Hacking the Rigol DHO800/900 Scope

[S2084]

I have 924S, later I will do some photosmodules

@norbert.kiszka I still dare to remind you.....

As for now I never removed heatsink. I was going to modify one channel, but I didnt. Also I cant find thermopads - Im not sure if I can reuse existing ones after heatisnk removal (maybe clean them with isopropyl?).

Anyway, I just did two photos just above heatsink. If You need something more (right now without removing heatsink), just give me a sign.

If You going to change only HW number, then read my previous posts about it, because You can change it in "soft" way, without changing resistors or decompiling anything.

Yes, I would like to see a photo of the back of the board.  Thank you...... By the way, it is not necessary to remove the radiator for this.... Your method is good, but when updating the firmware it needs to be repeated... I would like to permanently change the HW configuration.... configuration resistors are located on the reverse side  boards.... Thanks again!!!

[norbert.kiszka]

After some sdcard edits, got my scope back.

I believe this older droid uses sdcardfs on android_meta and android_expand partitions. sdcardfs apparently is a layer that does not use block addressing.
From what I know of and read about sdcardfs, ext4 is the underlying filesystem. Yep, android is as goofy as they come.

Good to hear that. Make some backup of working sd card image (at least in two places) and when You will need to do some write test on image, then dont forget to make another copy for that.

Speaking of ext4 - that is great file system, probably best one in world. Long time ago I was using ext3 and after I decided to use brand new ext4 it was crazy fast, especially with fsck (seconds instead of hours). Some people can say ReiserFS is better, but its not longer developed, because currently Hans Reiser is in jail.

Yes, I would like to see a photo of the back of the board.  Thank you...... By the way, it is not necessary to remove the radiator for this.... Your method is good, but when updating the firmware it needs to be repeated... I would like to permanently change the HW configuration.... configuration resistors are located on the reverse side  boards.... Thanks again!!!

Damn... After upgrading by GEL file, its just two lines of code - how often You do updates?

Currently Im working on some software changes, and right now probably I have some "small" breakthrough.

[Randy222]

Scope cpu temp. for stock fan configurations only.
In Utility , in the self-check board test, what do your ambient and cpu temps say?

Some many posts back I mentioned I added thermal paste between the heatsink pads, trying to ascertain any benefits.

My 804 scope has been on for about 1hr, it's doing no work (all channels are off) temps are
cpu_chip 52.7
cpu_amb 48.7
room amb is 23.5

[shapirus]

Scope cpu temp. for stock fan configurations only.
In Utility , in the self-check board test, what do your ambient and cpu temps say?

Some many posts back I mentioned I added thermal paste between the heatsink pads, trying to ascertain any benefits.

My scope has been on for about 1hr, it's doing no work (all channels are off) temps are
cpu_chip 52.7
cpu_amb 48.7
room amb is 23.5

Mine had ~56/52 respectively at ~21-22 room ambient.

[Fungus]

Is the bandwidth and memory hack stable enough that there's no point spending the extra on the DHO814 instead of the DHO804?

Yes.

I think we're overdue for a separate "how to unlock a DHO804" thread now. This one has devolved into Android hacking.

[Randy222]

If You going to change only HW number, then read my previous posts about it, because You can change it in "soft" way, without changing resistors or decompiling anything.

I have some questions about this.

If they can do it via shoving some data into gpio char device, then why use resistors at all?

If my 804 runs as a 924 vendor.bin, what does the scope gain by changing the HW type number? Does HW type number just unlock features without need for a lic file?

[Randy222]

Is the bandwidth and memory hack stable enough that there's no point spending the extra on the DHO814 instead of the DHO804?

Yes.

I think we're overdue for a separate "how to unlock a DHO804" thread now. This one has devolved into Android hacking.

The scope is an android, there's really no way to de-couple the two. A hack of droid is a hack of the scope device, a hack of the scope device is a hack of the droid.

[norbert.kiszka]

If You going to change only HW number, then read my previous posts about it, because You can change it in "soft" way, without changing resistors or decompiling anything.

I have some questions about this.

If they can do it via shoving some data into gpio char device, then why use resistors at all?

If my 804 runs as a 924 vendor.bin, what does the scope gain by changing the HW type number? Does HW type number just unlock features without need for a lic file?

App reads file /dev/hdcode_gpio many times (according to strace output) and also its being read by one script in DHO1000 and DHO4000 models. I tried to make DHO804 from DHO924S by changing this byte, but it doesnt change anything - maybe its used only if model in vendor.bin is DHO800.

In my scope I can even change this to 255 without any result in app, beside this number in "about".

[Fungus]

I think we're overdue for a separate "how to unlock a DHO804" thread now. This one has devolved into Android hacking.

The scope is an android, there's really no way to de-couple the two. A hack of droid is a hack of the scope device, a hack of the scope device is a hack of the droid.

Yes, but most people are only interested in getting more bandwidth and 50M memory on thier 804.

Finding the info in this thread isn't easy...

[AceyTech]

BTW. FPGA Image from DHO1000 works, however after reflashing I see no changes - not at all. BTW2. PLL is driven by a kernel module.

The DHO1000 has a completely different FPGA (Artix) and its firmware (configuration) cannot work on the FPGA in the DHO800/900 (Zync). There are no changes, probably because foreign firmware is not accepted by this FPGA and its native firmware is loaded into it.

I don't think he is ready to accept the architectural differences between the 2 platforms/FPGAs.    Kudos to you for trying to help.

[Randy222]

If You going to change only HW number, then read my previous posts about it, because You can change it in "soft" way, without changing resistors or decompiling anything.

I have some questions about this.

If they can do it via shoving some data into gpio char device, then why use resistors at all?

If my 804 runs as a 924 vendor.bin, what does the scope gain by changing the HW type number? Does HW type number just unlock features without need for a lic file?

App reads file /dev/hdcode_gpio many times (according to strace output) and also its being read by one script in DHO1000 and DHO4000 models. I tried to make DHO804 from DHO924S by changing this byte, but it doesnt change anything - maybe its used only if model in vendor.bin is DHO800.

In my scope I can even change this to 255 without any result in app, beside this number in "about".

I suspect it only changes default options/features. Example, all the 900's are 50M already. My guess is, a HW number in the 900 series simply allows 50M without any lic, etc.

If the HW number of a 924 provides 50M depth to any 800, then would we 800 folks even need the lic hack?

[AceyTech]

I have some questions about this.

If they can do it via shoving some data into gpio char device, then why use resistors at all?

If my 804 runs as a 924 vendor.bin, what does the scope gain by changing the HW type number? Does HW type number just unlock features without need for a lic file?

We don't know for sure that the app isn't periodically looking at the config bits on those GPIO lines as a sanity/authenticity check.  The effort to disable the checking might be a good idea in the long run, but it sure seems a good idea to change those hardware bits on a 802 to make a 804 upgrade so you could potentially use the 4th AFE as a 3rd channel.,(on the cheap)

[norbert.kiszka]

If You going to change only HW number, then read my previous posts about it, because You can change it in "soft" way, without changing resistors or decompiling anything.

I have some questions about this.

If they can do it via shoving some data into gpio char device, then why use resistors at all?

If my 804 runs as a 924 vendor.bin, what does the scope gain by changing the HW type number? Does HW type number just unlock features without need for a lic file?

App reads file /dev/hdcode_gpio many times (according to strace output) and also its being read by one script in DHO1000 and DHO4000 models. I tried to make DHO804 from DHO924S by changing this byte, but it doesnt change anything - maybe its used only if model in vendor.bin is DHO800.

In my scope I can even change this to 255 without any result in app, beside this number in "about".

I suspect it only changes default options/features. Example, all the 900's are 50M already. My guess is, a HW number in the 900 series simply allows 50M without any lic, etc.

If the HW number of a 924 provides 50M depth to any 800, then would we 800 folks even need the lic hack?

I tested with HW 12 and I still have 50M depth.

[AceyTech]

Greetings.  I did a quick mod to my scope to make the SDCard easier to access.


The cool thing is, you could do this to YOUR scope without peeling your Warranty sticker, if you just need to back up your card or try different cards..  Is there any language in the warranty statement that prohibits a plastic alteration?   

If anyone cares, I can post step by step pix and instructions how to do it.

[Randy222]

My suspect idea is probably good.

https://www.eevblog.com/forum/testgear/hacking-the-rigol-dho800900-scope/msg5078275/#msg5078275

All the 9's are same HW #, they are all 4ch 50M. The only diff is bandwidth.
The 800's have two HW numbers, because 800's are 2ch and 4ch models with different bandwidth.

This leads me to believe HW number is mem depth only setting as default, and then lics for 800's.
We can't apply a lic to a 900 for more mem depth, they are all 50M already.

I can test by removing my 804 mem lic and changing HW # from 12 to 8.

[ebastler]

The scope is an android, there's really no way to de-couple the two. A hack of droid is a hack of the scope device, a hack of the scope device is a hack of the droid.

I beg to differ. The working hacks which unlock new functionality do that on the application level, by using existing configuration options (option keys or vendor.bin). No software disassembly required, and nothing to do with Android.

On the other hand, the Android exploration has not really produced working hacks beyond some nice cosmetic improvements. Frankly I am not sure what the expectations are for the "Android hacking". What do you expect to gain from it? (Beyond satisfying technical curiosity, which is a perfectly valid reason of course.)

For the DHO1000, I could understand the desire to unlock the built-in 50 Ohm terminators and 400 or 800 MHz bandwidth, which the Rigol firmware for that series does not support at all. But in the DHO800/900 there is no such unused hardware. So what is the end game here?

[Randy222]

Greetings.  I did a quick mod to my scope to make the SDCard easier to access.
(Attachment Link)

The cool thing is, you could do this to YOUR scope without peeling your Warranty sticker, if you just need to back up your card or try different cards..  Is there any language in the warranty statement that prohibits a plastic alteration?   

If anyone cares, I can post step by step pix and instructions how to do it.

Funny, I was thinking about same today. I have sdcard ribbon extensions. They also make pcb extensions M-F too.

[Randy222]

The scope is an android, there's really no way to de-couple the two. A hack of droid is a hack of the scope device, a hack of the scope device is a hack of the droid.

I beg to differ. The working hacks which unlock new functionality do that on the application level, by using existing configuration options (option keys or vendor.bin). No software disassembly required, and nothing to do with Android.

On the other hand, the Android exploration has not really produced working hacks beyond some nice cosmetic improvements. Frankly I am not sure what the expectations are for the "Android hacking". What do you expect to gain from it? (Beyond satisfying technical curiosity, which is a perfectly valid reason of course.)

For the DHO1000, I could understand the desire to unlock the built-in 50 Ohm terminators and 400 or 800 MHz bandwidth, which the Rigol firmware for that series does not support at all. But in the DHO800/900 there is no such unused hardware. So what is the end game here?

Mod apk that needs to save images with quick button, needs a droid hack to allow it.

[norbert.kiszka]

For the DHO1000, I could understand the desire to unlock the built-in 50 Ohm terminators and 400 or 800 MHz bandwidth, which the Rigol firmware for that series does not support at all.

It is in the app but its locked somehow. If I had DHO1000 then I will try to hack it - maybe someone already did it.

[AceyTech]

The scope is an android, there's really no way to de-couple the two. A hack of droid is a hack of the scope device, a hack of the scope device is a hack of the droid.

I beg to differ. The working hacks which unlock new functionality do that on the application level, by using existing configuration options (option keys or vendor.bin). No software disassembly required, and nothing to do with Android.

I think his comment was in direct response to Fungus, "suggesting to fork the thread".  --at least that's how I read it.

I think we're overdue for a separate "how to unlock a DHO804" thread now. This one has devolved into Android hacking.

The scope is an android, there's really no way to de-couple the two. A hack of droid is a hack of the scope device, a hack of the scope device is a hack of the droid.

Yes, but most people are only interested in getting more bandwidth and 50M memory on thier 804.

Finding the info in this thread isn't easy...

[norbert.kiszka]

Mod apk that needs to save images with quick button, needs a droid hack to allow it.

Unless You will use print screen on usb keyboard or use Linux/GNU installed on this scope (which I personally did).

[ebastler]

For the DHO1000, I could understand the desire to unlock the built-in 50 Ohm terminators and 400 or 800 MHz bandwidth, which the Rigol firmware for that series does not support at all.

It is in the app but its locked somehow. If I had DHO1000 then I will try to hack it - maybe someone already did it.

Yes, there was decent progress in the DHO1000 hacking thread. The code seems to be there, but in conditional clauses which skip it on the DHO1000 models. But there were some stumbling blocks -- maybe due to the fact that the code fragments were "abandoned" long ago and no longer fully functional. I am not aware of a fully working DHO1000 hack which gives it the missing hardware features.

[Mechatrommer]

Yes, I would like to see a photo of the back of the board.  Thank you...... By the way, it is not necessary to remove the radiator for this.... Your method is good, but when updating the firmware it needs to be repeated... I would like to permanently change the HW configuration.... configuration resistors are located on the reverse side  boards.... Thanks again!!!

Damn... After upgrading by GEL file, its just two lines of code - how often You do updates?
Currently Im working on some software changes, and right now probably I have some "small" breakthrough.

i thought you could change HW version by just modding SW... souldevelop hinted us months ago its all about hooking or something hdcode_gpio. if its just a call to those plugin/module then my thinking it shouldnt be that hard to modify that module and push back to dso. but i guess its not as simple as 3 words? (linux is file)? if its Windows, maybe i guess i can start from what i already know, i imagine its something like DLL or drv? i have free ed IDA, so i can open a little bit exe or dll, but since its Linux/android i'm pretty much zero about how things work in those system. maybe later if it turns out config resistor is nowhere to be found in HW, maybe i'll start learning whats all those syntaxes in start_rigol_app.sh and what bits and pieces inside hdcode_gpio dot io or dot apk whatever.

[AceyTech]

Funny, I was thinking about same today. I have sdcard ribbon extensions. They also make pcb extensions M-F too.

Thanks!  Yeah., I have one of those.  Problem: If you don't cut the slot, the extension doesn't fit, and you can't put the case back together.  BTW: the M-F extension I bought has a flared PCB where it attached to the ribbon cable, and will need a wider slot to work.

[Mechatrommer]

If my 804 runs as a 924 vendor.bin, what does the scope gain by changing the HW type number? Does HW type number just unlock features without need for a lic file?

you need to step few posts/pages back to see why. if you cant find it, trace my posts... my hacked 804->924 cannot do digital trigger while legit 924 can... on a very same FW version. if you can make my dho804 (hacked to 924S) to report HW 8 (instead of 12) in the About Menu, i will be thankful