Author Topic: Hacking the HDO1k/HDO4k Rigol 12 bit scope  (Read 171958 times)

0 Members and 5 Guests are viewing this topic.

Online 2N3055

  • Super Contributor
  • ***
  • Posts: 6936
  • Country: hr
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #25 on: October 26, 2022, 02:33:02 pm »
Assuming of course.. the 800MHz "image" loaded onto the FPGA is going to ignore the missing 2nd ADC..

That's where the "hack" would come into it - tweak the firmware to create a Frankenscope.  :-/O

Hack the FPGA bitstream? Or code, partially, so part of it behaves like 1000 and part of it like 4000?
Both of these options are not easy...
But again, it is not necessary to convert HDO1000 to crippled HDO4000. Just providing a license to unlock HDO1074 into HDO1204 is enough. Only thing missing is 50Ω inputs. Maybe Rigol decides to enable those anyways on 1000. Or maybe they will remove 50Ω path later as price optimization. HDO1000 are still nowhere to be bought at the moment.
Maybe they spun first revision batch for testing based on 4000 board, but will optimize cost later...
It is still too early to say.
But biggest benefit of 4000 is active probes and additional ADC. Without those, there is no point for scope to show 4000 on the screen. It could be fun and giggles for a  hacker that would do it but no real benefit for a user that would like to use scope for real work..
People were attacking that 2 GS/s and 500 MHz is bullshit, now suddenly 800 MHz  is alright with same sample rate...
 
The following users thanked this post: hans, Martin72, GuntherM

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16801
  • Country: 00
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #26 on: October 26, 2022, 02:49:37 pm »
Assuming of course.. the 800MHz "image" loaded onto the FPGA is going to ignore the missing 2nd ADC..

That's where the "hack" would come into it - tweak the firmware to create a Frankenscope.  :-/O

Hack the FPGA bitstream? Or code, partially, so part of it behaves like 1000 and part of it like 4000?

The FPGA code will be in a file. What a hacker would do is patch the HDO1000's FPGA flle into the HDO4000's firmware.

But again, it is not necessary to convert HDO1000 to crippled HDO4000. Just providing a license to unlock HDO1074 into HDO1204 is enough. Only thing missing is 50Ω inputs..

Are you sure that's the only difference in the software features? How do you know if you don't actually own either of them?

Maybe Dave can put them side by side and go through the menus/features/abilities.

If I had to bet, I'd put money on the 4000 having a few extra "advanced" features that the 1000 doesn't.
« Last Edit: October 26, 2022, 02:51:48 pm by Fungus »
 

Offline bob808

  • Frequent Contributor
  • **
  • Posts: 281
  • Country: 00
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #27 on: October 26, 2022, 02:55:40 pm »
If the RK3399 is running Android then it might have a recovery image (that should be triggered to boot with a button) and maybe even A/B partitioning.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16801
  • Country: 00
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #28 on: October 26, 2022, 03:03:14 pm »
There's two possibilities here:

a) Rigol used Android's secure boot mechanism to really lock down the firmware and made it very difficult to root/hack.

b) They've said "We'll make a hackable device and let the hackers believe they're fooling us". It's better to only make $100 than have them buy from somebody else.

They've done (b) for a long time now, let's hope this one doesn't bring a change of policy.
 

Offline hans

  • Super Contributor
  • ***
  • Posts: 1659
  • Country: nl
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #29 on: October 26, 2022, 03:10:51 pm »
No one can judge from pictures if the BOM is loaded identically for both boards.  Although the amplifier front-end IC can do 800MHz, the bandwidth limit options could also be set externally. E.g. both the HDO1k and HDO4k have 3 tiers of bandwidth: perhaps this is the max amount of bandwidth limit taps the front-end can support (besides 20MHz) by switching in a few extra passives externally. Many 0402 passives and/or capacitors don't have markings, so it's not possible to tell from pictures if they are different.

