Hacking the HDO1k/HDO4k Rigol 12 bit scope

[oliv3r]

Just a starting placeholder post for now, but this is a thread on hacking/unlocking the HDO-series of scopes from rigol (https://www.rigolna.com/products/digital-oscilloscopes/hdo4000/ and https://www.rigolna.com/products/digital-oscilloscopes/hdo1000/).

For more information for now, see https://www.eevblog.com/forum/testgear/rigol-hdo1000-and-hdo4000-12bit-oscilloscopes-launched-in-china/msg4446910/#msg4446910

We have nothing so far, we need at least some firmware, which is not yet available for download. I already requested the GPL source code for both these scopes.

First concerrns, secure boot. These android devices tend to be locked down at the bootloader, and tend to use 'verified boot'. If this is the case, unless we can get signing keys for the bootloader, hacking won't be possible as we can't replace the code. There might still be exploits and we might still 'hack' the code at runtime, but it wouldn't be a permanent one. From the Serial logs however, we don't see anything enabled in that light, secure boot, trust zone, all seems to be disabled. Also no dm-verity seems to be used.

Hardware hacking:
The HDO4000 and HDO1000 seem to share the same PCB (different revisions though) and one major difference, seems to be that one of the ADC's (and its power supply) is not populated. While in theory, one could solder the missing parts and turn a HDO1000 into a HDO4000 one electrically, finding the parts is probably not even going to be possible, and salvaging things from other scopes makes the value proposition not very interesting. But hey, in _theory_ its possible

Software hacking:
While the software platform is very similar to the MSO5000-series (FRAM to store stuff, encpryption, XXTEA etc).
A tool to decrypt the vendor.bin and generate a license key can be found here: https://gitlab.com/riglol/rigolee/hdo-tools. To use the license generator, one must have ssh access to the scope, to extract the key file from it (or use usb-uart and extract it like that somehow). Best extract the key at least once, and back it up, before updating any firmware, who knows what gets locked down later

Warning a head, this will not be and is not intended to be, a 'support' thread. So please keep on topic and focus only on hacking/unlocking these scopes!
Discussion thread about bugs: https://www.eevblog.com/forum/testgear/new-rigol-hdo1000-12-bit-dso-bugs/

[EEVblog]

Just did the HDO1000 teardown, and 
It's EXACTLY the same PCB as the HDO4000, minus one ADC!
Yes, that means full 800MHz front end with 50ohm even though the software doesn't support it.
Absolutely minor production changes, but it's clear they intend to use idenitical boards and parts. The profit margin on the HDO4000 must be really something.

So in theory you could get a 4CH 800MHz bandwidth 12bit 2GS/s scope for US$999

[EEVblog]

Both PCB photos cropped and aligned here
https://www.flickr.com/photos/eevblog/albums/72177720303155959

Some extras here: https://www.flickr.com/photos/eevblog/albums/72177720303155042

[EEVblog]

[tv84]

Dave, please try some log peeking.

[EEVblog]

Dave, please try some log peeking.

Began shooting that video before I left for home tonight. Will continue tomorrow.

[Fungus]

So in theory you could get a 4CH 800MHz bandwidth 12bit 2GS/s scope for US$999

All you need is that second custom Rigol  ADC. 


PS: There's a lot of missing stuff at top-right. What's all that for?

[mawyatt]

Quite interesting video indeed, thanks!!

One thing about the 1000 that may be going on is the 1000 may get the fallout ADCs that can't be utilized in the 4000. For example, the 4000 may require the 2 ADCs to be matched within some range like thru-put timing skew.

Also very interested in who. where and what process the ADCs came from.

Best,

[thm_w]

PS: There's a lot of missing stuff at top-right. What's all that for?

Those were the supplies + sense leads for probe detection. Not used on the HDO1k.

[EEVblog]

Dave, please try some log peeking.

Began shooting that video before I left for home tonight. Will continue tomorrow.

Sorry, haven't got it yet. Used my new R&S MXO44 scope to probe and debug and it turned into an entire session where the scope locked up 
Rendering video on that now for R&S to look at.

[EEVblog]

One thing about the 1000 that may be going on is the 1000 may get the fallout ADCs that can't be utilized in the 4000. For example, the 4000 may require the 2 ADCs to be matched within some range like thru-put timing skew.

Could be.
Someone in the comments noticed that the 2nd diff pair of resistor above the ASIC is missing.
So the HDO400o uses two pairs form the front end ASIC and the HDO1000 uses only one pair.
Maybe the extra pair is for a higher bandwidth path? Doesn't make much sense, but that's all I can think it. Going to have to measure them.

[EEVblog]

I'm not releasing it generally, but for those interested in the MXO44 lockup:
6:40 is when the problem starts.

[EEVblog]

The serial output is 1.5Mbaud and my terminal cature programs can't handle that data rate.
I was able to decode the text "Version" on my Keysight 3000 when manually set to 1.5Mbaud but I really need a PC capture to get the whole lot.
Need another option, maybe one of my PC based scopes.

