Hacking the HDO1k/HDO4k Rigol 12 bit scope

[2N3055]

It seems the new HDO software is prepared for the following devices:   

HDO1052  HDO2104  HDO4104  MSO8064  MSO8064A  DS70104
HDO1054  HDO2204  HDO4204  MSO8104  MSO8104A  DS70204
HDO1072           HDO4304  MSO8204  MSO8204A  DS70304
HDO1074           HDO4404           MSO8304A  DS70404
HDO1102           HDO4504                     DS70504
HDO1104           HDO4804
HDO1202
HDO1204

 MSO8304A hmm..

so MSO8000A and up to 3GHz.

And also MSO8000... does that mean that existing MSO8000 will be able to upgrade to new platform?
And MS8000A will exist in parallel with it? Is MSO8000A different package (larger screen or whatnot) or maybe also higher bit count...?

Interesting questions...

[AlphaRne]

Hi,
here is my tool to dump the FRAM ... it contains the system setup, the private mem file data (license stuff like install tries and the key data once more) and the binary device config.
I also made a license key generator to pretty much enable any option .... no idea if its ok to post that code here though ...

[bob808]

Looked through the dts file and found some ADC mentions. RK3399 should have one or two integrated ones. But I can't figure out which are the Rigol ones.
I noticed there's a ADC128D818 as well onboard, a 12bit 8ch ADC. Has two lines going to a connector.

[Fungus]

I also made a license key generator to pretty much enable any option .... no idea if its ok to post that code here though ...

Of course it is. Look at how many "hacking" threads there are here ... and how many "hacking" videos Dave's done.

[dschiedsch]

Hi,
here is my tool to dump the FRAM ... it contains the system setup, the private mem file data (license stuff like install tries and the key data once more) and the binary device config.
I also made a license key generator to pretty much enable any option .... no idea if its ok to post that code here though ...

Worked like a charm
Here are the commands i used to cross compile on my windows machine

Code: [Select]

go mod init .\fRAMdump.go
go mod tidy
$Env:GOOS = "linux"; $Env:GOARCH = "arm64"
go build fRAMdump.go
Then an adb push to the machine
set the execute bits and run as root

[Fungus]

Then an adb push to the machine

It works with ADB? 

How long before we see DOOM running on one?

[bob808]

DOOM? More like GTA Vice City or even a flight simulator (with all those knobs on the front panel?). That RK3399 chip has (a bit) better graphics than the Raspberry Pi 4 BCM2711.

[dschiedsch]

Then an adb push to the machine

It works with ADB? 

How long before we see DOOM running on one?

Yes on port 55555 via ethernet
Including root via su cmd (no password)

[Fungus]

It works with ADB? 

Yes on port 55555 via ethernet
Including root via su cmd (no password)

So these things are 100% hackable/programmable.

Market, owned.

[bob808]

curious if adding a second ADC is possible on the 1k series. the power rails are off the shelf parts but the ADC itself...

[thm_w]

curious if adding a second ADC is possible on the 1k series. the power rails are off the shelf parts but the ADC itself...

You can't and won't be able to buy the ADC.
The only option was as mentioned, here or another thread, buy another HDO1k for $700.

[AlphaRne]

Here is the lic gen ... just needs the key file from the device to work ....
The device id being field 0 is just a guess as the code ignores that field anyways ...

[bob808]

You can't and won't be able to buy the ADC.
The only option was as mentioned, here or another thread, buy another HDO1k for $700.

the ADC could be sourced from broken units, but apart from sourcing it what else would be an issue? apart from populating the missing rails as well.

[Fungus]

the ADC could be sourced from broken units

And the "broken units" come from ... where?

but apart from sourcing it what else would be an issue?

Nothing, but it's a BIG issue. 

[bob808]

Ah clearly, no easy feat. I was just curious if it's doable as long as you can source the ADC chip. I mean if it's doable software side.

[Fungus]

Ah clearly, no easy feat. I was just curious if it's doable as long as you can source the ADC chip. I mean if it's doable software side.

I don't think anybody tried it yet, but ...

If I was a betting person I'd put my money on it being possible.

[tv84]

Here is the lic gen ... just needs the key file from the device to work ....
The device id being field 0 is just a guess as the code ignores that field anyways ...