W.r.t. FPGA bitstreams: modifying them is not so easy. Many FPGA bitstream formats are not even open format, so good luck finding the right bits for modification. Moreover FPGA vendors/customers are very concerned about protecting IP.. and since most FPGAs are volatile devices (and thus the firmware is loaded externally on-boot), the loaded bitstream must also be protected outside the device. Newer FPGAs support encrypted bitstreams which can't (easily) be modified. With a bit of bad luck, Rigol has decided to use different AES decrypt keys for HDO1k/HDO4k, so transplanting FPGA just the images won't work. Most likely this key is set to read-only on the eFUSE of the FPGA.

Then there the part that a HDO4k FPGA bitstream can very well assume 2 ADCs are fitted. So even if you jumped through all these obstacles to get an image to run.. the device may very will malfunction at this stage without a 2nd ADC fitted. I agree with @2N3055, these are a lot of assumptions and transplanting ADCs is a very risky move to potentially brick 2 scopes. But one can only dream and hope. A hack from 70MHz to 200MHz is still quite decent, as that's a bandwidth jump lots of people were happy with for the Rigol 2000 series.

I'm not sure if Rigol is willing to protect their sales of the HDO4k that little. Purely from starting price and max BW, you can tell the HDO4k and HDO1k have different target groups. The HDO1k is still within hobbyist budget reach. We have one HDO4k on order at work because we don't want to fuss around with hacks and other potentially accuracy/reliability-affecting modifications.
 
The following users thanked this post: 2N3055

Offline bob808

  • Frequent Contributor
  • **
  • Posts: 281
  • Country: 00
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #30 on: October 26, 2022, 03:20:03 pm »
if their customer base is made up from mainly businesses then they might benefit from leaving ways of hacking it. just leave enough hoops such that businesses wouldn't fuss around with, warranty is also on the line.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16801
  • Country: 00
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #31 on: October 26, 2022, 03:21:49 pm »
No one can judge from pictures if the BOM is loaded identically for both boards.  Although the amplifier front-end IC can do 800MHz, the bandwidth limit options could also be set externally.

The obvious thing to do would be to check for presence of the second ADC.

W.r.t. FPGA bitstreams: modifying them is not so easy. Newer FPGAs support encrypted bitstreams which can't (easily) be modified. With a bit of bad luck, Rigol has decided to use different AES decrypt keys for HDO1k/HDO4k, so transplanting FPGA just the images won't work. Most likely this key is set to read-only on the eFUSE of the FPGA.

It won't be "luck", it will be a decision by Rigol's marketing department - allow hacking or not.

Hacking has sold a lot of Rigol 'scopes in the past, so... let's hope.

I'm not sure if Rigol is willing to protect their sales of the HDO4k that little.

Corporate/educational users aren't going to hack them, they'll pay full price.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16801
  • Country: 00
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #32 on: October 26, 2022, 03:23:29 pm »
warranty is also on the line.

Warranty isn't, but support contracts might be.
 

Online 2N3055

  • Super Contributor
  • ***
  • Posts: 6936
  • Country: hr
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #33 on: October 26, 2022, 03:27:56 pm »
Are you sure that's the only difference in the software features? How do you know if you don't actually own either of them?
There is a manual and datasheet. We don't know what and what not can Rigol add later. But at this moment it quite clear.
Also there is a fact that I know a bit about how these things are designed and what is and what isn't possible.

If I had to bet, I'd put money on the 4000 having a few extra "advanced" features that the 1000 doesn't.

I told you what is the difference at this moment. Don't trust me, do your homework. Don't ask Dave to do it for you..
 

Offline bob808

  • Frequent Contributor
  • **
  • Posts: 281
  • Country: 00
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #34 on: October 26, 2022, 03:29:16 pm »

The obvious thing to do would be to check for presence of the second ADC.


I saw what appears to be a missing regulator for the 2nd ADC. Rigol might sense its power rail or they might check in software and use an enable line for it (the regulator).
 

Offline bob808

  • Frequent Contributor
  • **
  • Posts: 281
  • Country: 00
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #35 on: October 26, 2022, 04:00:27 pm »
There's this part arrangement that's not populated on the HDO1k. Lower right one is missing. Upper left one has 1.8V label, and could be a linear reg. On the right side one (bottom) there's also a very small part that's missing from the left one. Might be a sense line. If the ADC is using analog and digital rails then maybe the other missing part (one MPPD 3630 marked) is the digital switching reg.

