Hacking the DSO2X1X

Mark5:
Here's how you can "hack" your DSO2X1X and turn it into a DSO2D15 :

All you need is :

1) A FAT32 formatted USB stick
2) The latest firmware update (http://www.hantek.com/download?word=dso2C10&sid=0&pid=0&key=fjzl)
3) A text editor.

Copy the firmware update to the root of the USB stick (after "unraring" it, of course).
Create a file named do_other_update in the root of the USB stick (no extension, no .txt just do_other_update)

Add the following two lines in the do_other_update file :

sed -i 's/DSO2.1./DSO2D15/g' /cache/system.inf >/mnt/udisk/sed.log
sed -i 's/DSO2.1./DSO2D15/g' /dso/app/sys_inf.new >>/mnt/udisk/sed.log

/!\ Make sure that the file is UNIX formatted (i.e. line breaks should be Unix style; you can check that with Notepad++).

Then all you have to do is launch the firmware update from the oscilloscope.

Please note that the AWG will only work if the PCB is fully populated (it doesn’t work on my 2C10 because the DAC, a relay and some other stuff are missing).
I know for sure that SOME 2C10 (early versions, as far as I understand) are fully populated, but not all.

I take no responsibility if anything goes wrong. All you do is at your own risk.

Technical stuff :

All this wouldn't have been possible without the help of @tinhead who provided the updater decryption key to the community. Kudos to him.

Now let me explain how I found how to hack the 2X1X :
Once the firmware update was decrypted and extracted, I looked into it and found the shell script that the scope launches in order to do the update.
This script is named do_update.sh.
Here's its content (I removed all commented stuff for the sake of readability)

--- Code: ---#!/bin/sh
WORKPATH=/dso/var/run
echo "-------------------update start------------------"
cp $WORKPATH/package/root/* -rf /
cp $WORKPATH/package/fpga_i2c_kb.ko /dso/etc
cp $WORKPATH/package/spi-fpga-tn652.ko /dso/etc
cp $WORKPATH/package/load_fpga_kb.sh /dso/etc
if [ ! -d /dso/app/home/ref ]
then
mkdir /dso/app/home/ref
fi

if [ -f /mnt/udisk/do_other_update ];then
chmod +x /mnt/udisk/do_other_update
/mnt/udisk/do_other_update
fi
echo "-------------------update end------------------"
sync
sync
sync

--- End code ---

Notice the last if statement.
This is meant to execute arbitrary code from the file do_other_update if this file is present in the root directory of your USB stick.
I then checked the updater privilege level by creating a do_other_update file containing the following code:

--- Code: ---whoami >/mnt/udisk/whoami.txt

--- End code ---

The content of whoami.txt was root. Which is good. Very good indeed.
Now that I knew that the update was being executed as root, I was able to check various important stuff, like the mtd mapping and content of the mount table.
And I was also able to dump the whole firmware using dd (I know that dumping a live system with dd is not the best idea, but it can still be quite useful).
So I added this in my do_other_update script :

--- Code: ---ls / -R >/mnt/udisk/ls.txt
dd if=/dev/mtdblock0 of=/mnt/udisk/mtd0_boot.bin >/mnt/udisk/dd.log
dd if=/dev/mtdblock1 of=/mnt/udisk/mtd1_cache.bin >>/mnt/udisk/dd.log
dd if=/dev/mtdblock2 of=/mnt/udisk/mtd2_dtb.bin >>/mnt/udisk/dd.log
dd if=/dev/mtdblock3 of=/mnt/udisk/mtd3_kernel.bin >>/mnt/udisk/dd.log
dd if=/dev/mtdblock4 of=/mnt/udisk/mtd4_rootfs.bin >>/mnt/udisk/dd.log
dd if=/dev/mtdblock5 of=/mnt/udisk/mtd5_data.bin >>/mnt/udisk/dd.log

--- End code ---

This gave me a dump of each mtd partition (unfortunately, the first time I tried this, my USB stick died and I had to do it again).
Of course this process took quite a long time, but it finally ended and I was able to check the content of my USB stick.
The first line (ls -R) was really helpful because it contains a listing of ALL the files stored in the rootfs.
Then came another update from Hantek. After decrypting and unpacking, I noticed a new file named system.inf

The content of that file looked like this :

--- Code: ---[machine]
Model=DSO2C15
Vendor=Hantek
Product=undefined
Manufacturer=undefined
Serial=CN0000000000000
[version]
Pcb=000.000.000.000.000.000.000.000
Keyboard=undefined
[language]
Lans=65535
Language=2
[add]
Start=0
Update=0

--- End code ---

I searched my ls -R listing and found that same file located in /cache/system.inf
Once again, I modified the do_other_update script so it copies that file from my scope to the root of the USB stick.

--- Code: ---cp /cache/* /mnt/udisk

--- End code ---

Looking into the system.inf, I found MY model and serial number.
The last step was to write the small sed command in order to modify the model number from 2C10 to 2D15, and voila.

Feel free to comment and report success (or not).

Cheers,
Mark5

Edit : typos and firmware link.
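The sed substitution from the post and its "must be UNIX formatted" caveat, as an added Python example (not code from the thread): it mirrors the exact sed expression on a constructed system.inf, shows how broad the wildcard pattern is, and flags CRLF line endings that would break the hook script.

```python
import re
from typing import Optional

# Constructed sample modelled on the system.inf layout shown in the post
# (not a dump from a real scope).
SAMPLE_SYSTEM_INF = (
    "[machine]\n"
    "Model=DSO2C10\n"
    "Vendor=Hantek\n"
    "Serial=CN0000000000000\n"
)

# The regular expression from the post's sed command, verbatim.
# '.' matches any single character, so the pattern covers DSO2C10,
# DSO2C15, DSO2D10 and DSO2D15 alike; it is not anchored to one model.
MODEL_PATTERN = re.compile(r"DSO2.1.")
TARGET_MODEL = "DSO2D15"


def rewrite_model(text: str) -> str:
    """Equivalent of: sed 's/DSO2.1./DSO2D15/g' applied to file content."""
    return MODEL_PATTERN.sub(TARGET_MODEL, text)


def matches_model_pattern(name: str) -> bool:
    """True if a whole model string is matched by the sed pattern."""
    return MODEL_PATTERN.fullmatch(name) is not None


def parse_model(text: str) -> Optional[str]:
    """Return the Model= value from the [machine] section, if present."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "machine" and line.startswith("Model="):
            return line.split("=", 1)[1]
    return None


def has_crlf(script: bytes) -> bool:
    """True if a do_other_update script still has Windows (CRLF) endings.

    /bin/sh would then see a trailing '\\r' on every line, so the first
    command becomes 'sed\\r' and fails to run.
    """
    return b"\r\n" in script
```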

tv84:
Well done.  :clap:

And where did the /dso/app/sys_inf.new came from?

Mark5:
I think it is used by Hantek to initially set the model number.
Since they may check this file in future updates, I thought it'd be a good idea to edit this one as well.
But as far as I know it's not used in normal case.

Algoma:
Keyboard=undefined ... It could be entirely practical to bring up a root console onscreen with that do_other_update (provided a USB hub works to operate both the keyboard and USB drive at the same time).

There is a button hidden on the underside of the PCB, accessible through the venting holes under the unit. Likely to reset into a bootloader mode.

xuraax:
@Mark5.  Thank you very much for the above.

2 questions:

1. Would the file do_other_update have to be created every time Hantek issues a new upgrade or just the first time?
2. Without an actual 150 MHz signal to test out the hack, how can one confirm that the hack actually works?
