Author Topic: Hacking the HDO1k/HDO4k Rigol 12 bit scope  (Read 181729 times)


Online skander36

  • Frequent Contributor
  • **
  • Posts: 782
  • Country: ro
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #500 on: August 10, 2023, 01:39:38 pm »
I have to agree, I have the MSO5074, and would like to have 12 bit to play around with. If it goes on sale here in the USA, I would have to consider it. The 10.1" display, low noise and hi resolution acquisition would be worth it to me. Plus, I have a 10mhz reference I could finally use outside a frequency counter  :)

DHO1000 should be available for purchasing through Rigol NA. https://www.rigolna.com/products/digital-oscilloscopes/dho1000/
I purchased mine also through Rigol EU.
 

Offline fumitti

  • Newbie
  • Posts: 8
  • Country: jp
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #501 on: August 12, 2023, 04:21:12 am »
I also bought it from that JP Amazon deal. 8)

Key.data or similar data stored in fRAM is required to generate the optional installation code.
However, it is not required to change the model.

Looking into the software, it seems that if key.data or vendor.bin exists, it refers to it first, and if not, it reads the value from fRAM.
So, there should be no bricking if you make a mistake in rewriting these files. :-/O

The structure of vendor.bin and fRAM has been explained by a pioneer, so it is omitted.
We also have a nice set of tools.

This is the contents of a vendor.bin decrypted.

And the contents of the decompiled dts file.

Refreshing the FRAM dump...

Hi,
here is my tool to dump the FRAM ... it contains the system setup, the private mem file data (license stuff like install tries and the key data once more) and the binary device config.
I also made a license key generator to pretty much enable any option .... no idea if its ok to post that code here though ...

And here is my tool to decode key and vendor file.
« Last Edit: August 12, 2023, 04:23:31 am by fumitti »
 
The following users thanked this post: x33yp

Offline Syncronisator

  • Newbie
  • Posts: 1
  • Country: de
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #502 on: August 12, 2023, 05:18:56 am »
Hello specialists :-+

Would anybody who owns the HDO/DHO4K and mastered the "upgrade" like user "dschiedsch" did have the mercy to create a "step by step manual" for Android-noobs like me?

In the MSO5000 thread was a perfect one: https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg3105598/#msg3105598

I connected the MSO via Ethernet and USB and tried to connect the device.

The Web Control is accessible via browser, and when I try to connect the MSO via adb, PowerShell shows me "connected".

But when I type "adb devices" there is only an emulator-5562 that is offline. This is my first thread here so please be patient ;)


EDIT 08/15/:

Finally I was able to upgrade following this thread: https://www.eevblog.com/forum/testgear/hacking-the-hdo1khdo4k-rigol-12-bit-scope/msg4793000/#msg4793000

a BIG THX anyway!!!
« Last Edit: August 15, 2023, 06:23:43 pm by Syncronisator »
 
The following users thanked this post: vindoline

Offline sintoodio

  • Newbie
  • Posts: 5
  • Country: br
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #503 on: August 12, 2023, 02:37:32 pm »
Wow, 480 USD! That would be an instant buy for me.

Hello?
 

Offline tonywood

  • Contributor
  • Posts: 11
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #504 on: August 19, 2023, 02:39:27 am »
The deal from Japan is about $600 after shipping for HDO1072. $480 would be nice!
 

Offline JCK

  • Contributor
  • Posts: 12
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #505 on: August 28, 2023, 08:40:00 pm »
I just purchased the HDO1074 from TEquipment. I requested a quote using the EEVBlog discount code; the quote I received was the same as the list price on their website, $999.00, in other words no discount? However, they had a promotion going so you get a free bandwidth upgrade from 70MHz to 100MHz. Not too useful if you can hack it up to 200MHz as well as hack the memory upgrade too.
My question is: should I apply the upgrade hacks before or after upgrading the firmware to 2.07 or does it matter?

Thanks again to everyone who has made this hack possible.

John Kennedy
« Last Edit: August 28, 2023, 08:41:36 pm by JCK »
 

Online skander36

  • Frequent Contributor
  • **
  • Posts: 782
  • Country: ro
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #506 on: August 28, 2023, 08:57:43 pm »
...
My question is: should I apply the upgrade hacks before or after upgrading the firmware to 2.07 or does it matter?

Thanks again to everyone who has made this hack possible.

John Kennedy

It doesn't matter.
The hack generates valid option codes for you to insert into the scope, as you do with the official codes.
 

Offline JCK

  • Contributor
  • Posts: 12
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #507 on: August 31, 2023, 08:06:34 pm »
Received my HDO1074 from TEquipment today.  Applied the upgrade hack, very smooth and quick no problems.  Updated the firmware to 2.07 all is well.  I'll spend some time now getting familiar with the scope.  Many thanks to all the contributors here for all your hard work making this possible.

John
 

Offline JCK

  • Contributor
  • Posts: 12
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #508 on: August 31, 2023, 08:50:56 pm »
Ok, now I'm messing with the fan speed as suggested by markone.  My scope is running in a cool basement so what would be a practical pwm value for the fan in this case?

John
 

Offline steradian

  • Newbie
  • Posts: 5
  • Country: us
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #509 on: September 15, 2023, 08:32:03 pm »
I bought a 1074 recently and am attempting to upgrade it. I use Macs 99% of the time and am not very familiar with the Terminal commands in even that OS, so I am pretty much blindly following instructions at this point. I installed adb on my desktop, connected my PC and scope with a crossover cable, determined the IP address, and then tried to send the first command detailed in Reply #457 but it didn't connect. I am probably making a silly beginner error but I can't figure out what it is.

« Last Edit: September 15, 2023, 08:35:04 pm by steradian »
 

Online skander36

  • Frequent Contributor
  • **
  • Posts: 782
  • Country: ro
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #510 on: September 15, 2023, 09:58:39 pm »
Configure the DHCP on your router to give the correct IP address and gateway to clients.
 

Offline EEVblog

  • Administrator
  • *****
  • Posts: 38019
  • Country: au
    • EEVblog
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #511 on: September 23, 2023, 02:57:33 am »
Should there be a new thread for hacking the DHO800/900?
Is it sufficiently different with the SD card to have its own thread?
 

Online skander36

  • Frequent Contributor
  • **
  • Posts: 782
  • Country: ro
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #512 on: September 23, 2023, 07:28:46 am »
Should there be a new thread for hacking the DHO800/900?
Is it sufficiently different with the SD card to have its own thread?
For software I see no difference, maybe from hardware perspective (adding LA connector, NAND chips, etc.).
« Last Edit: September 24, 2023, 09:17:04 pm by skander36 »
 
The following users thanked this post: NE666

Offline NE666

  • Regular Contributor
  • *
  • Posts: 79
  • Country: gb
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #513 on: September 23, 2023, 08:43:22 am »
I agree with skander36, in that I think you should at least distinguish hardware hacks (i.e folks bleating about fan noise ad nauseam) from firm/software.
« Last Edit: September 23, 2023, 08:45:09 am by NE666 »
 

Offline x33yp

  • Newbie
  • Posts: 4
  • Country: jp
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #514 on: October 01, 2023, 10:33:16 pm »
Hey Fumitti,

I also just bought a 1074 from Amazon, thanks to everyone for sharing information about this deal.
My unit has not yet arrived, I am curious to attempt the 1074 to 4204 4408 4804 mod (in addition to the license unlock mods on the standard 1074).
The unit has not arrived yet so I am still a little unsure about some things, but I am curious to better understand.
I am guessing the vendor.bin is in the partition accessible either via ADB or by the serial console header ?
Also does one need to modify values associated with E_CFG_MODEL_RAW and also E_CFG_SN_RAW (are both necessary?) as shown in https://www.eevblog.com/forum/testgear/hacking-the-hdo1khdo4k-rigol-12-bit-scope/msg4501150/#msg4501150
Also what about the CRC32? I don't think I saw anything here discussing how to compute a new CRC32 and no one has shared working values.

Lastly I saw you said in another comment that only channel one was working for you now, but you believed the UI was saying you had full 800mhz bandwidth.
In many other comments people were speculating that the ADC's were being time multiplexed to get the 4 Msps on a single channel, but your experience seems to indicate they may not be being time multiplexed, but split between channels. You even speculated that on the 1074, perhaps only channels 1 and 3 will work.
Am I correct to understand that you did not see any weird aliasing artifacts when running at 800Mhz, that might result from time multiplexing with a missing ADC if every other sample was incorrect?
This is good news I think, as perhaps it may mean that the front end is not strapped in hardware to multiplex the signal between the two ADC's, but rather the FPGA or MCU is telling the front end which ADC to send data to.
I doubt it would ever happen but it gives some hope towards a Frankenscope with 1 channel 800Mhz support on the 1074 :)
It does make one wonder if on the 4804 they really do indeed have 4 Msps for a single channel or if that is just a marketing claim for when 2 channels are used each getting 2Msps.
If they aren't multiplexing the ADC's (which your success seems to indicate) I don't see how they could ever actually get 4Msps on a single channel on the 4804.

I also bought it from that JP Amazon deal. 8)

Key.data or similar data stored in fRAM is required to generate the optional installation code.
However, it is not required to change the model.

Looking into the software, it seems that if key.data or vendor.bin exists, it refers to it first, and if not, it reads the value from fRAM.
So, there should be no bricking if you make a mistake in rewriting these files. :-/O

The structure of vendor.bin and fRAM has been explained by a pioneer, so it is omitted.
We also have a nice set of tools.

This is the contents of a vendor.bin decrypted.

And the contents of the decompiled dts file.

Refreshing the FRAM dump...

Hi,
here is my tool to dump the FRAM ... it contains the system setup, the private mem file data (license stuff like install tries and the key data once more) and the binary device config.
I also made a license key generator to pretty much enable any option .... no idea if its ok to post that code here though ...

And here is my tool to decode key and vendor file.
« Last Edit: October 01, 2023, 10:38:03 pm by x33yp »
 

Offline x33yp

  • Newbie
  • Posts: 4
  • Country: jp
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #515 on: October 02, 2023, 04:48:23 am »
I'm planning to upgrade my unit to 2.07 as it is the latest firmware I have seen people commenting on being able to successfully get root access.
Is the "firmware repo" that oliv3r mentioned publicly accessible and can anyone share the link?
Alternatively, the latest firmware from Rigol appears to be DHO1000-DHO4000(software)Updatev00.02.11. Has anyone applied this and confirmed there is still root access via adb or onboard serial header?


I tried archive.org from rigol.eu but it seems they didn't capture any of the files.
V00.02.07
https://web.archive.org/web/20230604034457/https://rigol.eu/Public/Uploads/uploadfile/files/20230517/20230517221041_6464e0615a7c5.zip   (4K file)
https://web.archive.org/web/20230604034457/https://rigol.eu/Public/Uploads/uploadfile/files/20230517/20230517221431_6464e1473650a.zip   (1K file)
V00.02.04
https://web.archive.org/web/20230128225108/https://rigol.eu/Public/Uploads/uploadfile/files/20230109/20230109182046_63bbea7e0d543.rar   (4K file)

If anyone has the 2.07 1K or 4K file I'd appreciate a link :)

I just spotted a FW .GEL file in the scope filesystem (HDO4000Update.GEL) :

dunno if this come with the instrument or it was downloaded by the scope first time it went online.

Looking at FPGA bin filenames and  readme.txt content it seems my scope mount an XC7A100T FPGA model.

Can you send me all those files so I can add it to the firmware repo? thanks!

(I think the update file will contain everything else, but the 'build_gel.sh' script also looks _very_ interesting to me :)
« Last Edit: October 02, 2023, 05:03:39 am by x33yp »
 

Offline trinacria

  • Contributor
  • Posts: 22
  • Country: us
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #516 on: October 02, 2023, 05:51:47 am »
Alternatively, the latest firmware from Rigol appears to be DHO1000-DHO4000(software)Updatev00.02.11. Has anyone applied this and confirmed there is still root access via adb or onboard serial header?

I've upgraded my DHO1074's firmware to version 00.02.11 and I still have root access (adb over LAN) and all features "unlocked".
« Last Edit: October 02, 2023, 05:55:06 am by trinacria »
 
The following users thanked this post: x33yp

Online skander36

  • Frequent Contributor
  • **
  • Posts: 782
  • Country: ro
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #517 on: October 02, 2023, 09:02:26 am »

If anyone has the 2.07 1K or 4K file I'd appreciate a link :)


You can update to last version (2.11) without problems.
I have 2.07 (76 MB) fw but I suggest to get directly the last version. You can also downgrade anytime.
 
The following users thanked this post: x33yp

Offline fumitti

  • Newbie
  • Posts: 8
  • Country: jp
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #518 on: October 04, 2023, 06:36:12 am »
Hello x33yp

The Vendor.bin file resides in /rigol/data/.
It is accessible via ADB (or other shell access).
I think you can change E_CFG_MODEL_RAW and you should be fine.
As for CRC32, you need to calculate it well.
That calculation can be performed by the IEEE polynomial implementation.
As for the channel topic, I haven't investigated that much, just confirming that the various functions are working to some extent.
However, from what I have investigated, it does not work correctly when 1 and 2 channels are enabled at the same time.

I am posting this in machine translation, so sorry if it is hard to read.
Since you seem to be from Japan, we can talk in Japanese via DM.
 
The following users thanked this post: thm_w, x33yp

Offline trinacria

  • Contributor
  • Posts: 22
  • Country: us
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #519 on: October 10, 2023, 07:43:32 pm »
And here is my tool to decode key and vendor file.

I modified your tool so it can change the vendor.bin file, but I've only just barely started testing what the effects are.

However, as I wrote earlier, this simple hack will adversely affect a significant portion of the system (halving the available CHs, etc.).
Besides that, it can even cause irreversible damage to the hardware.

WARNING: This is a tool to help with developing new hacks. Be careful with it. You have to uncomment some code for it to do anything.

It will be interesting to see what happens when the same hack is performed on the 1074.
I think that 1 and 3 channels may work when the hack is performed on the 1074.

Update: I changed the model in vendor.bin from HDO1074 to HDO4804. Here's what I found:
  • None of the 50Ω inputs seem to work, even though the relays click into position and measure 50Ω with a multimeter. All subsequent tests performed with 1MΩ inputs.
  • Using one channel at a time, all 4 channels work well enough to trigger on the probe compensation square wave.
  • Two channels can sort of "work" together, but triggering seems disabled. Looks like there might be some weird aliasing or glitches.
  • I unlocked the other apps (like power analysis, etc), then changed it back to HDO1074, but the apps didn't stay enabled.
« Last Edit: October 11, 2023, 03:39:44 am by trinacria »
 
The following users thanked this post: thm_w, skander36, fumitti, x33yp

Online skander36

  • Frequent Contributor
  • **
  • Posts: 782
  • Country: ro
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #520 on: October 10, 2023, 11:03:34 pm »
...
Thanks! I modified your tool so it can change the vendor.bin file. I was able to change the model number from HDO1074 to HDO4804, but I've only just barely started testing what it actually unlocks. Posting the file here for anyone feeling adventurous, but be warned that I have no idea if it will break your scope. Don't use it except to explore how to unlock more features.
It doesn't change my model!
Nothing happened with the scope after pushing the generated vendor.bin.
JSON attached.
« Last Edit: October 11, 2023, 03:15:35 pm by skander36 »
 

Offline trinacria

  • Contributor
  • Posts: 22
  • Country: us
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #521 on: October 11, 2023, 12:45:12 pm »
It doesn't change my model!
Nothing happened with the scope after pushing the generated vendor.bin.

Please don't use it blindly like that. I updated my post to clarify that it's a tool to help you develop new hacks. It contains example code for changing the model number, but it doesn't do that by default. If you had done a diff of the binaries, you would have seen they were identical, which is why nothing changed. Generating the same output as the input is a sanity check.
« Last Edit: October 11, 2023, 02:20:15 pm by trinacria »
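
An added illustration, not code from any post in this thread, of the two checks mentioned above: CRC-32 with the IEEE polynomial, and the byte-for-byte diff used as a round-trip sanity check. The sample bytes are constructed and say nothing about the real vendor.bin layout; all function and constant names are hypothetical.

```python
import zlib

# Reflected (LSB-first) form of the IEEE 802.3 polynomial 0x04C11DB7.
IEEE_POLY_REFLECTED = 0xEDB88320


def crc32_ieee(data: bytes) -> int:
    """Bitwise CRC-32/IEEE: init 0xFFFFFFFF, reflected, final XOR 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (IEEE_POLY_REFLECTED if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None when the blobs are identical."""
    for offset, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return offset
    if len(a) != len(b):
        return min(len(a), len(b))  # one blob is a prefix of the other
    return None


def round_trip_report(original: bytes, regenerated: bytes, stored_crc: int) -> dict:
    """Compare a regenerated blob with its source and re-check a stored CRC."""
    crc = crc32_ieee(regenerated)
    return {
        "identical": original == regenerated,
        "first_diff": first_difference(original, regenerated),
        "crc_regenerated": crc,
        "stored_crc_still_valid": crc == stored_crc,
    }


# Constructed sample payload (an assumption for illustration only).
SAMPLE = b"MODEL=EXAMPLE-A;SN=CONSTRUCTED0001"
SAMPLE_CRC = crc32_ieee(SAMPLE)
EDITED = SAMPLE.replace(b"EXAMPLE-A", b"EXAMPLE-B")

if __name__ == "__main__":
    # The bitwise routine agrees with zlib, which uses the same IEEE parameters.
    print(hex(crc32_ieee(b"123456789")), hex(zlib.crc32(b"123456789")))
    # Decode then re-encode with no changes: output must equal input.
    print(round_trip_report(SAMPLE, bytes(SAMPLE), SAMPLE_CRC))
    # Any edit shows up in the diff and invalidates the stored CRC.
    print(round_trip_report(SAMPLE, EDITED, SAMPLE_CRC))
```

A report with `identical: True` is what an unmodified decode/encode round trip looks like; a stale stored CRC after an edit is the condition the CRC32 remark refers to.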
 

Online skander36

  • Frequent Contributor
  • **
  • Posts: 782
  • Country: ro
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #522 on: October 11, 2023, 03:15:11 pm »
It doesn't change my model!
Nothing happened with the scope after pushing the generated vendor.bin.

Please don't use it blindly like that. I updated my post to clarify that it's a tool to help you develop new hacks. It contains example code for changing the model number, but it doesn't do that by default. If you had done a diff of the binaries, you would have seen they were identical, which is why nothing changed. Generating the same output as the input is a sanity check.

Ok. You didn't say that, so I thought that it would change model number directly. My bad.
 

Offline trinacria

  • Contributor
  • Posts: 22
  • Country: us
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #523 on: October 11, 2023, 03:20:24 pm »
Ok. You didn't say that, so I thought that it would change model number directly. My bad.

What I said was it can change the vendor.bin file, and that I was able to change the model number. I also said it could break your scope. Then you ran a file literally called "create_dodgy_vendor_dot_bin.txt" without even trying to understand what it does, which is nuts. Plus, there's a section in the code called "Change the data" which is completely commented out.
« Last Edit: October 11, 2023, 04:00:03 pm by trinacria »
 

Online skander36

  • Frequent Contributor
  • **
  • Posts: 782
  • Country: ro
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #524 on: October 11, 2023, 04:22:20 pm »
Ok. You didn't say that, so I thought that it would change model number directly. My bad.

What I said was it can change the vendor.bin file, and that I was able to change the model number. I also said it could break your scope. Then you ran a file literally called "create_dodgy_vendor_dot_bin.txt" without even trying to understand what it does, which is nuts. Plus, there's a section in the code called "Change the data" which is completely commented out.

I inspected the code before, but without trying to understand every line. The code was supposed to just generate a file. But there is no problem from your side, I just want to inform you that there is no effect for my file. If you didn't intend to do that, you can stay cool. Even if you would want (hypothetically) to do harm with your code, I take all the responsibility myself. It's my problem. I can protect myself. So stay cool. Regards!
« Last Edit: October 11, 2023, 04:26:51 pm by skander36 »
 

