Products > Test Equipment

Hacking the HDO1k/HDO4k Rigol 12 bit scope

(1/150) > >>

oliv3r:
Just a starting placeholder post for now, but this is a thread on hacking/unlocking the HDO-series of scopes from rigol (https://www.rigolna.com/products/digital-oscilloscopes/hdo4000/ and https://www.rigolna.com/products/digital-oscilloscopes/hdo1000/).

For more information for now, see https://www.eevblog.com/forum/testgear/rigol-hdo1000-and-hdo4000-12bit-oscilloscopes-launched-in-china/msg4446910/#msg4446910 ;)

We have nothing so far, we need at least some firmware, which is not yet available for download. I already requested the GPL source code for both these scopes.

First concerrns, secure boot. These android devices tend to be locked down at the bootloader, and tend to use 'verified boot'. If this is the case, unless we can get signing keys for the bootloader, hacking won't be possible as we can't replace the code. There might still be exploits and we might still 'hack' the code at runtime, but it wouldn't be a permanent one. From the Serial logs however, we don't see anything enabled in that light, secure boot, trust zone, all seems to be disabled. Also no dm-verity seems to be used.

Hardware hacking:
The HDO4000 and HDO1000 seem to share the same PCB (different revisions though) and one major difference, seems to be that one of the ADC's (and its power supply) is not populated. While in theory, one could solder the missing parts and turn a HDO1000 into a HDO4000 one electrically, finding the parts is probably not even going to be possible, and salvaging things from other scopes makes the value proposition not very interesting. But hey, in _theory_ its possible :)

Software hacking:
While the software platform is very similar to the MSO5000-series (FRAM to store stuff, encpryption, XXTEA etc).
A tool to decrypt the vendor.bin and generate a license key can be found here: https://gitlab.com/riglol/rigolee/hdo-tools. To use the license generator, one must have ssh access to the scope, to extract the key file from it (or use usb-uart and extract it like that somehow). Best extract the key at least once, and back it up, before updating any firmware, who knows what gets locked down later ;)

Warning a head, this will not be and is not intended to be, a 'support' thread. So please keep on topic and focus only on hacking/unlocking these scopes!
Discussion thread about bugs: https://www.eevblog.com/forum/testgear/new-rigol-hdo1000-12-bit-dso-bugs/

EEVblog:
Just did the HDO1000 teardown, and  :o
It's EXACTLY the same PCB as the HDO4000, minus one ADC!
Yes, that means full 800MHz front end with 50ohm even though the software doesn't support it.
Absolutely minor production changes, but it's clear they intend to use idenitical boards and parts. The profit margin on the HDO4000 must be really something.

So in theory you could get a 4CH 800MHz bandwidth 12bit 2GS/s scope for US$999

EEVblog:
Both PCB photos cropped and aligned here
https://www.flickr.com/photos/eevblog/albums/72177720303155959

Some extras here: https://www.flickr.com/photos/eevblog/albums/72177720303155042

EEVblog:

tv84:
Dave, please try some log peeking.

Navigation

[0] Message Index

[#] Next page

There was an error while thanking
Thanking...
Go to full version
Powered by SMFPacks Advanced Attachments Uploader Mod