Hacking the Rigol DHO800/900 Scope

[Martin72]

Bandwith: Proofed..

Additional, bodnarpulser risetime.

[Martin72]

Finally, 50Mpts "proofed"...

[Serg65536]

Finally, 50Mpts "proofed"...

Please, help me, I modified rgtools according to the post https://www.eevblog.com/forum/testgear/rigols-new-dho800-oscilloscope-unbox-teardown/msg5067982/#msg5067982
But the scope ignores my SCPI commands. The format is ": SYSTem: OPTion: INSTall DHO800-BW7T10@<96 char key>" ?
Could you share the working script, please.

UPDATE: ": SYSTem: OPTion: INSTall" should be without spaces, and it WORKS!! 

[Martin72]

Me I typed it in this way into the console:

:SYST:OPT:INST DHO800-RLU@XXXXXXXXXXXXXXXXXX

[Fungus]

Oh -- it's BW7T10, not BW7TO10 as originally stated by nervdg.
That might explain why it didn't work for Fungus.

I think I tried all combinations. Even BW70TO100, etc.

I'll do it again and see... 

[Fungus]

Me I typed it in this way into the console:

:SYST:OPT:INST DHO800-RLU@XXXXXXXXXXXXXXXXXX

I just pushed the "BW7T10.lic" that I generated earlier (same file!) to the 'scope with ADB. I rebooted one last time and it worked! I have no idea why it didn't work before. 

My DHO 804 now says 100Mhz and I have 50Mpts memory.

Weirdly enough I seem to have more bandwidth than before, too. Before I had a rise time of 2.6ns (see previous page) and now I have 2.3ns.

Maybe my 'scope just needed a few hours rest from all the hacking attempts.   

Final state:

[Fungus]

Checking the bandwith with a sml01 generator and 50ohm external resistor.
Bandwith: Proofed..
I think I don´t need a further bandwith upgrade.

Yep, I'm staying with this setup, too. It's enough for me.

[Martin72]

150MHz measured

Take 0.45 in your calculation and you'll get what I've measured before.

[t_i_t_o]

Really... No one is going to try if BW7T20 works?
P.S. I am still waiting for eBay to release the money of my sold DS1054Z to buy the DHO804 and give it a try

[ebastler]

Really... No one is going to try if BW7T20 works?

Martin has tried upgrading to 250 MHz (the highest bandwidth available in the 900 series) without success. 200 MHz is not a bandwidth Rigol offers anywhere in the 800/900 series. It would be a logical next step after the 814 though; maybe worth a try?

Any chance of adding BW7TO25 and BW10TO25 to the script and giving those a try?

Tried...No. 

[csuhi17]

Really... No one is going to try if BW7T20 works?

Martin has tried upgrading to 250 MHz (the highest bandwidth available in the 900 series) without success. 200 MHz is not a bandwidth Rigol offers anywhere in the 800/900 series. It would be a logical next step after the 814 though; maybe worth a try?

Any chance of adding BW7TO25 and BW10TO25 to the script and giving those a try?

Tried...No. 

I haven't seen anyone try it without O
BW7T20

[ebastler]

I am pretty sure both Martin and Fungus did, based on the pre-existing entries in the script. It was just on this thread that the original post mentioning this upgrade approach mis-spelled it as "TO".

[t_i_t_o]

Did some APK unpacking and greping, here is what I found as possible options:
grep -r BW7T1 *
Binary file classes2.dex matches
Binary file lib/arm64-v8a/libscope-auklet.so matches
xxd lib/arm64-v8a/libscope-auklet.so | grep -A 3 BW7
00a39090: 424e 4400 4257 3754 3130 0045 4d42 4400  BND.BW7T10.EMBD.
00a390a0: 434f 4d50 0042 5731 3554 3235 0041 5554  COMP.BW15T25.AUT
00a390b0: 4f00 424f 4445 0042 5737 5432 3000 4257  O.BODE.BW7T20.BW
00a390c0: 3130 5432 3000 524c 5500 4257 3254 3400  10T20.RLU.BW2T4.
00a390d0: 4257 3254 3800 4257 3454 3800 4145 524f  BW2T8.BW4T8.AERO
00a390e0: 0046 4c45 5800 4155 4449 4f00 2e6c 6963  .FLEX.AUDIO..lic

[Fungus]

I haven't seen anyone try it without O
BW7T20

It doesn't work.

