Hacking the DSO2X1X

[Boyeen]

Hi,

Mark is infinitely more qualified to help you than me but I will have a go at least. He can correct me when I get it wrong.
I think the problem you are having is that you changed the device ID from DSOC10 to DSOC15 in the "do_other_update" script.
I had this problem earlier when I tried to reverse it. I found that I had to edit the script to specifically change the device
back to DSOC10. I don't have the script handy but it was an easy edit. On the other hand it does no harm to have the device
ID be "wrong". The firmware is exactly the same... although I was unable to reclibrate automatically because the AWG chips were missing.

Speaking of the update, if you have some surface mount soldering skills it is very doable. If not, it might
be a very tricky and expensive way to learn :-)  Good luck.


UPDATE:     If memory serves I modified "do_other_update" as follows and it worked for me...

sed -i 's/DSO2.1./DSO2C10/g' /cache/system.inf >/mnt/udisk/sed.log
sed -i 's/DSO2.1./DSO2C10/g' /dso/app/sys_inf.new >>/mnt/udisk/sed.log

[maskedviperus]

I see its been asked 100 times, but can i get a copy of platform tools? Im willing to host on my g drive so it doesnt expire.

[DavidAlfa]

+1
All the platform-tools links are dead! Please stop using temporal file services!
There are a ton of alternatives, Gdrive, file.io, mediafire, mega...
Fastboot can only write... Was anyone able to dump the spi contents using sunxi-fel?

[aika]

there are the platform-tools i got from:

I had a similar problem with freezes and I was able to solve that reprogramming the system images with some files sent by Hantek's support.

If you dare, you can try it yourself. I've uploaded the files to a temporary file sharing page, the link will be valid for only 7 days before it expires:

https://www.filemail.com/d/mmnhoxtbjdututb

In the downloaded file you will find included a .doc text with the instructions on how to proceed.

Note 1: this procedure will blank some details on the system info screen of the scope, but that is easily fixed later if you mind the missing information. I would just recommend that you take a picture before to have as reference.
(Attachment Link)

Note 2: this images install the firmware 3101 on the oscilloscope, looks like there's already newer scopes with version 3200. Which version yours scope is running now?

https://download.gg/en/file-12180247_e6b8784930457ac2

BE AWARE, noone is responsible if something goes wrong, make backups, especially the SPI-Flash. This changed my FIRMWARE to 3101, at least works fine on my scope

my scope is the DSO2D15, original firmware 3000
I had no backup and tried the 20210510 firmware, my firmware changed to 3202...sadly my 2nd channel was random offset, calibration was broken with the 505...something error.

so i was lucky to get the platform-tools last time they were uploaded to filemail.

however, following the readme_English.docx i had to reboot my Windows 10 20H2 to get the Android device recognized properly.
with the

Code: [Select]

sunxi-fel uboot images/uboot_fastboot.bin my scope wouldnt boot to the phoenix frontend.
but with only using the commands from cmds.bat it works just fine.


afaik there are 3 firmware versions i am aware of which could be cause of hardware changes onboard or in the fpga which are not compatible between firmware 3000/3101 and 3202.

interestingly enough, a dmesg on the scope shows it booting

Code: [Select]

[    0.000000] Linux version 5.2.0-licheepi-nano (root@ubuntu) (gcc version 5.4.0 (Buildroot 2017.02.5)) #122 Tue Jan 19 10:01:16 CST 2021
[    0.000000] CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=0005317fI am gonna order me the Sipeed Lichee Pi nano board to play around with, still waiting so they translate the documentation to english and fix broken links.

also im gonna try reverse engineering the phoenix app with ghidra to see if i can change the functions of the scope to what i expect from it (f.e. i want ASCII shown when i am decoding iic or spi, hex only is somehow no enough for me)

[DavidAlfa]

Thanks for uploading!

Mine arrived today. I've managed to crash it in the first minute 
Model  DSO2D10
SW      1.1.0(202012221.00)
HW     000.000.000.000.000.000.001
FW      3000

Calibration shows error 50041.

As the platform tools instructions, I installed WinUSB driver for the device "USH Device(VID_1f3a_PID_efe8)"

After that, running sunxi-fel ver showed:
AWUSBFEX soc=00001663(F1C100s) 00000001 ver=0001 44 08 scratchpad=00007e00 00000000 00000000

Then I tried to dump the 128MB SPI contents: sunxi-fel.exe spiflash-read 0 134217728 orig.bin
It takes about 15mins. However most of the file reads 0, with patches here and there. Doesnt look nice!
Can anyone upload their backup to compare?

