Author Topic: Hacking the HDO1k/HDO4k Rigol 12 bit scope  (Read 181731 times)


Online Dennis Frie

  • Contributor
  • Posts: 24
  • Country: dk
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #650 on: December 28, 2023, 03:34:38 pm »
Just compared the permissions on the 2 apks. Looks like the original apk pretty much just has full permission to everything :)

Original apk
Code: [Select]

    requested permissions:
      android.permission.CHANGE_WIFI_STATE
      android.permission.EXPAND_STATUS_BAR
      android.permission.READ_LOGS
      android.permission.SET_TIME
      android.permission.WRITE_EXTERNAL_STORAGE
      android.permission.ACCESS_NOTIFICATION_POLICY
      android.permission.CHANGE_CONFIGURATION
      android.permission.REBOOT
      android.permission.ACCESS_NETWORK_STATE
      android.permission.INTERNET
      android.permission.ACCESS_WIFI_STATE
      android.permission.CHANGE_NETWORK_STATE
      android.permission.CONNECTIVITY_INTERNAL
      android.permission.DISABLE_KEYGUARD
      android.permission.WAKE_LOCK
      android.permission.READ_FRAME_BUFFER
      android.permission.READ_PHONE_STATE
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.ACCESS_CACHE_FILESYSTEM: granted=true
      android.permission.WRITE_SETTINGS: granted=true
      android.permission.CONFIGURE_WIFI_DISPLAY: granted=true
      android.permission.CONFIGURE_DISPLAY_COLOR_MODE: granted=true
      android.permission.ACCESS_WIMAX_STATE: granted=true
      android.permission.RECOVERY: granted=true
      android.permission.USE_CREDENTIALS: granted=true
      android.permission.MODIFY_AUDIO_SETTINGS: granted=true
      android.permission.ACCESS_CHECKIN_PROPERTIES: granted=true
      android.permission.ACCESS_NOTIFICATION_POLICY: granted=true
      com.rigol.watchdog.have.new.app: granted=true
      com.rigol.watchdog.have.new.sys: granted=true
      android.permission.INSTALL_LOCATION_PROVIDER: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.CLEAR_APP_USER_DATA: granted=true
      android.permission.INSTALL_PACKAGES: granted=true
      android.permission.NFC: granted=true
      android.permission.CHANGE_NETWORK_STATE: granted=true
      android.permission.MASTER_CLEAR: granted=true
      android.permission.WRITE_SYNC_SETTINGS: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
      android.permission.PEERS_MAC_ADDRESS: granted=true
      android.permission.DEVICE_POWER: granted=true
      android.rockchip.update.permission.SHOW_UI: granted=true
      android.permission.EXPAND_STATUS_BAR: granted=true
      android.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS: granted=true
      android.permission.READ_PROFILE: granted=true
      android.permission.BLUETOOTH: granted=true
      android.permission.WRITE_MEDIA_STORAGE: granted=true
      android.permission.GET_TASKS: granted=true
      android.permission.INTERNET: granted=true
      android.permission.BLUETOOTH_ADMIN: granted=true
      android.permission.CONTROL_VPN: granted=true
      android.permission.MANAGE_FINGERPRINT: granted=true
      android.permission.MANAGE_USB: granted=true
      android.permission.INTERACT_ACROSS_USERS_FULL: granted=true
      android.permission.BATTERY_STATS: granted=true
      android.permission.PACKAGE_USAGE_STATS: granted=true
      android.permission.MOUNT_UNMOUNT_FILESYSTEMS: granted=true
      android.permission.TETHER_PRIVILEGED: granted=true
      android.permission.WRITE_SECURE_SETTINGS: granted=true
      android.permission.MOVE_PACKAGE: granted=true
      android.permission.STATUS_BAR_SERVICE: granted=true
      android.permission.READ_SEARCH_INDEXABLES: granted=true
      android.permission.ACCESS_DOWNLOAD_MANAGER: granted=true
      android.permission.BROADCAST_STICKY: granted=true
      android.permission.BLUETOOTH_PRIVILEGED: granted=true
      android.permission.HARDWARE_TEST: granted=true
      android.intent.category.MASTER_CLEAR.permission.C2D_MESSAGE: granted=true
      android.permission.BIND_JOB_SERVICE: granted=true
      android.permission.CONFIRM_FULL_BACKUP: granted=true
      android.permission.SET_TIME: granted=true
      android.permission.WRITE_APN_SETTINGS: granted=true
      android.permission.CHANGE_WIFI_STATE: granted=true
      android.permission.MANAGE_USERS: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
      android.permission.ACCESS_MTP: granted=true
      android.permission.DISABLE_KEYGUARD: granted=true
      android.permission.BACKUP: granted=true
      android.permission.CHANGE_CONFIGURATION: granted=true
      android.permission.USER_ACTIVITY: granted=true
      android.permission.READ_LOGS: granted=true
      android.permission.COPY_PROTECTED_DATA: granted=true
      android.permission.SET_WALLPAPER: granted=true
      android.permission.SET_KEYBOARD_LAYOUT: granted=true
      android.permission.KILL_BACKGROUND_PROCESSES: granted=true
      android.permission.USE_FINGERPRINT: granted=true
      android.permission.WRITE_USER_DICTIONARY: granted=true
      android.permission.READ_SYNC_STATS: granted=true
      android.permission.REBOOT: granted=true
      android.permission.OEM_UNLOCK_STATE: granted=true
      android.permission.MANAGE_DEVICE_ADMINS: granted=true
      android.permission.CHANGE_APP_IDLE_STATE: granted=true
      android.permission.SET_POINTER_SPEED: granted=true
      com.rigol.watchdog.business.process.crash: granted=true
      android.permission.MANAGE_NOTIFICATIONS: granted=true
      com.rigol.watchdog.update.app: granted=true
      com.rigol.watchdog.update.sys: granted=true
      android.permission.CONNECTIVITY_INTERNAL: granted=true
      android.permission.READ_SYNC_SETTINGS: granted=true
      android.permission.OVERRIDE_WIFI_CONFIG: granted=true
      android.permission.FORCE_STOP_PACKAGES: granted=true
      android.permission.HIDE_NON_SYSTEM_OVERLAY_WINDOWS: granted=true
      android.permission.ACCESS_NOTIFICATIONS: granted=true
      android.permission.VIBRATE: granted=true
      com.android.certinstaller.INSTALL_AS_USER: granted=true
      android.permission.READ_USER_DICTIONARY: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
      android.permission.CHANGE_WIMAX_STATE: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
      android.permission.MODIFY_PHONE_STATE: granted=true
      com.android.launcher.permission.INSTALL_SHORTCUT: granted=true
      android.permission.STATUS_BAR: granted=true
      android.permission.READ_FRAME_BUFFER: granted=true
      android.permission.LOCATION_HARDWARE: granted=true
      android.permission.WAKE_LOCK: granted=true
      android.permission.INJECT_EVENTS: granted=true
      android.permission.DELETE_PACKAGES: granted=true
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0

Shared users:
  SharedUser [android.uid.system] (6d90f1f):
    userId=1000
    install permissions:
      android.permission.ACCESS_CACHE_FILESYSTEM: granted=true
      android.permission.WRITE_SETTINGS: granted=true
      android.permission.CONFIGURE_WIFI_DISPLAY: granted=true
      android.permission.CONFIGURE_DISPLAY_COLOR_MODE: granted=true
      android.permission.ACCESS_WIMAX_STATE: granted=true
      android.permission.RECOVERY: granted=true
      android.permission.USE_CREDENTIALS: granted=true
      android.permission.MODIFY_AUDIO_SETTINGS: granted=true
      android.permission.ACCESS_CHECKIN_PROPERTIES: granted=true
      android.permission.ACCESS_NOTIFICATION_POLICY: granted=true
      com.rigol.watchdog.have.new.app: granted=true
      com.rigol.watchdog.have.new.sys: granted=true
      android.permission.INSTALL_LOCATION_PROVIDER: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.CLEAR_APP_USER_DATA: granted=true
      android.permission.INSTALL_PACKAGES: granted=true
      android.permission.NFC: granted=true
      android.permission.CHANGE_NETWORK_STATE: granted=true
      android.permission.MASTER_CLEAR: granted=true
      android.permission.WRITE_SYNC_SETTINGS: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
      android.permission.PEERS_MAC_ADDRESS: granted=true
      android.permission.DEVICE_POWER: granted=true
      android.rockchip.update.permission.SHOW_UI: granted=true
      android.permission.EXPAND_STATUS_BAR: granted=true
      android.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS: granted=true
      android.permission.READ_PROFILE: granted=true
      android.permission.BLUETOOTH: granted=true
      android.permission.WRITE_MEDIA_STORAGE: granted=true
      android.permission.GET_TASKS: granted=true
      android.permission.INTERNET: granted=true
      android.permission.BLUETOOTH_ADMIN: granted=true
      android.permission.CONTROL_VPN: granted=true
      android.permission.MANAGE_FINGERPRINT: granted=true
      android.permission.MANAGE_USB: granted=true
      android.permission.INTERACT_ACROSS_USERS_FULL: granted=true
      android.permission.BATTERY_STATS: granted=true
      android.permission.PACKAGE_USAGE_STATS: granted=true
      android.permission.MOUNT_UNMOUNT_FILESYSTEMS: granted=true
      android.permission.TETHER_PRIVILEGED: granted=true
      android.permission.WRITE_SECURE_SETTINGS: granted=true
      android.permission.MOVE_PACKAGE: granted=true
      android.permission.STATUS_BAR_SERVICE: granted=true
      android.permission.READ_SEARCH_INDEXABLES: granted=true
      android.permission.ACCESS_DOWNLOAD_MANAGER: granted=true
      android.permission.BROADCAST_STICKY: granted=true
      android.permission.BLUETOOTH_PRIVILEGED: granted=true
      android.permission.HARDWARE_TEST: granted=true
      android.intent.category.MASTER_CLEAR.permission.C2D_MESSAGE: granted=true
      android.permission.BIND_JOB_SERVICE: granted=true
      android.permission.CONFIRM_FULL_BACKUP: granted=true
      android.permission.SET_TIME: granted=true
      android.permission.WRITE_APN_SETTINGS: granted=true
      android.permission.CHANGE_WIFI_STATE: granted=true
      android.permission.MANAGE_USERS: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
      android.permission.ACCESS_MTP: granted=true
      android.permission.DISABLE_KEYGUARD: granted=true
      android.permission.BACKUP: granted=true
      android.permission.CHANGE_CONFIGURATION: granted=true
      android.permission.USER_ACTIVITY: granted=true
      android.permission.READ_LOGS: granted=true
      android.permission.COPY_PROTECTED_DATA: granted=true
      android.permission.SET_WALLPAPER: granted=true
      android.permission.SET_KEYBOARD_LAYOUT: granted=true
      android.permission.KILL_BACKGROUND_PROCESSES: granted=true
      android.permission.USE_FINGERPRINT: granted=true
      android.permission.WRITE_USER_DICTIONARY: granted=true
      android.permission.READ_SYNC_STATS: granted=true
      android.permission.REBOOT: granted=true
      android.permission.OEM_UNLOCK_STATE: granted=true
      android.permission.MANAGE_DEVICE_ADMINS: granted=true
      android.permission.CHANGE_APP_IDLE_STATE: granted=true
      android.permission.SET_POINTER_SPEED: granted=true
      com.rigol.watchdog.business.process.crash: granted=true
      android.permission.MANAGE_NOTIFICATIONS: granted=true
      com.rigol.watchdog.update.app: granted=true
      com.rigol.watchdog.update.sys: granted=true
      android.permission.CONNECTIVITY_INTERNAL: granted=true
      android.permission.READ_SYNC_SETTINGS: granted=true
      android.permission.OVERRIDE_WIFI_CONFIG: granted=true
      android.permission.FORCE_STOP_PACKAGES: granted=true
      android.permission.HIDE_NON_SYSTEM_OVERLAY_WINDOWS: granted=true
      android.permission.ACCESS_NOTIFICATIONS: granted=true
      android.permission.VIBRATE: granted=true
      com.android.certinstaller.INSTALL_AS_USER: granted=true
      android.permission.READ_USER_DICTIONARY: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
      android.permission.CHANGE_WIMAX_STATE: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
      android.permission.MODIFY_PHONE_STATE: granted=true
      com.android.launcher.permission.INSTALL_SHORTCUT: granted=true
      android.permission.STATUS_BAR: granted=true
      android.permission.READ_FRAME_BUFFER: granted=true
      android.permission.LOCATION_HARDWARE: granted=true
      android.permission.WAKE_LOCK: granted=true
      android.permission.INJECT_EVENTS: granted=true
      android.permission.DELETE_PACKAGES: granted=true
    User 0:
      gids=[2001, 3002, 1023, 1015, 3003, 3001, 1024, 1007]
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.CALL_PHONE: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.WRITE_CONTACTS: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.GET_ACCOUNTS: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.WRITE_EXTERNAL_STORAGE: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.READ_CONTACTS: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]



Modified apk
Code: [Select]
    requested permissions:
      android.permission.CHANGE_WIFI_STATE
      android.permission.EXPAND_STATUS_BAR
      android.permission.READ_LOGS
      android.permission.SET_TIME
      android.permission.WRITE_EXTERNAL_STORAGE
      android.permission.ACCESS_NOTIFICATION_POLICY
      android.permission.CHANGE_CONFIGURATION
      android.permission.REBOOT
      android.permission.ACCESS_NETWORK_STATE
      android.permission.INTERNET
      android.permission.ACCESS_WIFI_STATE
      android.permission.CHANGE_NETWORK_STATE
      android.permission.CONNECTIVITY_INTERNAL
      android.permission.DISABLE_KEYGUARD
      android.permission.WAKE_LOCK
      android.permission.READ_FRAME_BUFFER
      android.permission.READ_PHONE_STATE
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.ACCESS_NOTIFICATION_POLICY: granted=true
      android.permission.CHANGE_NETWORK_STATE: granted=true
      android.permission.EXPAND_STATUS_BAR: granted=true
      android.permission.INTERNET: granted=true
      android.permission.CHANGE_WIFI_STATE: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
      android.permission.DISABLE_KEYGUARD: granted=true
      android.permission.CHANGE_CONFIGURATION: granted=true
      android.permission.READ_LOGS: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
      android.permission.WAKE_LOCK: granted=true
    User 0: ceDataInode=112521 installed=true hidden=false suspended=false stopped=true notLaunched=true enabled=0

Shared users:
  SharedUser [org.riglol] (2b0b91a):
    userId=10036
    install permissions:
      android.permission.ACCESS_NOTIFICATION_POLICY: granted=true
      android.permission.CHANGE_NETWORK_STATE: granted=true
      android.permission.EXPAND_STATUS_BAR: granted=true
      android.permission.INTERNET: granted=true
      android.permission.CHANGE_WIFI_STATE: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
      android.permission.DISABLE_KEYGUARD: granted=true
      android.permission.CHANGE_CONFIGURATION: granted=true
      android.permission.READ_LOGS: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
      android.permission.WAKE_LOCK: granted=true
    User 0:
      gids=[3003, 1007]
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true
        android.permission.READ_PHONE_STATE: granted=true
        android.permission.WRITE_EXTERNAL_STORAGE: granted=true


Trying to add a specific permission that differs, I get the error:
Code: [Select]
Operation not allowed: java.lang.SecurityException: Package com.riglol.scope has not requested permission android.permission.ACCESS_CACHE_FILESYSTEM

The apk is installed using .\adb install -g packagename.apk
« Last Edit: December 28, 2023, 03:44:55 pm by Dennis Frie »
 

Offline bosav

  • Newbie
  • Posts: 9
  • Country: nl
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #651 on: December 28, 2023, 03:57:39 pm »
Quote
Just compared the permissions on the 2 apks. Looks like the original apk pretty much just has full permission to everything :)

The issue is not about the android permissions the app requests, but about the permissions of the linux user running the application process.

The original app is using the "system" user, but a user-installed app (for the patched one) will be a separate user, with different permissions (meaning no access to some parts of the file system, and probably not getting some of the requested android permissions which are limited to system apps).
 
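The difference Dennis's two listings show, and the reason bosav gives for it (the Linux user the process runs as, not the Android permissions the manifest requests), can be checked mechanically from the `dumpsys package` output. The following Python script is an added example, not code from this thread or from Rigol: it parses output in the layout quoted above, pulls out the shared user, UID, gids and the granted install/runtime permissions, and reports what the user-installed build lacks relative to the build running under `android.uid.system`. The two listings embedded in it are shortened, constructed excerpts of Dennis's output (the shared-user names are the ones in the thread); `APP_UID_START = 10000` is Android's first ordinary app UID, so anything below it is a core system identity.

```python
import re

# Constructed, shortened excerpts in the layout of the `dumpsys package`
# output quoted in the thread (shared-user names are the thread's own).
ORIGINAL_DUMP = """\
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0

Shared users:
  SharedUser [android.uid.system] (6d90f1f):
    userId=1000
    install permissions:
      android.permission.INSTALL_PACKAGES: granted=true
      android.permission.WRITE_SECURE_SETTINGS: granted=true
      android.permission.INTERNET: granted=true
    User 0:
      gids=[2001, 3002, 1023, 1015, 3003, 3001, 1024, 1007]
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ SYSTEM_FIXED GRANTED_BY_DEFAULT ]
"""

MODIFIED_DUMP = """\
    User 0: ceDataInode=112521 installed=true hidden=false suspended=false stopped=true notLaunched=true enabled=0

Shared users:
  SharedUser [org.riglol] (2b0b91a):
    userId=10036
    install permissions:
      android.permission.INTERNET: granted=true
    User 0:
      gids=[3003, 1007]
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true
"""

PERM_RE = re.compile(r"^\s+(\S+): granted=(true|false)")
SHARED_USER_RE = re.compile(r"SharedUser \[([^\]]+)\]")
APP_UID_START = 10000  # first UID Android assigns to ordinary apps; lower = core system identity


def parse_package_dump(text):
    """Extract shared user, UID, gids and granted permissions from dumpsys-style text."""
    info = {"shared_user": None, "uid": None, "gids": [],
            "install": set(), "runtime": set()}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        m = SHARED_USER_RE.search(stripped)
        if m:
            info["shared_user"] = m.group(1)
            continue
        if stripped.startswith("userId="):
            info["uid"] = int(stripped.split("=", 1)[1])
            continue
        if stripped.startswith("gids=["):
            info["gids"] = [int(g) for g in re.findall(r"\d+", stripped)]
            continue
        if stripped == "install permissions:":
            section = "install"
            continue
        if stripped == "runtime permissions:":
            section = "runtime"
            continue
        if stripped.startswith("User "):      # "User 0: ..." ends a permission section
            section = None
            continue
        m = PERM_RE.match(line)
        if m and section is not None and m.group(2) == "true":
            info[section].add(m.group(1))
    return info


def runs_as_system(info):
    """True when the package shares the system UID (what bosav is describing)."""
    return (info["shared_user"] == "android.uid.system"
            and info["uid"] is not None and info["uid"] < APP_UID_START)


def privilege_report(original_text, modified_text):
    """Report what the user-installed build lacks compared with the system-UID build."""
    orig = parse_package_dump(original_text)
    mod = parse_package_dump(modified_text)
    return {
        "original_runs_as_system": runs_as_system(orig),
        "modified_runs_as_system": runs_as_system(mod),
        "install_only_in_original": sorted(orig["install"] - mod["install"]),
        "runtime_only_in_original": sorted(orig["runtime"] - mod["runtime"]),
        "gids_only_in_original": sorted(set(orig["gids"]) - set(mod["gids"])),
    }


if __name__ == "__main__":
    for key, value in privilege_report(ORIGINAL_DUMP, MODIFIED_DUMP).items():
        print(f"{key}: {value}")
```

To run it against real output, save `adb shell dumpsys package <pkg>` for each build and pass the two texts to `privilege_report`. The gids and signature-level install permissions that appear only in the first column are tied to the system shared UID; `adb install -g` only grants the runtime permissions a package requests, so it cannot close that gap for a normally installed package.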

Online Dennis Frie

  • Contributor
  • Posts: 24
  • Country: dk
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #652 on: December 28, 2023, 04:05:15 pm »
Quote
Just compared the permissions on the 2 apks. Looks like the original apk pretty much just has full permission to everything :)

The issue is not about the android permissions the app requests, but about the permissions of the linux user running the application process.

The original app is using the "system" user, but a user-installed app (for the patched one) will be a separate user, with different permissions (meaning no access to some parts of the file system, and probably not getting some of the requested android permissions which are limited to system apps).

Oh, I got the impression the "SU" command would switch to a user with full permissions, eliminating that problem? I've not messed with Android apps and adb before, so I'm in deep water. Thanks for your input.
« Last Edit: December 28, 2023, 04:34:04 pm by Dennis Frie »
 

Offline bosav

  • Newbie
  • Posts: 9
  • Country: nl
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #653 on: December 29, 2023, 03:24:17 pm »
Quote
OK, my instinct is right: the screenshot problem disappears if I use bosav's method for patching the native binary instead of recompiling the apk. Also worth mentioning, somehow on my scope, com.rigol.scope-2 is the right folder name instead of com.rigol.scope-1.
The 50 Ohm gain problem is more stubborn than I expected; fiddled again with DrvChannel_SetScale but no success, running out of ideas now...

Tried patching more functions, but also had no luck getting it working.

Tried patching _ZN7CApiRef29ApiReference_GetUIVScaleRangeERxS, _ZN12CApiVertical26ApiChannel_SetRefAutoScaleE, _ZN12CApiVertical19ApiChannel_GetScaleERx

Also, checking things in the code around impedance, found checks for it that look like a _ZN8CChannel12getImpedanceEv call or alternatively something like "*(int *)(param_1 + 0x128)" in decompiled code (when it is accessed directly), where 0 = 50Ω and 1 = 1MΩ

With that, noticed one common pattern in a bunch of places:

Code: [Select]
  iVar2 = _ZN8CChannel12getImpedanceEv(…);
  if (iVar2 == 0) {
    ...
    if (iVar1 == 1000) {
      DevInOutAFE_SetHzOutput(param_1,0,0);
      DevInOutAFE_SetHzOutput(param_1,1,1);
    }
    else if (iVar1 == 4000) {
      DevInOutAFE_SetBuffer(param_1,1);
    }
    ...
  } else {
    ...
    DevInOutAFE_SetBuffer(param_1,1);
    ...
  }

Not sure what that is doing (any ideas?), but DevInOutAFE_SetHzOutput looks to change something similar to what DevInOutAFE_SetBuffer changes…
and so, I tried patching that as well (especially given it looks to be specific to 50Ω), however that was also not successful

So far, that is all the places I noticed that somehow relate to 50Ω
 
The following users thanked this post: egonotto, thm_w, ebastler, lgo51

Online zrq

  • Frequent Contributor
  • **
  • Posts: 303
  • Country: 00
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #654 on: December 29, 2023, 05:57:39 pm »
Quote
OK, my instinct is right: the screenshot problem disappears if I use bosav's method for patching the native binary instead of recompiling the apk. Also worth mentioning, somehow on my scope, com.rigol.scope-2 is the right folder name instead of com.rigol.scope-1.
The 50 Ohm gain problem is more stubborn than I expected; fiddled again with DrvChannel_SetScale but no success, running out of ideas now...

Tried patching more functions, but also had no luck getting it working.

Tried patching _ZN7CApiRef29ApiReference_GetUIVScaleRangeERxS, _ZN12CApiVertical26ApiChannel_SetRefAutoScaleE, _ZN12CApiVertical19ApiChannel_GetScaleERx

Also, checking things in the code around impedance, found checks for it that look like a _ZN8CChannel12getImpedanceEv call or alternatively something like "*(int *)(param_1 + 0x128)" in decompiled code (when it is accessed directly), where 0 = 50Ω and 1 = 1MΩ

With that, noticed one common pattern in a bunch of places:

Code: [Select]
  iVar2 = _ZN8CChannel12getImpedanceEv(…);
  if (iVar2 == 0) {
    ...
    if (iVar1 == 1000) {
      DevInOutAFE_SetHzOutput(param_1,0,0);
      DevInOutAFE_SetHzOutput(param_1,1,1);
    }
    else if (iVar1 == 4000) {
      DevInOutAFE_SetBuffer(param_1,1);
    }
    ...
  } else {
    ...
    DevInOutAFE_SetBuffer(param_1,1);
    ...
  }

Not sure what that is doing (any ideas?), but DevInOutAFE_SetHzOutput looks to change something similar to what DevInOutAFE_SetBuffer changes…
and so, I tried patching that as well (especially given it looks to be specific to 50Ω), however that was also not successful

So far, that is all the places I noticed that somehow relate to 50Ω

So far I did 4 successful hacks to my libscope:
1. nop out the API_SetProductSeries
2. patch the default value of the variable referenced in API_GetProductSeries. Together with 1, everywhere API_GetProductSeries is called shall get 4000, which seems OK to me. However one should not do this to DevSystem_GetProductSeries as it will mess up the acquisition.
3. DrvChannel_SetBandLimit: patch all the 4000 to 1000 and 1000 to probably 1001
4. frida hooking _ZN11CApiLicense18check_BandWidthOptE7OptType and installing :SYST:OPT:INST HDO1000-BW2T8
« Last Edit: December 29, 2023, 06:01:27 pm by zrq »
 
The following users thanked this post: egonotto, thm_w, ebastler, lgo51, x33yp, bosav, sizziff

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6676
  • Country: de
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #655 on: December 29, 2023, 06:56:18 pm »
Quote
So far I did 4 successful hacks to my libscope:
1. nop out the API_SetProductSeries
2. patch the default value of the variable referenced in API_GetProductSeries. Together with 1, everywhere API_GetProductSeries is called shall get 4000, which seems OK to me. However one should not do this to DevSystem_GetProductSeries as it will mess up the acquisition.
3. DrvChannel_SetBandLimit: patch all the 4000 to 1000 and 1000 to probably 1001
4. frida hooking _ZN11CApiLicense18check_BandWidthOptE7OptType and installing :SYST:OPT:INST HDO1000-BW2T8

Thanks for the update -- great to see continued work and progress!

Does the UI let you select the bandwidth limit in three steps now -- 20 MHz, 200 MHz, full BW? That would make 800 MHz practical, since one could limit the bandwidth when using more than one channel. (Or likewise for 400 MHz full bandwidth, where one needs to limit the BW when using more than two channels.)

Also, do the above changes enable the 50 Ohm termination (with the vertical scale deviation you had mentioned earlier), or does that require additional patches?
 

Offline lownoise

  • Newbie
  • Posts: 7
  • Country: de
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #656 on: December 29, 2023, 07:10:29 pm »
Maybe the Cross References to API_GetProductSeries will help (from IDA)....

edit: +API_GetProductDomain
« Last Edit: December 29, 2023, 08:13:14 pm by lownoise »
 
The following users thanked this post: x33yp

Online zrq

  • Frequent Contributor
  • **
  • Posts: 303
  • Country: 00
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #657 on: December 29, 2023, 09:18:56 pm »
Yes (20 M, 250 M and full, after doing patch 3) and yes (but with the amplitude problem).
 
The following users thanked this post: ebastler

Offline core

  • Regular Contributor
  • *
  • Posts: 153
  • Country: ro
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #658 on: December 30, 2023, 10:48:19 am »
Quote
Yes (20 M, 250 M and full, after doing patch 3) and yes (but with the amplitude problem).

Very good news! Thanks for sharing.
 

Offline Frex

  • Regular Contributor
  • *
  • Posts: 122
  • Country: fr
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #659 on: December 30, 2023, 01:46:54 pm »
Hello,

I'm a happy owner of the Rigol DHO1074, which fits well side by side on my desktop with my Siglent SDS1204X+.
I thank very much all the people who have contributed to making it hackable.
I performed it as described without issue. Thanks again to all of them!  :-+

I played with the DHO1074 today, and I noticed a strange thing.
The full sampling rate is only achievable on CH4.
On all other channels, I can get only 1G/s (one channel active at the same time).
As written in the manual, the full sampling rate is only obtainable with only one input active, but not on a specific channel.

Another point is that if I enable 2 channels other than CH4, the sampling rate is limited to 500Ms/s instead of 1Gs/s!

All seems to work as if a "hidden" channel were active ...
(It counts 3 instead of two active channels)

Has anyone here seen the same behaviour on their scope?
Regards.

Frex
(Note: firmware installed is 00.02.04, hardware 2)
 

Offline Antonio90

  • Frequent Contributor
  • **
  • Posts: 338
  • Country: es
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #660 on: December 30, 2023, 01:56:19 pm »
Quote
Hello,

I'm a happy owner of the Rigol DHO1074, which fits well side by side on my desktop with my Siglent SDS1204X+.
I thank very much all the people who have contributed to making it hackable.
I performed it as described without issue. Thanks again to all of them!  :-+

I played with the DHO1074 today, and I noticed a strange thing.
The full sampling rate is only achievable on CH4.
On all other channels, I can get only 1G/s (one channel active at the same time).
As written in the manual, the full sampling rate is only obtainable with only one input active, but not on a specific channel.

Another point is that if I enable 2 channels other than CH4, the sampling rate is limited to 500Ms/s instead of 1Gs/s!

All seems to work as if a "hidden" channel were active ...
(It counts 3 instead of two active channels)

Has anyone here seen the same behaviour on their scope?
Regards.

Frex
(Note: firmware installed is 00.02.04, hardware 2)
Hi, maybe you already checked that, but are you sure the scope wasn't triggering on an "inactive", different channel? I find it quite unlikely that a bug like this has gone unnoticed so far.
 

Offline Frex

  • Regular Contributor
  • *
  • Posts: 122
  • Country: fr
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #661 on: December 30, 2023, 02:09:42 pm »

Hello and thank you for your (fast) answer Antonio90.

It seems you are right.
I discovered that if the trigger is set even on an unused channel, it counts as an active channel!
Now I understand this strange behaviour...
Thank you again!  ^-^

Frex
 

Offline Antonio90

  • Frequent Contributor
  • **
  • Posts: 338
  • Country: es
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #662 on: December 30, 2023, 03:00:59 pm »
No probs! I guess triggering is digital, and as such it needs sampled data.
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6676
  • Country: de
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #663 on: December 30, 2023, 07:31:19 pm »
After playing with my DHO1074 Christmas present for a while, I thought I'd apply the basic upgrades (memory & bandwidth). Nasty surprise: After connecting via the adb tools, I can't find a key.data file, neither in /rigol/data nor elsewhere in the file system.

Have other DHO1074 owners seen this (or rather not seen this) too? Am I just overlooking something or did I miss a step?

In case there is no simple solution -- I have searched the forum and come across early posts which mention that the same information is also stored in the FRAM. I also found a tool which is meant to dump the FRAM, so I could presumably get to the key.data information:
https://www.eevblog.com/forum/testgear/hacking-the-hdo1khdo4k-rigol-12-bit-scope/msg4501300/#msg4501300

But I am out of my depth there. There is a Go program attached to that post -- is it meant to run on the scope itself? If so, how do I get it to run? If it is meant to run on the PC, how does it get the FRAM data? Many thanks for some helpful hints!
 

Offline voltsandjolts

  • Supporter
  • ****
  • Posts: 2335
  • Country: gb
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #664 on: December 30, 2023, 07:45:20 pm »
My scope had key.data in /rigol/data

Code: [Select]
D:\adb>adb shell ls -l /rigol/data
total 992
-rwxrwxrwx 1 system system    388 2023-01-09 18:58 Key.data
-rwxrwxrwx 1 system system    101 2023-11-29 10:01 RLU.lic
-rwxrwxrwx 1 system system   1260 2023-01-09 19:41 cal_adc.hex
-rwxrwxrwx 1 system system    732 2023-01-09 19:41 cal_adc_SpuGain.hex
-rwxrwxrwx 1 system system 458972 2023-11-23 21:12 cal_afe.hex
-rwxrwxrwx 1 system system    348 2023-01-09 20:24 cal_afe_bandwidth.hex
-rwxrwxrwx 1 system system    588 2023-01-09 19:22 cal_afe_zero.hex
-rwxrwxrwx 1 system system     36 2023-01-09 19:39 cal_ext.hex
-rwxrwxrwx 1 system system    796 2023-01-09 19:30 cal_lsb.hex
drwxrwxrwx 2 root   root     4096 2022-12-06 22:31 default
drwxrwxrwx 2 root   root     4096 1970-01-01 08:09 probe
-rwxrwxrwx 1 system system    200 2023-01-10 10:54 vendor.bin

The Go program runs on your PC; you need to install the Go compiler.
Oh, different Go script, didn't know about that one and I too don't know how that works...gimmie a minute
« Last Edit: December 30, 2023, 07:48:29 pm by voltsandjolts »
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6676
  • Country: de
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #665 on: December 30, 2023, 07:51:10 pm »
Quote
My scope had key.data in /rigol/data

Thanks. Yes, that's what I expected to find. Nada, unfortunately...

Quote
The Go program runs on your PC, need to install Go compiler.

Please note that I was not talking about the Go program which generates the license codes (based on key.data). I know that this one needs to run on the PC. I can run it, but lacking the key.data it will fail, of course.

What I am unclear about is the different Go program which is attached to the post I linked to in my prior post. It is meant to dump the FRAM content, as a way to get to the key.data information when it is not preset in a file, but I don't know how and where to run that program. -- Ah, just saw your edit. If you can figure that one out, many thanks in advance!
 

Offline voltsandjolts

  • Supporter
  • ****
  • Posts: 2335
  • Country: gb
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #666 on: December 30, 2023, 07:53:04 pm »
Yeh, sorry, thought there was just one Go script, THE one!

But yeh, that FRAM dump Go program needs to run on the scope, after you build it on your PC using the Go compiler:

Code: [Select]
// build using
// GOOS=linux GOARCH=arm64 go build fRAMdump.go

Copy executable to scope and run it  :-//


Edit: gimmie a minute I'll try to build the exe
« Last Edit: December 30, 2023, 08:00:22 pm by voltsandjolts »
 
The following users thanked this post: ebastler

Offline voltsandjolts

  • Supporter
  • ****
  • Posts: 2335
  • Country: gb
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #667 on: December 30, 2023, 08:14:46 pm »
Ah, the Go script requires the logger module which is not supported on Windows, so I'll need to build it on my linux box but am out of time tonight...will look at it tomorrow if someone else doesn't jump in first.
 
The following users thanked this post: ebastler

Offline Veteran68

  • Frequent Contributor
  • **
  • Posts: 727
  • Country: us
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #668 on: December 30, 2023, 08:22:27 pm »
Quote
I also found a tool which is meant to dump the FRAM, so I could presumably get to the key.data information:

Just as FYI, the output fram.bin file produced by fRAMdump.go contains two copies of the key, one starting at offset 0x011C and the next at 0x01C4. The key is 148 bytes.

Quote
Ah, the Go script requires the logger module which is not supported on Windows, so I'll need to build it on my linux box but am out of time tonight...will look at it tomorrow if someone else doesn't jump in first.

I just built it on Windows. You have to set the environment properly and those errors will resolve. The other posts are building from Linux and so the env set commands are different.

The correct commands for Windows are:

Code: [Select]
go mod init fRAMdump.go
go mod tidy
set GOOS=linux
set GOARCH=arm64
go build fRAMdump.go

Then adb push "fRAMdump" to a writeable area of the file system (I created a /rigol/temp folder), set its execute bits, and run it as root. It will output to the console but also create the file fram.bin in the same folder.
« Last Edit: December 30, 2023, 08:24:15 pm by Veteran68 »
 
The following users thanked this post: egonotto, thm_w, ebastler

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6676
  • Country: de
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #669 on: December 30, 2023, 08:36:44 pm »
Many thanks, voltsandjolts and Veteran68! I will try to get that program compiled and over to the scope now.

So far, things aren't looking great for generating options for my scope. I just tried the official memory upgrade which I got bundled with the scope (after nagging Rigol Europe three times). The Rigol website produces a 96-digit hex code, based on my scope's serial number and the entitlement key I got from Rigol. But entering that code via SYST:OPT:INST DHO1000-RLU-01@xxxxx does not produce any response, except for resetting my scope to "beep on" mode. :-[  Instead of the "DHO1000-RLU-01" prefix, which is the option name given on my PDF from Rigol, I also tried HDO1000-RLU and various permutations (DHO/HDO, with or without the -01).

Is the scope supposed to send a reply to the SCPI command? Is the lack of a response and/or the lack of an enabled memory upgrade an indication that my scope's key information is totally missing or messed up?
 

Offline voltsandjolts

  • Supporter
  • ****
  • Posts: 2335
  • Country: gb
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #670 on: December 30, 2023, 08:39:50 pm »
This worked for me

:SYST:OPT:INST DHO1000-RLU@xxxxx

I had to experiment to get that right, don't know why they can't put the whole command in the delivered license file, ... it's Rigol of course.

No response on the scope if it is not accepted.

A message pops up on the scope screen when it is accepted, and it is listed in About / Licenses; no need to reboot.
« Last Edit: December 30, 2023, 08:55:27 pm by voltsandjolts »
 
The following users thanked this post: egonotto, ebastler

Offline voltsandjolts

  • Supporter
  • ****
  • Posts: 2335
  • Country: gb
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #671 on: December 30, 2023, 08:49:34 pm »
Built the Go script using Vet68 commands, attached.
 
The following users thanked this post: egonotto, ebastler

Offline bosav

  • Newbie
  • Posts: 9
  • Country: nl
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #672 on: December 30, 2023, 09:07:28 pm »
Quote
After playing with my DHO1074 Christmas present for a while, I thought I'd apply the basic upgrades (memory & bandwidth). Nasty surprise: After connecting via the adb tools, I can't find a key.data file, neither in /rigol/data nor elsewhere in the file system.

Have other DHO1074 owners seen this (or rather not seen this) too? Am I just overlooking something or did I miss a step?
That is interesting - I have /rigol/data/Key.data on the scope.
Curious - what are the versions of hardware/firmware/android you have in the About window? Maybe that is some newer revision?
Also, what Linux version do you have? ("adb shell uname -a" to check)

In my case, it is:
Code: [Select]
firmware: 00.02.12 (originally was 00.02.04)
hardware: 2
build: 2023/10/18 18:14:32
build: 2022/10/10 19:30:48
android version: 7.1.2

uname:  Linux localhost 4.4.126 #2 SMP PREEMPT Mon Aug 22 11:16:18 CST 2022 aarch64
« Last Edit: December 30, 2023, 09:26:16 pm by bosav »
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6676
  • Country: de
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #673 on: December 30, 2023, 09:09:02 pm »
Progress -- many thanks for the foolproof instructions, Veteran68! I compiled the program, pushed it over to the scope and ran it, and captured both the fram.bin file and the console output.

However, the binary file does not have the same data at offsets 0x011C and 0x01C4. The text file starts with a first data block which is indeed the same data that shows up at 0x011C in the binary file, but has 388 bytes (0x184), not 148.

Code: [Select]
id:091d data[184]:
C7 00 EE 86 54 DA 36 3D 18 10 53 F9 16 C3 D9 A0 A8 07 2E B0 2D A1 D8 65 82 46 54 F9 75 AD 25 98
...

Any recommendation what should go into the key.data file? Thank you!
 
The following users thanked this post: egonotto
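The comparison ebastler is doing by hand above (checking whether the two key copies in fram.bin actually agree), as an added example that is not code from this thread, from the fRAMdump tool or from Rigol. It assumes the layout Veteran68 describes: two copies of a 148-byte key at offsets 0x011C and 0x01C4 in fram.bin. The dump size, the filler and the key bytes in the built-in sample are constructed for the example; run it with a real fram.bin path as the first argument to check an actual dump instead.

```python
"""Check the two key copies in a fram.bin dump against each other.

Added example, not the thread's or Rigol's code. Layout assumptions (offsets
and key length) come from Veteran68's post; everything else is constructed.
"""
import hashlib
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

KEY_LEN = 148                      # key length in bytes, per the thread
COPY_OFFSETS: Tuple[int, int] = (0x011C, 0x01C4)  # per the thread
SAMPLE_DUMP_SIZE = 0x400           # constructed size for the built-in sample


@dataclass
class KeyCheck:
    copies: List[bytes]            # the raw bytes of each copy
    identical: bool                # True when all copies match byte for byte
    first_diff: Optional[int]      # offset inside the key of the first mismatch


def extract_copies(dump: bytes, offsets=COPY_OFFSETS, length=KEY_LEN) -> List[bytes]:
    """Slice each key copy out of the dump, refusing truncated dumps."""
    copies = []
    for off in offsets:
        if off + length > len(dump):
            raise ValueError(
                f"dump too short: need {off + length:#x} bytes, have {len(dump):#x}")
        copies.append(dump[off:off + length])
    return copies


def compare_copies(dump: bytes) -> KeyCheck:
    """Compare the first copy against the second and locate the first mismatch."""
    first, second = extract_copies(dump)
    diff = next((i for i, (a, b) in enumerate(zip(first, second)) if a != b), None)
    return KeyCheck([first, second], diff is None, diff)


def hexdump(data: bytes, width: int = 32) -> str:
    """Render bytes in the same 'XX XX ...' style as the fRAMdump console output."""
    return "\n".join(
        " ".join(f"{b:02X}" for b in data[i:i + width])
        for i in range(0, len(data), width))


def make_sample_dump(corrupt_second_copy: bool = False) -> bytes:
    """Build a constructed dump: deterministic filler with a key at both offsets."""
    filler = bytearray()
    counter = 0
    while len(filler) < SAMPLE_DUMP_SIZE:   # SHA-256 chain as reproducible filler
        filler += hashlib.sha256(b"constructed filler" + counter.to_bytes(4, "big")).digest()
        counter += 1
    dump = bytearray(filler[:SAMPLE_DUMP_SIZE])
    key = (hashlib.sha256(b"constructed key").digest() * 5)[:KEY_LEN]  # not a real key
    for off in COPY_OFFSETS:
        dump[off:off + KEY_LEN] = key
    if corrupt_second_copy:
        dump[COPY_OFFSETS[1] + 7] ^= 0xFF   # flip one byte to simulate a bad copy
    return bytes(dump)


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            dump = fh.read()
    else:
        dump = make_sample_dump()        # no file given: use the constructed sample
    result = compare_copies(dump)
    for off, copy in zip(COPY_OFFSETS, result.copies):
        print(f"copy at {off:#06x} ({len(copy)} bytes):\n{hexdump(copy)}\n")
    if result.identical:
        print("both copies are identical")
        return 0
    print(f"copies differ; first mismatch at key offset {result.first_diff:#x}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the constructed sample pass; with a real dump, a non-zero exit and the reported key offset tell you the two copies disagree, which is the situation ebastler describes and worth knowing before deciding which bytes to trust.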

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6676
  • Country: de
Re: Hacking the HDO1k/HDO4k Rigol 12 bit scope
« Reply #674 on: December 30, 2023, 09:17:05 pm »
Quote
Curious - what are the versions of hardware/firmware/android you have in about window? maybe that is some newer revision?
Also, what is linux version you have? ("adb shell uname -a" to check)

My software details are all the same as yours (I assume there's a typo in your build year?).
But my hardware version is 3.

Code: [Select]
firmware: 00.02.12 (originally was 00.02.04 as well)
hardware: 3
build 2023/10/18 18:14:32
android build 2022/10/10 19:30:48
android version 7.1.2

Linux localhost 4.4.126 #2 SMP PREEMPT Mon Aug 22 11:16:18 CST 2022 aarch64
 