[Serg65536]

Did some APK unpacking and greping

I confirm this text fields in 7 apk files on my DHO804 original firmware:
OPT_AERO OPT_ARINC OPT_AUDIO OPT_AUTO OPT_BND OPT_BODE OPT_BW10T20 OPT_BW15T25 OPT_BW2T4 OPT_BW2T8 OPT_BW4T8 OPT_BW7T10 OPT_BW7T15 OPT_BW7T20 OPT_CM_ENET OPT_CM_HDMI OPT_CM_MIPI OPT_CM_USB OPT_COMP OPT_COUNT OPT_DG OPT_EMBD OPT_EYE OPT_FLEX OPT_JITTER OPT_MSO OPT_PWR OPT_RLU OPT_RTSA OPT_UNKNOWN OPT_UPA
These apk files are different copies of base.apk and Sparrow.apk.
Strings near by: "Unknown Forever days Key.data HDO800 HDO900 DHO800 DHO900"

[Serg65536]

150MHz measured bandwidth:

Did you try OPT_BW7T15 OPT_BW7T20?

[Serg65536]

Take 0.45 in your calculation and you'll get what I've measured

Did you try BW7T15 BW7T20?

[Martin72]

I tried BW10T25, but nevertheless, the measured bandwith is 200Mhz (0.707) with BW7T10

[Fungus]

Did some APK unpacking and greping

I confirm this text fields in 7 apk files on my DHO804 original firmware:
OPT_AERO OPT_ARINC OPT_AUDIO OPT_AUTO OPT_BND OPT_BODE OPT_BW10T20 OPT_BW15T25 OPT_BW2T4 OPT_BW2T8 OPT_BW4T8 OPT_BW7T10 OPT_BW7T15 OPT_BW7T20 OPT_CM_ENET OPT_CM_HDMI OPT_CM_MIPI OPT_CM_USB OPT_COMP OPT_COUNT OPT_DG OPT_EMBD OPT_EYE OPT_FLEX OPT_JITTER OPT_MSO OPT_PWR OPT_RLU OPT_RTSA OPT_UNKNOWN OPT_UPA
These apk files are different copies of base.apk and Sparrow.apk.
Strings near by: "Unknown Forever days Key.data HDO800 HDO900 DHO800 DHO900"

I think those files have every string for every Rigol 'scope ever made in them. 

[Fungus]

150MHz measured

Take 0.45 in your calculation and you'll get what I've measured before.

OK, I'm old fashioned. Apparently it's changed to 0.45

My little AWG doesn't go that high but if you have 0.707 amplitude at 200MHz and we both have the same rise time....

... it's time open the "200MHz" bottle and have a party.

[rdtsc]

Just a note that VirusTotal is currently showing 25/72 "detections" for RigolTool.exe:  https://www.virustotal.com/gui/file/436c4795ddb4fd5edfeba5e2bf904811f7f0d061c43b99f9578b01dac3e49eb2/detection

[Fungus]

All your really need to hack it is upload three files with adb.

I want to test if you can use any key file on any 'scope. I think you should be able to.

If so we can just make a zip file with adb.exe and key/license files in it. That's all you need to hack a DHO800.

[tv84]

You can't because the S/N is used in the licenses. Unless everybody is using the same S/N... 

[Fungus]

You can't because the S/N is used in the licenses. Unless everybody is using the same S/N... 

Key.data has to be derived from the S/N otherwise Rigol wouldn't be able to generate licenses for you based on your S/N.

The question is: Does it have to match the S/N when the 'scope is checking the license files?

I don't think it does because I can change my vendor.bin and I still have 50M memory.

eg. Here's my 'scope with the DHO814 vendor.bin that's floating around:


So what's the point of Key.data? I'm not sure... they could easily use the S/N to encrypt the license files instead. 

I want to try making a Key.data with a random number in it and generate some license files for that. If it works then we can just pass three files around for everybody to use instead of getting people to pull their key, generate licenses from it, etc.

[ebastler]

Key.data has to be derived from the S/N otherwise Rigol wouldn't be able to generate licenses for you based on your S/N.
The question is: Does it have to match the S/N when the 'scope is checking the license files?
[...]
I want to try making a Key.data with a random number in it and generate some license files for that. If it works then we can just pass three files around for everybody to use instead of getting people to pull their key, generate licenses from it, etc.

While this might work, it would give Rigol the option (via a future firmware update) to invalidate licenses generated with a non-matching key. Nobody knows whether Rigol will ever be inclined to do that, but I would prefer to stick with licenses and keys which are indistinguishable from the official ones.