Hacking the HDO1k/HDO4k Rigol 12 bit scope

[core]

I have H/W 2, but maybe this version number is also related to the configuration: Mine is a 4-channel model (DHO1074), yours as well (I assume...) but ZhuraYuk's is a DHO1072.

Indeed, I have DHO1074. And about the same batch like yours : build : 2022/12/14, calibration date : 2023/3/28.
I will wait a while before to break the seal and see if I have the same mods inside. Or I will try to remove the seal gentile ...

[core]

Before and after the BW expanded 70 -> 200MHz.

DHO 1074, mem depth : auto, 50Ohm external terminator.

Signal source : Siglent SDG2042X "improved", 1Vpp, sinewave, 120MHz.

[ZhuraYuk]

Need more people with DHO1072 to report their hardware version.  It is interesting if later hardware versions have this factory rework done.

[dc_in_sf]

Got my 1074 yesterday, updated to FW 2.12 and unlocked the upgrades with the tool with no issues.

I was playing with the fan control and noticed that you can now set it to a floor of 10 (out 255) vs the reported earlier values of ~50, at least with FW 2.12.

With the fan control set to 10, it seems to have stabilized at temp of ~57C with the room at an ambient temp of 20C. I don't have any handy noise level measurement tools but would describe it as a heck of lot more pleasant than the full speed Jet engine that it was running at previously.

Have thrown together an external script to monitor and control (via adb.exe) the fan speed based on temperature but need to do a bit more research on the best way to map temp->speed.

[skander36]

...
 you can now set it to a floor of 10 (out 255) vs the reported earlier values of ~50, at least with FW 2.12.
...

It can be set even to 0, but I didn't seen a valuable improvement under 50.   

[dc_in_sf]

...
 you can now set it to a floor of 10 (out 255) vs the reported earlier values of ~50, at least with FW 2.12.
...

It can be set even to 0, but I didn't seen a valuable improvement under 50.

Huh that is weird, I did a bunch of testing and when I was setting it to <10 it was staying on 10, but just retested it and you are correct.

Probably the shenanigans I was using to set the values through a script were at fault.

[ebastler]

Have thrown together an external script to monitor and control (via adb.exe) the fan speed based on temperature

Wasn't there supposed to be a temperature-controlled PWM feedback already in place in the firmware, but unused or non-working? I can't find the details though, might be recalling this incorrectly?

[zrq]

So hacking for 50 Ohm path on HDO1k series is certainly possible (to some extent). I did a frida hook of
Module.getExportByName("libscope-auklet.so", "_Z20API_GetProductSeriesv")
to convince it to always return 4000. In this case, although I still cannot turn on the 50 Ohm path via the UI, it accepts SCPI command :CHANnel1:IMPedance FIFT .
The acquisition seems to be running fine, but there is a vertical range dependent offset. Probably this signal path is not included in the 1k series SPC.

Even the 500Mpts memory seems possible by hooking _Z22API_GetMaxRecordLengthv to return 12.
Now the question is what's the most elegant way of implementing the hacks.

(be careful when trying to patch the apk. I temporarily bricked my scope by unsuccessfully uninstalling the original com.rigol.scope, which have to be reinstalled by adb. It seems the /system partition is not writable, so replacing the apk needs a bit more hack to be figured out.)

[tv84]

Now the question is what's the most elegant way of implementing the hacks.

Isn't it with the model change?

[zrq]

Now the question is what's the most elegant way of implementing the hacks.

Isn't it with the model change?

From what I understand from other posts, changing model to 4k series will cause problems in acquisition, as the 1k series lack the other ADC chip. 2k maybe, but it will not provide 500Mpts. What I'm trying to achieve is to get as much features as possible while keeping loading the 1k series FPGA bit stream.

[skander36]

...
but it will not provide 500Mpts.
...

Actually the scope display 500 Mpts, but I don't know a method to validate this. When the 500 Mpts is selcted manually, the waveform update became slowly , much more than from the 10k to 100 Mpts. So there is a relation and an effect  between memory quantity that is selected.
https://youtu.be/873r9loUwuI

[ebastler]

Actually the scope display 500 Mpts

That's in "DHO4000 mode", right? (Your video shows that the scope assumes to sample at 4 GSa/s too.) But zrq was referring to the DHO2000 mode as a potential compromise -- which would however not provide the 500 MPts memory.

Unfortunately we can conclude from TurboTom's experiments (posted in this thread a few days ago) that the DHO2000 mode is not useful at all, since it was apparently abandoned before being developed to full functionality.

