Hacking the Rigol DHO800/900 Scope

[Fungus]

With the latest firmware you should have the file /rigol/data/RKey.data

Depending on what you're after it can enough to upload a vendor.bin file.

(eg. make it into a DHO914 - that has ALL the options and ~225Mhz bandwidth).

[arturmariojr]

Many thanks for prompt reply, but believe me, as the directory listing on my previous post, really don't exist neither Key or RKey files.
I did a find . RKey.* and find . Key.* on all Sd and nothing.
I would like to keep the modelo and unlock Just the options.
As I understood, you are telling that maybe the Key file Will be not necessary, is this correct, but I'll have the model chanhed.
As last question: these Key or RKey are the scope keyboard (front painel) mapping ? If so,  as my model is dho804 (four Channel, 70MHz), someone couldn't send me a copy of his/her file?

[Fungus]

I would like to keep the modelo and unlock Just the options.

You need RKey.data to do that... 

RKey.data has your serial number in it. You need it to generate license keys.

[arturmariojr]

The most strange: when I access the About screen, the serial number and all original data is show, along with the new firmware code .....02.
There would be in Linux a way to search for my serial number inside any file?
Those information comes from querer, so?
 
I'll see tomorrow If the Rigol web control page (the one that we access by web  browsing by instrument IP address) gives me some Idea from where It takes such data.

[Fungus]

The most strange: when I access the About screen, the serial number and all original data is show, along with the new firmware code .....02.

The serial number is also in vendor.bin but you need the one in RKey.data for any licenses to work.

When did you buy it? What firmware version have you got?

Maybe they removed it in a new version because technically there's no licenses for sale, we're just hacking.

[Fungus]

Is there any way you might have deleted it? The 'scope will still work without it.

If you don't have RKey.data then your best option is to make it into a DHO914.

[shapirus]

If you don't have RKey.data then your best option is to make it into a DHO914.

Why not a 924?

[arturmariojr]

Is there any way you might have deleted it? The 'scope will still work without it.

No, I bought it has two weeks only. Just installed the new firmware from ....01 to ....02 and started the upgrade steps.  Just make the file copy and, when I was search both files, Just one was there...
[/quote]

I believe RIGOL is excluding key file intencionally when updating to 00.01.02.00.02, as the page Welcome.html has all oscilloscope data written in html code, it's not a script that fill the fields - it is hard coded. So, this page was generated when installing the ...02 version and the key file was deleted. So, no upgrade keeping the original model, and lost of warranty if you upgrade it.

If you don't have RKey.data then your best option is to make it into a DHO914.

Well, I will have to do this...
By the way, ALL of your ARE indeed fabulous with this incredible work!

In the pages where you teaches how to upgrade, there is information how to change the model, serial, etc... after upgrading, Í'll try that and hope the Logic Analyzer button disappears.

[arturmariojr]

Just my little contribution for upgrading or just updating the RIGOL DHO800 series, if you don't want read all 110 pages on this thread:

General instructions:

Beware!!! Before anything, check if you have in scope dir  /rigol/data  two important files:
vendor.bin  and  Key.data or RKey.data

If you have them, before any update or upgrade, copy them to your computer, mainly the Key.data ou Rkey.data – after updating mine from 00.01.02.00.01  to 00.01.02.00.02, this EXTREMILLY IMPORTANT file disappeared.

After copying both files to a secure place, as told above, and before changing the oscilloscope model, you need to make sure that it has firmware version 00.01.02.00.02 or later installed, otherwise, after changing the model from 8xx to 9xx, you will get unpleasant vertical shifts on the channels.

Make a backup of oscilloscope directory /rigol/data/  at least.
(follow instructions on page 61 of this thread)

Now, specific instructions for those who does not have the Key or RKey files, copyed mainly from page 61 on this thread and added with other informations:

2 (I would call it 3 or 2.1) - Same as the previous one (changing the model), alternative method:
See the oscilloscope IP address in the menu/utility/IO and take note of it:
Mine is 192.168.0.14

I believe you have already downloaded the ADB package and unzipped it to some directory.
(if not, download it now from this address and unzip it to some directory in your computer: https://developer.android.com/tools/releases/platform-tools
)

Download the file "generate_all_options" into the ADB directory (see above) from:
https://github.com/zelea2/rigol_vendor_bin/releases


From the ADB directory, launch the DOS command line.

On the DOS command line window, write the command:
adb connect 192.168.0.14:55555
Of course, replace the address 192.168.1.14 with the address of your oscilloscope.

Now write the command:
adb push generate_all_options /rigol/data/

This will copy the "generate_all_options" file to the oscilloscope in the "/rigol/data" directory.

