Rigol DP900 / DP2000 Series Hack -

[hve]

This thread is dedicated to hacking the Rigol DC DP900/DP2000 power supplies:

Product	Type	Max Power	Max Voltage	Max Current	Channels	Price (USD)
DP2031	Power Supplies	222 Watts	64 Volts	10 Amps	3	$1,199
DP932U	Power Supplies	210 Watts	64 Volts	6 Amps	3	$529
DP932A	Power Supplies	210 Watts	64 Volts	6 Amps	3	$749

Platform is based on an Allwinner  i40 linux-sunxi platform

There is some firmware available:
https://www.rigol.eu/Public/Uploads/uploadfile/files/20230321/20230321002306_6418886a99c29.zip

Its a rar archive, extract using:

Code: [Select]

unrar x 20230321002306_6418886a99c29.zip
then there's a GEL file, extract using:

Code: [Select]

tar xvf DP900_DP2000_Update.GEL

-rw-r--r-- adil/root  35836928 2023-02-08 13:52 tina-r40-m2ultra.swu
-rw-r--r-- adil/root    105900 2022-04-08 04:44 sousa_fpga.024.bin
-rw-r--r-- adil/root       185 2023-02-08 13:52 image_info.txt
-rw-r--r-- adil/root       108 2023-02-08 13:52 checksum.txt

then there's a cpio archive:

Code: [Select]

cpio -i <tina-r40-m2ultra.swu

-rw-r--r-- 1 henk henk     3656 Apr 12 22:04 sw-description
-rw-r--r-- 1 henk henk      256 Apr 12 22:04 sw-description.sig
-rw-r--r-- 1 henk henk 15728640 Apr 12 22:04 recovery
-rw-r--r-- 1 henk henk  1196032 Apr 12 22:04 uboot
-rw-r--r-- 1 henk henk    32768 Apr 12 22:04 boot0
-rw-r--r-- 1 henk henk  4194304 Apr 12 22:04 kernel
-rw-r--r-- 1 henk henk 14680064 Apr 12 22:04 rootfs


Then there's a squashfs filesystem:

Code: [Select]

file rootfs
rootfs: Squashfs filesystem, little endian, version 4.0, xz compressed, 14674551 bytes, 1446 inodes, blocksize: 262144 bytes, created: Wed Feb  8 12:49:37 2023
So we have a sunix linux system running on your PSU unit together with an FPGA.

Firmware updates are controlled by swupdate https://sbabic.github.io/swupdate/sw-description.html

Update command:

Code: [Select]

swupdate -n -k /etc/swupdate_public.pem $check_version_para $swu_param -e $swu_software,$swu_mode >> $swupdate_log_file 2>&1

File /etc/swupdate_public.pem (RSA 2048):

Code: [Select]

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxO//XV7kM2qvOjdcmqlF
JlzzHZtE3uu9GE5Vu7ba2jrqhhHy9ivXOb7kWbeIM3Jb5dqqAP1jaDjO7A+WF47R
WakMpv++MxDQP/oJNtlcGIraqSBRRxl+N/mIljA+G4uP/ZbLKDcWbh2fQr0yQ1T9
0KK1o10mTKzIvWGP5a7VNVlIfUd1KPjxzTFcFEcBcb7Hy6gVZYFmxdmFAicwVaG8
vHl2OUzG4I4rOVTdwGNp9ivsy3MqJjtHl4uY5HH+cubNnV8V6PaLtDi4YnZiP8cw
dDDY15h95NZ/2+FJCArc4oRaWQQ0VDxQ/9DLLdRYFbVZ1GSDuZ30cHJIIeqviGIo
lwIDAQAB
-----END PUBLIC KEY-----


[Userli]

The model is encrypted and hidden in the file /mnt/app/private/test.dll .
I created the attached file, which hopefully changes the model to DP932A and does not break anything else.
Make a backup and use at your own risk.

[Xoff]

  It's working! 

Thank you Userli! I would like to confirm, that after replacing original test.dll with yours and restarting my DP932E, now it is reporting DP32A model.
All other data are intact (calibration status & date, firmware version (00.00.01.00.20) and unit serial number).
The following options are installed (and working fine): HIRES, ARB, DIO
Monitor option however is not installed.

GOOD JOB! 

[Userli]

I didn't see it mentioned anywhere yet:

The initial password for the web interface is
Rigol1998

The username is empty.

The web interface seems pretty useless though, only allowing to change the network parameters, which somehow is a catch 22 .

