Hantek - Tekway - DSO hack - get 200MHz bw for free

[tinhead]

hehe i actually don't really worry

[SoftwareSamurai]

- i promised Han/Tekway to not create any new USB hacks
- i wish Han/Tekway will spend time on fixing firmware bigs and the SDK - and not on new protections only because i created another one USB hack for "lazy" ppl

Q. Does that mean the rest of us can't/shouldn't talk about the USB hacks?

[tinhead]

Q. Does that mean the rest of us can't/shouldn't talk about the USB hacks?

First of all for most ppl a DSO is a measurment device and they will use it for measurments.
However, a manufacturer can't stop ppl playing around, there will be always someone who will touch the hardware\firmware
and always someone talking about, so of course you can talk about it, why not.

You can be sure that this hack will not work forever, sooner or later Han/Tekway will change FPGA design or CPLD design
or even PCB design to provent hacks. For now all they can do was to change the software. If i release a new USB hack they
will again release new software protection - and to be very honest i think there are more important tasks on their to-do list
than new hack-protection.

The SDK was planned for end of January - not yet done, necessary firmware changes are bit buggy so they have to fix them first before SDK
can be released. Additionally Ethernet addon is planned (which is again a big change to firmware) - all these changes are
more important than a "hack for lazy ppl" - which USB hack is.

Someone who knows ARM architecture and familiar with Linux will not destroy DSO by "playing around",
more critical are let say "lazy ppl" who just don't know how to fix if something get wrong during hack.
The USB hack was maybe a good solution for the beginning, but there was also potential risk of device damage.
As i said, i could compile new USB hacks (12 pcs to cover all model changes), but this will increase the risk
(not only for beginners) - which is bad for manufacturer (warranty questions, bad statements about manufacturer and so on).

Therefore no USB hacks (except things which can't harm DSO, like fw-dump/fw-restore, Eth-enabler, whatever),

If you wish to hack buy a UART-> USB converter, learn about linux/vi, and hack via UART - or buy ARM JTAG and S3C2440
based board, backup DSOs NAND content over JTAG, restore to your S3C2440 dev board, hack there is restore back to DSO.

[SoftwareSamurai]

Yes, I do understand all of that. My question was more focused on the rest of us discussing USB modding (or modding in general) of these DSOs in this forum.

The reason I ask is because I'm a software engineer (over 20 years experience), I've got a DSO5102B and a USB TTL UART, I've been researching all of this for a little while now, and I'd like to document/discuss my findings with everyone here. But I just wanted to know what your policy was on others posting what could be considered...let's say "sensitive"...information regarding these DSOs. And when I saw your post saying that you promised not to post any more USB hacks, I thought it would be a good idea for me to ask first.

So tinhead, would it be okay with you if I were to start a new thread discussing in detail these DSO's internal workings (with some info regarding USB modding) and modding in general?

[tinhead]

But I just wanted to know what your policy was on others posting what could be considered...let's say "sensitive"...information regarding these DSOs. And when I saw your post saying that you promised not to post any more USB hacks, I thought it would be a good idea for me to ask first.

So tinhead, would it be okay with you if I were to start a new thread discussing in detail these DSO's internal workings (with some info regarding USB modding) and modding in general?

sure, but no issue at all. You can open a new thread or use this one (maybe even better) to discuss modding/internal things.

[tinhead]

So let's start other mods with Ethernet-addon schematics.

Attached working schematic (as pdf). There is nothing special except the RJ45 jack which can be

- Tyco 1888250-1 with LEDs (PCB mounted with Harwin Spacers R30-3001102 and double size 2mm pitch header)
[DK A98526-ND, DK 952-1502-ND]
or
- Tyco 5406298-1 without LEDs (PCB mounted with Harwin Spacers R30-3001502 and tripple size 2mm pitch header)
[DK 5406298-1-ND, DK 952-1506-ND]

The PCB itself is 70x62mm, screenshot of dimenssions for PCB with Tyco 1888250-1 RJ45 jack.

