]

The initial FPGA configuration can be loaded in different ways. There is a more interesting question: why ZYNC? How do they use the CPU core? The fact is that the hardware DDR3 controller is connected only to the processor, not to the FPGA part. The other two DRAM chips apparently use a DDR3 “soft”-controller implemented  in FPGA part. Why the hell is ZYNC even in this circuit? Most likely because it is an old and very cheap chip. Because it is the only-FPGA  chip that is needed here, not the CPU or SOC.

[Mechatrommer]

Do you have a 900 series oscilloscope? Or the 800th hacked to 900?

you can search my posts...

[ebastler]

This may be the main idea of ​​​​using a 25 series initialization flash drive. It stores the initial initialization of the FPGA and it is in it that the presence of additional RAM memory is registered!! And the external update and firmware file that is stored in the Android OS only fills the program execution area and not the configuration of the FPGA and its modules!!! Anyone who works with FPGAs knows that when the FPGA starts, the initial configuration of the module DDR is loaded from external memory flash series 25Q128. Maybe I'm wrong, but this could be with 80% probability. And to put an end to this issue, it is necessary to compare the contents of the 25 series memory in the 900 and 800 oscilloscopes.

No, that seems unlikely. The .GEL firmware update file is a compressed archive. In one of its sub-folders, it contains two complete FPGA configuration files (for regular operation and selftest). So these files are updated too during a firmware update. And the DHO800 and 900 models share the exact same FPGA configuration file.

[Aleksandr]

Then it turns out that this configuration flash drive is rewritten every time the power is turned on?And if the RAM is connected to a slow interface, then it may simply store additional points for the generator, for example, points of an arbitrary curve. Or this is all a commercial move by Rigol!

[ebastler]

Then it turns out that this configuration flash drive is rewritten every time the power is turned on?

No, that's not what I meant to say. When you install a firmware update, the new FPGA configuration is copied once from the USB stick (or the online download) into the configuration flash. And then, of course, it is copied from the flash into to FPGA every time the scope boots.

And if the RAM is connected to a slow interface, then it may simply store additional points for the generator, for example, points of an arbitrary curve.

That's what nobody knows...

[shapirus]

When you install a firmware update, the new FPGA configuration is copied once from the USB stick (or the online download) into the configuration flash. And then, of course, it is copied from the flash into to FPGA every time the scope boots.

Do you mean the internal SD card by "flash"?

Related question: is the SD card the only storage that contains all the scope-specific data? In other words, will backing up the SD card (byte-for-byte raw image copy) and later restoring it after doing any kind of changes restore the original condition of the scope?

[Randy222]

Some comments for last few posts.

I think we covered storage devices already in this thread. I can go back onto my 804 later and list out the storage devices. Putting all the OS on sd card is not a good idea, so hopefully it's not there.

2nd, I see some noted the FPGA bin is same for 800-900, but that alone does not mean much. bin code can use dynamic functions (good coding), like "what ram can I access?". So, same code, different addressabe memory devices possible depending what's on the m-board.

[ebastler]

Do you mean the internal SD card by "flash"?

No, I was referring to the 25Q128 serial flash, right next to the FPGA.

Related question: is the SD card the only storage that contains all the scope-specific data? In other words, will backing up the SD card (byte-for-byte raw image copy) and later restoring it after doing any kind of changes restore the original condition of the scope?

There is also the 25Q128 with the FPGA config, and there is an FRAM chip which contains a copy of the key.data file, the most recent scope state, and probably calibration data. (Not sure about the latter -- maybe these are written to the SD card?)

[ebastler]

Putting all the OS on sd card is not a good idea, so hopefully it's not there.

Where else would it be?

2nd, I see some noted the FPGA bin is same for 800-900, but that alone does not mean much. bin code can use dynamic functions (good coding), like "what ram can I access?". So, same code, different addressabe memory devices possible depending what's on the m-board.

