Author Topic: Hacking the Rigol DHO800/900 Scope  (Read 1596313 times)

Offline rpro

  • Contributor
  • Posts: 47
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #150 on: October 23, 2023, 01:20:08 am »
I found out you can load any firmware you want. It doesn't complain about downgrades...

I've just gone back to 1.00, I wanted to check something.
Re: the offsets, this worked for me very well for now: Starting with the 1.00 firmware and original corresponding 804 vendor.bin file, recalibrate (with the scope warmed up). Then substitute the 924 vendor.bin file (with the serial number we've all seen). Turn the scope on, with all the channels on and let it sit (if cold) for about 20 minutes at 200uV/div and, say, at 1ms/ with 1Mpts/62.5MSa/s. Hopefully you will see the 4 traces slowly come together, with no significant offsets (and <24uV AC-RMS term.), and remaining on top of each other all the way from 200uV/div to 10V/div. (Inconvenient to have to use the 1.00 firmware and to have to recalibrate with the orig. 804 file in the meantime, but not too bad with adb...)
« Last Edit: October 23, 2023, 12:11:26 pm by rpro »
 

Offline dmulligan

  • Regular Contributor
  • *
  • Posts: 86
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #151 on: October 23, 2023, 02:27:24 pm »
I analyzed their apk software using IDA and found that hdcode was indeed used, and this part of the call was made before the system was calibrated, so this can be explained by overriding the vendor.bin Upgrading the DHO800 to the DHO900 will have an offset zero potential and be very noisy. So it's also not clear to me why they don't get the model ID directly through the information inside the vendor.bin. :-//

Could you expand on this? We're trying this upgrade now and hitting this problem.

I would love to hear more from souldevelop but I haven't seen a post from him lately.  I did a quick search and found a product called IDA by a company called Hex-Rays.  It looks to me like he used the pro version which is very expensive.
 
The following users thanked this post: souldevelop

Online Martin72

  • Super Contributor
  • ***
  • Posts: 6260
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol DHO800/900 Scope
« Reply #152 on: October 23, 2023, 06:54:06 pm »
I'm still wondering about the "Option" section in the Utility menu.
After the purchase there was a bandwidth option, after the firmware upgrade now a storage depth option.
And this although there are no options to buy...
"Comparison is the end of happiness and the beginning of dissatisfaction."
(Kierkegaard)
Siglent SDS800X HD Deep Review
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3260
  • Country: pt
Re: Hacking the Rigol DHO800/900 Scope
« Reply #153 on: October 23, 2023, 07:26:12 pm »
This is the main reason why I've been away from all the noise in this thread. Let the dust settle and then we'll see what needs to be done.

Changing options from version to version...  :palm:
 
The following users thanked this post: Martin72

Offline Serg65536

  • Regular Contributor
  • *
  • Posts: 133
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #154 on: October 23, 2023, 08:59:06 pm »
So called v1.14 Firmware is exactly v1.00 except for these files:
folder | name | size, bytes
data | cal_adc.hex | 1.876
data | cal_afe_bandwidth.hex | 348
data | cal_afe_zero.hex | 348
data | cal_ddr.hex | 76
data | cal_lsb.hex | 156
data | cal_vertical.hex | 179.452
data | Key.data | 148 (here is your key, don't replace this file)
data | vendor.bin | 212 (here is your serial and model (which may or may not extend your scope's options))
data\default | cal_vertical.hex | 179.452
FPGA | BOOT.bin | 3.631.368
« Last Edit: October 23, 2023, 09:21:22 pm by Serg65536 »
 
The following users thanked this post: Mechatrommer

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3260
  • Country: pt
Re: Hacking the Rigol DHO800/900 Scope
« Reply #155 on: October 23, 2023, 09:06:53 pm »
vendor.bin has nothing to do with options!  For what interests you all, it's basically Model and S/N.
 
The following users thanked this post: Martin72, Serg65536

Offline Serg65536

  • Regular Contributor
  • *
  • Posts: 133
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #156 on: October 23, 2023, 09:17:27 pm »
You can create a backup of many Rigol-specific files (incl. vendor.bin and key.data) by typing in the command prompt:
adb connect <IP of your scope>:55555
adb devices
adb shell rm /rigol/DHO800_DHO900_Update.GEL
adb shell "cd /rigol && sh build_gel.sh"
adb pull /rigol/DHO800_DHO900_Update.GEL

This creates the DHO800_DHO900_Update.GEL file.
It's a GZIP archive with a DHO800_DHO900_Update (no extension) file inside. That file is a TAR archive containing all files and folders from the "rigol" folder.
« Last Edit: October 25, 2023, 04:39:14 pm by Serg65536 »
 
The following users thanked this post: Ewald1963

Online Martin72

  • Super Contributor
  • ***
  • Posts: 6260
  • Country: de
  • Testfield Technician
Re: Hacking the Rigol DHO800/900 Scope
« Reply #157 on: October 23, 2023, 09:38:48 pm »
Quote
This creates DHO800_DHO900_Update.GEL file.

Where ?
"Comparison is the end of happiness and the beginning of dissatisfaction."
(Kierkegaard)
Siglent SDS800X HD Deep Review
 

Offline Serg65536

  • Regular Contributor
  • *
  • Posts: 133
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #158 on: October 23, 2023, 10:00:22 pm »
With firmware 1.00 I did not find the way to properly upgrade my DHO804 to DHO924. The offset is always there.
I tried to replace cal*.hex files, but ended up with no waveform display.
Then, probably after replacing the Key.data file, my scope went into the boot loop.
There was no time to do anything before the reboot. The sparrow.apk was constantly reloading.
In this state, adb worked fine, it was possible to write any files to the scope, but the "/rigol/data/cal_afe_bandwidth.hex" was always replaced by the scope for the same instance before reboot. That was probably some dummy file, which I did not find in any of the firmware copies I have.
So I had to open the oscilloscope, to flash the DHO924S firmware from the first message. And now it's back again, calibrated with no offset.
BTW, the firmware is from DHO924S, but replacing only the vendor.bin gives DHO924 without the "S" option.

UPDATE: boot loop was due to lack of execution permissions on the scripts.

« Last Edit: October 25, 2023, 04:42:46 pm by Serg65536 »
 

Offline Serg65536

  • Regular Contributor
  • *
  • Posts: 133
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #159 on: October 23, 2023, 10:01:09 pm »
Quote
This creates DHO800_DHO900_Update.GEL file.
Where ?
In the /rigol folder.
 
The following users thanked this post: Martin72, eklein

Offline Mechatrommer

  • Super Contributor
  • ***
  • Posts: 11700
  • Country: my
  • reassessing directives...
Re: Hacking the Rigol DHO800/900 Scope
« Reply #160 on: October 23, 2023, 10:20:43 pm »
So called v1.14 Firmware is exactly v1.00 except for these files:
folder | name | size, bytes
data | cal_adc.hex | 1.876
data | cal_afe_bandwidth.hex | 348
data | cal_afe_zero.hex | 348
data | cal_ddr.hex | 76
data | cal_lsb.hex | 156
data | cal_vertical.hex | 179.452
data | Key.data | 148 (here is your key, don't replace this file)
data | vendor.bin | 212 (here is your serial and model (which may or may not extend your scope's options))
data\default | cal_vertical.hex | 179.452
FPGA | BOOT.bin | 3.631.368

thanks for info. last night i saved all those from 1.0.0, 1.1.2 and 1.14 thinking they might do something. using souldevelop tool is very quick pulling many files and viewing files structure, i wish souldevelop can expand its functionality to push files manually, no need command line... maybe next is experimenting with latest v1.1.2 and inserting those cal hex from 1.14 ... last night i upgraded to v1.1.2 and overwriting vendor.bin with 924, channel offset still problem...
Nature: Evolution and the Illusion of Randomness (Stephen L. Talbott): Its now indisputable that... organisms “expertise” contextualizes its genome, and its nonsense to say that these powers are under the control of the genome being contextualized - Barbara McClintock
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16853
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #161 on: October 23, 2023, 11:17:28 pm »
So called v1.14 Firmware is exactly v1.00 except for these files:
folder | name | size, bytes
data | cal_adc.hex | 1.876
data | cal_afe_bandwidth.hex | 348
data | cal_afe_zero.hex | 348
data | cal_ddr.hex | 76
data | cal_lsb.hex | 156
data | cal_vertical.hex | 179.452
data | Key.data | 148 (here is your key, don't replace this file)
data | vendor.bin | 212 (here is your serial and model (which may or may not extend your scope's options))
data\default | cal_vertical.hex | 179.452
FPGA | BOOT.bin | 3.631.368

The timestamp changes on "cal_vertical.hex" whenever you do a self-cal. I think that's where the results are stored.  :)

thanks for info. last night i saved all those from 1.0.0, 1.1.2 and 1.14 thinking they might do something. using souldevelop tool is very quick pulling many files and viewing files structure

You can pull many files with ADB by putting a '.' on the end of the file name.

eg. Use this to pull the entire "/rigol/data" folder (with subfolders)

adb pull /rigol/data/.
 
The following users thanked this post: Mechatrommer

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16853
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #162 on: October 23, 2023, 11:21:00 pm »
You can create a backup of many Rigol-specific files (incl. vendor.bin and key.data) by typing in the command prompt:
adb connect <IP of your scope>:55555
adb shell rm /rigol/DHO800_DHO900_Update.GEL
adb shell "cd /rigol && sh build_gel.sh"

This creates the DHO800_DHO900_Update.GEL file.
It's a GZIP archive with a DHO800_DHO900_Update (no extension) file inside. That file is a TAR archive containing all files and folders from the "rigol" folder.

It would be awesome if somebody could do this with a 1.14 installation and upload the .GEL file somewhere.

That way everybody could try 1.14 without opening up their 'scope and messing around with SD cards.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16853
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #163 on: October 23, 2023, 11:29:16 pm »
vendor.bin has nothing to do with options!  For what interests you all, it's basically Model and S/N.

To be precise: Model, serial number and MAC address

Options appear to be in /rigol/data/Key.data

I read somewhere that the key file is encrypted using the serial number from vendor.bin but that would imply my serial decoder options should disappear when I change my vendor.bin. But they don't.  :-//
« Last Edit: October 23, 2023, 11:57:10 pm by Fungus »
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16853
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #164 on: October 23, 2023, 11:34:00 pm »
This creates the DHO800_DHO900_Update.GEL file.
It's a GZIP archive with a DHO800_DHO900_Update (no extension) file inside. That file is a TAR archive containing all files and folders from the "rigol" folder.

Aha! The thing inside the .gel file is a .tar file. That's worth knowing  :)

(Obvious, really, if you look at "build_gel.sh")

Code:
####################################################################################
# Create tar.gz package
####################################################################################

if [ -d data/ ]; then
    tar -czvf temp.gel app driver FPGA shell tools resource data
else
    tar -czvf temp.gel app driver FPGA shell tools resource
fi

if [ $? -eq 0 ]; then
    mv temp.gel $build_out
else
    echo "Create Sparrow-Package GEL Failed !"
    exit 1
fi

echo "Create Sparrow-Package GEL Success !"

 
The following users thanked this post: Serg65536
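
Because a .GEL is a gzip-compressed tar of the /rigol folders, two packages can be compared file by file (the comparison Reply #154 reports), and member paths can be checked before unpacking a package obtained from someone else. This is an added example, not code from any poster or from Rigol; the sample archives, their contents and the helper names are constructed for illustration.

```python
import hashlib
import io
import tarfile


def gel_manifest(gel_bytes):
    """Return ({member: (size, sha256)}, [suspicious names]) for a .GEL (tar.gz)."""
    manifest, suspicious = {}, []
    with tarfile.open(fileobj=io.BytesIO(gel_bytes), mode="r:gz") as tar:
        for member in tar:
            parts = member.name.split("/")
            # Entries that could land outside the target folder on extraction.
            if (member.name.startswith("/") or ".." in parts
                    or member.issym() or member.islnk()):
                suspicious.append(member.name)
            elif member.isfile():
                data = tar.extractfile(member).read()
                manifest[member.name] = (member.size,
                                         hashlib.sha256(data).hexdigest())
    return manifest, suspicious


def diff_gel(old_bytes, new_bytes):
    """Compare two packages by member hash; path checks apply to new_bytes."""
    old, _ = gel_manifest(old_bytes)
    new, suspicious = gel_manifest(new_bytes)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
        "suspicious": suspicious,
    }


def make_sample_gel(files):
    """Build a tar.gz in memory from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: placeholder bytes, not real firmware contents.
SAMPLE_OLD = make_sample_gel({"app/Sparrow.apk": b"apk",
                              "data/vendor.bin": b"A" * 212,
                              "FPGA/BOOT.bin": b"fpga-1"})
SAMPLE_NEW = make_sample_gel({"app/Sparrow.apk": b"apk",
                              "data/vendor.bin": b"B" * 212,
                              "FPGA/BOOT.bin": b"fpga-2",
                              "../etc/init.sh": b"x"})

if __name__ == "__main__":
    for kind, names in diff_gel(SAMPLE_OLD, SAMPLE_NEW).items():
        print(kind, names)
```

For real packages, pass the bytes of two pulled .GEL files to diff_gel(); any name listed under "suspicious" should be reviewed before the archive is unpacked or installed.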

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16853
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #165 on: October 23, 2023, 11:55:24 pm »
So called v1.14 Firmware is exactly v1.00 except for these files:
folder | name | size, bytes
data | cal_adc.hex | 1.876
data | cal_afe_bandwidth.hex | 348
data | cal_afe_zero.hex | 348
data | cal_ddr.hex | 76
data | cal_lsb.hex | 156
data | cal_vertical.hex | 179.452
data | Key.data | 148 (here is your key, don't replace this file)
data | vendor.bin | 212 (here is your serial and model (which may or may not extend your scope's options))
data\default | cal_vertical.hex | 179.452
FPGA | BOOT.bin | 3.631.368

With firmware 1.00 I did not find the way to properly upgrade my DHO804 to DHO924. The offset is always there.
I tried to replace cal*.hex files, but ended up with no waveform display.

The secret might be in /rigol/FPGA/BOOT.bin

 

Offline akkk44

  • Contributor
  • Posts: 29
  • Country: cn
Re: Hacking the Rigol DHO800/900 Scope
« Reply #166 on: October 24, 2023, 02:57:29 am »
I'm trying to understand some of the early posts in this thread:

https://www.eevblog.com/forum/testgear/hacking-the-rigol-dho800900-scope/msg5074867/#msg5074867

It seems that all that's in vendor.bin is a model number, a serial number, and a MAC address.

In that case: The options that you get are based only on the model number in that file. They aren't selected individually.




The post after that one doesn't make much sense:

https://www.eevblog.com/forum/testgear/hacking-the-rigol-dho800900-scope/msg5075035/#msg5075035

Quote
"simply replacing the vendor.bin will cause a 5mV-10mV offset to appear, and it can't be eliminated by self-cal."

Why should that be?

Please refer to here for the possible reason:
https://www.eevblog.com/forum/testgear/hacking-the-rigol-dho800900-scope/msg5108487
 

Offline akkk44

  • Contributor
  • Posts: 29
  • Country: cn
Re: Hacking the Rigol DHO800/900 Scope
« Reply #167 on: October 24, 2023, 03:03:43 am »
So called v1.14 Firmware is exactly v1.00 except for these files:
folder | name | size, bytes
data | cal_adc.hex | 1.876
data | cal_afe_bandwidth.hex | 348
data | cal_afe_zero.hex | 348
data | cal_ddr.hex | 76
data | cal_lsb.hex | 156
data | cal_vertical.hex | 179.452
data | Key.data | 148 (here is your key, don't replace this file)
data | vendor.bin | 212 (here is your serial and model (which may or may not extend your scope's options))
data\default | cal_vertical.hex | 179.452
FPGA | BOOT.bin | 3.631.368

With firmware 1.00 I did not find the way to properly upgrade my DHO804 to DHO924. The offset is always there.
I tried to replace cal*.hex files, but ended up with no waveform display.

The secret might be in /rigol/FPGA/BOOT.bin

All the clues so far seem to suggest this might be the case.
 

Offline scient

  • Newbie
  • Posts: 3
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #168 on: October 24, 2023, 06:10:54 am »
To decrypt vendor.bin, this should work. I don't have one (yet) so I can't test for myself. Stumbled across this post and thought I'd help out. Added some notes on how to find key.

Code:
import xxtea

# Key location: .\Sparrow.apk\lib\arm64-v8a\libscope-auklet.so
# CApiUtility::ApiUtility_SaveVendorData(_QWORD *) > CXXTEA::setKeys(int *) > fileKeys
key = b'\x34\xCD\x12\xAB\x34\xCD\x12\xAB\x34\xCD\x12\xAB\x34\xCD\x12\xAB'

# Read the encrypted vendor.bin as raw bytes
with open('vendor.bin', 'rb') as f:
    ven_data = f.read()

# padding=False: treat the file as raw XXTEA data with no padding scheme
ven_dec = xxtea.decrypt(ven_data, key, padding=False)
print(ven_dec)

# Re-encrypt and compare with the original as a round-trip check
ven_enc = xxtea.encrypt(ven_dec, key, padding=False)
print(ven_enc == ven_data)
 
The following users thanked this post: Mechatrommer

Offline akkk44

  • Contributor
  • Posts: 29
  • Country: cn
Re: Hacking the Rigol DHO800/900 Scope
« Reply #169 on: October 24, 2023, 06:50:12 am »
You can create a backup of many Rigol-specific files (incl. vendor.bin and key.data) by typing in the command prompt:
adb connect <IP of your scope>:55555
adb shell rm /rigol/DHO800_DHO900_Update.GEL
adb shell "cd /rigol && sh build_gel.sh"

This creates the DHO800_DHO900_Update.GEL file.
It's a GZIP archive with a DHO800_DHO900_Update (no extension) file inside. That file is a TAR archive containing all files and folders from the "rigol" folder.

It would be awesome if somebody could do this with a 1.14 installation and upload the .GEL file somewhere.

That way everybody could try 1.14 without opening up their 'scope and messing around with SD cards.


Here you go: https://drive.google.com/file/d/1PPwj8Ll_AcQYaTjsKz7_kHFZq16VN0zK/view?usp=drive_link

What is it?
It is an upgrade pack based on the files on my oscilloscope with FW 01.14. The vendor.bin of 924 is already included.

How to use it?
Use the upgrade function of the oscilloscope (remove the extra text in the file name before use). Please refer to Rigol's official FW upgrade guide.
After the upgrade, the FW version would be 01.06 (I don't know why) but there will be no DC offset.
If the waveform disappeared after the upgrade, do a selfcal and it will be back.

Is it safe?
No, if you don't know what you are doing.

Would it work?
Yes. As tested by some other 804 owners.

p.s. It seems that sparrow.apk determines the displayed FW version.

Feeding in a 1Vpp 120MHz sine wave as a demo.

« Last Edit: October 24, 2023, 05:40:29 pm by akkk44 »
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3260
  • Country: pt
Re: Hacking the Rigol DHO800/900 Scope
« Reply #170 on: October 24, 2023, 07:49:13 am »
Options appear to be in /rigol/data/Key.data

I read somewhere that the key file is encrypted using the serial number from vendor.bin but that would imply my serial decoder options should disappear when I change my vendor.bin. But they don't.  :-//

Once again: key.data is only an ECC key for the options. Has no keys inside! It's encrypted with a standard key (in these DHO).
 

Offline nervdg

  • Newbie
  • Posts: 6
  • Country: cn
Re: Hacking the Rigol DHO800/900 Scope
« Reply #171 on: October 24, 2023, 01:08:05 pm »
Options 70MHz to 100MHz and storage depth can be unlocked using an SCPI command, which can be generated by rigol HDO-tools.
https://gitlab.com/riglol/rigolee/hdo-tools
(string BW7TO10,RLU)

« Last Edit: October 24, 2023, 01:14:37 pm by nervdg »
 
The following users thanked this post: Mechatrommer, ebastler, iMo, eklein

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 6676
  • Country: de
Re: Hacking the Rigol DHO800/900 Scope
« Reply #172 on: October 24, 2023, 01:16:25 pm »
Options 70MHz to 100MHz and storage depth can be unlocked using an SCPI command, which can be generated by rigol HDO-tools.
https://gitlab.com/riglol/rigolee/hdo-tools
(string BW7TO10,RLU)

That's nice! Looks like a much cleaner way to enable these options than having to make the scope a pseudo-DHO9x4. Is there also a string to enable 250 MHz bandwidth, by any chance?
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16853
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #173 on: October 24, 2023, 02:32:37 pm »
Options 70MHz to 100MHz and storage depth can be unlocked using an SCPI command, which can be generated by rigol HDO-tools.
https://gitlab.com/riglol/rigolee/hdo-tools
(string BW7TO10,RLU)

That looks like a better way to do it! I'll try it later.

How do you know the possible strings?
 

Offline tv84

  • Super Contributor
  • ***
  • Posts: 3260
  • Country: pt
Re: Hacking the Rigol DHO800/900 Scope
« Reply #174 on: October 24, 2023, 02:37:54 pm »
That's nice! Looks like a much cleaner way to enable these options than having to make the scope a pseudo-DHO9x4. Is there also a string to enable 250 MHz bandwidth, by any chance?

That won't happen. When you want to go above the official options for a certain model, you have to change model.
 

