Author Topic: Hacking the DSO2X1X  (Read 144059 times)

Offline phmarek

  • Contributor
  • Posts: 14
  • Country: at
Re: Hacking the DSO2X1X
« Reply #400 on: May 30, 2022, 07:23:10 am »
Thanks to all the good information here I played around a bit with my DSO2D15.

The one thing that bothers me most is the very slow data transfer (via USB) to the PC, for 2 channels with 4MB each it takes about 5 minutes!! [1]

My plan is now to use a static GDB to set a breakpoint in the phoenix binary, so when I press "save to USB" gdb interrupts the process, fetches all necessary data from memory, and sends it via a quicker link to the PC.

For that it would be awesome if someone has the kernel build configuration available - with the g_android module (already on the scope, but for a different kernel version ;( ) it would be possible to use the same USB cable for a serial console, as network interface (rndis), and perhaps push the acquired data via PTP or similar (or just use socat on the network connection).

So... does anyone have more information about 5.2.0-licheepi-nano, perhaps even a g_android module?

Thanks a lot!


Ad 1: https://github.com/phmarek/hantek-dso2000
 

Offline pcprogrammer

  • Super Contributor
  • ***
  • Posts: 3782
  • Country: nl
Re: Hacking the DSO2X1X
« Reply #401 on: May 30, 2022, 11:32:48 am »
Look at the work this guy did: https://www.thirtythreeforty.net/posts/2019/12/my-business-card-runs-linux/

I have played with a fork of his work on the FNIRSI-1013D which uses the F1C100s, which is the same as the F1C200s apart from the DRAM. 32MB vs 64MB.

No way to tell if it is the same code base. Forum member iscle https://www.eevblog.com/forum/profile/?u=685980 did some work on it and I believe he did it with a later kernel release. Maybe he can help you.

Offline Algoma

  • Frequent Contributor
  • **
  • Posts: 298
  • Country: ca
Re: Hacking the DSO2X1X
« Reply #402 on: May 30, 2022, 02:27:52 pm »
So... does anyone have more information about 5.2.0-licheepi-nano, perhaps even a g_android module?

Sipeed has an Allwinner F1C100s development board with a few links on the page:
https://www.seeedstudio.com/Sipeed-Lichee-Nano-Linux-Development-Board-16M-Flash-WiFi-Version-p-2893.html
GitHub for Lichee Pi; there is also the Wiki link from Seeedstudio:
https://github.com/Lichee-Pi

Digikey sells the dev boards last time I ordered one. (still sitting on my bench collecting dust)
 

Offline pcprogrammer

  • Super Contributor
  • ***
  • Posts: 3782
  • Country: nl
Re: Hacking the DSO2X1X
« Reply #403 on: May 30, 2022, 04:10:48 pm »
Aliexpress still seems to have stock: https://nl.aliexpress.com/item/4001150568609.html

There are also F1C200s boards to match the memory size.  For instance the MangoPi R3 https://nl.aliexpress.com/item/1005002527296059.html
Info on it: https://wiki.dfrobot.com/MangoPi_R3_SKU_DFR0780 shop: https://www.dfrobot.com/product-2274.html

Edit: A bit cheaper variant: https://nl.aliexpress.com/item/1005003625275029.html

Makes tinkering with a linux kernel easier than using your scope.
« Last Edit: May 30, 2022, 04:12:37 pm by pcprogrammer »
 

Online DavidAlfa

  • Super Contributor
  • ***
  • Posts: 5966
  • Country: es
Re: Hacking the DSO2X1X
« Reply #404 on: May 30, 2022, 07:56:30 pm »
Read a few posts back for that kernel.
It's probable Hantek modified the kernel, but they didn't release the sources.

pcprogrammer, 1 year ago there were F1C200s boards for $8. $26 now? What a rip-off!
Cheaper seller: www.aliexpress.com/item/1005003479943027.html
« Last Edit: May 30, 2022, 09:34:47 pm by DavidAlfa »
Hantek DSO2x1x            Drive        FAQ          DON'T BUY HANTEK! (Aka HALF-MADE)
Stm32 Soldering FW      Forum      Github      Donate
 

Offline pcprogrammer

  • Super Contributor
  • ***
  • Posts: 3782
  • Country: nl
Re: Hacking the DSO2X1X
« Reply #405 on: May 31, 2022, 04:30:29 am »
pcprogrammer, 1 year ago there were F1C200s boards for $8. $26 now? What a rip-off!
Cheaper seller: www.aliexpress.com/item/1005003479943027.html

Yes I know. Paid ~7 euro for my lichee nano boards and now ~14 euro. But that is what is happening in the world at the moment. Huge rise of prices. Luckily I live in France now where electricity prices did not go up that much. In the Netherlands they tripled, together with the gas prices |O

Petrol on the other hand is probably becoming expensive everywhere. :palm:

Offline phmarek

  • Contributor
  • Posts: 14
  • Country: at
Re: Hacking the DSO2X1X
« Reply #406 on: June 01, 2022, 05:30:21 am »
Hi David,

if you still have the build environment - would you please make menuconfig for the g_android module and put that in your Google drive?
Would save me quite a few hours trying to get the build env built....

With a bit of luck it's compatible (enough) to "just work".


Thanks!
 

Online DavidAlfa

  • Super Contributor
  • ***
  • Posts: 5966
  • Country: es
Re: Hacking the DSO2X1X
« Reply #407 on: June 01, 2022, 08:46:57 am »
I tried already, but that kernel makes the old libcomposite.ko, insmod fails...
 

Offline phmarek

  • Contributor
  • Posts: 14
  • Country: at
Re: Hacking the DSO2X1X
« Reply #408 on: June 01, 2022, 05:44:33 pm »
Did somebody succeed in booting mtdblock images from the device via qemu, for quicker testing?
 

Online DavidAlfa

  • Super Contributor
  • ***
  • Posts: 5966
  • Country: es
Re: Hacking the DSO2X1X
« Reply #409 on: June 01, 2022, 06:43:55 pm »
AFAIK, nobody did anything.
I've cleaned my VM and uploaded it here.
Dependencies are installed, it's ready for building, only needing git clone-whatever.
There're lots of issues with newer Linux versions and older projects, this one works perfectly.
Of course, it includes the usual nude-stealing virus  :-+.
« Last Edit: June 01, 2022, 06:48:29 pm by DavidAlfa »
 

Offline phmarek

  • Contributor
  • Posts: 14
  • Country: at
Re: Hacking the DSO2X1X
« Reply #410 on: June 04, 2022, 02:24:58 pm »
OK, I got a few kernel modules that load on the scope... g_serial, usb_f_serial, and a few others.

My current plan is still to capture the "Save to USB" button via gdb, then dump the whole (up to 8MB) big data area somewhere, and either make that accessible via USB mass storage support (so just download via accessing the usb disk!) or via xmodem/zmodem/base64 or whatever to another serial USB port.

But trying to get that working via do_update_script, failing, rebooting, ... is awkward.

Would somebody be so kind and allow me (watched! eg. via gnu screen) serial console access to quicken the debugging process?
I'm hoping to get a software-only serial console via the USB port (to avoid soldering and using a 3V3 compatible RS232 converter); as soon as that is working, other niceties (like the GDB trick) should be fairly easy to do...
 

Online DavidAlfa

  • Super Contributor
  • ***
  • Posts: 5966
  • Country: es
Re: Hacking the DSO2X1X
« Reply #411 on: June 05, 2022, 12:46:03 am »
Were you really able to successfully load these modules? I only got errors!

Yep, that must be the most depressing way on earth!

My scope has an ESP-01 with Jeelabs's Esp-link firmware, runs great, it's basically a raw TCP connection.
I have no problem sharing it, the issue is with my ISP using CGNAT (Shares external IP between several customers), so any option requiring some sort of server from my side will not work.
Could get a unique IP by paying a small fee, but I never use that feature anymore!

Perhaps you could run a server where I could connect to? Being the client, it should work.
Don't know, reverse ssh perhaps?
I also have a small linux box, could be used for that.

BTW the system already includes the mass_storage usb widget! But not ACM or any other one.

Edit: Got it doing some reverse netcat. Check your pm.
« Last Edit: June 05, 2022, 02:42:28 am by DavidAlfa »
 

Online DavidAlfa

  • Super Contributor
  • ***
  • Posts: 5966
  • Country: es
Re: Hacking the DSO2X1X
« Reply #412 on: June 05, 2022, 04:30:24 pm »
Finally got it. I'm attaching this as it could be useful for a lot of situations.
Just keep in mind this method won't encrypt the traffic.

I'm behind a NAT, so I can't open ports.
Thus, for it to work, I need to initiate the connection.
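On my side: I will run this script, which starts an nc client to the ESP port (serial->tcp bridge) and another to your server, both bridged:
Code:
# Run on the side that can reach the ESP: bridges the ESP serial->tcp port to the remote server
cd /tmp; rm -f a; mkfifo a
while true; do
  # fifo "a" carries the remote side's data back into the ESP connection; loop reconnects on drop
  cat a | nc ESP_IP ESP_PORT 2>&1 | nc -nv REMOTE_IP REMOTE_PORT -w5 >a
done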

On your side: Linux machine, or Windows with cygwin and nc package installed.
Start a netcat server for my system to connect to, and another to open a local port where Putty can connect to, also bridged.
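Code:
cd /tmp
rm -f a b; mkfifo a b
# Listener the NATed side connects to: reads from fifo b, writes to fifo a
nc -lk REMOTE_PORT < b > a &
# Local listener for Putty: reads from fifo a, writes to fifo b
nc -lk INTERNAL_PORT < a > b &
# Open fifo a for writing once so the blocked fifo opens above can proceed
printf "" > a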
Only REMOTE_PORT needs to be open in the firewall/router.
Then putty connects to localhost and INTERNAL_PORT, which is the local netcat server.
This way, the shell works perfectly.
Took me several hours to find the correct commands!

Sending files: Login first, then exit the terminal (you can't have two concurrent connections) and run:
Code:
sz --tcp-client 127.0.0.1:9922 FILE
Also SecureCRT (paid) works well for this, you can download it on internet.
« Last Edit: June 05, 2022, 05:43:19 pm by DavidAlfa »
 

Online DavidAlfa

  • Super Contributor
  • ***
  • Posts: 5966
  • Country: es
Re: Hacking the DSO2X1X
« Reply #413 on: June 06, 2022, 11:46:18 am »
Good news!
Thanks to @phmarek, we finally got the usb console working! :-+
(All this time I was missing a dependency!... omg)

New package available: USB Console.

Enjoy!
« Last Edit: June 06, 2022, 11:55:21 am by DavidAlfa »
 
The following users thanked this post: eevbstedt, morgan_flint, .rpv, Algoma, daf0x

Offline rtek1000

  • Contributor
  • Posts: 24
  • Country: br
Re: Hacking the DSO2X1X
« Reply #414 on: June 14, 2022, 12:31:07 am »
Hello,

I believe I have found the masters of the F1C100s.  :box:

I have a DSO1511E+ (this model has the F1C100s) and unfortunately I bricked it due to an update, I forgot to unzip the file.  :palm:

I would like to know if it would be possible to recover its functioning by copying the contents of the SPI memory of an oscilloscope that has its firmware intact.

Or if it would be possible to write the update file directly to SPI memory using a CH341 programmer.

This is the video about the update I should have been able to do:


Thank you.

 

Offline pcprogrammer

  • Super Contributor
  • ***
  • Posts: 3782
  • Country: nl
Re: Hacking the DSO2X1X
« Reply #415 on: June 14, 2022, 05:09:04 am »
I believe I have found the masters of the F1C100s.  :box:

I have a DSO1511E+ (this model has the F1C100s) and unfortunately I bricked it due to an update, I forgot to unzip the file.  :palm:

I would like to know if it would be possible to recover its functioning by copying the contents of the SPI memory of an oscilloscope that has its firmware intact.

Or if it would be possible to write the update file directly to SPI memory using a CH341 programmer.

Yes if it is just the firmware that is corrupted, you should be able to restore it with a copy of firmware from a working scope.

Is that an SD card slot on the board next to the FLASH chip? If so you can make an SD card that boots the F1C100s into FEL mode. With the sunxi-fel utility you can then, via USB, check the system and read and write the FLASH. Way easier than trying to hook up a CH341 programmer.

Search the FNIRSI-1013D thread on how to do this. Lots of information about the F1C100s there.

Offline rtek1000

  • Contributor
  • Posts: 24
  • Country: br
Re: Hacking the DSO2X1X
« Reply #416 on: June 14, 2022, 08:29:44 am »
I believe I have found the masters of the F1C100s.  :box:

I have a DSO1511E+ (this model has the F1C100s) and unfortunately I bricked it due to an update, I forgot to unzip the file.  :palm:

I would like to know if it would be possible to recover its functioning by copying the contents of the SPI memory of an oscilloscope that has its firmware intact.

Or if it would be possible to write the update file directly to SPI memory using a CH341 programmer.

Yes if it is just the firmware that is corrupted, you should be able to restore it with a copy of firmware from a working scope.

Is that an SD card slot on the board next to the FLASH chip? If so you can make an SD card that boots the F1C100s into FEL mode. With the sunxi-fel utility you can then, via USB, check the system and read and write the FLASH. Way easier than trying to hook up a CH341 programmer.

Search the FNIRSI-1013D thread on how to do this. Lots of information about the F1C100s there.

Really thank you for your answer, that's what I needed to conclude.  :-DMM

Yes, it's an SD card slot, I just don't know if it's plugged into the correct port for boot to occur.

I could also conclude that it would be possible to use an sd card to boot, I read many posts about this F1C100s.

All the posts I read were of conversations between advanced people in the programming of this F1C100s, so I was not able to know how to start, I had seen about a tool to interact via USB port.

I just find it weird that the update vendor hasn't confirmed this to me. He said he would help me but after a few weeks of waiting he never came back. I hope he didn't die because of Covid there in China.

I'll look for the reference you gave me.

Thank you very much!  :clap:
« Last Edit: June 14, 2022, 08:32:40 am by rtek1000 »
 

Offline pcprogrammer

  • Super Contributor
  • ***
  • Posts: 3782
  • Country: nl
Re: Hacking the DSO2X1X
« Reply #417 on: June 14, 2022, 09:11:12 am »
You are welcome. :)

The documentation and the internet are not conclusive about which devices it can boot from. The first SD/MMC and SPI port do work for sure.

Take a look here for more info about FEL boot from the SD card: https://github.com/pecostm32/FNIRSI-1013D-1014D-Hack/tree/main/Linux/images/fel_boot The readme file shows the command on how to put the image on the SD card. It also gives info about where to get the sunxi-fel source code and how to build it.

It is targeted to Linux not Windows, which I don't do anymore, apart from occasional gaming. :D

A pre-built version of sunxi-fel is also there: https://github.com/pecostm32/FNIRSI-1013D-1014D-Hack/tree/main/sunxi_stuff

Attach the device to the PC via USB, stick in the SD card, turn it on and see if the "Onda" device shows up in the USB device list ("lsusb" from Linux command line)


Offline rtek1000

  • Contributor
  • Posts: 24
  • Country: br
Re: Hacking the DSO2X1X
« Reply #418 on: June 14, 2022, 09:30:54 am »
I thank you for your attention,

I was already viewing this same repository, I found it in this other post:

https://www.eevblog.com/forum/testgear/fnirsi-1013d-100mhz-tablet-oscilloscope/msg4195390/#msg4195390

I still think it might be easier for me to remove the SPI memory from the board. I have worked with hardware for a long time; it is just the ARM programming part that I'm learning. I've already written programs for the STM32F4, so I'm venturing into this F1C100s.

But I thought about the following: If I used the compressed file, could I read the contents of the SPI memory, find where this file started to be written, then write the correct content from this address?

I still don't know if there is a specific address for the F1C100s to start running the firmware, but I'll look for it.

Thanks again!
 

Offline pcprogrammer

  • Super Contributor
  • ***
  • Posts: 3782
  • Country: nl
Re: Hacking the DSO2X1X
« Reply #419 on: June 14, 2022, 09:57:56 am »
It starts on address 0 in the FLASH. There should be a boot header (BROM) there.

The first four bytes are a branch instruction, followed by 28 bytes of information about the code. The boot loader starts with eGON.BT0. The actual firmware has eGON.EXE

And glad to see you did your homework :)

Whatever works best for you. For me the FEL mode made life much simpler while working on the FNIRSI-1013D. 8)

Offline rtek1000

  • Contributor
  • Posts: 24
  • Country: br
Re: Hacking the DSO2X1X
« Reply #420 on: June 14, 2022, 12:02:00 pm »
It starts on address 0 in the FLASH. There should be a boot header (BROM) there.

The first four bytes are a branch instruction, followed by 28 bytes of information about the code. The boot loader starts with eGON.BT0. The actual firmware has eGON.EXE

And glad to see you did your homework :)

Whatever works best for you. For me the FEL mode made life much simpler while working on the FNIRSI-1013D. 8)

Thanks for these clarifications!

In fact the update file (unzipped) has these instructions at the addresses mentioned by you.

I did the SPI memory dump (W25Q32FVSIG) and in fact the contents of the RAR file are present in memory, as can be seen in the image.

I was surprised that all Flash content is written. I didn't find any unused parts, I think maybe the update has looped and overwritten all of Flash.

I hope there isn't some address with calibration data in this Flash that has been overwritten.

Thanks for the help you gave me, I wish you the best!


 

Offline pcprogrammer

  • Super Contributor
  • ***
  • Posts: 3782
  • Country: nl
Re: Hacking the DSO2X1X
« Reply #421 on: June 14, 2022, 01:46:23 pm »
I'm not sure what you were looking at with the hex editor, but the data you marked (37 63 C7 73 CE) is not proper data to be found at location 0x00000000 in the FLASH. This is simply why your system does not boot.

The file that needs to be loaded to the FLASH might be the one inside the .rar file (dso1511e_v1.2.2.bin) but it may well be that this is just the firmware and not the whole FLASH content. Start a new post either in the repair section or the test equipment section and ask if someone is willing to extract the FLASH from its device.

The reason I say this is to no longer be off topic in this thread and that the .bin file starts with
Code:
06 00 00 EA 00 00 00 00 00 00 00 00 00 00 00 00 00 FE 06 00 52 F0 01 00 00 00 00 00 00 00 00 00

which is a BROM header but not for a boot loader since there is no eGON marker. As far as I know the BROM checks on this marker and the length and CRC fields.

So you need a new copy of the proper boot loader.

Edit: see here for more info: https://linux-sunxi.org/EGON

And I think this scope is just as big a lie as the FNIRSI-1013D. 120MHz BW and 500MSa/s. Looks like the ADC is the same 2 x 100MSa/s chip used in the FNIRSI. Even if they push it to 125MHz per ADC it is still half what they advertise.
« Last Edit: June 14, 2022, 02:10:56 pm by pcprogrammer »
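
The header check discussed in the posts above, as an added example that is not part of the original posts or any forum member's code: it classifies what sits at flash offset 0 by branch word, eGON.BT0 marker, length and checksum. The field offsets and the 0x5F0A6C39 checksum seed follow the layout documented on the linux-sunxi EGON page linked above; the function names, the branch sanity check and the padded sample buffers are assumptions constructed here.

```python
import struct

EGON_MAGIC = b"eGON.BT0"
STAMP = 0x5F0A6C39                      # seed held in the checksum field while summing
HEAD_FMT = "<I8sII"                     # branch word, magic, checksum, length
HEAD_LEN = struct.calcsize(HEAD_FMT)    # first 20 bytes of the 32-byte header


def egon_checksum(image: bytes) -> int:
    """Sum of all little-endian 32-bit words, checksum field replaced by STAMP."""
    patched = image[:12] + struct.pack("<I", STAMP) + image[16:]
    words = struct.unpack("<%dI" % (len(patched) // 4), patched)
    return sum(words) & 0xFFFFFFFF


def check_boot_header(flash: bytes) -> str:
    """Classify the data found at offset 0 of a flash dump or update file."""
    if len(flash) < HEAD_LEN:
        return "too short"
    branch, magic, stored, length = struct.unpack_from(HEAD_FMT, flash, 0)
    if branch >> 24 != 0xEA:            # sanity check added here: ARM unconditional B
        return "no branch instruction"
    if magic != EGON_MAGIC:
        return "no eGON.BT0 marker"
    # This sketch only requires word alignment and that the image fits the dump.
    if length < HEAD_LEN or length % 4 or length > len(flash):
        return "bad length"
    if egon_checksum(flash[:length]) != stored:
        return "checksum mismatch"
    return "ok"


def build_sample(payload: bytes) -> bytes:
    """Constructed test image: 32-byte header followed by a word-padded payload."""
    body = payload + b"\0" * (-len(payload) % 4)
    total = 32 + len(body)
    head = struct.pack(HEAD_FMT, 0xEA000006, EGON_MAGIC, 0, total).ljust(32, b"\0")
    image = head + body
    return image[:12] + struct.pack("<I", egon_checksum(image)) + image[16:]


# Start of dso1511e_v1.2.2.bin exactly as quoted in the post above.
PAGE_BIN_HEADER = bytes.fromhex(
    "06 00 00 EA 00 00 00 00 00 00 00 00 00 00 00 00 00 FE 06 00 52 F0 01 00 00 00 00 00 00 00 00 00")
# Bytes the post reports at flash offset 0 of the bricked unit; zero padding is constructed.
PAGE_DUMP_START = bytes.fromhex("37 63 C7 73 CE") + bytes(27)

if __name__ == "__main__":
    print("update file :", check_boot_header(PAGE_BIN_HEADER))
    print("bricked dump:", check_boot_header(PAGE_DUMP_START))
    print("sample image:", check_boot_header(build_sample(b"constructed payload")))
```

The checksum is a plain additive sum, so it catches accidental corruption such as the overwritten flash described here, not deliberate modification of an image.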
 

Offline rtek1000

  • Contributor
  • Posts: 24
  • Country: br
Re: Hacking the DSO2X1X
« Reply #422 on: June 14, 2022, 02:06:10 pm »
Yes, I merged the contents of the update file at the start of flash, but it didn't work.

Only Flash power is performed when the power button is pressed, but nothing else happens.

The Flash content was overwritten every 0x1000 block, with the same incorrect content.

I did some tests with the bootloader of STM32F4 and at the time I only loaded files with a bin extension, it's a pity that this was not the case with this F1C100s, which accepted any file without any filter.

I'm going to program myself to buy another one of this oscilloscope, I already tried to ask someone to make a copy of the firmware but I didn't have any answers, maybe people who are buying these handheld models don't have enough knowledge to perform the flash dump.

I thank you for providing me with some knowledge about this F1C100s!
 

Online DavidAlfa

  • Super Contributor
  • ***
  • Posts: 5966
  • Country: es
Re: Hacking the DSO2X1X
« Reply #423 on: June 14, 2022, 04:23:54 pm »
Is it a spi nand flash? Then DsoFlash should work.
 

Offline pcprogrammer

  • Super Contributor
  • ***
  • Posts: 3782
  • Country: nl
Re: Hacking the DSO2X1X
« Reply #424 on: June 14, 2022, 04:37:00 pm »
The picture of the PCB shows it is a Winbond 25Q32, so NOR type.