[skander36]

Actually the scope display 500 Mpts

That's in "DHO4000 mode", right? (Your video shows that the scope assumes to sample at 4 GSa/s too.) But zrq was referring to the DHO2000 mode as a potential compromise -- which would however not provide the 500 MPts memory.

Unfortunately we can conclude from TurboTom's experiments (posted in this thread a few days ago) that the DHO2000 mode is not useful at all, since it was apparently abandoned before being developed to full functionality.

I see that is write "changing model to 4k series" not 2K ... If he was refered to 2K series then yes 500 mpts may not show as we don't know nothing about, just assumptions ...

[ebastler]

2k maybe, but it will not provide 500Mpts.

[TurboTom]

I wouldn't bet on a functional 500Mpts without the second ADC. I've got the impression that accessing the "full" available memory requires parallel data streams from both ADCs and the dho4000 FPGA configuration. I'ld be happy to be proven wrong, but 100MPts at 2MSa/s are still not bad. The 50 Ohms and maybe some of the advanced decoders and the power analysis would be much more attractive to have.

Whatsoever, the current excitement regarding Siglent's low-end 12 bit scopes may hopefully motivate Rigol to provide some add-ons in future firmware updates...

[skander36]

I wouldn't bet on a functional 500Mpts without the second ADC. I've got the impression that accessing the "full" available memory requires parallel data streams from both ADCs and the dho4000 FPGA configuration. I'ld be happy to be proven wrong, but 100MPts at 2MSa/s are still not bad. The 50 Ohms and maybe some of the advanced decoders and the power analysis would be much more attractive to have.

Whatsoever, the current excitement regarding Siglent's low-end 12 bit scopes may hopefully motivate Rigol to provide some add-ons in future firmware updates...

Agree, and at least in case of 50 ohm input they not only that put it inside the relay, but they already made inscription outside 
They can also improve these scopes further in Siglent style, bringing Bode plot app from DHO 900 series and implement a software command for external AWG's (RIGOL at least).
Due to the HW, DHO 1000 can succesfully compete with SDS 1000X HD if they would be willing to do software improvements.

[Antonio90]

I wouldn't bet on a functional 500Mpts without the second ADC. I've got the impression that accessing the "full" available memory requires parallel data streams from both ADCs and the dho4000 FPGA configuration. I'ld be happy to be proven wrong, but 100MPts at 2MSa/s are still not bad. The 50 Ohms and maybe some of the advanced decoders and the power analysis would be much more attractive to have.

Whatsoever, the current excitement regarding Siglent's low-end 12 bit scopes may hopefully motivate Rigol to provide some add-ons in future firmware updates...

Agree, and at least in case of 50 ohm input they not only that put it inside the relay, but they already made inscription outside 
They can also improve these scopes further in Siglent style, bringing Bode plot app from DHO 900 series and implement a software command for external AWG's (RIGOL at least).
Due to the HW, DHO 1000 can succesfully compete with SDS 1000X HD if they would be willing to do software improvements.

Indeed, hardware-wise it's up to par, if not better. The problem is the software platform, which is new in Rigol (completely new) and quite mature in Siglent, as it started with mid-range scopes like the 2000 and 6000 series.
If Rigol stays with this Android software platform long enough it can become pretty good, but it will most likely take quite some time.

[zrq]

So hacking for 50 Ohm path on HDO1k series is certainly possible (to some extent). I did a frida hook of
Module.getExportByName("libscope-auklet.so", "_Z20API_GetProductSeriesv")
to convince it to always return 4000. In this case, although I still cannot turn on the 50 Ohm path via the UI, it accepts SCPI command :CHANnel1:IMPedance FIFT .
The acquisition seems to be running fine, but there is a vertical range dependent offset. Probably this signal path is not included in the 1k series SPC.

Even the 500Mpts memory seems possible by hooking _Z22API_GetMaxRecordLengthv to return 12.
Now the question is what's the most elegant way of implementing the hacks.

(be careful when trying to patch the apk. I temporarily bricked my scope by unsuccessfully uninstalling the original com.rigol.scope, which have to be reinstalled by adb. It seems the /system partition is not writable, so replacing the apk needs a bit more hack to be figured out.)