« Last Edit: October 26, 2022, 04:08:41 pm by bob808 »
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16801
  • Country: 00
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #36 on: October 26, 2022, 04:09:44 pm »
That's where the "hack" would come into it - tweak the firmware to create a Frankenscope.  :-/O
Hack the FPGA bitstream?

No, hack the firmware - where the FPGA bitstream files are stored.

(Reading comprehension??)

Are you sure that's the only difference in the software features? How do you know if you don't actually own either of them?
There is a manual and datasheet. We don't know what and what not can Rigol add later. But at this moment it quite clear.

Weird. All I did was glance at the index of both manuals and I saw the HDO4000 has a whole extra chapter.

It also has three more trigger types than the HDO1000 and three more protocol decoding options. :-//


 

Offline bob808

  • Frequent Contributor
  • **
  • Posts: 281
  • Country: 00
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #37 on: October 26, 2022, 04:31:38 pm »
MPPD 3630 marked device seems to indeed be a switching regulator, and does have an enable line as well.
https://www.monolithicpower.com/en/documentview/productdocument/index/version/2/document_type/Datasheet/lang/en/sku/MPM3630GQV/document_id/2114/
Or just search for MPM3630.

edit:
looking at the footprint in the datasheet I marked the trace for the enable/sync line. probing this at startup should be interesting to see if they also software disable that reg.
at least the enable trace seems to be going to that pad. hard to see.
« Last Edit: October 26, 2022, 04:42:02 pm by bob808 »
 
The following users thanked this post: Serg65536, GuntherM

Offline Kahooli

  • Contributor
  • Posts: 12
  • Country: us
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #38 on: October 26, 2022, 04:51:18 pm »
Dave,
I noticed in your teardown you didn't take the board out of the front chassis - can you tell if the active probe pads are part of the main board and covered on the HDO1000, but uncovered for the 4000? Or are they a sub assembly?
 

Offline bob808

  • Frequent Contributor
  • **
  • Posts: 281
  • Country: 00
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #39 on: October 26, 2022, 04:57:27 pm »
And linear reg seems to be a TPS72301 which is a negative linear reg. At least the markings match. And its enable pin seems to be tied to input, on the pcb.

edit: ah yes, on the left side reg there's N1V8 on the silkscreen which must mean negative 1.8V. so HDO1K is missing a set of +/- 1.8V rails. And an ADC.
so theoretically one of the easiest hacks (if they allow it) would be to power the sense lines for these rails, if they have any sense lines on those rail outputs.
« Last Edit: October 26, 2022, 05:17:30 pm by bob808 »
 
The following users thanked this post: GuntherM

Online tv84

  • Super Contributor
  • ***
  • Posts: 3251
  • Country: pt
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #40 on: October 26, 2022, 06:20:50 pm »
I'm not releasing it generally, but for those interested in the MXO44 lockup:
6:40 is when the problem starts.

I've said this before and repeat: I like new R&S scopes.

Having said that, this bug would fuel the whole hell from some of our residents if it was on a Siglent and even more on a Rigol.

I didn't see anything of the sort on this one...  :-//   (rush to market, etc. etc.)
 
The following users thanked this post: Someone, 2N3055, zrq

Online 2N3055

  • Super Contributor
  • ***
  • Posts: 6936
  • Country: hr
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #41 on: October 26, 2022, 06:47:59 pm »
That's where the "hack" would come into it - tweak the firmware to create a Frankenscope.  :-/O
Hack the FPGA bitstream?

No, hack the firmware - where the FPGA bitstream files are stored.

(Reading comprehension??)

Are you sure that's the only difference in the software features? How do you know if you don't actually own either of them?
There is a manual and datasheet. We don't know what and what not can Rigol add later. But at this moment it quite clear.

Weird. All I did was glance at the index of both manuals and I saw the HDO4000 has a whole extra chapter.

It also has three more trigger types than the HDO1000 and three more protocol decoding options. :-//

So FPGA bitstream contents... Where you load it from is not relevant.
Three more triggers and three more protocol decodes are not a big difference. Triggers will be in HDO4000 bitstream that you cannot load because you don't have additional ADC...