Edit: Running sunxi-fel.exe spiflash-info shows:
Manufacturer: Unknown (00h), model: EFh, size: 1024 bytes.

EFh is correct for the 25N01G, but it seems that FEL or whatever is unable to correctly detect/handle/identify the SPI flash.
So, I guess I'll have to open it and use my good old friend CH341A.
Do you remember how hard/expensive these things were before the Arduino boom, in the years 200x or before?
I you told me you got an USB programmer for $3 I would told you were fuc*** nuts!

I thought desoldering the memory was going to be harder thanks to the ground pad. But it was pretty straightforward.
Since I didn't have any kapton, I just used kitchen aluminium foil, folded to make 4 layers(more isolation), and cut a window for the memory. Easy.
wson and soic have similar footprints, so the pcb adapter I had worked well. But the bottom pad can cause shorts to the soic pins!
Clean the pads thoroughly and make continuity checks before powering it up!
Also remember that most CH341 programmers output 5V! This memory is 3.3V only! However you can mod the programmer to use 3.3V.





I've been unable to read anything from the serial port. Rx and Tx are always at 3.3V.


I'll make a Gdrive folder with all the tools, documentation, updates, dumps... It would be nice to have dumps for every HW revision just in case someone loses it, who wants to contribute?

[Algoma]

You can also simply copy, move, rename or execute contents of the internal filesystem to and from your USB drive during the Do_other_update procedure that is executed during a firmware update. It can executes most basic Linux commands, and could run arbitrary code from your USB drive.

Of course a full off-board image will properly backup all the other hidden partitions before picking at the file system.

[DavidAlfa]

I know, but that's not useful when you mess up the system.
It's easy to fu*** everything up! Just touch something you shouldn't, or make a mistake...

Definitely needing to disassemble everything, desolder the flash with hot air, solder to the programmer pcb, wait 20min for programming, desolder from the adapter, solder back to the PCB and assemble everything back, can be called a lot of things, but absolutely not "hacking friendly".

So I decided to hack the hack!
I opened a SD card adapter, embedded the flash with a 22uF cap and glued everything together.
Made 2 adapters with SD slots.
One for the CH341 programmer, other soldered to the Hantek PCB using twisted pairs to avoid noise.

The result is great, now I only need to remove 4 screws for programming.
I could make a slot in the housing for direct access, but it's sad to break it on the first day!

(Yeah, I have a ton of parts that my company was going to send to waste, so I got them. About 8kg of small parts!),

[DavidAlfa]

So the calibration worked after trying again.

Updated to the 20210510 fw, it completely broke calibration.
Tried 20210416, the error is still there.
Edit: Because 20210510 changed FW version. After restoring the backup, 20210416 works nicely.

A very interesting option would be to chroot the system, and use an external USB drive.
That way restoring the system would be a breeze. I'll have too look at it!

I want to enable the shell so badly....!

[DavidAlfa]

I know I already said this in the other DSO2x1x thread, but I think it's relevant.

I took everything I found for them and made a Gdrive folder here:

https://drive.google.com/drive/folders/1Tqk8YbL_M3S0vtk7h_cZ-01U2idIaqqx

I'd appreciate if you guys send different original dumps to have handy!
For example, updating to the 20210510 changed my FW version and there was no way to restore it back without the dump.
So it's better to have them, someone could make a mistake...

[aika]

DavidAlfa  great work with the GDrive folder 

nice collection of firmware-updates there.

i did spot that the '20210517' is a lot larger than the others, there is a different platform-tools included!

did reflashing the spi-flash with your dump put you back to FW3000?

Im off work from thursday to sunday due to a holyday here, so i will have some time to look into all this information 

btw '20210510' system.inf file has some weird hacks in it

Code: [Select]

[machine]
       Model=250M$DSO2C10
       Vendor=hantek
       Product=DSO
       Manufacturer=hantek
       Serial=CN21030229002304
[version]
       Pcb=501.001.001.000.000.000.000.000
       Keyboard=1
[language]
       Lans=65535
       Language=3
[add]
       Start=0
       Update=0that is part of hacking the DSO4xx4B/C , check the section

3.4 Extending the Bandwidth by Software

in the PDF file at https://github.com/WiZZteXX/DSO4xx4c. very strange someone from Hantek would put that into the DSO2000 series system.inf (not to mention that we are somehow running on the dso3000c 'line' of scopes 

[DavidAlfa]

Yes, in fact it's the only way to restore FW version. You can rollback any update, but it wont restore or change your FW version.
How do you extract the data from the rootfs images? I'm a bit confused with so many ubi files.
NeoProgrammer + CH341 writes the data in ~11 minutes, as it's clever enough to skip 0xFF sections (All the memory become FF after chip erase).

