Products > Test Equipment

Upgrading the Hantek DSO4072C and DS4104C oscilloscopes bandwidth up to 250MHz

<< < (6/15) > >>

Muellmann:
thank's for the very detailled hacking manual. This is very condensed all information at one place.

I again did some tests with my hacked DSO and I'm afraid I did some measurement mistakes. After I double check the tests I can't reproduce the result. The signal I used was a STM32H7 IO pin measured with a 300MHz probe.
I will intermit my reseach until I have a suitable signal. Therefore I will build this circuit: https://www.analog.com/en/design-center/reference-designs/circuit-collections/lt1721-pulse-generator-has-0ns-to-10ns-width-520ps-transitions.html.

I will compare with a calibrated 200MHz Agilent DSO I have at work and will come back after this measurements with more pictures.

Microcheap:

--- Quote from: W1ZZT3XX on September 30, 2019, 04:19:39 am ---I wrote a little hacking summary, that I will attach as pdf.

--- End quote ---

Nice job with the pdf, a lot of details.  :-+

W1ZZT3XX:
Hey guys. Thank You for Your positive feedback!

I kept trying out a little bit and found out one more point that seems to be important - the EEPROM!

Mine is a MICROCHIP one marked with 4L64I. The manufacturer's datasheet (http://ww1.microchip.com/downloads/en/devicedoc/21189f.pdf) says on p. 13, that it is a 24LC64 I²C device ( 8K x 8 ).
So I cross-compiled the linux i²c tools and read it out with eeprog
--- Code: ---./eeprog /dev/i2c-0 0x50 -r 0x0000:0x2000 -16 > EEPROM.bin
--- End code ---
You can find it at https://github.com/WiZZteXX/DSO4xx4c/blob/master/EEPROM.bin. Here comes the plot:

They programmed the bandwidth from 0x0006 in as "80M" . By just wanting to know what happens, i desoldered the EEPROM - no difference. By reading the startup outputs, which say that the scope is 250M i guess that it is just a kind of backup.
What else is coded:
The [Lans] value starting at 0x020c and the [Language] value starting at 0x0216. That's it. No serial number. :wtf: The rest are patterns of 0x00's and 0xFF's. The funny thing about this is, that they updated the [Lans] in their last update to 255 - but the did not change it in the EEPROM.

Unfortunately, it would not be the first time a Chinese company hard-copies some stuff and later tries to use it to deactivate the device (had that experience with a hacked MiniPRO EEPROM programmer, too). So better be careful with updates, until this is cleared!

So I am of course interested in changing the values to the current settings, but I am not sure, if 3-digit bandwidth values would also start @ 0x0006 or already at 0x0005. Maybe someone, who bought a 100 MHz scope could read out the EEPROM and tell me that. I would then script a shell file that corrects the value using the i²c tools. I uploaded the compiled tools to https://github.com/WiZZteXX/DSO4xx4c/tree/i2c-tools/usr/ so you can simply copy them to a flash drive an run the instruction mentioned before.

I just made a simple test: I first modified the EEPROM starting at 0x0005 to "250M" and renamed the /dso/root/system.inf. Starting the device and checking the bootlog it said, it is 50M. So i just cropped the 2.
Next try: I wrote the "250M" starting at 0x0006 and once more deleted the newly created system.inf.
The scope autocreated a new /dso/root/system.inf as a kind of template with the speed "250M" added (see attachment). 
So to complete the hacking process You will also have to change the eeprom contents as follows:

1 .Download the compiled i²c tools from my  github and save them to a flash drive.

2. Open the scope and start a terminal as described in pt. 3 of my Hacking guide

3. Run the following instructions

--- Code: ---cd /mnt/udisk/usr/local/sbin
cat 250M | ./eeprog /dev/i2c-0 0x50 -f -w 0x0006 -16
./eeprog /dev/i2c-0 0x50 -f -w 0x0000:16 -16
--- End code ---
(The file 250M just contains the string "250M" without any control signals what makes it easier than an echo instruction)

4. The last output should now show the hex values for 250M like this:

--- Code: ---0000| 00 00 00 00 00 00 32 35    30 4d 00 00 00 00 00 00
--- End code ---
The scope should now be hacked completely and should be safe for future updates.  :-DD

[/list]


--- Quote from: Muellmann on September 30, 2019, 07:13:34 pm ---
I will compare with a calibrated 200MHz Agilent DSO I have at work and will come back after this measurements with more pictures.


--- End quote ---

I am really interested in the results!

Microcheap:
I don't think that any change in the EEPROM is needed to change the BW. I measured the rise time of a pulse signal and used it to calculate the bandwidth of the scope with only the system.inf modification and the results are clear.

First, the original 100MHz, the rise time is about 3.5ns, calculating BW=0.35/trise => 100MHz


Now changing only the system.inf file to 250MHz, the rise time is clearly faster, about 2ns. Note that if solving the equation above the BW is only 175MHz, but that is a limitation of the pulse of my generator, I would need a faster pulse


Obs. Measured connecting the pulse of the sync output of my function generator to the oscilloscope using coax cable and a 50ohm feedthrough in the scope input.

W1ZZT3XX:
Sorry if i misexpressed myself.   :palm:

I did not want to claim, that it changes the bandwith, because this is indeed only done by changing the Model value of system.inf.

My thought was another one:
If I was the vendor of those DSOs, I'd try to do something against hacking in some update-
My personal way would be to reset the samplerate to the one from the EEPROM and lock the serial port. So I saw it as a kind of "preventive measure" againt upcoming anti-hacking software updates, because now the DSO even to the software looks like a real DSO4254B/C and i can keep it updatable.

As You can see in the screenshot below that was taken before the EEPROM hack it was the same for me - rise time about 2ns (It is the ADC CLK signal @ 200 MHz)

Navigation

[0] Message Index

[#] Next page

[*] Previous page

There was an error while thanking
Thanking...
Go to full version
Powered by SMFPacks Advanced Attachments Uploader Mod