[Userli]

A small change to enable the monitoring option. I only gave it a quick try. There might be a reason, why you can't buy the option currently. Use at your own risk!

Apply the attached patch to the version 21 SousaMain file (MD5: 4a0c633eadc7c0f7009a464a16d35747). After patching the MD5 should be fd14f9a93f4310ccbe8b9171ff4ebf25   .

[Xoff]

Apply the attached patch to the version 21 SousaMain file

Are you referring to to the newest FW upgrade version 00.00.01.00.21 (dated 25/05/2023)?
Yesterday have upgraded my DP932E from version 00.00.01.20 (from 08/02/2023) with no need to change 'mnt\app\private\test.dll' file.
Didn't notice any changes to DP900 power supply so fare...

[Userli]

Yes, this is the version I was referring to.
The test.dll should be independent of the version.

[Xoff]

Thank you Userli,

Unfortunately I don't know how to patch SousaMain file.
I can upload/download it from root\mnt\app\  (using SSH file transfer protocol).
Can you please explain, how I can apply the patch?

[Userli]

It's a standard bpatch. You could do for instance:
bspatch.exe SousaMain SousaMain_patched SousaMain_patch

SousaMain_patched would be the new file.

[Xoff]

OK. Working great! After the restart of DP932A(E) 'option' Monitor is now active (of course it is NOT mentioned in 'Utility >Option' menu.

Thank you again for your help! 

To control my instruments I'm using M1 macOS (Monterey v12.6.7), so to patch SousaMain file, I have used MultiPatch 2.0 app (by Paul Kratt from GitHub). The trick is, you have to add BDF extension to your 'SousaMain_patch.bdf' file. You also need to change permissions of patched file to match original SousaMain (-rwxrwxrwx). New file has the same file size of 23705744 bytes.

[Userli]

Well done! 

I found that the monitor switches off after triggering, which doesn't seem very user friendly to me. Maybe this can be tweaked....

[Xoff]

In 'Monitor > CH1' menu you can set various output conditions for Volts, Current and Power, as well as, (after pushing the 'Settings' button) three actions (to be selected independently): 'Output Off', 'Warning' and/or 'Beeper'.

So fare Output Off and Warning are working great in my instrument. However no 'Beeper' tone ever triggered.
So if you want to be only warned of some output conditions, you can select checkbox 'Warning', while leaving 'Output Off' unchecked.

You are right that after the first message 'Monitor Warning', monitoring switches off, but otherwise you will be 'spammed' the same message again and again (on screen and in the LOG). For the 'Beeper' however this behaviour is not needed. Maybe this is the reason why the 'Monitor' option is not officially released yet?

 

[KrzysztofB]

Hi.
Any chance of enabling HiRes and High current mode on 2000 model?

[Userli]

Try the attached patch, also for version 00.00.01.00.21 . At your own risk!

[Xoff]

Checked new patch on original SousaMain, but no new options on DP900

[Userli]

To my understanding, the 10A option requires the DP2000 hardware. So even if you would enable it on your DP900, it wouldn't work. If somebody finds that this is not the case, I'll be happy to look, how to enable this option for the DP900, too.
It would in fact be nice to have pictures of the interior of both devices.

[KrzysztofB]

I have DP2031 PSU so can try that.
There were inside pictures in the past here in one of my posts.

https://www.eevblog.com/forum/testgear/rigol-dp2031/msg4551335/#msg4551335

[KrzysztofB]

I patched SousaMain with last patch you sent.
Seem like Monitor got activated, however Options: HADC and 10A are not installed.

[Userli]

Indeed interesting. It was not straight forward. Hopefully the attached patch works.

[KrzysztofB]

Tried it.
Now when you go to Options window it says:
HADC: Office, 10A: Office
But not possible to lift current limit to 5A

[Userli]

Interesting! Faking a DP2031 on a DP932, I could set the current limit to 10A on CH3 . Does the high speed sampling work?

[Userli]

Here pictures of the internals of the DP932:
The transformer is different, 2 ADCs SGM58600 are missing and a few other parts.

[KrzysztofB]

Will check tomorrow.
But. Do I need to change that dll file also? Or only patch?

[Userli]

For the DP2031 you don't need to change the test.dll . Please note that only channel 3 allows for 10A.

[KrzysztofB]

For the DP2031 you don't need to change the test.dll . Please note that only channel 3 allows for 10A.

I didn't note the fact it's for CH3, thanks for pointing that. That was absolutely spot on. Works like a charm. High sampling rate also.
Also, a note, that when 10A is enabled, CH1 and CH2 have to go down to 2A.