Of course. There obviously are various differences between the 800 and 900 hardware, where the CPU and the FPGA need to decide "dynamically" what to do. These decisions may be based on the vendor.bin entry and/or on querying the actual hardware. I just wanted to correct Aleksandr's assumption that different FPGA configurations, stored in the 25Q128, are encoding the model differences.

[empeka]

Do you have a 900 series oscilloscope? Or the 800th hacked to 900?
It will be interesting to see what the real 900 will show when, for example, one analog channel and one logic analyzer channel are active.

I have dho914 modded to 924 and it does 10M with 4 channels active.
Don't have the LA probe, but if anyone could tell me how to trick device into thinking it has one attached, i could test 1ch + LA configuration

[Randy222]

Do you have a 900 series oscilloscope? Or the 800th hacked to 900?
It will be interesting to see what the real 900 will show when, for example, one analog channel and one logic analyzer channel are active.

I have dho914 modded to 924 and it does 10M with 4 channels active.
Don't have the LA probe, but if anyone could tell me how to trick device into thinking it has one attached, i could test 1ch + LA configuration

I am trying to catch up on 10M part.
Mod'd, and the display says "10Mpts" with 4ch active, but does the scope actually do it?
Maybe that question is more relative to an 800 series mod'd up to 900 series?
 

[Fungus]

I am trying to catch up on 10M part.
Mod'd, and the display says "10Mpts" with 4ch active, but does the scope actually do it?

YES!

[AceyTech]

I have dho914 modded to 924 and it does 10M with 4 channels active.
Don't have the LA probe, but if anyone could tell me how to trick device into thinking it has one attached, i could test 1ch + LA configuration

Short the "probe connected" pin to it's corresponding GND. (use a 2-pin shorting jumper)  If memory serves it's pin 1

EDIT: confirmed.  Jumper covering rightmost 2 pins in a vertical manner. See this post for more info

[AceyTech]

The initial FPGA configuration can be loaded in different ways. There is a more interesting question: why ZYNC? How do they use the CPU core? The fact is that the hardware DDR3 controller is connected only to the processor, not to the FPGA part. The other two DRAM chips apparently use a DDR3 “soft”-controller implemented  in FPGA part. Why the hell is ZYNC even in this circuit? Most likely because it is an old and very cheap chip. Because it is the only-FPGA  chip that is needed here, not the CPU or SOC.

Why ZYNC FPGA?
Here's a theory in question form:  Can you implement PCIe in a FPGA without using a CPU core?

EDIT: Hey, while you FPGA peeps are paying attn:  Do any of you know how many PCIe lanes Rigol are using in the 800/900?  All four appear to be routed between SoC and FPGA, --and that's smart-- but that's a ton of B/W, and i'm curious if we could utilize a lane for something else.

[AceyTech]

Why ZYNC FPGA?
Here's a theory in question form:  Can you implement PCIe in a FPGA without using a CPU?

Where would PCIe be used in the scope?

Between the RK3399 and ZYNC FPGA.

[empeka]

Short the "probe connected" pin to it's corresponding GND. (use a 2-pin shorting jumper)  If memory serves it's pin 1

Thanks!
So for 914/924 it's:

50M	1ch	-	-
25M	2ch	1ch+LA	-
10M	3ch	4ch	2ch+LA
1M	3ch+LA	4ch+LA	-

[maxspb69]

Why ZYNC FPGA?
Here's a theory in question form:  Can you implement PCIe in a FPGA without using a CPU core?

Of course, this can be done. There are no difficulties with such implementations.
FPGA is enough for PСIe and there are ready-made IP blocks for this...

[Randy222]

Depth of my 804 running as 914 with option lics

Sequence the ch's 1-4 on, set 1 to 50M
1 50
2 25
3 10
4 10

Is that 95M total?



Individual ch's
1 up to 50
2 up to 25
3 up to 25
4 up to 25

Why 2-3-4 can't do 50M on their own ?

Also to note, if the scope is in STOP state, the auto-down on mem depth does not change until you put scope into RUN. That's odd way of doing things. Don't you want to know your actual mem depth setting before the scope goes to RUN?