A little hint: Remove the usb drive before connecting the oscilloscope to the computer.
I left mine plugged in, the USB enumeration was resetting like crazy.
I thought my computer went nuts!
Since my usb is small, low profile type, I didn't notice it was plugged in. I lost 10 minutes of my life!

[aika]

Im gonna have to look into extracting and building the rootfs files, all i know so far is that it's a Filesystem specially used for nand flash memory. Found a website with some links to info via google...that's why I'm so into the sipeed LicheePi nano, it's the same architecture that is used in the DSO2000 series and that's the source I'm gonna milk to find all the info.
Not giving up the hope to do everything in software ( the thing does change the FW version in software anyway)

[DavidAlfa]

WHen you see "ubi", you say: "OK, it's ubifs, supported by linux, should be easy as executing few mount commands..."

But then you see rootfs.ubi, rootfs.ubifs, rootfs.ubifsaa, rootfs.ubifsab...
And I got lost. Didn't find info about that.

[reisher]

My calibration is lost now after messing with different firmware files.
How can I restore it? I got the DSO2C10 and can't find any guide using the platform tool thing I've spent hours and still stuck without calibration.
any help would be appreciated!

[DavidAlfa]

Did you make a backup?
None of the available firmwares restored my FW version, neither the platform-tools.
I had to fully restore the backup.

[reisher]

No backup unfortunately what are my options at this point?

[DavidAlfa]

I've been only one day with it... You can try contacting Hantek, or you can remove the SPI flash and program it.
I uploaded my 2D10 dump... could work.

Added to Gdrive some system logs (dmesg, cpuinfo, ls...) and most system files (bin, sbin, usr, etc...).
I found  lighttpd server. So LAN port might be operative in the kernel.

[reisher]

I've see your folder which is awesome I just can't figure out how to update the spi flash using the dump files you provided I got lost.
The thing is everything is working its just that the calibration gives me an error every time I calibrate. Did you manage to get calibration back?

[DavidAlfa]

Yes, by restoring my backup. As long as my FW version is 3000, calibration works.
The backup is done with a CH341A programmer. You'll have to remove the flash...
Luckly someone will figure out how to program it from FEL, or how to extract the partititions from the dump and flash them using fastboot.

[aika]

Btw i also used the 10/5 firmware which put me to firmware 3202 and with the platform tools I went back to 3101.
With 3202 calibration was broken, channel 2 was random offset.
With 3101 calibration worked just fine!
That from original DSO2D15 fw 3000.
So platform tools with original fw 3000 should fix everything... The question is how we get that from hantek

[DavidAlfa]

But how to calibrate amplitude in 31xx?

[aika]

@VISTORIK, Your explenation on how to use the platform tools and PhoenixSuit_CN is nicely done.
Regarding the Amplitude Calibration, it  does nothing.
When I queried HANTEK about this they told me its only necessary to do the Offset.
Answer from wangshuang@hantek.com "Users don't need to perform amplitude calibration."

We are not supposed to, only offset... Im gonna find out as soon as I find it in the firmware and/or phoenix app which is the frontend.

Iirc there is an older folder with the file system provided with the platform tools i have, didn't try it yet, but remembered it before falling asleep, will have to test it and see what happens.

[DavidAlfa]

Try it, and share if the sw version is different than those in the folder!

[reisher]

Do you have a link to the original firmware and maybe instructions on how to do it with the platform tools? I'm still lost and don't have calibration

[DavidAlfa]

Check my Drive folder! Download the platform-tools version you like.
Versions 3101 and 3102 calibrate ok in my 3000.

Check readme inside platform-tools.
You have to push the button below the DSO, power it on, then release.
Open zadig, check show all devices, select "USH Device(VID_1f3a_PID_efe8)", then select WinUSB, click on install driver.
Open a cmd window in platform-tools and run sunxi-fel ver, it should recognice the device.
Now run cmds.bat, it will flash everything.