Author Topic: Hacking the Rigol DHO800/900 Scope  (Read 1670681 times)


Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 710
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1025 on: January 26, 2024, 06:59:22 pm »
Here is the GitHub Repo with the "Android-Keys" program I used to discover the keycodes.

https://github.com/stephenhouser/Android-Keys
Just for clarity, keyboard keys, and not "keys" used for lics.
Cool. Thanks.
 

Offline 0xACE

  • Newbie
  • Posts: 7
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1026 on: January 26, 2024, 07:37:52 pm »
Yes! Keyboard keycodes, not license keys.
 
The following users thanked this post: AceyTech

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 194
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1027 on: January 26, 2024, 08:02:30 pm »
Here is the GitHub Repo with the "Android-Keys" program I used to discover the keycodes.

https://github.com/stephenhouser/Android-Keys
Just for clarity, keyboard keys, and not "keys" used for lics.
Cool. Thanks.
Usually, GitHub projects have a readme when you click the link, that tells what it's for.

Here is the GitHub Repo with the "Android-Keys" program I used to discover the keycodes.
@0xACE Thanks for sharing the link.  Saved me having to ask.  8)
« Last Edit: January 26, 2024, 10:11:33 pm by AceyTech »
 

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 194
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1028 on: January 26, 2024, 08:10:50 pm »
With all the hacking stuff, I think I will try to P-V the dho804, then get that to load into vmware workstation.
Or, install the same droid OS in VMware, then copy over all the additional Rigol stuff from the dho into the guest droid OS.
Will make poking around much easier.

Has anyone booted the DHO from a bootable USB stick?

Please keep us apprised of your progress.  I'm really interested in USB booting, especially regarding boot speed, etc. and virtualization might be a nice environment to experiment in.
 

Offline cte

  • Contributor
  • Posts: 16
  • Country: de
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1029 on: January 26, 2024, 08:29:25 pm »
I wonder what URL I have to block to get rid of the red dot.

Request was like this:

Code:
https://spiderapi.rigol.com/api/Support/ProductUpgradeFile?sn=DHO8AXXXXXXXXX&hardware=1.0&behaviour=soft&software=00.01.01

This is shown in adb logcat

UPDATE: Just noticed this was already answered...  ::)
« Last Edit: January 26, 2024, 08:31:43 pm by cte »
 
The following users thanked this post: AceyTech

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 194
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1030 on: January 27, 2024, 12:35:10 am »
If you're going to poke around, add a watch with a date in the lower right corner, like in the 1000 series.... ^-^

Problem: Only DHO8/9 scopes with access to an NTP server could take advantage of the date/clock function, since these don't have an RTC battery...

...Yet  ;)
(cough: Pin 9, PMIC. /cough)
« Last Edit: January 27, 2024, 10:04:02 am by AceyTech »
 
The following users thanked this post: cte

Online Fungus

  • Super Contributor
  • ***
  • Posts: 17149
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1031 on: January 27, 2024, 03:30:18 am »
I wonder what URL I have to block to get rid of the red dot.

Request was like this:

Code:
https://spiderapi.rigol.com/api/Support/ProductUpgradeFile?sn=DHO8AXXXXXXXXX&hardware=1.0&behaviour=soft&software=00.01.01

This is shown in adb logcat

UPDATE: Just noticed this was already answered...  ::)

But with a different URL:

Code:
http://support.rigol.com/api/Support/ProductUpgradeFile?sn=<serialnumber>&hardware=1.0&behaviour=soft&software=00.01.01
 

Offline cte

  • Contributor
  • Posts: 16
  • Country: de
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1032 on: January 27, 2024, 10:16:54 am »
Ok, sorry for the confusion. I just checked with Wireshark:

The initial update check is addressed to support.rigol.com.
The actual firmware image file would apparently be loaded from spiderapi.rigol.com.

NTP is queried from asia.pool.ntp.org

Additionally, I had two connection attempts to 192.168.1.143:2300 which is not a valid destination within my network...
« Last Edit: January 27, 2024, 10:21:21 am by cte »
 
The following users thanked this post: AceyTech

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 194
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1033 on: January 27, 2024, 10:31:07 am »

Additionally, I had two connection attempts to 192.168.1.143:2300 which is not a valid destination within my network...

Thanks for doing that. 
So if I'm reading this right; you're on a different private IP space than the "de facto" 192.x, but the scope is trying to reach a "hard coded" private NAT address?
« Last Edit: January 27, 2024, 10:43:39 am by AceyTech »
 

Offline cte

  • Contributor
  • Posts: 16
  • Country: de
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1034 on: January 27, 2024, 10:48:19 am »

Additionally, I had two connection attempts to 192.168.1.143:2300 which is not a valid destination within my network...

Thanks for doing that. 
So if I'm reading this right; you're on a different private IP space than the de facto 192.x, but the scope is trying to reach some "hard coded" private NAT addresses?

Yes, indeed. I just tried to configure a device at this address and look at the communication, but this failed because the Rigol itself uses my DHCP assigned subnet, and the Mikrotik router doesn't know where to route this request to. I'm reluctant to reconfigure any router settings... It would be better to set up some isolated network with a Raspberry Pi or anything alike. Not sure if I find the time this weekend to do this, but I'm curious now...
 
The following users thanked this post: AceyTech

Offline S2084

  • Regular Contributor
  • *
  • Posts: 80
  • Country: cz
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1035 on: January 27, 2024, 11:03:57 am »
If you're going to poke around, add a watch with a date in the lower right corner, like in the 1000 series.... ^-^

I managed to do this using a third-party program "Status Bar Mini PRO"

Online RAPo

  • Frequent Contributor
  • **
  • Posts: 772
  • Country: nl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1036 on: January 27, 2024, 11:51:56 am »
Please elaborate a bit more.
How to install Status Bar Mini PRO?
Can it be moved to the top right of the screen?

I managed to do this using a third-party program "Status Bar Mini PRO"
 

Offline S2084

  • Regular Contributor
  • *
  • Posts: 80
  • Country: cz
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1037 on: January 27, 2024, 12:02:27 pm »
Please elaborate a bit more.
How to install Status Bar Mini PRO?
Can it be moved to the top right of the screen?

I managed to do this using a third-party program "Status Bar Mini PRO"
Just enter a query with the name of the program in a search engine, you will immediately be offered links to download the apk file, install the downloaded apk in your scope.  You can place the date and time display in any area of the screen, you can also choose the color and font size, this program is very flexible in settings.  Go for it!!!
 
The following users thanked this post: thm_w, RAPo, AceyTech

Offline cte

  • Contributor
  • Posts: 16
  • Country: de
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1038 on: January 27, 2024, 01:02:45 pm »
Now this was quite some fun to set up... 8)



Apparently, Rigol is contacting 192.168.1.143 for Android OTA updates...

Code:
bofh@raspberrypi:~ $ sudo ip addr add 192.168.1.143/22 dev eth0.666
bofh@raspberrypi:~ $ nc -l -s 192.168.1.143 -p 2300
HEAD /OtaUpdater/android?product=rk3399_rigol&version=1.0.0&sn=RW8GIY5R55&country=US&language=en HTTP/1.1
Host: 192.168.1.143:2300
Connection: Keep-Alive
User-Agent: rk29sdk/4.0

bofh@raspberrypi:~ $
 
The following users thanked this post: zrq, eklein, AceyTech
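
Added example (not part of cte's post and not Rigol code): a parser for the request captured above that flags the two things the capture shows from a network-hygiene view, a literal private destination outside the local subnet and device identifiers in the query string. `LOCAL_NET` and the `IDENTIFYING` key set are assumptions, since the thread does not state the scope's real subnet.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Request text exactly as the nc listener printed it in the post above.
CAPTURED = (
    "HEAD /OtaUpdater/android?product=rk3399_rigol&version=1.0.0"
    "&sn=RW8GIY5R55&country=US&language=en HTTP/1.1\r\n"
    "Host: 192.168.1.143:2300\r\n"
    "Connection: Keep-Alive\r\n"
    "User-Agent: rk29sdk/4.0\r\n\r\n"
)
# Assumption: the subnet the scope really sits on (not given in the thread).
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")
# Assumption: query keys that identify the individual device or its firmware.
IDENTIFYING = {"sn", "product", "version"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, query and headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _proto = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    return method, url.path, query, headers


def audit(raw, local_net=LOCAL_NET):
    """Return a list of findings for one captured outbound request."""
    _method, _path, query, headers = parse_request(raw)
    host = headers.get("host", "").rsplit(":", 1)[0]
    findings = []
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # Host header is a DNS name, not a literal address
    if addr is not None and addr.is_private and addr not in local_net:
        findings.append(f"hardcoded private destination {addr} outside {local_net}")
    leaked = sorted(IDENTIFYING & query.keys())
    if leaked:
        findings.append("identifiers in plaintext HTTP: " + ", ".join(leaked))
    return findings


if __name__ == "__main__":
    print("\n".join(audit(CAPTURED)))
```
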

Online Fungus

  • Super Contributor
  • ***
  • Posts: 17149
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1039 on: January 27, 2024, 01:18:34 pm »
Apparently, Rigol is contacting 192.168.1.143 for Android OTA updates...

Maybe Rigol's internal server for devs to push out updates...
 

Offline S2084

  • Regular Contributor
  • *
  • Posts: 80
  • Country: cz
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1040 on: January 27, 2024, 05:57:04 pm »
I wish every scope would allow an individual color selection for each channel. Though, very few do unfortunately.

By the way, LeCroy has a paid option... :-DD :-DD :-DD

Online RAPo

  • Frequent Contributor
  • **
  • Posts: 772
  • Country: nl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1041 on: January 27, 2024, 05:58:31 pm »
Well, shall we mail Rigol with this idea? An option for Eu20,-- is a cashcow.

I wish every scope would allow an individual color selection for each channel. Though, very few do unfortunately.

By the way, LeCroy has a paid option... :-DD :-DD :-DD
 
The following users thanked this post: S2084

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 194
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1042 on: January 28, 2024, 06:11:23 am »
Now this was quite some fun to set up... 8)

Apparently, Rigol is contacting 192.168.1.143 for Android OTA updates...

Code:
bofh@raspberrypi:~ $ sudo ip addr add 192.168.1.143/22 dev eth0.666
bofh@raspberrypi:~ $ nc -l -s 192.168.1.143 -p 2300
HEAD /OtaUpdater/android?product=rk3399_rigol&version=1.0.0&sn=RW8GIY5R55&country=US&language=en HTTP/1.1
Host: 192.168.1.143:2300
Connection: Keep-Alive
User-Agent: rk29sdk/4.0

bofh@raspberrypi:~ $

That's so awesome, thanks for confirming that.  Seems like a silly thing for the devs to overlook.  And, given that they're targeting a specific port#, I agree with @Fungus that it's probably an internal server.
 
The following users thanked this post: cte

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 194
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1043 on: January 28, 2024, 08:24:40 pm »
I managed to do this using a third-party program "Status Bar Mini PRO"

Looks like you also modified the fonts as well.  Did you do that with Status Bar Mini Pro as well?  If so, it's worth the $3us to me.
  Edit: Looks like the font modifying program was mentioned in the "Unbox" thread, sorry.

It's probably a bit peevish of me, but I would love to change the font on the "Auto" in the upper left corner so the "O" isn't wrapped around to the second line in the box.  I know it's a bargain scope, and maybe users have filed a bug report, but it just looks silly and unprofessional.
« Last Edit: January 28, 2024, 10:44:26 pm by AceyTech »
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6923
  • Country: de
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1044 on: January 28, 2024, 08:44:15 pm »
I would love to change the font on the "Auto" in the upper left corner so the "O" isn't wrapped around to the second line in the box.  I know it's a bargain scope, and maybe users have filed a bug report, but it just looks silly and unprofessional.

Filing a bug report (with Rigol) on a hack is probably not going to be effective.  :)
The original font fits into its allotted space without a line break, I believe.
 

Offline S2084

  • Regular Contributor
  • *
  • Posts: 80
  • Country: cz
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1045 on: January 28, 2024, 08:52:12 pm »
I managed to do this using a third-party program "Status Bar Mini PRO"

Looks like you also modified the fonts as well.  Did you do that with Status Bar Mini Pro as well?  If so, it's worth the $3us to me.

It's probably a bit peevish of me, but I would love to change the font on the "Auto" in the upper left corner so the "O" isn't wrapped around to the second line in the box.  I know it's a bargain scope, and maybe users have filed a bug report, but it just looks silly and unprofessional.

I changed the font with the program "FontFix 4.9.0", the font name is "comfortaa", in some places the text does not fit on one line because I increased the font scale in the android system settings... It's more convenient for me. If you don't change the font scale in the system, everything will fit....
 
The following users thanked this post: AceyTech

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 194
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1046 on: January 28, 2024, 11:02:19 pm »
I would love to change the font on the "Auto" in the upper left corner so the "O" isn't wrapped around to the second line in the box.  I know it's a bargain scope, and maybe users have filed a bug report, but it just looks silly and unprofessional.

Filing a bug report (with Rigol) on a hack is probably not going to be effective.  :)
The original font fits into its allotted space without a line break, I believe.
Confirmed.  I guess I saw so many screenshots recently with the wrap around, and mine was back in the box, I thought it was systemic.
And yeah, that wouldn't be prudent to file with Rigol. ;)
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 710
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1047 on: January 29, 2024, 02:59:18 pm »
Now this was quite some fun to set up... 8)


Apparently, Rigol is contacting 192.168.1.143 for Android OTA updates...

Code:
bofh@raspberrypi:~ $ sudo ip addr add 192.168.1.143/22 dev eth0.666
bofh@raspberrypi:~ $ nc -l -s 192.168.1.143 -p 2300
HEAD /OtaUpdater/android?product=rk3399_rigol&version=1.0.0&sn=RW8GIY5R55&country=US&language=en HTTP/1.1
Host: 192.168.1.143:2300
Connection: Keep-Alive
User-Agent: rk29sdk/4.0

bofh@raspberrypi:~ $
These commands are seen on the DHO?
Not making sense to me.
sudo ip addr add 192.168.1.143/22 dev eth0.666 binds ipv4 address with /22 mask to sub iface 666 on eth0

nc -l -s 192.168.1.143 -p 2300 , at least in combo with ip add, this nc seems to be setting up a local tcp socket listener on port 2300

So how does this facilitate an OTA update?

 

Offline mwb1100

  • Frequent Contributor
  • **
  • Posts: 530
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1048 on: January 29, 2024, 04:27:21 pm »
These commands are seen on the DHO?

No. These commands are being run on a raspberry pi.  They set up a listener on that IP address so that when the DHO tries to connect to it, the raspberry will display the request that the DHO makes.
 
The following users thanked this post: AceyTech

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 710
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #1049 on: January 29, 2024, 04:43:34 pm »
These commands are seen on the DHO?

No. These commands are being run on a raspberry pi.  They set up a listener on that IP address so that when the DHO tries to connect to it, the raspberry will display the request that the DHO makes.
Ahhh. Makes sense now.

Just run a filter in Wireshark looking for the ARP who-has and DNS requests. Maybe see even more odd attempts from the DHO to reach out.
 