[EEVblog]

Data dump from the HDO1000. The Salaea logic did 1.5Mbps and has a data terminal window, very nice.
The /0 data continues for the rest of the boot process and then nothing when power is shut down.

Code: [Select]

DDR Version 1.26 20210628
In
channel 0
CS = 0
MR0=0x98
MR4=0x1
MR5=0xFF
MR8=0x10
MR12=0x72
MR14=0x72
MR18=0x0
MR19=0x0
MR24=0x8
MR25=0x0
channel 1
CS = 0
MR0=0x98
MR4=0x1
MR5=0xFF
MR8=0x10
MR12=0x72
MR14=0x72
MR18=0x0
MR19=0x0
MR24=0x8
MR25=0x0
channel 0 training pass!
channel 1 training pass!
change freq to 416MHz 0,1
Channel 0: LPDDR4,416MHz
Bus Width=32 Col=10 Bank=8 Row=16 CS=1 Die Bus-Width=16 Size=2048MB
Channel 1: LPDDR4,416MHz
Bus Width=32 Col=10 Bank=8 Row=16 CS=1 Die Bus-Width=16 Size=2048MB
256B stride
channel 0
CS = 0
MR0=0x98
MR4=0x1
MR5=0xFF
MR8=0x10
MR12=0x72
MR14=0x72
MR18=0x0
MR19=0x0
MR24=0x8
MR25=0x0
channel 1
CS = 0
MR0=0x98
MR4=0x1
MR5=0xFF
MR8=0x10
MR12=0x72
MR14=0x72
MR18=0x0
MR19=0x0
MR24=0x8
MR25=0x0
channel 0 training pass!
channel 1 training pass!
channel 0, cs 0, advanced training done
channel 1, cs 0, advanced training done
change freq to 856MHz 1,0
ch 0 ddrconfig = 0x101, ddrsize = 0x40
ch 1 ddrconfig = 0x101, ddrsize = 0x40
pmugrf_os_reg[2] = 0x32C1F2C1, stride = 0xD
ddr_set_rate to 328MHZ
ddr_set_rate to 666MHZ
ddr_set_rate to 416MHZ, ctl_index 0
ddr_set_rate to 856MHZ, ctl_index 1
support 416 856 328 666 MHz, current 856MHz
OUT
Boot1 Release Time: May 29 2020 17:36:36, version: 1.26
CPUId = 0x0
ChipType = 0x10, 351
SdmmcInit=2 0
BootCapSize=100000
UserCapSize=7456MB
FwPartOffset=2000 , 100000
mmc0:cmd8,20
mmc0:cmd5,20
mmc0:cmd55,20
mmc0:cmd1,20
mmc0:cmd8,20
mmc0:cmd5,20
mmc0:cmd55,20
mmc0:cmd1,20
mmc0:cmd8,20
mmc0:cmd5,20
mmc0:cmd55,20
mmc0:cmd1,20
SdmmcInit=0 1
StorageInit ok = 69537
SecureMode = 0
SecureInit read PBA: 0x4
SecureInit read PBA: 0x404
SecureInit read PBA: 0x804
SecureInit read PBA: 0xc04
SecureInit read PBA: 0x1004
SecureInit read PBA: 0x1404
SecureInit read PBA: 0x1804
SecureInit read PBA: 0x1c04
SecureInit ret = 0, SecureMode = 0
atags_set_bootdev: ret:(0)
GPT 0x3335db8 signature is wrong
recovery gpt...
GPT 0x3335db8 signature is wrong
recovery gpt fail!
Trust Addr:0x4000, 0x58334c42
No find bl30.bin
Load uboot, ReadLba = 2000
Load OK, addr=0x200000, size=0x869bc
RunBL31 0x40000 @ 97359 us
\x01NOTICE:  BL31: v1.3(release):845ee93
NOTICE:  BL31: Built : 15:51:11, Jul 22 2020
NOTICE:  BL31: Rockchip release version: v1.1
INFO:    GICv3 with legacy support detected. ARM GICV3 driver initialized in EL3
INFO:    Using opteed sec cpu_context!
INFO:    boot cpu mask: 0
INFO:    plat_rockchip_pmu_init(1196): pd status 3e
INFO:    BL31: Initializing runtime services
INFO:    BL31: Initializing BL32
INF [0x0] TEE-CORE:init_primary_helper:337: Initializing (1.1.0-256-gebb61ff5 #4 Wed Apr 22 01:34:02 UTC 2020 aarch64)

INF [0x0] TEE-CORE:init_primary_helper:338: Release version: 1.2

INF [0x0] TEE-CORE:init_teecore:83: teecore inits done
INFO:    BL31: Preparing for EL3 exit to normal world
INFO:    Entry point address = 0x200000
INFO:    SPSR = 0x3c9
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0

[2N3055]

I'm not releasing it generally, but for those interested in the MXO44 lockup:
6:40 is when the problem starts.

Picoscopes have auto Baud detection.. Works quite well. Very useful for nonstandard rates.
Or confuse you when you program registers wrong and your baud rate is all funny...
You look at the screen and all the messages are there, but it is not received on the other side. Ask me how I know... 
My Keysight has baud rate measurement. So you measure it and then type it in by hand.