Could someone help me find out how to safely replace the Auklet.apk with a patched version? It's simple to make an apk with the said hacks (and I have one already). But I'm not familiar with Android internals and can't get it to install and replace the original version (and also dare not bricking the scope as I don't know how to recover from it if somehow the adb connection can be lost).
My problem is when doing pm uninstall com.rigol.scope, either with or without --user 0, either with or without remounting /system as rw, I always get DELETE_FAILED_INTERNAL_ERROR, but somehow something got deleted. And then I get the signature conflict when pushing the patched apk as apparently the uninstall is not successful.

[thm_w]

Could someone help me find out how to safely replace the Auklet.apk with a patched version? It's simple to make an apk with the said hacks (and I have one already). But I'm not familiar with Android internals and can't get it to install and replace the original version (and also dare not bricking the scope as I don't know how to recover from it if somehow the adb connection can be lost).
My problem is when doing pm uninstall com.rigol.scope, either with or without --user 0, either with or without remounting /system as rw, I always get DELETE_FAILED_INTERNAL_ERROR, but somehow something got deleted. And then I get the signature conflict when pushing the patched apk as apparently the uninstall is not successful.

Would it be easier, for initial development, to install the modified APK with another name in parallel and run it using a launcher?
From the DHO800 thread: https://www.eevblog.com/forum/testgear/hacking-the-rigol-dho800900-scope/msg5209788/#msg5209788

Unsure how hard it is to change the name of the app though. Some ideas here: https://stackoverflow.com/questions/13583511/how-to-install-two-instances-by-one-apk

edit: is it possible to just rename Auklet.apk and replace with your copy? I tried renaming help.apk and it worked:

Code: [Select]

adb connect 192.168.1.x:55555
adb root
adb shell mv /rigol/app/help.apk /rigol/app/help1.apk
adb shell mv /rigol/app/help1.apk /rigol/app/help.apk

do a adb pull to back up everything before you modify. You might have to close the app first.

[bosav]

Looked over the code Auklet.apk file - it looks like many features can be unlocked by patching it (would assume it is likely that checks are only in scope UI).

The apk can be decompiled/compiled back, after patching, using Apktool(https://github.com/iBotPeaches/Apktool)
Also, to get it in a bit more readable format while figuring out what to patch - JADX(https://github.com/skylot/jadx) can be useful, allowing decompiling most of the code to Java.


Found hidden "Test Mode" feature in Utility window: if to click "About" item 3 times - "Test Mode" will be activated, displaying some additional items and settings.

Found a bunch of checks for product series, disabling features(version 00.02.12):

50Ω input:

Code: (diff) [Select]

diff --git a/apps/Auklet/smali/com/rigol/scope/adapters/UtilityCalibrationAdapter.smali b/apps/Auklet/smali/com/rigol/scope/adapters/UtilityCalibrationAdapter.smali
index f882a229..8a755fec 100644
--- a/apps/Auklet/smali/com/rigol/scope/adapters/UtilityCalibrationAdapter.smali
+++ b/apps/Auklet/smali/com/rigol/scope/adapters/UtilityCalibrationAdapter.smali
@@ -300,7 +300,9 @@

     const/16 v0, 0x9

-    if-ne p0, v0, :cond_2
+    # if-ne p0, v0, :cond_2
+    # do not disable 50Ω in calibration menu
+    goto :cond_2

     return v1

diff --git a/apps/Auklet/smali/com/rigol/scope/adapters/VerticalViewPagerAdapter.smali b/apps/Auklet/smali/com/rigol/scope/adapters/VerticalViewPagerAdapt
er.smali
index 4028b35a..dbd9f4d4 100644
--- a/apps/Auklet/smali/com/rigol/scope/adapters/VerticalViewPagerAdapter.smali
+++ b/apps/Auklet/smali/com/rigol/scope/adapters/VerticalViewPagerAdapter.smali
@@ -1212,7 +1212,8 @@

     iget v0, v0, Lcom/rigol/scope/cil/ServiceEnum$ProductSeries;->value1:I

-    if-eq p1, v0, :cond_21
+    # do not ignore click on 50Ω image view
+    # if-eq p1, v0, :cond_21

     .line 385
     iget-object p1, p0, Lcom/rigol/scope/adapters/VerticalViewPagerAdapter;->param:Lcom/rigol/scope/data/VerticalParam;
@@ -1292,7 +1293,8 @@

     iget v0, v0, Lcom/rigol/scope/cil/ServiceEnum$ProductSeries;->value1:I

-    if-eq p1, v0, :cond_21
+    # do not ignore click on 50Ω image view
+    # if-eq p1, v0, :cond_21