Assuming Alpha is correct (I see no reason why he's not) this is THE BIGGEST BLUNDER I've seen from Rigol ever! I'm flabbergasted!!!

OTOH, if this is a marketing scheme then, you can all be sure that the next step will be Rigol selling their ADC individually for those that want to complete the HW conversion! Mark my words.

[Fungus]

OTOH, if this is a marketing scheme

It is.

Android has security built-in at the flick of a switch. There's no reason not to enable it other than "marketing".

you can all be sure that the next step will be Rigol selling their ADC individually for those that want to complete the HW conversion! Mark my words.

Very unlikely.

[tv84]

Here is the lic gen ... just needs the key file from the device to work ....
The device id being field 0 is just a guess as the code ignores that field anyways ...

AlphaRne, have you successfully tested these licenses?  (I still can't believe what you're saying they have done...)

Edit: If they work, in my book, someone ought to be fired. It's absolute incompetence from the programmer and the oversight guys. And people should start licensing ASAP before the next FW update...

There's no reason not to enable it other than "marketing".

I refuse to believe that. There are plenty of other ways of doing the programming (for marketing purposes). Not like this. I wouldn't like to have this on my résumé... 

[AlphaRne]

The lics work on my device.
At least the lic code looks kind of half baked judging from
the disassembly and they didn’t even bother to strip the symbols.
No idea on how well their other products are protected but this one
was def one of the easiest…

[doppelgrau]

Android has security built-in at the flick of a switch. There's no reason not to enable it other than "marketing".

Well, with security enabled it is easier to brick a device.
Maybe no one wanted to take that responsibility, or it was "this version works, no changes, we ship it".

Yes, security against hacking is clearly not high on the priority list, but in my eyes not a hint, that it was purpose.

[tv84]

AlphaRne,

This is my parsing of the FRAM that I have access:

Code: [Select]

00000000  Block_0 CRC32: 530E7D6A  [00000008-0000008B]  CRC OK
00000004  Block_0  Size: 00000084 bytes
00000100  Block_1  Size: 000000B0 bytes  [00000100-000001AF]  CKSM OK
-------------------------------------------------------------
00000108  Option: 0000091D  CKSM OK
00000110  Option Size: 00000094 bytes  CKSM OK
00000118  Option CRC32: 06131D97  [0000011C-000001AF]  CRC OK
Key.data: brainpoolP256r1;04xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------------------------------------------------------
00000800  Block_2 CRC32: 7BAF99DF  [00000808-00001143]  CRC OK
00000804  Block_2  Size: 0000093C bytes
-------------------------------------------------------------
00000808  001C 0004 0109  DataSz: 003C BlockSz: 0040  [00000814-00000853]
00000854  000B 0011 002F  DataSz: 002F BlockSz: 0030  [00000860-0000088F]
00000890  0128 0001 0001  DataSz: 0001 BlockSz: 0001  [0000089C-0000089C]
0000089D  011A 00F0 001F  DataSz: 001F BlockSz: 001F  [000008A9-000008C7]
000008C8  0004 0002 004C  DataSz: 0020 BlockSz: 0020  [000008D4-000008F3]
000008F4  0003 0002 004C  DataSz: 0020 BlockSz: 0020  [00000900-0000091F]
00000920  0002 0002 004C  DataSz: 0020 BlockSz: 0020  [0000092C-0000094B]
0000094C  0001 0002 0054  DataSz: 0021 BlockSz: 0030  [00000958-00000987]
00000988  001C 0004 0109  DataSz: 0037 BlockSz: 0040  [00000994-000009D3]
000009D4  001D 0001 0029  DataSz: 001F BlockSz: 0020  [000009E0-000009FF]
00000A00  011E 0002 001F  DataSz: 001F BlockSz: 001F  [00000A0C-00000A2A]
00000A2B  0016 0001 00B2  DataSz: 0040 BlockSz: 0040  [00000A37-00000A76]
00000A77  0015 0003 0078  DataSz: 0030 BlockSz: 0030  [00000A83-00000AB2]
00000AB3  002A 0006 01B2  DataSz: 006E BlockSz: 0070  [00000ABF-00000B2E]
00000B2F  002B 0006 0192  DataSz: 006C BlockSz: 0070  [00000B3B-00000BAA]
00000BAB  002C 0006 0192  DataSz: 006C BlockSz: 0070  [00000BB7-00000C26]
00000C27  002D 0006 0192  DataSz: 006C BlockSz: 0070  [00000C33-00000CA2]
00000CA3  0011 0005 00C8  DataSz: 0066 BlockSz: 0070  [00000CAF-00000D1E]
00000D1F  0012 0005 00C8  DataSz: 0066 BlockSz: 0070  [00000D2B-00000D9A]
00000D9B  0013 0005 00C8  DataSz: 0066 BlockSz: 0070  [00000DA7-00000E16]
00000E17  0014 0005 00C8  DataSz: 0066 BlockSz: 0070  [00000E23-00000E92]
00000E93  0029 0003 0552  DataSz: 00A1 BlockSz: 00B0  [00000E9F-00000F4E]
00000F4F  002F 0011 0049  DataSz: 0037 BlockSz: 0040  [00000F5B-00000F9A]
00000F9B  010C 0001 0015  DataSz: 0015 BlockSz: 0015  [00000FA7-00000FBB]
00000FBC  0123 0003 0008  DataSz: 0008 BlockSz: 0008  [00000FC8-00000FCF]
00000FD0  002E 0010 0034  DataSz: 0020 BlockSz: 0020  [00000FDC-00000FFB]
00000FFC  000E 0010 0030  DataSz: 0023 BlockSz: 0030  [00001008-00001037]
00001038  011B 000D 0010  DataSz: 0010 BlockSz: 0010  [00001044-00001053]
00001054  0019 0005 01F6  DataSz: 0023 BlockSz: 0030  [00001060-0000108F]
00001090  001F 0003 0050  DataSz: 002E BlockSz: 0030  [0000109C-000010CB]
000010CC  003A 0003 005F  DataSz: 002A BlockSz: 0030  [000010D8-00001107]
00001108  000A 0005 005C  DataSz: 0026 BlockSz: 0030  [00001114-00001143]

