It seems the new HDO software is prepared for the following devices:
HDO1000: HDO1052 HDO1054 HDO1072 HDO1074 HDO1102 HDO1104 HDO1202 HDO1204
HDO2000: HDO2104 HDO2204
HDO4000: HDO4104 HDO4204 HDO4304 HDO4404 HDO4504 HDO4804
MSO8000: MSO8064 MSO8104 MSO8204
MSO8000A: MSO8064A MSO8104A MSO8204A MSO8304A
DS70000: DS70104 DS70204 DS70304 DS70404 DS70504
MSO8304A hmm.. so MSO8000A and up to 3GHz.
And also MSO8000... does that mean that existing MSO8000 will be able to upgrade to new platform?
And MSO8000A will exist in parallel with it? Is MSO8000A a different package (larger screen or whatnot) or maybe also a higher bit count...?
Interesting questions...
Hi,
here is my tool to dump the FRAM ... it contains the system setup, the private mem file data (license stuff like install tries and the key data once more) and the binary device config.
I also made a license key generator to pretty much enable any option .... no idea if it's OK to post that code here though ...
Looked through the dts file and found some ADC mentions. RK3399 should have one or two integrated ones. But I can't figure out which are the Rigol ones.
I noticed there's an ADC128D818 as well onboard, a 12-bit 8-ch ADC. It has two lines going to a connector.
I also made a license key generator to pretty much enable any option .... no idea if it's OK to post that code here though ...
Of course it is. Look at how many "hacking" threads there are here ... and how many "hacking" videos Dave's done.
Hi,
here is my tool to dump the FRAM ... it contains the system setup, the private mem file data (license stuff like install tries and the key data once more) and the binary device config.
I also made a license key generator to pretty much enable any option .... no idea if it's OK to post that code here though ...
Worked like a charm
Here are the commands I used to cross-compile on my Windows machine:
go mod init .\fRAMdump.go
go mod tidy
$Env:GOOS = "linux"; $Env:GOARCH = "arm64"
go build fRAMdump.go
Then an adb push to the machine,
set the execute bits and run as root.
Then an adb push to the machine
It works with ADB?
How long before we see DOOM running on one?
DOOM? More like GTA Vice City or even a flight simulator (with all those knobs on the front panel?). That RK3399 chip has (a bit) better graphics than the Raspberry Pi 4 BCM2711.
Then an adb push to the machine
It works with ADB?
How long before we see DOOM running on one?
Yes on port 55555 via ethernet
Including root via su cmd (no password)
It works with ADB?
Yes on port 55555 via ethernet
Including root via su cmd (no password)
So these things are 100% hackable/programmable.
Market, owned.
Curious if adding a second ADC is possible on the 1k series. The power rails are off-the-shelf parts but the ADC itself...
Curious if adding a second ADC is possible on the 1k series. The power rails are off-the-shelf parts but the ADC itself...
You can't and won't be able to buy the ADC.
The only option was as mentioned, here or another thread, buy another HDO1k for $700.
Here is the lic gen ... just needs the key file from the device to work ....
The device id being field 0 is just a guess as the code ignores that field anyways ...
You can't and won't be able to buy the ADC.
The only option was as mentioned, here or another thread, buy another HDO1k for $700.
The ADC could be sourced from broken units, but apart from sourcing it, what else would be an issue? Apart from populating the missing rails as well.
the ADC could be sourced from broken units
And the "broken units" come from ... where?
but apart from sourcing it what else would be an issue?
Nothing, but it's a BIG issue.
Ah clearly, no easy feat. I was just curious if it's doable as long as you can source the ADC chip. I mean if it's doable software side.
Ah clearly, no easy feat. I was just curious if it's doable as long as you can source the ADC chip. I mean if it's doable software side.
I don't think anybody tried it yet, but ...
If I was a betting person I'd put my money on it being possible.
Here is the lic gen ... just needs the key file from the device to work ....
The device id being field 0 is just a guess as the code ignores that field anyways ...
Assuming Alpha is correct (I see no reason why he's not) this is THE BIGGEST BLUNDER I've seen from Rigol ever! I'm flabbergasted!!!
