Update on #594: figured out how to make the scope run patched code, ignoring the signatures (inspired by https://github.com/giacomoferretti/odex-patcher).
The trick is that besides the installed apk, there is also precompiled code generated on install (odex), which, having root permissions, can be replaced and used without signature verification. Also, this is relatively safe and can be reverted: simply reinstalling the app will recreate those files.
Step by step, how to update the odex file:
# push patched apk to the device
adb push Auklet.apk /sdcard/Download/base.apk
# login onto the device as root (needed for dex2oat to work)
adb root
adb shell
# on the device generate odex file from the patched code, using arguments similar to those found in the original odex file
cd /sdcard/Download
dex2oat --instruction-set=arm64 --instruction-set-variant=cortex-a53 --instruction-set-features=default --compiler-filter=verify-profile --dex-file=base.apk --oat-file=base.odex
# pull generated odex file from the device for patching dex hashes in it
adb pull /sdcard/Download/base.odex
# to make android use the new odex file, we need to replace the file hashes for the dex files in it (so it is not re-generated)
# crc32 hashes before code changes
# b09a1260 classes.dex
# 5ebcb7e4 classes2.dex
# after code changes
# b0aabf7e classes.dex
# 23e082b5 classes2.dex
# using some hex editor, this would be two replacements in odex file
# 7ebfaab0 -> 60129ab0
# b582e023 -> e4b7bc5e
# (if there are multiple places with this data - the ones to change should be close together, at the beginning of the file, near ".dex", in my case however there was just one entry… for more "reliable/correct" approach - check odex-patcher code mentioned above for references about odex file format)
# push patched odex file back (using a different file name to avoid replacing the original with bad permissions)
adb push base.odex /data/app/com.rigol.scope-1/oat/arm64/base1.odex
# on the device, list files in the target folder to see the ownership
ls -la /data/app/com.rigol.scope-1/oat/arm64/base.odex
# -rw-rw---- 1 system u0_a31000 15172224 2023-12-25 21:05 /data/app/com.rigol.scope-1/oat/arm64/base.odex
# change owner for added file to match original
chown system:u0_a31000 /data/app/com.rigol.scope-1/oat/arm64/base1.odex
# replace the original odex file
mv /data/app/com.rigol.scope-1/oat/arm64/base1.odex /data/app/com.rigol.scope-1/oat/arm64/base.odex
# done, restart the app/scope to see the changes
This made the changes mentioned in the original post appear in the UI.
However, the 50Ω impedance switch, while visible and clickable, did not work, because checks in libscope-auklet.so also block it.
Looking into libscope using Ghidra (https://ghidra-sre.org/), I found some interesting usages of _Z20API_GetProductSeriesv.
For 50Ω input specifically, _ZN12CApiVertical23ApiChannel_SetImpedanceEj was easy to patch:
# find & replace in a hex editor (added a prefix to make it unique in the file)
f30300aa6ccefc971f0800710101005499e1fc971f401f71
f30300aa6ccefc971f0800710101005499e1fc9706000014
Using the same approach, pushed the patched libscope file to the device:
# push the patched file to apk install location
adb root
adb push libscope-auklet.so /data/app/com.rigol.scope-1/lib/arm64/libscope-auklet.so
# fix permissions in adb shell
chown system:u0_a31000 /data/app/com.rigol.scope-1/lib/arm64/libscope-auklet.so
After restarting the scope, toggling of the input impedance appeared to work (the relay does click, and the DC offset was also corrected after running self-calibration).
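An added example, not code from this post or from odex-patcher, that automates the check the post does by hand in a hex editor: it computes the CRC32 of each classes*.dex inside an APK and scans an odex for the little-endian encoding of those values, so one can verify whether an installed odex actually belongs to the installed apk (a dex whose checksum is absent means ART will reject or regenerate the odex, or that the odex was built against, or edited to match, different dex files). The byte scan is the same heuristic the post uses; a real oat header stores the checksum in a defined dex-file entry, which odex-patcher parses. The sample APK, the sample dex payloads and `build_sample_odex` are constructed for the demo and mimic only the layout needed here; `ORIGINAL_CRCS` reuses the two values quoted in the post.

```python
import io
import struct
import zipfile
import zlib

# Values quoted in the post for the unmodified classes.dex / classes2.dex.
ORIGINAL_CRCS = {"classes.dex": 0xB09A1260, "classes2.dex": 0x5EBCB7E4}

# Constructed dex payloads (not real dex files) used to build a sample APK.
SAMPLE_DEX = {
    "classes.dex": b"dex\n035\x00" + b"sample-main-dex-payload",
    "classes2.dex": b"dex\n035\x00" + b"sample-secondary-dex-payload",
}


def dex_checksums(apk_bytes):
    """Return {name: crc32} for every classes*.dex inside an APK (a zip)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if name.startswith("classes") and name.endswith(".dex"):
                out[name] = zlib.crc32(zf.read(name)) & 0xFFFFFFFF
    return out


def le_bytes(crc):
    """Little-endian encoding as it appears in the odex: 0xb09a1260 -> 60 12 9a b0."""
    return struct.pack("<I", crc)


def find_checksum_offsets(odex_bytes, crc):
    """All offsets where the little-endian CRC occurs (heuristic byte scan, as in the post)."""
    needle = le_bytes(crc)
    offsets, start = [], 0
    while True:
        i = odex_bytes.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def check_odex_matches(apk_bytes, odex_bytes):
    """For each dex in the APK, report its CRC32 and where (if anywhere) it occurs in the odex.
    An empty offset list is the mismatch case: this odex does not describe that dex."""
    report = {}
    for name, crc in dex_checksums(apk_bytes).items():
        report[name] = {"crc32": f"{crc:08x}",
                        "offsets": find_checksum_offsets(odex_bytes, crc)}
    return report


def build_sample_apk(dex_payloads):
    """Constructed APK: a stored zip containing the given classes*.dex entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in dex_payloads.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_odex(crcs):
    """Constructed stand-in for an odex: 'oat\\n' magic, padding, then each dex name
    followed by its little-endian checksum (mimics only the layout this demo needs)."""
    body = b"oat\n" + b"\x00" * 28
    for name, crc in crcs.items():
        body += name.encode() + b"\x00" + le_bytes(crc)
    return body + b"\xff" * 64


if __name__ == "__main__":
    apk = build_sample_apk(SAMPLE_DEX)
    matching = build_sample_odex(dex_checksums(apk))
    stale = build_sample_odex(ORIGINAL_CRCS)  # built for different dex files
    print("matching odex:", check_odex_matches(apk, matching))
    print("stale odex:   ", check_odex_matches(apk, stale))
```

For a real device, feed the bytes of the installed base.apk and the corresponding oat/arm64/base.odex; a dex whose checksum is found once near the start of the file is the normal case, and a dex with no hit is the mismatch the post works around by editing the checksum.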