Hantek - Tekway - DSO hack - get 200MHz bw for free

[littlebilly]

 :)Hello everybody this is my first post on this forum.
Due to the recommendations here I bought a Hantek DSO5102B from Elec3i a few days ago;
I got it today.
model; DSO5102B
sw version; 2.06.03 (110531.1)
hw version; 10070x555583e8
serial; T1G/005 xxxxxx
Firstly I made a fw backup with the fw3dump tool   file dst1kb_9.99.9_cli(200101.0).up
Secondly I did the 200MHZ Hack via usb Stick with dst1kb_9.99.9_cli_111111.0.up
This was done within ~5 minutes
Now my Systemparameters shows!!!
model; DSO5202B      ? Hack well done
sw version; 2.06.03 (110531.1)
hw version; 10070x555583e8
serial; T1G/005 xxxxxx
Now my question? Which software upgrade would you recommend?
Thanks a lot for your help.

[tinhead]

Thank you very much Tinhead for responding to my post.

...yes, i have 111124.0  and 111202.0. If you don't mind make a backup of the 111122.0 and send me PM
with download link (I'm collecting versions to track changes)...

Sorry I don't know how to do that. Is there an easy way to do it without opening the case or needing to solder to the PCB and get a USB/uart?

i have send you PM with description how to make backup

My workshop PC runs Win98 and needs the older support for parallel ports etc that only Win98 can provide. I also have some high speed Dos software which needs Win98.

yeah, parallel port ... i'm using since years HP nw8440 in my office which supports parallel port over dockng station

Now my question? Which software upgrade would you recommend?
Thanks a lot for your help.

you can try each of them i posted here above because you can always run another firmware update
just over the installed firmware.

[Kampfwurst]

Hello

One Question.
I use TTScope but is there a other Software available ?? The TTScope is not user-friendly ;_)

[flatv]

Hi all,
This is my first post here. I skimmed this tread with 68 (!) pages and I can find it very interesting.
My intention is to buy a Hantek DSO5062B (60Mhz), and modify it to 200 Mhz. It is not very clear for me if this thing is possible. I've seeing the mod for Hantek at 100 Mhz, but not for this one. It can be done, can I use the same way?
Owon 25Mhz can be modded? Can somebody share his experience?
Thanks

[possejdawg]

Hi all,
This is my first post here. I skimmed this tread with 68 (!) pages and I can find it very interesting.

Me too!

My intention is to buy a Hantek DSO5062B (60Mhz), I've seeing the mod for Hantek at 100 Mhz, but not for this one. It can be done, can I use the same way?

Based one of the posts in the middle, Hardware in the 60mhz = 100mhz = 200mhz (almost). All can be updated through TTL level UART connection in the same manner. (Instructions in first post). The input stage has a few resistor and compensation differences for the various units, so the 60mhz model only gets up to around 185mhz bandwidth.
However, changing these hardware components will effect the calibration of the unit. And you will then need to recalibrate the unit (Link in the 1st post)

Owon 25Mhz can be modded? Can somebody share his experience?

Probably should be in a different thread (not to be a dick, but...your at page 68, no one else that is interested and looking would ever find it)... This one is pretty full of Hantekway questions anyways.


Note: 'latest' firmware links on the first post could be updated, whenever is convenient.

I just ordered the 100Mhz version recently over the comparative (and slightly cheaper) Rigol DS1102E based on it running linux and being able to update / improve the hardware to do more than advertised. However, I don't think I'll molest open it right away to get to the UART until it's a ways into the warranty (or the SDK is released and labview connectivity is closer to reality), whichever comes first...

Thanks to all the positive contributors in these forums for sharing your knowledge and experience in regard to this equipment!

[tinhead]

Note: 'latest' firmware links on the first post could be updated, whenever is convenient.

yeah, good point. Did it now.

I just ordered the 100Mhz version recently over the comparative (and slightly cheaper) Rigol DS1102E based on it running linux and being able to update / improve the hardware to do more than advertised. However, I don't think I'll molest open it right away to get to the UART until it's a ways into the warranty (or the SDK is released and labview connectivity is closer to reality), whichever comes first...

well, there are actually 3 ways to hack the DSO:
- over UART or JTAG dump(hack and restore) - where both req. to open the unit. Warranty, ehm, i think
  as EE is allowed to replace broken fuse ?!

