Author Topic: Hacking the DSO2X1X  (Read 133451 times)


Offline Mark5 (Topic starter)

  • Contributor
  • Posts: 29
  • Country: fr
Hacking the DSO2X1X
« on: March 18, 2021, 08:42:55 am »
Here's how you can "hack" your DSO2X1X and turn it into a DSO2D15:

All you need is:

1) A FAT32 formatted USB stick
2) The latest firmware update (http://www.hantek.com/download?word=dso2C10&sid=0&pid=0&key=fjzl)
3) A text editor.

Copy the firmware update to the root of the USB stick (after "unraring" it, of course).
Create a file named do_other_update in the root of the USB stick (no extension, no .txt, just do_other_update).

Add the following two lines to the do_other_update file:

sed -i 's/DSO2.1./DSO2D15/g' /cache/system.inf >/mnt/udisk/sed.log
sed -i 's/DSO2.1./DSO2D15/g' /dso/app/sys_inf.new >>/mnt/udisk/sed.log

/!\ Make sure that the file is UNIX formatted (i.e. line breaks should be Unix style; you can check that with Notepad++).

Then all you have to do is launch the firmware update from the oscilloscope.

Please note that the AWG will only work if the PCB is fully populated (it doesn’t work on my 2C10 because the DAC, a relay and some other stuff are missing).
I know for sure that SOME 2C10 (early versions, as far as I understand) are fully populated, but not all.

I take no responsibility if anything goes wrong. All you do is at your own risk.

Technical stuff:

All this wouldn't have been possible without the help of @tinhead who provided the updater decryption key to the community. Kudos to him.

Now let me explain how I found how to hack the 2X1X:
Once the firmware update was decrypted and extracted, I looked into it and found the shell script that the scope launches in order to do the update.
This script's name is do_update.sh.
Here's its content (I removed all commented stuff for the sake of readability):
Code:
#!/bin/sh
WORKPATH=/dso/var/run
echo "-------------------update start------------------"
cp $WORKPATH/package/root/* -rf /
cp $WORKPATH/package/fpga_i2c_kb.ko /dso/etc
cp $WORKPATH/package/spi-fpga-tn652.ko /dso/etc
cp $WORKPATH/package/load_fpga_kb.sh /dso/etc
if [ ! -d /dso/app/home/ref ]
then
mkdir /dso/app/home/ref
fi

if [ -f /mnt/udisk/do_other_update ];then
chmod +x /mnt/udisk/do_other_update
/mnt/udisk/do_other_update
fi
echo "-------------------update end------------------"
sync
sync
sync

Notice the last if statement.
This is meant to execute arbitrary code from the file do_other_update if this file is present in the root directory of your USB stick.
I then checked the updater privilege level by creating a do_other_update file containing the following code:
Code:
whoami >/mnt/udisk/whoami.txt

The content of whoami.txt was root. Which is good. Very good indeed.
Now that I knew that the update was being executed as root, I was able to check various important stuff, like the mtd mapping and content of the mount table.
And I was also able to dump the whole firmware using dd (I know that dumping a live system with dd is not the best idea, but it can still be quite useful).
So I added this in my do_other_update script:
Code:
ls / -R >/mnt/udisk/ls.txt
dd if=/dev/mtdblock0 of=/mnt/udisk/mtd0_boot.bin >/mnt/udisk/dd.log
dd if=/dev/mtdblock1 of=/mnt/udisk/mtd1_cache.bin >>/mnt/udisk/dd.log
dd if=/dev/mtdblock2 of=/mnt/udisk/mtd2_dtb.bin >>/mnt/udisk/dd.log
dd if=/dev/mtdblock3 of=/mnt/udisk/mtd3_kernel.bin >>/mnt/udisk/dd.log
dd if=/dev/mtdblock4 of=/mnt/udisk/mtd4_rootfs.bin >>/mnt/udisk/dd.log
dd if=/dev/mtdblock5 of=/mnt/udisk/mtd5_data.bin >>/mnt/udisk/dd.log

This gave me a dump of each mtd partition (unfortunately, the first time I tried this, my USB stick died and I had to do it again).
Of course this process took quite a long time, but it finally ended and I was able to check the content of my USB stick.
The first line (ls -R) was really helpful because it contains a listing of ALL the files stored in the rootfs.
Then came another update from Hantek. After decrypting and unpacking, I noticed a new file named system.inf

The content of that file looked like this:
Code:
[machine]
Model=DSO2C15
Vendor=Hantek
Product=undefined
Manufacturer=undefined
Serial=CN0000000000000
[version]
Pcb=000.000.000.000.000.000.000.000
Keyboard=undefined
[language]
Lans=65535
Language=2
[add]
Start=0
Update=0

I searched my ls -R listing and found that same file located in /cache/system.inf
Once again, I modified the do_other_update script so it copies that file from my scope to the root of the USB stick.
Code:
cp /cache/* /mnt/udisk

Looking into the system.inf, I found MY model and serial number.
The last step was to write the small sed command in order to modify the model number from 2C10 to 2D15, and voila.

Feel free to comment and report success (or not).

Cheers,
Mark5

Edit: typos and firmware link.
« Last Edit: March 18, 2021, 10:52:42 am by Mark5 »
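The last if statement in the do_update.sh quoted above runs whatever file is named do_other_update on the USB stick, as root, with no check on where it came from. As an added example (not Hantek's script and not Mark5's; the function names, the allowlist file hooks.sha256 and the temp-dir demo are assumptions), here is a POSIX sh version of that hook which only runs the file when its SHA-256 appears in an allowlist carried inside the update package itself, so a stray or tampered file on removable media is refused:

```shell
#!/bin/sh
# Added example, not Hantek's do_update.sh: gate the post-update hook on a
# hash allowlist instead of running whatever is on the USB stick as root.
# Assumed names: the hook path and an allowlist (hooks.sha256) that ships
# inside the encrypted update package, so it is covered by the package's
# own protection rather than coming from the same removable media.

# Print the SHA-256 of a file; works with GNU coreutils or BSD-style tools.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_hook_if_trusted HOOK ALLOWLIST
# Runs HOOK only if its digest is one full line of ALLOWLIST.
# Returns 0 when run, 1 when no hook is present, 2 when the hook is refused.
run_hook_if_trusted() {
    hook=$1
    allowlist=$2
    [ -f "$hook" ] || return 1
    digest=$(sha256_of "$hook")
    if grep -qx "$digest" "$allowlist"; then
        # Invoke through sh explicitly: no chmod +x on a FAT32 volume needed.
        sh "$hook"
        return 0
    fi
    echo "refusing untrusted hook $hook ($digest)" >&2
    return 2
}

# Self-contained demo on constructed files in a temp dir (no scope involved):
# a listed hook runs, then one extra line is appended and the same hook is refused.
demo_hook_gate() {
    tmp=$(mktemp -d)
    printf 'echo ran >"%s/marker"\n' "$tmp" >"$tmp/do_other_update"
    sha256_of "$tmp/do_other_update" >"$tmp/hooks.sha256"
    if run_hook_if_trusted "$tmp/do_other_update" "$tmp/hooks.sha256"; then
        trusted=0
    else
        trusted=$?
    fi
    rm -f "$tmp/marker"
    echo 'echo tampered' >>"$tmp/do_other_update"   # hash is no longer listed
    if run_hook_if_trusted "$tmp/do_other_update" "$tmp/hooks.sha256" 2>/dev/null; then
        untrusted=0
    else
        untrusted=$?
    fi
    if [ -f "$tmp/marker" ]; then ran_after_tamper=1; else ran_after_tamper=0; fi
    rm -rf "$tmp"
    echo "trusted=$trusted untrusted=$untrusted ran_after_tamper=$ran_after_tamper"
}
```

The gate only helps if the allowlist is read from inside the decrypted package (here the assumed hooks.sha256), never from the USB stick next to the hook; otherwise an attacker who can place do_other_update can place a matching allowlist too. A signature over the package would be the stronger form of the same idea, but a hash list is enough to show where the original script's check is missing.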
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3212
  • Country: pt
Re: Hacking the DSO2X1X
« Reply #1 on: March 18, 2021, 10:07:12 am »
Well done.  :clap:

And where did the /dso/app/sys_inf.new come from?
 

Offline Mark5 (Topic starter)

  • Contributor
  • Posts: 29
  • Country: fr
Re: Hacking the DSO2X1X
« Reply #2 on: March 18, 2021, 10:32:40 am »
I think it is used by Hantek to initially set the model number.
Since they may check this file in future updates, I thought it'd be a good idea to edit this one as well.
But as far as I know it's not used in the normal case.
 

Offline Algoma

  • Frequent Contributor
  • **
  • Posts: 291
  • Country: ca
Re: Hacking the DSO2X1X
« Reply #3 on: March 18, 2021, 03:32:05 pm »
Keyboard=undefined .. It could be entirely practical to bring up a root console onscreen with that do_other_update (provided a USB hub works to operate both the keyboard and USB drive at the same time).

There is a button hidden on the underside of the PCB, accessible through the venting holes under the unit. Likely to reset into a bootloader mode.
 

Offline xuraax

  • Contributor
  • Posts: 35
  • Country: mt
Re: Hacking the DSO2X1X
« Reply #4 on: March 18, 2021, 05:05:54 pm »
@Mark5.  Thank you very much for the above.

2 questions:

1. Would the file do_other_update have to be created every time Hantek issues a new upgrade or just the first time?
2. Without an actual 150 MHz signal to test out the hack, how can one confirm that the hack actually works?
 

Offline elektek

  • Newbie
  • Posts: 1
  • Country: mx
Re: Hacking the DSO2X1X
« Reply #5 on: March 18, 2021, 05:20:29 pm »
thanks, it worked perfect on DSO2C15
 
The following users thanked this post: trmntr

Offline upsss

  • Regular Contributor
  • *
  • Posts: 163
  • Country: us
Re: Hacking the DSO2X1X
« Reply #6 on: March 18, 2021, 06:13:48 pm »
Did anyone actually populate the missing components X1, U18, U35 and then hack the DSO2C1x to enable the AWG, or were you just lucky and the AWG components were already on your scope?
« Last Edit: March 18, 2021, 06:30:56 pm by upsss »
 

Offline Mark5 (Topic starter)

  • Contributor
  • Posts: 29
  • Country: fr
Re: Hacking the DSO2X1X
« Reply #7 on: March 18, 2021, 07:46:17 pm »
Quote
@Mark5. Thank you very much for the above.

2 questions:

1. Would the file do_other_update have to be created every time Hantek issues a new upgrade or just the first time?
2. Without an actual 150 MHz signal to test out the hack, how can one confirm that the hack actually works?

1) Once the model has been changed, there's no need to change it again. So no.
2) Some lucky "beta testers" had a 2C10 that was successfully converted to 2D15 with the AWG working as expected.
 

Offline Algoma

  • Frequent Contributor
  • **
  • Posts: 291
  • Country: ca
Re: Hacking the DSO2X1X
« Reply #8 on: March 19, 2021, 12:05:45 am »
That button underneath the unit puts the Allwinner F1C200S CPU into FEL mode. Some generic documentation here:

https://linux-sunxi.org/FEL

Quote
sunxi-fel.exe --list --verbose
Warning: no 'soc_sram_info' data for your SoC (id=1663)
USB device 009:003   Allwinner 0x1663

Quote
sunxi-fel.exe version
Warning: no 'soc_sram_info' data for your SoC (id=1663)
AWUSBFEX soc=00001663(unknown) 00000001 ver=0001 44 08 scratchpad=00007e00 00000000 00000000

It is communicating with the Allwinner CPU through the back USB connection, though it looks like you generally need to attach directly to the UART interface to do much more with it. It could dump/debug active memory over the interface.

sunxi-fel.exe hex 0 47000 spits out a whole bunch of raw memory in hex format.
« Last Edit: March 19, 2021, 12:30:00 am by Algoma »
 

Offline Mark5 (Topic starter)

  • Contributor
  • Posts: 29
  • Country: fr
Re: Hacking the DSO2X1X
« Reply #9 on: March 19, 2021, 08:58:43 am »
It might also be possible to gain SSH access through the back USB port.
Dropbear is present in the filesystem. I'd have to look at how (and if) it is launched.
 

Offline Algoma

  • Frequent Contributor
  • **
  • Posts: 291
  • Country: ca
Re: Hacking the DSO2X1X
« Reply #10 on: March 19, 2021, 01:27:56 pm »
Connecting the DSO2D15 in FEL mode showed up on my system as the SNES Mini. The USB identifier used in FEL mode is common to the Allwinner R16 found in those recent Nintendo Mini consoles when they're also placed in FEL mode (basically a firmware recovery mode).

Hakchi2 is an open source program for unlocking and loading additional data into those mini consoles' flash memory; it could give us good foundation examples for accessing the onboard memory and firmware of those Allwinner chips. While the F1C200s is newer than the R16, there is likely much that remains in common, besides some changes in the boot memory mappings.

It would be somewhat amusing to run some classic games onscreen. It's all entirely possible to do from that FEL mode.
« Last Edit: March 19, 2021, 02:53:33 pm by Algoma »
 

Offline cmaass

  • Contributor
  • Posts: 28
  • Country: za
Re: Hacking the DSO2X1X
« Reply #11 on: March 20, 2021, 10:49:02 pm »
At some point my DSO2D10 hung when I rebooted it. It only initialized the hardware to 80% and then hung.
I reported it to Hantek, after which they sent me the platform tools as well as PhoenixSuit_CN to be able to reload the .bin files directly through the rear USB connector to the USB port of the Allwinner controller. This cleared the problem and it could reboot normally again.

When the bottom button is pressed during booting to put it into FEL mode, sunxi-fel is used to convert the Allwinner to an Android system. It will show up in the PC's Device Manager as an Android Device. This is accomplished using PhoenixSuit_CN; then all the .bin files can be programmed directly onto the Allwinner via its USB port.
« Last Edit: March 20, 2021, 11:29:06 pm by cmaass »
 

Offline Algoma

  • Frequent Contributor
  • **
  • Posts: 291
  • Country: ca
Re: Hacking the DSO2X1X
« Reply #12 on: March 21, 2021, 01:46:28 am »
The FEL mode could be used to load temporary custom programs into RAM and execute them over USB. This has the potential to read and write changes into the existing firmware and further explore RAM or flash memory from the common USB port.

Yes, FEL is primarily used for base-level firmware loading and disaster recovery, but it's capable of temporarily loading a custom set of instructions into the CPU's RAM and then executing them without modifications to the system.


Basically a factory self-testing and initial firmware loading mode, but it does leave the system fully open to modifications without relying on the internal firmware update scripts (which could be changed in future updates).
« Last Edit: March 21, 2021, 01:52:56 am by Algoma »
 

Offline Piton

  • Regular Contributor
  • *
  • Posts: 68
  • Country: ua
Re: Hacking the DSO2X1X
« Reply #13 on: March 21, 2021, 03:20:32 pm »
Strange, I have both calibrations in the factory device, but the amplitude does not work either.
 

Offline cmaass

  • Contributor
  • Posts: 28
  • Country: za
Re: Hacking the DSO2X1X
« Reply #14 on: March 21, 2021, 03:35:39 pm »
@VISTORIK, your explanation on how to use the platform tools and PhoenixSuit_CN is nicely done.
Regarding the Amplitude Calibration, it does nothing.
When I queried HANTEK about this they told me it's only necessary to do the Offset.
Answer from wangshuang@hantek.com "Users don't need to perform amplitude calibration."
« Last Edit: March 21, 2021, 03:44:05 pm by cmaass »
 

Offline Algoma

  • Frequent Contributor
  • **
  • Posts: 291
  • Country: ca
Re: Hacking the DSO2X1X
« Reply #15 on: March 21, 2021, 04:41:30 pm »
I see your notes mention:

Quote
fastboot flash dtb images/suniv-f1c100s-licheepi-nano.dtb

So this scope is technically an F1C200s-based Lichee Pi Nano at its foundation. That makes documentation research much easier.

Still missing the actual platform tools posted by cmaass.

U-Boot features a UMS mode that can present the onboard storage as a USB mass storage device to the host, provided the right platform drivers (Device Tree Blob, .dtb) have been loaded to access the SPI NAND.
« Last Edit: March 21, 2021, 07:42:54 pm by Algoma »
 

Offline Algoma

  • Frequent Contributor
  • **
  • Posts: 291
  • Country: ca
Re: Hacking the DSO2X1X
« Reply #16 on: March 21, 2021, 07:48:54 pm »
For reference, the Lichee Pi Nano; this image was posted previously by
@GeorgeOfTheJungle: https://www.eevblog.com/forum/testgear/fnirsi-1013d-100mhz-tablet-oscilloscope/msg3145826/#msg3145826



 

Offline Mark5 (Topic starter)

  • Contributor
  • Posts: 29
  • Country: fr
Re: Hacking the DSO2X1X
« Reply #17 on: March 21, 2021, 08:06:31 pm »
Quote
Mark5, you are not the first to hack this device. The first were the Chinese from Hantek who provided platform-tools.

I definitely agree with that: people from Hantek were the first to hack their own scope.
And I'm pretty sure they can hack every model they sell  ;D
 

Offline xuraax

  • Contributor
  • Posts: 35
  • Country: mt
Re: Hacking the DSO2X1X
« Reply #18 on: March 22, 2021, 05:30:32 am »
How can one get a copy of these Platform Tools?
 

Offline cmaass

  • Contributor
  • Posts: 28
  • Country: za
Re: Hacking the DSO2X1X
« Reply #19 on: March 22, 2021, 06:19:45 am »
I will upload the Platform-Tools on the Filemail.com server since it is too big to post on this forum.
Will post the link as soon as it is ready.

It will take a while since my upload speed is slow ;D
« Last Edit: March 22, 2021, 06:22:26 am by cmaass »
 
The following users thanked this post: xuraax

Offline cmaass

  • Contributor
  • Posts: 28
  • Country: za
Re: Hacking the DSO2X1X
« Reply #20 on: March 22, 2021, 06:26:19 pm »
You can also download the platform-tools here.
You have 7 days to download the file.
PhoenixSuit_CN is included in the file.
Remember to read the readme_English.docx on how to use the tools.
All the files are included in the one .rar file, so the file is much smaller than the file posted by vistorik. It's 114.28 Mb in size.
Please read the post by vistorik for a description of how these tools are used (Reply #13 on: Yesterday at 01:47:56 pm).
https://www.filemail.com/d/advzemzwfpioyvw
« Last Edit: March 22, 2021, 06:55:45 pm by cmaass »
 
The following users thanked this post: xuraax, Algoma

Offline cmaass

  • Contributor
  • Posts: 28
  • Country: za
Re: Hacking the DSO2X1X
« Reply #21 on: March 22, 2021, 07:26:37 pm »
@Algoma, getting back to your post (Reply #72 on January 29, 2021) on the topic "New Hantek DSO2X1X models?", regarding the ADC numbers that you speculated about.
When I did the dot test then, in single-channel mode I could get only 1 dot every 2 ns at 1 GS/s, thus 500 MS/s. After I hacked the scope to 150 MHz, I now get two dots, thus 1 ns sampling, which relates to 1 GS/s.
Thanks Mark5.
 
The following users thanked this post: Mark5, Algoma

Offline Boyeen

  • Newbie
  • Posts: 7
  • Country: us
Re: Hacking the DSO2X1X
« Reply #22 on: March 25, 2021, 08:36:05 pm »
Thanks for the info. I have some advice for newbies (like myself)...
Perhaps foolishly, I tried the firmware/SED hack on my brand new DSO2C15 hoping the board was populated for the AWG, but without checking.
Bad idea, my machine transmogrified into a DSO2D15 and the WAVE-GEN  button lit up, scope menus updated etc. but no output signals. OK, missing components, no harm right?  Well yes actually... the scope can no longer calibrate and other operations gave errors too.  I also discovered that the hidden files my Mac puts on the USB stick cause problems, gotta delete them before trying to update firmware. That may have been part of my problem...

Anyway, long story short, I erased the USB drive, loaded a new copy of the firmware from Hantek, cleared all the Apple .junk off it and edited your SED script to revert the machine from D15 back to C15.  It worked perfectly and now I can calibrate and use everything I paid for :-)

Hope this helps. I'll be interested to see if anyone bothers to install the missing components and if that works but right now I'm glad I didn't brick my new toy.
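Mark5's sed pattern DSO2.1. matches any model string of that shape wherever it occurs in the file, and Boyeen's post shows that the same edit has to be run in the other direction to get back to the original model. As an added example (not from either poster; the function names, the Product= value, the placeholder serial and the temporary files are constructed), here is a POSIX sh helper that changes only the Model= key of a system.inf-style file, accepts only the four model names mentioned in this thread, and applies the change in either direction:

```shell
#!/bin/sh
# Added example, not the poster's script: rewrite only the Model= key of a
# system.inf-style file and leave every other line (Serial=, Product=, ...)
# untouched. Assumed: the file layout is the key=value-under-[section]
# layout quoted in the thread.

# read_key KEY FILE: print the value of the first KEY= line in FILE.
read_key() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# set_model SRC TARGET DST: copy SRC to DST with Model= set to TARGET.
# TARGET must be one of the models the thread talks about; anything else is refused.
# Returns 0 on success, 3 for an unknown target, 4 when SRC has no Model= line.
set_model() {
    src=$1; target=$2; dst=$3
    case $target in
        DSO2C10|DSO2C15|DSO2D10|DSO2D15) ;;
        *) echo "unknown target model: $target" >&2; return 3 ;;
    esac
    grep -q '^Model=' "$src" || { echo "no Model= line in $src" >&2; return 4; }
    # Anchor the substitution to the key: the unanchored pattern DSO2.1. would
    # also hit a DSO2C10 substring anywhere else in the file (see Product= below).
    sed "s/^Model=.*/Model=$target/" "$src" >"$dst"
}

# Demo on a constructed system.inf modelled on the one quoted in the thread.
# The Product= value is made up to show that only Model= is rewritten;
# the serial is a placeholder.
demo_set_model() {
    tmp=$(mktemp -d)
    cat >"$tmp/system.inf" <<'EOF'
[machine]
Model=DSO2C10
Vendor=Hantek
Product=DSO2C10-kit
Serial=CN0000000000000
[version]
Pcb=000.000.000.000.000.000.000.000
EOF
    set_model "$tmp/system.inf" DSO2D15 "$tmp/up.inf"    # the thread's C10 -> D15 change
    set_model "$tmp/up.inf" DSO2C10 "$tmp/back.inf"      # the revert Boyeen describes
    if set_model "$tmp/system.inf" DSO2Z99 "$tmp/bad.inf" 2>/dev/null; then
        rc=0
    else
        rc=$?
    fi
    printf '%s %s %s %s %s\n' \
        "$(read_key Model "$tmp/up.inf")" \
        "$(read_key Product "$tmp/up.inf")" \
        "$(read_key Model "$tmp/back.inf")" \
        "$(read_key Serial "$tmp/up.inf")" \
        "$rc"
    rm -rf "$tmp"
}
```

Writing to a separate output file instead of sed -i keeps the original around for the revert, which is the situation Boyeen ran into: if the board turns out not to be populated, the untouched copy is the fastest way back.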
 

Offline cmaass

  • Contributor
  • Posts: 28
  • Country: za
Re: Hacking the DSO2X1X
« Reply #23 on: March 27, 2021, 10:04:25 am »
@Boyeen, if ever you brick it you can use the platform-tools to unbrick it. :)
You can still download the tools from this post Reply #22 on: March 22, 2021, 06:26:19 pm
« Last Edit: March 27, 2021, 10:08:32 am by cmaass »
 

Offline Piton

  • Regular Contributor
  • *
  • Posts: 68
  • Country: ua
Re: Hacking the DSO2X1X
« Reply #24 on: March 27, 2021, 12:52:42 pm »
I looked at my C10. Haven't hacked it yet, but soon.
 