RJ45 jack is mounted on bottom side, it is a bit tricky due the fact that there is almost no space (1-3mm, depends on jack)
between jack and RAM on the DSO PCB. Everything else is on top of the PCB (of course except 2mm header) to
reduce EMI (bottom full grounded). The best would be 4layer PCB, but it works with 2layers too.

As the HanTekway DSO have already pre-compiled CS8900A drivers all we have to do is to edit
the /etc/init.d/rcS (just add these line before "/etc/rc.d/init.d/hotplug start" line)

insmod /dso/driver/dso-cs8900.ko
/sbin/ifconfig lo 127.0.0.1
/dso/app/setnet 00:11:38:33:44:55 1.2.3.4

where 1.2.3.4 is the IP address which will be used by DSO

and add this line before "/dso.exe" line

/etc/rc.d/init.d/netd start

This will load the CS8900A driver and start inetd with ftp and telnet enabled.
For FTP you wil of course login first time over telnet add add a user, e.g.
adduser myftp

The "/dso/app/setnet" is HanTekway compiled tool to make the network configuration easier,
however you can of course use ifconfig if you like it.

[SoftwareSamurai]

Okay, I'd like to share some info regarding the USB Update Firmware.

Note: All my work has been done using my Hantek DSO5102B w/ v2.06.2(101108.0) firmware.

While testing out the USB Update Firmware functionality (and how much I can do with it via the update script), I suddenly hit a wall where the Update Firmware would always fail (error 0xf7) no matter what I did. After tracking it down, I discovered that I had left a CTRL-M (CR) at the end of the logotype.dis file. (Obviously I had attempted to replace the file with one edited on my PC, which uses CR+LF instead of just LF.)

So the Update Firmware is scanning certain files for CTRL-M characters, and if it finds any, it will abort the update process with error 0xf7.

Here's the result of my testing of some files:
   sys.inf - not checked (probably because it's re-created after each successful update)
   tmpdst - not checked (also appears to be re-created after each successful update)
   logotype - not checked (ditto)
   logotype.dis - checked!
   upend - not checked
   update - checked! (but apparently no other files in the tekwayup_client directory are checked)

There may be other files scanned. These are just a few that I've tested directly.

Cheers!

[tinhead]

if you download the fw_backupV3.zip you will see what is always needed to allow an update,
in principle it is only the logotype.dis which need to be present in firmware file
and the content must match the content of logotype.dis in DSO root directory.

The CR+LF issue is just because the firmware update procedure does string compare.

If you decompile dso.exe you will see the "magic" arround ubdb.swi, logotype.dis,
ucUpdateType, ucSysType, ucSysBrand and ucUpdateBrand
- just look for UpdateSysFiles procedure.

[SoftwareSamurai]

if you download the fw_backupV3.zip you will see what is always needed to allow an update, in principle it is only the logotype.dis which need to be present in firmware file and the content must match the content of logotype.dis in DSO root directory.

I started my experimenting using one of those backup .up files. Eventually I ended up boiling it all down to just the upend file and the update file. I found that I was able to do just about any shell command in the update file. That's why I started experimenting with the USB Update Firmware feature. In fact, one of the first things I did was to do a complete copy of / onto a 4GB thumbdrive (not including things like /dev or /proc, etc).

The logotype.dis file I was referring to is the one located in the root of the main filesystem (/logotype.dis). If that file has a CR in it, the update will fail.

The CR+LF issue is just because the firmware update procedure does string compare.

Apparently so. I guess the string compare includes the LF at the end of the line(s), and fails when it has CR+LF at the end of any line.

If you decompile dso.exe you will see the "magic" arround ubdb.swi, logotype.dis, ucUpdateType, ucSysType, ucSysBrand and ucUpdateBrand - just look for UpdateSysFiles procedure.