     .line 397
     iget-object p1, p0, Lcom/rigol/scope/adapters/VerticalViewPagerAdapter;->param:Lcom/rigol/scope/data/VerticalParam;
diff --git a/apps/Auklet/smali_classes2/com/rigol/scope/databinding/AdapterItemPopupviewVerticalBindingImpl.smali b/apps/Auklet/smali_classes2/com/rigol/scope/databinding/AdapterItemPopupviewVerticalBindingImpl.smali
index ca3529f8..96fd143f 100644
--- a/apps/Auklet/smali_classes2/com/rigol/scope/databinding/AdapterItemPopupviewVerticalBindingImpl.smali
+++ b/apps/Auklet/smali_classes2/com/rigol/scope/databinding/AdapterItemPopupviewVerticalBindingImpl.smali
@@ -2282,7 +2282,9 @@

     iget v14, v14, Lcom/rigol/scope/cil/ServiceEnum$ProductSeries;->value1:I

-    if-ne v13, v14, :cond_0
+    # do not hide impedance switch
+    # if-ne v13, v14, :cond_0
+    goto :cond_0

     move v13, v11

SPI trigger on "When timeout" (weirdly, while it is disabled - the user guide for DHO1000 says it should be available, explaining how to use that)

Code: (diff) [Select]

diff --git a/apps/Auklet/smali_classes2/com/rigol/scope/databinding/AdapterTriggerSpiBindingImpl.smali b/apps/Auklet/smali_classes2/com/rigol/scope/databinding/AdapterTriggerSpiBindingImpl.smali
index 8e510be8..e87b0946 100644
--- a/apps/Auklet/smali_classes2/com/rigol/scope/databinding/AdapterTriggerSpiBindingImpl.smali
+++ b/apps/Auklet/smali_classes2/com/rigol/scope/databinding/AdapterTriggerSpiBindingImpl.smali
@@ -1945,7 +1945,8 @@

     iget v15, v15, Lcom/rigol/scope/cil/ServiceEnum$ProductSeries;->value1:I

-    if-eq v14, v15, :cond_0
+    # do not disable SPI trigger "when timeout"
+    # if-eq v14, v15, :cond_0

     const/4 v14, 0x1

Power analysis (UPA item in navigation menus)

Code: (diff) [Select]

diff --git a/apps/Auklet/smali_classes2/com/rigol/scope/views/analyse/AnalysePopupView.smali b/apps/Auklet/smali_classes2/com/rigol/scope/views/analyse/AnalysePopupView.smali
index 5c09a3b2..a159d702 100644
--- a/apps/Auklet/smali_classes2/com/rigol/scope/views/analyse/AnalysePopupView.smali
+++ b/apps/Auklet/smali_classes2/com/rigol/scope/views/analyse/AnalysePopupView.smali
@@ -84,10 +84,12 @@
     if-le v2, v3, :cond_0

     .line 67
-    invoke-interface {v1, v3}, Ljava/util/List;->remove(I)Ljava/lang/Object;
+    # do not remove UPA menu item
+    #invoke-interface {v1, v3}, Ljava/util/List;->remove(I)Ljava/lang/Object;

     .line 68
-    invoke-interface {v0, v3}, Ljava/util/List;->remove(I)Ljava/lang/Object;
+    # do not remove UPA menu item
+    #invoke-interface {v0, v3}, Ljava/util/List;->remove(I)Ljava/lang/Object;

     .line 71
     :cond_0
diff --git a/apps/Auklet/smali_classes2/com/rigol/scope/views/startMenu/StartMenuPopupView.smali b/apps/Auklet/smali_classes2/com/rigol/scope/views/startMenu/StartMenuPopupView.smali
index 767e1da2..09c09d2a 100644
--- a/apps/Auklet/smali_classes2/com/rigol/scope/views/startMenu/StartMenuPopupView.smali
+++ b/apps/Auklet/smali_classes2/com/rigol/scope/views/startMenu/StartMenuPopupView.smali
@@ -99,7 +99,8 @@
     const/16 v2, 0x9

     .line 83
-    invoke-interface {v1, v2}, Ljava/util/List;->remove(I)Ljava/lang/Object;
+    # do not remove UPA menu item
+    # invoke-interface {v1, v2}, Ljava/util/List;->remove(I)Ljava/lang/Object;

     .line 86
     :cond_1

Also, there is similar logic around Memory depth in "com/rigol/scope/utilities/ViewUtil" -- might be possible to expand it up 500M:

