Author Topic: Hacking the Rigol DHO800/900 Scope  (Read 1596318 times)


Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2100 on: March 12, 2024, 03:03:39 pm »
I disassembled it through APKLab

I was using APKLab, but previously it was disassembled by apktool (without APKLab). Maybe that's the reason.

maybe you changed the .java files

Only one .java file also, but mostly files as I said before.


Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2101 on: March 12, 2024, 03:18:04 pm »
BTW. FPGA Image from DHO1000 works, however after reflashing I see no changes - not at all. BTW2. PLL is driven by a kernel module.
The DHO1000 has a completely different FPGA (Artix) and its firmware (configuration) cannot work on the FPGA in the DHO800/900 (Zynq). There are no changes, probably because foreign firmware is not accepted by this FPGA and its native firmware is loaded into it.
 
The following users thanked this post: egonotto, AceyTech

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2102 on: March 12, 2024, 03:19:53 pm »
I was using APKLab, but previously it was disassembled by apktool (without APKLab). Maybe that's the reason.
Yes, most likely because of this.

Only one .java file also, but mostly files as I said before.
This is useless, .java files are not compiled when building :)
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2103 on: March 12, 2024, 03:23:07 pm »
However... Now I tried to move generated apk into another folder, unpack+disassemble it and rebuild it back - looks like it works (because of crash...). Of course that is not good way to test changes.
I haven't encountered anything like this. I disassembled it through APKLab, and put it back together through it - everything worked.


apklab, apkeditor, and apktool all work for me. Each has its quirks. Realign zip (apk) and signing I do on a Windows machine that has Android Studio and the platform & build tools.
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2104 on: March 12, 2024, 03:27:00 pm »
BTW. FPGA Image from DHO1000 works, however after reflashing I see no changes - not at all. BTW2. PLL is driven by a kernel module.
The DHO1000 has a completely different FPGA (Artix) and its firmware (configuration) cannot work on the FPGA in the DHO800/900 (Zynq). There are no changes, probably because foreign firmware is not accepted by this FPGA and its native firmware is loaded into it.

Maybe I'm wrong, but it's the same datasheet. And it works - currently I don't see any changes at all after that.

EDIT: Yeah, I missed last part of Your post. "...firmware is not accepted by this..."
« Last Edit: March 12, 2024, 03:33:21 pm by norbert.kiszka »
 

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2105 on: March 12, 2024, 03:29:06 pm »
apklab, apkeditor, and apktool all work for me. Each has its quirks. Realign zip (apk) and signing I do on a Windows machine that has Android Studio and the platform & build tools.
I settled on VS Code + APKLab as the most convenient option. And it’s convenient to edit files, and all build processes are automated :)
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2106 on: March 12, 2024, 03:34:46 pm »
If You select msdos partition table before quick search, then testdisk will assume 4 root partitions at max. Try to select GPT.

If You want to find much more things, then use binwalk.
Yes correct, the partition layout, even if there is no partition table as such, appears to be GPT:

Code:
Disk sd-card-image - 31 GB / 29 GiB - CHS 3857 255 63
     Partition               Start        End    Size in sectors
>P Linux filesys. data       548864     811007     262144
 P Linux filesys. data       811008    5005311    4194304 [system]
 P Linux filesys. data      5005312    5038079      32768
 P Linux filesys. data      5047360    6071359    1024000 [rigol]
 P Linux filesys. data      6299648   61951999   55652352

I made image of sdcard and then connected it to /dev/loop9, ran testdisk on that device.
I get the same as you show here, but did you try to use the p, c, and C hotkeys on any dir or file? I can see filenames and such in the various slices testdisk shows, same structure as in the live DHO, but when I try to copy out a file the C just places an empty folder.
Even after testdisk can you mount the block device ?

Also noted, when I run testdisk on that loop9, it throws a warning "the partion table detected is GPT EFI, do not select none".
« Last Edit: March 12, 2024, 03:37:31 pm by Randy222 »
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2107 on: March 12, 2024, 03:37:39 pm »
If You select msdos partition table before quick search, then testdisk will assume 4 root partitions at max. Try to select GPT.

If You want to find much more things, then use binwalk.
Yes correct, the partition layout, even if there is no partition table as such, appears to be GPT:

Code:
Disk sd-card-image - 31 GB / 29 GiB - CHS 3857 255 63
     Partition               Start        End    Size in sectors
>P Linux filesys. data       548864     811007     262144
 P Linux filesys. data       811008    5005311    4194304 [system]
 P Linux filesys. data      5005312    5038079      32768
 P Linux filesys. data      5047360    6071359    1024000 [rigol]
 P Linux filesys. data      6299648   61951999   55652352

I made image of sdcard and then connected it to /dev/loop9, ran testdisk on that device.
I get the same as you show here, but did you try to use the p, c, and C hotkeys on any dir or file? I can see filenames and such in the various slices testdisk shows, same structure as in the live DHO, but when I try to copy out a file the C just places an empty folder.
Even after testdisk can you mount the block device ?

Nah.. I used offsets shown in testdisk to mount it using another terminal emulator.

Edit: testdisk works directly from an image file - I don't see any point to use loop.

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2108 on: March 12, 2024, 03:41:53 pm »
Maybe I'm wrong, but it's the same datasheet. And it works - currently I don't see any changes at all after that.
No, they are quite different. The Zynq Z-7015 (DHO800/900) has a much less powerful FPGA than the XC7A100T (DHO1000). Not to mention that Zynq has an additional integrated processor core.
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2109 on: March 12, 2024, 03:43:09 pm »
Don't use dd, use ddrescue.

If there is no problem with reading data, then dd, ddrescue and cp will do same job. cp can't do offsets but it's faster.
And somehow you know that every block on a block device is ok? And just to be clear, not everything is a "file". Block devices can be a file, they can also be ext hardware like sdcard, or spindle drive, or ssd.
The /dev/[files] are mappings, this however does not mean my /dev/sda is a img file somewhere on a mounted filesystem, it could be ext attached hardware.
When I image a disk to /home/myimage.img, "stat myimage.img" shows inode "reg file". If I map that img to /dev/loop9, "stat /dev/loop9" shows inode block device. 100% all files. This is not the same as /dev/sdb that maps to my USB sdcard.

dd has limitations, gddrescue, ddrescuew, and a few other "ddrescue" variants get beyond some pitfalls of dd. ;)

If it's a file, dd should be problem free. If it's hardware then something other than dd is a better choice.
« Last Edit: March 12, 2024, 03:47:54 pm by Randy222 »
 

Offline Bob_McBob

  • Contributor
  • Posts: 16
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2110 on: March 12, 2024, 03:45:44 pm »
I've tried to go through the thread, but it's a little daunting reading so many pages of posts. Is the bandwidth and memory hack stable enough that there's no point spending the extra on the DHO814 instead of the DHO804? I saw a recent comment on Youtube that someone was having issues applying it to the latest firmware, is that going to be a problem?
 

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2111 on: March 12, 2024, 03:47:16 pm »
I've tried to go through the thread, but it's a little daunting reading so many pages of posts. Is the bandwidth and memory hack stable enough that there's no point spending the extra on the DHO814 instead of the DHO804? I saw a recent comment on Youtube that someone was having issues applying it to the latest firmware, is that going to be a problem?
No, you can easily get 814 from 804, and even 924 with full bandwidth.
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2112 on: March 12, 2024, 03:48:27 pm »
Don't use dd, use ddrescue.

If there is no problem with reading data, then dd, ddrescue and cp will do same job. cp can't do offsets but it's faster.
And somehow you know that every block on a block device is ok? And just to be clear, not everything is a "file". Block devices can be a file, they can also be ext hardware like sdcard, or spindle drive, or ssd.
dd has limitations, gddrescue, ddrescuew, and a few other "ddrescue" variants get beyond some pitfalls of dd. ;)

If it's a file, dd should be problem free. If it's hardware then something other than dd is a better choice.

I'm using cp to flash SD cards (and other devices) without any problems so far.

Maybe I'm wrong, but it's the same datasheet. And it works - currently I don't see any changes at all after that.
No, they are quite different. The Zynq Z-7015 (DHO800/900) has a much less powerful FPGA than the XC7A100T (DHO1000). Not to mention that Zynq has an additional integrated processor core.

https://www.mouser.com/pdfDocs/zynq-7000-product-selection-guide.pdf

Maybe it is, but (probably) nobody tried to disassemble it to see what was changed between those scope series.

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2113 on: March 12, 2024, 03:50:18 pm »
If You select msdos partition table before quick search, then testdisk will assume 4 root partitions at max. Try to select GPT.

If You want to find much more things, then use binwalk.
Yes correct, the partition layout, even if there is no partition table as such, appears to be GPT:

Code:
Disk sd-card-image - 31 GB / 29 GiB - CHS 3857 255 63
     Partition               Start        End    Size in sectors
>P Linux filesys. data       548864     811007     262144
 P Linux filesys. data       811008    5005311    4194304 [system]
 P Linux filesys. data      5005312    5038079      32768
 P Linux filesys. data      5047360    6071359    1024000 [rigol]
 P Linux filesys. data      6299648   61951999   55652352

I made image of sdcard and then connected it to /dev/loop9, ran testdisk on that device.
I get the same as you show here, but did you try to use the p, c, and C hotkeys on any dir or file? I can see filenames and such in the various slices testdisk shows, same structure as in the live DHO, but when I try to copy out a file the C just places an empty folder.
Even after testdisk can you mount the block device ?

Nah.. I used offsets shown in testdisk to mount it using another terminal emulator.

Edit: testdisk works directly from an image file - I don't see any point to use loop.
mounted using what type of filesystem?

I was trying to mount the loop block device.

Emulator? We can use losetup with offset and sizelimit switches. I'll try that next.
« Last Edit: March 12, 2024, 03:58:05 pm by Randy222 »
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2114 on: March 12, 2024, 03:53:42 pm »
I've tried to go through the thread, but it's a little daunting reading so many pages of posts. Is the bandwidth and memory hack stable enough that there's no point spending the extra on the DHO814 instead of the DHO804? I saw a recent comment on Youtube that someone was having issues applying it to the latest firmware, is that going to be a problem?
As mentioned, yes.
If you want 4ch 800, get the 804 and turn it into a 924. That's how my 804 runs.

It's not hard, a bit tricky though, you really need to know adb and how to connect via ssh. The tool created by zelea2 runs directly on the dho.
Once you get access to the dho, adb pull the various files for backup reasons. The whole process is rather painless.
 

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2115 on: March 12, 2024, 03:54:13 pm »
Maybe it is, but (probably) nobody tried to disassemble it to see what was changed between those scope series.
No one has tried to disassemble the DHO1000? Of course someone tried :)
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2116 on: March 12, 2024, 03:56:03 pm »
I've tried to go through the thread, but it's a little daunting reading so many pages of posts. Is the bandwidth and memory hack stable enough that there's no point spending the extra on the DHO814 instead of the DHO804? I saw a recent comment on Youtube that someone was having issues applying it to the latest firmware, is that going to be a problem?
No, you can easily get 814 from 804, and even 924 with full bandwidth.

One of my reasons why I did buy 924S was different passive probes (350 MHz instead of 150 MHz) included.

mounted using what type of filesystem?

I was trying to mount the loop block device.

Code:
mount -t ext4 imageFile.bin /mount/point -o offsetAndSizeOptions
In past years something was changed and I don't need to add option loop - mount does this automatically.

It's not hard, a bit tricky though, you really need to know adb and how to connect via ssh. The tool created by zelea2 runs directly on the dho.
Once you get access to the dho, adb pull the various files for backup reasons. The whole process is rather painless.

Code:
adb root
adb shell

So there is no need to use ssh at all.

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2117 on: March 12, 2024, 04:00:02 pm »
Maybe it is, but (probably) nobody tried to disassemble it to see what was changed between those scope series.
No one has tried to disassemble the DHO1000? Of course someone tried :)


I meant flash binary, not scope teardown.

Offline AndyBig

  • Frequent Contributor
  • **
  • Posts: 394
  • Country: ru
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2118 on: March 12, 2024, 04:03:35 pm »
I meant flash binary, not scope teardown.
Ah, got it. Here's another disappointment - parsing the FPGA configuration binary is almost impossible, at least for any practical purpose.
 

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2119 on: March 12, 2024, 04:05:50 pm »



Code:
mount -t ext4 imageFile.bin /mount/point -o offsetAndSizeOptions
In past years something was changed and I don't need to add option loop - mount does this automatically.



Code:
adb root
adb shell

So there is no need to use ssh at all.
adb is a bit clunky, unless you use an add-on gui app.
I use putty for ssh, open putty, dbl-click my "rigol" profile name, I'm in.
I only use adb to push and pull files, and where bin tools in ssh have been deprecated and can only be used via adb, like package lists, need to use 'adb shell cmd package'. I said it before, Android is a wonky system, way overly convoluted, but I guess Google needed to say they had their own Linux OS.
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2120 on: March 12, 2024, 04:12:49 pm »
adb is a bit clunky, unless you use an add-on gui app.
I use putty for ssh, open putty, dbl-click my "rigol" profile name, I'm in.
I only use adb to push and pull files, and where bin tools in ssh have been deprecated and can only be used via adb, like package lists, need to use 'adb shell cmd package'. I said it before, Android is a wonky system, way overly convoluted, but I guess Google needed to say they had their own Linux OS.

adb shell works a little slow (I didn't compare it to ssh because I didn't use it on this scope) if You meant this.

Putty - so looks like You are using Windows. That also can make a difference.

About Android, yeah, they took Linux kernel and they made Windows 3.11 from it. That's why I made my Debian build to work on this scope - but X is a little unstable, with same error in logs after every crash.

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2121 on: March 12, 2024, 04:55:06 pm »


mounted using what type of filesystem?

I was trying to mount the loop block device.

Code:
mount -t ext4 imageFile.bin /mount/point -o offsetAndSizeOptions
In past years something was changed and I don't need to add option loop - mount does this automatically.


Ok, I found it.

It's 512 sector size. So, when mounting using the START number found from testdisk, offset for mount is really -o offset=$((512* [start number])), so example something like mount -t ext4 -o offset=$((512*811088)) [PATH_TO_IMG] [PATH_TO_EMPTY_DIR]

So for readers here, image the sdcard (I use ddrescue or the like, not dd), then you can run testdisk on the image (choose EFI/GPT as partition header type), do "analyse" to find the START numbers of the slice, then you can mount that slice per above. Best to view the slices using the 'p' hotkey to see if the slice is empty or not, as there's no reason to mount an empty slice.

« Last Edit: March 12, 2024, 09:15:01 pm by Randy222 »
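
Added example (not part of the post above or of any tool from this thread): the sector-to-byte-offset step as a shell script, run over the testdisk listing quoted earlier in the thread, plus a check for the ext2/3/4 superblock magic before mounting. The mount point /mnt/system is an assumption; the mount line is only printed, and it uses ro so the image is not modified.

```shell
#!/bin/sh
# Added example: convert testdisk start sectors into byte offsets for a
# read-only loop mount of one slice of an SD-card image.
SECTOR=512   # sector size, as stated in the post above

# The testdisk listing quoted in this thread, embedded as sample input.
TESTDISK_LIST='>P Linux filesys. data       548864     811007     262144
 P Linux filesys. data       811008    5005311    4194304 [system]
 P Linux filesys. data      5005312    5038079      32768
 P Linux filesys. data      5047360    6071359    1024000 [rigol]
 P Linux filesys. data      6299648   61951999   55652352'

# slice_table: one line per slice: start_sector byte_offset byte_size label
slice_table() {
    printf '%s\n' "$TESTDISK_LIST" | awk -v ss="$SECTOR" '
    {
        sub(/^[> ]*P +Linux filesys\. data +/, "")
        start = $1; last = $2; size = $3; label = ($4 == "" ? "-" : $4)
        # Reject rows where Start/End/Size disagree (mis-copied listing).
        if (last - start + 1 != size) { print "bad row: " $0 > "/dev/stderr"; next }
        printf "%d %.0f %.0f %s\n", start, start * ss, size * ss, label
    }'
}

# has_ext_magic IMAGE BYTE_OFFSET: true if the slice carries the ext2/3/4
# magic 0xEF53 (bytes 53 ef on disk) at superblock offset 1024 + 56.
has_ext_magic() {
    magic=$(od -An -tx1 -j "$(( $2 + 1024 + 56 ))" -N 2 "$1" | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# mount_cmd IMAGE START_SECTOR MOUNTPOINT: print (do not run) the mount line.
# ro keeps the image unmodified; sizelimit stops reads at the slice end.
mount_cmd() {
    slice_table | awk -v img="$1" -v s="$2" -v mp="$3" '$1 == s {
        printf "mount -t ext4 -o ro,loop,offset=%s,sizelimit=%s %s %s\n",
               $2, $3, img, mp }'
}

# /mnt/system is a hypothetical mount point.
mount_cmd sd-card-image 811008 /mnt/system
```

A slice that fails has_ext_magic is either empty or not ext2/3/4, which matches the advice above to skip empty slices.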
 

Offline S2084

  • Regular Contributor
  • *
  • Posts: 73
  • Country: cz
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2122 on: March 12, 2024, 04:59:33 pm »

I have 924S, later I will do some photosmodules

@norbert.kiszka I still dare to remind you.....
« Last Edit: March 12, 2024, 05:01:40 pm by S2084 »
 

Offline norbert.kiszka

  • Regular Contributor
  • *
  • Posts: 227
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2123 on: March 12, 2024, 06:52:08 pm »

I have 924S, later I will do some photosmodules

@norbert.kiszka I still dare to remind you.....

As for now I never removed heatsink. I was going to modify one channel, but I didn't. Also I can't find thermopads - I'm not sure if I can reuse existing ones after heatsink removal (maybe clean them with isopropyl?).

Anyway, I just did two photos just above heatsink. If You need something more (right now without removing heatsink), just give me a sign.

If You are going to change only HW number, then read my previous posts about it, because You can change it in "soft" way, without changing resistors or decompiling anything.

Offline Randy222

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: ca
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2124 on: March 12, 2024, 06:53:00 pm »
After some sdcard edits, got my scope back.

I believe this older droid uses sdcardfs on android_meta and android_expand partitions. sdcardfs apparently is a layer that does not use block addressing.
From what I know of and read about sdcardfs, ext4 is the underlying filesystem. Yep, android is as goofy as they come.

Another interesting note, vold has expand encryption keys in /data/misc/vold dir

 