Well I haven't gotten to the point of decompiling dso.exe. I've just been experimenting with the update feature. But now that I've got my UART connected and working, it's much easier to "debug" when the update fails.

On your previous subject - I'm looking forward to the Ethernet add-on. I think that would be an excellent "upgrade" for these scopes!

[SoftwareSamurai]

Q. What's the file format for the .ico files? (e.g. hantek_DSO5202B_mid.ico) Anyone know? It looks like a .png or RGB format to me.

[tinhead]

Q. What's the file format for the .ico files? (e.g. hantek_DSO5202B_mid.ico) Anyone know? It looks like a .png or RGB format to me.

just like typical 8bit bmp (without header so yes only RGB data), BGR, LSB first. The actual data starts on 8 bit position of the file, the first and second positions are bitmap size (e.g. samll icons from icon dir have 14h 00h = 20 pix large).

So the hantek_DSO5202B_mid.ico is 497pix.

EDIT: byte 4h have afaik transparency information stored, so if you wish to replce picture manipulate only the data starting from 8h

[RFman]

Hi all,

I was about to purchase a Tekway DST1202 from a trader in China. But when the trader asked the manufacturer about supplying a Australian 240V power plug, he was told that they now don't supply Chinese traders with English menu oscilloscopes, they would only supply him oscilloscopes with Chinese menu. He was told this was to protect their overseas agents. He indicated that Hantek also wouldn't supply oscilloscopes with English menu.

I wonder if China have a Trade Practice Act (law), isn't that restricting free trade.

A search on Ebay didn't find any Tekways.

Does anyone know where a Hantek or Tekway DST1202 or DST1102 can be purchased for a reasonable price.

Thanks for your help.

[SoftwareSamurai]

Does anyone know where a Hantek or Tekway DST1202 or DST1102 can be purchased for a reasonable price.

What do you consider a "reasonable price"?

[pgup62]

Our prices (Elec3i) are the best in Europe, and for Australia, shipping costs from France are a bit expensive, but perhaps we can support half price for shipping. I can inquire Hantek to dropship to you . Although the pins on the Chinese plug are 1 mm (0.039 in) longer, the Australasian plug can be used with mainland Chinese socket, but contrary is not so sure, we must investigate about this.

[saturation]

But if they sell it to you, that isn't restricted, isn't it?  Seems like if you buy a Chinese product in China, why should they supply English or any other non-Chinese instructions?

Hi all,

I was about to purchase a Tekway DST1202 from a trader in China. But when the trader asked the manufacturer about supplying a Australian 240V power plug, he was told that they now don't supply Chinese traders with English menu oscilloscopes, they would only supply him oscilloscopes with Chinese menu. He was told this was to protect their overseas agents. He indicated that Hantek also wouldn't supply oscilloscopes with English menu.

I wonder if China have a Trade Practice Act (law), isn't that restricting free trade.

A search on Ebay didn't find any Tekways.

Does anyone know where a Hantek or Tekway DST1202 or DST1102 can be purchased for a reasonable price.

Thanks for your help.

[rf-loop]

Tekway


USD 580 and free shipping in this store in mainland China: Store http://www.aliexpress.com/fm-store/312788


(I have also talk in phone with this store man "Mr Pioneer Huang" But I did not buy becouse I find more economy solution (not only one scope))

Scope in this store http://www.aliexpress.com/product-fm/414433064-DHL-Free-Shipping-Tekway-DST1102B-Oscilloscope-2channels-100MHz-1GSa-s-7-TFT-16-digit-color-800-wholesalers.html


In Ali you can also chat with seller and this seller also answer phone if you want check for security. (you ask his phone if you need)
Also you can buy with safe system (seller get money after you get scope - but you send money first...)
This seller write quite good english.

And also you can select with same price Hantek or Tekway (100MHz)
MOQ = 1pcs
price USD580
Shipping = Free by DHL (and I think also to Australia)

Power cord... normal power plug in scope end ... just as nearly all equipment you can buy compatible power cable in your country.
China normal electric is 50Hz 220 - 230Vac. (only what chance is this cable wall end, scope end is always same)

With same price my own opinion is "buy Tekway" mut this is only my opinion.