OTOH, if this is a marketing scheme then, you can all be sure that the next step will be Rigol selling their ADC individually for those that want to complete the HW conversion! Mark my words.
OTOH, if this is a marketing scheme
It is.
Android has security built-in at the flick of a switch. There's no reason not to enable it other than "marketing".
you can all be sure that the next step will be Rigol selling their ADC individually for those that want to complete the HW conversion! Mark my words.
Very unlikely.
Here is the lic gen ... just needs the key file from the device to work ....
The device id being field 0 is just a guess as the code ignores that field anyways ...
AlphaRne, have you successfully tested these licenses? (I still can't believe what you're saying they have done...)
Edit: If they work, in my book, someone ought to be fired. It's absolute incompetence from the programmer and the oversight guys. And people should start licensing ASAP before the next FW update...
There's no reason not to enable it other than "marketing".
I refuse to believe that. There are plenty of other ways of doing the programming (for marketing purposes). Not like this. I wouldn't like to have this on my résumé...
The lics work on my device.
At least the lic code looks kind of half-baked judging from the disassembly and they didn't even bother to strip the symbols.
No idea on how well their other products are protected but this one was def one of the easiest…
Android has security built-in at the flick of a switch. There's no reason not to enable it other than "marketing".
Well, with security enabled it is easier to brick a device.
Maybe no one wanted to take that responsibility, or it was "this version works, no changes, we ship it".
Yes, security against hacking is clearly not high on the priority list, but in my eyes that is not a hint that it was on purpose.
AlphaRne,
This is my parsing of the FRAM that I have access to:
00000000 Block_0 CRC32: 530E7D6A [00000008-0000008B] CRC OK
00000004 Block_0 Size: 00000084 bytes
00000100 Block_1 Size: 000000B0 bytes [00000100-000001AF] CKSM OK
-------------------------------------------------------------
00000108 Option: 0000091D CKSM OK
00000110 Option Size: 00000094 bytes CKSM OK
00000118 Option CRC32: 06131D97 [0000011C-000001AF] CRC OK
Key.data: brainpoolP256r1;04xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------------------------------------------------------
00000800 Block_2 CRC32: 7BAF99DF [00000808-00001143] CRC OK
00000804 Block_2 Size: 0000093C bytes
-------------------------------------------------------------
00000808 001C 0004 0109 DataSz: 003C BlockSz: 0040 [00000814-00000853]
00000854 000B 0011 002F DataSz: 002F BlockSz: 0030 [00000860-0000088F]
00000890 0128 0001 0001 DataSz: 0001 BlockSz: 0001 [0000089C-0000089C]
0000089D 011A 00F0 001F DataSz: 001F BlockSz: 001F [000008A9-000008C7]
000008C8 0004 0002 004C DataSz: 0020 BlockSz: 0020 [000008D4-000008F3]
000008F4 0003 0002 004C DataSz: 0020 BlockSz: 0020 [00000900-0000091F]
00000920 0002 0002 004C DataSz: 0020 BlockSz: 0020 [0000092C-0000094B]
0000094C 0001 0002 0054 DataSz: 0021 BlockSz: 0030 [00000958-00000987]
00000988 001C 0004 0109 DataSz: 0037 BlockSz: 0040 [00000994-000009D3]
000009D4 001D 0001 0029 DataSz: 001F BlockSz: 0020 [000009E0-000009FF]
00000A00 011E 0002 001F DataSz: 001F BlockSz: 001F [00000A0C-00000A2A]
00000A2B 0016 0001 00B2 DataSz: 0040 BlockSz: 0040 [00000A37-00000A76]
00000A77 0015 0003 0078 DataSz: 0030 BlockSz: 0030 [00000A83-00000AB2]
00000AB3 002A 0006 01B2 DataSz: 006E BlockSz: 0070 [00000ABF-00000B2E]
00000B2F 002B 0006 0192 DataSz: 006C BlockSz: 0070 [00000B3B-00000BAA]
00000BAB 002C 0006 0192 DataSz: 006C BlockSz: 0070 [00000BB7-00000C26]
00000C27 002D 0006 0192 DataSz: 006C BlockSz: 0070 [00000C33-00000CA2]