Launch the oscilloscope LINUX terminal on DOS command line window:
adb shell

Now you should see the oscilloscope terminal command line with the following prompt - "rk3399_rigol:/$".

Write the command:
su
The $ sign in the tooltip should change to #. This gives administrator rights to manipulate files.

Go to the "/rigol/data" directory:
cd /rigol/data

Make the file "generate_all_options" in this directory executable:
chmod 777 generate_all_options

Run the file "generate_all_options":
./generate_all_options

As a result of executing this file, information about the operation of the program should appear in the terminal, something like this:

Rigol 'vendor.bin' encoder/decoder v1.2 - Zelea
-------------------------------------------------- ---------
Model: DHO914
SN: DHO9A25xxxxxxxx
MAC: 0019xxxxxxxx
-------------------------------------------------- ---------
Generating options for DHO914
-------------------------------------------------- ---------
BW15T25 EMBD AUTO COMP BODE
-------------------------------------------------- ---------

After all, exit from shell and DOS command window keying on:
exit  ENTER  exit ENTER

Turn off and on the scope and verify the success of operation!

[Fungus]

If you don't have RKey.data then your best option is to make it into a DHO914.

Why not a 924?

It's all about sample rate to bandwidth ratios.

DHO924 bandwidth is too high for the 625MHz sample rate when just two channels are enabled, DHO914 bandwidth isn't.

DHO914 bandwidth is too high when more than two channels are enabled, which is why licensed DHO800 is preferred.

You might never notice this in practice.

You don't gain much by making it a DHO924 though.

[arturmariojr]

Please, the instructions I put above are correct? I'm very afraid of upgrading my expensive oscilloscope, as I have already lost the key file...

[arturmariojr]

I go with Fungus, as him explained.

Also, the "script" generate_all_options  described bellow has no option, as I can see, to model 924.

Could you verify the instruction I put above, please?

Best regards
Artur

[Fungus]

Please, the instructions I put above are correct? I'm very afraid of upgrading my expensive oscilloscope, as I have already lost the key file...

I don't think the license generator will work without the key file.


I'm sure you can't hurt anything though. Back up your /rigol folder first...

adb pull /rigol

[Mechatrommer]

If you don't have RKey.data then your best option is to make it into a DHO914.

Why not a 924?

Why not a 924S?

Please, the instructions I put above are correct? I'm very afraid of upgrading my expensive oscilloscope, as I have already lost the key file...

if anything fails, including asking from Rigol your original key.data, you can still use hubertyoung's 924 FW with vendor.bin and key.data so download it while you still can, dont rely too much on cloud thing. lesson learnt... backup your original FW from factory before doing anything, make your upgraded/hacked FW on another SD card iirc this is the second time i mentioned it.. 32GB sd card is just like $5. cheers.

[ebastler]

For what it's worth, when I got my DHO1000 in early November, it also came without the key.data file. At the time I put that down to the scope being an early unit which might have been sitting on the shelf for a long time, before Rigol eventually sold it off via the Black Friday sale.

I was able to generate the key.data file based on the the identical information that resides in the FRAM chip on the main board. The key ingredients were

• the Go program from this post: https://www.eevblog.com/forum/testgear/hacking-the-hdo1khdo4k-rigol-12-bit-scope/msg4501300/#msg4501300, and
  
• very helpful hints from user veteran68 on how to get that program to run: https://www.eevblog.com/forum/testgear/hacking-the-hdo1khdo4k-rigol-12-bit-scope/msg5250381/#msg5250381
  

If your DHO800 really has the same problem and the above information does not suffice, I can dig out my notes and try to help.

[Fungus]

the key file is derived cryptographically from the serial number in vendor.bin but I don't know if we have the secret key to do it.

Anybody...?

[ebastler]

the key file is derived cryptographically from the serial number in vendor.bin

Is that so? Do you have a source/reference for that?

If I recall correctly, the jury is still out on that one. The key file might also be totally independent of the serial number, and Rigol maintains a database of key.data vs. serial number which they use to generate upgrade license keys.

In any case, the "generate key.data from FRAM dump" approach mentioned above is known to work -- at least for the DHO1000, but I see no reason why the 800 should be fundamentally different.

[arturmariojr]

Great! I will read about the Go and commentaries. I'm really not  experienced on doing such low level interventions, but
with your previous help I hope get It upgraded.

[Fungus]

the key file is derived cryptographically from the serial number in vendor.bin

Is that so? Do you have a source/reference for that? The key file might also be totally independent of the serial number, and Rigol maintains a database of key.data vs. serial number

That seems like a lot of work to me - very unlikely considering they knowingly leave Android debug mode enabled.