Do you know what are the UInt16 fields in the Block2? Do you know if their data contents has any XXTEA encryption or other?

[bob808]

if they have good control over their ADC chips then what features exactly would a user be able to get extra from software hacking? what is their sales risk vs reward? most of this type of hacking (especially the hardware one) would be done by hobbyists which wouldn't shell the big bucks for higher end models anyway. giving them a taste for higher end options might help overall.
I see this as an interesting experiment and curious how it's going to play out. let's not blast them for making it easy for us, I don't think it's productive.

[Fungus]

I see this as an interesting experiment and curious how it's going to play out. let's not blast them for making it easy for us, I don't think it's productive.

They've been doing it for a long time now.

The MSO5000 has been hackable since day one, the DS1054Z too.

Sales of both would definitely have been significantly lower if they hadn't allowed hacking.

Before that it was the DS1052E...



etc., etc.

Rigol management for sure knows all about it and obviously told the engineers not to lock anything down. Anybody who can't see that might want to make an appointment with the optician.

PS: There's a DS1000Z variant that is locked down - the one with the built-in AWG. They obviously decided not to let anybody have that for free, then repented with the MSO5000 and allowed it again.

[2N3055]

if they have good control over their ADC chips then what features exactly would a user be able to get extra from software hacking? what is their sales risk vs reward? most of this type of hacking (especially the hardware one) would be done by hobbyists which wouldn't shell the big bucks for higher end models anyway. giving them a taste for higher end options might help overall.
I see this as an interesting experiment and curious how it's going to play out. let's not blast them for making it easy for us, I don't think it's productive.

Hacking of these devices would have same usefulness like it did with old Riglol: you could buy cheapest MSO1074 and unlock bandwidth to full 200MHz and all optional features that MSO1000 platform has. If a simple license generator (like Riglol) is available than it would be low (zero) risk for home users and would be done en masse..
These scopes are not exactly DS1000Z cheap though, so market will still be much smaller.

I don't see conversion from  MSO1000 to MSO4000 as something that would be done by more than few daredevils.

It also remains to be seen it this "too easy hack" was a gaffe by Rigol and will be patched ASAP.
If they don't then they might be counting on this "advantage" and are happy to sell the scope at lowest price..