 

Offline bob808

  • Frequent Contributor
  • **
  • Posts: 281
  • Country: 00
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #42 on: October 26, 2022, 06:56:40 pm »
Found a better picture from the HDO1K teardown.

Upper yellow circled pad seems to actually be the enable line for the +1.8V regulator (but should be checked with dmm). Lower blue circled pad might be a sense line for the -1.8V output.
There's two vias on the output of the positive regulator but they are before filtering so might be from the regulator itself.
« Last Edit: October 26, 2022, 07:01:12 pm by bob808 »
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37947
  • Country: au
    • EEVblog
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #43 on: October 26, 2022, 11:04:04 pm »
So what does the second ADC actually do? If the PCB's are the same, and all the four channels are connected to the one ADC, what's the purpose of the other ADC?

The front end chip has diff drivers one going to each ADC. In the HDO4000 each channel is interleaved to get double the sample rate.
The HDO1000 only has one ADC so you only get half the sampel rate maximum, and you can see on the front end, two of the resistors for the 2nd diff pair are missing because they aren't used.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37947
  • Country: au
    • EEVblog
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #44 on: October 26, 2022, 11:06:19 pm »
I'm not releasing it generally, but for those interested in the MXO44 lockup:
6:40 is when the problem starts.
I've said this before and repeat: I like new R&S scopes.
Having said that, this bug would fuel the whole hell from some of our residents if it was on a Siglent and even more on a Rigol.
I didn't see anything of the sort on this one...  :-//   (rush to market, etc. etc.)

FYI, R&S have said they have recreated the problem and are working on it. The firmware is still early release stuff, they mentioned also a known issue with the USB.
 
The following users thanked this post: pdenisowski

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37947
  • Country: au
    • EEVblog
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #45 on: October 26, 2022, 11:07:44 pm »
Dave,
I noticed in your teardown you didn't take the board out of the front chassis - can you tell if the active probe pads are part of the main board and covered on the HDO1000, but uncovered for the 4000? Or are they a sub assembly?

In the HDO4000 teardown you can see it's an entire PCB assembly for hte front active probes, with lots of fusing and the big ribbon cable running to the main PCB.
 
The following users thanked this post: Kahooli

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37947
  • Country: au
    • EEVblog
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #46 on: October 26, 2022, 11:10:45 pm »
I'm not sure if Rigol is willing to protect their sales of the HDO4k that little.
Corporate/educational users aren't going to hack them, they'll pay full price.

Correct. That's how the game is played.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 37947
  • Country: au
    • EEVblog
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #47 on: October 26, 2022, 11:12:26 pm »
If the RK3399 is running Android then it might have a recovery image (that should be triggered to boot with a button) and maybe even A/B partitioning.

There are three unlabled button populated on the PCB  8)
 

Offline bob808

  • Frequent Contributor
  • **
  • Posts: 281
  • Country: 00
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #48 on: October 26, 2022, 11:26:14 pm »
Two of them seem right next to RTC battery. One of them might be a reset for that. The third looks like it has a trace going straight to the RK3399 chip.
 

Offline bob808

  • Frequent Contributor
  • **
  • Posts: 281
  • Country: 00
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #49 on: October 26, 2022, 11:36:19 pm »
RK808 which is under the RTC battery is a power management chip, and on the pinout the side towards the battery does have a RTC power line. So the upper two buttons might be related to RTC and something else. RK808 datasheet also shows a button in their application schematic. 

edit: also theoretically there could be some ways to disable AVB but needs to be in fastboot or recovery or something like that. dumping the partitions would also be useful, boot.img could be edited to disable AVB. there's also magisk.
not sure if you can navigate recovery with the front panel controls. but if you get it in recovery try and have it connected to a PC via USB cable and check device manager if anything pops up while in recovery/fastboot.
I didn't yet identify the storage/flash chip.
RK3399 seems to be in OrangePi4 https://www.orangepi.com/index.php?route=product/product&product_id=895 which also has RK808 power management chip.
« Last Edit: October 27, 2022, 12:00:00 am by bob808 »
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf