Author Topic: Hacking the Rigol DHO800/900 Scope  (Read 1357193 times)

Awp and 12 Guests are viewing this topic.

Offline akkk44

  • Contributor
  • Posts: 29
  • Country: cn
Re: Hacking the Rigol DHO800/900 Scope
« Reply #100 on: October 12, 2023, 03:10:52 am »
Some claim they managed to hack the oscilloscope on firmware version 01.00 but they refuse to share their practices. Nonetheless, I will document what they say about this subject as it may contain some useful clues.

1. They claim that the baseline drift was caused by an update on the calibration algorithm. The reference gain is different from the previous firmware.
2. They claim that they solve this issue by programming the FPGA.
3. boot.bin is involved in the process.

I don't know much about FPGA but as the boot.bin is located at \rigol\FPGA, I think it is the file to be used to program the FPGA.
It seems that there are also some scripts located at rigol\shell that describe the update process of the FPGA.

Obviously, I am not smart enough to piece all these together. Therefore, I provide all the information on my hand and hope someone better to come and save the day. :palm:
« Last Edit: October 12, 2023, 03:16:23 am by akkk44 »
 
The following users thanked this post: Serg65536

Offline dreamcat4

  • Frequent Contributor
  • **
  • Posts: 495
  • Country: gb
Re: Hacking the Rigol DHO800/900 Scope
« Reply #101 on: October 12, 2023, 05:35:54 am »
so it is a mismatch between the boot.bin fpga code and the rigol firmware causing this issue?

for example if the fpga code isnt gets triggered to be updated? or is trys gets updated (uploaded) and fails, thereby defaulting back to what was originally programmed in the factory? sorry i don't know how this fpga works here. if its reloaded into running memory every boot time. instead of being flashed. or can it be that once programmed, the running fpga code is then subsequently configured with some settings, things like this?

those hints sound credible though. as per reason for why
 

Offline iMo

  • Super Contributor
  • ***
  • Posts: 4882
  • Country: vc
Re: Hacking the Rigol DHO800/900 Scope
« Reply #102 on: October 12, 2023, 07:51:40 am »
The Zynq is Xilinx FPGA and it usually loads the "bitstream" upon power on from an external source (usually flash rom). I doubt somebody made changes to the bitstream of the FPGA as that is pretty difficult exercise (unless you are an insider).
Btw., I would not mess with the upgrade until at least 3 brave new (knowledgeable) users will do it successfully (and they confirm the process step by step).
« Last Edit: October 12, 2023, 07:53:14 am by iMo »
 
The following users thanked this post: Serg65536

Online tv84

  • Super Contributor
  • ***
  • Posts: 3251
  • Country: pt
Re: Hacking the Rigol DHO800/900 Scope
« Reply #103 on: October 12, 2023, 09:02:36 am »
The Zynq is Xilinx FPGA and it usually loads the "bitstream" upon power on from an external source (usually flash rom). I doubt somebody made changes to the bitstream of the FPGA as that is pretty difficult exercise (unless you are an insider).
Btw., I would not mess with the upgrade until at least 3 brave new (knowledgeable) users will do it successfully (and they confirm the process step by step).

You don't need 3 brave. 1 is enough as long as it is knowledgeable.  :)

About the bitstream, I don't believe there was any "patch" change. At most, what happened is a repackaging of the bitstream from another model. Even that is see to believe.

I don't need to remember that patching the bitstream is beyond "knowledgeable" user level.

Also, remember these scope's price is well within many user's budgets here. But, there are some for whom even this price has some punch.  Spearheading new unproven "push the envelope" efforts might result in unhappy faces...
 
The following users thanked this post: Martin72, akkk44

Offline dmulligan

  • Regular Contributor
  • *
  • Posts: 86
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #104 on: October 14, 2023, 02:22:17 pm »
Has anyone decompiled the APK files and started to make sense of them yet?  I've taken a look but being an Android development newb I am having trouble finding my way.  I have been trying to find out where the application talks to the hardware to try to determine how much work, such as math functions, is done in the application vs FPGA.

I won't have a scope in my hands for over a week and I hope that it will be easier to find my way in the code once I can use debug to watch it working.  Of course I'll also have to figure out how to get debug working too.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16801
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #105 on: October 16, 2023, 06:31:56 pm »
I just pulled the main .apk file out to have a fiddle with it. Can anybody recommend a free apk decompiler?

nb. I'm not an Android guy so I don't really know what I'm doing. (yet)

Edit: I put the .apk file here: http://www.artlum.com/pub/DHO/Sparrow.apk
« Last Edit: October 21, 2023, 10:00:29 am by Fungus »
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16801
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #106 on: October 21, 2023, 09:56:32 am »
How can I decrypt/encrypt vendor.bin files?

I'd like to diff them to see if features can be enabled selectively.
 

Offline dmulligan

  • Regular Contributor
  • *
  • Posts: 86
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #107 on: October 21, 2023, 01:15:07 pm »
How can I decrypt/encrypt vendor.bin files?

Does SoulDevelop's tool decrypt vendor.bin as part of its job?  Alternatively I think I read somewhere that the encryption is the same as previous Rigol models, maybe look to the 1000z tool to extract the decryption part.
 

Online ebastler

  • Super Contributor
  • ***
  • Posts: 6671
  • Country: de
Re: Hacking the Rigol DHO800/900 Scope
« Reply #108 on: October 21, 2023, 01:25:46 pm »
How can I decrypt/encrypt vendor.bin files?
I'd like to diff them to see if features can be enabled selectively.

@tv84 had posted a decrypted vendor.bin here, so he can probably help?

Also, the same post mentions a :VENDor:CONFigure SCPI command to change individual parameters in vendor.bin. Has anyone tried that? Can it be that easy?
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16801
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #109 on: October 21, 2023, 04:47:23 pm »
How can I decrypt/encrypt vendor.bin files?

Does SoulDevelop's tool decrypt vendor.bin as part of its job?  Alternatively I think I read somewhere that the encryption is the same as previous Rigol models, maybe look to the 1000z tool to extract the decryption part.

It's TEA encryption with a known key. Shouldn't be too difficult...
 

Offline Mechatrommer

  • Super Contributor
  • ***
  • Posts: 11700
  • Country: my
  • reassessing directives...
Re: Hacking the Rigol DHO800/900 Scope
« Reply #110 on: October 21, 2023, 11:35:07 pm »
On to Mech trying to upgrade his scope from DHO804 to DHO924 in the whole night... after reading carefully this thread, then creating full backup of original FW (DHO804 ver 00.01.00)...

doing upgrade by using souldevelop's tool https://www.eevblog.com/forum/testgear/hacking-the-rigol-dho800900-scope/msg5077957/#msg5077957 for ver 1.00 FW to DHO924 model, creating problem weird voltage vertical offset on all channels.

and then copying full image v1.14 from first post https://www.eevblog.com/forum/testgear/hacking-the-rigol-dho800900-scope/msg5074423/#msg5074423 , doing calibration at first also introduce some weirdness esp when trying to enter development mode and enable ADC gain, AFE zero during calibration. switching dso off, turn on again and calibrate in normal mode, now it seems ok... few issues with 804 -> 924 upgrade...

1) even though BW increased to 230MHz, but extra ringing on pulses (overshot on both UTG962's and Leo Bodnar's pulse shown below)

2) observing 200uV/div reveals some suspiciously low noise floor when plotted in FFT. upon close observation of a signal between 500uV/div and 200uV/div, i concluded, there some kind of averaging (boxcar or running average) going on at 200uV/div, from less dense spectral content on display, shown below.. cant complaint much for an extra feature.. (better something than nothing, if you dont like it, dont use it)

3) the DSO original serial number is lost (already saved in backup image), so lets wait until someone know how to decrypt-edit-encrypt back the vendor.bin

good thing is...

1) 50Mpts memory (10Mpts/ch if all channel enabled)
2) 230MHz BW (except ringy)
3) Bode plot menu appears, quick play with it, possibly it can be hacked by injecting external (middleman) signal?
4) Nice D (LA)and G (AWG) stickers at bottom screen next to channels button (that Fungus really hates)

fwiw...
« Last Edit: October 21, 2023, 11:49:22 pm by Mechatrommer »
Nature: Evolution and the Illusion of Randomness (Stephen L. Talbott): Its now indisputable that... organisms “expertise” contextualizes its genome, and its nonsense to say that these powers are under the control of the genome being contextualized - Barbara McClintock
 
The following users thanked this post: iMo

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16801
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #111 on: October 21, 2023, 11:48:00 pm »
On to Mech trying to upgrade his scope from DHO804 to DHO924 in the whole night... after reading carefully this thread, then creating full backup of original FW (DHO804 ver 00.01.00)...

You don't need too do any of that. Just replace vendor.bin using ADB, it takes a few seconds.


Fungus' quick guide to changing to a 924:

Download adb command line tools here: https://developer.android.com/tools/releases/platform-tools

(nb. You only need three files from that .zip file:  adb.exe and AdbWin*.dll)

Now do this:

adb connect 192.168.1.205:55555            (or whatever your IP address is)
adb pull /rigol/data/vendor.bin            (keep this file safe - it's your vendor.bin)

Download the HDO924 vendor.bin from here

adb push vendor.bin /rigol/data           (send the HDO924 vendor.bin to the 'scope)
adb reboot                                                (do NOT power cycle it, there seems to be a caching delay before the file is written to flash)

To switch it back just push your original vendor.bin
« Last Edit: October 21, 2023, 11:51:59 pm by Fungus »
 
The following users thanked this post: Houseman, iMo

Offline Mechatrommer

  • Super Contributor
  • ***
  • Posts: 11700
  • Country: my
  • reassessing directives...
Re: Hacking the Rigol DHO800/900 Scope
« Reply #112 on: October 21, 2023, 11:51:39 pm »
You don't need too do any of that. Just replace vendor.bin using ADB, it takes a few seconds....
i think that is what souldevelop's tool do earlier on my scope.. some DHO924's vendor.bin got pushed into DHO804 v00.01.00
« Last Edit: October 21, 2023, 11:54:56 pm by Mechatrommer »
Nature: Evolution and the Illusion of Randomness (Stephen L. Talbott): Its now indisputable that... organisms “expertise” contextualizes its genome, and its nonsense to say that these powers are under the control of the genome being contextualized - Barbara McClintock
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16801
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #113 on: October 21, 2023, 11:53:33 pm »
You don't need too do any of that. Just replace vendor.bin using ADB, it takes a few seconds....
i think that is what souldevelop's tool do earlier on my scope.. some DHO924 got pushed into DHO804 1.00

I prefer to do it manually.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16801
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #114 on: October 21, 2023, 11:57:25 pm »
Do you have the vendor.bin for a 924S ? (ie. With AWG)

I'm trying to collect vendor.bin files for all the different models. I have the 924 but not the 924S.

 

Offline Mechatrommer

  • Super Contributor
  • ***
  • Posts: 11700
  • Country: my
  • reassessing directives...
Re: Hacking the Rigol DHO800/900 Scope
« Reply #115 on: October 22, 2023, 12:48:15 am »
Do you have the vendor.bin for a 924S ? (ie. With AWG)
I'm trying to collect vendor.bin files for all the different models. I have the 924 but not the 924S.
i did full copy from OP, didnt you read? that means i'm using his vendor right now. i only have my DHO804 vendor.bin but its already in the 32GB image file.. takes time to extract if you interested. bed time now..

btw: i think one hint to crack vendor.bin is disassemble sparrow.apk or whoever apk read the file for serial and model display and find out what decryption scheme is used, or possibly by luck find encryption scheme too in there. if you just want to eyeball the difference of rjindael encrypted files content i believe you are going to have bad daysssss... thats alan turing's job at breaking enigma.
Nature: Evolution and the Illusion of Randomness (Stephen L. Talbott): Its now indisputable that... organisms “expertise” contextualizes its genome, and its nonsense to say that these powers are under the control of the genome being contextualized - Barbara McClintock
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16801
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #116 on: October 22, 2023, 12:51:40 am »
Do you have the vendor.bin for a 924S ? (ie. With AWG)
I'm trying to collect vendor.bin files for all the different models. I have the 924 but not the 924S.
i did full copy from OP, didnt you read? that means i'm using his vendor right now. i only have my DHO804 vendor.bin but its already in the 32GB image file.. takes time to extract if you interested. bed time now..

Yeah, I read. Could you pull the 924S vendor.bin using ADB now you have his image installed? It only takes a second, see instructions above.

Once you have vendor.bin files you'll never need to do the SD card imaging thing again. eg. You could switch back to your original 804 over Ethernet in not much more than the time it takes to reboot.

btw: i think one hint to crack vendor.bin is disassemble sparrow.apk or whoever apk read the file for serial and model display and find out what decryption scheme is used, or possibly by luck find encryption scheme too in there.

I think it's TEA encryption with the standard Rigol key but I haven't had time to play yet.

(ie. It's more obfuscation than encryption...)

I have sparrow.apk decompiled but most of the low level functions are in a ".so" file so there's no source code for me to read.
« Last Edit: October 22, 2023, 12:55:44 am by Fungus »
 

Offline Houseman

  • Regular Contributor
  • *
  • Posts: 176
  • Country: it
Re: Hacking the Rigol DHO800/900 Scope
« Reply #117 on: October 22, 2023, 07:47:14 am »
Hi. Thanks for all for the effort.
So after reading all the posts I have sincerely not understood if the tool provided is definitely able to upgrade the Rigol without the calibration problem. As far as I have understood it has still some minor things lneed to be corrected (GPIO pin model assignment) . Is the tool ready or will be there more version? Thank you all.
 

Offline Mechatrommer

  • Super Contributor
  • ***
  • Posts: 11700
  • Country: my
  • reassessing directives...
Re: Hacking the Rigol DHO800/900 Scope
« Reply #118 on: October 22, 2023, 09:03:04 am »
Hi. Thanks for all for the effort.
So after reading all the posts I have sincerely not understood if the tool provided is definitely able to upgrade the Rigol without the calibration problem. As far as I have understood it has still some minor things lneed to be corrected (GPIO pin model assignment) . Is the tool ready or will be there more version? Thank you all.
from what i understand reading the thread... and doing the upgrade last night with no-hassle-free process. souldevelop's tool is to automate adb's job at uploading vendor.bin file into android operating system in the dso's sd card. adb tool is generic (manual command line) tool for android system debugging, its like remote control pc tool. it can send command to android OS, upload and download files etc. otoh the image file (600-800MB compressed, 32GB expanded) in OP is the whole operating system ver1.14 if you want to write to your sd card using hdd raw copy tool in PC... its preloaded with DHO924S verdor.bin "signature" so you dont have to use souldevelop's tool nor adb to change anything. just copy, run and calibrate.

currently DHO800 batch in market comes with ver1.00 and it has issues with calibrating DHO800 HW for DHO900 model. but earlier ver1.14 android has no issue or can be worked to calibrate. so if your DHO800 already has OS ver1.14 in it, you can just use souldevelop's tool to switch back and forth verdor.bin file in and out of your DHO. but if you have ver1.00 OS in your DSO, i think you need to full copy the image file in OP first into sd card. i have suspicion that ver1.00 is newer updated and more fine tuned calibration algorithm, so if you dont want to miss out its new feature, dont upgrade to DHO900, just upgrade to DHO814 using souldevelop's tool.

if i know android system and am an apk developer, i would like to construct the whole android file structure in sandbox folder in my PC, try to study it, put a usefull apk tool for the DSO like Azusa did put game in https://www.eevblog.com/forum/testgear/rigols-new-dho800-oscilloscope-unbox-teardown/msg4981042/#msg4981042 and also try to find how vendor.bin is read, decrypted and encrypted so we can edit it in plain text, put DHO924 model in it, our original serial number, encrypt it back and put in DSO. unfortunately i'm not apk developer, so let young people do the job. we can only benefit from their hardwork right now.
Nature: Evolution and the Illusion of Randomness (Stephen L. Talbott): Its now indisputable that... organisms “expertise” contextualizes its genome, and its nonsense to say that these powers are under the control of the genome being contextualized - Barbara McClintock
 
The following users thanked this post: Houseman

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16801
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #119 on: October 22, 2023, 10:16:14 am »
you dont have to use souldevelop's tool nor adb to change anything. just copy, run and calibrate.

So long as you don't mind opening it up and unglueing the SD card...  :popcorn:

The ADB method can be done in two minutes without opening anything up and is completely reversible (so long as you keep your vendor.bin safe).

I had no calibration problems with the latest 01.01.19 firmware.

Here's my 804 thinking it's a 924:


This was my rise time measurement:

« Last Edit: October 22, 2023, 10:17:53 am by Fungus »
 
The following users thanked this post: 2N3055, iMo, Martin72

Offline UK

  • Regular Contributor
  • *
  • Posts: 77
  • Country: ma
Re: Hacking the Rigol DHO800/900 Scope
« Reply #120 on: October 22, 2023, 01:04:29 pm »
The ADB method can be done in two minutes without opening anything up and is completely reversible (so long as you keep your vendor.bin safe).

What about the possible simple hack/mod to limit or raise BW just by swapping SD cards without opening the unit chassis (of course you have to open it once).
That can be done with this neat SD card extender and attached to the backside with regular double-sided tape.
 
The following users thanked this post: iMo

Offline Mechatrommer

  • Super Contributor
  • ***
  • Posts: 11700
  • Country: my
  • reassessing directives...
Re: Hacking the Rigol DHO800/900 Scope
« Reply #121 on: October 22, 2023, 02:12:08 pm »
you dont have to use souldevelop's tool nor adb to change anything. just copy, run and calibrate.
So long as you don't mind opening it up and unglueing the SD card...  :popcorn:
mine is not glued, it is taped which can easily be untaped and retaped. unglueing and tearing down is our play thing, its even the mission/motto of this forum ;) here attached step by step guide on doing backup your sd SW and HW (please note how i store the original card without needing external dedicated space for it (d.jpg) ;D now running from another sd card, its cheap nowadays...

I had no calibration problems with the latest 01.01.19 firmware.
ok now we have newer than v1.00? where can i get it?
Nature: Evolution and the Illusion of Randomness (Stephen L. Talbott): Its now indisputable that... organisms “expertise” contextualizes its genome, and its nonsense to say that these powers are under the control of the genome being contextualized - Barbara McClintock
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16801
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #122 on: October 22, 2023, 03:11:33 pm »
The ADB method can be done in two minutes without opening anything up and is completely reversible (so long as you keep your vendor.bin safe).
What about the possible simple hack/mod to limit or raise BW just by swapping SD cards without opening the unit chassis (of course you have to open it once).
That can be done with this neat SD card extender and attached to the backside with regular double-sided tape.

I guess that would work.  :-//

Still takes time to prepare all the SD cards though, and you have to own a pile of them.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16801
  • Country: 00
 
The following users thanked this post: Mechatrommer

Online Martin72

  • Super Contributor
  • ***
  • Posts: 6084
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol DHO800/900 Scope
« Reply #124 on: October 22, 2023, 03:29:08 pm »
Hi,

The "ADB Method":

When I run adb connect 192.XXXXXXX after a while the message "failed to connect 192.XXXXXXXX" appears.
When I try it again, message "already conneted to 192.XXXXXXXX" appears.
But when I type the command for getting the data from the rigol the message "device is offline" appears - although it´s not...


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf