Hacking the Rigol MHO900 Scope

[Dagger]

Hi. I saw that Rigol released a new firmware for the MHO900 (v00.01.00.00.25)
Is it possible to have the hack along with the new version by replacing the firmware files in the "files_v0.1.2\firmware_00_01_00_00_24_mod_v0.1.2" folder and using the posix script intallation or should we wait for the next release of the hack?

Thanks a lot for your work!

Hi. I noticed their release, which was a surprise (updates are extremely rare). I have already downloaded it to make a review. After comparing changes I will need to decide either to merge changes or to make everything almost from scratch.

As for now, Im maintaining three mods and my current work is with DHO800/900, which already took much longer than I expected. It's based on the same code (also similar hardware) and good thing is I can do same fixes and improvements for other two series.

Making mentioned review and merging changes or making it almost from scratch will take at least one-two weeks.

Before that, I have plan to release quick update with changed AFE bandwidth binary flags, based on my findings from a reverse engineering - mainly this will allow to have more than 1 GHz bandwidth (around 1.4 GHz - 1.5 GHz).

Thanks a lot, glad that the improvements on DHO can be brought to the MHO. I will subscribe to your buymeacoffee for your motivation
Your work is truly appreciated!

[dka]

I cannot trust myself with manually looking for strings in memory dumps, so I made a simple script that uses instructions by gsobol to auto-activate oscilloscope over the network.

The script

• Enumerates all VISA-accessible instruments on the network
• Selects IP addresses of those that respond with MHO9... for *IDN? SCPI command
• Retrieves encrypted key file
• Identifies PID of the process and corresponding memory ranges
• Looks for memory blocks that contain both encrypted key and 130-symbol null-terminated ascii string (by default memory blocks larger than 16M are discarded; use --use-large-blocks if all blocks should be processed)
• Generates license strings for options
• Supplies those licenses via SCPI; use --print-only to skip sending commands

My MHO954 got all upgrades in 20 seconds with no user intervention or manual operations required; just an ethernet connection.

This script incorporates knowledge from the following posts (and would not be possible without them):

• https://www.eevblog.com/forum/testgear/hacking-the-rigol-mho900-scope/msg6119683/#msg6119683 - idea with scanning memory for a memory block containing both encrypted and decrypted keys
• https://www.eevblog.com/forum/testgear/hacking-the-rigol-dho800900-scope/msg5148330/#msg5148330 - instructions on license generation from the key

In order to run it one needs python packages adbutils, pyvisa-py and pycryptodome; adbutils requires adb to be installed.

Edit (2026-01-22): added BWU03T08 and BWU03T05 into the list of default options.

[Lunasix]

Thanks ! I just received my new MHO954 few days ago and I will try this script. I had no time to apply what was described in other posts and buying the mod version was another solution but not just before a new release.

[rnelectro]

Hello dka

Many thanks for the python script.

Another happy upgrade of the MHO934 to the 800MHz version, with the 100MHz generator and the rest of the functions.

Regards

[superkent]

Hello dka

Many thanks for the python script.
I have upgraded my MHO934, but without bandwidth options. I received error message on Rigol screen.
Maybe the version of software is too old? Or it is not capability with MHO934?

[superkent]

Hello dka

Many thanks for the python script.

Another happy upgrade of the MHO934 to the 800MHz version, with the 100MHz generator and the rest of the functions.

Regards

Hi, Could you please share About screen from settings? I have issue with bandwidth upgrade.
Maybe it is firmware issue, as we have for DHO804 before? Because DHO804 have upgrade issue at 1.00 fw.
Maybe here the same issue.

[rnelectro]

Hello,

This isn't a firmware or Python script error. The script is simply configured for the MHO954 by default, and you need to manually add variables to enable the upgrade for the MHO934.

You need to add another variable to this line (see picture) of code (increases the bandwidth to 500MHz -> BWU03T05):

default=["AUTOA", "FlexA", "AUDIOA", "AEROA", "RLU05", "AFG100", "BWU03T05"],


Here is the full list of options mentioned earlier by someone on this forum:

BND CAN-FD serial bus decoding analysis option
Flexray bus trigger and decoding analysis option
Audio serial bus 12S trigger and decoding analysis option
MIL-STD-1553 bus trigger and decoding analysis option
Built-in dual-channel 100MHz function generator (and Bode) option

EMBD Embedded serial bus trigger and analysis

COM Computer serial trigger and analysis (RS232/UART)

AUTO Auto serial bus trigger and analysis

AUTOA ​​CAN-FD serial bus decoding analysis option

FlexA Flexray bus trigger and decoding analysis option

AUDIOA Audio serial bus 12S trigger and decoding analysis option

AEROA MIL-STD-1553 bus trigger and decoding analysis option

RLU05 500Mpts storage depth option

AFG50 Built-in dual-channel 50MHz function generator(and Bode) option

AFG100 Built-in dual-channel 100MHz function generator(and Bode) option

BWU03T05 350MHz to 500MHz bandwidth upgrade option

BWU03T08 350MHz to 800MHz bandwidth upgrade option

BWU05T08 500MHz to 800MHz bandwidth upgrade option

[tv84]

He needs BWU03T08 instead of BWU03T05.

