Author Topic: Hacking the Rigol DHO800/900 Scope  (Read 1353108 times)



Offline dreamcat4

  • Frequent Contributor
  • **
  • Posts: 495
  • Country: gb
Re: Hacking the Rigol DHO800/900 Scope
« Reply #76 on: September 26, 2023, 07:39:18 am »
Oh, looks like the serial console is just left enabled?!
Could you please run this and share the output?
getprop

Here you go!

Code:
rk3399_rigol:/ $ getprop
getprop

[UserVolumeLabel]: [RockChips]
[camera2.portability.force_api]: [1]
[crashlogd.processing.ongoing]: [0]
[crashlogd.token]: [1]
[dalvik.vm.appimageformat]: [lz4]
[dalvik.vm.boot-dex2oat-threads]: [2]
[dalvik.vm.dex2oat-Xms]: [64m]
[dalvik.vm.dex2oat-Xmx]: [512m]
[dalvik.vm.dex2oat-threads]: [2]
[dalvik.vm.heapgrowthlimit]: [192m]
[dalvik.vm.heapmaxfree]: [8m]
[dalvik.vm.heapminfree]: [512k]
[dalvik.vm.heapsize]: [512m]
[dalvik.vm.heapstartsize]: [16m]
[dalvik.vm.heaptargetutilization]: [0.75]
[dalvik.vm.image-dex2oat-Xms]: [64m]
[dalvik.vm.image-dex2oat-Xmx]: [64m]
[dalvik.vm.image-dex2oat-threads]: [2]
[dalvik.vm.isa.arm.features]: [default]
[dalvik.vm.isa.arm.variant]: [cortex-a53.a57]
[dalvik.vm.isa.arm64.features]: [default]
[dalvik.vm.isa.arm64.variant]: [cortex-a53]
[dalvik.vm.lockprof.threshold]: [500]
[dalvik.vm.stack-trace-file]: [/data/anr/traces.txt]
[dalvik.vm.usejit]: [true]
[dalvik.vm.usejitprofiles]: [true]
[debug.atrace.tags.enableflags]: [0]
[debug.force_rtl]: [0]
[debug.nfc.fw_download]: [false]
[debug.nfc.se]: [false]
[dev.bootcomplete]: [1]
[init.svc.adbd]: [running]
[init.svc.akmd]: [stopped]
[init.svc.ap_log_srv]: [stopped]
[init.svc.ap_logfs]: [stopped]
[init.svc.apk_logfs]: [running]
[init.svc.audioserver]: [running]
[init.svc.bootanim]: [stopped]
[init.svc.console]: [running]
[init.svc.crashlogd]: [running]
[init.svc.daemonssh]: [running]
[init.svc.debuggerd]: [running]
[init.svc.debuggerd64]: [running]
[init.svc.drm]: [running]
[init.svc.drmservice]: [stopped]
[init.svc.earlylogs]: [stopped]
[init.svc.gatekeeperd]: [running]
[init.svc.healthd]: [running]
[init.svc.installd]: [running]
[init.svc.keystore]: [running]
[init.svc.lmkd]: [running]
[init.svc.log-watch]: [running]
[init.svc.logd]: [running]
[init.svc.logd-reinit]: [stopped]
[init.svc.media]: [running]
[init.svc.mediacodec]: [running]
[init.svc.mediadrm]: [running]
[init.svc.mediaextractor]: [running]
[init.svc.netd]: [running]
[init.svc.perfprofd]: [running]
[init.svc.ril-daemon]: [stopped]
[init.svc.servicemanager]: [running]
[init.svc.startApp]: [stopped]
[init.svc.su_daemon]: [running]
[init.svc.surfaceflinger]: [running]
[init.svc.ueventd]: [running]
[init.svc.up_eth0]: [stopped]
[init.svc.vold]: [running]
[init.svc.zygote]: [running]
[init.svc.zygote_secondary]: [running]
[keyguard.no_require_sim]: [true]
[log.tag.WifiHAL]: [D]
[logd.logpersistd.enable]: [true]
[media.audio.slice]: [0]
[net.bt.name]: [Android]
[net.change]: [net.qtaguid_enabled]
[net.hostname]: [android-11e19a77c1de3ca5]
[net.qtaguid_enabled]: [1]
[net.tcp.default_init_rwnd]: [60]
[persist.core.enabled]: [0]
[persist.crashlogd.root]: [/data/logs]
[persist.demo.hdmirotates]: [true]
[persist.intel.logger.rot_cnt]: [20]
[persist.intel.logger.rot_size]: [5000]
[persist.internet.adb.enable]: [1]
[persist.net.ethernet.mode]: [normal]
[persist.rigol.boot.record]: [48]
[persist.rigol.fpga.boot.addr]: [0x400000]
[persist.service.apklogfs.enable]: [1]
[persist.service.aplogfs.enable]: [0]
[persist.sys.alarm.fixed]: [300000]
[persist.sys.alarm.strategy]: [fixed2]
[persist.sys.color.main]: [RGB-8bit]
[persist.sys.dalvik.vm.lib.2]: [libart.so]
[persist.sys.first_booting]: [false]
[persist.sys.framebuffer.main]: [1024x600@60]
[persist.sys.hid]: []
[persist.sys.profiler_ms]: [0]
[persist.sys.root_access]: [1]
[persist.sys.rotation.efull]: [true]
[persist.sys.strictmode.visual]: [false]
[persist.sys.timezone]: [Asia/Shanghai]
[persist.sys.ui.hw]: [true]
[persist.sys.usb.config]: [mtp,adb]
[persist.sys.webview.vmsize]: [118564800]
[persist.tegra.nvmmlite]: [1]
[pm.dexopt.ab-ota]: [speed-profile]
[pm.dexopt.bg-dexopt]: [speed-profile]
[pm.dexopt.boot]: [verify-profile]
[pm.dexopt.core-app]: [speed]
[pm.dexopt.first-boot]: [interpret-only]
[pm.dexopt.forced-dexopt]: [speed]
[pm.dexopt.install]: [interpret-only]
[pm.dexopt.nsys-library]: [speed]
[pm.dexopt.shared-apk]: [speed]
[ril.function.dataonly]: [1]
[rild.libargs]: [-d /dev/ttyACM0]
[rild.libpath]: [/system/lib/libril-rk29-dataonly.so]
[ro.adb.secure]: [0]
[ro.allow.mock.location]: [0]
[ro.audio.monitorOrientation]: [true]
[ro.baseband]: [N/A]
[ro.board.platform]: [rk3399]
[ro.boot.baseband]: [N/A]
[ro.boot.console]: [ttyFIQ0]
[ro.boot.hardware]: [rk30board]
[ro.boot.mode]: [emmc]
[ro.boot.noril]: [true]
[ro.boot.oem_unlocked]: [0]
[ro.boot.selinux]: [disabled]
[ro.bootimage.build.date]: [Wed Aug 23 11:39:22 CST 2023]
[ro.bootimage.build.date.utc]: [1692761962]
[ro.bootimage.build.fingerprint]: [Android/rk3399_rigol/rk3399_rigol:7.1.2/NHG47K/adil08231139:userdebug/dev-keys]
[ro.bootloader]: [unknown]
[ro.bootmode]: [emmc]
[ro.bt.bdaddr_path]: [/data/misc/bluetooth/bdaddr]
[ro.build.characteristics]: [tablet]
[ro.build.date]: [Wed Aug 23 11:39:22 CST 2023]
[ro.build.date.utc]: [1692761962]
[ro.build.description]: [rk3399_rigol-userdebug 7.1.2 NHG47K eng.adil.20230823.113922 dev-keys]
[ro.build.display.id]: [rk3399_rigol-userdebug 7.1.2 NHG47K eng.adil.20230823.113922 dev-keys]
[ro.build.fingerprint]: [Android/rk3399_rigol/rk3399_rigol:7.1.2/NHG47K/adil08231139:userdebug/dev-keys]
[ro.build.flavor]: [rk3399_rigol-userdebug]
[ro.build.host]: [ubuntu]
[ro.build.id]: [NHG47K]
[ro.build.product]: [rk3399_rigol]
[ro.build.tags]: [dev-keys]
[ro.build.type]: [userdebug]
[ro.build.user]: [adil]
[ro.build.version.all_codenames]: [REL]
[ro.build.version.base_os]: []
[ro.build.version.codename]: [REL]
[ro.build.version.incremental]: [eng.adil.20230823.113922]
[ro.build.version.preview_sdk]: [0]
[ro.build.version.release]: [7.1.2]
[ro.build.version.sdk]: [25]
[ro.build.version.security_patch]: [2019-10-05]
[ro.carrier]: [unknown]
[ro.com.android.dataroaming]: [true]
[ro.config.alarm_alert]: [Alarm_Classic.ogg]
[ro.config.enable.remotecontrol]: [false]
[ro.config.notification_sound]: [pixiedust.ogg]
[ro.config.ringtone]: [Ring_Synth_04.ogg]
[ro.crypto.state]: [unencrypted]
[ro.dalvik.vm.native.bridge]: [0]
[ro.debuggable]: [1]
[ro.default.size]: [100]
[ro.device_owner]: [false]
[ro.enable_boot_charger_mode]: [0]
[ro.expect.recovery_id]: [0xd433ae56b13e30da0aee31b12bb7a704e313580a000000000000000000000000]
[ro.factory.hasGPS]: [false]
[ro.factory.hasUMS]: [false]
[ro.factory.storage_suppntfs]: [true]
[ro.factory.tool]: [0]
[ro.factory.without_battery]: [false]
[ro.hardware]: [rk30board]
[ro.hwui.disable_scissor_opt]: [true]
[ro.hwui.drop_shadow_cache_size]: [6]
[ro.hwui.gradient_cache_size]: [1]
[ro.hwui.layer_cache_size]: [48]
[ro.hwui.path_cache_size]: [32]
[ro.hwui.r_buffer_cache_size]: [8]
[ro.hwui.text_large_cache_height]: [1024]
[ro.hwui.text_large_cache_width]: [2048]
[ro.hwui.text_small_cache_height]: [1024]
[ro.hwui.text_small_cache_width]: [1024]
[ro.hwui.texture_cache_flushrate]: [0.4]
[ro.hwui.texture_cache_size]: [72]
[ro.intel.logger]: [/system/vendor/bin/logcatext]
[ro.opengles.version]: [196610]
[ro.product.board]: [rk30sdk]
[ro.product.brand]: [Android]
[ro.product.cpu.abi]: [arm64-v8a]
[ro.product.cpu.abilist]: [arm64-v8a,armeabi-v7a,armeabi]
[ro.product.cpu.abilist32]: [armeabi-v7a,armeabi]
[ro.product.cpu.abilist64]: [arm64-v8a]
[ro.product.device]: [rk3399_rigol]
[ro.product.first_api_level]: [25]
[ro.product.locale]: [en-US]
[ro.product.manufacturer]: [Rigol (www.rigol.com)]
[ro.product.model]: [rk3399_rigol]
[ro.product.name]: [rk3399_rigol]
[ro.product.usbfactory]: [rockchip_usb]
[ro.radio.noril]: [true]
[ro.revision]: [0]
[ro.rigol.ota.build]: [0]
[ro.rigol.product.aliasname]: [sparrow]
[ro.rigol.system.version]: [1.1.3]
[ro.ril.ecclist]: [112,911]
[ro.rk.LowBatteryBrightness]: [true]
[ro.rk.MassStorage]: [false]
[ro.rk.bt_enable]: [true]
[ro.rk.def_brightness]: [200]
[ro.rk.flash_enable]: [true]
[ro.rk.hdmi_enable]: [true]
[ro.rk.homepage_base]: [http://www.google.com/webhp?client={CID}&source=android-home]
[ro.rk.install_non_market_apps]: [false]
[ro.rk.screenoff_time]: [60000]
[ro.rk.screenshot_enable]: [true]
[ro.rk.soc]: [rk3399]
[ro.rk.systembar.tabletUI]: [false]
[ro.rk.systembar.voiceicon]: [true]
[ro.rksdk.version]: [RK30_ANDROID7.1.2-SDK-v1.00.00]
[ro.runtime.firstboot]: [1358470234680]
[ro.safemode.disabled]: [true]
[ro.secure]: [1]
[ro.serialno]: [RW8GIY5R55]
[ro.service.default_logfs]: [apklogfs]
[ro.sf.fakerotation]: [false]
[ro.sf.hwrotation]: [0]
[ro.sf.lcd_density]: [228]
[ro.support.lossless.bitstream]: [true]
[ro.sys.sdcardfs]: [true]
[ro.target.product]: [tablet]
[ro.tether.denied]: [false]
[ro.udisk.visible]: [true]
[ro.wifi.channels]: []
[ro.zygote]: [zygote64_32]
[security.perf_harden]: [1]
[selinux.reload_policy]: [1]
[service.adb.tcp.port]: [55555]
[service.bootanim.exit]: [1]
[sf.power.control]: [8847360]
[sys.boot_completed]: [1]
[sys.bootvideo.closed]: [1]
[sys.device_locked.status]: [0]
[sys.dropbox.max_size_kb]: [4096]
[sys.dump.binder_stats.anr]: [1]
[sys.dump.binder_stats.uiwdt]: [1]
[sys.ggralloc.commit]: [commit-id:1c1bd71]
[sys.ggralloc.version]: [1.0.6]
[sys.ghwc.commit]: [commit-id:3212866]
[sys.ghwc.version]: [0.66-rk3399-MID]
[sys.gmali.fbdc_target]: [0]
[sys.gmali.version]: [r18p0-01rel0-x-6@0]
[sys.gralloc.disable_afbc]: [1]
[sys.hwc.compose_policy]: [6]
[sys.hwc.device.aux]: []
[sys.hwc.device.main]: [DSI]
[sys.hwc.device.primary]: [DSI]
[sys.logbootcomplete]: [1]
[sys.resolution.changed]: [false]
[sys.rga.version]: [v1.0-20180420]
[sys.rkadb.root]: [0]
[sys.secureboot]: [false]
[sys.serialno]: [RW8GIY5R55]
[sys.status.hidebar_enable]: [false]
[sys.sysctl.extra_free_kbytes]: [7200]
[sys.usb.config]: [mtp,adb]
[sys.usb.configfs]: [1]
[sys.usb.controller]: [fe800000.dwc3]
[sys.wallpaper.rgb565]: [0]
[testing.mediascanner.skiplist]: [/mnt/shell/emulated/Android/]
[vold.has_adoptable]: [1]
[vold.post_fs_data_done]: [1]
[wifi.interface]: [wlan0]
[wifi.supplicant_scan_interval]: [15]
[wlan.driver.status]: [unloaded]
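
Added example, not part of the original post: a short Python audit that parses getprop output in the format shown above and flags the debug and access-control settings a defender would want to review on a device like this. The rule list and the one-year patch-gap threshold are assumptions chosen for illustration; the sample lines are copied from the dump above.

```python
import re
from datetime import date, datetime, timezone

# Sample input: a few lines copied from the getprop dump in the post above.
SAMPLE = """\
rk3399_rigol:/ $ getprop
[init.svc.adbd]: [running]
[init.svc.su_daemon]: [running]
[persist.internet.adb.enable]: [1]
[ro.adb.secure]: [0]
[ro.boot.selinux]: [disabled]
[ro.build.date.utc]: [1692761962]
[ro.build.tags]: [dev-keys]
[ro.build.type]: [userdebug]
[ro.build.version.security_patch]: [2019-10-05]
[ro.crypto.state]: [unencrypted]
[ro.debuggable]: [1]
[ro.secure]: [1]
[service.adb.tcp.port]: [55555]
"""

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict; prompts and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


# (property, predicate on its value, why it matters). Illustrative rule set, not exhaustive.
RULES = [
    ("ro.adb.secure", lambda v: v == "0",
     "adbd does not require host RSA key authorization"),
    ("service.adb.tcp.port", lambda v: v.isdigit() and int(v) > 0,
     "adbd is configured to listen on a TCP port"),
    ("persist.internet.adb.enable", lambda v: v == "1",
     "vendor property; network ADB switched on (meaning assumed from its name)"),
    ("ro.debuggable", lambda v: v == "1",
     "any app can be debugged and adbd may restart as root"),
    ("ro.build.type", lambda v: v in ("userdebug", "eng"),
     "development build type shipped on the device"),
    ("ro.build.tags", lambda v: v != "release-keys",
     "build is not tagged as signed with release keys"),
    ("ro.boot.selinux", lambda v: v in ("disabled", "permissive"),
     "SELinux is not enforcing"),
    ("ro.crypto.state", lambda v: v == "unencrypted",
     "userdata partition is stored unencrypted"),
    ("init.svc.su_daemon", lambda v: v == "running",
     "a su daemon service is running"),
]


def patch_gap_days(props):
    """Days between the security patch level and the build date, or None if unknown."""
    try:
        patch = date.fromisoformat(props["ro.build.version.security_patch"])
        built = datetime.fromtimestamp(
            int(props["ro.build.date.utc"]), tz=timezone.utc).date()
    except (KeyError, ValueError):
        return None
    return (built - patch).days


def audit(props, max_patch_gap_days=365):
    """Return (property, value, reason) for every rule that fires."""
    findings = [(k, props[k], why) for k, bad, why in RULES
                if k in props and bad(props[k])]
    gap = patch_gap_days(props)
    if gap is not None and gap > max_patch_gap_days:
        findings.append(("ro.build.version.security_patch",
                         props["ro.build.version.security_patch"],
                         f"patch level is {gap} days older than the build"))
    return findings


if __name__ == "__main__":
    for key, value, why in audit(parse_getprop(SAMPLE)):
        print(f"{key}={value}: {why}")
```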
 

Offline dreamcat4

  • Frequent Contributor
  • **
  • Posts: 495
  • Country: gb
Re: Hacking the Rigol DHO800/900 Scope
« Reply #77 on: September 26, 2023, 07:39:57 am »
Here are the partitions in the SD card image, RigolDHO800-SDcard-dump.img:
  • offset=281018368,sizelimit=134217728: Ext4 Android backup/recovery partition
  • offset=415236096,sizelimit=2147483648: Ext4 Android filesystem system named system (startup stuff)
  • offset=2562719744,sizelimit=16777216: Ext4, empty
  • offset=2584248320,sizelimit=524288000: Ext4 filesystem named rigol, contains interesting Rigol stuff
  • offset=3225419776,sizelimit=28494004224: Ext4 filesystem, rest of the Android filesystem
Thanks for figuring out the offsets. Some more details on the partitions:
offset=415236096,sizelimit=2147483648:  => /system partition which contains the Android framework (= "operating system" without kernel)
offset=2584248320,sizelimit=524288000: => Rigol proprietary partition. DHO800_DHO900_Update.GEL is a tar.gz file which seems to contain the parts of that partition. There also seems to be some calibration data stored in the data folder. There is also a 148 byte Key.data file.
app/Sparrow.apk contains libscope-auklet.so which has quite some interesting strings embedded.

offset=3225419776,sizelimit=28494004224: => userdata partition. This is where all user-generated data is stored on an Android system. logs/tools_log there contains some interesting logfiles.
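
Added example, not part of the original posts: one way to confirm that the listed offsets really hold ext4 filesystems is to read the superblock 1024 bytes into each one and check the magic, the volume label and the filesystem size against the sizelimit. The miniature image written by make_demo_image is constructed so the code runs without the real dump, and only the 32-bit block count is read.

```python
import os
import struct
import tempfile

# (offset, sizelimit) pairs in bytes, as listed in the post above. The same
# values work for a read-only loop mount, e.g.
#   mount -o ro,loop,offset=2584248320,sizelimit=524288000 \
#         RigolDHO800-SDcard-dump.img /mnt/rigol
PARTITIONS = [
    (281018368, 134217728),
    (415236096, 2147483648),
    (2562719744, 16777216),
    (2584248320, 524288000),
    (3225419776, 28494004224),
]

SB_OFFSET = 1024      # the ext4 superblock starts 1024 bytes into the filesystem
EXT4_MAGIC = 0xEF53   # s_magic, little-endian uint16 at superblock offset 0x38


def probe_ext4(f, offset, sizelimit):
    """Return label and size info if an ext4 superblock sits at `offset`, else None."""
    f.seek(offset + SB_OFFSET)
    sb = f.read(1024)
    if len(sb) < 0x88:
        return None                       # image ends before this partition
    (blocks_lo,) = struct.unpack_from("<I", sb, 0x04)   # s_blocks_count_lo
    (log_bs,) = struct.unpack_from("<I", sb, 0x18)      # s_log_block_size
    (magic,) = struct.unpack_from("<H", sb, 0x38)       # s_magic
    if magic != EXT4_MAGIC or log_bs > 6:
        return None
    fs_bytes = blocks_lo * (1024 << log_bs)
    label = sb[0x78:0x88].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"offset": offset, "label": label,
            "fs_bytes": fs_bytes, "fits": fs_bytes <= sizelimit}


def scan_image(path, partitions=PARTITIONS):
    """Probe every (offset, sizelimit) pair; one result (or None) per entry."""
    with open(path, "rb") as f:
        return [probe_ext4(f, off, lim) for off, lim in partitions]


def _write_superblock(f, offset, label, blocks, log_bs=2):
    """Write a minimal fake superblock (4 KiB blocks by default)."""
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 0x04, blocks)
    struct.pack_into("<I", sb, 0x18, log_bs)
    struct.pack_into("<H", sb, 0x38, EXT4_MAGIC)
    sb[0x78:0x78 + len(label)] = label.encode("ascii")
    f.seek(offset + SB_OFFSET)
    f.write(sb)


def make_demo_image(path):
    """Constructed test image: one good slot, one empty slot, one oversized filesystem."""
    parts = [(4096, 65536), (131072, 65536), (262144, 65536)]
    with open(path, "wb") as f:
        _write_superblock(f, 4096, "rigol", blocks=16)      # 16 * 4096 = 65536, fits
        _write_superblock(f, 262144, "system", blocks=32)   # 131072 > sizelimit
    return parts


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "demo.img")
        for result in scan_image(img, make_demo_image(img)):
            print(result)
```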
 

Offline dreamcat4

  • Frequent Contributor
  • **
  • Posts: 495
  • Country: gb
Re: Hacking the Rigol DHO800/900 Scope
« Reply #78 on: September 26, 2023, 07:41:06 am »
more experience with Linux-based integration than Android, the difference being in the userspace, but I really don't see why the bootup should take 45 seconds

Bumped the other day into this parallel between Linux and Android partitions layout and boot process.  It's a bird's-eye view, in the premise of replacing Android with Linux on a mobile platform:
https://forum.xda-developers.com/t/info-android-device-partitions-and-filesystems.3586565/
https://forum.xda-developers.com/t/info-boot-process-android-vs-linux.3785254/
https://forum.xda-developers.com/t/info-is-it-possible-to-install-windows-ios-or-linux-on-android-device.3763961/
 

Offline dreamcat4

  • Frequent Contributor
  • **
  • Posts: 495
  • Country: gb
Re: Hacking the Rigol DHO800/900 Scope
« Reply #79 on: September 26, 2023, 07:41:44 am »
Out of curiosity I looked at the firmware update.

It is a *.GEL file that you can open with 7ZIP without problem.

The file within can then be extracted again with 7ZIP and you get the folder structure of the whole update file.

The update routine includes this folder with the update scripts:

Code:
Directory of DHO800_DHO900(Software)Update\Root\shell

13/09/2023  17:44    <DIR>          .
13/09/2023  17:08    <DIR>          ..
29/03/2023  09:37               512 bootApp.sh
29/03/2023  09:37               659 copy_logs_to_udisk.sh
20/06/2023  12:47             8,079 do_extract.sh
08/06/2023  03:46             1,798 do_update.sh
29/03/2023  09:37               645 force_update_gel.sh
29/03/2023  09:37             1,027 load_pcie.sh
20/06/2023  12:47             1,427 reload_fpga.sh
05/07/2023  08:16                97 restartScope.sh
20/06/2023  12:47             5,362 start_rigol_app.sh
              9 File(s)         19,606 bytes

The main app is the Sparrow.apk. Looking at it with a HEX-Editor, I found this:

License file detected
License invalid. Remaining attempts: 1
License invalid. Remaining attempts: 2
License invalid. Remaining attempts: 3
License invalid. Remaining attempts: 4
License invalid. Remaining attempts: 5
License invalid. Remaining attempts: 6
License invalid. Remaining attempts: 7
License invalid. Remaining attempts: 8
License invalid. Remaining attempts: 9
...
This function requires the following license:
...

Also, it seems that the licenses are stored in "LICENSE.txt".

It should be possible to edit "copy_logs_to_udisk.sh":

Code:
#!/system/bin/bash

echo "...... ifconfig ......"
ifconfig

udisk_mount_dir=$(ls -d1 /mnt/media_rw/* 2> /dev/null | head -n 1)

if [[ x"${udisk_mount_dir}" == x"" || ! -d ${udisk_mount_dir} ]]; then
    echo "Does not exist U-Disk !"
    exit 2
fi

target_log_dir=${udisk_mount_dir}/$(date "+%Y.%m.%d_%H.%M.%S")

# target_log_dir=/data/UserData/logs_for_debug/$(date "+%Y.%m.%d_%H.%M.%S")

echo mkdir -p ${target_log_dir}
mkdir -p ${target_log_dir}

echo cp -r /data/logs/tools_log  ${target_log_dir}
cp -r /data/logs/tools_log  ${target_log_dir}

# chown -R system:system /data/UserData/logs_for_debug

rm -f ${udisk_mount_dir}/fetch_sparrow_logs.txt

sync

In order to add a line like

Code:
cp -r /data  ${target_log_dir}

The goal is to copy the whole data folder (and its sub-folders) to the attached USB disk. This might be the wrong folder, but with a bit of trial & error one should be able to get to see the LICENSE.txt file. I wonder if the options are in plain text...

Disclaimer: I don't own this device and I am not looking forward to buying one (I have the DS1054Z which is more than I will ever need). These are just my thoughts and ideas, they might break your brand new device.
 
The following users thanked this post: Serg65536

Offline dreamcat4

  • Frequent Contributor
  • **
  • Posts: 495
  • Country: gb
Re: Hacking the Rigol DHO800/900 Scope
« Reply #80 on: September 26, 2023, 07:42:34 am »
Found a hidden debug mode in the utility menu that can be enabled if you tap the About button several times. This unlocks more options in the Other and the SelfCal tabs and a new Debug tab. Not sure if it has other effects.
 

Offline dreamcat4

  • Frequent Contributor
  • **
  • Posts: 495
  • Country: gb
Re: Hacking the Rigol DHO800/900 Scope
« Reply #81 on: September 26, 2023, 07:44:01 am »
I am a Java/Kotlin software developer and, like some of the folks here, my hobby is electronics, mainly microcontroller stuff (PIC18, PIC24, PIC32) and PCBs. I also opened the firmware update file and successfully decompiled the APKs. I have some experience with Android development, so with that code and some effort you can compile your own modified APK and run it on the scope; I think everything is open in the scope to do that. Looking quickly at the code, I think Sparrow.apk is all the GUI stuff, which should be communicating with the FPGA. It is interesting to analyze the code because we can reverse engineer the communication between the APK and the FPGA so we can run custom apps on the scope.

In the screenshots, you can see some code to render the data on the screen. Another thing to notice is that Rigol did not bother to obfuscate the code.  :-DD

« Last Edit: September 26, 2023, 07:46:02 am by dreamcat4 »
 
The following users thanked this post: Serg65536

Offline souldevelop

  • Regular Contributor
  • *
  • Posts: 54
  • Country: cn
  • Serious and rigorous
Re: Hacking the Rigol DHO800/900 Scope
« Reply #82 on: September 26, 2023, 11:41:48 am »
I have tracked the entire process of reading HDCODE, and have confirmed that it reads information from the GPIO port.

OK, but what does it do with that number?

Have you carefully read the analysis content in front of this thread? HDCODE is a 4-bit binary code,
HDCODE 1000 = Hardware version is 8
HDCODE 1100 = Hardware version is 12.
You should be familiar with similar computer coding.

Yes, I know all that...

The question is what does it do with that number? People have turned their DHO800s into DHO900s with vendor.bin so the firmware doesn't appear to do much with HDCODE.

I analyzed their apk software using IDA and found that hdcode was indeed used, and this part of the call was made before the system was calibrated, so this can be explained by overriding the vendor.bin Upgrading the DHO800 to the DHO900 will have an offset zero potential and be very noisy. So it's also not clear to me why they don't get the model ID directly through the information inside the vendor.bin. :-//
Darkness before dawn.
 
The following users thanked this post: thm_w, Fungus, dreamcat4

Online Fungus

  • Super Contributor
  • ***
  • Posts: 16800
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #83 on: September 26, 2023, 12:52:04 pm »
I analyzed their apk software using IDA and found that hdcode was indeed used, and this part of the call was made before the system was calibrated, so this can be explained by overriding the vendor.bin Upgrading the DHO800 to the DHO900 will have an offset zero potential and be very noisy. So it's also not clear to me why they don't get the model ID directly through the information inside the vendor.bin. :-//

It might just be a legacy thing. Maybe they originally planned to use hardware to select the model then a boss changed it to use vendor.bin to save a few $$$ on the production line.
« Last Edit: September 26, 2023, 03:48:01 pm by Fungus »
 
The following users thanked this post: dreamcat4

Offline souldevelop

  • Regular Contributor
  • *
  • Posts: 54
  • Country: cn
  • Serious and rigorous
Re: Hacking the Rigol DHO800/900 Scope
« Reply #84 on: September 26, 2023, 01:01:33 pm »
 
Quote

It might just be a legacy thing. Maybe they originally planned to use hardware to select the model then a boss changed it vendor.bin to save a few $$$ on the production line.

Your guess fits the reality quite well.
« Last Edit: October 01, 2023, 04:59:54 am by souldevelop »
Darkness before dawn.
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3251
  • Country: pt
Re: Hacking the Rigol DHO800/900 Scope
« Reply #85 on: September 26, 2023, 01:55:56 pm »
AFAIK all of this vendor.bin, chip IDs, etc. started (in a more well thought way) with the MSO5000 and its bigger brothers.

What has been implemented in the HDO/DHO machines has some inheritance of those days but it's completely messed up, making hacks substantially easier to implement. On purpose or not, you choose.
 

Offline akkk44

  • Contributor
  • Posts: 29
  • Country: cn
Re: Hacking the Rigol DHO800/900 Scope
« Reply #86 on: October 01, 2023, 06:37:37 pm »


Some are reporting the waveform became fluffy after the hack.

edit: the person who reported this issue said he solved it by replacing the .hex calibration file from the backup. I didn't see this issue so can't confirm if it is true.
« Last Edit: October 07, 2023, 03:52:47 am by akkk44 »
 

Offline Dacian

  • Contributor
  • !
  • Posts: 40
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #87 on: October 01, 2023, 07:58:56 pm »

Yes, I know all that...

The question is what does it do with that number? People have turned their DHO800s into DHO900s with vendor.bin so the firmware doesn't appear to do much with HDCODE.

It is just the hardware version (likely they had an older version before release probably low run or prototype).
Mine is DHO804 and it is Hardware version 12

 

Offline souldevelop

  • Regular Contributor
  • *
  • Posts: 54
  • Country: cn
  • Serious and rigorous
Re: Hacking the Rigol DHO800/900 Scope
« Reply #88 on: October 02, 2023, 04:10:17 am »


Some are reporting the waveform became fluffy after the hack.
Is there a measurement picture to compare?
Darkness before dawn.
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 16800
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #89 on: October 02, 2023, 04:27:46 pm »
Some are reporting the waveform became fluffy after the hack.
Is there a measurement picture to compare?

Higher bandwidth = more fluff. That's just the way it is.
« Last Edit: October 02, 2023, 09:16:20 pm by Fungus »
 

Offline UK

  • Regular Contributor
  • *
  • Posts: 77
  • Country: ma
Re: Hacking the Rigol DHO800/900 Scope
« Reply #90 on: October 02, 2023, 07:13:44 pm »
Some are reporting the waveform became fluffy after the hack.
Is there a measurement picture to compare?

Higher bandwidth = more noise. That's just the way it is.
Exactly! I even read one thread on some forum where one guy strips several capacitors of the front-end circuit of its high-end scope to lower the bandwidth of BW mode on that channel to use it for the purpose of low noise studies when high bandwidth is not required.

That's why I thought that firmware from dho914s was more attractive because it could get all the features without quadrupling the bandwidth.

But anyway it would be interesting to see more head-to-head comparisons between 804 and 924s firmware to know the exact level of fluffiness.
 

Offline Serg65536

  • Regular Contributor
  • *
  • Posts: 133
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #91 on: October 02, 2023, 09:33:33 pm »
to know the exact level of fluffiness.
BW limit 100 MHz option should resolve the issue.
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 16800
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #92 on: October 03, 2023, 12:00:32 am »
to know the exact level of fluffiness.
BW limit 100 MHz option should resolve the issue.

I still think the HDO800 could do 125MHz with the right sort of hacking. That's the sweet spot for the sample rate.

(and a really fancy hack could switch 125MHz/250MHz depending on how many channels are enabled)

 

Online Martin72

  • Super Contributor
  • ***
  • Posts: 6083
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol DHO800/900 Scope
« Reply #93 on: October 03, 2023, 08:55:23 pm »
Quote
and a really fancy hack could switch 125MHz/250MHz depending on how many channels are enabled

This should normally be the job for Rigol, on the 900 models.
But I wouldn't be surprised if the users get it right first. ;)
Assuming that both models use the same hardware, I hope that the 800 can be brought up to the same bandwidth without having to pretend it's a 900.

Offline dreamcat4

  • Frequent Contributor
  • **
  • Posts: 495
  • Country: gb
Re: Hacking the Rigol DHO800/900 Scope
« Reply #94 on: October 03, 2023, 09:09:31 pm »
to then try the 800 and 900 probes, although there are 2 types of probes on 900 depending on the specific model?

would be cool to see on the lower freq x1 mode too. you know, how much difference is actually down to the included probes. at these price points. that's not to say cannot get 3rd party ones - kinda just bumps the price up which then makes into some pricing difference between 800 and 900 series. be it whatever if only +$100 for the probes themselves. but hacking l.a. header is so cheap, which would make to $200 worth of options (unless the 900 comes with external l.a. module, but i don't believe it does, does it?)
 

Offline Serg65536

  • Regular Contributor
  • *
  • Posts: 133
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #95 on: October 10, 2023, 04:20:33 pm »
edit: the person who reported this issue said he solved it by replacing the .hex calibration file from the backup. I didn't see this issue so can't confirm if it is true.
Could you please describe step by step the procedure? Where to get the DHO800_DHO900_Update.GEL from DHO924? Could the scope be hacked without warranty sticker  violation?
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 16800
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #96 on: October 11, 2023, 02:31:57 am »
Could the scope be hacked without warranty sticker  violation?

Yes. You can hack it with Android Debugger ("ADB") over the ethernet port.
 

Offline souldevelop

  • Regular Contributor
  • *
  • Posts: 54
  • Country: cn
  • Serious and rigorous
Re: Hacking the Rigol DHO800/900 Scope
« Reply #97 on: October 11, 2023, 11:29:34 am »
edit: the person who reported this issue said he solved it by replacing the .hex calibration file from the backup. I didn't see this issue so can't confirm if it is true.
Could you please describe step by step the procedure? Where to get the DHO800_DHO900_Update.GEL from DHO924? Could the scope be hacked without warranty sticker  violation?

Obviously, you didn't look closely at the tool software RIGOL_Tools_v1.0.2 .zip

https://www.eevblog.com/forum/testgear/hacking-the-rigol-dho800900-scope/msg5077960/#msg5077960

that I released a few pages before this thread. With it you don't need to disassemble the hardware and program the SD card, and you can freely upgrade to the latest firmware without having to worry about zero offset.
Darkness before dawn.
 
The following users thanked this post: Serg65536

Offline Serg65536

  • Regular Contributor
  • *
  • Posts: 133
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #98 on: October 11, 2023, 06:51:09 pm »
....and you can freely upgrade to the latest firmware without having to worry about zero offset.
I've found 1.14 (the latest firmware) SD card disc image only (the first message of this thread).
How do I install firmware V1.14 on my V1.00 scope without disassembly? Should I extract the ./rigol folder and replace it on the scope through adb push? Or should I extract the DHO800_DHO900_Update.GEL file, push it to the scope, and install with appropriate script? :-//  :-BROKE
 

Offline akkk44

  • Contributor
  • Posts: 29
  • Country: cn
Re: Hacking the Rigol DHO800/900 Scope
« Reply #99 on: October 12, 2023, 02:57:24 am »
edit: the person who reported this issue said he solved it by replacing the .hex calibration file from the backup. I didn't see this issue so can't confirm if it is true.
Could you please describe step by step the procedure? Where to get the DHO800_DHO900_Update.GEL from DHO924? Could the scope be hacked without warranty sticker  violation?

Updated: Please check here first: https://www.eevblog.com/forum/testgear/hacking-the-rigol-dho800900-scope/msg5130924#msg5130924

Sure.

1. Make a full backup of your oscilloscope
This was done by taking the oscilloscope apart and extracting its SD card to make a full disk image.
Alternatively, you can make a backup using ADB to transfer all the files to your PC, I think it can achieve the same goal. (The rigoltool provided by @souldevelop also relies on ADB, see #31)

2. Roll back the firmware version from 01.00 to 01.14. (Note that 01.14 did have an earlier compile date although it has a larger number.)
This was previously done by overwriting the SD card with the disk image containing firmware version 01.14 provided by @hubertyoung. (See #0)
Alternatively, I think replacing all the files on the SD card with ADB commands can achieve the same goal. (Just replacing the critical files may be enough but I have no idea which file is affecting the firmware number.)

3. Reboot and check if the firmware version has been successfully rolled back. If not, disconnect the power and try again.

4. Write the new identity of the oscilloscope using the rigoltool. Reboot and your oscilloscope has been hacked.

5. Calibrate your oscilloscope. Several people are reporting strange issues after hacking. For most of the time, calibration can solve the issue.
In my case, I do a full calibration manually. In the "settings" menu, tap on the "about" tab several times to activate factory mode. Turn to the calibration tab and do a full calibration. Some report that they can do the full calibration with no issue. In my case, I have to uncheck the "ADC phase" to complete the calibration.
Alternatively, some replace the cal_xxx.hex file from the backup (Step 1) and claim that this can also get the job done. (See #86)
« Last Edit: October 24, 2023, 07:13:05 am by akkk44 »
 
The following users thanked this post: Mechatrommer, Serg65536, artik

