Author Topic: Hacking the Rigol DHO800/900 Scope  (Read 1595997 times)


Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 194
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2750 on: June 07, 2024, 04:02:05 am »
Tried and followed the manual that was provided

rk3399_rigol:/ $ su
rk3399_rigol:/ # cd /rigol/data
rk3399_rigol:/rigol/data # chmod 777 generate_all_options
rk3399_rigol:/rigol/data # ./generate_all_options

Rigol 'vendor.bin' encoder/decoder v1.2 - Zelea
-----------------------------------------------------------
Model: DHO814
SN:    DHO8AXXXXXXX
MAC:   XXXXXXXXXXX
-----------------------------------------------------------
Generating options for DHO814
-----------------------------------------------------------
RLU BW7T10 EMBD AUTO COMP
-----------------------------------------------------------
rk3399_rigol:/rigol/data # exit
rk3399_rigol:/ $ exit


And after reboot there are no additional options like CAN decoding.
FW version is:
Firmware Revision:   00.01.02
I did a whole backup beforehand and I copied /rigol/data to my PC (Key.data and vendor.bin).

First, see the part of the guide that says:
Quote

To see the full version of the firmware, and not just its first three numbers, click the "About Product" item in the "Utility" menu three times in a row.
If the current firmware version is less than 00.01.02.00.02...
You can't see if it's fully updated without ^^

Then, you need to make it a 914/924 to get the decoders. 
Code:
./generate_all_options -M DHO914
 
The following users thanked this post: airwolf1988

Offline arturmariojr

  • Contributor
  • Posts: 44
  • Country: br
  • Passionate on electronics and calculators!
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2751 on: June 07, 2024, 01:38:07 pm »
Isn't it the 914 model that has more options?

814: Parallel, RS232/UART, I2C, SPI
914: Parallel, RS232/UART, I2C, SPI, CAN and LIN


 

Offline airwolf1988

  • Newbie
  • Posts: 4
  • Country: si
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2752 on: June 07, 2024, 06:30:20 pm »
I updated to latest FW that is on Rigol website.
Build date 24/01/03 20:10:46
00.01.02.00.02

Scope reports this as 00.01.02 - weird it should show minor as well.

Interestingly enough, now I do have the
Auto serial bus trigger and analysis license, but the status is Limit.
Not sure if it is time limited or anything else.

I will try and do some CAN tests tomorrow, but these are hay days here (farmers are baling and storing hay) and my phone is off the hook.

And yes 914 has more options, LA as well but that is HW dependent.
 

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 194
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2753 on: June 07, 2024, 10:14:51 pm »
I updated to latest FW that is on Rigol website.
Build date 24/01/03 20:10:46
00.01.02.00.02

Scope reports this as 00.01.02 - weird it should show minor as well.

Interestingly enough, now I do have the
Auto serial bus trigger and analysis license, but the status is Limit.
Not sure if it is time limited or anything else.

Yeah, it's odd that we have to use an undocumented feature (Testmode) to uncover the full version number.  Without it, normal users wouldn't know which of the last few version updates they have loaded on their 'scope.  They didn't think that one through.

Nobody here understands why Rigol adopted this nonsensical version numbering scheme, especially given their release rate for updates.
My theory: The "Version Control" person/department is trying really hard to justify their employment.
 

Offline TomKatt

  • Frequent Contributor
  • **
  • Posts: 475
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2754 on: June 08, 2024, 12:52:10 am »
The perception I get from the internet is that both Rigol and Siglent condone hacking at the hobbyist level.  If that is true - and it seems to be, as they don’t secure these products very strongly despite knowing the hacking occurs - it’s a bit strange that Rigol makes it so complicated.  Or, maybe Rigol is actually trying to prevent the hacks with the new models? 
Several Species of Small Furry Animals Gathered Together in a Cave and Grooving with a PIC
 

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 194
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2755 on: June 08, 2024, 05:49:14 am »
The perception I get from the internet is that both Rigol and Siglent condone hacking at the hobbyist level.  If that is true - and it seems to be, as they don’t secure these products very strongly despite knowing the hacking occurs - it’s a bit strange that Rigol makes it so complicated.  Or, maybe Rigol is actually trying to prevent the hacks with the new models?

I think the common perception is that they are pretty sloppy in some areas of their design(s).  In this case it's in the Android implementation.  Wish I was a software guy.  :-/O


Hey, speaking of software:  Does anyone know how to send output msgs to the UART from the bash scripts?  I need to test something.  Thanks!
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3260
  • Country: pt
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2756 on: June 08, 2024, 07:59:52 am »
the key file is derived cryptographically from the serial number in vendor.bin but I don't know if we have the secret key to do it.

Anybody...?

Unless you have inside info, there's no way to know that.

Why not random? Why not based on the MCU ID, the MAC address, etc, etc... Pick your number.

The day you see a validation of that pubkey, it's the day you'll find out how it's generated.
 
The following users thanked this post: egonotto

Online tv84

  • Super Contributor
  • ***
  • Posts: 3260
  • Country: pt
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2757 on: June 08, 2024, 08:05:59 am »
The strangest thing: when I access the About screen, the serial number and all original data are shown, along with the new firmware code .....02.
Is there a way in Linux to search for my serial number inside any file?
Where does that information come from, then?
 :wtf:
I'll see tomorrow if the Rigol web control page (the one we access by browsing to the instrument IP address) gives me some idea of where it takes such data from.

That info is in the FRAM.

I've said this repeatedly but people don't like to read "hundreds" of pages: when Rigol first devised all of this (in the MSO5k and siblings), the vendor.bin and Key.data were only human representations of info that was in the FRAM. The scopes didn't do anything with the files per se.

So, they could work without the files present, and could even re-generate them...

The mess they did with the Android porting may have disrupted some of this but, in essence, it should be similar.
 
The following users thanked this post: egonotto

Online Fungus

  • Super Contributor
  • ***
  • Posts: 16854
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2758 on: June 08, 2024, 06:46:20 pm »
the key file is derived cryptographically from the serial number in vendor.bin but I don't know if we have the secret key to do it.
Unless you have inside info, there's no way to know that.

Why not random? Why not based in the MCU ID, the MAC address, etc, etc... Pick your number.

Because:

a) If you look at Key.data it starts with the text "brainpool", ie. they use RFC5639 elliptic curve cryptography. It's not random.

b) When you purchase keys they ask for your serial number so it has to be linked to that.
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3260
  • Country: pt
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2759 on: June 08, 2024, 09:30:20 pm »
a) If you look at Key.data it starts with the text "brainpool", ie. they use RFC5639 elliptic curve cryptography. It's not random.

b) When you purchase keys they ask for your serial number so it has to be linked to that.

a) Either you are being intellectually dishonest with me or you don't understand what you are talking about. When you say that the key is derived "cryptographically" from the S/N, what do you imagine that magic "cryptographic" operation might be? I know perfectly well what ECC is and how keys are generated. The magic operation (whatever you imagine it could be) that you were inferring would produce a key-pair from a S/N could be exactly the same one I was inferring would be used to create the key-pair from a random seed.

b)  :wtf: Why couldn't they ask you for the S/N if they had a database with all your purchase info indexed by S/N? Because that's how most of the other players do it.
 
The following users thanked this post: egonotto

Online Fungus

  • Super Contributor
  • ***
  • Posts: 16854
  • Country: 00
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2760 on: June 09, 2024, 07:59:54 am »
The magic operation (whatever you imagine it could be) that you were inferring that would produce a key-pair from a S/N could be exactly the same I was inferring that would be used to create the key-pair from a random seed.

What would be the point? To make life more difficult...?

Serial number is the simplest and doesn't require databases or any other infrastructure.

if they had a database with all your purchase info...

I'm not a corporation with a corporate account.
 

Offline Lathe26

  • Contributor
  • Posts: 27
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2761 on: June 22, 2024, 05:05:20 am »
I just network scanned what ports my oscilloscope had listening for connection on (ports 1-2000).  As expected the ports for FTP (21-22), HTTP (80), and HTTPS (8080) were listening for connections.

However, port 111 is also listening for network connections.  Google says that that is used for RPC (Remote Procedure Calls), but quick tests with `rpcinfo` didn't work.  Anyone have any ideas what this port is being used for?
 

Offline Fenstergucker

  • Contributor
  • Posts: 28
  • Country: at
    • Private Website
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2762 on: June 22, 2024, 05:55:52 am »
However, port 111 is also listening for network connections.  Google says that that is used for RPC (Remote Procedure Calls), but quick tests with `rpcinfo` didn't work.  Anyone have any ideas what this port is being used for?

Port 111 can be used to search for LXI or VXI instruments in the network. A broadcast is sent to the port via UDP and a TCP port is received in response for further communication via LXI or VXI/RPC.

Peter
 
The following users thanked this post: skench, Lathe26
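The discovery handshake Peter describes, written out as an added example (not code from the thread or from Rigol): an ONC RPC portmapper GETPORT query (RFC 1833 over RFC 5531) asking which TCP port the VXI-11 core program is bound to, built and parsed offline. The program number 0x0607AF is the standard VXI-11 DEVICE_CORE value; the reply bytes used in the test are constructed, not captured from a scope.

```python
import socket
import struct

# ONC RPC (RFC 5531) and portmapper (RFC 1833) constants.
PMAP_PORT = 111
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
RPC_CALL, RPC_REPLY, MSG_ACCEPTED, SUCCESS = 0, 1, 0, 0
IPPROTO_TCP = 6
# Standard VXI-11 DEVICE_CORE program number; not specific to this scope.
VXI11_CORE_PROG, VXI11_CORE_VERS = 0x0607AF, 1


def build_getport(xid, prog=VXI11_CORE_PROG, vers=VXI11_CORE_VERS, prot=IPPROTO_TCP):
    """Encode a PMAPPROC_GETPORT call with AUTH_NONE credentials and verifier."""
    header = struct.pack(">6I", xid, RPC_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth = struct.pack(">4I", 0, 0, 0, 0)       # cred flavor/len, verf flavor/len
    args = struct.pack(">4I", prog, vers, prot, 0)  # port field is ignored on GETPORT
    return header + auth + args


def parse_getport_reply(data, xid):
    """Decode a GETPORT reply; return the TCP port, or None if unregistered."""
    if len(data) < 28:
        raise ValueError("reply too short")
    r_xid, msg_type, reply_stat, _vflavor, vlen = struct.unpack(">5I", data[:20])
    if r_xid != xid:
        raise ValueError("xid mismatch: not a reply to our call")
    if msg_type != RPC_REPLY or reply_stat != MSG_ACCEPTED:
        raise ValueError("call was not accepted by the server")
    off = 20 + ((vlen + 3) & ~3)  # skip the opaque verifier body (XDR 4-byte padded)
    if off + 8 > len(data):
        raise ValueError("reply truncated")
    accept_stat, port = struct.unpack(">2I", data[off:off + 8])
    if accept_stat != SUCCESS:
        raise ValueError(f"accept_stat={accept_stat}")
    return port or None  # 0 means the program is not registered on this host


def discover(host="255.255.255.255", timeout=1.0):
    """Broadcast the query and collect (address, tcp_port) for each responder."""
    xid = 0x52494730  # arbitrary transaction id, echoed back by responders
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_getport(xid), (host, PMAP_PORT))
        try:
            while True:
                data, addr = s.recvfrom(1024)
                port = parse_getport_reply(data, xid)
                if port:
                    found.append((addr[0], port))
        except socket.timeout:
            pass
    return found


if __name__ == "__main__":
    for addr, port in discover():
        print(f"VXI-11 core on {addr}: TCP port {port}")
```

Only the UDP exchange on port 111 is shown; the TCP port it returns is where the VXI-11 core RPC program (create_link, device_write, device_read) actually talks.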

Offline shapirus

  • Super Contributor
  • ***
  • Posts: 1603
  • Country: ua
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2763 on: June 22, 2024, 10:49:07 am »
/rigol/tools/pmapService listens on port 111.

It's apparently some kind of portmap implementation. No idea where it forwards connections on that port to. A quick look at `strings pmapService` didn't reveal anything immediately obvious.
 

Offline Lathe26

  • Contributor
  • Posts: 27
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2764 on: June 22, 2024, 02:12:32 pm »
Thanks.

I just ran a complete TCP port scan (1-65535) and found a few more ports:
  • 5555 - a raw SCPI stream (e.g., just type in *IDN? and the scope will reply)
  • 20712 - no idea what this port does
  • 55555 - adb access

Any ideas on TCP port 20712?
 

Online vsantos90

  • Newbie
  • Posts: 9
  • Country: de
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2765 on: June 27, 2024, 10:17:59 pm »
I was looking for some way to create an image from the complete sdcard without opening the scope (I bought it one week ago, I don't want to have warranty problems so far), so I'll share the process that worked for me:

Code:
adb connect IP:55555
adb root
adb remount
adb pull /dev/block/mmcblk0 rigol-dho804.img

In the terminal, you should be able to see that the pull command shows some sort of buffer; it seems like there is progress and it gets stuck at some point.
But if you refresh the folder where the file will be persisted, and also click on the .img file Properties, you'll be able to see that the image file slowly increases in size.

The whole process takes about 2h.

This is the first time I'm doing a backup from an Android device from the adb, so I'm not totally sure if it worked. I'm considering that the image should be fine due to the size around 30GB.
For the next steps I will look for any way to mount this img in Windows or I need to buy a 32GB sdcard to flash it.
« Last Edit: June 30, 2024, 09:11:15 am by vsantos90 »
 
The following users thanked this post: sonic, Fungus, nas7

Online vsantos90

  • Newbie
  • Posts: 9
  • Country: de
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2766 on: June 30, 2024, 09:01:04 am »
As an alternative method, for those who prefer dd (linux fellows  :)), the method below also worked for me (I'm running Windows 11).

  • Install Cygwin: https://www.cygwin.com/?ref=itsfoss.com
  • All the binaries required are available from the standard Cygwin installation.
  • Add the Cygwin binaries to the Path variable (in my case the path is C:\cygwin64\bin)
  • Open a cygwin terminal and type the commands below:

Code:
adb connect ip:55555
adb shell su root dd if=/dev/block/mmcblk0 | pv -i 0.5 > dho804.img

The whole process takes about 2h (not different than the adb pull method).
After that you have a default image, so that you can hack your scope and still sleep in peace.
« Last Edit: June 30, 2024, 09:11:46 am by vsantos90 »
 

Online vsantos90

  • Newbie
  • Posts: 9
  • Country: de
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2767 on: June 30, 2024, 09:27:19 am »
Sharing information regarding alternative remote access to the scope.

There is an application called scrcpy which allows you to remote control the scope:
https://github.com/Genymobile/scrcpy

  • Download the application and unzip it
  • In a terminal, connect to your device: adb connect <scope_ip>:55555
  • Double click the scrcpy.exe application, at the previously unzipped folder

In my case, I have only the scope as a connected device, so scrcpy connects to it automatically.

I read in other posts that some users managed to modify the WebControl.apk to improve the resolution (amazing job btw).  :-+
I know that a "native" solution is always better than relying on third-party software, but maybe this scrcpy application can be an alternative for the people who are not interested or do not have much time to go deep into the apk modification topic. I attached a picture with the comparison.

Some pictures of what can be done (I'm using the Zone Launcher to avoid connecting a wireless keyboard/mouse to the scope):
« Last Edit: June 30, 2024, 01:22:49 pm by vsantos90 »
 
The following users thanked this post: mrisco, Romadm

Offline AceyTech

  • Regular Contributor
  • *
  • Posts: 194
  • Country: us
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2768 on: June 30, 2024, 11:31:43 pm »
Sharing information regarding alternative remote access to the scope.

There is an application called scrcpy which allows you to remote control the scope:

Thank you for sharing your findings.  Proof positive that giant threads like this without a summary page or decent moderators get unwieldy and TL;DR.  Things tend to circle back and "get discovered" again every month or two here.

Back in February and again in March, scrcpy was mentioned and they talked about pretty severe motion artifacts that makes it fairly unusable for some.  A forum search will reveal more if you're curious.

BTW, To newer scope owners: the stock WebControl app is not perfect, but it's pretty useful as-is, without hackin' about.  Try it out!


AndyBig's guide to upgrade/hack DHO scopes
 
The following users thanked this post: vsantos90

Offline mrisco

  • Regular Contributor
  • *
  • Posts: 66
  • Country: pe
    • Github repo
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2769 on: June 30, 2024, 11:41:34 pm »
Sharing information regarding alternative remote access to the scope.

There is an application called scrcpy which allows you to remote control the scope:
https://github.com/Genymobile/scrcpy

Perhaps by disabling the stock WebControl we could get better performance in ScrCpy.
DHO800-900 Extended UI: https://youtu.be/mT4ivaMY7zg
 

Online vsantos90

  • Newbie
  • Posts: 9
  • Country: de
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2770 on: July 01, 2024, 07:24:56 pm »
Sharing information regarding alternative remote access to the scope.

There is an application called scrcpy which allows you to remote control the scope:

Thank you for sharing your findings.  Proof positive that giant threads like this without a summary page or decent moderators get unwieldy and TL;DR.  Things tend to circle back and "get discovered" again every month or two here.

Back in February and again in March, scrcpy was mentioned and they talked about pretty severe motion artifacts that makes it fairly unusable for some.  A forum search will reveal more if you're curious.

BTW, To newer scope owners: the stock WebControl app is not perfect, but it's pretty useful as-is, without hackin' about.  Try it out!


AndyBig's guide to upgrade/hack DHO scopes

You're right, when I was reading the content from the previous pages I was looking for instructions to unlock the scope and didn't pay attention to the comments regarding scrcpy.
I saw in other forums that usually a list of useful things/bugs found is pinned on the first page or even in a separate topic. Especially for bugs such an approach would be very good.

The WebControl apk definitely isn't bad, nothing to complain about so far, but it doesn't allow me to control the scope. With scrcpy I'm able to access all the touch shortcuts I've configured with Zone Launcher, so I can navigate to the other apps I have installed or to the system settings and return to the scope application without a mouse/keyboard connected to the scope.
Regarding the latency, I see no difference from the WebControl at this point. However, the available h264 codec doesn't seem to be the most efficient one.
 

Offline GeorgeX

  • Newbie
  • Posts: 3
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2771 on: July 01, 2024, 11:18:53 pm »
Hello everyone. I'm a newbie here, so I am saying Hello.

I have had a DHO804 for a couple of weeks. The first thing I did was unlock it with the vendor file.  Everything went fine.
Second, I tried to install the modded sparrow.apk (early version 0.21), and this step did not go well.
The new apk did not want to install, but I had uninstalled the old one. Rigol stuck on the "rigol" screen.
Fortunately I had made a copy of the original file and I installed the previous version (original) back.
From that moment I often get stuck on the rigol screen, or a blank screen, or the rigol screen and then black without backlight.
At this time, I cannot connect via adb to the oscilloscope. Just like a brick. Sometimes (rarely) it boots normally.
I know in the original GEL file firmware there is sparrow.apk, but I don't know how to repack it. I thought I would install the original one when
Rigol boots up normally. Can someone tell me how to repack the GEL file? Or maybe other help?
For the record, Rigol has warranty void stickers and I thought not to remove them.
 

Offline mrisco

  • Regular Contributor
  • *
  • Posts: 66
  • Country: pe
    • Github repo
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2772 on: July 01, 2024, 11:31:20 pm »
At this time, I cannot connect via adb to the oscilloscope. Just like a brick. Sometimes (rarely) it boots normally.

Uninstalling Sparrow.apk should not affect your ability to connect using ADB. Perhaps it would be better to restore the backup of the card and start again from the beginning.
« Last Edit: July 01, 2024, 11:36:29 pm by mrisco »
DHO800-900 Extended UI: https://youtu.be/mT4ivaMY7zg
 

Offline GeorgeX

  • Newbie
  • Posts: 3
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2773 on: July 02, 2024, 12:08:37 am »
At this time, I cannot connect via adb to the oscilloscope. Just like a brick. Sometimes (rarely) it boots normally.

Uninstalling Sparrow.apk should not affect your ability to connect using ADB. Perhaps it would be better to restore the backup of the card and start again from the beginning.

I think the same. But I wonder how to do this without opening the case (warranty sticker), and unfortunately I haven't made a backup of the card.
 

Offline GeorgeX

  • Newbie
  • Posts: 3
  • Country: pl
Re: Hacking the Rigol DHO800/900 Scope
« Reply #2774 on: July 02, 2024, 10:31:15 pm »
Can someone share an SD card dump of a Rigol DHO804? I mean the stock version, made via adb.
Please.
 