Code: (java) [Select]

if (UI_QueryInt322 == ServiceEnum.ProductSeries.SERIES_1000.value1) {
    i3 = ServiceEnum.AcquireDepth.Acquire_Depth_100M.value1;
    if (UI_QueryInt323 == ServiceEnum.SampleMode.DUAL_SAMPLE_MODE.value1) {
        i3 = ServiceEnum.AcquireDepth.Acquire_Depth_50M.value1;
    } else if (UI_QueryInt323 == ServiceEnum.SampleMode.QUAD_SAMPLE_MODE.value1) {
        i3 = ServiceEnum.AcquireDepth.Acquire_Depth_25M.value1;
    }
} else if (UI_QueryInt322 == ServiceEnum.ProductSeries.SERIES_2000.value1) {
    i3 = ServiceEnum.AcquireDepth.Acquire_Depth_200M.value1;
    if (UI_QueryInt323 == ServiceEnum.SampleMode.DUAL_SAMPLE_MODE.value1) {
        i3 = ServiceEnum.AcquireDepth.Acquire_Depth_100M.value1;
    } else if (UI_QueryInt323 == ServiceEnum.SampleMode.QUAD_SAMPLE_MODE.value1) {
        i3 = ServiceEnum.AcquireDepth.Acquire_Depth_50M.value1;
    }
} else if (UI_QueryInt322 == ServiceEnum.ProductSeries.SERIES_4000.value1) {
    i3 = ServiceEnum.AcquireDepth.Acquire_Depth_500M.value1;
    if (UI_QueryInt323 == ServiceEnum.SampleMode.DUAL_SAMPLE_MODE.value1) {
        i3 = ServiceEnum.AcquireDepth.Acquire_Depth_250M.value1;
    } else if (UI_QueryInt323 == ServiceEnum.SampleMode.QUAD_SAMPLE_MODE.value1) {
        i3 = ServiceEnum.AcquireDepth.Acquire_Depth_125M.value1;
    }
}

I was not patching this one (it might take some time to figure out all the parts in smali file) - but should be not hard as well.

---

However, I have not tested any of these, because of the mentioned signature checks…

Could someone help me find out how to safely replace the Auklet.apk with a patched version? It's simple to make an apk with the said hacks (and I have one already). But I'm not familiar with Android internals and can't get it to install and replace the original version (and also dare not bricking the scope as I don't know how to recover from it if somehow the adb connection can be lost).
My problem is when doing pm uninstall com.rigol.scope, either with or without --user 0, either with or without remounting /system as rw, I always get DELETE_FAILED_INTERNAL_ERROR, but somehow something got deleted. And then I get the signature conflict when pushing the patched apk as apparently the uninstall is not successful.

Not sure about a safe way to make that would work.
Btw the moment you log in as a root in adb - it is already pretty unsafe.

About options possible to try:

 - apktool apparently also allows repackaging the app using a different package name - with some modifications to the app manifest XML (shared user, exposed services, etc), it might be possible to install the patched app separately  -- this should be very safe, if that works
 - disabling signature check - with the root that also should be possible, and there are tools for that, however, never used any of them
 - in adb root shell it might be possible to remove the system scope application (the one that can not easily be uninstalled) -- but, I am not sure if this safe, likely not

[TurboTom]

It's interesting to see that there are memory options for 125MSa and 250MSa -- and 200MSa for the HDO2000 configuration as well, it may be possible to use the latter with a single ADC in case 500MSa won't work.

[zrq]

The signature checks are very annoying, now getting this for modified package name.

Code: [Select]

Failure [INSTALL_FAILED_SHARED_USER_INCOMPATIBLE: Package couldn't be installed in /data/app/com.riglol.scope-1: Package com.riglol.scope has no signatures that match those in shared user android.uid.system; ignoring!]

https://stackoverflow.com/questions/17222535/create-system-application

Update: I made it! repacking the patched apk with a changed package name (also changed provider names) in the manifest, then also change the android:sharedUserId="org.riglol" rather the system uid, repack and resign, adb push install and then it should work! just note that you need to use
am start -n com.riglol.scope/com.rigol.scope.MainActivity
to invoke the correct activity after changing the package name.
50 Ohm with UI, 500Mpts memory and all the advanced decoding seems available!
There is even some weird mechanism to let the scope start the patched app instead of the normal scope app by default on the next boot,  , so it can be a untethered hack.