- over USB as firmware update - i principle you can use on of the USB hack which i posted before, add in the root file
  named "special" and  the model will be not checked (like e.g. the latest firmware which is model independant because
  it is using the "special" file).  All such hack file (well firmware update file) have to do is to mv /dst1102b /dst1202b
  in your case. The logo will remain the same, but 200MHz features will get enabled after reboot.

- over USB as hidden PC<-> DSO communication functionality : hack itself is currently not tested, but it should work.
 The firmware as you know is allowing to communicate with PC, the protocol is simple (just look the fw disassembly)

 # each stabdard message begins with 0x53 (ASCII 'S') - you can find all about in "DoNormalProtocol" and subprocedures
 # each debug (hidden protocol) message begins with 0x43 (ACSII 'C') - you can find all about in "DoDebugProtocol" and subprocedures
 # messages are frmated as following (example run/stop key)


PC -> Osc:  53 0400 13 1301 7e

   0x53:  standard message identifier
   0x0400:  length of the message 0004 (Little-Endian) - that's total length - 3
   0x13:   type of the message (here keyboard use)
   0x1301: keycode 0x113 (Run/Stop key) (Little-Endian)
   0x7e:   Checksum

Checksum is very simple, just add all bytes together (starting from 0x53 and ending before checksum byte),
the LSB byte is the checksum

The hack itself could be probably done over debug kind of message, like (here for converting 100MHz model to 200MHz)
43 18 00 11 6D 76 20 2F 64 73 74 31 31 30 32 62 20 2F 64 73 74 31 32 30 32 62 D0

which is

0x43 start debug protocol
0x1800 length
0x11 start "PcUartRemoteCtrl" procedure (which is pasting the line below and executing on shell)
0x 6D 76 20 2F 64 73 74 31 31 30 32 62 20 2F 64 73 74 31 32 30 32 62 - that's just mv /dst1102b /dst1202b
0xD0 - checksum

As said above, this hack is not yet tested. The communication with DSO itself works
(as tested by someone else - look here http://www.mikrocontroller.net/topic/205820?page=3#2358106 )
the 0x43 debug things are just "last" findings (well, i didn't found time in last 3 months to check them ...)

This protocol seems to be still valid even for latest Hantek/Tekway models, so i think it is worth to check
it in detail. Sure, SDK will be available in Januar (that's the latest bad news ...) but i doubt that HanTekway
will say us anything about the debug protocol.

EDIT: i just coded few lines in VB and can confirm that this hack works, the console showed to me

rec shell code=mv /dst1102b /dst1202b...ok
<PcUartSendBuf> len = 0..
send shell msg ok..filesize=0..sum=0


and indeed the file /dst1102b has been renamed to /dst1202b (and of course after reboot DSO is acting as 200MHz model).

The code i tested is for LAN-enabled DSO, but the USB and LAN protocol are exact the same, so someone here can maybe
code it to work over USB? (guys, pls don't let me do the work alone ...)

Code: [Select]

Dim HackBytes As [Byte]() = {&H43, &H18, &H0, &H11, &H6D, &H76, &H20, &H2F, &H64, &H73, &H74, &H31,
&H31, &H30, &H32, &H62, &H20, &H2F, &H64, &H73, &H74, &H31, &H32, &H30, &H32, &H62, &HD0}

DSOIP = IPAddress.Parse("1.2.3.4")
DSOPORT = "9966"
udpClient.Connect(DSOIP , DSOPORT )
udpClient.Send(HackBytes , HackBytes.Length)


[patz]

Hi,

I've developed a small application that enables 200 MHz mode using the debug protocol command over USB. It seems to work fine. With the application, you can turn the scope into the 200 MHz version over USB without opening the case or soldering. Currently it works on linux only (as it uses libusb), but if someone is interested, I could create a windows version and upload it here.

Patrick

[clonecrp]

D I N O M I T E   !

When will you have a Windows XP/etc version available.

