Author Topic: Hacking the DSO2X1X  (Read 139751 times)


Offline aika

  • Contributor
  • Posts: 12
  • Country: de
Re: Hacking the DSO2X1X
« Reply #75 on: June 01, 2021, 07:48:44 am »
Too sad I can't play with my scope at work :(
Maybe we need a faq as pdf that stores all info from various posts, ppl tend to not read all info, like in tldr :p
 

Online DavidAlfa

  • Super Contributor
  • ***
  • Posts: 5890
  • Country: es
Re: Hacking the DSO2X1X
« Reply #76 on: June 01, 2021, 12:28:03 pm »
I also uploaded the decrypted updates for easy access.
Maybe we can find what changes the FW version, and revert it back using the do_other_update script.

I noticed that the platform-tools-20210129(FW3101) comes with two sets of images:
images and images_adc
The rootfs CRC is different!

Edit: images_adc files restore FW3000!

I separated these, so now we have 3 platform tools versions:
- platform-tools-20201221(FW3000)
- platform-tools-20210129(FW3101)
- platform-tools-20210517(FW3102)

Remember that flashing platform tools will set Model, Serial and Hardware undefined! Take note of these to restore them later!
I made this do_other_update to restore them automatically (edit to your needs):
Code:
sed -i "s/Model=.*/Model=DSO2D10/g" /cache/system.inf /dso/app/sys_inf.new
sed -i "s/Serial=.*/Serial=CN0000000000000/g" /cache/system.inf /dso/app/sys_inf.new
sed -i "s/Pcb=.*/Pcb=000.000.000.000.000.000.000.001/g" /cache/system.inf /dso/app/sys_inf.new

After updating with platform-tools, /dso/app/sys_inf.new file no longer exists, but it doesn't seem to change anything.

Made some scripts to backup, restore, dump the log, edit the configs... Of course, copied to Gdrive folder!
« Last Edit: June 01, 2021, 03:49:43 pm by DavidAlfa »
Hantek DSO2x1x            Drive        FAQ          DON'T BUY HANTEK! (Aka HALF-MADE)
Stm32 Soldering FW      Forum      Github      Donate
 
The following users thanked this post: AndrewBCN

Online DavidAlfa

« Reply #77 on: June 01, 2021, 03:45:16 pm »
I managed to make a custom update package that only runs "do_other_update".
And it's only the start, as now we can make our own update packages!
Huge thanks to tinhead!
Check it in the scripts folder, "dso3kb_run_other_update.upk"

To make your own, get some linux shell (Ubuntu VM in my case) and run these commands:

Code:
# Decrypt the firmware (Adjust dso3kb_package.upk to the package name)
gpg --batch --passphrase dso3000c --output decrypted.tar.gz -d dso3kb_package.upk

# Extract "decrypted.tar.gz". The output file should be "dso3kb.upk.tar"
tar -xvzf decrypted.tar.gz

# Extract "dso3kb.upk.tar" to "dso" folder
mkdir dso
tar -xvf dso3kb.upk.tar --directory dso

Inside dso folder, you will find "upend" and "package".
"upend" contains a listing of the files and folders stored in "package" folder.
I edited it and deleted everything, keeping only do_update.sh, Manifest.xml and special.
Did the same with package folder, I deleted everything except these files.
Last, I edited do_update.sh, deleting everything, leaving only the part that executes the script file.

Now I had to pack everything back:
Code:
# Enter dso folder and make the tar file
cd dso
tar -cvf ../dso3kb.upk.tar *

# Exit dso folder and make the tar.gz file
cd ..
tar -zcvf dso3kb_custom.tar.gz dso3kb.upk.tar

# Encrypt the file:
gpg --batch --passphrase dso3000c --output dso3kb_custom.upk -c dso3kb_custom.tar.gz

The update name must start with "dso3kb_", otherwise the update process will fail!
Copy the upk file to the usb, and enjoy!
« Last Edit: June 01, 2021, 07:02:23 pm by DavidAlfa »
 
The following users thanked this post: AndrewBCN

Offline aika

« Reply #78 on: June 01, 2021, 07:23:23 pm »
DavidAlfa great work, I'm a bit jealous how much time got left to invest.

That folder where you found the FW3000 was exactly the one I wanted to flash this evening and find out what it is. Ah well, there is still stuff to figure out left :)

The Allwinner F1C200s is capable of playing 1080p in hardware, even adding network / WiFi should be possible. So animated startup sequences etc.
From the F1C200s datasheet:
Quote
The F1C200s is based on the ARM9 CPU architecture with a high degree of functional integration, and supports
Full HD video playback, including H.264,H.263,MPEG1/2/4 decoder. Integrated audio codec and I2S/PCM interface
provide end users with a good audio experience. TV-IN interface enables video input by connecting to video
devices such as camera, and TV-OUT interface enables video output by connecting to TV devices.

After all the Filesystem almost got 32MB free space left :)
The board for experimenting (sipeed licheepi nano) should arrive here in 10-14 days
« Last Edit: June 01, 2021, 07:25:02 pm by aika »
 

Online DavidAlfa

« Reply #79 on: June 01, 2021, 08:16:49 pm »
The problem is that we don't have the sources.
Shouldn't hantek release their uboot/kernel sources to comply with the GPL?

About these fancy things: This is an old-school arm core. Performance is pretty poor.
It barely can move the DSO software, do you want to add more work to it? :-DD
I tried to overclock it, sadly it seems there's no module for that.
« Last Edit: June 01, 2021, 08:19:06 pm by DavidAlfa »
 

Offline aika

« Reply #80 on: June 01, 2021, 08:38:19 pm »
There is some legal info and URLs in the status information of the scope itself, it's in 'utility->F6'. The Linux itself is free. The hardware modules itself will never be. I'm not sure if there is a decompiler for VHDL, we don't have any information about that Lemontree FPGA anyway.

But the phoenix app is written in C++, had it open in Ghidra some days ago, the work is just commenting the code and after playing with it one should be able to implement new functions or improve them (speeding it up with some assembler).

The UI is written in xml and the logos are easy to open/save in
nd
One more day and I will 'rebrand' it to "Hacktek" :)

 

Offline aika

« Reply #81 on: June 01, 2021, 09:05:40 pm »
For overclocking the cpu check
Quote
https://whycan.com/t_3730.html
It's explained in english, the sources one needs are in the platform tools iirc. You need however to cross compile if your system ain't arm based.

Measure temperatures and slap a heatsink on, we don't want 'magic smoke' :)
 

Online DavidAlfa

« Reply #82 on: June 01, 2021, 09:24:42 pm »
I'd put a LN2 cooler, overvolt the core to 12V and oc it to 4GHz if that makes the damn thing work  :-DD

Yeah, if the code/modules are proprietary they don't need to share it. But the kernel, u-boot and such, yes!
That would open a nice window for hacking. I've been busy with other stuff, no time yet for Ghidra!
I've been trying to open the serial port, but no way.
I think the UART registers should be configured in u-boot. And are not.
Everything appears ok (uboot and kernel use ttyS0), but nothing comes out.

Not being able to access the console makes it very slow and tedious.

Regarding Ghidra, did you check the file dso/etc/check_sys_inf?
Seems it's what parses system.inf.
« Last Edit: June 01, 2021, 10:18:50 pm by DavidAlfa »
 

Offline AndrewBCN

  • Frequent Contributor
  • **
  • Posts: 571
  • Country: fr
Re: Hacking the DSO2X1X
« Reply #83 on: June 02, 2021, 06:30:32 am »
I am not sure if you guys have seen this, but George Hilliard has been working on the F1C200s and has some good information on his blog about this $1 32-bit ARM CPU:
https://www.thirtythreeforty.net/posts/2020/02/trying-the-allwinner-f1c200s/

And a big thank you to DavidAlfa for his excellent work.  :-+  :-BROKE
 
The following users thanked this post: DavidAlfa

Online DavidAlfa

« Reply #84 on: June 02, 2021, 08:47:42 am »
Yeah, I saw that....
Chinese devices with no support at all, depending on user patches? Gave me headaches only to think about it.
Will try to compile that, but when it starts with strange dependency/incorrect library versions, I spend my time elsewhere :palm:
Edit: After 30 min of compiling it drops error:
Code:
CMake Error at CMakeLists.txt:4 (SHLOMIF_COMMON_SETUP):
Unknown CMake command "SHLOMIF_COMMON_SETUP".


Tried deleting the games, as described here:
https://github.com/thirtythreeforty/businesscard-linux/issues/15
And it worked. Now we'll see if the files are useful for anything!


I also found this forum: https://whycan.com/f_17.html
But that's the same crap as most Chinese pages, use your mobile phone, register using WeChat, and pay or start making useful posts, which is something impossible when you are trying to learn.
Also, Baidu no longer works, my user is blocked, I guess because it's not Chinese. They ask for a passport number... Sure! :palm:

Do you understand now my hate for Chinese products? And Linux in general. Compiling these things almost never works the first time.

I think I figured out why the serial console doesn't work.
Rx and Tx are connected to pins 63 and 64 (TPY1, TPY2).
They're UART1_RX, UART1_TX! The system uses ttyS0, so I guess everything goes to UART0?

Edit:
After running:
Code:
stty 115200 -F /dev/ttyS1
echo "Testing ttyS1" >/dev/ttyS1

I got: Testing ttyS1

I modified platform-tools/images/uboot-with-spl-spinand.bin, editing the bootargs and replacing ttyS0 with ttyS1. The patched file is attached.
Flashed the new binaries (Booting in FEL mode):
Code:
sunxi-fel uboot images/uboot_fb.bin
fastboot flash boot images/uboot-with-spl-spinand.bin
fastboot flash logo images/logo3.bin
fastboot reboot

If I flash only uboot-with-spl-spinand.bin the boot logo is erased. That's why I also flash logo3.bin

And I got shell! Login is "root", no password.
Quote
[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 5.2.0-licheepi-nano (root@ubuntu) (gcc version 5.4.0 (Buildroot 2017.02.5)) #127 Fri Apr 30 08:59:43 CST 2021
[    0.000000] CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=0005317f
[    0.000000] CPU: VIVT data cache, VIVT instruction cache
[    0.000000] OF: fdt: Machine model: Lichee Pi Nano
[    0.000000] Memory policy: Data cache writeback
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 16256
[    0.000000] Kernel command line: earlyprintk console=ttyS1,115200 ubi.mtd=4 ubi.fm_autoconvert=1 root=ubi0:rootfs rw rootfstype=ubifs
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Memory: 54488K/65536K available (5120K kernel code, 187K rwdata, 2000K rodata, 1024K init, 209K bss, 11048K reserved, 0K cma-reserved, 0K highmem)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 16, nr_irqs: 16, preallocated irqs: 16
[    0.000000] random: get_random_bytes called from start_kernel+0x254/0x430 with crng_init=0
[    0.000050] sched_clock: 32 bits at 24MHz, resolution 41ns, wraps every 89478484971ns
[    0.000130] clocksource: timer: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 79635851949 ns
[    0.000716] Console: colour dummy device 80x30
[    0.000815] Calibrating delay loop... 203.16 BogoMIPS (lpj=1015808)
[    0.070257] pid_max: default: 32768 minimum: 301
[    0.070700] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.070745] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.072436] CPU: Testing write buffer coherency: ok
[    0.074460] Setting up static identity map for 0x80100000 - 0x80100058
[    0.076756] devtmpfs: initialized
[    0.085338] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.085403] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.085705] pinctrl core: initialized pinctrl subsystem
[    0.087795] NET: Registered protocol family 16
[    0.089365] DMA: preallocated 256 KiB pool for atomic coherent allocations
[    0.091596] cpuidle: using governor menu
[    0.128315] SCSI subsystem initialized
[    0.128753] usbcore: registered new interface driver usbfs
[    0.128914] usbcore: registered new interface driver hub
[    0.129104] usbcore: registered new device driver usb
[    0.129846] Advanced Linux Sound Architecture Driver Initialized.
[    0.132482] clocksource: Switched to clocksource timer
[    0.162391] NET: Registered protocol family 1
[    0.163580] NetWinder Floating Point Emulator V0.97 (double precision)
[    0.166212] workingset: timestamp_bits=30 max_order=14 bucket_order=0
[    0.183004] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 252)
[    0.197546] suniv-f1c100s-pinctrl 1c20800.pinctrl: initialized sunXi PIO driver
[    0.200060] pwm-backlight backlight: backlight supply power not found, using dummy regulator
[    0.211510] Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
[    0.236459] 1c25000.serial: ttyS0 at MMIO 0x1c25000 (irq = 25, base_baud = 6250000) is a 16550A
[    0.259194] 1c25400.serial: ttyS1 at MMIO 0x1c25400 (irq = 26, base_baud = 6250000) is a 16550A
[    0.555677] printk: console [ttyS1] enabled
[    0.572819] panel-simple panel: panel supply power not found, using dummy regulator
[    0.586613] loop: module loaded
[    0.590740] SCSI Media Changer driver v0.25
[    0.599149] spi-nand spi0.0: Winbond SPI NAND was found.
[    0.604617] spi-nand spi0.0: 128 MiB, block size: 128 KiB, page size: 2048, OOB size: 64
[    0.613336] 6 fixed-partitions partitions found on MTD device spi0.0
[    0.619694] Creating 6 MTD partitions on "spi0.0":
[    0.624628] 0x000000000000-0x000000300000 : "boot"
[    0.636224] random: fast init done
[    0.648153] 0x000000300000-0x000000d00000 : "cache"
[    0.695051] 0x000000d00000-0x000000f00000 : "dtb"
[    0.711217] 0x000000f00000-0x000001500000 : "kernel"
[    0.743084] 0x000001500000-0x000006400000 : "rootfs"
[    1.053505] 0x000006400000-0x000008000000 : "data"
[    1.164845] random: crng init done
[    1.176687] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    1.183362] ehci-platform: EHCI generic platform driver
[    1.188966] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    1.195299] ohci-platform: OHCI generic platform driver
[    1.201063] usbcore: registered new interface driver usb-storage
[    1.208262] usb_phy_generic usb_phy_generic.0.auto: usb_phy_generic.0.auto supply vcc not found, using dummy regulator
[    1.220276] musb-hdrc musb-hdrc.1.auto: MUSB HDRC host driver
[    1.226219] musb-hdrc musb-hdrc.1.auto: new USB bus registered, assigned bus number 1
[    1.236376] hub 1-0:1.0: USB hub found
[    1.240283] hub 1-0:1.0: 1 port detected
[    1.247017] <<-GTP-INFO->> GTP driver installing...
[    1.253074] i2c /dev entries driver
[    1.261312] sunxi-wdt 1c20ca0.watchdog: Watchdog enabled (timeout=16 sec, nowayout=0)
[    1.270228] hidraw: raw HID events driver (C) Jiri Kosina
[    1.276249] usbcore: registered new interface driver usbhid
[    1.281823] usbhid: USB HID core driver
[    1.288809] NET: Registered protocol family 17
[    1.307968] sun4i-backend 1e60000.display-backend: Couldn't find matching frontend, frontend features disabled
[    1.318543] sun4i-drm display-engine: bound 1e60000.display-backend (ops 0xc06e92d4)
[    1.327675] sun4i-drm display-engine: bound 1c0c000.lcd-controller (ops 0xc06e7f2c)
[    1.335471] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[    1.342076] [drm] No driver support for vblank timestamp query.
[    1.349406] [drm] Initialized sun4i-drm 1.0.0 20150629 for display-engine on minor 0
[    1.357373] panel_simple_get_fixed_modes:4119
[    1.365373] sun4i-drm display-engine: __drm_fb_helper_initial_config_and_unlock:bf3883c7, d8218831, 768000, e1a9cce9
[    1.425789] sun4i-drm display-engine: fb0: sun4i-drmdrmfb frame buffer device
[    1.434078] ubi0: default fastmap pool size: 30
[    1.438624] ubi0: default fastmap WL pool size: 15
[    1.443539] ubi0: attaching mtd4
[    1.784151] ubi0: attached by fastmap
[    1.787837] ubi0: fastmap pool size: 30
[    1.791669] ubi0: fastmap WL pool size: 15
[    1.820816] ubi0: attached mtd4 (name "rootfs", size 79 MiB)
[    1.826675] ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[    1.833613] ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[    1.840420] ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
[    1.847420] ubi0: good PEBs: 632, bad PEBs: 0, corrupted PEBs: 0
[    1.853457] ubi0: user volume: 1, internal volumes: 1, max. volumes count: 128
[    1.860695] ubi0: max/mean erase counter: 4/1, WL threshold: 4096, image sequence number: 0
[    1.869072] ubi0: available PEBs: 0, total reserved PEBs: 632, PEBs reserved for bad PEB handling: 20
[    1.878993] vcc3v0: disabling
[    1.881986] vcc5v0: disabling
[    1.885059] ALSA device list:
[    1.888031]   No soundcards found.
[    1.891730] ubi0: background thread "ubi_bgt0d" started, PID 38
[    1.902247] UBIFS (ubi0:0): Mounting in unauthenticated mode
[    1.913654] UBIFS (ubi0:0): background thread "ubifs_bgt0_0" started, PID 39
[    2.030101] UBIFS (ubi0:0): recovery needed
[    2.467038] UBIFS (ubi0:0): recovery completed
[    2.471683] UBIFS (ubi0:0): UBIFS: mounted UBI device 0, volume 0, name "rootfs"
[    2.479210] UBIFS (ubi0:0): LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.489217] UBIFS (ubi0:0): FS size: 74407936 bytes (70 MiB, 586 LEBs), journal size 9023488 bytes (8 MiB, 72 LEBs)
[    2.499702] UBIFS (ubi0:0): reserved for root: 0 bytes (0 KiB)
[    2.505585] UBIFS (ubi0:0): media format: w4/r0 (latest is w5/r0), UUID CBFD45FE-89E5-4BA2-86E7-47B23AAFD4FD, small LPT model
[    2.526196] VFS: Mounted root (ubifs filesystem) on device 0:14.
[    2.538123] devtmpfs: mounted
[    2.546166] Freeing unused kernel memory: 1024K
[    2.550817] Run /sbin/init as init process

Welcome to phoenix
phoenix login: anolis_picture_width:21 picture!=NULL failed.
anolis_picture_width:21 picture!=NULL failed.
anolis_picture_width:21 picture!=NULL failed.
anolis_picture_width:21 picture!=NULL failed.
anolis_picture_width:21 picture!=NULL failed.
util_thread_start_with_sched_priority:thread 0xa15a18 is running
[    6.943846] spi_fpga_tn652: loading out-of-tree module taints kernel.
[    8.324318] input: afg3050_kbd as /devices/platform/soc/1c27000.i2c/i2c-0/0-0037/input/input0
CN2101029000000
[    8.638890] Mass Storage Function, version: 2009/09/11
[    8.644194] LUN: removable file: (no medium)
[    8.700976] dual speed tmc: IN/ep1in, OUT/ep1out, INTep2in/
[    8.707047] phy phy-1c13400.phy.0: Changing dr_mode to 1
[calibration_dds_result_read_eeprom] faild
[dds_calibration_load]open root/dds_calbration.dat failed
util_thread_start_with_sched_priority:thread 0xa1b0f8 is running
dso_acq_control:1:store_depth 4000, extra_len 64,acq_all_nm_for_read 4064,acq_dot_nm_of_timerange 4000,sample_rate = 1250000.000000
dbus session addr is unix:path=/var/run/dbus/system_bus_socket,guid=6c8daf60806bc81ddb86c4ee0000000c
dbus is valid and addr is unix:path=/var/run/dbus/system_bus_socket,guid=6c8daf60806bc81ddb86c4ee0000000c
[   13.614793] usbcore: registered new interface driver USBTMC
[   14.437448] phy phy-1c13400.phy.0: Changing dr_mode to 2
util_thread_start:thread 0xaff280 is running
********************  usb  thread   creat   *********************
[   15.819291] configfs-gadget gadget: high-speed config #1: c
[   18.007883] tmc_function_setup:32, 7
[   18.011621] tmc_function_setup:32, 7
==========str_model = DSO2D15
str_vendor = hantek
str_serial = CN2101029000000
str = hantek, DSO2D15, CN2101029000000, 1.1.0(20210517.00)

Welcome to phoenix
phoenix login: root
login[51]: root login on 'console'
unix:path=/var/run/dbus/system_bus_socket,guid=6c8daf60806bc81ddb86c4ee0000000c
# uname -a
Linux phoenix 5.2.0-licheepi-nano #127 Fri Apr 30 08:59:43 CST 2021 armv5tejl GNU/Linux
# ls /
THIS_IS_NOT_YOUR_ROOT_FILESYSTEM  mnt
bin                               opt
cache                             proc
data                              root
dev                               run
dso                               sbin
etc                               sys
lib                               sys_inf.new
lib32                             tmp
libexec                           usr
linuxrc                           var
media                             www
#



No wonder why it crashes. CPU usage is 80% all the time!
Code:
Mem: 24924K used, 30588K free, 20K shrd, 0K buff, 7204K cached
CPU:  52% usr  46% sys   0% nic   0% idle   0% io   0% irq   0% sirq
Load average: 3.65 1.90 0.77 3/33 1575
  PID  PPID USER     STAT   VSZ %VSZ %CPU COMMAND
   53     1 root     S    62536 113%  83% ./phoenix
   33     2 root     SW       0   0%   2% [spi1]
   30     2 root     IW       0   0%   1% [kworker/0:1-pm]
    7     2 root     SW       0   0%   1% [ksoftirqd/0]
 1327    51 root     R     2404   4%   1% top
    5     2 root     IW       0   0%   0% [kworker/u2:0-ev]
  107     1 dbus     S     2792   5%   0% dbus-daemon --system --print-address
   51     1 root     S     2404   4%   0% -sh
    1     0 root     S     2276   4%   0% init
   34     2 root     IW       0   0%   0% [kworker/0:2-pm]
   32     2 root     SW       0   0%   0% [spi0]
   38     2 root     SW       0   0%   0% [ubi_bgt0d]
    8     2 root     SW       0   0%   0% [kdevtmpfs]
   37     2 root     IW       0   0%   0% [kworker/0:3-pm]
   39     2 root     SW       0   0%   0% [ubifs_bgt0_0]
    2     0 root     SW       0   0%   0% [kthreadd]
    3     2 root     IW       0   0%   0% [kworker/0:0-pm]
    4     2 root     IW<      0   0%   0% [kworker/0:0H]
    6     2 root     IW<      0   0%   0% [mm_percpu_wq]
    9     2 root     IW<      0   0%   0% [netns]
« Last Edit: June 02, 2021, 01:50:31 pm by DavidAlfa »
 
The following users thanked this post: Mortymore, Algoma, AndrewBCN
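
The bootargs edit described in the post above (replacing ttyS0 with ttyS1 inside uboot-with-spl-spinand.bin) is a same-length, in-place binary patch. As an added example that is not part of the original post, this sketch makes such a patch only when the string occurs exactly once and then checks that nothing outside the patched span changed; the function names and the stand-in image are constructed here, and GNU grep is assumed.

```sh
#!/bin/sh
# Added example, not from the thread. Same-length in-place patch of a string
# inside a binary image, with checks before and after the write.
# Assumes GNU grep (-a -b -o). Function names are made up for this example.

# make_sample_image FILE: constructed stand-in bytes, NOT a real u-boot image.
make_sample_image() {
    {
        printf 'SPL\000\001\002\003'
        printf 'bootargs=earlyprintk console=ttyS0,115200 ubi.mtd=4 root=ubi0:rootfs\000'
        printf '\377\376padding\000'
    } > "$1"
}

# find_offsets FILE STRING: byte offset of every occurrence, one per line.
find_offsets() {
    LC_ALL=C grep -abo -F -e "$2" "$1" | cut -d: -f1
}

# changed_bytes A B: number of byte positions that differ between two files.
changed_bytes() {
    echo $(( $(cmp -l "$1" "$2" | wc -l) ))
}

# patch_string FILE OLD NEW
# Returns 0 on success, 1 if OLD and NEW differ in length (that would shift
# everything behind the string), 2 if OLD does not occur exactly once,
# 3 if the write or the verification fails. Keeps the original as FILE.orig.
patch_string() {
    file=$1 old=$2 new=$3
    [ "${#old}" -eq "${#new}" ] || return 1

    offset=$(find_offsets "$file" "$old")
    count=$(printf '%s\n' "$offset" | grep -c . || true)
    [ "$count" -eq 1 ] || return 2

    cp "$file" "$file.orig" || return 3
    printf '%s' "$new" |
        dd of="$file" bs=1 seek="$offset" conv=notrunc 2>/dev/null || return 3

    # The image size must not change.
    size_new=$(wc -c < "$file")
    size_old=$(wc -c < "$file.orig")
    [ "$size_new" -eq "$size_old" ] || return 3

    # cmp -l prints 1-based positions of differing bytes; every one of them
    # has to fall inside the span that was just written.
    first=$((offset + 1))
    last=$((offset + ${#new}))
    cmp -l "$file.orig" "$file" | while read -r pos _old _new; do
        [ "$pos" -ge "$first" ] && [ "$pos" -le "$last" ] || exit 1
    done || return 3
    return 0
}

# Stand-alone use: sh patch_image.sh IMAGE OLD NEW
if [ "$#" -eq 3 ]; then
    patch_string "$1" "$2" "$3"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "patched, $(changed_bytes "$1.orig" "$1") byte(s) changed"
    fi
    exit "$rc"
fi
```

A return code of 2 on a real image means the string is absent or present more than once, and the matches need to be reviewed by hand before anything is written.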

Online DavidAlfa

« Reply #85 on: June 02, 2021, 12:07:27 pm »
However u-boot is still quiet. Checking the binary I found these strings:
serial0
serial0:115200n8
/soc/serial@1c25000

1c25000 is the UART0 address! Tried replacing it with 1c25400 (UART1) but it crashes.
Replacing any of "serial0" strings with "serial1" also crashes.

Maybe it's not implemented or hardcoded somewhere, further investigation is needed.


« Last Edit: June 02, 2021, 12:18:26 pm by DavidAlfa »
 

Offline AndrewBCN

« Reply #86 on: June 02, 2021, 01:38:26 pm »
DavidAlfa, you got a root shell, this opens up infinite possibilities!
Amazing work!  :-+  :-BROKE

Btw there usually is some interesting information to be found inside /proc. For example, if /proc/config.gz is there, that is the configuration file for the kernel when it was compiled.

In any case, congratulations!
 

Online DavidAlfa

« Reply #87 on: June 02, 2021, 01:49:08 pm »
I had already searched for that file, but it's missing. Neither there's cpu clock control. |O

The memory bus seems to be 16bit, so there's a big bottleneck there.
Some people did overclock the cpu  to 800MHz, and DDR to 240MHz (From 156MHz).
That should help a little!
 
The following users thanked this post: AndrewBCN

Offline AndrewBCN

« Reply #88 on: June 02, 2021, 02:24:58 pm »
DavidAlfa,
I would leave the overclocking for later, since usually with these ARM SOCs, the various clocks are interconnected, including the memory, USB clock, the video clock, UART, etc. (all the peripherals on the AHB (Arm High speed Bus)).

The most important information if you want to recompile the kernel is to find the kernel configuration information and the dtb file. If the kernel config is not in /proc it could be somewhere else, or you can try using George Hilliard's kernel config as a start, and enable the modules that you think are missing. There is probably a proprietary module for the ASIC, but that too can come later.

In any case, as root, you now have total control of the DSO. Check how you can write something to the LCD display, perhaps? And the USB connector at the back can probably be used as a serial-over-USB port, so in theory at least one could just connect the USB cable to a PC and login to the DSO (definitely more practical than soldering a USB to serial adapter to the PCB).
 

Online DavidAlfa

« Reply #89 on: June 02, 2021, 02:51:18 pm »
I leave that for more experienced linux users, this is not my field!
I can fight for days to achieve something, then someone comes and makes 10x more work in 5 minutes.

As far as I've seen, it seems everything has its own PLL, so there should be no issues?

I found this u-boot already patched that supports nand spi flash:
https://github.com/TiNredmc/u-boot

There you can see that core runs at 408MHz and RAM at 156MHz.
I'm playing with it...
 

Offline AndrewBCN

« Reply #90 on: June 02, 2021, 02:54:45 pm »
Quote
However u-boot is still quiet. Checking the binary I found these strings:
serial0
serial0:115200n8
/soc/serial@1c25000

1c25000 is the UART0 address! Tried replacing it with 1c25400 (UART1) but it crashes.
Replacing any of "serial0" strings with "serial1" also crashes.

Maybe it's not implemented or hardcoded somewhere, further investigation is needed.

Yes, you have to recompile u-boot to change the serial port it uses as a boot console. You can use the source at George Hilliard's GitHub account. But since you already have a Linux console as root, I don't think you really need a console for u-boot.
 

Online DavidAlfa

« Reply #91 on: June 02, 2021, 03:15:38 pm »
You seem to know a lot, why don't you recompile it? ;D
 

Offline AndrewBCN

« Reply #92 on: June 02, 2021, 08:41:07 pm »
DavidAlfa,
Check BuildRoot here: https://buildroot.org/
You can use George Hilliard's buildroot configuration file, it will install the toolchain and build u-boot, the kernel and a basic Linux root filesystem for the L1C200s which should in principle boot in the DSO and give you the same root console access that you have now, but with control of the kernel (so you can compile different modules, etc).

If you want to further hack your DSO that is one way of doing it. Another way is to reverse engineer the user program(s) that is(are) responsible for the DSO functions. I believe it should be possible to load a module for a USB serial driver that will give you access to a root console through the USB A connector on the back of the DSO. Quite possibly the module is already compiled, in fact.

Personally I am not interested in hacking my DSO2C10, I just want to use it in my home projects and it's working well enough for my purposes as it is.
 

Online DavidAlfa

« Reply #93 on: June 02, 2021, 08:50:35 pm »
I've tried, no way. Too complex for me. The compiled u-boot images don't work.
Since the CPU load is 80%, my intention was to overclock it and see if the performance gets better.
I don't plan to reverse engineer anything, but I left the door open for everyone!
And that's where my knowledge/time wasting ends.
« Last Edit: June 02, 2021, 08:52:21 pm by DavidAlfa »
 

Online DavidAlfa

« Reply #94 on: June 03, 2021, 01:11:58 am »
I thought of directly writing to the SOC registers, by accessing memory space using devmem.
It turned out to work! Made some compression tests:
Code:
After clean boot:
14.76s
15.14s
15.23s
15.15s

# Set CPU PLL multiplier to 29 (720MHz). Stock=16(408MHz)
devmem 0x1C20000 32 0x90001D00

# Set DDR PLL Multiplier to 17(432MHz). Stock=12(312MHz)
devmem 0x1C20020 32 0x90101100
10.19s
10.99s
10.53s
10.52s
So it clearly does something. 50% extra performance!

It's nice to know we can access the SOC registers directly :D
The stability needs to be tested. Any higher than those values resulted in crashes and exceptions.
To apply at boot time I edited /etc/init.d/S31local.sh.
I also fixed the script, as Hantek programmers didn't care about the start and stop arguments, so it would start another process of Phoenix when rebooting, sometimes crashing.
I guess they didn't care because the DSO is never supposed to be rebooted from the console!

Code: (/etc/init.d/S31local.sh)
#!/bin/sh

# Increase frequency in small steps, too fast would cause a crash sometimes.
apply_oc () {
    echo "Applying Overclock!"> /dev/kmsg
    #set CPU to 696MHz
    devmem 0x1C20000 32 0x90001100
    sleep 0.2
    devmem 0x1C20000 32 0x90001200
    sleep 0.2
    devmem 0x1C20000 32 0x90001300
    sleep 0.2
    devmem 0x1C20000 32 0x90001400
    sleep 0.2
    devmem 0x1C20000 32 0x90001500
    sleep 0.2
    devmem 0x1C20000 32 0x90001600
    sleep 0.2
    devmem 0x1C20000 32 0x90001700
    sleep 0.2
    devmem 0x1C20000 32 0x90001800
    sleep 0.2
    devmem 0x1C20000 32 0x90001900
    sleep 0.2
    devmem 0x1C20000 32 0x90001A00
    sleep 0.2
    devmem 0x1C20000 32 0x90001B00
    sleep 0.2
    devmem 0x1C20000 32 0x90001C00
    sleep 0.2
    devmem 0x1C20000 32 0x90001D00
    sleep 0.2

    # set DDR to 408MHz
    devmem 0x1C20020 32 0x90100D00
    sleep 0.2
    devmem 0x1C20020 32 0x90100E00
    sleep 0.2
    devmem 0x1C20020 32 0x90100F00
    sleep 0.2
    devmem 0x1C20020 32 0x90101000
    sleep 0.2
    devmem 0x1C20020 32 0x90101100
    sleep 0.2
}

if [ "$1" = "start" ]; then
    # Apply OC and start DSO software
    apply_oc
    /dso/etc/boot.sh &

elif [ "$1" = "stop" ]; then
    # Kill the DSO software
    pidof phoenix | xargs kill -9

fi

I don't know if it's placebo or not, but the system seems a little more responsive!
« Last Edit: August 14, 2021, 02:50:41 pm by DavidAlfa »
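
The ramp in the script above, rewritten as a bounded loop with a dry-run mode, as an added example that is not DavidAlfa's code. It assumes the N factor occupies bits 12:8 of both PLL registers and that the clock is 24 MHz × (N + 1), which reproduces the 720 MHz / 432 MHz figures in the thread's benchmark captions; `pll_mhz`, `step`, `ramp` and `DRY_RUN` are names introduced here.

```shell
#!/bin/sh
# Added example, not the original init script. Assumption: the PLL N factor
# sits in bits 12:8 and the output clock is 24 MHz * (N + 1), with K = M = 1.

PLL_CPU=0x1C20000     # register addresses as used in the post
PLL_DDR=0x1C20020
CPU_BASE=0x90000000   # upper bits copied from the post's CPU values
DDR_BASE=0x90100000   # upper bits copied from the post's DDR values
CPU_MAX_N=0x1D        # highest N field the post's script writes
DDR_MAX_N=0x11

# pll_mhz VALUE: frequency in MHz encoded by a register value.
pll_mhz () {
    echo $(( ((($1 >> 8) & 0x1F) + 1) * 24 ))
}

# step ADDR VALUE: print the write, or perform it when DRY_RUN=0 (on the scope).
step () {
    if [ "${DRY_RUN:-1}" = 0 ]; then
        devmem "$1" 32 "$2" && sleep 0.2
    else
        echo "devmem $1 32 $2"
    fi
}

# ramp ADDR BASE FROM_N TO_N MAX_N: walk N up one step at a time,
# refusing any target above the highest value the post reached.
ramp () {
    addr=$1 base=$(($2)) n=$(($3)) to=$(($4)) max=$(($5))
    if [ "$n" -gt "$to" ] || [ "$to" -gt "$max" ]; then
        echo "refusing ramp to N=$to (limit $max)" >&2
        return 1
    fi
    while [ "$n" -le "$to" ]; do
        step "$addr" "$(printf '0x%08X' $(( base | (n << 8) )))" || return 1
        n=$((n + 1))
    done
}

# Dry run of the same sequence the post's apply_oc() performs.
ramp "$PLL_CPU" "$CPU_BASE" 0x11 0x1D "$CPU_MAX_N"
ramp "$PLL_DDR" "$DDR_BASE" 0x0D 0x11 "$DDR_MAX_N"
echo "CPU $(pll_mhz 0x90001D00) MHz, DDR $(pll_mhz 0x90101100) MHz"
```

With the default `DRY_RUN=1` nothing is written; the output is the list of `devmem` commands to review before running it with `DRY_RUN=0` on the scope.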
 

Offline AndrewBCN

  • Frequent Contributor
  • **
  • Posts: 571
  • Country: fr
Re: Hacking the DSO2X1X
« Reply #95 on: June 03, 2021, 10:28:44 am »
Well done, DavidAlfa! Very, very impressive hacking.  :-+

Note that with increased CPU clock and DDR clock, the chip temperatures have probably gone up considerably, it would be good to check the temperatures before/after overclocking. And unfortunately the little L1C200s SOC does not have an onboard temperature sensor, so you'll have to rely on an external infrared thermometer for that.
 

Online DavidAlfa

  • Super Contributor
  • ***
  • Posts: 5890
  • Country: es
Re: Hacking the DSO2X1X
« Reply #96 on: June 03, 2021, 03:03:00 pm »
Yeah, it's strange that such a highly integrated SOC doesn't have something as simple as a temp sensor. C'mon, it even has TV input!
Sad, all I have is my finger IR sensor. I don't think it gets so hot, at stock speeds it barely gets warm.
I'm tired of disassembling it!  ::)

Before running benchmarks, remember to kill phoenix process! (screen will freeze, don't panic)
Code: [Select]
pidof phoenix | xargs kill -9

To make it easier, so you can just type "stop" to kill phoenix process:
Code: [Select]
echo "pidof phoenix | xargs kill -9" >/usr/bin/stop
chmod +x  /usr/bin/stop
sync

I wrote a small Pi calculation program.
Copy-pasted some code from the internet and adapted it for my needs, making a Pi benchmark.
Cross-compiled to ARM, worked great.
My idea was, being very small, it should avoid cache misses and show the real cpu performance difference.
There was very little difference between O1, O2, O3 and Os optimizations, less than 1%.
From O0 it was 10% faster. I had to compile with static libraries, as it complained about LIBC libraries version.

And it's very obvious:

Code: (CPU:408MHz RAM:312MHz) [Select]
# ./pi 1000000
Starting PI...

 Pi:    3.141592653589794004176383168669417500495910644531250000000000
 Loops: 1000000
 Time:  9932mS

Code: (CPU:720MHz RAM:312MHz) [Select]
# ./pi 1000000
Starting PI...

 Pi:    3.141592653589794004176383168669417500495910644531250000000000
 Loops: 1000000
 Time:  5626mS

Almost 200% cpu power!

In this case, DDR speed made no difference, clearly stating my cache supposition.
Code: (CPU:720MHz RAM:432) [Select]
# ./pi 1000000
Starting PI...

 Pi:    3.141592653589794004176383168669417500495910644531250000000000
 Loops: 1000000
 Time:  5624mS

Benchmarked it for 10 minutes, no stability issues. Running top showed 100% cpu usage
Code: (CPU:720MHz RAM:432MHz) [Select]
# pi 100000000
Starting PI...

 Pi:    3.141592653589794004176383168669417500495910644531250000000000
 Loops: 100000000
 Time:  568621mS

However in memory operations the DDR performance boost is huge:
Code: (CPU:720MHz RAM:312MHz) [Select]
# time dd if=/dev/zero of=/dev/null bs=1M count=8192
8192+0 records in
8192+0 records out
real    0m 35.62s
user    0m 0.02s
sys     0m 35.59s

Code: (CPU:720MHz RAM:432MHz) [Select]
# time dd if=/dev/zero of=/dev/null bs=1M count=8192
8192+0 records in
8192+0 records out
real    0m 24.76s
user    0m 0.00s
sys     0m 24.76s

I used the scope for few hours with no issues.
[Irony on] With this cpu power, you could start mining bitcoin and it would self-pay in about 10 years! [Irony off]

I made a video. Notice how the FFT update rate almost doubles with the overclock!



Now I'm figuring out how to write to the display buffer.
We need DOOM running in this!
« Last Edit: August 14, 2021, 02:49:38 pm by DavidAlfa »
 

Online DavidAlfa

  • Super Contributor
  • ***
  • Posts: 5890
  • Country: es
Re: Hacking the DSO2X1X
« Reply #97 on: June 03, 2021, 11:40:00 pm »
More hacking! The Model, Serial, Vendor and PCB can be changed using the VISA API.
Running strings in Phoenix app showed to be very productive:
Quote
PRIVate:SET:SERIal
PRIVate:SET:SERIal?
PRIVate:SET:MODEl1
PRIVate:SET:MODEl2
PRIVate:SET:MODEl?
PRIVate:SET:VENDor
PRIVate:SET:VENDor?
PRIVate:SET:PCB
PRIVate:SET:PCB?
PRIVate:SET:LANGuage:VALId
PRIVate:SET:LANGuage:CONFig
PRIVate:CLEAr:EE
PRIVate:SET:BIAS
PRIVate:SET:CODE
PRIVate:SET:BOARD
PRIVate:SET:BOARD?
PRIVate:GET:ERRO?
PRIVate:FACTORY:RESET
PRIVate:WRITE:EEPROM
PRIVate:READ:EEPROM
PRIVate:READ:BANDWidth
PRIVate:TEST:RESUlt?
PRIVate:HARDWare:TEST
PRIVate:HARDWare:INFO
DDS:CAL:OFFSet
DDS:CAL:AMP
DDS:CAL:RESUlt
PRIVate:TEST:CH1:FACTOR
PRIVate:TEST:CH2:FACTOR
PRIVate:RELAY
SYSTem:ERRor?
SYSTem:ERRor:NEXT?
SYSTem:ERRor:COUNt?
SYSTem:VERSion?
SYSTem:IP
SYSTem:IP?
SYSTem:SET:TIME
SYSTem:TIME?
SYSTem:USB?
STATus:QUEStionable?
STATus:QUEStionable:EVENt?
STATus:QUEStionable:ENABle
STATus:QUEStionable:ENABle?
STATus:PRESet
AUTorange:STARt
AUTorange:STOP
SETUp:NORMal?
PRIVate:GET:STATus?
CHANnel1:BWLimit
CHANnel1:BWLimit?
CHANnel1:COUPling
CHANnel1:COUPling?
CHANnel1:DISPlay
CHANnel1:DISPlay?
CHANnel1:INVert
CHANnel1:INVert?
CHANnel1:OFFSet
CHANnel1:OFFSet?
CHANnel1:RANGe
CHANnel1:RANGe?
CHANnel1:SCALe
CHANnel1:SCALe?
CHANnel1:PROBe
CHANnel1:PROBe?
CHANnel1:VERNier
CHANnel1:VERNier?
CHANnel2:BWLimit
CHANnel2:BWLimit?
CHANnel2:COUPling
CHANnel2:COUPling?
CHANnel2:DISPlay
CHANnel2:DISPlay?
CHANnel2:INVert
CHANnel2:INVert?
CHANnel2:OFFSet
CHANnel2:OFFSet?
CHANnel2:RANGe
CHANnel2:RANGe?
CHANnel2:SCALe
CHANnel2:SCALe?
CHANnel2:PROBe
CHANnel2:PROBe?
CHANnel2:VERNier
CHANnel2:VERNier?
CHANnel3:BWLimit
CHANnel3:BWLimit?
CHANnel3:COUPling
CHANnel3:COUPling?
CHANnel3:DISPlay
CHANnel3:DISPlay?
CHANnel3:INVert
CHANnel3:INVert?
CHANnel3:OFFSet
CHANnel3:OFFSet?
CHANnel3:RANGe
CHANnel3:RANGe?
CHANnel3:SCALe
CHANnel3:SCALe?
CHANnel3:PROBe
CHANnel3:PROBe?
CHANnel3:VERNier
CHANnel3:VERNier?
CHANnel4:BWLimit
CHANnel4:BWLimit?
CHANnel4:COUPling
CHANnel4:COUPling?
CHANnel4:DISPlay
CHANnel4:DISPlay?
CHANnel4:INVert
CHANnel4:INVert?
CHANnel4:OFFSet
CHANnel4:OFFSet?
CHANnel4:RANGe
CHANnel4:RANGe?
CHANnel4:SCALe
CHANnel4:SCALe?
CHANnel4:PROBe
CHANnel4:PROBe?
CHANnel4:VERNier
CHANnel4:VERNier?
TIMebase:WINDow:ENABle
TIMebase:WINDow:ENABle?
TIMebase:WINDow:POSition
TIMebase:WINDow:POSition?
TIMebase:WINDow:SCALe
TIMebase:WINDow:SCALe?
TIMebase:WINDow:RANGe
TIMebase:WINDow:RANGe?
TIMebase:POSition
TIMebase:POSition?
TIMebase:SCALe
TIMebase:SCALe?
TIMebase:RANGe
TIMebase:RANGe?
TIMebase:MODE
TIMebase:MODE?
TIMebase:VERNier
TIMebase:VERNier?
TIMebase:XY:XSOUrce
TIMebase:XY:XSOUrce?
TIMebase:XY:YSOUrce
TIMebase:XY:YSOUrce?
ACQuire:MODe
ACQuire:MODe?
ACQuire:POINts
ACQuire:POINts?
ACQuire:TYPE
ACQuire:TYPE?
ACQuire:SRATe?
ACQuire:COUNt
ACQuire:COUNt?
TRIGger:FORCe
TRIGger:MODE
TRIGger:MODE?
TRIGger:COUPling
TRIGger:COUPling?
TRIGger:STATus?
TRIGger:SWEep
TRIGger:SWEep?
TRIGger:HOLDoff
TRIGger:HOLDoff?
TRIGger:NREJect
TRIGger:NREJect?
TRIGger:SENSitivity
TRIGger:SENSitivity?
TRIGger:EDGe:SOURce
TRIGger:EDGe:SOURce?
TRIGger:EDGe:SLOPe
TRIGger:EDGe:SLOPe?
TRIGger:EDGe:LEVel
TRIGger:EDGe:LEVel?
TRIGger:PULSe:SOURce
TRIGger:PULSe:SOURce?
TRIGger:PULSe:POLarity
TRIGger:PULSe:POLarity?
TRIGger:PULSe:WHEN
TRIGger:PULSe:WHEN?
TRIGger:PULSe:WIDth
TRIGger:PULSe:WIDth?
TRIGger:PULSe:LEVel
TRIGger:PULSe:LEVel?
TRIGger:SLOPe:SOURce
TRIGger:SLOPe:SOURce?
TRIGger:SLOPe:POLarity
TRIGger:SLOPe:POLarity?
TRIGger:SLOPe:WHEN
TRIGger:SLOPe:WHEN?
TRIGger:SLOPe:WIDth
TRIGger:SLOPe:WIDth?
TRIGger:SLOPe:ALEVel
TRIGger:SLOPe:ALEVel?
TRIGger:SLOPe:BLEVel
TRIGger:SLOPe:BLEVel?
TRIGger:TV:SOURce
TRIGger:TV:SOURce?
TRIGger:TV:POLarity
TRIGger:TV:POLarity?
TRIGger:TV:MODE
TRIGger:TV:MODE?
TRIGger:TV:LINE
TRIGger:TV:LINE?
TRIGger:TV:STANdard
TRIGger:TV:STANdard?
TRIGger:VIDeo:LEVel
TRIGger:VIDeo:LEVel?
TRIGger:TIMeout:SOURce
TRIGger:TIMeout:SOURce?
TRIGger:TIMeout:LEVel
TRIGger:TIMeout:LEVel?
TRIGger:TIMeout:WIDth
TRIGger:TIMeout:WIDth?
TRIGger:TIMeout:POLarity
TRIGger:TIMeout:POLarity?
TRIGger:WINDOw:SOURce
TRIGger:WINDOw:SOURce?
TRIGger:WINDOw:ALEVel
TRIGger:WINDOw:ALEVel?
TRIGger:WINDOw:BLEVel
TRIGger:WINDOw:BLEVel?
TRIGger:INTERVAl:SOURce
TRIGger:INTERVAl:SOURce?
TRIGger:INTERVAl:SLOp
TRIGger:INTERVAl:SLOp?
TRIGger:INTERVAl:WHEN
TRIGger:INTERVAl:WHEN?
TRIGger:INTERVAl:TIME
TRIGger:INTERVAl:TIME?
TRIGger:INTERVAl:ALEVel
TRIGger:INTERVAl:ALEVel?
TRIGger:UNDER_Am:SOURce
TRIGger:UNDER_Am:SOURce?
TRIGger:UNDER_Am:POLarity
TRIGger:UNDER_Am:POLarity?
TRIGger:UNDER_Am:WHEN
TRIGger:UNDER_Am:WHEN?
TRIGger:UNDER_Am:TIME
TRIGger:UNDER_Am:TIME?
TRIGger:UNDER_Am:ALEVel
TRIGger:UNDER_Am:ALEVel?
TRIGger:UNDER_Am:BLEVel
TRIGger:UNDER_Am:BLEVel?
TRIGger:UART:SOURce
TRIGger:UART:SOURce?
TRIGger:UART:CONdition
TRIGger:UART:CONdition?
TRIGger:UART:BAUd
TRIGger:UART:BAUd?
TRIGger:UART:ALEVel
TRIGger:UART:ALEVel?
TRIGger:UART:DATA
TRIGger:UART:DATA?
TRIGger:UART:WIDTh
TRIGger:UART:WIDTh?
TRIGger:UART:STOP
TRIGger:UART:STOP?
TRIGger:UART:PARIty
TRIGger:UART:PARIty?
TRIGger:UART:WHEN
TRIGger:UART:WHEN?
TRIGger:UART:IDLe
TRIGger:UART:IDLe?
TRIGger:CAN:SOURce
TRIGger:CAN:SOURce?
TRIGger:CAN:IDLe
TRIGger:CAN:IDLe?
TRIGger:CAN:BAUd
TRIGger:CAN:BAUd?
TRIGger:CAN:CONdition
TRIGger:CAN:CONdition?
TRIGger:CAN:ID
TRIGger:CAN:ID?
TRIGger:CAN:DLC
TRIGger:CAN:DLC?
TRIGger:CAN:DATA
TRIGger:CAN:DATA?
TRIGger:CAN:ALEVel
TRIGger:CAN:ALEVel?
TRIGger:CAN:VALId
TRIGger:CAN:VALId?
TRIGger:LIN:SOURce
TRIGger:LIN:SOURce?
TRIGger:LIN:IDLe
TRIGger:LIN:IDLe?
TRIGger:LIN:BAUd
TRIGger:LIN:BAUd?
TRIGger:LIN:CONdition
TRIGger:LIN:CONdition?
TRIGger:LIN:ID
TRIGger:LIN:ID?
TRIGger:LIN:DATA
TRIGger:LIN:DATA?
TRIGger:LIN:ALEVel
TRIGger:LIN:ALEVel?
TRIGger:LIN:VALId
TRIGger:LIN:VALId?
TRIGger:IIC:SDA:SOURce
TRIGger:IIC:SDA:SOURce?
TRIGger:IIC:SCL:SOURce
TRIGger:IIC:SCL:SOURce?
TRIGger:IIC:CONdition
TRIGger:IIC:CONdition?
TRIGger:IIC:ADDer
TRIGger:IIC:ADDer?
TRIGger:IIC:DATA
TRIGger:IIC:DATA?
TRIGger:IIC:ALEVel
TRIGger:IIC:ALEVel?
TRIGger:IIC:BLEVel
TRIGger:IIC:BLEVel?
TRIGger:IIC:VALId
TRIGger:IIC:VALId?
TRIGger:IIC:ACT:LEVEl
TRIGger:IIC:ACT:LEVEl?
TRIGger:SPI:SDA:SOURce
TRIGger:SPI:SDA:SOURce?
TRIGger:SPI:SCL:SOURce
TRIGger:SPI:SCL:SOURce?
TRIGger:SPI:IDLe
TRIGger:SPI:IDLe?
TRIGger:SPI:SCK
TRIGger:SPI:SCK?
TRIGger:SPI:WIDth
TRIGger:SPI:WIDth?
TRIGger:SPI:DATA
TRIGger:SPI:DATA?
TRIGger:SPI:MASK
TRIGger:SPI:MASK?
TRIGger:SPI:ALEVel
TRIGger:SPI:ALEVel?
TRIGger:SPI:BLEVel
TRIGger:SPI:BLEVel?
TRIGger:SPI:OVERtime
TRIGger:SPI:OVERtime?
TRIGger:SPI:ACT:LEVEl
TRIGger:SPI:ACT:LEVEl?
TRIGger:PATTern:PATTern
TRIGger:PATTern:PATTern?
TRIGger:PATTern:LEVel
TRIGger:PATTern:LEVel?
CALibrate:STARt
CALibrate:STATus?
CALibrate:QUIT
CALibrate:GET:TEMPerture?
CALibrate:GET:CONDition?
MATH:DISPlay
MATH:DISPlay?
MATH:OPERator
MATH:OPERator?
MATH:SOURce1
MATH:SOURce1?
MATH:SOURce2
MATH:SOURce2?
MATH:SCALe
MATH:SCALe?
MATH:OFFSet
MATH:OFFSet?
MATH:FFT:SOURce
MATH:FFT:SOURce?
MATH:FFT:WINDow
MATH:FFT:WINDow?
MATH:FFT:UNIT
MATH:FFT:UNIT?
MATH:FFT:HSCale
MATH:FFT:HSCale?
MATH:FFT:HCENter
MATH:FFT:HCENter?
REFerence1:DISPlay
REFerence1:DISPlay?
REFerence1:SOURce
REFerence1:SOURce?
REFerence1:VSCale
REFerence1:VSCale?
REFerence1:VOFFset
REFerence1:VOFFset?
REFerence1:CURRent
REFerence1:CURRent?
REFerence1:SAVe
REFerence2:DISPlay
REFerence2:DISPlay?
REFerence2:SOURce
REFerence2:SOURce?
REFerence2:VSCale
REFerence2:VSCale?
REFerence2:VOFFset
REFerence2:VOFFset?
REFerence2:CURRent
REFerence2:CURRent?
REFerence2:SAVe
WAVeform:SOURce
WAVeform:SOURce?
WAVeform:SOURce:SUBSource
WAVeform:SOURce:SUBSource?
WAVeform:BYTeorder
WAVeform:BYTeorder?
WAVeform:FORMat
WAVeform:FORMat?
WAVeform:POINts:MODE
WAVeform:POINts:MODE?
WAVeform:UNSigned
WAVeform:UNSigned?
WAVeform:PREamble?
WAVeform:COUNt?
WAVeform:POINts
WAVeform:POINts?
WAVeform:STARt
WAVeform:STARt?
WAVeform:STOP
WAVeform:STOP?
WAVeform:DATA
WAVeform:DATA:DISP?
PRIVate:WAVeform:DATA:ALL?
WAVeform:XINCrement?
WAVeform:XORigin?
WAVeform:XREFerence?
WAVeform:YINCrement?
WAVeform:YORigin?
WAVeform:YREFerence?
DISPlay:CLEar
DISPlay:DATA?
DISPlay:TYPE
DISPlay:TYPE?
DISPlay:GRADing:TIME
DISPlay:WBRightness
DISPlay:WBRightness?
DISPlay:GRID
DISPlay:GRID?
DISPlay:GBRightness
DISPlay:GBRightness?
CURSor:MODE
CURSor:MODE?
CURSor:MANual:TYPE
CURSor:MANual:TYPE?
CURSor:MANual:SOURce
CURSor:MANual:SOURce?
CURSor:MANual:AX
CURSor:MANual:AX?
CURSor:MANual:AXValue?
CURSor:MANual:AY
CURSor:MANual:AY?
CURSor:MANual:AYValue?
CURSor:MANual:BX
CURSor:MANual:BX?
CURSor:MANual:BXValue?
CURSor:MANual:BY
CURSor:MANual:BY?
CURSor:MANual:BYValue?
CURSor:MANual:XDELta?
CURSor:MANual:YDELta?
CURSor:MANual:IXDELta?
CURSor:TRACk:SOURcea
CURSor:TRACk:SOURcea?
CURSor:TRACk:SOURceb
CURSor:TRACk:SOURceb?
CURSor:TRACk:AX
CURSor:TRACk:AX?
CURSor:TRACk:AXValue?
CURSor:TRACk:AY?
CURSor:TRACk:AYValue?
CURSor:TRACk:BX
CURSor:TRACk:BX?
CURSor:TRACk:BXValue?
CURSor:TRACk:BY?
CURSor:TRACk:BYValue?
CURSor:TRACk:XDELta?
CURSor:TRACk:YDELta?
CURSor:TRACk:IXDELta?
MEASure:ENABle
MEASure:ENABle?
MEASure:SOURce
MEASure:SOURce?
MEASure:COUNter:VALue?
MEASure:CLEar
MEASure:RECover
MEASure:ADISplay
MEASure:ADISplay?
MEASure:AMSource
MEASure:AMSource?
MEASure:CHANnel1:ITEM
MEASure:CHANnel2:ITEM
MEASure:CHANnel3:ITEM
MEASure:CHANnel4:ITEM
MEASure:CHANnel1:ITEM?
MEASure:CHANnel2:ITEM?
MEASure:CHANnel3:ITEM?
MEASure:CHANnel4:ITEM?
MEASure:MATH:ITEM?
MEASure:GATE:ENABle
MEASure:GATE:ENABle?
MEASure:GATE:AY
MEASure:GATE:AY?
MEASUre:GATE:BY
MEASure:GATE:BY?
MEASure:COUNter
MEASure:CHANnel1:COUNter?
MEASure:CHANnel2:COUNter?
MEASure:CHANnel3:COUNter?
MEASure:CHANnel4:COUNter?
MEASure:CHANnel1:FREQ?
MEASure:CHANnel2:FREQ?
MEASure:CHANnel3:FREQ?
MEASure:CHANnel4:FREQ?
MEASure:DEL:ALL
MASK:EANBle
MASK:EANBle?
MASK:SOURce
MASK:SOURce?
MASK:OPERate
MASK:OPERate?
MASK:MDISplay
MASK:MDISplay?
MASK:SOOutput
MASK:SOOutput?
MASK:OUTPut
MASK:OUTPut?
MASK:X
MASK:X?
MASK:Y
MASK:Y?
MASK:CREate
MASK:PASSed?
MASK:FAILed?
MASK:TOTal?
SAVE:SETup
SAVE:MULTi
SAVE:CSV
SAVE:IMAGe
SAVE:MASK
RECall:SETup
RECall:MULTi
RECall:MASK
SYSTem:GAM?
SYSTem:RAM?
SYSTem:PON
SYSTem:PON?
SYSTem:LANGuage
SYSTem:LANGuage?
SYSTem:LOCKed
SYSTem:LOCKed?
DDS:SWITch
DDS:SWITch?
DDS:TYPE
DDS:TYPE?
DDS:FREQ
DDS:FREQ?
DDS:AMP
DDS:AMP?
DDS:OFFSet
DDS:OFFSet?
DDS:DUTY
DDS:DUTY?
DDS:WAVE:MODE
DDS:WAVE:MODE?
DDS:MODE:TYPE
DDS:MODE:TYPE?
DDS:MODE:WAVE:TYPE
DDS:MODE:WAVE:TYPE?
DDS:MODE:FREQ
DDS:MODE:FREQ?
DDS:MODE:DEPThordeviation
DDS:MODE:DEPThordeviation?
DDS:BURSt:SWITch
DDS:BURSt:SWITch?
DDS:BURSt:TYPE
DDS:BURSt:TYPE?
DDS:BURSt:CNT
DDS:BURSt:CNT?
DDS:BURSt:SRC
DDS:BURSt:SRC?
DDS:BURSt:SLOPE
DDS:BURSt:SLOPE?
DDS:BURSt:GATE:POLArity
DDS:BURSt:GATE:POLArity?
DDS:BURSt:TRIGger
DDS:SETUp:ALL?


You can send these commands using Keysight Interactive IO.
Also, you can open Keysight IO Monitor and see what DigitalScope or WaveEditor apps are doing.

PRIVate:FACTORY:RESET does what its name says. Resets the user settings and reboots. Serial and model remain unchanged.

Be careful of these commands!
- PRIVate:WRITE:EEPROM
- PRIVate:CLEAr:EE


PRIVate:READ:EEPROM returns:
Code: [Select]
<- 0????????????????????????«x01»«x01»
But in the IO Monitor:
Code: [Select]
30 ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff
ff 01 01
I don't know how to restore these values since the cmd box only allows ascii characters!

The commands ending in '?' are queries. First, you send them, then click on "Read response".
The commands with arguments don't have a response.
Don't execute a read response if you didn't send a query first; phoenix handles that pretty badly, it's easy to cause a buffer overflow, crashing the system.

You can easily change the values in seconds:
Code: [Select]
PRIVate:SET:MODEl1 DSO2D15
PRIVate:SET:SERIal CN2101029000000
PRIVate:SET:VENDor Hantek
PRIVate:SET:PCB "000.000.000.000.000.000.000.001"



« Last Edit: April 29, 2022, 03:35:45 pm by DavidAlfa »
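
A client-side guard for the two warnings in the post above (the EEPROM commands, and reading a response when no query is pending), as an added example that is not part of the original post or of Hantek's software. The transport hooks `scpi_send`/`scpi_read`, the `ALLOW_DESTRUCTIVE` override and the short-form matching (capital letters as the accepted abbreviation, the usual SCPI convention) are assumptions, not confirmed behaviour of this firmware.

```shell
#!/bin/sh
# Added example, not Hantek or forum code. scpi_send/scpi_read are hypothetical
# transport hooks that only print here, so the guard runs offline.

# The two commands the post warns about, spelled as in the strings output.
BLOCKED="PRIVate:WRITE:EEPROM PRIVate:CLEAr:EE"
PENDING=0   # 1 while a query was sent and its response has not been read

scpi_send () { echo ">> $*"; }
scpi_read () { echo "<< (response read here)"; }

# node_matches USER SPEC: USER equals SPEC's long form or its short form
# (the capital letters), case-insensitively. Assumed SCPI convention.
node_matches () {
    u=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    long=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    short=$(printf '%s' "$2" | tr -d 'a-z')
    [ "$u" = "$long" ] || [ "$u" = "$short" ]
}

# header_matches USER SPEC: compare the two headers node by node on ':'.
header_matches () {
    uh=$1 sp=$2
    while :; do
        node_matches "${uh%%:*}" "${sp%%:*}" || return 1
        case $uh in *:*) uh=${uh#*:} ;; *) uh= ;; esac
        case $sp in *:*) sp=${sp#*:} ;; *) sp= ;; esac
        if [ -z "$uh" ] && [ -z "$sp" ]; then return 0; fi
        if [ -z "$uh" ] || [ -z "$sp" ]; then return 1; fi
    done
}

# guard_send HEADER [ARGS...]: 0 if sent, 1 if refused.
guard_send () {
    hdr=${1%\?}
    hdr=${hdr#:}
    for spec in $BLOCKED; do
        if header_matches "$hdr" "$spec" && [ "${ALLOW_DESTRUCTIVE:-0}" != 1 ]; then
            echo "refused: $1 matches $spec" >&2
            return 1
        fi
    done
    scpi_send "$@"
    case $1 in *\?) PENDING=1 ;; esac
    return 0
}

# guard_read: read only when a query is outstanding, as the post advises.
guard_read () {
    if [ "$PENDING" != 1 ]; then
        echo "refused: no query outstanding" >&2
        return 1
    fi
    scpi_read
    PENDING=0
}

guard_read || true                              # refused, nothing queried yet
guard_send "PRIVate:SET:SERIal?" && guard_read  # query, then one read
guard_send "priv:clea:ee" || true               # refused, short form included
```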
 

Online DavidAlfa

  • Super Contributor
  • ***
  • Posts: 5890
  • Country: es
Re: Hacking the DSO2X1X
« Reply #98 on: June 04, 2021, 01:01:38 am »
People complained about the UART decoding only showing HEX data.
It was extremely easy to patch the phoenix binary to show ASCII:

Sync decode patch:







Monitor patch:



« Last Edit: June 04, 2021, 01:56:38 am by DavidAlfa »
 
The following users thanked this post: trmntr

Offline AndrewBCN

  • Frequent Contributor
  • **
  • Posts: 571
  • Country: fr
Re: Hacking the DSO2X1X
« Reply #99 on: June 04, 2021, 01:18:34 am »
DavidAlfa,
If you have the time, could you please check what happens when you plug in the DSO to your PC using the USB cable on the back:
1. What is the kernel message you get (dmesg)?
2. What kernel module if any is loaded (lsmod)?
3. What USB devices are seen by the kernel (lsusb)?
4. Can you list the kernel modules available in /lib/modules?
5. Can you list the tty devices in /dev (ls /dev/tty*)?

What I am trying to determine is if it's possible to get a serial console on the USB OTG interface. This would make it possible to login to the DSO as root without opening it.  :-BROKE

See here for Allwinner SOCs: https://linux-sunxi.org/USB_Gadget/Serial

About writing to the display: it should be as simple as writing to memory, since I believe the display buffer is mapped to RAM, you have the specific region in the kernel message I believe.
« Last Edit: June 04, 2021, 01:40:08 am by AndrewBCN »
 

