Hacking the DSO2X1X

[DavidAlfa]

I received the DS1307! Made few mods to it:
- Removed the charging diode/resistor as Im using a CR2032.
- Replaced the 500K in-series resistor between battery and Vbat pin with a solder jumper (there's no need of that)
- Removed the really stupid 1M5 pull-down resistor whose function is just to drain the battery faster.
- Lifted 24C32 pin 1 and connected to VCC to change address to 0x51.

Everything was detected at the first try:

Code: (i2cdetect -y 0) [Select]

     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:                         -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- UU -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: 50 51 -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- 68 -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --

Then I updated the RTC script.
Much cleaner, now it supports both DS1307 and DS3132 in a single file.
Very nice, now I have timestamps, no longer scratching my head while trying to figure out when the screenshots were made

So, nice for Hantek. They really needed to save $1 in parts

[morgan_flint]

Perfect!

Mine is also working OK since a few days ago with a DS3132 module and the script I posted here, modded from your old RAM version to work with flash. I'll try your new version also.

Still have to make the permanent installation, for the moment I have it provisional to experiment with different modules.

Definitely, for the cost, it's a worthwhile modification, especially for those who take screenshots on a regular basis.

[DavidAlfa]

Yes, the script is doing the same thing, just a lot more tidier and better formatting, removing a lot of intermediate steps.

[m3vuv]

Wtf is fel mode?

[DavidAlfa]

Wtf is reading the f. FAQ? 

[pcprogrammer]

Wtf is fel mode?

Although a bit blunt David is right. Reading seems to be a lost skill, but to make is simple for you FEL is a state Allwinner MCU's can be put in. When in this state the USB port is set to slave mode and allows for a host to control the MCU. It is possible to read and write peripheral registers and load code to memory (not the DRAM though because that needs initialization first) or a FLASH chip when connected to the MCU.

To do this dedicated software is needed on the host. sunxi-fel to be specific. Not sure about the platform tools frequently mentioned in the Hantek threads, because I have not used these yet.

[DavidAlfa]

Sorry, I can't stand lazy people.
While I made a quite big effort on documenting everything, but it's easier to ask and wait! While simple forum search provides it all.

SEARCHING FAQ:
-Enter your subject in the searching box, placed at the top right corner.
-Click search
-Read
-If still not clear, you may ask.

[DavidAlfa]

Please help-me with my DSO2D10 with freezing after booting.

I forget there was a factory reset command, if it happens again, try that.
Connect the computer to the rear port, open the scpi console and send "PRIVate:FACTORY:RESET" as described here.

[morgan_flint]

I received the DS1307! Made few mods to it:...

Hi, David.

After these new versions, I've updated the folder for the RTC mod on your disk with your new scripts. The folder also contains your i2c binaries and the "do_other_update" scripts needed to install them in the scope (although I doubt anybody installing an RTC would need them, as they'd probably also install the serial port and make the installation from the console).

There's also a "readme" file and a detailed document for the mod (also attached here) If you want the editable version, I'd send it to you also.

You could just move the entire folder to the appropriate place on the nonwritable part of the disk, but I imagine you'll like to revise it first 

Thank you for all your work with this mod!

EDIT: Typo in attachment
EDIT2: new version of the document, including David's requests

[DavidAlfa]

Edit:
RTC packages done, placed in RTC clock mod folder.
Please make a cut-down version of the RTC installation guide, removing the script details, as they're not required?
Also, it would be better to add the RTC circuit/eeprom modification details instead linking to the forum, as you never know what could happen, tomorrow the server could break down and everything get lost.

[.rpv]

Thanks guys, I installed the hack and works like a charm.

I used an DS3231 module with DavidAlfa's dso3kb_rtc_DS3231_install.upk package.

 

[morgan_flint]

...
Please make a cut-down version of the RTC installation guide, removing the script details, as they're not required?
Also, it would be better to add the RTC circuit/eeprom modification details instead linking to the forum, as you never know what could happen, tomorrow the server could break down and everything get lost.

Ok, I'll do it

[morgan_flint]

Thanks guys, I installed the hack and works like a charm.
...

Congrats!

Could you please add a photo of the place where you connected the wires to the mainboard?

From your second picture, it looks like you soldered them to the EEPROM, as I did. I think this is the best alternative, as the pins are much larger than other possibilities.

Also, I discovered yesterday that the I2C bus is present at the mainboard to LCD connector, which would be also an alternative. Pins 8 and 9 are SDA and SCL, GND is at pins 11-12-14-16-18-20-22-28-30-32-38-45 and 3.3V at 25-26.

I2C bus is also routed to (unmounted) P2 connector in the LCD-keyboard PCB. Could be a good alternative if you have or can find a connector or ribbon cable that fits there (very fine pitch). From left to right, P2 is: MCU pin 28-3.3V-GND-MCU pin 29-SDA-SCL. Maybe that connector was there for a touch pannel...