Shure would like a copy !

Please advise...

Thanks & Happy New Year !

Doug

[patz]

It should be ready by tomorrow evening if the windows USB api is working as expected.

[tinhead]

It should be ready by tomorrow evening if the windows USB api is working as expected.

nice .. but take your time. I recognized today that some of the firmware i have (actually full backups of other ppl DSOs)
have different endpoints that, so EPIN might be $81, $82 or $83 and EPOUT $1, $2 or $3 - and that's in few combinations.

So it would make sense to not use numbers but to scan first descriptors for endpoints numbers/address.

Maybe is a good idea to echo the model number/name into logotype and logotype.dis additionally to the
hack via mv dstxxx. That would make it perfect, a list with "target models", mv /whatevermodel /targetmodel
and echo manufacturer and/or manufacturer_model into ogotype/logotype.dis

Btw, libusb on Windows, it works fine with filter driver only but of course you need to call once

Code: [Select]

usb_set_configuration(handle,1)
usb_claim_interface(handle,0)
before you do usb_bulk_write.

[patz]

Hi,

I'm planning to communicate through the official Hantekway Windows driver, so endpoints etc should not be a problem!

libusb on Windows works, but I do not want my application to need a seperate driver to be installed.

I'd like to do the logotype tweaks too, but I read somewhere that not every firmware contains every boot logo. Also, I don't have a list of all model identifiers etc., so for now the app will just do the mv command and reboot the scope. Maybe I'll post the source code so that guys with more Hantekway experience can extend it.

With the USB protocol known, it would be a nice idea to develop an own TTscope replacement using Qt or another cross platform GUI framework. It would be awesome to use the scope with Mac and Linux machines.

[patz]

Hi,

it works! Communication is done through the official USB driver.

I attached the first version as EXE file. Use at your own risk!



Some feedback if it is working would be nice. Tested with Hantek DSO5102B.

[tinhead]

i have tested it with 4 different root fs / firmware versions (DSO5xxxB, DST1xxxB scopes) and it works so
far good (of course as long the scope is dst1102b).

The reboot is working too, however ppl need to know that during reboot (when the USB cable still connected) the
SoC will recognize itself as unknown device (actualy not unknown, but the boot loader is enumerating USB too)
So this means USB cable need to be reconnected after reboot.


It does work partialy on DSO1xxxB/S handhelds too, they have dirrenet root fs/kernel (2.6.30.4)
and the firmware is for some reason not handling properly something ( i guess the successful msg).
This means the second command will be not executed anymore. Sure these Hantek handhelds
are not part of this thread but as they based on what will be on the bench BM/BMV scopes (they will get new root fs/kernel/drivers)
it might be interessting to trace what's different. Any thought to share the source?

[patz]

The (messy, ugly) source code is attached. (VC2010)

The scope response messages are not evaluated in the current version.

I have added a notice to re-connect the scope afterwards and updated the binary in my above post.

[a-nebel]

hello patz,
i did the upgrade and it works fine.
there was no problem during the procedure and ttscope recognizes my hantek dso 5102 as a 5202.

[tinhead]

The (messy, ugly) source code is attached. (VC2010)

thanks ... that was a good idea to work with the org. driver directly,
for some reason i don't like LibUSB on Windows.

I extended your code to do some additionaal things, however something was (even with sleep) still not
working as expected, especialy when more than one command or more than one read backs are send
so i started to debuger and loked a bit more detailed what TTScope is doing.

There are 4 Vendor IOCTL's implemented into the driver

0x222019 is ResetPipe (called once at the begin of TTScope communication),
0x222012 is BULK READ with 64k buffer
0x22201D is AbortPipe(called once at the end of TTScope communication)
0x22200D is BULK_WRITE

ResetPipe is called once at connect, AbortPipe at disconnect.