[arturmariojr]

Is there a way to copy entire SD card to some folder in my PC running Windows without having to open the scope and removing de SD from it??

I found these commands on this thread:

dd if=/dev/sda    of=/path/to/backup.img  (but it seens to me this must be run in shell command, so, the destiny is not a windows folder or a sd installed in my computer)

Other one:
Executing /rigol/build_gel.sh can generate a backup of the current running version of firmware!

I believe this is too much for me. I don't have the knowledge fur such operations.

[bulba99]

I tested the below method to recover Key.data/RKey.data files using @Zelea2 tools (many thanks).

1. We copy nv-mem, e.g. to /rigol/temp/ and give permissions 777
2. Run nv-mem -r to create the FRAM.bin file and download it to your computer
3. Open FRAM.bin in the hex editor, select 0x94 bytes from offset 0x011C and save them to the Key.data file.
4. Verify the Key.data file by running rigol_vendor_bin.exe -d -o, the Key.dec text file should be created
5. If a Key.dec file has been created, copy the Key.data file to /rigol/data/
6. Restart the oscilloscope.
7. Depending on the installed FW, the Key.data file will remain in the /rigol/data/ directory or RKey.data will be created
8. We can now generate options

Alternatively, instead of p.2 and p.3 you can run: nv-mem -r -s 0x11C -l 0x94 Key.data to get the Key.data file directly

[mrisco]

The DHO800/900 oscilloscope runs Android as the OS so it is possible to install Android applications and, by using some hacks, control external equipment like a Riden external power supply via Python scripting.

https://github.com/mriscoc/RIGOL_DHO800_DHO900_GUI/discussions/5

[arturmariojr]

I did it! Many thanks for precious support!
At the end, it seems that the important file is the vender.bin, which can be generated by rigol_vendir_bin as wished. My generated key.data by nv-mem was filled with 00 at indicated star-size instructions.
Got the model 914!

Mem depth from 1k to  50M - great!

In options I can see:
1 Embedded serial bus trigger and analyzes: forever
2 Auto serial bus trigger and analysis: forever
3 Computer serial trigger and analysis  (RS232/UART): forever
4 Blode plot (packed with signal source)

My question: is it possible to execute Bode analyzes with an external function generator, as my model doesn't have the internal function generator? The menu option is not shown. (as bellow, no, we need the extra AFG board).

PS: some other improvements to this scope:
- someone trying to make his own AFG module for Rigol DHO800 series!
https://www.eevblog.com/forum/testgear/rigol-dho804-bode-plot

- Improvements on GUI: https://www.patreon.com/mriscoc/shop/rigol-dho800-900-sparrow-extended-gui-204640

- better FFT analyzes:
https://github.com/mriscoc/RIGOL_DHO800_DHO900_GUI/releases/tag/FFTAVG0.3.3

And more from our friend just above this message:
https://github.com/mriscoc/RIGOL_DHO800_DHO900_GUI/discussions/5

Some protective cases:
https://eleshop.eu/rigol-bag-800.html
https://www.aliexpress.com/item/1005005213947242.html (select large size)
https://www.aliexpress.com/item/33004483750.html
https://www.aliexpress.com/item/1005006312639453.html

Front cover:
https://grabcad.com/library/rigol-dho-800-900-front-cover-1


artur

[ebastler]

My question: is it possible to execute Bode analyzes with an external function generator, as my model doesn't have the internal function generator? The menu option is not shown.

Congratulations on fixing and upgrading your scope!

Unfortunately external function generators are not supported for Bode analysis. It's an approach Rigol has not implemented on any of their scopes -- they always rely on a built-in module. While Rigol is not offering the signal generator as a retrofittable option either, user @mechatrommer here is working on a reverse-engineered signal generator module that can be added to DHO800 and 900 scopes.

[airwolf1988]

Tried and followed the manual that provided

rk3399_rigol:/ $ su
rk3399_rigol:/ # cd /rigol/data
rk3399_rigol:/rigol/data # chmod 777 generate_all_options
rk3399_rigol:/rigol/data # ./generate_all_options

Rigol 'vendor.bin' encoder/decoder v1.2 - Zelea
-----------------------------------------------------------
Model: DHO814
SN:    DHO8AXXXXXXX
MAC:   XXXXXXXXXXX
-----------------------------------------------------------
Generating options for DHO814
-----------------------------------------------------------
RLU BW7T10 EMBD AUTO COMP
-----------------------------------------------------------
rk3399_rigol:/rigol/data # exit
rk3399_rigol:/ $ exit


And after reboot there are no additional options like CAN decoding.
FW version is:
Firmware Revision:   00.01.02
I did a whole backup beforehand and i did copy /rigol/data to my pc (Key.data and vendor.bin)