EDIT: Didnt see well the photo in the first version of the post

[DavidAlfa]

I wouldn't solder to the plastic lcd connector under any circumstances, it's just too easy mess up something!
Interfacing the 24c02 pins is, by far, the best and safest option.

Yes, there're traces of the Goodix GT911 i2c touch controller everywhere, but I guess it didn't made it to the final production version.

[morgan_flint]

...
Please make a cut-down version of the RTC installation guide, removing the script details, as they're not required?
Also, it would be better to add the RTC circuit/eeprom modification details instead linking to the forum, as you never know what could happen, tomorrow the server could break down and everything get lost.

Ok, I'll do it

Done and uploaded to the Google drive and the previous post.

[morgan_flint]

The RTC script is finished, working great. Supports both DS1307 and DS3231.

Code: (/usr/bin/date_daemon) [Select]

....
# Monitor "date" file, update if timestamp changed
while true; do
  if [ -f "$DATE_FILE" ]; then
    NEW="$($DATE -r "$DATE_FILE" +"0x%02S 0x%02M 0x%02H 0x%02u 0x%02d 0x%02m 0x%02y")"
    [ "$NEW" != "$STAMP" ] && write_rtc
  fi
  sleep 5
done


Not really very important, as a few seconds' difference is not relevant in this application, but for future versions you might consider this modification to the last line:

Code: [Select]

[ "$NEW" != "$STAMP" ] && NEW="$($DATE -d "@$((20 + $($DATE -r "$DATE_FILE" +"%s")))" +"0x%02S 0x%02M 0x%02H 0x%02u 0x%02d 0x%02m 0x%02y")" && write_rtc
It simply recalculates $NEW, after comparing to $STAMP, adding 20 seconds before calling write_rtc. This is to compensate for the time you need to extract the pendrive from the PC (after "touching" it), plug it in the scope, and for the time the scope needs to mount the unit and read it. I've tried it in my scope and seems to work as intended.

I had also added this compensation here, but the idea probably got lost in the (too long) post. I tend to "enrollarme" more than necessary...

[Maxie]

Is there any document about the serial console mod?
All I found is a JPG file in the 'Mods/hacking' folder.
Can I control my scope using a terminal window in normal operation or only in FEL mode?
Is the serial mod a normal RS232 port? So I can use console commands and the front USB at the same time?

[morgan_flint]

That JPG is all needed from the hardware point of view, you get a 3.3V level serial port (not RS232 levels). To connect it to a PC, you'd need a serial to USB adapter compatible with these levels (maybe it's 5V tolerant, especially if you use the suggested resistors, but I haven't tried).

This serial port gives access to a console terminal for the scope's embedded Linux, very good for hacking but, AFAIK, not useful to send SPCI commands.

It's possible to use it simultaneously with the front USB.

I just gave a try to connect Keysight's utilities via the serial port but, as expected, they didn't work. They seem to reproduce the dialog for user logging (see attached pictures, the 3rd one is what you get in Putty, for example). Maybe there's a command or executable to set the scope listening for SCPI on that port, but I don't know it 

[DavidAlfa]

I don't think so, scpi is handled by Hantek's Phoenix binary itself (The one running the main app, gui, functions...).

FEL is just a low-level boot mode for Allwinner devices, nothing related to controlling the scope.

No RS232 levels, it's 3.3V.
There's an unpopulated max232 that could be added if required, I guess they thought on adding rs485 but didnt' in the end.
I used a esp8266 with Jeelabs firmware, it's very convenient to have console access wirelessly.

[Maxie]

Thanks guys, if it is only for hacking Linux I'll pass.
Not quite on that level yet.
Might be useful for running different scripts though, instead of constantly moving the USB dongle between the PC and the scope ..... hmm.

[.rpv]

Could you please add a photo of the place where you connected the wires to the mainboard?

From your second picture, it looks like you soldered them to the EEPROM, as I did. I think this is the best alternative, as the pins are much larger than other possibilities.

I solder the wires to the eeprom, as suggested, I used the connector and the buzzer as strain-relieve 

[DavidAlfa]

I wanted to patch the UART (again) but with better formatting, the original string was too small and couldn't be done by simply patching it.
So I've revisited something I had already done: Finding empty spaces in the binary, inserting a new string and replacing the pointer addresses.
I hadn't documented any details, so I had to start from zero, last time I did this I was recovering from the surgery, had a lot of sleep deprivation and pain for months, so now I didn't remember anything!

Start with a working linux system with python3 and python3-pip installed, and your prefered HEX editor. I'm using HxD (Windows).

First steps
Get some basic file information:

Code: [Select]

file phoenix
phoenix: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 3.10.0, stripped
LSB means the file uses little-endian, that is, less significant bytes first, or reversed.
Ex. the number 0x11223344 would be encoded as 0x44332211.

