Re: RIGOL 100MHz Hack (DS1052E --> DS1102E) Verified for Firmware 2.04


RIGOL 100MHz Hack (DS1052E --> DS1102E) Verified for Firmware 2.04

Postby IPenguin » Sat Jul 24, 2010 10:07 pm

I am not sure if this board is the right place to post this but then I got inspired by RJSC's post in the hardware biz section/"distributors be aware" thread on this board in which he "complained" about RIGOL Technologies selling the same digital storage oscilloscope in a 50MHz version (DS1052E) and a 100MHz version (DS1102E) - hardware and firmware are identical, just a few configuration bytes and the model sticker are different (see discussions on the EEVblog.com and RCGroups.com boards and on the hackaday.com site) - so here I go.

After watching David L. Jones' video blogs #70 and #77 on EEVblog.com and since I had planned on buying a low-cost DSO for some time anyway and a local distributor had an attractive summer special, I ordered a RIGOL DS1052E and applied the hack within one hour after unboxing the unit.

The DS1052E came with the new software Ver. 2.04 that prevents the hack from being applied directly (by disabling the model and serial number modification SCPI commands that had been used to perform the hack via RS-232 or USB with earlier software versions). So I downgraded the software to Ver. 2.02 SP2 first (as described by David in his blog #70) and then executed the actual hack (as described by David in his blog #77) successfully.

I have written up a detailed summary of how I executed the hack and share it as a PDF document attached below
- to oppose rumors being spread that the hack can not be performed anymore on DS1052Es sold lately (with software Ver. 2.04) - documentation accompanying my unit suggests that it was shipped from China on or after June 19, 2010 (so there is no guarantee that the hack will work on other units shipped earlier or later)
- to document the exact steps of how I applied the hack and to share this information with whoever may be interested
- to make all looking into buying "cheap" DS1102Es from "unknown" sources (non-official RIGOL distributors/resellers) aware of the fact how easy it is to hack a DS1052E into a DS1102E ... and the likelihood of some "black sheep" jumping on this bandwagon and trying to mod and relabel DS1052Es and resell them as DS1102Es ;)
- but not to encourage anyone who would not try the hack anyway - rather to help those who will attempt the hack anyway to stay clear of some not so obvious pitfalls (I spent a few hours watching David's blogs, reading the various posts on the sites mentioned above and RIGOL docs before I felt confident that I would be able to apply the hack and ordered the unit)

There is no certainty that RIGOL does not use selected components/assemblies for the 100MHz DS1102E models but it appears rather unlikely. On the above mentioned boards owners of DS1102Es have compared markings of critical components (ADC, memory chips etc) with the markings on the same components in DS1052Es and found no significant differences (except between different revisions or assemblies). On the other side there is no guarantee as well, that the hack can be applied to all DS1052Es and that units will work properly after the hack has been applied. In any case the hack will void the manufacturer's warranty!

In my opinion the Rigol DS1000E series DSOs (still) offer the best value for the money in their class. With prices dropping below US$ 400 for the DS1052E (including national shipping and a carrying case - however, not the original RIGOL case) they open up new possibilities for students, hobbyists and professionals that were out of reach before ... I am about to ban the rather cumbersome Hameg and Tektronix analog scopes from the lab but I will keep them as in some cases there is nothing that can beat a good analog scope ;)

After I found and looked at the D model firmware (comes in the same software update packages as the firmware for the DS1052E) I have ordered a DS1052D (basically the same as a DS1052E but with an integrated 16-channel logic analyzer) and will check if the hack will work on this model, too (essentially attempting to hack a DS1052D into a DS1102D) ... most distributors have special "summer break" offers atm with discounts ranging from US$ 100 to US$ 300 or even more depending on the models ...

/EDIT/

As of software/firmware version 00.02.04.00.03 it is no longer possible to downgrade with standard RIGOL firmware packages to a version that will allow the hack (you can see the full firmware version by checking via the Utility --> System Info screen)! You will need a modified firmware image or modify the version number in an original image with a hex editor yourself!

See polossatik's "changing the rigol DS1052E to DS1102E using USB , the dummy guide" for details and a safer procedure to perform the hack via the USB port!

- 07/27/2010 - Update to rev. 1.01 - added using Notepad to prepare the strings and then copy&paste them to HyperTerminal.
- 08/01/2010 - Added an addendum for using Hercules SETUP Utility instead of Hyperterminal
Attachments
RIGOL_DS1051E_2_DS1102E_Hack_1_01.pdf
(365.21 KiB) Downloaded 4648 times
Last edited by IPenguin on Thu Aug 12, 2010 11:48 pm, edited 1 time in total.
IPenguin
Global Moderator
Posts: 430
Joined: Mon Nov 16, 2009 3:16 am

Re: RIGOL 100MHz Hack (DS1052E --> DS1102E) Verified for Firmware 2.04

Postby rsdio » Sun Jul 25, 2010 2:23 am

Note the Extended temperature Bus Pirate announced on July 20.  This is an over-spec'd Bus Pirate which exists simply because supply of the "normal" chip was limited, and thus a run of "extended" boards was made.  Even on production runs as small as DP's, there's no guarantee that availability won't alter the available chips.

Just because some DS1052E models appear to have full-spec DS1102E chips doesn't mean that every one of them will.  Maybe RIGOL got a deal on the faster chips and just put them in all products.  Or, maybe the slower chips were unavailable, and they decided to continue production rather than hold up sales.  At any moment, supply and availability could cause the parts on the DS1052E to drop below the 100 MHz capabilities, and you'd have no easy way of finding out what parts to change.

Also, there could easily be quality differences in the parts that are not clearly marked.  Then again, if you're happy paying for a 50 MHz scope and trusting that it is accurate at 100 MHz, then have fun!
Last edited by IPenguin on Tue Jul 27, 2010 9:25 am, edited 1 time in total.
rsdio
Developer
Posts: 1404
Joined: Sun Feb 28, 2010 10:53 pm
Location: Seattle

Re: RIGOL 100MHz Hack (DS1052E --> DS1102E) Verified for Firmware 2.04

Postby Sjaak » Sun Jul 25, 2010 4:26 am

Nice tutorial!

I agree with rsdio that there is a chance that a particular batch won't perform to the max. This makes the hack only usable for the hobbyist.
Sjaak
Fellow
Posts: 3035
Joined: Sun Jan 03, 2010 2:45 pm
Location: Hiero

Re: RIGOL 100MHz Hack (DS1052E --> DS1102E) Verified for Firmware 2.04

Postby rct » Sun Jul 25, 2010 11:28 am

This is a very nicely done guide.  However I think it's missing an important caveat

It appears from the behavior people have seen, the rigol isn't doing any processing of the serial input, it appears to be copied directly to memory, with no bounds checking. There is no editing. If the user makes a mistake and hits backspace, the local echo will make it look like it worked, however, a backspace character will get stored in memory. So for each "mistake" that gets backspaced over and corrected, the serial or model string will be two bytes longer! It's not clear what the effects of overflowing the model / serial number strings are, but I think it's best to avoid it.

Ideally people would use a serial terminal that is better suited to hardware hacking like Hercules, Realterm, bray++ where you can have more control.

Alternatively I would at a minimum suggest that they type the string someplace else like notepad and then copy & paste it when they are sure it is correct.
rct
Full Member
Posts: 115
Joined: Tue Mar 02, 2010 5:26 pm
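The failure mode rct describes (every byte, backspace included, is stored until the LF commits the line, so an edited line ends up longer than the local echo shows) can be checked for on the host side before anything is pasted into a terminal. The following is an added example, not code from this thread, from the guide, or from any Rigol tool: the 64-byte field limit is an assumption for illustration rather than a documented Rigol value, the keystrokes are constructed, and no scope command is included.

```python
import string

# Assumption: an illustrative field limit, not a documented Rigol value.
MAX_FIELD_LEN = 64
BACKSPACE = 0x08

# Printable ASCII only: a line that will be pasted into a terminal must not
# carry control characters, because the observation above is that the device
# stores them verbatim instead of interpreting them.
_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def stored_as_typed(keystrokes: bytes) -> bytes:
    """Model of the behaviour rct describes: the device copies every byte it
    receives, backspace included, so the stored line equals the raw keystrokes."""
    return bytes(keystrokes)


def shown_by_local_echo(keystrokes: bytes) -> bytes:
    """What the terminal's local echo shows the user: a backspace appears to
    remove the previous character, hiding the extra bytes in the stored line."""
    shown = bytearray()
    for b in keystrokes:
        if b == BACKSPACE:
            if shown:
                shown.pop()
        else:
            shown.append(b)
    return bytes(shown)


def hidden_extra_bytes(keystrokes: bytes) -> int:
    """Bytes stored beyond what the user sees: two per corrected mistake
    (the wrong character plus the backspace itself)."""
    return len(stored_as_typed(keystrokes)) - len(shown_by_local_echo(keystrokes))


def prepare_line(text: str, max_len: int = MAX_FIELD_LEN) -> bytes:
    """Validate a line prepared in an editor before pasting it into a terminal.

    Rejects anything that is not printable ASCII (so no stray backspaces or
    other control characters), enforces a length limit, and guarantees exactly
    one LF terminator, since the LF is what commits the line on the device.
    Raises ValueError rather than returning a line that would be stored wrongly.
    """
    body = text.rstrip("\r\n")
    bad = [c for c in body if c not in _PRINTABLE]
    if bad:
        raise ValueError(f"control or non-ASCII character(s) in line: {bad!r}")
    if not body:
        raise ValueError("empty line")
    if len(body) > max_len:
        raise ValueError(f"line is {len(body)} bytes, limit is {max_len}")
    return body.encode("ascii") + b"\n"


def line_is_safe(text: str, max_len: int = MAX_FIELD_LEN) -> bool:
    """True if prepare_line() would accept the text, False otherwise."""
    try:
        prepare_line(text, max_len)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed keystrokes: the user types "AC", backspaces, then types "BC".
    typed = b"AC\x08BC"
    print("shown :", shown_by_local_echo(typed))   # b'ABC'
    print("stored:", stored_as_typed(typed))       # b'AC\x08BC'
    print("hidden:", hidden_extra_bytes(typed))    # 2
    print(prepare_line("ABC"))                     # b'ABC\n'
    print(line_is_safe("AC\x08BC"))                # False
```

The two simulation functions exist only to make the discrepancy visible; the check a user actually wants is `prepare_line()`, run on the text copied out of the editor, so that a pasted line is known to contain only printable characters and a single terminator.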

Re: RIGOL 100MHz Hack (DS1052E --> DS1102E) Verified for Firmware 2.04

Postby rct » Sun Jul 25, 2010 11:44 am

Sjaak wrote: I agree with rsdio that there is a chance that a particular batch won't perform to the max. This makes the hack only usable for the hobbyist.


I'd suspect it might even vary from unit to unit and that they sort and then "badge" the assembled units after testing their performance, just like processors and other parts.

(I had known about the way processors' clock speeds are selected as a result of testing for a long time, but hadn't thought about it applying to something as simple as a resistor. Ian's recent post made that really click for me.)

* http://dangerousprototypes.com/2010/07/01/actual-values-of-10-tolerance-resistors
rct
Full Member
Posts: 115
Joined: Tue Mar 02, 2010 5:26 pm

Re: RIGOL 100MHz Hack (DS1052E --> DS1102E) Verified for Firmware 2.04

Postby IPenguin » Sun Jul 25, 2010 12:17 pm

@rsdio: Even though Ian called it "Extended Temperature BusPirate" there was never one - the extended temperature PIC 24FJ64GA002-E/SS MCU doesn't make the whole BusPirate extended temperature conformant, in particular not if none of the other components used on the board meet extended temperature specs.

Ian wrote: ... The E chips are rated for -40c to 125c, compared to -40c to 85c with standard industrial chips. In practical terms this doesn't mean anything because another component might not like higher temperatures, and internal oscillator doesn't allow for overclocking. ...


The headline was a neat eye-catcher, so. :)

I can see why you used the "Extended Temperature BusPirate" example as a lead-in for what I think are arguments against hacking 50 MHz DS1052Es and against trusting the hacked units to conform with the specs of the 100MHz DS1102Es. Even though I agree that professionals should not (and for good reasons will not) hack DS1052Es and trust the hacked units to comply with DS1102E specifications I am inclined to say that the example of the "Extended Temperature BusPirate" would rather be an argument for the hack than against it - at least for hobbyists who have looked into the details of the DS1000E series design and what the hack actually does ;)

Until the last model update in 2008 Mercedes-Benz used to sell an ML280CDI model and an ML320CDI model ... both had absolutely the same engine (6-cylinder, 2987ccm) - actually they were identical cars (when ordered/manufactured with the same extras/configuration) but for the ML280CDI's fuel injection control system using different parameters that reduced the max power by 25kW (and the max. torque by 70Nm) compared to the ML320CDI - throttled by a few different bytes in the firmware - production cost was the same but the ML280CDI sold for a few thousand EUR/US$ less than the ML320CDI.

This is not the only case of a product series that has been designed and was/is being manufactured to the specs of models of the same product line with higher performance and more features that get throttled/limited after quality control, then get labelled/branded differently and are sold as (performance- and feature-wise) lower ranking models of the line or a different brand at lower prices. Actually this practice is rather common in the food, cosmetics and many other (technical and non-technical) markets.

The Blackfin DSP, the ADC, the memory, all "clocked" components run at the same frequency in the DS1052E and in the DS1102E ... essentially both models require components that meet the same specs. 

Anyway, I never intended to encourage anyone to hack a DS1052E into a  DS1102E. For this I made absolutely no statement if and how well a hacked DS1052E would meet the specs of a DS1102E. As a matter of fact this can only be established through a rather complex test and verification process that would have to be conducted for each (hacked) unit and would cost many times more than a brand new 100MHz DS1102E or even a 300MHz DSO (unless the test/calibration would be performed using the specific test/calibration process developed by and the equipment in place at the manufacturer).

The hack is known on the English speaking internet for at least 5 months now and to some people most likely for much longer. My reasoning for trying out the hack, documenting the procedure and making the document available was neither driven by jumping on a rolling bandwagon nor by the idea to get my hands on a cheap 100MHz DSO. Quite the opposite:

a) I was confused by RJSC's comment in the "distributors beware" thread:

I just feel that we're being completely ripped-of when something like this is discovered: http://hackaday.com/2010/03/31/update-5 ... onversion/


and similar comments I read on some other boards. In my opinion such comments do great injustice to the manufacturer and distributors.

b) I was going to buy a low-cost 50-100MHz/1MSps DSO for evaluation purposes anyway - actually to tear it apart and dissect it for inspiration (I told Ian about it a few months ago ;) - so I got the DS1052E and applied the hack for a start of the torture to come - the unit won't be in a condition to use it for professional lab work afterwards anyway :D

c) I started reading the relevant threads on the EEVblog.com and RCGroups.com boards and got even further confused (and more) - not about the details I learned about the general DS1000E design (it's a great design) but about certain less technical but rather "political/ideological" posts that appeared after the word was out and the obvious and less obvious consequences that false information spread and accusations made will bring along:

- once the word is out and spreading there is no real way of closing the lid again except by replacing the product with a different or modified design - in some way the manufacturer attempted this by shipping the units with a new firmware that disables the direct entry for the hack.
- people started accusing/taunting the manufacturer of/for making the hack so easy or even worse, accusing the manufacturer/distributors of ripping off the customers with the higher price for the DS1102E while others called him stupid (in my eyes, rather emotional and unjustified assertions).
- some people even started to spread false information about how the hack should be performed
- quite a few people bought DS1052Es and attempted the hack - many succeeded (I am neither saying their DS1052E perform to the DS1102E specs after they hacked them nor do I claim they don't), quite a few failed, some because of false information that has been spread.
- some of those, who have contributed to the hack, even altered their position for what appears to be rather emotional than technical reasons.
- nothing can really stop those who have decided to attempt the hack from actually performing it except the lack of access to a hackable unit ... and truthful information that may lead to understandable/acceptable arguments against performing the hack

d) all this made me even more curious and since I was going to take the unit apart anyway, I decided to apply the hack first and make the protocol available
- to give those who are confused by the ongoing discussion but will attempt the hack anyway a guideline of how I applied the hack to a fairly new unit without running into any problem ... just imagine some high school kids who have saved up money for a DSO, learned about the hack, get a DS1052E, try to apply the hack and brick it. Hardly anything will stop them once they have decided to do it. However, if they read my protocol and it helps them to evade the pitfalls or it makes them think twice after reading the warnings and not hack the unit or at least learn something from it then it has served its purpose.
- for the other reasons given in my first post.

I agree with rsdio and Sjaak that no professional should under any circumstances apply the hack to units that will be used for development, testing, validation etc. of any commercial products/equipment.

P.S. No worries, there will be no cars, motorcycles, trucks, planes, helicopters, ships, manufacturing or any medical/life-critical equipment that will have circuitry designed/tested with the help of a DSO hacked by me.
Last edited by IPenguin on Mon Jul 26, 2010 3:26 am, edited 1 time in total.
IPenguin
Global Moderator
Posts: 430
Joined: Mon Nov 16, 2009 3:16 am

Re: RIGOL 100MHz Hack (DS1052E --> DS1102E) Verified for Firmware 2.04

Postby IPenguin » Sun Jul 25, 2010 1:06 pm

rct wrote: ... It appears from the behavior people have seen, the rigol isn't doing any processing of the serial input, it appears to be copied directly to memory, with no bounds checking. There is no editing. If the user makes a mistake and hits backspace, the local echo will make it look like it worked, however, a backspace character will get stored in memory. So for each "mistake" that gets backspaced over and corrected, the serial or model string will be two bytes longer! It's not clear what the effects of overflowing the model / serial number strings are, but I think it's best to avoid it.

Ideally people would use a serial terminal that is better suited to hardware hacking like Hercules, Realterm, bray++ where you can have more control.

Alternatively I would at a minimum suggest that they type the string someplace else like notepad and then copy & paste it when they are sure it is correct.


Agreed & thank you for the suggestions ... I will at least add a stronger warning regarding not to edit strings within HyperTerminal and instructions on how to prepare the strings in notepad and copy&paste them to HyperTerminal.

Actually I mistyped the model number but noticed it before sending LF (010). I just switched the unit off and back on and the model number had not changed. It's the LF that initiates the previous string to be written to memory! Hercules may actually be the safest freely available utility to use for the RS-232 hack (except for using the hack via the USB port) as you can prepare up to 3 strings before actually sending them. I am not sure if I should alter the report/summary from using HyperTerminal to Hercules, so. Many people will be inspired by David's two video blogs and may be inclined to rather follow the procedure as presented by David ...

rct wrote: I'd suspect it might even vary from unit to unit and that they sort and then "badge" the assembled units after testing their performance, just like processors and other parts.

I'd say the whole subject is too sensitive for guessing and suspicions - at least when it comes to the use of DSOs in professional projects. We know the hack works (on all units that are based on the same design/hardware revision with the proper firmware installed) and we can be sure that there will be variances for critical parameters between different units that require compensation/calibration. What is not known in general, what the vast majority will never be able to verify and what those who have the equipment and the expertise to verify will most likely never attempt (because it will be far too expensive and/or time consuming), is if and how well a hacked DS1052E will comply with the DS1102E specs over the full operating range! Anyone who needs a 100MHz DSO and will rely on it to comply with the specifications will/should rather spend US$ 150-300 extra (this seems to be the current price difference range) and get a calibrated and tested/verified original DS1102E from an official RIGOL distributor.
Last edited by IPenguin on Mon Jul 26, 2010 3:31 am, edited 1 time in total.
IPenguin
Global Moderator
Posts: 430
Joined: Mon Nov 16, 2009 3:16 am

Re: RIGOL 100MHz Hack (DS1052E --> DS1102E) Verified for Firmware 2.04

Postby Sjaak » Sun Jul 25, 2010 1:43 pm

IPenguin wrote: a) I was confused by RJSC's comment in the "distributors beware" thread:

I just feel that we're being completely ripped-of when something like this is discovered: http://hackaday.com/2010/03/31/update-5 ... onversion/

and similar comments I read on some other boards. In my opinions such comments do great injustice to the manufacturer and distributors.

I agree with that. For those that think they are ripped off when they buy (in this case) a 100MHz instead of , please consider that every design will cost lots of money in R&D and one of the ways to get their investment back is selling a crippled version. If they for example need to develop two separate versions it would cost them lots more money. People seem to forget that stuff needs to be developed before it is available and the price is more than the sum of the bare components.

Your story about Mercedes proves this. Actually I drive a car from Seat which has a 2.0 TDI engine. Mine is 140 bhp and they also sell a 170bhp version (same engine/different cpu) for a couple of bucks more.. So nothing new ;)

I agree however that Rigol should protect it better ;)

BTW i'm curious what you find by tearing it apart. Can we expect some pictures? :D
Last edited by Sjaak on Sun Jul 25, 2010 1:45 pm, edited 1 time in total.
Sjaak
Fellow
Posts: 3035
Joined: Sun Jan 03, 2010 2:45 pm
Location: Hiero

Re: RIGOL 100MHz Hack (DS1052E --> DS1102E) Verified for Firmware 2.04

Postby ian » Tue Jul 27, 2010 2:15 am

Great discussion. I'll post it up :)
ian
Crew
Posts: 10577
Joined: Mon Jul 06, 2009 6:14 am

Re: RIGOL 100MHz Hack (DS1052E --> DS1102E) Verified for Firmware 2.04

Postby IPenguin » Tue Jul 27, 2010 9:21 am

Suggestions by rct:

1. Updated the summary/guide (to rev. 1.01) and included how to use Notepad to prepare the strings for the hack and to copy&paste them to HyperTerminal.

2. I have repeated the hack with the Hercules utility. It certainly makes the RS-232 hack much simpler compared to using HyperTerminal (preparing a doc now)!

@ian: consider the summary (PDF) and my posts GPL'd and released to the public domain!

@Sjaak, I will post (more) pictures once I will find the time to dissect the DS1052E and write a report. I intend to go rather careful and meticulous about it. :D
IPenguin
Global Moderator
Posts: 430
Joined: Mon Nov 16, 2009 3:16 am

Re: RIGOL 100MHz Hack (DS1052E --> DS1102E) Verified for Firmware 2.04

Postby rct » Tue Jul 27, 2010 10:52 am

IPenguin wrote: Actually I mistyped the model number but noticed it before sending LF (010). I just switched the unit off and back on and the model number had not changed. It's the LF that initiates the previous string to be written to memory!


It would seem reasonable that the action happens when the newline (linefeed) is read. The theory that it was being written into the model or serial number string as the bytes were read was a result of some seemingly being able to set a model or serial string with no terminator and then getting a very long response back when trying to read it. IIRC someone claimed that they could cause the no-terminator behavior by typing the string and then power cycling. On the other hand, someone who had gotten a flash and/or eeprom dump indicated there appeared to be 64 bytes between the model number and serial number and concluded that they reserved 64 bytes for each.

I've tried none of this however.  I'm just a hobbyist with the Rigol being my first and only scope.  My software curiosity is piqued but I'm trying to resist the temptation to do penetration testing on the scope firmware and do harm.

IPenguin wrote: 2. I have repeated the hack with the Hercules utility. It certainly makes the RS-232 hack much simpler compared to using HyperTerminal (preparing a doc now)!

If it is possible to overrun the input buffers, then you'd be doing people a service by posting those instructions to replace all the HyperTerminal instructions with no cautions on editing out there.

On a related note for your guide: Starting with the 2.04 firmware, there appear to be commands to read (and probably set) calibration data.
* http://www.rcgroups.com/forums/showpost.php?p=15479444&postcount=912

Mark_O made the suggestion to read and record those 7 values, which might be a good step before downgrading the firmware and changing things.

Thanks for helping others.
rct
Full Member
Posts: 115
Joined: Tue Mar 02, 2010 5:26 pm

Re: RIGOL 100MHz Hack (DS1052E --> DS1102E) - Using Hercules SETUP Utility

Postby IPenguin » Sun Aug 01, 2010 12:08 am

@rct, agreed.

I repeated the hack using Hercules SETUP Utility instead of HyperTerminal - it makes the procedure easier and more foolproof ... using the USB hack is still the safest way to go, so!

Attached is the protocol/summary for the RS-232 hack using Hercules SETUP Utility instead of HyperTerminal.
Attachments
RIGOL_DS1051E_Hack_Hercules_Addendum.pdf
(227.12 KiB) Downloaded 2396 times
Last edited by IPenguin on Sun Aug 01, 2010 12:19 am, edited 1 time in total.
IPenguin
Global Moderator
Posts: 430
Joined: Mon Nov 16, 2009 3:16 am

Re: RIGOL 100MHz Hack (DS1052E --> DS1102E) Verified for Firmware 2.04

Postby kubsztal » Tue Aug 03, 2010 2:46 pm

rsdio wrote: RIGOL got a deal on the faster chips and just put them in all products. Or, maybe the slower chips were unavailable, and they decided to continue production rather than hold up sales

IPenguin wrote: The Blackfin DSP, the ADC, the memory, all "clocked" components run at the same frequency in the DS1052E and in the DS1102E ... essentially both models require components that meet the same specs.

IPenguin wrote: I agree with rsdio and Sjaak that no professional should under any circumstances apply the hack to units that will be used for development, testing, validation etc. of any commercial products/equipment.


Guys,

both models claim 1Gsps, thus electronic components should be the same. In my opinion these scopes shouldn't be used by professionals at all due to the fact that ADCs are overclocked 2.5x.

http://www.eevblog.com/images/DS1052E-ADC-FPGA.jpg
Last edited by kubsztal on Tue Aug 03, 2010 4:21 pm, edited 1 time in total.
kubsztal
Newbie
Posts: 4
Joined: Fri Jan 15, 2010 3:42 am

Re: RIGOL 100MHz Hack (DS1052E --> DS1102E) Verified for Firmware 2.04

Postby polossatik » Thu Aug 12, 2010 2:56 am

Just letting people know that with newer 00.02.04.00.03 firmware (which is also reported as 02.04 in the rigol screen) you cannot "downgrade" anymore using the "standard" firmware files,
you need to make an (easy) change to the version header in the FW.
More info is in my changing the rigol DS1052E to DS1102E using USB , the dummy guide
Also already a few people have had problems with flashing new firmware into the rigol, resulting in a bricked Scope, it might be good to include the MD5 checks I added to my guide to minimise problems.
Last edited by polossatik on Thu Aug 12, 2010 2:59 am, edited 1 time in total.
polossatik
Newbie
Posts: 2
Joined: Thu Aug 12, 2010 2:48 am
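The MD5 check polossatik mentions is the step worth making routine: compare the downloaded image against the published checksum before anything is flashed, since a corrupted or wrong image is one way to end up with a bricked unit. Below is an added example, not code from this thread or from any guide: the sample image bytes are constructed, the "published" checksums are derived from those bytes purely for the demonstration (in practice they come from the guide or the vendor), and no real firmware file is involved.

```python
import hashlib
import hmac

# Constructed stand-in for a downloaded image; NOT a Rigol firmware file.
SAMPLE_IMAGE = b"CONSTRUCTED sample bytes, not a Rigol firmware image\n" * 16


def image_digests(data: bytes, algorithms=("md5", "sha256")) -> dict:
    """Hex digests of an in-memory image, one per requested algorithm."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in algorithms}


def verify_image(data: bytes, expected: dict, expected_size=None) -> list:
    """Compare an image against published checksums (and optionally its size).

    `expected` maps algorithm name -> hex digest, e.g. {"md5": "..."}.
    Returns a list of problem descriptions; an empty list means the image
    matches. Every expected digest is checked, so an image that matches the
    MD5 but not a stronger digest is still reported, and a wrong size is
    reported on its own even when a checksum was not supplied.
    """
    problems = []
    if expected_size is not None and len(data) != expected_size:
        problems.append(f"size {len(data)} != expected {expected_size}")
    got = image_digests(data, tuple(expected))
    for algo, want in expected.items():
        # compare_digest avoids short-circuiting on the first differing char.
        if not hmac.compare_digest(got[algo].lower(), want.strip().lower()):
            problems.append(f"{algo} mismatch: got {got[algo]}, expected {want}")
    return problems


def image_is_trusted(data: bytes, expected: dict, expected_size=None) -> bool:
    """Convenience wrapper: True only if verify_image() finds nothing wrong."""
    return not verify_image(data, expected, expected_size)


def verify_file(path: str, expected: dict, expected_size=None) -> list:
    """Same check for an image on disk (firmware packages are small enough
    to read whole)."""
    with open(path, "rb") as fh:
        return verify_image(fh.read(), expected, expected_size)


if __name__ == "__main__":
    # For the demo the reference values are computed from the sample itself;
    # with a real download they would be copied from the guide instead.
    published = image_digests(SAMPLE_IMAGE)
    print("reference:", published)
    print("clean image   :", verify_image(SAMPLE_IMAGE, published, len(SAMPLE_IMAGE)))
    damaged = bytearray(SAMPLE_IMAGE)
    damaged[10] ^= 0x01  # a single flipped bit, as a truncated download might leave
    print("damaged image :", verify_image(bytes(damaged), published, len(SAMPLE_IMAGE)))
```

Run `verify_file("<downloaded image>", {"md5": "<digest from the guide>"})` on the package before it goes anywhere near the scope and treat a non-empty result as a hard stop; listing more than one algorithm costs nothing and catches the case where only a weak digest was published.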

Re: RIGOL 100MHz Hack (DS1052E --> DS1102E) Verified for Firmware 2.04

Postby ian » Thu Aug 12, 2010 3:06 am

Argh, the pains of closed source :) In closed source they get to hide all this from everyone but the hard-core hackers. Our warts are all out in the open, I wonder if it contributes to the general impression of open source as second-rate (...and poor documentation...).
ian
Crew
Posts: 10577
Joined: Mon Jul 06, 2009 6:14 am