TTScope is running two threads, one is doing read the antoher one write.
For each read the CreateFile/Read/CloseHandle sequence is executed, for
each write CreateFile/Write/CloseHandle. The write starts before read is closing handle
and vice versa, the first read is called before write was executed (weird but it make sense to have always some data in queue)

When you run TTScope in idle mode you can clreay see that the after each write the data coming back is
looking like this (small before big buffer):



when you run your code (or whatever single thread code) the data looks different (big before small buffer):



For the current hack this not really matter, it is good enough to do Sleep or full sequence
(CreateFile/Write/Close->CreateFile/Read/Close) twice, however for custom PC software it seems
to be necessary to work with two threads in similar way as TTScope is doing.
Without the multithreading the reading of multiple buffers (like screenshot or waveform capture)
is stopping too early (actually freezing because there is no data in buffer) as the scope is stopping
to send data after the big buffer has been send.

EDIT: attached latest TTScope decompilation, not perfect but good enough to see how some things are working

[tinhead]

btw, on Hantek website there is new TTScope version - it does support LAN (even if B models have no LAN "yet"
and BM/BMV not yet released). I didn't saw any other major changes, still not that good software
(especialy the fact that the software is reading back ever second DSO configuration but not doing anything with that)

[patz]

Hi,

thanks for your research.
Maybe you can post your updated source code.
Or, if the hack is working for everyone, link your/my binary in the first post so people do not have to open their scope's cases.

[Kampfwurst]

Hello

I have a DSO5102B HW 10070 SW 111124.0. Can I also use the USB Updater?

Greets Christoph

[patz]

Which USB adapter?

[tinhead]

Maybe you can post your updated source code.
Or, if the hack is working for everyone, link your/my binary in the first post so people do not have to open their scope's cases.

i'm not working on hack but on custom PC software (or actually debuging the communication protocol first).

The code i tested was nothing special, just closehandle and reopen before next comand (so reboot) was called.
However, it works as already said above with simple Sleep before reboot will get calleds, so easy to change.

This is not 100% clean impelementation, but it does not matter for simple hack (just bw without logo).
For more advanced hack (so with logo etc.) it matters, but i would say for now it's enough for most ppl.

Hello

I have a DSO5102B HW 10070 SW 111124.0. Can I also use the USB Updater?

Greets Christoph

yes you can

[patz]

For a custom PC software, I would stick with libusb as it seems to provide 100% stable communication with the scope. And it is cross platform! In my opinion, platform dependency is a major problem of the TTScope application.

I think for a PC software it is acceptable to install the libusb driver. I just wanted to use the official driver because a simple 40 kb one-button "Hack the scope" app should not require a driver to be installed.

[tinhead]

For a custom PC software, I would stick with libusb ...

oh well, that's maybe 10 lines of code to switch between generic or libusb as driver, the rest of the code (the actual DSO protocol)
remains the same. I'm getting already crazy with USB sniffing, only the DSO status is 213byte long, and
i decoded/documented until now only 42bytes ...

[patz]

Okay. Can't this be derived from the TTScope decompilation?

[tinhead]

Okay. Can't this be derived from the TTScope decompilation?

well, when the software would work as supose to work then i would not spend time on
protocol debuging ... but the software is definitely not working properly.
The reason ( i remember i posted it already) is very simple, TTScope was designed for the first
Tekway DSO model - DST1xxx (not B ). These scopes are unsing 320x240 display with 10x8 DIVs
and 2500kpoint memory (no long memory available)

The current scopes are 20 virtual (19 visible) x 10 (9visible) DIVs, with 4k to 2Mpoint memory
and 640x480/800x480 reslution ...

TTScope (when you look deep inside you will cry) is not completly customized for the currenty models,
just run e.g. XY Sheet - you will see 8x4 DIVs - how the hell Hantek got that value? No idea, but when you click on run
icon you will see the waveform as on DSO but the timebase/grid is not matching.

