Author Topic: Upgrading the Hantek DSO4072C and DS4104C oscilloscopes bandwidth up to 250MHz  (Read 32671 times)


Offline Muellmann

  • Newbie
  • Posts: 4
  • Country: de
Thanks for the very detailed hacking manual. It condenses all the information in one place.

I again did some tests with my hacked DSO and I'm afraid I made some measurement mistakes. After I double-checked the tests I can't reproduce the result. The signal I used was an STM32H7 IO pin measured with a 300MHz probe.
I will intermit my research until I have a suitable signal. Therefore I will build this circuit: https://www.analog.com/en/design-center/reference-designs/circuit-collections/lt1721-pulse-generator-has-0ns-to-10ns-width-520ps-transitions.html.

I will compare with a calibrated 200MHz Agilent DSO I have at work and will come back after these measurements with more pictures.
 
The following users thanked this post: W1ZZT3XX

Offline MicrocheapTopic starter

  • Frequent Contributor
  • **
  • Posts: 250
  • Country: 00
Quote
I wrote a little hacking summary, that I will attach as pdf.

Nice job with the pdf, a lot of details.  :-+
 
The following users thanked this post: W1ZZT3XX

Offline W1ZZT3XX

  • Newbie
  • Posts: 4
  • Country: de
Hey guys. Thank You for Your positive feedback!

I kept trying out a little bit and found out one more point that seems to be important - the EEPROM!

Mine is a MICROCHIP one marked with 4L64I. The manufacturer's datasheet (http://ww1.microchip.com/downloads/en/devicedoc/21189f.pdf) says on p. 13 that it is a 24LC64 I²C device ( 8K x 8 ).
So I cross-compiled the Linux I²C tools and read it out with eeprog
Code: [Select]
./eeprog /dev/i2c-0 0x50 -r 0x0000:0x2000 -16 > EEPROM.bin
You can find it at https://github.com/WiZZteXX/DSO4xx4c/blob/master/EEPROM.bin. Here comes the plot:

They programmed the bandwidth in as "80M", starting at 0x0006. Just wanting to know what happens, I desoldered the EEPROM - no difference. From reading the startup output, which says that the scope is 250M, I guess that it is just a kind of backup.
What else is coded:
The [Lans] value starting at 0x020c and the [Language] value starting at 0x0216. That's it. No serial number. :wtf: The rest are patterns of 0x00's and 0xFF's. The funny thing about this is that they updated the [Lans] in their last update to 255 - but they did not change it in the EEPROM.

Unfortunately, it would not be the first time a Chinese company hard-copies some stuff and later tries to use it to deactivate the device (had that experience with a hacked MiniPRO EEPROM programmer, too). So better be careful with updates, until this is cleared!

So I am of course interested in changing the values to the current settings, but I am not sure if 3-digit bandwidth values would also start @ 0x0006 or already at 0x0005. Maybe someone who bought a 100 MHz scope could read out the EEPROM and tell me that. I would then script a shell file that corrects the value using the I²C tools. I uploaded the compiled tools to https://github.com/WiZZteXX/DSO4xx4c/tree/i2c-tools/usr/ so you can simply copy them to a flash drive and run the instruction mentioned before.

I just made a simple test: I first modified the EEPROM starting at 0x0005 to "250M" and renamed the /dso/root/system.inf. Starting the device and checking the bootlog, it said it is 50M. So it just cropped the 2.
Next try: I wrote the "250M" starting at 0x0006 and once more deleted the newly created system.inf.
The scope autocreated a new /dso/root/system.inf as a kind of template with the speed "250M" added (see attachment).
So to complete the hacking process You will also have to change the EEPROM contents as follows:

1. Download the compiled I²C tools from my GitHub and save them to a flash drive.

2. Open the scope and start a terminal as described in pt. 3 of my Hacking guide

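3. Run the following instructions
Code: [Select]
cd /mnt/udisk/usr/local/sbin
# write the contents of the file 250M to the EEPROM, starting at 0x0006
cat 250M | ./eeprog /dev/i2c-0 0x50 -f -w 0x0006 -16
# read the first 16 bytes back as a hex dump (-r reads, -x selects hex output)
./eeprog /dev/i2c-0 0x50 -f -x -r 0x0000:16 -16
(The file 250M just contains the string "250M" without any control signals, which makes it easier than an echo instruction)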

4. The last output should now show the hex values for 250M like this:
Code: [Select]
0000| 00 00 00 00 00 00 32 35    30 4d 00 00 00 00 00 00

The scope should now be hacked completely and should be safe for future updates :-DD


Quote
I will compare with a calibrated 200MHz Agilent DSO I have at work and will come back after this measurements with more pictures.


I am really interested in the results!
« Last Edit: October 05, 2019, 06:55:10 pm by W1ZZT3XX »
 

Offline MicrocheapTopic starter

  • Frequent Contributor
  • **
  • Posts: 250
  • Country: 00
I don't think that any change in the EEPROM is needed to change the BW. I measured the rise time of a pulse signal and used it to calculate the bandwidth of the scope with only the system.inf modification and the results are clear.

First, the original 100MHz, the rise time is about 3.5ns, calculating BW=0.35/trise => 100MHz

Now changing only the system.inf file to 250MHz, the rise time is clearly faster, about 2ns. Note that if solving the equation above the BW is only 175MHz, but that is a limitation of the pulse of my generator, I would need a faster pulse

Obs. Measured connecting the pulse of the sync output of my function generator to the oscilloscope using coax cable and a 50ohm feedthrough in the scope input.
 

Offline W1ZZT3XX

  • Newbie
  • Posts: 4
  • Country: de
Sorry if I misexpressed myself.   :palm:

I did not want to claim that it changes the bandwidth, because this is indeed only done by changing the Model value of system.inf.

My thought was another one:
If I was the vendor of those DSOs, I'd try to do something against hacking in some update.
My personal way would be to reset the samplerate to the one from the EEPROM and lock the serial port. So I saw it as a kind of "preventive measure" against upcoming anti-hacking software updates, because now the DSO even to the software looks like a real DSO4254B/C and I can keep it updatable.

As You can see in the screenshot below that was taken before the EEPROM hack it was the same for me - rise time about 2ns (It is the ADC CLK signal @ 200 MHz)
« Last Edit: October 06, 2019, 02:30:17 am by W1ZZT3XX »
 

Offline Muellmann

  • Newbie
  • Posts: 4
  • Country: de
I got the LT1721CGN + SN74AHC1G08DBVR and soldered my Pulse Generator Board. I did some measurements with an Agilent DSO-X 3024A (200MHz bandwidth) and my hacked DSO4084C (250MHz bandwidth). I measured with the same 300MHz 1:10 Agilent probe. I compensated it individually to each scope before doing the measurement.

Sad to say the pulse generator is not as good as LT promised. They told it should have 560ps rise time but I can measure only about 2ns. No surprise, the datasheet of the AHC08 (the output stage) says risetime with 15pF load: min 1ns, max 7ns. The measured 2ns seems to be a good value with my ugly wiring.

Both oscilloscopes showed nearly the same shape with the same rise time, for 2ns only about 170MHz bandwidth is necessary to measure. So far, so good.
To fully check for the bandwidth limit I still need a better generator. Maybe I can get a 250,000000 MHZ TCXO Oscillator chip to do more measurements...
 
The following users thanked this post: W1ZZT3XX

Offline DEBO

  • Newbie
  • Posts: 1
  • Country: nz
Hi, the DSO4072C model has been superseded with the DSO4072S. I went to buy one from Aliexpress and found this in the description "Note:  Older model is DSO4072C now update to DSO4072S , the function is the same . what we sent is DSO4072S new version" .

Has anyone received the new model yet?  Is it still hackable?
 

Offline MicrocheapTopic starter

  • Frequent Contributor
  • **
  • Posts: 250
  • Country: 00
I think they are exactly the same, the "S" version could have been rebadged by some distributor for the Chinese market only. If you check Hantek's website there's no mention about this "s" model.

https://www.eediscuss.com/forum.php?mod=viewthread&tid=14958
 

Offline kuken

  • Newbie
  • Posts: 2
  • Country: pl
I bought a damaged Voltcraft DSO-1084E oscilloscope, it was hanging on the boot screen. I was able to fix it and then I found this topic and decided to run the built-in generator and extend the frequency to 250MHz. I modified my oscilloscope according to the description in the PDF, very good description. Without calibrating the generator yet, I started it to check if it generates anything, connected CH1 to the generator output and in the whole range up to 25MHz the generator works, but not exactly, the amplitude is too low and the frequency jumps slightly. I decided to calibrate it. However, when trying to calibrate, DDS calibrate amp failed. I bought the parts on Aliexpress. What could be wrong, any suggestions?  ???

After pushing the calibrate button, UART shows:

Quote
[root@Hantek ~]#anolis_widget_rect:394 widget!=NULL&&rect!=NULL failed.
util_thread_pause:thread 0x9fd0f0 is paused
util_thread_pause:thread 0x9ec690 is paused
acq_dot_nm_of_timerange =4000,time_range=3200000000,dso_acq.dot_factor =1,sample_rate =1250000.000000
dso_acq_control:1:2056, 2056,0
dso_acq_control:2:2056, 2056
dso_acq_control:3:205600, 207200
dso_acq_control:4:after= 205600, before= 207200
acq_dot_nm_of_timerange =4000,time_range=3200000000,dso_acq.dot_factor =1,sample_rate =1250000.000000
dso_acq_control:1:2056, 2056,0
dso_acq_control:2:2056, 2056
dso_acq_control:3:205600, 207200
dso_acq_control:4:after= 205600, before= 207200
measure_helper_set_one_chn_all_only:0
dds_calibrate_uniformlize_offset:0x100011
dds_calibrate_uniformlize_offset:0.000000, 3.500000, -3.500000, 0.000000, 1.000000, 0.285714, 0.000000
dds_calibrate_uniformlize_amp:0x100011
dds_calibrate_uniformlize_amp:7.000000, 1.500000
**********amp_value = 0.214286,amp = 438,cal_value =1.000000
util_thread_resume:thread 0x9ec690 is resumed
util_thread_resume:thread 0x9fd0f0 is resumed
util_thread_pause:thread 0x9fd0f0 is paused
util_thread_resume:thread 0x9fd0f0 is resumed
update_trigtime:0.000000, 0.0s
anolis_picture_copy_to_data_rgb565:672 oy < dh failed.
dds_calibrate_uniformlize_offset:0x100011
dds_calibrate_uniformlize_offset:0.000000, 3.500000, -3.500000, 0.000000, 1.000000, 0.285714, 0.000000
dds_calibrate_uniformlize_amp:0x100011
dds_calibrate_uniformlize_amp:7.000000, 1.500000
**********amp_value = 0.214286,amp = 438,cal_value =1.000000
dds_calibrate_uniformlize_offset:0x100011
dds_calibrate_uniformlize_offset:0.000000, 3.500000, -3.500000, 0.000000, 1.000000, 0.285714, 0.000000
**********amp_value = 0.000000,amp = 0,cal_value =1.000000
dds_calibrate_uniformlize_offset:0x100011
dds_calibrate_uniformlize_offset:1.000000, 3.500000, -3.500000, 3.500000, 1.000000, 0.285714, 0.000000
**********amp_value = 0.000000,amp = 0,cal_value =1.000000
max =1.082851
 

Offline Muellmann

  • Newbie
  • Posts: 4
  • Country: de
Today I was able to do more tests with a very old UHF wobble generator (1969). I was able to measure a 200MHz sinus at about 1V amplitude. This looks good but I didn't confirm with calibrated equipment. I will come back...
 

Offline TequilaTom

  • Newbie
  • Posts: 1
  • Country: de
Hi W1ZZT3XX,

I bought a Hantek DSO4084B from ebay.de for 265,14€ it was shipped directly from China and arrived after 14 days.

Following your manual, I could change it to 250MHz, thx for that.

I read out the EEPROM, it contains following information:

1. 0x0007 "80M" (changed to 250M @0x0006)
2. 0x0027 "DSO4084B"
3. 0x0048 "Hantek"
4. 0x00C9 "DSO"
5. 0x014A "hantek"
6. 0x01CB "CNxxxxxxxxxxxxx" Serial number, 13 numbers, which is equal to the calibration document of the scope.
7. 0x020C "163190" Language
8. 0x0216 "1" ?
9. 0x0227 "101.001.001.000.000.000.0"

Maybe somebody finds it useful  :)
« Last Edit: November 28, 2019, 06:53:19 pm by TequilaTom »
 
The following users thanked this post: W1ZZT3XX, Simon_RL
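
Added example (not part of any post in this thread, and not code from the posters): a Python sketch for checking a saved 24LC64 dump offline, covering both the 0x0006 bandwidth field from W1ZZT3XX's EEPROM post and the string map listed in the post above. The 4-byte field length with 0x00 padding is an assumption taken from the step 4 hex line, and the sample image is constructed from values quoted in the thread, not a real dump.

```python
import re

EEPROM_SIZE = 0x2000   # 24LC64 is 8K x 8; matches the -r 0x0000:0x2000 read
BW_OFFSET = 0x0006     # offset at which the thread found the bandwidth is read
BW_MAX_LEN = 4         # assumption: "250M" occupies 0x0006..0x0009


def find_strings(image, min_len=1):
    """List (offset, text) for every run of printable ASCII in the dump."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii"))
            for m in pattern.finditer(image)]


def read_bandwidth(image):
    """Return the printable string at BW_OFFSET (stops at 0x00 or 0xFF)."""
    field = image[BW_OFFSET:BW_OFFSET + BW_MAX_LEN]
    return re.match(rb"[\x20-\x7e]*", field).group().decode("ascii")


def patch_bandwidth(image, value):
    """Return a copy of the dump with the bandwidth field set to `value`."""
    raw = value.encode("ascii")
    if len(image) != EEPROM_SIZE:
        raise ValueError("not a full 8 KiB image; re-read the EEPROM first")
    if not 0 < len(raw) <= BW_MAX_LEN:
        raise ValueError("value does not fit the bandwidth field")
    out = bytearray(image)
    out[BW_OFFSET:BW_OFFSET + BW_MAX_LEN] = raw.ljust(BW_MAX_LEN, b"\x00")
    return bytes(out)


def diff_images(before, after):
    """Return (offset, old, new) for each byte that differs between dumps."""
    if len(before) != len(after):
        raise ValueError("dumps differ in length")
    return [(i, a, b) for i, (a, b) in enumerate(zip(before, after)) if a != b]


def make_sample():
    """Constructed sample image (not a real dump): 0x00/0xFF filler plus the
    "80M" field at 0x0006 and the two values quoted for 0x020C and 0x0216."""
    img = bytearray(b"\x00" * 0x200 + b"\xff" * (EEPROM_SIZE - 0x200))
    img[0x0006:0x0009] = b"80M"
    img[0x020C:0x0212] = b"163190"
    img[0x0216:0x0217] = b"1"
    return bytes(img)


if __name__ == "__main__":
    backup = make_sample()            # stands in for the saved EEPROM.bin
    for offset, text in find_strings(backup):
        print(f"0x{offset:04X}  {text!r}")
    readback = patch_bandwidth(backup, "250M")   # stands in for a re-read
    print("bandwidth field:", read_bandwidth(readback))
    # Only 0x0006..0x0009 should differ between backup and read-back.
    for offset, old, new in diff_images(backup, readback):
        print(f"0x{offset:04X}: {old:02x} -> {new:02x}")
```

Comparing the full backup against a full read-back shows whether anything outside 0x0006..0x0009 changed, which the 16-byte check in step 4 cannot show.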

Offline danielazo69

  • Newbie
  • Posts: 2
  • Country: uy
Hello,
 I am new to this oscilloscope and recently bought a Hantek DSO4104B.
Today, when I start it, I have the logo with all the lights on and it never starts.
I leave a photo for you to see. Can somebody help me? I think it's the damaged firmware, but I don't know how to load it.
Thank you.
 

Offline MicrocheapTopic starter

  • Frequent Contributor
  • **
  • Posts: 250
  • Country: 00
The solution is simple, you need to restore the file system in scope. Try this:

Turn off the oscilloscope
Turn it on, wait about 2 seconds and turn off again.
Turn on one more time, a menu will show on the screen.
Press F2 to select the option "recover system", confirm and wait, the process takes some time.

After the restoration, update the device to its latest FW.

For more details you can check Hantek's support forum: https://www.eediscuss.com/forum.php?mod=viewthread&tid=14831&fromuid=26055
 
The following users thanked this post: danielazo69

Offline danielazo69

  • Newbie
  • Posts: 2
  • Country: uy
Thank you very much I just did it and it was really working. saved my life.
I have another query, now that I start, download the latest firmware from the official website, but I get an error and it doesn't let me do the update.
I leave a picture.
thanks

p/d firmware:
http://www.hantek.com/en/ProductDetail_3_12166.html
 

Offline MicrocheapTopic starter

  • Frequent Contributor
  • **
  • Posts: 250
  • Country: 00
That I don't know, try sending an email to Hantek or posting a message in their forum, it can take some time but, eventually, you'll get a reply from their support.
 
The following users thanked this post: danielazo69

Offline fer662

  • Newbie
  • Posts: 2
  • Country: ar
Just got myself a DSO4084C as a first scope after evaluating a few alternatives. It was the cheapest I could get here (the whimsical land of Peronia) with 4 channels and decent bandwidth (and already having read about the possibility of upgrade to 250MHz) and I probably paid close to what you'd pay for a much more decent scope there (around 600 bucks). Now I'm pondering whether it's worth it to me to do the procedure, since it appears the probes that came with it (pp-90) only go up to 80MHz. Is this generally a hard limit or would I see any difference with the upgraded bandwidth of the scope with these same probes? I know I could buy better probes in the future but honestly it's probably going to be a while until I need something like that since I'm just getting started with oscilloscopes and I'm just a hobbyist.
 

Offline MicrocheapTopic starter

  • Frequent Contributor
  • **
  • Posts: 250
  • Country: 00
The maximum bandwidth (BW) of an oscilloscope or probe is not a "hard limit", they won't stop working after reaching this limit. In theory, the specified BW is the point where an input signal is attenuated by 3 dB, after this point, the amplitude of the input signal starts to fall sharply, that means, you still can see the signal, but its amplitude will be attenuated. And this is not a precise limit, normally the manufacturers leave some margin so in practice, the actual BW is greater than specified.

If you use a 80MHz probe with a 250MHz BW oscilloscope the BW of your system will be limited by your probe. I would recommend an article from Keysight which explains that better than I can: https://community.keysight.com/community/keysight-blogs/oscilloscopes/blog/2016/09/01/what-is-oscilloscope-system-bandwidth-and-how-do-i-find-the-bandwidth-of-the-scope-probe

200MHz and 300MHz probes are available relatively cheap on ebay or aliexpress but I can't attest to their quality as I never used one.
Or, you can do your own high speed probe 8) : http://paulorenato.com/index.php/93
 

Offline fer662

  • Newbie
  • Posts: 2
  • Country: ar
Got it! I'll probably grab a higher BW probe next time I have to buy something on AliExpress and the same seller has one. I'm super happy with the scope so far!
 

Offline Simon_RL

  • Regular Contributor
  • *
  • Posts: 53
  • Country: au
Microcheap, thank you very much for providing this information. Unfortunately I recently bought my DSO4204C before I found out about scope hacking.

Fortunately I did find out before I bought my HDG6082B. Got to say I am very happy with its AWG/Function Generator, it is great value. Anyway I am planning on attempting to apply the upgrade, hopefully I can get it to 200M. I am planning to read out the eprom as per Microcheap's instructions and will share all findings and results in this thread.

My only concern is a lack of backup and restore, in case of a total failure. Is anyone able to provide advice and/or assistance with the creation of the backup and restore files used for the Oscilloscope? I come from a programming background (C/C++ in Unix Environment), but am totally new to embedded systems.
« Last Edit: April 04, 2020, 11:52:59 am by Simon_RL »
 

Offline kutukvpavel

  • Newbie
  • Posts: 3
  • Country: us
To Simon:
The ultimate backup is a collection of images of all ROMs the device contains, made with (a) suitable programmer(s). In case anything goes wrong you reflash the ROMs and the scope is again factory-new. However, this is really inconvenient ([de]soldering) and mostly unnecessary (current firmware doesn't seem to counteract any sort of tampering). So, an average backup is just an image of the flash-rom that contains the firmware (made using UART connection to a running scope).
I don't think you should be worried that much if you are familiar with C/C++ programming (it's fairly low-level compared to .NET environment, for example, where I departed from some time ago, having to learn C/C++ and various embedded stuff simultaneously).
Check out the backup method link in the first post.

Btw, there is a longer thread on Hantek DSO5000 series hack: https://www.eevblog.com/forum/testgear/hantek-tekway-dso-hack-get-200mhz-bw-for-free
You may find backup how-to-s there too. Adjusting them to suit this model should be not that hard, after all it's just a Linux distro and a flash chip that may differ.
Just in case, AFAIR, the OP is a Chinese-speaking guy who delivers information from the Chinese community here (you'd be surprised how much stuff you can find in the Chinese segment of the Net, many of the Chinese developers of such devices actually share source codes etc). He briefly mentioned that the DSO4004 series is completely different in terms of software, but if he's still around he would probably be able to help. Especially with firmware mods.

To All:
I'm about to get a DSO4084-series scope to hack it to 250MHz. Does anyone have any recent hacking experience with those? Do I still have to change a single text file only? Has anyone tested actual rise time before/after the hack? AFAIR, Chinese manufacturers made some attempts to prevent hacking (at least make it more complicated) for 5000-series scopes at some point in time, therefore I'm a bit worried.
« Last Edit: April 04, 2020, 11:12:26 pm by kutukvpavel »
 

Offline Simon_RL

  • Regular Contributor
  • *
  • Posts: 53
  • Country: au
Hi kutukvpavel,
Thank you very much for taking the time to provide this information, it is very helpful. My questions were in relation to hacking the HDG6082B and creating a backup and restore for this AWG. I am still waiting for my USB to UART adapter and was my post is part of my preliminary as there is no info around on hacking the HDG6082. Although I have found a thread on hacking the HDG2XXX, I am hoping I can apply the same steps to my AWG.
 

Offline MicrocheapTopic starter

  • Frequent Contributor
  • **
  • Posts: 250
  • Country: 00
Quote
I am planning to read out the eprom as per Microcheap's instructions and will share all findings and results in this thread.

I don't recall needing to read the EEPROM of the oscilloscope to be able to change its BW, I think it was another user who tried this approach. Anyway, I don't think you need that to get the maximum BW of your function generator, if Hantek is still doing things the same way, all you will need is to simply change some parameter in a text file.

To avoid any problems, just make a copy of the file before you change it (oh! and don't forget to back up the cal data as well). In the thread about the HDG2000 you can find a script (NANDDump) to copy the flash partitions of the device, you can try that with the HDG6000 and see if it works.

By the way, if you are interested, you could start a new thread for this new Hantek HDG6000, I saw it on their web site, the specs look good, not that I need another function generator but I am curious to see how the firmware performs and what changes they made to the HW compared to the HDG2000.

Quote
To All:
I'm about to get a DSO4084-series scope to hack it to 250MHz. Does anyone have any recent hacking experience with those? Do I still have to change a single text file only? Has anyone tested actual rise time before/after the hack? AFAIR, Chinese manufacturers made some attempts to prevent hacking (at least make it more complicated) for 5000-series scopes at some point in time, therefore I'm a bit worried.

I don't have access to this scope anymore, but I believe it still works just fine, I don't think Hantek will ever bother to change that. Regarding the rise time, I did a quick and dirty measurement and posted it a few messages above, the change is clear.
 

Offline Simon_RL

  • Regular Contributor
  • *
  • Posts: 53
  • Country: au
Thanks Microcheap, no it wasn’t you that read out the eeprom it was TequilaTom. I will start a new thread for the HDG6000, I really was trying to avoid hijacking this thread and just get some pointers.
 

Offline MicrocheapTopic starter

  • Frequent Contributor
  • **
  • Posts: 250
  • Country: 00
No worries, you are not hijacking the thread, your questions fit here perfectly, if you check how the other Hantek devices are "hacked" you'll find that it's always the same approach.

I suggested a thread about the HDG6000 just because it would be easier for someone looking for more information about this awg and I'm curious, I saw this function generator on Hantek's website but I can't find anything about it elsewhere.
I already have a HDG2002 "upgraded" and I really don't need another AWG but would be nice to compare it to the new model.
« Last Edit: April 07, 2020, 05:55:41 am by Microcheap »
 
The following users thanked this post: Simon_RL

Offline Simon_RL

  • Regular Contributor
  • *
  • Posts: 53
  • Country: au
Quote
No worries, you are not hijacking the thread, your questions fit here perfectly,

I suggested a thread about the HDG6000 just because it would make it easier for someone looking for more information about it and I'm just curious, I saw this function generator on Hantek's website but I can't find anything about it elsewhere.

Thanks Microcheap.

My biggest concern was lack of backup and restore. I had assumed that the backup and restore files were executable binaries and not scripts. Once I get my USB to UART adapter I will edit the scripts to suit the HDG6XXX (if editing required) and share them in a separate thread, along with photos of the internals.

The HDG6XXX had a lot more features than I expected for the price and I am very happy with it. Although the manual, while being very long, is not the best and reads more like marketing guff than providing instructions on how to actually use certain features.
 