Also you can use PayPal
There is also Escrow (littlebit more safety) system between you and seller.

[RFman]

Thanks rf-loop and all for your help.

Mr Pioneer Huang was one of the Chinese traders who said that he only had Telway oscilloscopes with Chinese Menu (display). Another Chinese trader said that both Tekway and Hantek would now only supply him with Chinese Menu oscilloscopes. And that the reason was to protect their overseas agents. It was only when he talked to the manufacturers that he found this out.

Maybe it looks as if purchasing oscilloscopes from China is impossible if you want a Tekway or Hantek English menu (display) oscilloscope.

When I say a English Menu, I mean the display on the oscilloscope, not the user instructions as I should be able to download that from the internet.

Is this restricting free trade? I would say yes because you can't purchase a English display oscilloscope from a Chinese trader, you have to go through the manufacturer's agents in another country. Maybe someone who lives in China may want a English Menu display.

Question, will the hack also fix the language problem if there is a command to change the language?

Thanks all for your help.

[tinhead]

RFman

why you just don't red this thread ? The only difference is the enclosure, so if you can work with chinese fron panel
buy in china - the firmware (so that what will be displayed ) can be changed to one of the supported languages.

[project]

I finally got time to mod my 5102 today. problem for me is I don't have rs232-ttl/cmos adapter or arm jtag adapter in hand. Spend few mins to figue out that i can build those adapter by myself without waiting shipping. while digging parts, I found a board from a tape library has a max232 with one set rs232-ttl ports not been used, this make thing more easy, get proper cable/wire and connecor, open up DSO, and connect to computer.While DSO booting hit Crtl-C then go into shell, then just did as Tinhead's first post, after reboot with a caliberation, a 200Mhz bw reborn. Copy .ico for 5202 to /logo without delete old 5102 .ico, make thing more perfect.

I check the power board, The reserve fan connector has a dedicated 12v power supply(7812). But I would like the fan run less speed, I connect the fun to 5v on board, not even can hear fan noise.

And next thing is obtain newer firmware, 2.06.2 has few bugs.

Thanks Tinhead again.

[tinhead]

I check the power board, The reserve fan connector has a dedicated 12v power supply(7812). But I would like the fan run less speed, I connect the fun to 5v on board, not even can hear fan noise.

replace the 7812 by 7805, it is oly dedicated for fan, so no big deal - and of course less stress for the 5V on main PCB.

[project]

replace the 7812 by 7805, it is oly dedicated for fan, so no big deal - and of course less stress for the 5V on main PCB.

That's what I'm gonna to do, but not now.

[Igor]

Question, will the hack also fix the language problem if there is a command to change the language?

See my questions on Tekway DST1102 in the Chinese version of Tinhead, and answers, starting with # 212 in this forum thread.


Pages Tekway and Hantek in the English version from Aliexpress :
http://www.aliexpress.com/fm-store/312788/210894552-414442182/DHL-Free-Shipping-Tekway-DST1062B-Oscilloscope-2channels-60MHz-1GSa-s-7-TFT-16-digit-color-800.html

http://www.aliexpress.com/fm-store/312788/210894552-414433064/DHL-Free-Shipping-Tekway-DST1102B-Oscilloscope-2channels-100MHz-1GSa-s-7-TFT-16-digit-color-800.html

http://www.aliexpress.com/fm-store/312788/210894552-414455314/DHL-Free-Shipping-Tekway-DST1202B-Oscilloscope-2channels-200MHz-1GSa-s-7-TFT-16-digit-color-800.html

http://www.aliexpress.com/fm-store/312788/210894552-414452263/DHL-Free-Shipping-Hantek-DSO5062B-Oscilloscope-2channels-60MHz-1GSa-s-7-TFT-16-digit-color-800.html

http://www.aliexpress.com/fm-store/312788/210894552-414451305/DHL-Free-Shipping-Hantek-DSO5102M-Oscilloscope-2channels-100MHz-1GSa-s-7-TFT-16-digit-color-800.html

http://www.aliexpress.com/fm-store/312788/210894552-414454351/DHL-Free-Shipping-Hantek-DSO5202B-Oscilloscope-2channels-200MHz-1GSa-s-7-TFT-16-digit-color-800.html