So before i start to analyze such TTScope code like that :

Code: [Select]

signed __int64 __cdecl CalcVoltBase(signed int a1, int a2)
{
  signed int v2; // ecx@1
  signed __int64 result; // qax@2
  float v4; // [sp+Ch] [bp+4h]@3

  v2 = a1;
  if ( a1 == 1 )
  {
    result = 2 * a2;
  }
  else
  {
    v4 = 2.5;
    if ( v2 % 3 != 2 )
      v4 = 2.0;
    result = (signed __int64)((double)CalcVoltBase(v2 - 1, a2) * v4);
  }
  return result;
}

double __cdecl CalcVoltBaseEx(signed int a1, int a2, int a3, int a4)
{
  signed int v4; // ecx@1
  double result; // st7@3
  int v6; // edi@7
  int v7; // eax@8
  float v8; // [sp+8h] [bp+4h]@5
  float v9; // [sp+10h] [bp+Ch]@8

  v4 = a1;
  if ( a1 == 1 )
  {
    if ( a4 == 1000 )
    {
      *(_DWORD *)a2 = 1;
      CString::Format(a3, "%s", dword_10012174);
      result = 2.0;
    }
    else
    {
      *(_DWORD *)a2 = 2;
      CString::Format(a3, "%s", dword_10012178);
      result = (double)(2 * a4);
    }
  }
  else
  {
    v8 = 2.5;
    if ( v4 % 3 != 2 )
      v8 = 2.0;
    v6 = a3;
    result = CalcVoltBaseEx(v4 - 1, a2, a3, a4) * v8;
    if ( result >= 1000.0 )
    {
      v7 = *(_DWORD *)a2 - 1;
      *(_DWORD *)a2 = v7;
      v9 = result * 0.001;
      CString::Format(v6, "%s", dword_10012170[v7]);
      result = v9;
    }
  }
  return result;
}

and hope the code is working with current models (which is in most case not really, additionaly many current model
features are missing in TTScope ...) is maybe smarter to use USB sniffer,
push some buttons and analyze the USB data to get something like that:

byte 001 - 53 msg header
byte 002 - D2  00 msg length
byte 003 -    ^
byte 004 - 81 msg type (see "types", here 81 = "DSO echo data" as answer to "01" = "get DSO echo data")


byte 005 - 01 ch1 channel on/off - "00" off/hidden, "01" on/visible
byte 006 - 02 ch1 volt/div position - 00 = lovest position, 0A highest position, e.g. when x 1 00=2mV/DIV and  0A = 5V/DIV
byte 007 - 00 ch1 coupling - 00 = DC, 01 = AC, 02 = GND
byte 008 - 00 ch1 bw limit - "00" off, "01" 20MHz bw on
byte 009 - 00 ch1 volt/div fine/coarse - "00" = "coarse", "01" = "fine"
byte 010 - 01 ch1 probe multiplier - "00" = x1, "01" = x10, "02" = x100, "03" = x1000
byte 011 - 00 ch1 invert on/off - "00" = invert off, "01" = invert on
byte 012 - 00 ch1 volt fine position - max 32 steps with autozero (when next coarse level reached)
      if changing between x2 voltage levels (weird heh, when changing from 1V/DIV to 2V/DIV
      the ratio is x2, when changing from 2V/DIV to 5/DIV ratio is 2.5) and max 75 steps with
      autozero (when next coarse level reached) if changing between x2.5 voltage levels.
      When increasing value from "00" = current coarse level, then "01","02" and so on
      up to "31"=49step or "4A"=74step (see above why!) and reseting to "00" when
      next coarse level reached.

byte 013 - 00 00 ch1 volt position (Little-Endian) - Max position = (+-)25.0DIV, each DIV = 25 steps.
       When increasing (pos "+") value is increasing from 00 00 to max F4 01 (500)
       When decreasing )pos "-") value is decreasing from FF FF to max 0C FE (65036 which mean 65536-65036=500)
byte 014 -    ^


The TTScope decompilation might be useful for some things, that's for sure, but as long i can
track back the USB dumps results to "taken action" no need to send time on guessing the decompilation.

A better source as TTScope is of course the ARM disassembly itself, but still there is some additional effort necessary
to track back things... but even in ARM code (the firmware itself !!) there are some traps :

- byte 179 - FFT algo - "00" = "hanning", "01" = flatop", "02" = "rectangle", "00" = "barlett", "01" = "blackman"
So why 00 and 01 are used twice in ARM code? The answer is simple, originaly these DSOs has been developed
with only 3 FFTs algos, later 2 algos has been added but the developer forgot to add 2 additional values into
"DSO echo/status" code ...