Author Topic: Hacking the DSO2X1X  (Read 25018 times)

Offline Mark5

  • Contributor
  • Posts: 29
  • Country: fr
Hacking the DSO2X1X
« on: March 18, 2021, 08:42:55 am »
Here's how you can "hack" your DSO2X1X and turn it into a DSO2D15 :

All you need is :

1) A FAT32 formatted USB stick
2) The latest firmware update (http://www.hantek.com/download?word=dso2C10&sid=0&pid=0&key=fjzl)
3) A text editor.

Copy the firmware update to the root of the USB stick (after "unraring" it, of course)
Create a file named do_other_update in the root of the USB stick (no extension, no .txt just do_other_update)

Add the following two lines in the do_other_update file :

sed -i 's/DSO2.1./DSO2D15/g' /cache/system.inf >/mnt/udisk/sed.log
sed -i 's/DSO2.1./DSO2D15/g' /dso/app/sys_inf.new >>/mnt/udisk/sed.log

/!\ Make sure that the file is UNIX formatted (i.e. line breaks should be Unix style; you can check that with Notepad++)

Then all you have to do is launch the firmware update from the oscilloscope.

Please note that the AWG will only work if the PCB is fully populated (it doesn’t work on my 2C10 because the DAC, a relay and some other stuff are missing).
I know for sure that SOME 2C10 (early version as far as I understand) are fully populated but not all.

I take no responsibility if anything goes wrong. All you do is at your own risk.

Technical stuff :

All this wouldn't have been possible without the help of @tinhead who provided the updater decryption key to the community. Kudos to him.

Now let me explain how I found how to hack the 2X1X :
Once the firmware update was decrypted and extracted, I looked into it and found the shell script that the scope launches in order to do the update.
This script name is do_update.sh
Here's its content (I removed all commented stuff for the sake of readability)
Code: [Select]
#!/bin/sh
WORKPATH=/dso/var/run
echo "-------------------update start------------------"
cp $WORKPATH/package/root/* -rf /
cp $WORKPATH/package/fpga_i2c_kb.ko /dso/etc
cp $WORKPATH/package/spi-fpga-tn652.ko /dso/etc
cp $WORKPATH/package/load_fpga_kb.sh /dso/etc
if [ ! -d /dso/app/home/ref ]
then
mkdir /dso/app/home/ref
fi

if [ -f /mnt/udisk/do_other_update ];then
chmod +x /mnt/udisk/do_other_update
/mnt/udisk/do_other_update
fi
echo "-------------------update end------------------"
sync
sync
sync

Notice the last if statement.
This is meant to execute arbitrary code from the file do_other_update if this file is present in the root directory of your USB stick.
I then checked the updater privilege level by creating a do_other_update file containing the following code :
Code: [Select]
whoami >/mnt/udisk/whoami.txt

The content of whoami.txt was root. Which is good. Very good indeed.
Now that I knew that the update was being executed as root, I was able to check various important stuff, like the mtd mapping and content of the mount table.
And I was also able to dump the whole firmware using dd (I know that dumping a live system with dd is not the best idea but it can still be quite useful).
So I added this in my do_other_update script :
Code: [Select]
ls / -R >/mnt/udisk/ls.txt
dd if=/dev/mtdblock0 of=/mnt/udisk/mtd0_boot.bin >/mnt/udisk/dd.log
dd if=/dev/mtdblock1 of=/mnt/udisk/mtd1_cache.bin >>/mnt/udisk/dd.log
dd if=/dev/mtdblock2 of=/mnt/udisk/mtd2_dtb.bin >>/mnt/udisk/dd.log
dd if=/dev/mtdblock3 of=/mnt/udisk/mtd3_kernel.bin >>/mnt/udisk/dd.log
dd if=/dev/mtdblock4 of=/mnt/udisk/mtd4_rootfs.bin >>/mnt/udisk/dd.log
dd if=/dev/mtdblock5 of=/mnt/udisk/mtd5_data.bin >>/mnt/udisk/dd.log

This gave me a dump of each mtd partition (unfortunately, the first time I tried this, my USB stick died and I had to do it again).
Of course this process took quite a long time but it finally ended and I was able to check the content of my USB stick.
The first line (ls -R) was really helpful because it contains a listing of ALL the files stored in the rootfs.
Then came another update from Hantek. After decrypting and unpacking, I noticed a new file named system.inf

The content of that file looked like this :
Code: [Select]
[machine]
Model=DSO2C15
Vendor=Hantek
Product=undefined
Manufacturer=undefined
Serial=CN0000000000000
[version]
Pcb=000.000.000.000.000.000.000.000
Keyboard=undefined
[language]
Lans=65535
Language=2
[add]
Start=0
Update=0

I searched my ls -R listing and found that same file located in /cache/system.inf
Once again, I modified the do_other_update script so it copies that file from my scope to the root of the USB stick.
Code: [Select]
cp /cache/* /mnt/udisk

Looking into the system.inf, I found MY model and serial number.
The last step was to write the small sed command in order to modify the model number from 2C10 to 2D15, and voila.

Feel free to comment and report success (or not).

Cheers,
Mark5

Edit : typos and firmware link.
« Last Edit: March 18, 2021, 10:52:42 am by Mark5 »
 
The following users thanked this post: gamalot, upsss, .rpv, dec123ua, elektek, cmaass, jobitjoseph1, jono80, Boyeen, tttonyyy, H2Nut
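
Added example (not part of Mark5's post and not Hantek's code): the last if statement in do_update.sh runs whatever file sits on the USB stick as root, and the sketch below shows a gated form of that hook for comparison. It assumes sha256sum and mktemp exist on the device and that a digest list, hypothetically named other_update.sha256, ships inside the update package rather than on the stick.

```shell
#!/bin/sh
# Added example: a gated replacement for the do_other_update hook in do_update.sh.
# Assumptions: sha256sum and mktemp exist on the device; the manifest name
# other_update.sha256 is hypothetical and would ship inside the update package.

# Usage: run_verified_hook SCRIPT MANIFEST
# Returns 0 = approved and ran, 1 = refused, 2 = no hook present, 3 = hook failed.
run_verified_hook() {
    script=$1
    manifest=$2
    [ -e "$script" ] || [ -L "$script" ] || return 2
    # Only a regular file is acceptable; no symlinks, no missing manifest.
    if [ -L "$script" ] || [ ! -f "$script" ] || [ ! -f "$manifest" ]; then
        return 1
    fi
    # Stage a private copy so the bytes that are hashed are the bytes that run
    # (a file on removable media can change between check and use).
    staged=$(mktemp) || return 1
    if ! cp "$script" "$staged"; then
        rm -f "$staged"
        return 1
    fi
    digest=$(sha256sum "$staged" | cut -d' ' -f1)
    # Require a full-length digest listed at the start of a manifest line.
    if [ "${#digest}" -ne 64 ] || ! grep -q "^$digest " "$manifest"; then
        rm -f "$staged"
        return 1
    fi
    rc=0
    sh "$staged" || rc=3
    rm -f "$staged"
    return "$rc"
}

# Constructed sample input: one approved hook, then the same file modified
# after approval, then a path that does not exist.
demo_hook_check() {
    dir=$(mktemp -d) || return 1
    printf 'echo approved > "%s/ran.txt"\n' "$dir" > "$dir/do_other_update"
    sha256sum "$dir/do_other_update" > "$dir/other_update.sha256"
    ok=0
    run_verified_hook "$dir/do_other_update" "$dir/other_update.sha256" || ok=$?
    printf 'whoami > "%s/whoami.txt"\n' "$dir" >> "$dir/do_other_update"
    tampered=0
    run_verified_hook "$dir/do_other_update" "$dir/other_update.sha256" || tampered=$?
    absent=0
    run_verified_hook "$dir/absent" "$dir/other_update.sha256" || absent=$?
    leaked=no
    if [ -e "$dir/whoami.txt" ]; then leaked=yes; fi
    rm -rf "$dir"
    echo "approved=$ok tampered=$tampered absent=$absent leaked=$leaked"
}

demo_hook_check
```

A digest list is only as trustworthy as the package that carries it; since the thread notes that the package decryption key is public, a vendor fix would also need the package signed and checked against a public key stored on the device.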

Online tv84

  • Super Contributor
  • ***
  • Posts: 2345
  • Country: pt
Re: Hacking the DSO2X1X
« Reply #1 on: March 18, 2021, 10:07:12 am »
Well done.  :clap:

And where did the /dso/app/sys_inf.new come from?
 

Offline Mark5

  • Contributor
  • Posts: 29
  • Country: fr
Re: Hacking the DSO2X1X
« Reply #2 on: March 18, 2021, 10:32:40 am »
I think it is used by Hantek to initially set the model number.
Since they may check this file in future updates, I thought it'd be a good idea to edit this one as well.
But as far as I know it's not used in normal case.
 

Offline Algoma

  • Regular Contributor
  • *
  • Posts: 163
  • Country: ca
Re: Hacking the DSO2X1X
« Reply #3 on: March 18, 2021, 03:32:05 pm »
Keyboard=undefined  .. It could be entirely practical to bring up a root console onscreen with that do_other_update (Provided a USB hub works to operate both the keyboard and USB drive at the same time).

There is a button hidden on the underside of the PCB, accessible through the venting holes under the unit. Likely to reset into a bootloader mode.
 

Offline xuraax

  • Contributor
  • Posts: 32
  • Country: mt
Re: Hacking the DSO2X1X
« Reply #4 on: March 18, 2021, 05:05:54 pm »
@Mark5.  Thank you very much for the above.

2 questions:

1. Would the file do_other_update have to be created every time Hantek issues a new upgrade or just the first time?
2. Without an actual 150MHZ signal to test out the hack how can one confirm that the hack actually works?
 

Offline elektek

  • Newbie
  • Posts: 1
  • Country: mx
Re: Hacking the DSO2X1X
« Reply #5 on: March 18, 2021, 05:20:29 pm »
thanks, it worked perfect on DSO2C15
 

Offline upsss

  • Regular Contributor
  • *
  • Posts: 163
  • Country: us
Re: Hacking the DSO2X1X
« Reply #6 on: March 18, 2021, 06:13:48 pm »
Did anyone actually populate the missing components x1, u18, u35 and then hack the DSO2C1x to enable the AWG, or were you just lucky and the AWG components were already on your scope?
« Last Edit: March 18, 2021, 06:30:56 pm by upsss »
 

Offline Mark5

  • Contributor
  • Posts: 29
  • Country: fr
Re: Hacking the DSO2X1X
« Reply #7 on: March 18, 2021, 07:46:17 pm »
Quote
@Mark5.  Thank you very much for the above.

2 questions:

1. Would the file do_other_update have to be created every time Hantek issues a new upgrade or just the first time?
2. Without an actual 150MHZ signal to test out the hack how can one confirm that the hack actually works?

1) Once the model has been changed, there's no need to change it again. So no.
2) Some lucky "beta testers" had a 2C10 that were successfully converted to 2D15 with the AWG working as expected.
 

Offline Algoma

  • Regular Contributor
  • *
  • Posts: 163
  • Country: ca
Re: Hacking the DSO2X1X
« Reply #8 on: March 19, 2021, 12:05:45 am »
That Button underneath the unit puts the Allwinner F1C200S CPU into FEL mode.. Some generic documentation here:

https://linux-sunxi.org/FEL

Quote
sunxi-fel.exe --list --verbose
Warning: no 'soc_sram_info' data for your SoC (id=1663)
USB device 009:003   Allwinner 0x1663

Quote
sunxi-fel.exe version
Warning: no 'soc_sram_info' data for your SoC (id=1663)
AWUSBFEX soc=00001663(unknown) 00000001 ver=0001 44 08 scratchpad=00007e00 00000000 00000000

It is communicating with the Allwinner CPU through the back USB connection, though it looks like you generally need to attach directly to the UART interface to do much more with it. Could dump/debug active memory over the interface.

sunxi-fel.exe hex 0 47000   spits out a whole bunch of raw memory in hex format.
« Last Edit: March 19, 2021, 12:30:00 am by Algoma »
 

Offline Mark5

  • Contributor
  • Posts: 29
  • Country: fr
Re: Hacking the DSO2X1X
« Reply #9 on: March 19, 2021, 08:58:43 am »
It might also be possible to gain ssh access through the back USB port.
Dropbear is present in the filesystem. I'd have to look how (and if) it is launched.
 

Offline Algoma

  • Regular Contributor
  • *
  • Posts: 163
  • Country: ca
Re: Hacking the DSO2X1X
« Reply #10 on: March 19, 2021, 01:27:56 pm »
Connecting the DSO2D15 in FEL mode showed up on my system as the SNES mini.. The USB identifier used in FEL mode was common to the Allwinner R16 found in those recent Nintendo Mini consoles when they're also placed in FEL mode.  (Basically a Firmware recovery mode)

Hakchi2, an open source program for unlocking and loading additional data into those mini consoles' flash memory, could give us good foundation examples for accessing the onboard memory and firmware of those Allwinner chips. While the F1C200s is newer than the R16, there is likely much that remains in common, besides some changes in the boot memory mappings.

It would be somewhat amusing to run some classic games onscreen.. Its all entirely possible to do from that FEL mode.
« Last Edit: March 19, 2021, 02:53:33 pm by Algoma »
 

Offline cmaass

  • Contributor
  • Posts: 28
  • Country: za
Re: Hacking the DSO2X1X
« Reply #11 on: March 20, 2021, 10:49:02 pm »
At some point my DSO2D10 hung when I rebooted it. It only initialized the hardware to 80%, then it hung.
I reported it to Hantek, after which they sent me the platform tools as well as Phoenixsuite_CN to be able to reload the .bin files directly through the rear USB connector to the USB port of the Allwinner controller. This cleared the problem and it could reboot normally again.

When the bottom button is pressed during booting to put it into FEL mode, Sunxi-fel is used to convert the Allwinner to an Android system. It will show up on the PC's Device Manager as an Android Device. This is accomplished using Phoenixsuite_CN, then all the .bin files can be programmed directly onto the Allwinner via its USB port.
« Last Edit: March 20, 2021, 11:29:06 pm by cmaass »
 

Offline Algoma

  • Regular Contributor
  • *
  • Posts: 163
  • Country: ca
Re: Hacking the DSO2X1X
« Reply #12 on: March 21, 2021, 01:46:28 am »
The FEL mode could be used to load and execute temporary custom programs into RAM memory and execute it over the USB.  This has potential to read and write changes into the existing firmware and further explore RAM or Flash memory from the common USB port.

Yes, FEL is primarily used for base level firmware loading and disaster recovery, but its capable of temporarily loading a custom set of instructions into the CPU's RAM and then executing them without modifications to the system.


Basically a factory self testing and initial firmware loading mode.. but it does leave the system fully open to modifications without relying on the internal Firmware update scripts (that could be changed in future updates).
« Last Edit: March 21, 2021, 01:52:56 am by Algoma »
 

Offline vistorik

  • Contributor
  • Posts: 27
  • Country: de
Re: Hacking the DSO2X1X
« Reply #13 on: March 21, 2021, 01:47:56 pm »
Mark5, you are not the first to hack this device. The first was the Chinese from Hantek who provided platform-tools. Cmaass wrote about using platform-tools on 12/18/2020. Regardless of whether the memory Winbond 25N01GVZEIG on the board is empty or it has working firmware, platform-tools allows us to overwrite this memory again. We need to install the USB Device driver (VID_1f3a_PID_efe8) - for this we need to install PhoenixSuit_CN and then, connecting the device in recovery mode by pressing the bottom button during switching the device on, run zadig-2.5.exe. Then we need to run sunxi-fel uboot images / uboot_fastboot.bin. After that, we need to run cmds.bat:
Code: [Select]
sunxi-fel uboot images/uboot_fb.bin
fastboot flash boot images/uboot-with-spl-spinand.bin
fastboot flash logo images/logo3.bin
fastboot flash dtb images/suniv-f1c100s-licheepi-nano.dtb
fastboot flash kernel images/uImage


fastboot flash rootfssize images/rootfs.size
fastboot flash rootfs images/rootfs.ubifs
fastboot -S 20M flash rootfsa images/rootfs.ubifsaa
fastboot -S 20M flash rootfsb images/rootfs.ubifsab

fastboot flash cache images/cache.ubifs
fastboot flash data images/data.ubifs
fastboot reboot

@echo off
setlocal enabledelayedexpansion
for /f "delims=" %%i in ("images/rootfs.ubi") do (
 set size=%%~zi
)

pause

Detailed instructions are in the readme_English.docx file. After the first execution of the cmds.bat, the system may not boot. Then we need to turn off the device and reconnect it in recovery mode once more. After that, we execute immediately cmds.bat, the device should boot. As a result, we get a variant with undefined model and serial numbers - see the system.inf file:
Code: [Select]
[machine]
Model=undefined
Vendor=undefined
Product=undefined
Manufacturer=undefined
Serial=undefined
[version]
Pcb=undefined
Keyboard=undefined
[language]
Lans=65535
Language=2
[add]
Start=8
Update=0

But the AWG is present. Now we can edit the system.inf file in Notepad++ to replace the undefined numbers with real model and serial numbers, for example, DSO2D15 and our serial number, place the command to copy this file
cp -f  /mnt/udisk/system.inf  /cache
to the do_other_update file, and it, together with system.inf, to the root directory of the USB stick along with the firmware file/files, and by making the update on the device, get a working version of the DSO2D15 with working AWG.
It is interesting that this variant has additional calibration options, namely, instead of just calibration, as in a factory device, it becomes possible to calibrate the Amplitude and the OffSet –see photos. When calibrating the Amplitude, a prompt appears – «connect an external signal source and press F2» - see photo. I tried connecting an external generator for one and two channels and then pressed F2 again, but no calibration was done.
« Last Edit: March 21, 2021, 02:28:06 pm by vistorik »
 

Offline Piton

  • Regular Contributor
  • *
  • Posts: 55
  • Country: ua
Re: Hacking the DSO2X1X
« Reply #14 on: March 21, 2021, 03:20:32 pm »
Strange, I have both calibrations in the factory device, but the amplitude does not work either.
 

Offline cmaass

  • Contributor
  • Posts: 28
  • Country: za
Re: Hacking the DSO2X1X
« Reply #15 on: March 21, 2021, 03:35:39 pm »
@VISTORIK, Your explanation on how to use the platform tools and PhoenixSuit_CN is nicely done.
Regarding the Amplitude Calibration, it does nothing.
When I queried HANTEK about this they told me its only necessary to do the Offset.
Answer from wangshuang@hantek.com "Users don't need to perform amplitude calibration."
« Last Edit: March 21, 2021, 03:44:05 pm by cmaass »
 

Offline Algoma

  • Regular Contributor
  • *
  • Posts: 163
  • Country: ca
Re: Hacking the DSO2X1X
« Reply #16 on: March 21, 2021, 04:41:30 pm »
I see your notes mention:

Quote
fastboot flash dtb images/suniv-f1c100s-licheepi-nano.dtb

So this scope is technically a F1C200s based Lychee-PI-nano as its foundation .. That makes documentation research much easier.

Still missing the actual Platform tools posted by Cmaass

Uboot features a UMS mode that can present the onboard storage as a USB mass storage device to the host, Provided the right platform drivers (DeviceTreeBlob)(.DTB) have been loaded to access the SPI NAND.
« Last Edit: March 21, 2021, 07:42:54 pm by Algoma »
 

Offline Algoma

  • Regular Contributor
  • *
  • Posts: 163
  • Country: ca
Re: Hacking the DSO2X1X
« Reply #17 on: March 21, 2021, 07:48:54 pm »
For reference, the Lichee Pi Nano; this image was posted previously by
@GeorgeOfTheJungle: https://www.eevblog.com/forum/testgear/fnirsi-1013d-100mhz-tablet-oscilloscope/msg3145826/#msg3145826



 

Offline Mark5

  • Contributor
  • Posts: 29
  • Country: fr
Re: Hacking the DSO2X1X
« Reply #18 on: March 21, 2021, 08:06:31 pm »
Quote
Mark5, you are not the first to hack this device. The first was the Chinese from Hantek who provided platform-tools.

I definitely agree with that : people from Hantek were the first to hack their own scope.
And I'm pretty sure they can hack every model they sell  ;D
 

Offline xuraax

  • Contributor
  • Posts: 32
  • Country: mt
Re: Hacking the DSO2X1X
« Reply #19 on: March 22, 2021, 05:30:32 am »
How can one get a copy of these Platform Tools?
 

Offline cmaass

  • Contributor
  • Posts: 28
  • Country: za
Re: Hacking the DSO2X1X
« Reply #20 on: March 22, 2021, 06:19:45 am »
I will upload the Platform-Tools on the Filemail.com server since it is too big to post on this forum.
Will post the link as soon as it is ready.

It will take a while since my upload speed is slow ;D
« Last Edit: March 22, 2021, 06:22:26 am by cmaass »
 
The following users thanked this post: xuraax

Offline vistorik

  • Contributor
  • Posts: 27
  • Country: de
Re: Hacking the DSO2X1X
« Reply #21 on: March 22, 2021, 11:40:10 am »
Quote
How can one get a copy of these Platform Tools?

You can get the platform-tools with the firmware dso3kb_20201221 here: https://www.filemail.com/d/jaoaiyhwhraxaez.

Before using the platform-tools it is best to make a complete memory (Winbond 25N01GVZEIG) dump, e.g. using the programmer CH341a, the WSON8 to DIP8 adapter and the program Neo Programmer (from 4pda.ru/forum), and do not expose the device's native memory to experiments. Winbond 25N01GVZEIG, CH341a and WSON8 to DIP8 adapter can be purchased on AliExpress.
To simplify manipulation with memory chips, I’ve made an additional adapter, which I’ve soldered to the contact pads of the memory chip. This adapter fits to WSON8 to DIP8 adapter , into which the memory chip (not native memory chip) is soldered.

Yes, using platform-tools you can get 2D15 from 2C10 with the AWG, but this is not the best way, since the AWG will not be calibrated. The best way is the way suggested by mark5 - changing the model number using SED command in do_other_update file, but once again not with native memory chip.
« Last Edit: March 22, 2021, 09:54:42 pm by vistorik »
 
The following users thanked this post: Mark5, cmaass, xuraax, Algoma, jono80

Offline cmaass

  • Contributor
  • Posts: 28
  • Country: za
Re: Hacking the DSO2X1X
« Reply #22 on: March 22, 2021, 06:26:19 pm »
You can also download the platform-tools here.
You have 7 days to download the file.
PhoenixSuit_CN is included in the file.
Remember to read the readme_English.docx on how to use the tools.
All the files are included in the one .rar file so the file is much smaller than the file posted by vistorik. It's 114.28 Mb in size.
Please read the post by vistorik of a description on how these tools are used. Reply #13 on: Yesterday at 01:47:56 pm
https://www.filemail.com/d/advzemzwfpioyvw
« Last Edit: March 22, 2021, 06:55:45 pm by cmaass »
 
The following users thanked this post: xuraax, Algoma

Offline cmaass

  • Contributor
  • Posts: 28
  • Country: za
Re: Hacking the DSO2X1X
« Reply #23 on: March 22, 2021, 07:26:37 pm »
@ Algoma. Getting back to your post Reply #72 on: January 29, 2021 on the topic. New Hantek DSO2X1X models?,  regarding the ADC numbers that you speculated about.
When I did the dot test then in Single Ch. mode I could get only 1 dot every 2ns at 1Gs/s thus 500 Ms/s. After I hacked the scope to 150MHz, I now get two dots, thus 1ns sampling  which relates to 1Gs/s..
Thanks Mark5.
 
The following users thanked this post: Mark5, Algoma

Offline Boyeen

  • Contributor
  • Posts: 7
  • Country: us
Re: Hacking the DSO2X1X
« Reply #24 on: March 25, 2021, 08:36:05 pm »
Thanks for the info. I have some advice for newbies (like myself)...
Perhaps foolishly, I tried the firmware/SED hack on my brand new DSO2C15 hoping the board was populated for the AWG, but without checking.
Bad idea, my machine transmogrified into a DSO2D15 and the WAVE-GEN  button lit up, scope menus updated etc. but no output signals. OK, missing components, no harm right?  Well yes actually... the scope can no longer calibrate and other operations gave errors too.  I also discovered that the hidden files my Mac puts on the USB stick cause problems, gotta delete them before trying to update firmware. That may have been part of my problem...

Anyway, long story short, I erased the USB drive, loaded a new copy of the firmware from Hantek, cleared all the Apple .junk off it and edited your SED script to revert the machine from D15 back to C15.  It worked perfectly and now I can calibrate and use everything I paid for :-)

Hope this helps. I'll be interested to see if anyone bothers to install the missing components and if that works but right now I'm glad I didn't brick my new toy.
 

