
Hacking the HDO1k/HDO4k Rigol 12 bit scope


bosav:
Update on #594

Figured out how to make the scope run patched code, ignoring the signatures. (inspired by https://github.com/giacomoferretti/odex-patcher)

The trick is that besides the installed apk, there is also precompiled code generated on install (odex), which, having root permissions, can be replaced and can be used without signature verification. Also, this is relatively safe and can be reverted - simply reinstalling the app will recreate those files.

Step by step, how to update the odex file:

--- Code: ---# (on the host) push the patched apk to the device
adb push Auklet.apk /sdcard/Download/base.apk

# log in to the device as root (needed for dex2oat to work)
adb root
adb shell

# (in the adb shell) generate an odex file from the patched code, using arguments similar to those found in the original odex file
cd /sdcard/Download
dex2oat --instruction-set=arm64 --instruction-set-variant=cortex-a53 --instruction-set-features=default --compiler-filter=verify-profile --dex-file=base.apk --oat-file=base.odex

# (on the host) pull the generated odex file from the device for patching the dex hashes in it
adb pull /sdcard/Download/base.odex

# to make android use the new odex file, we need to replace the file hashes for the dex files in it (so it is not re-generated)

# crc32 hashes before code changes
#    b09a1260 classes.dex
#    5ebcb7e4 classes2.dex

# after code changes
#    b0aabf7e classes.dex
#    23e082b5 classes2.dex

# using some hex editor, this would be two replacements in the odex file
# (the crc32 values are stored little-endian, hence the reversed byte order; the patched
#  apk's hashes are replaced by the installed apk's hashes, so the odex is accepted as matching it)
#  7ebfaab0 -> 60129ab0
#  b582e023 -> e4b7bc5e
# (if there are multiple places with this data - the ones to change should be close together, at the beginning of the file, near ".dex"; in my case however there was just one entry… for a more "reliable/correct" approach, check the odex-patcher code mentioned above for references about the odex file format)


# (on the host) push the patched odex file back (using a different file name to avoid replacing the original with bad permissions)
adb push base.odex /data/app/com.rigol.scope-1/oat/arm64/base1.odex

# (in the adb shell) list the original file in the target folder to see its ownership
ls -la /data/app/com.rigol.scope-1/oat/arm64/base.odex
#   -rw-rw---- 1 system u0_a31000 15172224 2023-12-25 21:05 /data/app/com.rigol.scope-1/oat/arm64/base.odex

# change the owner of the added file to match the original
chown system:u0_a31000 /data/app/com.rigol.scope-1/oat/arm64/base1.odex

# replace the original odex file
mv /data/app/com.rigol.scope-1/oat/arm64/base1.odex /data/app/com.rigol.scope-1/oat/arm64/base.odex

# done, restart the app/scope to see the changes

--- End code ---

This made the changes mentioned in the original post appear in the UI.

However, the 50Ω impedance switch, while visible and clickable, did not work, because of checks in libscope-auklet.so also blocking it.

Looking into libscope using Ghidra (https://ghidra-sre.org/), I found some interesting usages of _Z20API_GetProductSeriesv.

For the 50Ω input specifically, _ZN12CApiVertical23ApiChannel_SetImpedanceEj was easy to patch:


--- Code: ---# find & replace in a hex editor (the first 20 bytes are unchanged and serve only as a prefix to make the match unique in the file;
# only the last 4-byte word changes: 1f401f71 is a compare-immediate on w0, 06000014 is an unconditional "b" 24 bytes forward)
f30300aa6ccefc971f0800710101005499e1fc971f401f71
f30300aa6ccefc971f0800710101005499e1fc9706000014

--- End code ---

Using the same approach, I pushed the patched libscope file to the device:


--- Code: ---# (on the host) push the patched file to the apk install location
adb root
adb push libscope-auklet.so /data/app/com.rigol.scope-1/lib/arm64/libscope-auklet.so

# (in the adb shell) fix the ownership to match the original file
chown system:u0_a31000 /data/app/com.rigol.scope-1/lib/arm64/libscope-auklet.so

--- End code ---

After restarting the scope, toggling the input impedance appeared to work (the relay does click; the DC offset was also corrected after running self-calibration).
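The checksum rewrite in the post above is done by hand in a hex editor, with the caveat that the right occurrence of the bytes has to be guessed. The script below is an added example (not bosav's script and not odex-patcher) that does the same rewrite by locating each OatDexFile entry through its length-prefixed dex location string, the <u32 length><location><u32 checksum> layout ART writes at the start of every OatDexFile header, and that checks the checksum it finds really is the CRC32 of the dex in the patched apk before swapping in the CRC32 of the dex in the installed apk. File names (Auklet.apk, base.apk pulled from the scope, base.odex) follow the post; the build_demo data is a constructed in-memory stand-in for a real odex/apk pair, not a dump from a scope.

```python
"""Rewrite dex checksums in a dex2oat-generated OAT (.odex) file.

Added example, not the forum author's script. Assumes ART's OatDexFile header
layout <u32 location length><location bytes><u32 dex checksum>, and that the
checksum is the zip CRC32 of the classes*.dex entry (the CRC values listed in
the post are exactly those). Demo data is constructed, not a scope dump."""
import io
import struct
import zipfile

PRINTABLE = set(range(0x20, 0x7F))


def dex_checksums(apk: bytes) -> dict:
    """classes*.dex entry name -> CRC32 stored in the apk's central directory."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {i.filename: i.CRC for i in zf.infolist()
                if i.filename.startswith("classes") and i.filename.endswith(".dex")}


def find_oat_dex_entries(oat: bytes, max_loc: int = 512):
    """Yield (location, checksum_offset) for each OatDexFile header: a printable
    string ending in .apk/.dex ('base.apk', 'base.apk!classes2.dex') whose
    preceding u32 equals its own length. Loose mentions of the name, e.g. in the
    dex2oat-cmdline key/value, fail that length test."""
    for suffix in (b".apk", b".dex"):
        start = 0
        while (pos := oat.find(suffix, start)) != -1:
            end = pos + len(suffix)
            start = end
            for n in range(len(suffix), max_loc + 1):
                loc_start = end - n
                if loc_start < 4:
                    break
                if oat[loc_start - 4:loc_start] != struct.pack("<I", n):
                    continue
                loc = oat[loc_start:end]
                if all(b in PRINTABLE for b in loc):
                    yield loc.decode("ascii"), end  # checksum directly follows
                break


def dex_name(location: str) -> str:
    """ART names secondary dex files '<apk>!classesN.dex'; primary is classes.dex."""
    return location.split("!", 1)[1] if "!" in location else "classes.dex"


def read_checksums(oat: bytes) -> dict:
    """location -> checksum currently stored in the OAT file."""
    return {loc: struct.unpack_from("<I", oat, off)[0]
            for loc, off in find_oat_dex_entries(oat)}


def verify_built_from(oat: bytes, apk: bytes) -> bool:
    """True if every stored checksum equals the CRC32 of the same-named dex in
    `apk`, i.e. this odex was compiled from that apk."""
    crc, stored = dex_checksums(apk), read_checksums(oat)
    return bool(stored) and all(crc.get(dex_name(l)) == c for l, c in stored.items())


def rewrite_checksums(oat: bytes, patched_apk: bytes, installed_apk: bytes):
    """Swap each checksum from the patched apk's CRC to the installed apk's CRC so
    the runtime pairs this odex with the signed apk. Refuses an odex that was not
    built from `patched_apk`, since blind replacement would then corrupt it."""
    if not verify_built_from(oat, patched_apk):
        raise ValueError("odex checksums do not match the patched apk")
    installed, buf, log = dex_checksums(installed_apk), bytearray(oat), []
    for loc, off in sorted(find_oat_dex_entries(oat), key=lambda e: e[1]):
        old, new = struct.unpack_from("<I", buf, off)[0], installed[dex_name(loc)]
        struct.pack_into("<I", buf, off, new)
        log.append((loc, old, new))
    return bytes(buf), log


def _apk(dex1: bytes, dex2: bytes) -> bytes:
    """Constructed two-dex apk (a zip) for the demo; real apks work the same way."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("classes.dex", dex1)
        zf.writestr("classes2.dex", dex2)
    return out.getvalue()


def build_demo():
    """Constructed installed apk, patched apk and a minimal odex whose OatDexFile
    headers carry the patched apk's CRCs, as dex2oat would have written them."""
    installed = _apk(b"dex\n035\0 original 1", b"dex\n035\0 original 2")
    patched = _apk(b"dex\n035\0 patched 1", b"dex\n035\0 patched 2")
    crc = dex_checksums(patched)

    def entry(loc: bytes, checksum: int) -> bytes:
        return struct.pack("<I", len(loc)) + loc + struct.pack("<II", checksum, 0x1000)

    oat = (b"\x7fELF" + b"\0" * 28 + b"oat\n131\0" + b"\0" * 16
           + b"dex2oat-cmdline=--dex-file=base.apk --oat-file=base.odex\0"
           + entry(b"base.apk", crc["classes.dex"])
           + entry(b"base.apk!classes2.dex", crc["classes2.dex"]) + b"\0" * 32)
    return oat, patched, installed


if __name__ == "__main__":
    import sys  # usage: odex_fix.py base.odex Auklet.apk installed-base.apk
    real = len(sys.argv) == 4
    files = [open(p, "rb").read() for p in sys.argv[1:]] if real else build_demo()
    new_oat, changes = rewrite_checksums(*files)
    for loc, old, new in changes:
        print(f"{loc}: {old:08x} -> {new:08x}")
    if real:
        open(sys.argv[1] + ".patched", "wb").write(new_oat)
```

With real files, the three inputs are the base.odex produced by dex2oat on the scope, the patched Auklet.apk, and the installed base.apk pulled from /data/app/com.rigol.scope-1/; the output base.odex.patched is what gets pushed back and renamed as in the post. The two checks worth keeping even if you patch by hand are the ones this script makes: the stored value must already be the patched dex's CRC (otherwise you are editing the wrong bytes), and the file length must not change.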

Dennis Frie:

--- Quote from: bosav on December 26, 2023, 04:14:26 pm ---Update on #594

Figured out how to make the scope run pathed code, ignoring the signatures. (inspired by https://github.com/giacomoferretti/odex-patcher)

The trick is that besides the installed apk, there is also precompiled code generated on install (odex). Which having root permissions can be replaced, and can be used without signature verification.  Also, this is relatively safe and can be reverted - simply reinstalling the app, will recreate those files.

step by step, how to update odex file:

--- Code: ---# push patched apk to the device
adb push Auklet.apk /sdcard/Download/base.apk

# login onto the device as root (needed for dex2oat to work)
adb root
adb shell

# on the device generate odex file from the patched code, using arguments similar to those found in the original odex file
cd /sdcard/Download
dex2oat --instruction-set=arm64 --instruction-set-variant=cortex-a53 --instruction-set-features=default --compiler-filter=verify-profile  --dex-file=base.apk --oat-file=base.odex

# pull generated odex file from the device for patching dex hashes in it
adb pull /sdcard/Download/base.odex

# to make android use new odex file, we need to replace file hashes for dex files in it(so it is not re-generated)

# crc32 hashes before code changes
#    b09a1260 classes.dex
#    5ebcb7e4 classes2.dex

# after code changes
#    b0aabf7e classes.dex
#    23e082b5 classes2.dex

# using some hex editor, this would be two replacements in odex file
#  7ebfaab0 -> 60129ab0
#  b582e023 -> e4b7bc5e
# (if there are multiple places with this data - the ones to change should be close together, at the beginning of the file, near ".dex", in my case however there was just one entry… for more "reliable/correct" approach - check odex-patcher code mentioned above for references about odex file format)


# push patched odex file back (using a different file name to avoid replacing the original with bad permissions)
adb push base.odex /data/app/com.rigol.scope-1/oat/arm64/base1.odex

# on the device, list files in the target folder to see the ownership
ls -la /data/app/com.rigol.scope-1/oat/arm64/base.odex
#   -rw-rw---- 1 system u0_a31000 15172224 2023-12-25 21:05 /data/app/com.rigol.scope-1/oat/arm64/base.odex

# change owner for added file to match original
chown system:u0_a31000 /data/app/com.rigol.scope-1/oat/arm64/base1.odex

# replace the original odex file
mv /data/app/com.rigol.scope-1/oat/arm64/base1.odex /data/app/com.rigol.scope-1/oat/arm64/base.odex

# done, restart the app/scope - to see the changes

--- End code ---

This made the changes mentioned in the original post appear in the UI.

However, the 50Ω impedance switch, while visible and clickable - but did not worked, because of checks also in libscope-auklet.so blocking it.

Looking into libscope using Ghidra(https://ghidra-sre.org/), found some interesting usages of _Z20API_GetProductSeriesv

For 50Ω input specifically _ZN12CApiVertical23ApiChannel_SetImpedanceEj was easy to patch:


--- Code: ---# find & replace in a hex editor (added a prefix to make it unique in the file)
f30300aa6ccefc971f0800710101005499e1fc971f401f71
f30300aa6ccefc971f0800710101005499e1fc9706000014

--- End code ---

Using the same approach, pushed the patched libscope file to the device:


--- Code: ---# push the patched file to apk install location
adb root
adb push libscope-auklet.so /data/app/com.rigol.scope-1/lib/arm64/libscope-auklet.so

# fix permissions in adb shell
chown system:u0_a31000 /data/app/com.rigol.scope-1/lib/arm64/libscope-auklet.so

--- End code ---

After restarting the scope - the toggling of input impedance appeared working (the relay does click, DC offset also was corrected after running self-calibration).

--- End quote ---

Really nice work. Using dex2oat is an interesting approach, but modifying the manifest and installing it as a new application seems like an easier way, at least for initial testing.

Good work on the libscope, that's a great find  :clap:. I have to try that, thanks.

voltsandjolts:
Excellent, nice work, good to know that the fpga bitstream doesn't play a part in disabling use of the 50 Ohm inputs.

zrq:
I think patching the .so on the fly is actually easier; it would have been nice to know this earlier. In my experiments, there is no need to touch the Java code, so the patching can be done quite simply with just adb and a hex editor (or programmatically).
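zrq's point, that the native patch needs only adb plus a hex editor or a script, in code: an added example (not zrq's or bosav's own tooling) that applies bosav's 24-byte libscope-auklet.so find/replace with the two checks a hex editor does not give you, that the pattern occurs exactly once and that the file size is unchanged, and that decodes the one changed instruction word. My reading of the bytes: the original last word 1f401f71 is a 32-bit compare-immediate (cmp w0, #0x7d0) and the replacement 06000014 is an unconditional b to +24 bytes, which skips the five instructions that follow. The demo_library content is constructed filler around the patch site, not the real library.

```python
"""Apply a fixed-size byte patch to a native library and decode the changed
AArch64 instruction. Added example, not the forum authors' tooling; FIND/REPL
are the byte sequences bosav posted for libscope-auklet.so, demo_library() is
constructed filler around them rather than the real file."""
import struct

FIND = bytes.fromhex("f30300aa6ccefc971f0800710101005499e1fc971f401f71")
REPL = bytes.fromhex("f30300aa6ccefc971f0800710101005499e1fc9706000014")


def encode_b(offset: int) -> bytes:
    """AArch64 unconditional B: opcode 0b000101 in bits 31:26, signed imm26 =
    byte offset / 4, stored little-endian in the file."""
    if offset % 4 or not -(1 << 27) <= offset < (1 << 27):
        raise ValueError("offset must be a multiple of 4 within +/-128 MiB")
    return struct.pack("<I", 0x14000000 | ((offset >> 2) & 0x3FFFFFF))


def decode_b(word: bytes):
    """Byte offset of an AArch64 B instruction, or None if `word` is not one."""
    (v,) = struct.unpack("<I", word)
    if v >> 26 != 0b000101:
        return None
    imm = v & 0x3FFFFFF
    return (imm - (1 << 26) if imm & (1 << 25) else imm) << 2


def decode_cmp_imm(word: bytes):
    """(rn, imm12) if `word` is a 32-bit CMP (immediate), i.e. SUBS wzr, wN, #imm
    with no shift, else None. Shows what the patch removes."""
    (v,) = struct.unpack("<I", word)
    if v >> 22 != 0b0111000100 or v & 0x1F != 31:
        return None
    return (v >> 5) & 0x1F, (v >> 10) & 0xFFF


def changed_words(find: bytes, repl: bytes) -> list:
    """Byte indices of the 4-byte instruction words that differ."""
    return [i for i in range(0, len(find), 4) if find[i:i + 4] != repl[i:i + 4]]


def apply_patch(data: bytes, find: bytes = FIND, repl: bytes = REPL) -> bytes:
    """Replace `find` with `repl` only if the size stays the same (ELF offsets
    must not move) and the pattern occurs exactly once (otherwise the context
    prefix is too short to identify the site)."""
    if len(find) != len(repl):
        raise ValueError("patch would change the file size")
    n = data.count(find)
    if n != 1:
        raise ValueError(f"pattern occurs {n} times, need exactly 1 (extend the context)")
    return data.replace(find, repl)


def demo_library() -> bytes:
    """Constructed stand-in for libscope-auklet.so: ELF magic, zero filler,
    the patch site, then eight NOPs (0xd503201f, little-endian)."""
    return b"\x7fELF" + b"\0" * 60 + FIND + b"\x1f\x20\x03\xd5" * 8


if __name__ == "__main__":
    import sys  # usage: so_patch.py libscope-auklet.so  (no argument: demo buffer)
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else demo_library()
    for i in changed_words(FIND, REPL):
        old, new = FIND[i:i + 4], REPL[i:i + 4]
        print(f"word {i // 4}: {old.hex()} cmp w{decode_cmp_imm(old)[0]}, "
              f"#{decode_cmp_imm(old)[1]:#x} -> {new.hex()} b {decode_b(new):+d}")
    out = apply_patch(src)
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".patched", "wb").write(out)
```

The patched file is then pushed with the adb commands from bosav's post; keep the original library so the change can be reverted with the same push. If a later firmware moves the function, apply_patch fails loudly (zero matches) instead of a hex editor silently finding nothing, and encode_b lets you rebuild the branch word if the distance to the target changes.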

RFDx:

--- Quote from: TurboTom on December 03, 2023, 09:56:21 pm ---Most "fellas" interested in Rigol's DHO 800/900/1k/4k may have followed the other thread about the broken FlatTop FFT window function. I wrote a small BASIC (yes, really! ;) ) program that calculates the correct window file -- the Windows executable is attached.

--- End quote ---

Thank you very much, it works now as it should. Is the repair of the flattop window function to be done every time there is a new firmware update?