Install cavefinder

Code: [Select]

sudo pip3 install cavefinder
Check you new string requirements
In this example I'll be adding a larger string for the UART decoder, so it outputs HEX+char.
Remember you need a termination (null) char, also it's better to ensure the preceding byte is 0 in case there's a string there
For [%02X '%1$c'] , the decoder output for 0x41 would be: <41 'A'>, and requires at least 13 bytes.

Find empty space
I recommend specifying slightly bigger size for future changes, ex. in this case 32 bytes should be more than enough.

Code: [Select]

cavefinder --size 32 phoenixYou'll get a lot of results, take any size matching your requirements.
There'll will be much bigger zones, but it's better to preserve them for other future purposes that really require larger sizes.

Code: [Select]

Section name:       .rodata
Cave begin:         799690 - 0xc33ca
Cave end:           799722 - 0xc33ea
Cave size:          32 bytes
Virtaddr:           0xd33ca
info:               Type: SHT_PROGBITS, Flags: SHF_ALLOC
So we have a good one at 0xC33CA. Note that the virtual address has an offset of 0x10000 (0xd33ca), remember this!
Better to align it to 32-bit, just in case, so our string will start at 0xC33CC.
Opening phoenix in the hex editor and jumping to the address:

Code: [Select]

                                             / Start
                                            |
0C33C0  19 80 19 80 19 80 19 80 19 80 00 00 00 00 00 00    .€.€.€.€.€......
0C33D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0C33E0  00 00 00 00 00 00 00 00 00 00 03 30 03 30 03 30    ...........0.0.0
                                |
                                 \ End
Insert the string:

Code: [Select]

0C33C0  19 80 19 80 19 80 19 80 19 80 00 00 25 30 32 58    .€.€.€.€.€..%02X
0C33D0  20 27 25 31 24 63 27 00 00 00 00 00 00 00 00 00     '%1$c'.........
0C33E0  00 00 00 00 00 00 00 00 00 00 03 30 03 30 03 30    ...........0.0.0
We're done with the first (easy) part.

Patching the pointers
Now we have to find the original string, the pointers to it and redirect them to the new one.
Because I already spent a ton of time testing different locations, I know the original string is "%02x", placed very close to another string, "UART DATA".
Searching "UART DATA" quickly finds the location at 0BAAAC:

Code: [Select]

0BAAA0  00 00 00 00 55 61 72 74 00 00 00 00 25 30 32 78    ....Uart....%02x
0BAAB0  00 00 00 00 25 30 34 78 00 00 00 00 52 00 00 00    ....%04x....R...
0BAAC0  25 73 3A 25 30 32 78 5B 25 73 5D 00 7E 41 00 00    %s:%02x[%s].~A..
0BAAD0  57 00 00 00 55 41 52 54 20 44 41 54 41 00 00 00    W...UART DATA...
Address size is 32-bit, so: 000BAAAC
Add the previous 0x10000 offset, and reverse it (Remember, uses little endian), the result is ACAA0C00.
Our string starts at 0x000C33CC, requires the same conversion: 0xCC330D00

Search ACAA0C00 pattern (hex), you'll find plenty of values.
Now it's matter of replacing one at a time with CC330D00, and testing the binary in the scope.
I've found the pattern at: 0x53550, 0x53AA0, 0x54050, 0x54488, 0x553B4, 0x9196C,
so I've made different files called phoenix_53550, phoenix_53AA0...

After testing, the pointer for the UART decoder was the first one, at 0x53550:

Code: [Select]

053550  AC AA 0C 00 10 D0 4D E2 F0 4F 2D E9 41 DF 4D E2    ¬ª...ÐMâðO-éAßMâ


Code: [Select]

053550  CC 33 0D 00 10 D0 4D E2 F0 4F 2D E9 41 DF 4D E2    Ì3...ÐMâðO-éAßMâ

And enjoy a better UART decoder!

[DavidAlfa]

Lastly, I finally made a package for the small english font patch.
Although smaller, it's way better to look at.

[morgan_flint]

Hi, David. I saw your post at eediscuss.com asking Hantek to release the code, and replied supporting your request.

I think it would be good if all people monitoring this thread would do the same, so Hantek could consider doing so if they see there are many people interested. We should expose reasons such as increased sales or product improvement by volunteers, to try to convince them.

I don't have much faith that it will work, but it's worth a try... I'll also post this on the main thread

I had also suggested to them releasing the code in this other thread, but they didn't bother answering...

P.S: If it's possible for you to do so, I'd suggest changing the subject of the thread at eediscuss to include that you are asking for the code for DSO2x1x series, as that forum is general for all Hantek desktop scopes, not just this series

[pupkinv]

I don't have much faith that it will work, but it's worth a try... I'll also post this on the main thread

+1