Author Topic: Hacking the Rigol DHO800/900 Scope  (Read 313479 times)


Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2275 on: March 14, 2024, 05:43:24 pm »
heating PCB with components on it.
for some, this is bread and butter and hope...

 :-BROKE

decompiled hdcode_gpio.ko and looks like it's pretty simple module reading gpio and writing one byte into a file and nothing more. That's why I posted to do printf (to generate one byte file) in a shell script
but since there not yet solid and stable solution, i guess its not that simple. from fractions that i can understand, there's complication such as compiled apk/ko kernel authentication error? (MITM spoofing from inside ie modified code/compiled app file) or sleep timing complication? (MITM spoof and sniff from outside? hook/script whatever it is) btw i have no clue about how android/linux system works, you are ahead in this we are counting on you. i may do/learn this on free time next time if i can dig whats the real complications are with hints from posts of you people. cheers.

Probably You missed my posts about chmod. App creates file descriptor with RW flag (but it doesn't write into that file). In my case 444 was working, but in case of @Randy222 it wasn't. As far as I remember, changing 444 to 666 (2 = write permission) worked for him.

In other words do:

Code: [Select]
chmod 666 /dev/hdcode_gpio
Instead of:

Code: [Select]
chmod 444 /dev/hdcode_gpio

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2276 on: March 14, 2024, 06:17:13 pm »

Probably You missed my posts about chmod. App creates file descriptor with RW flag (but it doesn't write into that file). In my case 444 was working, but in case of @Randy222 it wasn't. As far as I remember, changing 444 to 666 (2 = write permission) worked for him.

In other words do:

Code: [Select]
chmod 666 /dev/hdcode_gpio
Instead of:

Code: [Select]
chmod 444 /dev/hdcode_gpio
Yes, 444 no good. 666 is good.

But I noted, on my 804 (probably for all 800's), HW-12 to HW-8 (via software) does not appear to enrich the product. I also run my 804 with the 914 vendor.bin and some lics.
Didn't you mention the hdcode KLM was being called by other processes so not really sure what the impact is when disabling that KLM?
It might be a prudent test to mod that ko KLM so that it perhaps reads a user file that logical maps the gpio pin names to a value, this way you can just plop 0 or 1 into a file and reload the KLM. This would bypass actual read to the RK, etc.

We must remember that the 900 has a bunch more hardware inside.
We could probably carve out a hack thread for 800, and one for 900, but this thread is long and very mixed already.
« Last Edit: March 14, 2024, 06:21:56 pm by Randy222 »
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2277 on: March 14, 2024, 06:25:58 pm »

Probably You missed my posts about chmod. App creates file descriptor with RW flag (but it doesn't write into that file). In my case 444 was working, but in case of @Randy222 it wasn't. As far as I remember, changing 444 to 666 (2 = write permission) worked for him.

In other words do:

Code: [Select]
chmod 666 /dev/hdcode_gpio
Instead of:

Code: [Select]
chmod 444 /dev/hdcode_gpio
Yes, 444 no good. 666 is good.

But I noted, on my 804 (probably for all 800's), HW-12 to HW-8 (via software) does not appear to enrich the product. I also run my 804 with the 914 vendor.bin and some lics.
Didn't you mention the hdcode KLM was being called by other processes so not really sure what the impact is when disabling that KLM?

We must remember that the 900 has a bunch more hardware inside.
We could probably carve out a hack thread for 800, and one for 900, but this thread is long and very mixed already.






GPIO pins can be read and write only by kernel modules. We can decompile other modules, but I doubt that other modules reads those pins.

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2278 on: March 14, 2024, 06:30:30 pm »

GPIO pins can be read and write only by kernel modules. We can decompile other modules, but I doubt that other modules reads those pins.
Yes, the platform uses that hdcode KLM, perhaps in various ways. I was suggesting mod the KLM to not even read RK gpio, but rather just read a file to obtain values. This way the KLM stays loaded, but we then get control of the values via user file.
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2279 on: March 14, 2024, 06:35:49 pm »
Scope cpu temp. for stock fan configurations only.
In Utility , in the self-check board test, what do your ambient and cpu temps say?

Some many posts back I mentioned I added thermal paste between the heatsink pads, trying to ascertain any benefits.

My scope has been on for about 1hr, it's doing no work (all channels are off) temps are
cpu_chip / cpu_amb

52.7/48.7
cpu_chip 52.7
cpu_amb 48.7
room amb is 23.5
Mine had ~56/52 respectively at ~21-22 room ambient.
My DHO temps remain a constant 4 diff. After running several cal routines, which takes cpu up to around 50%, temps rose to 57/53.

 

Online shapirus

  • Super Contributor
  • ***
  • Posts: 1430
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2280 on: March 14, 2024, 06:45:39 pm »
GPIO pins can be read and write only by kernel modules.
Can also be done from userspace by accessing /dev/mem directly.
 
The following users thanked this post: AceyTech

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2281 on: March 14, 2024, 06:53:30 pm »
GPIO pins can be read and write only by kernel modules.
Can also be done from userspace by accessing /dev/mem directly.

We can strace syscalls and filter syscalls related to files - which I did couple times. I don't remember any fd opened for that file.

Online shapirus

  • Super Contributor
  • ***
  • Posts: 1430
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2282 on: March 14, 2024, 07:02:45 pm »
We can strace syscalls and filter syscalls related to files - which I did couple times. I don't remember any fd opened for that file.
Yeah, normally you work with gpio via kernel modules, was just saying that it's possible to work with the respective registers directly.

There's also /sys/class/gpio interface, which is probably the interface provided by the modules.

These are general considerations, I'm not speaking about this scope's system specifically.
 
The following users thanked this post: AceyTech

Offline Mechatrommer

  • Super Contributor
  • ***
  • Posts: 11694
  • Country: my
  • reassessing directives...
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2283 on: March 14, 2024, 07:28:26 pm »
Probably You missed my posts about chmod.
is this line ok?

Code: [Select]
# Get the Hardware version
#insmod /rigol/driver/hdcode_gpio.ko
#chmod 777 /dev/hdcode_gpio
printf '\xc' > /dev/hdcode_gpio
chmod 666 /dev/hdcode_gpio

because i tried...

Code: [Select]
# Get the Hardware version
#insmod /rigol/driver/hdcode_gpio.ko
#chmod 777 /dev/hdcode_gpio
printf '\x0F' > /dev/hdcode_gpio
chmod 666 /dev/hdcode_gpio

and push the edited start_rigol_app.sh and my scope reboot indefinitely, it just enter GUI for 2 seconds and reboot. congratulation to me and my VB hex knowledge, i'm reimaging the sd card... :-BROKE
Nature: Evolution and the Illusion of Randomness (Stephen L. Talbott): Its now indisputable that... organisms “expertise” contextualizes its genome, and its nonsense to say that these powers are under the control of the genome being contextualized - Barbara McClintock
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2284 on: March 14, 2024, 07:37:49 pm »
and push the edited start_rigol_app.sh and my scope reboot indefinitely, it just enter GUI for 2 seconds and reboot. congratulation to me and my VB hex knowledge, i'm reimaging the sd card... :-BROKE

I already made a mistake that caused a boot loop caused by a script. Just mount it on PC and edit this file. If You just want to start system without fixing, then add exit at beginning of script - exit will prevent further script execution. Same as removing execute permission(s) or changing its name.

Reboot can be caused by writing into device file which is read only.

Maybe somehow You had loaded hdcode_gpio.ko. So check Your script carefully.

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 178
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2285 on: March 14, 2024, 07:51:58 pm »
Speaking of additional calibration options..  I hadn't noticed this before tonight.  There is a "Detail" drop-down on the SelfCal window with some interesting calibration info. -if it passes- 
(Attachment Link)
BTW: these are all the "additional calibration" options that I found to calibrate with success.  Anything else added will fail. 
(Attachment Link)
FYI: it took 7 hours to test all the permutations, because some would go 98 or 99% before stopping or crashing.
What's the ADC Clock adjustments in Debug? Is that only used when you have $50,000 calibration signal feeding the inputs?

Not 100% sure, but I had a theory(total WAG) about this last month here, below the pix.  And now I almost wonder if it's for calibration since there aren't any trimmer/pots for cal like in a lot of Front End sections.  But your guess is as good as any.
« Last Edit: March 14, 2024, 07:54:40 pm by AceyTech »
 

Offline Mechatrommer

  • Super Contributor
  • ***
  • Posts: 11694
  • Country: my
  • reassessing directives...
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2286 on: March 14, 2024, 07:57:36 pm »
Maybe somehow You had loaded hdcode_gpio.ko. So check Your script carefully.
there is nowhere else hdcode_gpio.ko is scripted in the file. and i already commented the only one as i showed above..

Just mount it on PC and edit this file.
mount what? the sd card? as soon as i hook in with card reader, my windows asks to format it because its unreadable

If You just want to start system without fixing, then add exit at beginning of script - exit will prevent further script execution. Same as removing execute permission(s) or changing its name.
Reboot can be caused by writing into device file which is read only.
how easy! chmod 666 and the file is still read only? duh...  ::)
Nature: Evolution and the Illusion of Randomness (Stephen L. Talbott): Its now indisputable that... organisms “expertise” contextualizes its genome, and its nonsense to say that these powers are under the control of the genome being contextualized - Barbara McClintock
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2287 on: March 14, 2024, 08:16:48 pm »
there is nowhere else hdcode_gpio.ko is scripted in the file. and i already commented the only one as i showed above..

Maybe this module was already loaded. Did you check it with lsmod?

Edit: to unload module use this:

Code: [Select]
rmmod hdcode_gpio
Or:

Code: [Select]
modprobe -r hdcode_gpio
mount what? the sd card? as soon as i hook in with card reader, my windows asks to format it because its unreadable

Windows itself is capable of catching malware instead of doing what we need. Grab some GNU/Linux distribution instead. Personally I don't have Windows at all - for last ~15 years.

I can edit everything directly from SD card with standard GNU tools.

Quote
how easy! chmod 666 and the file is still read only? duh...  ::)

Permissions are completely separate thing in Linux VFS (which can be directed to real FS if it's capable). This module wasn't developed to create writeable file and to read data from it.
« Last Edit: March 14, 2024, 08:19:37 pm by norbert.kiszka »
 
The following users thanked this post: Mechatrommer

Offline Mechatrommer

  • Super Contributor
  • ***
  • Posts: 11694
  • Country: my
  • reassessing directives...
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2288 on: March 14, 2024, 08:28:26 pm »
Personally I don't have Windows at all - for last ~15 years.
then you missed mixed reality experience and errr... telemetry ;D btw if nothing wrong with '\x0F' then the problem must be something else... since i posted, just to let you guys knows... start_rigol_app.sh also get updated from v1.14 to v1.2.2 since i spotted differences such as changes from "focaltech for guoxian" to "focaltech for gaozhan", so i guess for every FW update, we need to redo this script spoofing steps, even if its successful. cheers.
Nature: Evolution and the Illusion of Randomness (Stephen L. Talbott): Its now indisputable that... organisms “expertise” contextualizes its genome, and its nonsense to say that these powers are under the control of the genome being contextualized - Barbara McClintock
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2289 on: March 14, 2024, 08:42:53 pm »
if nothing wrong with '\x0F'

App just reads first byte and nothing more. I even done \xFF which makes 255 in app.

I'm almost sure you had loaded hdcode_gpio before printf (into existing /dev/hdcode_gpio) and that caused it.

To be safe, You can add rmmod just before printf. If rmmod is called on a nonexistent module (not loaded) then it will scream (will print error message) and nothing else.

so i guess for every FW update, we need to redo this script spoofing steps, even if its successful. cheers.

In GNU/Linux You can use /etc/rc... to execute scripts (and to manage order of it) at different runlevels. I'm not very familiar with Android which uses Linux kernel, but beside of that, it's a completely different system. As I told before, Google made Windows from a Linux.

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2290 on: March 14, 2024, 08:51:39 pm »
I was looking for something else, but inside of libscope-auklet.so there is a function DevAcquireSPU_SetSinc so probably we can get rid of sin(x)/x interpolation.

There are many things which can be done by decompiling and changing it, but it's time consuming. I wasn't coding in C too much in last couple years, so I managed to forget many things.

Offline sjfaustino

  • Newbie
  • Posts: 2
  • Country: pt
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2291 on: March 14, 2024, 10:13:50 pm »
Is it possible to add an icon to the menu to call an app or failing that, add a link inside the help or even replace the help?
I would like to keep booting into the scope app but be able to call the "Electrical Calculations" ( https://play.google.com/store/apps/details?id=it.Ettore.calcolielettrici&hl=en&gl=US ) app at will.
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2292 on: March 14, 2024, 10:18:32 pm »
Is it possible to add an icon to the menu to call an app or failing that, add a link inside the help or even replace the help?
I would like to keep booting into the scope app but be able to call the "Electrical Calculations" ( https://play.google.com/store/apps/details?id=it.Ettore.calcolielettrici&hl=en&gl=US ) app at will.

That's why I started developing Debian to work on this scope and get rid of Android. Currently X crashes from time to time and Rigol didn't send me kernel source code.

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 178
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2293 on: March 14, 2024, 10:22:15 pm »
Mine had ~56/52 respectively at ~21-22 room ambient.

Scope cpu temp. for stock fan configurations only.
In Utility , in the self-check board test, what do your ambient and cpu temps say?
Some many posts back I mentioned I added thermal paste between the heatsink pads, trying to ascertain any benefits.

My scope has been on for about 1hr, it's doing no work (all channels are off) temps are
cpu_chip 52.7
cpu_amb 48.7
room amb is 23.5

Randy222: What were your temps prior to your paste mod?

FYI: Mine were 58.3/53 @25.6  Doing math, 4 ch active, post calibration(1 hour ea test)
I'm running in the 40's now tho'., same test conditions, slight HW mod. ;)
« Last Edit: March 14, 2024, 10:39:04 pm by AceyTech »
 

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 178
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2294 on: March 14, 2024, 10:30:04 pm »
Is it possible to add an icon to the menu to call an app or failing that, add a link inside the help or even replace the help?
I would like to keep booting into the scope app but be able to call the "Electrical Calculations" ( https://play.google.com/store/apps/details?id=it.Ettore.calcolielettrici&hl=en&gl=US ) app at will.

Welcome aboard!

You need to install a simple launcher and then a gesture app to do that. Key assignment, maybe.   I think you can do all that via ADB.
 FYI: You can get to the android "desktop" by hitting Win-N on your USB keyboard to do fun things with Android.

p.s.,  You'll probably need the APK's and install directly.  Not sure you can install/run play store...  Apparently you can.  Here's some examples, including Electrodoc and some other Android stuff running on these from a few months ago.
« Last Edit: March 14, 2024, 10:50:24 pm by AceyTech »
 
The following users thanked this post: egonotto

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2295 on: March 14, 2024, 11:56:28 pm »
Mine had ~56/52 respectively at ~21-22 room ambient.

Scope cpu temp. for stock fan configurations only.
In Utility , in the self-check board test, what do your ambient and cpu temps say?
Some many posts back I mentioned I added thermal paste between the heatsink pads, trying to ascertain any benefits.

My scope has been on for about 1hr, it's doing no work (all channels are off) temps are
cpu_chip 52.7
cpu_amb 48.7
room amb is 23.5

Randy222: What were your temps prior to your paste mod?

FYI: Mine were 58.3/53 @25.6  Doing math, 4 ch active, post calibration(1 hour ea test)
I'm running in the 40's now tho'., same test conditions, slight HW mod. ;)
I honestly don't know. I went in to look around for solder blobs, found the dirty areas around the BNC solder pins, but when lifting heatsink that's when I noticed sink pads, which I don't like, but since the sink is cast and spans 7 chips, pads is the only way to do it. It's why I asked for others to check temps with 800 and oem fan.

My DHO sitting idle is at 52/48. The diffs always appear to be 4. Does your run a diff of 5? Sitting idle your DHO temps are below 50?
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2296 on: March 15, 2024, 12:00:41 am »
Maybe somehow You had loaded hdcode_gpio.ko. So check Your script carefully.
there is nowhere else hdcode_gpio.ko is scripted in the file. and i already commented the only one as i showed above..

Just mount it on PC and edit this file.
mount what? the sd card? as soon as i hook in with card reader, my windows asks to format it because its unreadable

If You just want to start system without fixing, then add exit at beginning of script - exit will prevent further script execution. Same as removing execute permission(s) or changing its name.
Reboot can be caused by writing into device file which is read only.
how easy! chmod 666 and the file is still read only? duh...  ::)

It's always best to comment out the hdcode KLM in start script and reboot BEFORE creating the dev file. I have sent junk into the dev char device file with the KLM loaded, it did cause what seemed like a system crash, but I was able to power cycle and it came back.

As for mounting the sdcard, windows will be a bear. Ubuntu LTS live disk (iso to USB stick) is the way to go. Mounting the slices Android has in android_meta and android_expand is tricky, but not hard, use testdisk to find the start #, then mount with offset multiplier of 512. I posted it a few pages back, search the forum for "offset" or "testdisk" or "mount", that should narrow it down.

---> https://www.eevblog.com/forum/testgear/hacking-the-rigol-dho800900-scope/msg5387744/?topicseen#msg5387744
« Last Edit: March 15, 2024, 12:04:43 am by Randy222 »
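
The ordering advice from the posts above (make sure hdcode_gpio is not loaded before the byte is written, and never write into the module's character device), as an added example that is not part of any poster's script. The function names, return codes and the decimal-only argument are assumptions made for illustration; the module name and /dev/hdcode_gpio come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and return codes are
# hypothetical; the module name and /dev/hdcode_gpio come from the posts.

# module_loaded NAME MODULES_FILE
# True if NAME appears in a file in /proc/modules format ("name size refs ...").
module_loaded() {
    grep -q "^$1 " "$2"
}

# write_hw_byte VALUE TARGET [MODULES_FILE]
# Writes exactly one byte (decimal VALUE, 0-255) to TARGET as a regular file.
# Returns: 0 written, 2 bad value, 3 module still loaded,
#          4 TARGET is a device node, 5 write failed, 6 module list unreadable.
write_hw_byte() {
    val=$1 target=$2 mods=${3:-/proc/modules}

    # Accept only plain decimal 0-255 (no sign, no leading zero, max 3 digits).
    case $val in
        ''|*[!0-9]*|0?*|????*) return 2 ;;
    esac
    [ "$val" -le 255 ] || return 2

    # If we cannot tell whether the module is loaded, do nothing.
    [ -r "$mods" ] || return 6
    # With the module loaded, TARGET is its character device; the posts report
    # crashes and reboots after writing into it.
    if module_loaded hdcode_gpio "$mods"; then return 3; fi
    # A leftover device node would also be written into, not replaced.
    if [ -c "$target" ] || [ -b "$target" ]; then return 4; fi

    # %b with \0ddd (octal) is the portable way to emit one arbitrary byte.
    printf '%b' "\\0$(printf '%03o' "$val")" > "$target" || return 5
    # Mode 666: the app opens the file read-write, per the thread.
    chmod 666 "$target" || return 5
}

# Constructed demo in a scratch directory (nothing on a real device is touched).
demo() {
    d=$(mktemp -d) || return 1
    printf 'snd_pcm 98304 1 - Live 0x0000000000000000\n' > "$d/modules"
    rc=0; write_hw_byte 12 "$d/hdcode_gpio" "$d/modules" || rc=$?
    echo "module absent -> rc=$rc, byte:$(od -An -tu1 "$d/hdcode_gpio")"
    printf 'hdcode_gpio 16384 0 - Live 0x0000000000000000\n' >> "$d/modules"
    rc=0; write_hw_byte 15 "$d/hdcode_gpio" "$d/modules" || rc=$?
    echo "module loaded -> rc=$rc (file left untouched)"
    rm -rf "$d"
}
demo
```
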
 

Online shapirus

  • Super Contributor
  • ***
  • Posts: 1430
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2297 on: March 15, 2024, 12:01:17 am »
My DHO sitting idle is at 52/48. The diffs always appear to be 4. Does your run a diff of 5? Sitting idle your DHO temps are below 50?
diff can be higher with a larger fan, I think I saw a difference of 8 degrees.
 
The following users thanked this post: AceyTech

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2298 on: March 15, 2024, 12:08:42 am »
My DHO sitting idle is at 52/48. The diffs always appear to be 4. Does your run a diff of 5? Sitting idle your DHO temps are below 50?
diff can be higher with a larger fan, I think I saw a difference of 8 degrees.
I was not even sure what "cpu_amb" was. Varies from device to device. cpu_chip is usually a diode or something inside the cpu. "amb" can be anything not in the chip. Isn't larger diff between the two mean cpu heat is not being sinked out to amb fast enough? cpu temp can be no lower than ambient temp, so isn't smaller diff better?

With an 8 diff, does that bring down cpu temp more? Cold amb is good, but most meaningful if the cpu temp also comes down due to the higher temp diff gradient.
« Last Edit: March 15, 2024, 12:10:30 am by Randy222 »
 

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 178
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2299 on: March 15, 2024, 12:21:30 am »
My DHO sitting idle is at 52/48. The diffs always appear to be 4. Does your run a diff of 5? Sitting idle your DHO temps are below 50?
diff can be higher with a larger fan, I think I saw a difference of 8 degrees.
I was not even sure what "cpu_amb" was. Varies from device to device. cpu_chip is usually a diode or something inside the cpu. "amb" can be anything not in the chip. Isn't larger diff between the two mean cpu heat is not being sinked out to amb fast enough? cpu temp can be no lower than ambient temp, so isn't smaller diff better?

With an 8 diff, does that bring down cpu temp more? Cold amb is good, but most meaningful if the cpu temp also comes down due to the higher temp diff gradient.

I'm not sure yet where they're measuring that CPU_amb at, but it's obviously pretty close, due to the direct correlation in temps.  And @shapirus, you nailed it with the larger fan comment. 
I have some analytical data that I'll post regarding mods vs temps.  Soon.

