Author Topic: Hacking the Rigol DHO800/900 Scope  (Read 314063 times)


Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 391
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1900 on: March 02, 2024, 05:39:31 pm »
Check the other apps in priv-app, are they 644 and not 755? I forget, check it.
644, but I decided that 755 would be more reliable :)))

I'll write up a .sh to install the app,.................  uninstall app, create uid , echo into the xml, install app.  But not until mon or tue next week. something like "install.sh [uid] [apk]"
creates the uid, install app, fixes platform.xml, it will also check to see if the install is first time or a reinstall.
Great!

priv-app alone does not allow surface flinger for non-system uid. is there a fix just in manifest?
Well, at least this allows the application to take screenshots :) I completely removed the indication of the user from the manifest.

Also to note, we can do this perms thing only because it's an old version of droid, this feature has been deprecated, newer droid REQUIRES system uid to get at surface flinger.
It's good that Rigol made an oscilloscope on an old version of Android :)

That's not the point. The pub key is held in a trusted/protected area, just as they are when using keys auth for ssh, there's no private key on the system right, but it verifies only with a "trusted" pub key. The goal would be to find out how to add your pub key to the system keystore, and memory hacking is a way to do that. Once you can add your pub key to that protected keystore, then anything you sign with your private key will be trusted by the system.
I'm not sure that Android allows you to have more than one key, which it uses to check applications for compliance with the system level. And if we replace the only key that is used for this, then there is a possibility that the system, when booting, checks itself with the same key (the kernel is signed with the same private key) and the check will not pass with the replaced key.
But I'm not an Android expert, I could be wrong. These are just my thoughts.
 

Offline gabiz_ro

  • Regular Contributor
  • *
  • Posts: 114
  • Country: ro
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1901 on: March 02, 2024, 07:40:24 pm »
I think keystore is empty on scope.
There are a few keystore executables in /System/bin:
keystore, keystore_cli and keystore_cli_v2
Keys seem to be dev, so maybe adding more keys, or debug or release ones, could be accepted via keystore commands.
As an update to https://www.eevblog.com/forum/testgear/hacking-the-rigol-dho800900-scope/msg5355560/#msg5355560
Code: [Select]
KRNL 0x2400000  kernel
KRNL 0x3C00000  ramdisk (can be extracted with 7zip)
KRNL 0x5C00000  recovery (can be extracted with 7zip)
 
The following users thanked this post: AndyBig

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 391
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1902 on: March 03, 2024, 08:22:55 am »
Another drawback of the modified application was discovered - it is denied access to external storage, that is, to a USB flash drive. Because of this, the application gives an error when loading if the flash drive is plugged into USB. And you cannot save screenshots to a flash drive.
I looked at how the flash drive is mounted, the user root and group sdcard_rw are assigned to it.

It seems that moving the application to /system/priv-app does not solve all the issues. This gives access to the API, but does not give access to resources. I think that a possible solution could be the method suggested by @Randy222 - editing the platform.xml file.
« Last Edit: March 03, 2024, 08:29:39 am by AndyBig »
 
The following users thanked this post: RAPo

Offline shapirus

  • Super Contributor
  • ***
  • Posts: 1431
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1903 on: March 03, 2024, 10:02:33 am »
It seems that moving the application to /system/priv-app does not solve all the issues. This gives access to the API, but does not give access to resources. I think that a possible solution could be the method suggested by @Randy222 - editing the platform.xml file.
Try adding the user that the app runs under to the sdcard_rw group.

(not sure how it's even done on android)
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3226
  • Country: pt
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1904 on: March 03, 2024, 10:52:57 am »
Your RKey.data is also stored there and right after the individual options:
Code: [Select]
000001B0 13 09 00 00 | ED F6 FF FF | 04 00 00 00 | FC FF FF FF | 82 7F 61 DD | 70 08 00 03
000001C8 15 09 00 00 | EB F6 FF FF | 04 00 00 00 | FC FF FF FF | 14 4F 66 AA | 70 08 00 02
First word identifies the option Type (0x913 == RLU) followed by the complement word followed by length (4) then complemented
then the CRC32 of the following 4 bytes. The last '03' means that 3 attempts have been made for the RLU option.

Look here.

BTW, is anyone able to provide me (via pm) a copy of his FRAM dump so that I can parse it (using my MSO5000 FRAM tool) for you to see?
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1905 on: March 03, 2024, 12:59:21 pm »
Also to note, we can do this perms thing only because it's an old version of droid, this feature has been deprecated, newer droid REQUIRES system uid to get at surface flinger.
It's good that Rigol made an oscilloscope on an old version of Android :)

From the UART of my scope:

Code: [Select]
U-Boot 2014.10-RK3399-06-gb34072bb7d (Aug 23 2023 - 11:38:38)
Code: [Select]
[    0.000000] Linux version 4.4.126 (adil@ubuntu) (gcc version 6.3.1 20170404 (Linaro GCC 6.3-2017.05) ) #72 SMP PREEMPT Tue Jul 18 13:47:35 CST 2023
Looks like they used OrangePi old build scripts with the same toolchains. I found this build and for the last couple of days I'm making my own based on that. I gave it a name: "Orange Rigol". It will be on my github when it is usable.
 
The following users thanked this post: RAPo

Offline Tor Björn

  • Contributor
  • Posts: 10
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1906 on: March 03, 2024, 09:49:22 pm »
Greetings to all. Today I tried to fix the time zone by this way and got a broken scope with eternal logo :)
...
One issue I ran into was that the timezone was being reset on each boot - sadly they force the timezone in the startup script:
adb shell
su -
cd /rigol/shell; cp start_rigol_app.sh start_rigol_app.sh.orig
sed -i 's?setprop persist.sys.timezone Asia/Shanghai?setprop persist.sys.timezone America/New_York?' start_rigol_app.sh
I entered the adb commands changing "America/New_York" to "Europe/Helsinki". Then I checked the contents of the script, the timezone has indeed changed. Then I turned off the device and it no longer boots:
https://youtu.be/ebFSV6VQNRM?si=QLLapAEXIMGRVYaN
At 36 sec a quiet click is heard and that's it, no other activity. When I press and hold the power button the device turns off normally. Now it has no means of communication. My PC does not respond to the scope connection either through the rear usb (usb device) or through the front one (I disabled the VBUS wire in the type A -> type A cable in advance so as not to have consequences due to some potential difference and possible through currents).
My router interface does not see the scope connected via LAN. If I connect it by rj45 cord directly to the PC, then a new network connection appears in Windows, the PC regularly sends packets, but does not receive any in response, zero. The LEDs near the lan connector of scope are active.
I haven't done anything with the SD card yet. I have a copy of the entire "rigol" directory, but do not have a full "factory" dump of my sd card.
Where do you recommend starting debugging? Buy a new 32GB sd card and try to mount other people’s images that were posted on this forum, including Dave's img? Or look for ways to get into native recovery to install TWRP, with which maybe can upload the native script or the entire full "rigol" directory back?
A few days earlier, out of curiosity, I rebooted the scope to its native recovery via adb; it looks like this:
I won’t say that I’m in despair, but it’s somehow unpleasant. I hope experienced programmers will help me. Have a nice day!
« Last Edit: March 03, 2024, 09:51:31 pm by Tor Björn »
 

Offline shapirus

  • Super Contributor
  • ***
  • Posts: 1431
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1907 on: March 04, 2024, 12:45:18 am »
Greetings to all. Today I tried to fix the time zone by this way and got a broken scope with eternal logo :)
This happened to me too!

I thought it was a random glitch, but apparently it wasn't, and it is reproducible. I edited the time zone in the boot script, replacing the original value with Europe/Kiev -- and I did verify in the command line that it indeed worked, meaning the TZ name was correct -- and on next reboot there was that eternal logo after a quiet click about halfway of the expected boot process.

It did boot eventually, however. I am not sure what exactly helped. I tried various things: connect or disconnect ethernet and wifi, wait several minutes or hours before the next attempt (maybe until morning, I don't remember), with the USB power cable disconnected. At some point it booted and it was able to connect to network, I don't remember if it was wired or wireless. It took some maybe 10-20 boot attempts in total.

Since changing the timezone to a non-factory one causes boot trouble, it means that the boot sequence is designed terribly wrong. I suspect that there are some decisions as to when various parts should be started that are made based on the text representation of current time -- and if it suddenly changes mid-boot, which is the case when you change the TZ, something is going to see an unexpected (e.g. negative) time difference and fail.

Now, worst case, you can always take the SD card out, back it up, and ideally put it aside in a safe place, then get a new SD card (not necessarily 32 GB -- can be 64 GB or more), and write the backup image to it. Then, mount the file system (you need the /rigol partition), which you can do knowing the offset (man mount, search for "LOOP-DEVICE SUPPORT"; fs offsets were posted several pages earlier in this thread), and revert the changes you made to the boot script.

Once you get it back working again, make a fresh backup of the SD card and save it somewhere safe.
« Last Edit: March 04, 2024, 12:49:28 am by shapirus »
 
The following users thanked this post: AceyTech

Offline shapirus

  • Super Contributor
  • ***
  • Posts: 1431
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1908 on: March 04, 2024, 12:47:18 am »
Actually since you are able to enter the bootloader and it offers you to mount /system, then, probably, if you can get a shell with a mounted /system, you can mount the /rigol partition from there and edit the boot script directly on the scope without removing the SD card.
 

Offline Tor Björn

  • Contributor
  • Posts: 10
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1909 on: March 04, 2024, 01:06:04 am »
I edited the time zone in the boot script, replacing the original value with Europe/Kiev
I'm from Ukraine too, but wrote "Helsinki" in the script because I didn't know how to write "Kiev" or "Kyiv" correctly (for the Android system) 😂
Thanks for your answers, shapirus!
« Last Edit: March 04, 2024, 01:11:33 am by Tor Björn »
 

Offline enson72

  • Contributor
  • Posts: 45
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1910 on: March 04, 2024, 06:45:35 am »
I have installed https://4pda.to/forum/index.php?showtopic=798101 for the timezone.
 

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 391
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1911 on: March 04, 2024, 07:53:58 am »
Since changing the timezone to a non-factory one causes boot trouble, it means that the boot sequence is designed terribly wrong.
Changing the time zone in the start_rigol_app.sh script did not cause any failures. After the change, the oscilloscope booted up as usual.

Actually since you are able to enter the bootloader and it offers you to mount /system, then, probably, if you can get a shell with a mounted /system, you can mount the /rigol partition from there and edit the boot script directly on the scope without removing the SD card.
There are no problems entering this recovery, this is done by the adb command. But to move between items here you need to press the “Volume+” and “Volume-” buttons, but they are not on the oscilloscope :)
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1912 on: March 04, 2024, 04:30:29 pm »
Finally my build from scratch is working on this scope  :-BROKE A few things left to enter alpha stage.

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1913 on: March 04, 2024, 04:40:41 pm »
I edited the time zone in the boot script, replacing the original value with Europe/Kiev
I'm from Ukraine too, but wrote "Helsinki" in the script because I didn't know how to write "Kiev" or "Kyiv" correctly (for the Android system) 😂
Thanks for your answers, shapirus!

https://gist.github.com/arpit/1035596

Quote
Europe/Kiev

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 178
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1914 on: March 05, 2024, 01:07:40 am »
Finally my build from scratch is working on this scope  :-BROKE A few things left to enter alpha stage.
Cool! Do you have accelerated video implemented yet?  Historically, it has been a challenge for RK3399 based SBCs running Linux.  I'm pretty sure it's important since this is a visual device, and is probably one of the biggest reasons Rigol's team chose Android for the RK3399 based products.

Keep up the work.  Looking forward to your progress.
« Last Edit: March 05, 2024, 08:01:49 pm by AceyTech »
 

Offline Tor Björn

  • Contributor
  • Posts: 10
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1915 on: March 06, 2024, 12:26:29 am »
There are no problems entering this recovery, this is done by the adb command. But to move between items here you need to press the “Volume+” and “Volume-” buttons, but they are not on the oscilloscope :)

I definitely remember that stock recovery worked with the physical keyboard, like with tvboxes.

Now, after resuscitation using Dave's .img, recovery does not load. It tries to boot, and once every 22 seconds the following information appears on the screen for a moment:
 But it doesn't load. This doesn't bother me much, but I would like to have a backup recovery option via usb adb instead of disassembling and installing a spare sd card.
 I updated the old fw of Dave's image to 1.02, and for now I haven't returned the 802 model with Zelea2's tool. Just for fun, I'm testing the 814. I did a simple calibration (not an advanced calibration), the offsets disappeared on the first and second channels. On the fourth channel (ext trig in the original) there are still offsets, including a constant ADC offset that does not depend on the set input sensitivity V/div value. I think this is explained by the different configuration of these resistors in 802/804 and 814/804:
I will continue my research when I have more free time.
« Last Edit: March 06, 2024, 12:34:18 am by Tor Björn »
 
The following users thanked this post: norbert.kiszka

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1916 on: March 06, 2024, 12:33:32 am »
There are no problems entering this recovery, this is done by the adb command. But to move between items here you need to press the “Volume+” and “Volume-” buttons, but they are not on the oscilloscope :)

I definitely remember that stock recovery worked with the physical keyboard, like with tvboxes.

Now, after resuscitation using Dave's .img, recovery does not load. It tries to boot, and once every 22 seconds the following information appears on the screen for a moment:
 But it doesn't load. This doesn't bother me much, but I would like to have a backup recovery option via usb adb instead of disassembling and installing a spare sd card.
 I updated the old fw of Dave's image to 1.02, and for now I haven't returned the 802 model with Zelea2's tool. Just for fun, I'm testing the 814. I did a simple calibration (not an advanced calibration), the offsets disappeared on the first and second channels. On the fourth channel (ext trig in the original) there are still offsets, including a constant ADC offset that does not depend on the set input sensitivity V/div value. I think this is explained by the different configuration of these resistors in 802/804 and 814/804:
I will continue my research when I have more free time.

Pretty useful info. Someday we will make a rocket based on this scope :)

Anyway, I have an image of the 924S. I can upload it somewhere if you need it (before that, I need to delete some non-free files from it - not relevant to the scope).

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1917 on: March 06, 2024, 12:44:32 am »
Now, after resuscitation using Dave's .img, recovery does not load. It tries to boot, and once every 22 seconds the following information appears on the screen for a moment:

Check UART output. I can't read this blurry text.

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1918 on: March 06, 2024, 12:51:35 am »
BTW I just found this (decompiled from the SD card):

Code: [Select]
        i2c@ff160000 {
                compatible = "rockchip,rk3399-i2c";
                reg = <0x0 0xff160000 0x0 0x1000>;
                clocks = <0x8 0x46 0x8 0x15a>;
                clock-names = "i2c", "pclk";
                interrupts = <0x0 0x24 0x4 0x0>;
                pinctrl-names = "default";
                pinctrl-0 = <0x3e>;
                #address-cells = <0x1>;
                #size-cells = <0x0>;
                status = "okay";
                clock-frequency = <0x61a80>;

                rtc@32 {
                        compatible = "rockchip,rtc-rx8010sj";
                        reg = <0x32>;
                        interrupt-parent = <0x3f>;
                        interrupts = <0x3 0x8>;
                        status = "okay";
                };
        };

I think that was copied from DHO1000 or DHO4000.

Anyway, it will be also in my build if somebody wants to add this RTC.

Offline Tor Björn

  • Contributor
  • Posts: 10
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1919 on: March 06, 2024, 01:01:41 am »
I can't read this blurry text.
The text is clearly visible in the second and third images. These are stills (frames) from the video. Same as on blurred gif (1st image).

Anyway, I have an image of the 924S. I can upload it somewhere if you need it (before that, I need to delete some non-free files from it - not relevant to the scope).
Thank you! I will definitely contact you when I find time to experiment with 924S img on my 802.
« Last Edit: March 06, 2024, 01:10:27 am by Tor Björn »
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1920 on: March 06, 2024, 01:08:19 am »
I can't read this blurry text.
The text is clearly visible in the second and third images. These are stills (frames) from the video. Same as on blurred gif (1st image).

From the UART in my 924S:

Code: [Select]
[    0.000000] Kernel command line: earlycon=uart8250,mmio32,0xff1a0000 swiotlb=1 coherent_pool=1m cma=257M androidboot.baseband=N/A androidboot.selinux=disabled androidboot.hardware=rk30board androidboot.console=ttyFIQ0 init=/init mtdparts=rk29xxnand:0x00002000@0x00002000(uboot),0x00002000@0x00004000(trust),0x00002000@0x00006000(misc),0x00008000@0x00008000(resource),0x0000C000@0x00010000(kernel),0x00010000@0x0001C000(boot),0x00020000@0x0002C000(recovery),0x00038000@0x0004C000(backup),0x00040000@0x00084000(cache),0x00400000@0x000C4000(system),0x00008000@0x004C4000(metadata),0x00000040@0x004CC000(verity_mode),0x00002000@0x004CC040(baseparamer),0x00000400@0x004CE040(frp),0x000FA000@0x004CE440(rigol),-@0x00600000(userdata) storagemedia=sd androidboot.oem_unlocked=0 uboot_logo=0x02000000@0xf5c00000 loader.timestamp=2023-08-23_11:38:38 SecureBootCheckOk=0
So I suggest checking these filesystems using almost any Linux computer.

rknand can be googled.

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16707
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1921 on: March 06, 2024, 01:37:27 am »
Thank you! I will definitely contact you when I find time to experiment with 924S img on my 802.

I think it should be identical apart from the vendor.bin file.
 

Offline gabiz_ro

  • Regular Contributor
  • *
  • Posts: 114
  • Country: ro
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1922 on: March 06, 2024, 01:56:54 am »
Anyway, I have an image of the 924S. I can upload it somewhere if you need it (before that, I need to delete some non-free files from it - not relevant to the scope).
I'm interested too, just to compare with 800 series.

Partitions on sdcard are offset by 0x400000
Real addresses on sdcard are
Code: [Select]
      uboot: 0x000800000 -- 0x000C00000 (4 MB)
      trust: 0x000C00000 -- 0x001000000 (4 MB)
       misc: 0x001000000 -- 0x001400000 (4 MB)
   resource: 0x001400000 -- 0x002400000 (16 MB)
     kernel: 0x002400000 -- 0x003C00000 (24 MB)
       boot: 0x003C00000 -- 0x005C00000 (32 MB)
   recovery: 0x005C00000 -- 0x009C00000 (64 MB)
     backup: 0x009C00000 -- 0x010C00000 (112 MB)
      cache: 0x010C00000 -- 0x018C00000 (128 MB)
     system: 0x018C00000 -- 0x098C00000 (2048 MB)
   metadata: 0x098C00000 -- 0x099C00000 (16 MB)
verity_mode: 0x099C00000 -- 0x099C08000 (0 MB)
baseparamer: 0x099C08000 -- 0x09A008000 (4 MB)
        frp: 0x09A008000 -- 0x09A088000 (0 MB)
      rigol: 0x09A088000 -- 0x0B9488000 (500 MB)
   userdata: 0x0C0400000 -- 0x7629FFFFF (27174 MB)
 
The following users thanked this post: AceyTech
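As an added example (not code from the thread or from Rigol), the table above can be derived from the mtdparts= string in the 924S kernel command line posted earlier: each entry is size@offset in 512-byte sectors, and the whole layout sits 0x400000 bytes into the SD card. The script below parses that string, rebuilds the table, checks that no two partitions overlap, and produces the offset/sizelimit loop-mount command shapirus describes for getting at /rigol in a card image; the image and mountpoint names are placeholders.

```python
import re

SECTOR_BYTES = 512         # mtdparts values are in 512-byte sectors on this platform
SD_IMAGE_SHIFT = 0x400000  # the layout starts 4 MiB into the card, as noted above

# Constructed from the DHO924S kernel command line quoted in the thread; only the
# mtdparts= parameter is used.
KCMDLINE = (
    "androidboot.hardware=rk30board init=/init "
    "mtdparts=rk29xxnand:0x00002000@0x00002000(uboot),0x00002000@0x00004000(trust),"
    "0x00002000@0x00006000(misc),0x00008000@0x00008000(resource),"
    "0x0000C000@0x00010000(kernel),0x00010000@0x0001C000(boot),"
    "0x00020000@0x0002C000(recovery),0x00038000@0x0004C000(backup),"
    "0x00040000@0x00084000(cache),0x00400000@0x000C4000(system),"
    "0x00008000@0x004C4000(metadata),0x00000040@0x004CC000(verity_mode),"
    "0x00002000@0x004CC040(baseparamer),0x00000400@0x004CE040(frp),"
    "0x000FA000@0x004CE440(rigol),-@0x00600000(userdata) storagemedia=sd"
)

_PART_RE = re.compile(r"(0x[0-9A-Fa-f]+|-)@(0x[0-9A-Fa-f]+)\(([^)]+)\)")


def parse_mtdparts(cmdline, shift=SD_IMAGE_SHIFT, card_bytes=None):
    """Return [{name, start, size}] in SD-card byte addresses.
    A '-' size means 'rest of the device'; it is resolved only if card_bytes is given."""
    m = re.search(r"mtdparts=[^:\s]+:(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= parameter in command line")
    parts = []
    for size_s, off_s, name in _PART_RE.findall(m.group(1)):
        start = int(off_s, 16) * SECTOR_BYTES + shift
        if size_s == "-":
            size = None if card_bytes is None else card_bytes - start
        else:
            size = int(size_s, 16) * SECTOR_BYTES
        parts.append({"name": name, "start": start, "size": size})
    return parts


def find_overlaps(parts):
    """Sanity check before mounting: pairs of partitions whose byte ranges overlap."""
    known = [p for p in parts if p["size"] is not None]
    bad = []
    for i, a in enumerate(known):
        for b in known[i + 1:]:
            if a["start"] < b["start"] + b["size"] and b["start"] < a["start"] + a["size"]:
                bad.append((a["name"], b["name"]))
    return bad


def mount_command(parts, name, image="dho.img", mountpoint="/mnt/dho"):
    """Read-only loop mount of one partition inside a whole-card image
    (offset= and sizelimit= are the mount(8) LOOP-DEVICE SUPPORT options)."""
    p = next(p for p in parts if p["name"] == name)
    opts = f"loop,ro,offset={p['start']}"
    if p["size"] is not None:
        opts += f",sizelimit={p['size']}"
    return f"mount -o {opts} {image} {mountpoint}"


def layout_table(parts):
    """Render the layout in the shape of the table posted above (end is exclusive)."""
    rows = []
    for p in parts:
        end = "?" if p["size"] is None else f"0x{p['start'] + p['size']:09X}"
        mb = "?" if p["size"] is None else f"{p['size'] // (1024 * 1024)} MB"
        rows.append(f"{p['name']:>11}: 0x{p['start']:09X} -- {end} ({mb})")
    return "\n".join(rows)


if __name__ == "__main__":
    layout = parse_mtdparts(KCMDLINE)
    print(layout_table(layout))
    print("overlaps:", find_overlaps(layout))
    print(mount_command(layout, "rigol"))  # drop ro to edit start_rigol_app.sh on the image
```

Pass the card capacity as card_bytes to resolve the size of userdata; the computed starts match the KRNL addresses given earlier (kernel 0x2400000, boot/ramdisk 0x3C00000, recovery 0x5C00000).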

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 178
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1923 on: March 06, 2024, 05:16:05 am »
I definitely remember that stock recovery worked with the physical keyboard, like with tvboxes.
Is that only for wired kybds, or wireless too?  I haven't found any good info for button-less navigation in recovery, so please share when you find something.

Quote
I would like to have a backup recovery option via usb adb instead of disassembling and installing a spare sd card.
I don't know about your country/vendor, but I've heard that several countries have barred companies from voiding warranties based on peeling the stupid sticker they use.  I.e., they supposedly can't refuse service (based on a fragile sticker).  Check the main forums here; Dave was involved in a conversation, and he even made a YT video on how to peel it up safely. (Warning: make sure it's warm.)
Oh, and it's only a $300US product.  How much will it cost to send it for service?? 
FYI: I'm booting mine from a 64GB card with a spare DD img on my Ubuntu box, and the original SDCard safely stored.

Quote
I updated old fw of Dave's image to 1.02, and while I didn’t return the 802 model with Zelea2's tool. Just for fun, I’m testing the 814. I did a simple calibration (not an advanced calibration), the offsets disappeared on the first and second channels. On the fourth channel (ext trig in the original) there are still offsets, including a constant ADC's offset that does not depend on the set input sensitivity V/div value. I think this is explained by the different configuration of these resistors in 802/804 and 814/804:

I will continue my research when I have more free time.

That's interesting.  I was wondering if anyone put an 814 model number on their 802 scope to make a 3ch scope.  Good to know!  Thanks for sharing the pic of the DHO802 Ext/Ch4 AFE.  FYI: once you enable the testmodel option, you might be able to play with your 4th ch offsets.  YMMV, standard disclaimers apply. ;)

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 178
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1924 on: March 06, 2024, 05:49:52 am »
I'm interested too, just to compare with 800 series.

Partitions on sdcard are offset by 0x400000

16!  That is the most partitions I've seen so far.  There have been a few people reporting partitions/offsets since the first bunch of scopes hit the mainstream in September, and I'm trying to keep track of them all.  BTW: What are you using to view, Testdisk?
Thanks!
« Last Edit: March 06, 2024, 05:52:56 am by AceyTech »
 