Surprisingly, Aliexpress to describe instruments quoted Tinhead (see first post in this thread):

" What inside Tekway DST1xxxB:
4 x AD9288 ADCs (yes, for 1GSs overclocked to 125MHz in 8ns, 4ns and 2ns time base - like Instek GDS1102A)
2 x AD8370 amps (750MHz bw - input stage like Rigol)
2 x LMH6552 amps (1.5GHz bw - input stage like Rigol)
ADCMP562 ECL comparator (for trigger)
Altera Cyclone III FPGA (ADC sampling control and data acquisition)
Altera Max II CPLD (long/short memory management - copy protected)
Samsung S3C2440 (user i/o, UI interface, TFT control)
EEPROM with s/n
some NAND, SRAM and SDRAM memory and of course bunch of other things (no cheap parts which is good)"

Tinhead, You need to receive royalties!  

[rf-loop]

Thanks rf-loop and all for your help.

Mr Pioneer Huang was one of the Chinese traders who said that he only had Telway oscilloscopes with Chinese Menu (display). Another Chinese trader said that both Tekway and Hantek would now only supply him with Chinese Menu oscilloscopes. And that the reason was to protect their overseas agents. It was only when he talked to the manufacturers that he found this out.

Oh sorry, this time when I ask, he promise english text on the scope face (international model) and I ask many times just this becouse neraly all what I find in china sellers they have chinese version. (just as his picture for Tekway show it is english labeled front panel) So, my information is now "old". (it was around 2-3 weeks ago I ask by chat and also by phone) Also I ask both, Hantek and Tekway.

[tinhead]

the pictures on aliexpress (Tekway) are from someone else, actually from mala-electronic Tekway review,
https://www.eevblog.com/forum/index.php?topic=1571.msg31659#msg31659
so you should ask the seller about the real fron panael language before you buy.

You can even see on the picture below "Package List: all you see are what you buy!" a nice self-burned DVD with Germans
user manual - from pinsonne-electonic.de.

There is one thing you have to know, due the manufacturers restrictions these DSOs would have no manufacturer warranty outside china,
so if can live with that then aliexpress is right for you (even DOA warranty will be on your own cost). It have nothing to do with distributor
protection, is have only something to do with user satisfaction (if you add the express shipment fee to the aliexpress price and TAX you
will see there is alomost no difference in price - compared aliexpress Hantek 60Mhz and Elec3i price within EU is only 30EUR diff, but full warranty).




Btw, the first revision of Tekway DSOs have dark blue "Tekway logo" and gray model name - the sticker above display,

like this one : https://www.eevblog.com/forum/index.php?topic=1571.msg33560#msg33560

-  most chinese sellers on Taobao will have the first revision.

the second revision (with not soldered jtag and i/o header but with heatsinks on ADCs and FPGA) have
black model name and light blue logo (like from mara-electronic review)

[Bored@Work]

Be very careful with buying via Alibaba, whatever their name of the day is (Aliexpress, Taobao, ...).

Recently the shit hit the fan as it turned out that at least 2300 fraudulent "gold sellers" (think organized crime) managed to setup shop there, and - this is the worst part - with the help of around 100 Alibaba employees. Alibaba management looked away for two years before they couldn't deny it any more and two managers were made the fall guys. Alibaba and the 2300 thieves ...

If you think Alibaba is squeaky-clean now, and they got rid of all their criminal employees and sellers, well, just Google "Alibaba fraud". It goes on and on and on.