I had a play with uboot on a raspberry pi just to emulate the procedure and I was able to extract a file from /boot, modify it and write it back, all from the uboot shell.
Some manufacturers might set the countdown timer to a very low value so it's easier to miss it, but if you spam the keyboard after startup you should get into the shell.
The text to watch out for is:
Hit any key to stop autoboot: 0
After dropping into the uboot shell you should type "help" at first so you get a list of available commands:
U-Boot> help
? - alias for 'help'
base - print or set address offset
bdinfo - print Board Info structure
blkcache - block cache diagnostics and control
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootefi - Boots an EFI payload from memory
bootelf - Boot from an ELF image in memory
bootflow - Boot flows
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
bootvx - Boot vxWorks from an ELF image
bootz - boot Linux zImage image from memory
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
dhcp - boot image via network using DHCP/TFTP protocol
dm - Driver model low level access
echo - echo args to console
editenv - edit environment variable
env - environment handling commands
exit - exit script
ext2load - load binary file from a Ext2 filesystem
ext2ls - list files in a directory (default /)
ext4load - load binary file from a Ext4 filesystem
ext4ls - list files in a directory (default /)
ext4size - determine a file's size
false - do nothing, unsuccessfully
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
fatmkdir - create a directory
fatrm - delete a file
fatsize - determine a file's size
fatwrite - write file into a dos filesystem
fdt - flattened device tree utility commands
fstype - Look up a filesystem type
fstypes - List supported filesystem types
fsuuid - Look up a filesystem UUID
go - start application at address 'addr'
gpio - query and control gpio pins
help - print command description/usage
iminfo - print header information for application image
imxtract - extract a part of a multi-image
itest - return true/false on integer compare
lcdputs - print string on video framebuffer
ln - Create a symbolic link
load - load binary file from a filesystem
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loadx - load binary file over serial line (xmodem mode)
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
ls - list files in a directory (default /)
md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mmc - MMC sub system
mmcinfo - display MMC info
mw - memory write (fill)
net - NET sub-system
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
panic - Panic with optional message
part - disk partition related commands
ping - send ICMP ECHO_REQUEST to network host
pinmux - show pin-controller muxing
printenv - print environment variables
pxe - commands to get and boot from pxe files
random - fill memory with random pattern
reset - Perform RESET of the CPU
run - run commands in an environment variable
save - save file to a filesystem
saveenv - save environment variables to persistent storage
setcurs - set cursor position within screen
setenv - set environment variables
setexpr - set environment variable as the result of eval expression
showvar - print local hushshell variables
size - determine a file's size
sleep - delay execution for some time
source - run script from memory
sysboot - command to get and boot from syslinux files
test - minimal test like /bin/sh
tftpboot - load file via network using TFTP protocol
true - do nothing, successfully
usb - USB sub-system
usbboot - boot from USB device
version - print monitor, compiler and linker version
Now this is where there might be surprises. The upper list is from a raspberry pi, and I do have "save" and "usb" which make it easy. There's USB ports on the front of the oscilloscope so you should be able to add a fat formatted usb stick.
Also on the rpi the storage was under the "mmc" command. The oscilloscope should have 8GB storage.
You basically load the file of interest into RAM with something like:
load mmc 0:1 $loadaddr example.dtbwhere 0:1 is the device and partition
and then write it to usb with
save usb 0:2 $loadaddr example.dtb nr_of_bytesthis wrote the file to the second partition of the usb stick.
I had to input the correct number of bytes based on the size of the file in RAM.
I wrote back the modified file the other way around. But extracting/inserting files into the oscilloscope's storage might vary depending on available commands in the oscilloscope's uboot shell.
TFTP booting should also be available from uboot shell so you could use a minimal linux system from a local TFTP server that's for a rk3399 board and you might be able to get a bash shell to access local storage.
edit: maybe don't write to the scope's storage until there's firmware available and ways for restoring it.
Home
Help
Search
Login
Register
Topic: Hacking the HDO1k/HDO4k Rigol 12 bit scope (Read 140860 times)