I'd like to post more details, but not tonight, I need sleep for tomorrow's day job.

[thm_w]

Found hidden "Test Mode" feature in Utility window: if to click "About" item 3 times - "Test Mode" will be activated, displaying some additional items and settings.

This was found on the DHO800, though 1000 may have more features than on that one. What I saw:
- HDMI resolution can be adjusted
- Self-cal lets you choose what to calibrate (50R is greyed out so we probably need that added to the code mods), and offers Default/User/Export options (they seem to do nothing, maybe some other debug requirement is not met)
- A Debug menu is added to Utility with: XY advanced options, ADC clock, DDR, ADC Ser, Logcat

ADC clock setting is interesting, some sort of adjustment for each channel and each ADC:


DDR: text in chinese only, address, length, name, file path, load. Some sort of memory test/loader.
ADC Ser: for each ADC channel, TCMP 0 to 4, TDMX on or off, "save" button (? doesn't seem to do anything)
Logcat: logging with a filter textbox, buttons are "refresh" and "save" on the right side.

Also, there is similar logic around Memory depth in "com/rigol/scope/utilities/ViewUtil" -- might be possible to expand it up 500M:

They have the DS70000 and DS8000 8-bit scopes in here as well:

Code: [Select]

} else if (UI_QueryInt32 == ServiceEnum.ProductDomain.DOMAIN_DSO.value1) {
                i3 = ServiceEnum.AcquireDepth.Acquire_Depth_1G.value1;
                if (readShowDepth && UI_QueryInt322 == ServiceEnum.ProductSeries.SERIES_70000.value1) {
                    i3 = ServiceEnum.AcquireDepth.Acquire_Depth_2G.value1;
                }
            } else if (UI_QueryInt32 == ServiceEnum.ProductDomain.DOMAIN_MSO.value1 && UI_QueryInt322 == ServiceEnum.ProductSeries.SERIES_8000.value1) {
                i3 = ServiceEnum.AcquireDepth.Acquire_Depth_500M.value1;
So the question is whats in here vs what is set in the FPGA code, since the DHO4000 FPGA code can't be used as-is, probably.

Update: I made it! repacking the patched apk with a changed package name (also changed provider names) in the manifest, then also change the android:sharedUserId="org.riglol" rather the system uid, repack and resign, adb push install and then it should work! just note that you need to use
am start -n com.riglol.scope/com.rigol.scope.MainActivity
to invoke the correct activity after changing the package name.
50 Ohm with UI, 500Mpts memory and all the advanced decoding seems available!
There is even some weird mechanism to let the scope start the patched app instead of the normal scope app by default on the next boot,  , so it can be a untethered hack.

I'd like to post more details, but not tonight, I need sleep for tomorrow's day job.

Take your time to get good sleep.
I was going to offer a $100 hack bounty, I guess its yours if you want it once finished.

[ebastler]

50 Ohm with UI, 500Mpts memory and all the advanced decoding seems available!

Wow! That is impressive work, congratulations! 

So the only thing left on the wishlist would be offset calibration for the 50 Ohm path?

Edit: Seems that bosav has already found where a code change is required to allow 50 Ohm calibration to be enabled in the Advanced/Debug settings; maybe that's enough? https://www.eevblog.com/forum/testgear/hacking-the-hdo1khdo4k-rigol-12-bit-scope/msg5218437/#msg5218437

[zrq]

50 Ohm with UI, 500Mpts memory and all the advanced decoding seems available!

Wow! That is impressive work, congratulations! 

So the only thing left on the wishlist would be offset calibration for the 50 Ohm path?

Edit: Seems that bosav has already found where a code change is required to allow 50 Ohm calibration to be enabled in the Advanced/Debug settings; maybe that's enough? https://www.eevblog.com/forum/testgear/hacking-the-hdo1khdo4k-rigol-12-bit-scope/msg5218437/#msg5218437

Unfortunately, I tried running the SPC (I can see the 50 Ohm is selected by default after enabling the engineering mode in the SPC menu) after the hack, the baseline shift is still there. Wait, I just tried the default SPC again, and seemingly the offset is gone ??
Another undesirable side effect is after the _Z20API_GetProductSeriesv patch, the bandwidth options are no longer accepted. I tried all different combinations but none of them worked. It should be easy to patch though.

The 500 Mpts doesn't seem to work. There is always a glitch on the waveform, likely caused by corruption of memory, but 250Mpts seems to look fine. (uninstall the RLU option to avoid using the nonexistent memory).