[2N3055]

The serial output is 1.5Mbaud and my terminal cature programs can't handle that data rate.
I was able to decode the text "Version" on my Keysight 3000 when manually set to 1.5Mbaud but I really need a PC capture to get the whole lot.
Need another option, maybe one of my PC based scopes.

Yes, Pico would handle it no problem.

[hans]

Just did the HDO1000 teardown, and 
It's EXACTLY the same PCB as the HDO4000, minus one ADC!
Yes, that means full 800MHz front end with 50ohm even though the software doesn't support it.
Absolutely minor production changes, but it's clear they intend to use idenitical boards and parts. The profit margin on the HDO4000 must be really something.

So in theory you could get a 4CH 800MHz bandwidth 12bit 2GS/s scope for US$999

Assuming of course.. the 800MHz "image" loaded onto the FPGA is going to ignore the missing 2nd ADC..
Because although technically 800MHz and 2GS/s is not aliasing.. it's very close to and I think I'd rather keep the bandwidth at 400MHz to have less noise.

I would place my bets at a 1700$ 4ch 800MHz 12-bit 4GS/s scope. Get a 4ch 1000$ model and a 2ch 700$ model. Move the ADC from 2ch to the 4ch board with a bit of hot air. Hack the firmware into thinking it's a HDO4k 800MHz. That's 3k$ "saved".
But in theory that sounds easy. As pointed out, maybe there is some analog path and digital bus de-skewing going on to have both ADCs sample properly for all channel configurations. If this is stored in some calibration ROM, that perhaps requires an intensive procedure to fix.
Also hot air reflowing on 1700$ worth of gear doesn't sound too attractive.. But the potential may be there if indeed both boards are identically BOM-loaded (except ADC), and/or it's possible to figure out what to change.

[hexpope]

Ooh, I haven't been excited for this since the release of the DS1000Z series scopes a few years back. 

[insine]

All those "\0\0\0\0\0\0\0\0" is probably when the second bootloader (u-boot) started and used a different baudrate. You may want to re-decode that part.

[EEVblog]

All those "\0\0\0\0\0\0\0\0" is probably when the second bootloader (u-boot) started and used a different baudrate. You may want to re-decode that part.

Never would have thought of that. It would really do that?

[2N3055]

Just did the HDO1000 teardown, and 
It's EXACTLY the same PCB as the HDO4000, minus one ADC!
Yes, that means full 800MHz front end with 50ohm even though the software doesn't support it.
Absolutely minor production changes, but it's clear they intend to use idenitical boards and parts. The profit margin on the HDO4000 must be really something.

So in theory you could get a 4CH 800MHz bandwidth 12bit 2GS/s scope for US$999

Assuming of course.. the 800MHz "image" loaded onto the FPGA is going to ignore the missing 2nd ADC..
Because although technically 800MHz and 2GS/s is not aliasing.. it's very close to and I think I'd rather keep the bandwidth at 400MHz to have less noise.

I would place my bets at a 1700$ 4ch 800MHz 12-bit 4GS/s scope. Get a 4ch 1000$ model and a 2ch 700$ model. Move the ADC from 2ch to the 4ch board with a bit of hot air. Hack the firmware into thinking it's a HDO4k 800MHz. That's 3k$ "saved".
But in theory that sounds easy. As pointed out, maybe there is some analog path and digital bus de-skewing going on to have both ADCs sample properly for all channel configurations. If this is stored in some calibration ROM, that perhaps requires an intensive procedure to fix.
Also hot air reflowing on 1700$ worth of gear doesn't sound too attractive.. But the potential may be there if indeed both boards are identically BOM-loaded (except ADC), and/or it's possible to figure out what to change.

If it is possible at all, I have no doubt someone will do it just to claim the fame. But that is way too expensive, risky and complicated for average user. 
DS1000Z was cheap to buy and then you generate license and voila. Beginners skill level for beginners that are buying that scope.

This would be buying 2 scopes for 6x times more money, then voiding warranty and potentially destroying both. I personally would really hesitate to buy a used "frankensteined" HDO like that... While any software based tiknering really is safe...

One more thing: in EU price for HDO1074 are 999€ without VAT. With VAT it is 1200€.
So HDO1074 is not sub 1000€ for a private user in EU. 
2 ch one is 830€ with VAT. Hacker special combination would be a tad over 2000€ with VAT..

I don't see this happening at any scale.

[ulwur]

So what does the second ADC actually do? If the PCB's are the same, and all the four channels are connected to the one ADC, what's the purpose of the other ADC?

[MegaVolt]

So what does the second ADC actually do? If the PCB's are the same, and all the four channels are connected to the one ADC, what's the purpose of the other ADC?

Interleaving?

[2N3055]

So what does the second ADC actually do? If the PCB's are the same, and all the four channels are connected to the one ADC, what's the purpose of the other ADC?

Interleaving?

Exactly..

[Fungus]

Assuming of course.. the 800MHz "image" loaded onto the FPGA is going to ignore the missing 2nd ADC..

That's where the "hack" would come into it - tweak the firmware to create a Frankenscope.