[rnelectro]

He needs BWU03T08 instead of BWU03T05.

Hi,
This is just an example, as there are other options to enable, such as EMBD or COM. The script can be run multiple times with different options.

[Lunasix]

Many thanks, all worked fine after some struggle with python !
And after that the scope had been updated with the last version (build 26/12/2025).
Quick test with signal over 900MHz, all is ok.

[dka]

You need to add another variable to this line (see picture) of code (increases the bandwidth to 500MHz -> BWU03T05):

Technically, there is no need to modify script, one can supply list of options on the command line via mho9x4_auto_enhance.py --options FOO BAR to activate options FOO and BAR.

Here is the full list of options mentioned earlier by someone on this forum:

BND, EMBD, COM, AUTO,  AUTOA, FlexA, AUDIOA, AEROA, RLU05, AFG50, AFG100, BWU03T05, BWU03T08, BWU05T08

I believe BND, EMBD, COM AUTO are not valid license options in the case of MHO9xx-series.

BND is a bundle of options (AFG100, AUDIOA, AUTOA, FlexA, AEROA) sold at discount.
I expect that the distributor sends you a separate key for each of those options, but I am too broke to check it.

While the scope does not report any status of license key being accepted or not over SCPI, you can check if corresponding .lic file was created in /rigol/data.

Rigol distributors sell AUTOA, FlexA, AUDIOA, AEROA, RLU05, AFG50, AFG100, BWU03T05, BWU03T08, BWU05T08.
AFG100 implies AFG50 (and if you activate AFG100 first - you can notice that 50MHz options vanishes from the status window)
I don't have the 350Mhz (native) scope, but I believe that BWU03T08 is equivalent to BWU03T05 + BWU05T08.

[rnelectro]

Hello,

I checked the activation of the EMBD and COM options, and they activated normally (Forever license).

However, there seem to be new options in the trigger menu. If you haven't enabled it yet, compare the trigger window with the one I've attached in the photo.

[dka]

However, there seem to be new options in the trigger menu. If you haven't enabled it yet, compare the trigger window with the one I've attached in the photo.

Triggering on I2C and RS232 are standard features for mho934/954/984 according to the manufacturer's datasheet.
Are you sure they were not there before but just order of the buttons changed due to addition of flexray, i2s, etc?

Triggering on I2S is a part of the option AUDIOA, FlexRay - FlexA,  MIL-STD-1553B - AEROA.
AUTOA updates CAN decoding from CAN 2.0 to CAN-FD.

[superkent]

Thanks for helping. I have used next command and all work fine. All options are upgraded.
./mho9x4_auto_enhance.py --device-id MHO9 --scpi-prefix :SYST:OPT:INST --options BND EMBD COMP AUTO AUTOA FlexA AUDIOA AEROA RLU05 AFG50 AFG100 BWU03T05 BWU03T08 BWU05T0

[Hydron]

Man that's a killer first post!

Don't need the unlocks with the MHO98, but thanks dka for contributing the python code.

[rteodor]

Don't need the unlocks with the MHO98, but thanks dka for contributing the python code.

Apart from more buttons and mate screen its the first scope for what I do not need anything more from what comes out of the box. In fact, I would need less. Less bugs that is.

[KeBeNe]

Hi,

Has anyone already determined the -3dB point for the extended version and compared it with MHO98?

[tdavid]

Dumb question here.
What would be the way to revert to the original firmware in case of waranty claim is needed?
Regards

[LesWright]

Curious Observations:

I have a MHO954 upgraded to >800MHz thanks to this thread. I applied the new Rigol firmware MHO900 (v00.01.00.00.25) (but not before making a backup image  )

Before the update, risetime was measured at 375.02ps (~923MHz BW), but after the update 425.00ps (~823MHz BW). I am not sure is this is a AFE flag that has been "fixed"  in the update.

Speaking of images, just for amusement, I wrote Dave's image downloaded from Norbert's server, to an SD card, and when the scope boots off of this, it thinks its a MHO934, with a corresponding 350MHz bandwidth. It evidently knows it is in the wrong scope.

[Martin72]

Before the update, risetime was measured at 375.02ps (~923MHz BW), but after the update 425.00ps (~823MHz BW).

I was afraid that Rigol would react to the fact that the MHO984 has over 1 GHz bandwidth and is therefore almost on par with the MHO98.

Btw, For a rough conversion using the Risetime, the factor 0.45 is closer to the “truth” than 0.35:
https://www.eevblog.com/forum/testgear/rigol-mho98-and-mho900-oscilloscope-series/msg6080453/#msg6080453

[SiliconWizard]

Yes they most likely have changed AFE settings so that people will now notice a difference of bandwidth with the MHO98, but also with their other 1 GHz scopes.

Other than that, there is no difference at all in hardware between all MHO9xx models, so only the firmware determines the features and bandwidth.

Both the upgrades (via Norbert's changes) and downgrades (using a firmware made for a lower-range model) show that the firmware absolutely doesn't check anything about the hardware platform itself and that they probably haven't bothered even storing a hardware identification in EEPROM or some such. This way they have maximum flexibility in production and can decide nearly in "real-time" the number of scopes to produce for each version, knowing that the only thing different is the microSD card and the front panel.