00000CA3 0011 0005 00C8 DataSz: 0066 BlockSz: 0070 [00000CAF-00000D1E]
00000D1F 0012 0005 00C8 DataSz: 0066 BlockSz: 0070 [00000D2B-00000D9A]
00000D9B 0013 0005 00C8 DataSz: 0066 BlockSz: 0070 [00000DA7-00000E16]
00000E17 0014 0005 00C8 DataSz: 0066 BlockSz: 0070 [00000E23-00000E92]
00000E93 0029 0003 0552 DataSz: 00A1 BlockSz: 00B0 [00000E9F-00000F4E]
00000F4F 002F 0011 0049 DataSz: 0037 BlockSz: 0040 [00000F5B-00000F9A]
00000F9B 010C 0001 0015 DataSz: 0015 BlockSz: 0015 [00000FA7-00000FBB]
00000FBC 0123 0003 0008 DataSz: 0008 BlockSz: 0008 [00000FC8-00000FCF]
00000FD0 002E 0010 0034 DataSz: 0020 BlockSz: 0020 [00000FDC-00000FFB]
00000FFC 000E 0010 0030 DataSz: 0023 BlockSz: 0030 [00001008-00001037]
00001038 011B 000D 0010 DataSz: 0010 BlockSz: 0010 [00001044-00001053]
00001054 0019 0005 01F6 DataSz: 0023 BlockSz: 0030 [00001060-0000108F]
00001090 001F 0003 0050 DataSz: 002E BlockSz: 0030 [0000109C-000010CB]
000010CC 003A 0003 005F DataSz: 002A BlockSz: 0030 [000010D8-00001107]
00001108 000A 0005 005C DataSz: 0026 BlockSz: 0030 [00001114-00001143]
Do you know what the UInt16 fields in Block_2 are? Do you know if their data contents have any XXTEA encryption or other?
If they have good control over their ADC chips, then what features exactly would a user be able to get extra from software hacking? What is their sales risk vs reward? Most of this type of hacking (especially the hardware one) would be done by hobbyists who wouldn't shell out the big bucks for higher-end models anyway. Giving them a taste for higher-end options might help overall.
I see this as an interesting experiment and am curious how it's going to play out. Let's not blast them for making it easy for us, I don't think it's productive.
I see this as an interesting experiment and am curious how it's going to play out. Let's not blast them for making it easy for us, I don't think it's productive.
They've been doing it for a long time now.
The MSO5000 has been hackable since day one, the DS1054Z too.
Sales of both would definitely have been significantly lower if they hadn't allowed hacking.
Before that it was the DS1052E...
etc., etc.
Rigol management for sure knows all about it and obviously told the engineers not to lock anything down. Anybody who can't see that might want to make an appointment with the optician.
PS: There's a DS1000Z variant that is locked down - the one with the built-in AWG. They obviously decided not to let anybody have that for free, then repented with the MSO5000 and allowed it again.
If they have good control over their ADC chips, then what features exactly would a user be able to get extra from software hacking? What is their sales risk vs reward? Most of this type of hacking (especially the hardware one) would be done by hobbyists who wouldn't shell out the big bucks for higher-end models anyway. Giving them a taste for higher-end options might help overall.
I see this as an interesting experiment and am curious how it's going to play out. Let's not blast them for making it easy for us, I don't think it's productive.
Hacking of these devices would have the same usefulness as it did with the old Riglol: you could buy the cheapest MSO1074 and unlock bandwidth to the full 200MHz and all optional features that the MSO1000 platform has. If a simple license generator (like Riglol) is available, then it would be low (zero) risk for home users and would be done en masse..
These scopes are not exactly DS1000Z cheap though, so the market will still be much smaller.
I don't see conversion from MSO1000 to MSO4000 as something that would be done by more than a few daredevils.
It also remains to be seen if this "too easy hack" was a gaffe by Rigol and will be patched ASAP.
If they don't then they might be counting on this "advantage" and are happy to sell the scope at lowest price..