Rigol HDO1000 Serial Boot Capture for Hack + R&S MXO4 play
ฝัง
- เผยแพร่เมื่อ 10 ก.พ. 2025
- Turns out it wasn't that easy to capture the serial output of the Rigol HDO1000 scope for potential hacking. And the new R&S MXO4 beast of a scope had some issues.
Forum hack thread: www.eevblog.co...
Support the EEVblog on:
Patreon: / eevblog
Odysee: odysee.com/@ee...
EEVblog Web Site: www.eevblog.com
Main Channel: / eevblog
EEVdiscover: / eevdiscover
AliExpress Affiliate: s.click.aliexpr...
Buy anything through that link and Dave gets a commission at no cost to you.
Donate With Bitcoin & Other Crypto Currencies!
www.eevblog.co...
T-Shirts: teespring.com/s...
#ElectronicsCreators #Rigol #Hack
Cant wait for videos on the R&S Scope. I'm especially excited about the 4.5 million updaters per second!.
Haven't measured that yet but I will.
@@EEVblog2 The Rigol manual for this series of oscilloscopes mentions another model HDO 2000
You should be able to use Putty to connect at an arbitrary baud rate.
Most generic USB to serial adapters can do up to 2MBaud (eg cp2012, ch340 etc etc)
Yep, perfect "specific solution". A generic serial TTL to USB chip.
RealTerm can also do arbitrary baud rates
Mot 16550's can't even do 500k. It depends on a number of hardware factors. I have a few Cisco boards that can handle async rates to 8M (i.e. bus speed) - 'tho IOS says it'll go up to "Max Int" [4294967295] :-) (NM's are PCI, so it might could do it.)
Yeah, I use SecureCRT too, you can also set it to dump the output to a log file. I think PuTTy can do it too.
CP2102 works up to 1Mbit.
Maybe, after the bootloader stuff, the console is switched to a much slower baudrate for the rest of the boot process. That could explain the Zeros you were seeing.
Same thing with DHO800 and DHO900. U-Boot first stage goes with much higher baudrate. After that next stages and kernel does 115200. BTW. When I made my own build with Debian I also chose 115200 - I have too long wire in my cheap USB/UART converters to handle much more than that.
Using R&S and Keysite to hack a Rigol. Priceless.
Used a FT232R years ago at 1MBaud for some automotive sensors, "streaming" measurement data ... had to write my own software for this, but puTTY also did a great job testing the connection during debugging 😀
The HDO4000 manual mentions the 800Mhz version but only for 50 ohms input, in fact the limit of this oscilloscope is located at 500Mhz.
Looking forward to the R&S lockup video :)
A video link is on the forum hack thread
I really like how you toss multi thousand euro equipment at the problem, whilst a 20ct CH340 would do the business as well. 😁
I use high baud rates (3MBaud/s) to flash ESP8266/ESP32 in production settings to make it somewhat time efficient. :)
Would love to hack around on this scope, but I guess I have to wait for the hackers who can afford this scope to do the hacking. 😅
Thanks for introducing me to this nice scope, Dave. :)
😢😢😢my DHO1072 hangs and restart with rigol.scope app has stopped when I operate timebase controls on control panel (no customs no hacks) but works fine when I use with touch panel function or mouse. Cant find dho1072 original firm to reflash it...
The Rigol manual for this series of oscilloscopes mentions another model HDO 2000
What a beauty this MXO!
to hold the probe you could use washing line clothes pegs as we call them in the uk
11:43 this is effect of stupid interpolation between data points..
I think not using self identifying probe with that high end scope never came to the builders as a common use case so they put the options inito that extra menu
You can use FTDI FT232R which supports up to 3Mbps speed if you have one and RealTerm (v2) in which you can enter manually the baud rate. Also RealTerm support hex output in case of raw data.
And FT232H for higher rates up to 12M, and also rates where the FT232R's divisor doesn't work
@@mikeselectricstuffindeed, I've been using the FT232H to program firmware via JTAG, driven by OpenOCD (Linux), it is a very versatile adapter.
Use a cheap Sigrok logic analyser.
why didn’t you move the trigger point to the left of the screen?
CoolTerm also lets you enter a custom Baud rate
Millenial UX design :-)
I use 1M2 baud on STM32 embedded devices to minimize the timing impact for debugging output. Putty has no problem with that.
A standard CH340 converter makes up to 3Mbaud, a PL2303 even up to 12Mbaud. Putty Terminal should be able to handle this.
Maybe that's the catch that it is not easy to capture the data as a whole because ot available software / memory depth
Seemed strange that the serial adapter has a speed limitation. I had a generic bluepill STM32F1 laying around with serial monster firmware on it, nothing specialized at all. And infact using miniterm on linux (my goto) shows no issues at looping back the keys at 8Mboud through a screwdriver bit used to make the short. So that's probably a software limitation either in teraterm or windows.
What if we could get the $700 2 channel version. And then (later on, after saving up some more coins)... afford to buy a 2nd (same) $700 scope = $1400 total. But spreading the cost out over 2 purchases. Then use the 2nd scope could be aquired purely for harvesting those necessary missing components to upgrade the first scope. (Including the custom rigol ADC)... might sound a bit silly but how much money difference is there? When compared to the other higher end HDO scope that already comes like that?
to answer my own question... the HDO4204 is $2699. So then would potentially save around $1300. Since making the franken scope would cost around $1400 so nearly half price then? Ah, but it wouldn't be active though. Since active part is not populated on any of these HDO1000 series models. Although I wonder what is actually missing and needed there? How much of a challenge it would present.
@@dreamcat4 aside from populating the PCB and convincing the firmware to talk to active probes you’d also have to whip out the Dremel to make the necessary cutouts in the case below the BNCs.
@@mlenstra yes of course. if we are assuming that the software is either hackable or not (which ofc remains to be seen). i was more referring to the active section, if it had any unobtainium or calibrated components on it. that would be difficult to source. because if not (on the physical side) then making the necessary face plate changes would not really seem so bad imho. ofc active probes arent normally very cheap so there is that too to consider
Nice one Dave very interesting...thanks for the video. Now im curious to see what happened to the Oscilloscope :)
Wow that looks like a really shaky console boot. Not finding files etc...
Such horrible times, where a 2500$ device from the most reknowed company in it's field is a bugged mess and it isn't even special.
Docklight goes that high and you can have data in different formats.
Maybe USB 1.0/Low-Speed: 1.5 Megabits per second (Mbps)
Use PUTTY on windows in terminal mode... i use that upto 3 meg baud 😁
Use an 10 Yankee dollar LA from Ali, it works better then your 10000 Kangaroo dollar scope for serial data analyse.
This, the ones compatible with the old old Logic 8 protocol sample at 20MS/s
that would be the day.. when 5000 $ scopes have an 2 $ serial converter and a freaking software terminal integrated on that fancy touchscreen...
and help me god .. autodetection
R&S want to sell you their overpriced proprietary probes with special data pins 🤣
You have to pay to outfit probes for a 1.5Ghz scope.
Err, every scope manufacturer has their own special active probes. Rigol, Siglent etc
the chance that someone using an MXO4 is using a $5 probe is damned near ZERO !! It's really a non-issue for anyone using lab-quality gear...your bad!!