Placeholder thread for hacking the Rigol DHO800/900 scope.
The general discussion thread can be found here.
https://www.eevblog.com/forum/testgear/rigols-new-dho800-oscilloscope-unbox-teardown/
@hubertyoung has provided a DHO804 FW1.14 image with the DHO924 vendor file preloaded. It can be extracted using 7zip and then flashed using HDD Raw Copy Tool (compressed image).
https://mega.nz/file/UjBC3KRY#Kqv1BCHNQdPcUGMfR8IqbuUwHUsUhU4GpO1keTAXqf8
@Luc7777 provided some guidelines on how he has achieved this.
Hi,
- This is what I've done:
1. Run the Win32 Disk Imager
2. Backup the SD
3. Flash the SD with the image from the link
4. Run the calibration (offset gone) - device identifies as DHO804
5. Connect the scope to ethernet
6. Run adb:
6.1 adb devices
6.2 adb connect 192.xxx.x.xxx:55555
6.3 "adb pull /rigol/data/vendor.bin"
6.4 backup the generated vendor bin file from the adb folder to a new location
6.5 copy in the adb folder the DHO924 image
6.6 "adb push vendor.bin /rigol/data"
MOD EDIT:
Here are the latest instructions:
DHO800/DHO900 UNLOCK TOOLS
1) Install GOLang distribution
2) In the "run_DHO_Tools.bat":
- set the GO installation directory path
- set the IpAddress variable (your scope's address is on the IO tab of the "Utility" window)
- change options list, if DHO900
- change scopeID, if DHO900
- if you don't want to create a backup file and pull it to the computer, delete line 35, or make it comment like this:
rem call "adb\05 make Backup And pull it - adb rm updateGEL, sh buildGEL, pull.bat"
3) Run the "run_DHO_Tools.bat"
4) Send the generated SCPI commands to the scope via the SCPI browser tab, opened by the script. Common command view:
:SYSTem:OPTion:INSTall DHOX00-<option>@XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Scope reboot is not needed.
5) Check BW limit on the "About" tab and the memory depth (for the DHO804) on the "Options" tab of the "Utility" window.
PS: To remove installed options use the "adb\03 adb remove ALL options.bat" file or the ":SYSTem:OPTion:UNINstall" command from p268 of the DHO800/DHO900 Programming Guide.
UPDATE REASON: extending the description text.
initial thoughts for hacking external awg support, link to a prior discussion. just to layout the main options:
well yes, there is the choice of hacking the firmware alone, to trigger some actions that then communicates over one of the general purpose digital interfaces on the scope (whether that is via the ethernet, or usb, or something else). the advantage of that is then should not require any hardware mods / hacking whatsoever. which gives itself a potential to keep a viable product warranty...
then there's the idea of minimally hacking the pcb awg section there, to install some low level mcu digital interface within the scope....
[more]...
this was after some people had been asking about the real internal awg module
https://www.eevblog.com/forum/testgear/rigols-new-dho800-oscilloscope-unbox-teardown/msg5045164/?topicseen#msg5045164
For use with the DHO900 (and hopefully the DHO800 after a few mods?) I've created a new v3.1 of the 16-channel LA clone board that is cheaper to make and easier to hand-solder:
https://climbers.net/sbc/clone-pla2216-logic-probe-analyzer/
The PCB has dual footprints for the quad-channel SN65LVDS391, so you can use SOIC or TSSOP packages depending on which is cheaper (or available in stock).
KiCad source files included, as are GERBERs and BOMs for LCSC & Mouser. Should be around US$15 incl components and PCB.
!! I haven't tested it !! Just waiting for the components to arrive...
The DHO800 at a minimum will need a hole cut into the front panel for the 50-way IDC connector, and a socket soldered onto the motherboard. Some people have said the 2 missing memory chips are required to use the logic analyser functionality, but I don't think that has been confirmed yet? The missing chips are GigaDevice GDP2BFLM-CA, 96-ball FBGA:
https://www.gigadevice.com.cn/Public/Uploads/uploadfile/files/20230704/DS-00823-GDP2BFLM-Rev1.1.pdf
I've started an attempt to clone the plugin AFG module from a DHO900.
In theory this could be used to add the same AFG functionality to a hacked DHO800. At a minimum 2x5-pin and 2x20-pin 1.27mm SMD headers would need to be soldered to the motherboard, and possibly other missing components.
I've gone as far as I can just working from photos: the attached DHO900 AFG.zip contains KiCad schematic & PCB layout, hi-res photos and spreadsheet of the major components. Hopefully other people with the actual AFG hardware will be mad enough to continue the effort, tracing the tracks and measuring the capacitors & inductors.
It is a busy board with a lot of passives, but I haven't seen any expensive/custom components yet.
This vendor.bin thing was shown a year ago in the DHO1000 thread (HDO1000 at the time).
The vendor_dho924.zip that is being shared contains the following info:
00000000 File CRC32: A2A69654 [00000008-000000D3] CRC OK
00000004 File Length: 204 Size OK
-----------------------------------------------------------
00000008 NameSize: 4
0000000C Name: E_CFG_MODEL_RAW
00000010 FieldSize: 56
00000014 CRC32: 0ADE0274 [0000001C-0000004B] CRC OK
00000018 DataSize: 44 Size OK
0000001C Data: DHO924
-----------------------------------------------------------
0000004C NameSize: 4
00000050 Name: E_CFG_SN_RAW
00000054 FieldSize: 56
00000058 CRC32: 6184E52C [00000060-0000008F] CRC OK
0000005C DataSize: 44 Size OK
00000060 Data: DHO9A252500008
-----------------------------------------------------------
00000090 NameSize: 4
00000094 Name: E_CFG_MAC
00000098 FieldSize: 56
0000009C CRC32: 8292C492 [000000A4-000000D3] CRC OK
000000A0 DataSize: 44 Size OK
000000A4 Data: 0019AFA00004
File processed OK
I've been away from DHO investigations as, I think, all is done since DHO1000 came out.
With that in mind, I ask if people have tried to just change the model in their vendor.bin to DHO924 and see if that is enough for a model conversion? Given previous Rigol cases I think it should not be necessary to flash whole new CF 924 images.
But I might be wrong...
As in the past, there should be a SCPI command to change params in vendor.bin:
:VENDor:CONFigure
If anyone with a DHO8xx wants to try this SCPI method, I can try to revive my dusty tool and create the command file.
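Added example, not part of the original post and not the poster's tool: a read-only integrity check for the container layout shown in the listing above (8-byte header, then 68-byte records with a per-field CRC32), useful for confirming a pulled backup is intact before anything is written back. Little-endian fields, the standard zlib CRC-32 and the sample record ids and values are assumptions; the page does not state them, nor whether the on-disk file carries further encryption.

```python
import struct
import zlib

HEADER = struct.Struct("<II")       # file CRC32, payload length (endianness assumed)
REC_HEAD = struct.Struct("<I4sI")   # NameSize, Name (4-byte id), FieldSize
FIELD_HEAD = struct.Struct("<II")   # field CRC32, DataSize


def crc32(buf):
    return zlib.crc32(buf) & 0xFFFFFFFF  # assumed CRC variant


def check_container(blob):
    """Walk the container; return a list of (offset, problem) findings."""
    if len(blob) < HEADER.size:
        return [(0, "truncated header")]
    problems = []
    file_crc, length = HEADER.unpack_from(blob, 0)
    payload = blob[HEADER.size:]
    if length != len(payload):
        problems.append((4, f"length field {length} != payload {len(payload)}"))
    if file_crc != crc32(payload):
        problems.append((0, "file CRC mismatch"))
    off = HEADER.size
    while off < len(blob):
        if off + REC_HEAD.size > len(blob):
            problems.append((off, "truncated record header"))
            break
        name_size, _name, field_size = REC_HEAD.unpack_from(blob, off)
        field_off = off + REC_HEAD.size
        sizes_ok = (name_size == 4 and field_size >= FIELD_HEAD.size
                    and field_off + field_size <= len(blob))
        if not sizes_ok:
            problems.append((off, "bad record sizes"))
            break  # the next record cannot be located reliably
        rec_crc, data_size = FIELD_HEAD.unpack_from(blob, field_off)
        stored = blob[field_off + FIELD_HEAD.size:field_off + field_size]
        if data_size > len(stored):
            problems.append((field_off + 4, "DataSize exceeds stored bytes"))
        if rec_crc != crc32(stored):
            problems.append((field_off, "field CRC mismatch"))
        off = field_off + field_size
    return problems


def build_sample(fields):
    """Constructed test input: 48 stored bytes per field, DataSize 44, as in the listing."""
    body = b""
    for ident, value in fields:
        stored = value.ljust(48, b"\x00")
        body += REC_HEAD.pack(4, ident, 56) + FIELD_HEAD.pack(crc32(stored), 44) + stored
    return HEADER.pack(crc32(body), len(body)) + body


# Constructed sample with placeholder ids and values (not taken from a real scope).
SAMPLE = build_sample([(b"\x01\x00\x00\x00", b"MODEL-PLACEHOLDER"),
                       (b"\x02\x00\x00\x00", b"SERIAL-PLACEHOLDER"),
                       (b"\x03\x00\x00\x00", b"000000000000")])
```

The constructed sample is 212 bytes, so its offsets line up with the listing: a flipped byte at 0x60 is reported against the field CRC at 0x58 and the file CRC at 0x00.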
With that in mind, I ask if people have tried to just change the model in their vendor.bin to DHO924 and see if that is enough for a model conversion? Given previous Rigol cases I think it should not be necessary to flash whole new CF 924 images.
For the first batch of DHO804/814s with firmware version 01.14: yes, replacing only the vendor.bin will be enough.
The issue here is that newer DHO804/814s ship with firmware version 01.00, simply replacing the vendor.bin will cause a 5mV-10mV offset to appear, and it can't be eliminated by self-cal.
Thanks to @hubertyoung, we now have access to SD card images with firmware version 01.14, we can basically "downgrade" the newer scopes back to the state it was in during the first batch, which is easily hackable.
Sidenote: Someone has claimed that he managed to perform the hack on firmware version 01.00, but he refuses to provide the method, so I don't know if there's any credibility to his claims.
I am curious about how the vendor.bin is decrypted, and it seems that you mentioned a method for changing the content of it with the SCPI command? It is certainly interesting.
But isn't v01.14 a newer version than v01.00?
What about just replacing the cal files and let the FW do the self cal? Maybe the "newer" cal files are so off that the self cal can't correct them...
I just think that it has to be an easier way.
Some people have said the 2 missing memory chips are required to use the logic analyser functionality, but I don't think that has been confirmed yet?
I think what has been confirmed is that (a) the DHO900 models have these chips populated, and (b) the DHO800 models can be upgraded to 50 Mpts memory via just a software hack, i.e. the extra memory chips are not required for sample storage. That's what led to the assumption that the extra memory supports the logic analyser functionality.
I think what has been confirmed is that (a) the DHO900 models have these chips populated, and (b) the DHO800 models can be upgraded to 50 Mpts memory via just a software hack, i.e. the extra memory chips are not required for sample storage. That's what led to the assumption that the extra memory supports the logic analyser functionality.
True, but there's something that doesn't make much sense: Why does Rigol add two 256MBits * 16 RAM chips to sample 16 digital channels while one of these chips would have been more than sufficient for this job. Considering the ADC delivers a 12bit datastream at 1.25GSa/s and a single such RAM chip, interfaced via the Zync FPGA/SoC is well fast enough to cope with this data rate, we may in future DHO900 units only see one of the additional footprints populated with a RAM or .... there may be hacking possibilities that as yet nobody has on their list. At least, all the front end hardware including ADC and ADC sampling clock PLL are capable of 2GSa/s. And two such RAM chips, if you swap the ADC / MSO data streams, and the FPGA section of the Zync has enough I/O connectivity ... well I guess you know what I mean
Of course that's something that isn't done at home easily, but maybe even Rigol has plans for a further uprated model based on this hardware. Pure speculation...
Considering the ADC delivers a 12bit datastream at 1.25GSa/s and a single such RAM chip, interfaced via the Zync FPGA/SoC is well fast enough to cope with this data rate, we may in future DHO900 units only see one of the additional footprints populated with a RAM or .... there may be hacking possibilities that as yet nobody has on their list. At least, all the front end hardware including ADC and ADC sampling clock PLL are capable of 2GSa/s. And two such RAM chips, if you swap the ADC / MSO data streams, and the FPGA section of the Zync has enough I/O connectivity ... well I guess you know what I mean
Well, there is that strange mismatch in the DHO924 specs, with four channels at 250 MHz bandwidth and still only 1.25 GSamples/s. They even ship four fast probes with it, which one can't fully use.
Maybe the DHO800/900 was indeed designed with a higher sample rate in mind. Then either some technical challenge got in the way late during development, or product management intervened and wanted to protect the more expensive product lines for the time being. The latter is a more likely explanation in my opinion, and might mean that we will see faster sampling a year from now, maybe even software-upgradable in the current scopes...
The maximum you can get out of one ADC for all channels can be seen with the DHO1000.
This model is really "reduced by half" compared to the DHO4000 with its 2 ADCs.
It is interesting to see why the bandwidth of the DHO900 is 250Mhz and not 200Mhz like the DHO1000, which seems more "natural".
Maybe the DHO800/900 was indeed designed with a higher sample rate in mind. Then either some technical challenge got in the way late during development, or product management intervened and wanted to protect the more expensive product lines for the time being. The latter is a more likely explanation in my opinion, and might mean that we will see faster sampling a year from now, maybe even software-upgradable in the current scopes...
The latter is indeed the most likely explanation. But it does also have a different FPGA which could potentially impact that.
But isn't v01.14 a newer version than v01.00?
I don't get that either. Mine is 1.00
For use with the DHO900 (and hopefully the DHO800 after a few mods?) I've created a new v3.1 of the 16-channel LA clone board that is cheaper to make and easier to hand-solder:
https://climbers.net/sbc/clone-pla2216-logic-probe-analyzer/
The PCB has dual footprints for the quad-channel SN65LVDS391, so you can use SOIC or TSSOP packages depending on which is cheaper (or available in stock).
KiCad source files included, as are GERBERs and BOMs for LCSC & Mouser. Should be around US$15 incl components and PCB.
!! I haven't tested it !! Just waiting for the components to arrive...
The DHO800 at a minimum will need a hole cut into the front panel for the 50-way IDC connector, and a socket soldered onto the motherboard. Some people have said the 2 missing memory chips are required to use the logic analyser functionality, but I don't think that has been confirmed yet? The missing chips are GigaDevice GDP2BFLM-CA, 96-ball FBGA:
https://www.gigadevice.com.cn/Public/Uploads/uploadfile/files/20230704/DS-00823-GDP2BFLM-Rev1.1.pdf
I suspect that few will go to the effort to hack their DHO800 to this extent, but the probe should be popular with DHO900 owners given the Rigol probe costs a crazy $400.
Maybe the DHO800/900 was indeed designed with a higher sample rate in mind. Then either some technical challenge got in the way late during development, or product management intervened and wanted to protect the more expensive product lines for the time being. The latter is a more likely explanation in my opinion
I think it's more likely it was the FPGA that decided it.
The cheaper FPGA in these probably can't keep up with the 2GHz sample rate.
It is interesting to see why the bandwidth of the DHO900 is 250Mhz and not 200Mhz like the DHO1000, which seems more "natural".
This is definitely strange. I'm hoping my DHO800 can be set to 125Mhz, it seems like the sweet spot for this ADC on a 4-channel 'scope.
Considering the ADC delivers a 12bit datastream at 1.25GSa/s and a single such RAM chip, interfaced via the Zync FPGA/SoC is well fast enough to cope with this data rate, we may in future DHO900 units only see one of the additional footprints populated with a RAM or .... there may be hacking possibilities that as yet nobody has on their list. At least, all the front end hardware including ADC and ADC sampling clock PLL are capable of 2GSa/s. And two such RAM chips, if you swap the ADC / MSO data streams, and the FPGA section of the Zync has enough I/O connectivity ... well I guess you know what I mean
Well, there is that strange mismatch in the DHO924 specs, with four channels at 250 MHz bandwidth and still only 1.25 GSamples/s. They even ship four fast probes with it, which one can't fully use.
Maybe the DHO800/900 was indeed designed with a higher sample rate in mind. Then either some technical challenge got in the way late during development, or product management intervened and wanted to protect the more expensive product lines for the time being. The latter is a more likely explanation in my opinion, and might mean that we will see faster sampling a year from now, maybe even software-upgradable in the current scopes...
Honestly probably more of a development / cost thing. Probably cheaper to throw in a slightly overkill probe on the top DHO900 scope if someone is willing to pay for all the features than commission a probe new to spec for only one line. The PVP2350 (the 350MHz probes included with the DHO924) is the standard probe for the MSO5000.
Well, there is that strange mismatch in the DHO924 specs, with four channels at 250 MHz bandwidth and still only 1.25 GSamples/s. They even ship four fast probes with it, which one can't fully use. [...]
Honestly probably more of a development / cost thing. Probably cheaper to throw in a slightly overkill probe on the top DHO900 scope if someone is willing to pay for all the features than commission a probe new to spec for only one line. The PVP2350 (the 350MHz probes included with the DHO924) is the standard probe for the MSO5000.
Oh, I was not referring to the 350 MHz spec on the probes, but to the fact that Rigol gives you four of them. The sampling rate drops to ~300 MHz when using more than two channels, so two fast probes and two of the cheaper 150 MHz type would have been enough.
Yes, I realize that having two different pairs of probes would be a hassle, so I appreciate that Rigol provides four PVP2350s. Decent value for money for the $100 surcharge they ask for the 924 model -- if only the scope could fully use the probes...
I was sniffing Dave's DHO800 dump file and found references to 2 other models whose initial letters were swapped. Should they be the same models but launched in another country? maybe yes maybe no.
They are HDO800 and HDO900, included are also DHO800 and DHO900
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
01D6DB8D0 48 44 4F 38 30 30 00 48 44 HDO800 HD
01D6DB8E0 4F 39 30 30 00 44 48 4F 38 30 30 00 44 48 4F 39 O900 DHO800 DHO9
01D6DB8F0 30 30 00
I also found references to codes assigned to options available or not on the oscilloscope and a type of .lic file
Maybe it will be possible to activate the options through these codes and generate such licenses the same way we did on the DS1054Z model
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
01D6DB7F0 42 4E 44 00 42 57 37 54 BND BW7T
01D6DB800 31 30 00 45 4D 42 44 00 43 4F 4D 50 00 42 57 31 10 EMBD COMP BW1
01D6DB810 35 54 32 35 00 41 55 54 4F 00 42 4F 44 45 00 42 5T25 AUTO BODE B
01D6DB820 57 37 54 32 30 00 42 57 31 30 54 32 30 00 52 4C W7T20 BW10T20 RL
01D6DB830 55 00 42 57 32 54 34 00 42 57 32 54 38 00 42 57 U BW2T4 BW2T8 BW
01D6DB840 34 54 38 00 41 45 52 4F 00 46 4C 45 58 00 41 55 4T8 AERO FLEX AU
01D6DB850 44 49 4F 00 2E 6C 69 63 00 40 00 55 6E 6B 6E 6F DIO .lic @ Unkno
01D6DB860 77 6E 00 46 6F 72 65 76 65 72 00 64 61 79 73 00 wn Forever days
The HDO was Rigol's initial designation before having to change to DHO.
Regarding the lics generation, look into the HDO/DHO1000/4000 thread. It's all there so there is no need to reinvent the wheel.
I was sniffing Dave's DHO800 dump file and found references to 2 other models whose initial letters were swapped. Should they be the same models but launched in another country? maybe yes maybe no.
They were called "HDO" when they were announced but that turned out to be a trademark (of Lecroy?) or something so they changed it to "DHO".
The firmware probably works both ways.
I also found references to codes assigned to options available or not on the oscilloscope and a type of .lic file
Does it have power analysis?
Maybe it will be possible to activate the options through these codes and generate such licenses the same way we did on the DS1054Z model
Let's hope so. Ideally I want my DHO800 to be 125Mhz bandwidth and 50Mpts of memory but without the extra AWG/LA menus of the DHO900.
I was sniffing Dave's DHO800 dump file and found references to 2 other models whose initial letters were swapped. Should they be the same models but launched in another country? maybe yes maybe no.
They were called "HDO" when they were announced but that turned out to be a trademark (of Lecroy?) or something so they changed it to "DHO".
The firmware probably works both ways.
So, probably some code leftovers.
I also found references to codes assigned to options available or not on the oscilloscope and a type of .lic file
Does it have power analysis?
Maybe it will be possible to activate the options through these codes and generate such licenses the same way we did on the DS1054Z model
Let's hope so. Ideally I want my DHO800 to be 125Mhz bandwidth and 50Mpts of memory but without the extra AWG/LA menus of the DHO900.
I don't have the scope (yet) so I can't tell you what each code means. Sorry