Ooow how cunning :-D I suppose you would have to use a switchable tristate buffer to allow a PIC chip or similar to isolate the chip for a split second, then spit out a new frame of serial data to the isolated chip.
+EEVblog Rather than act as a man in the middle which would require you to forward all the other packets could you maybe just sit a controller on the bus and program it to send the 750MHz signal to the chip straight after it hears the 100MHz or 200MHz command? That would ensure you didn't interfere with the other signals.
+Wobblycogs Workshop That sounds great, as long as the data/CS lines that you would have to use do not get back to the other chips connected. Perhaps a tracing of that bus would be in order, know the creature better lol :-D
+zx8401ztv I'm new to ee but I'd assumed that setting the CS flag was how you picked which chip read the packet. I suppose one danger is that you could accidentally talk at the same time as another chip and I don't suppose such a simple data bus has anything like CDMA.
+Wobblycogs Workshop Hey I'm only a basic repairer so I'm likely not as clever as you are. But I've constructed old computer interfaces that were directly connected to the CPU, so I had to make sure the ti......ming was correct ha ha :-D, and no conflicting data Boom!!. The thing is Dave has got us thinking about it, that's good :-)
One thing I would worry about: once you do hack the registers, how does the software react? Worst case is that it detects a tampering attempt and willingly bricks itself. Likely case is that the software will apply the correct limit _anyways_. Best case - but unlikely IMO - is that the software gets data async and it gets higher resolution data than it thinks it gets (in which case you still want a way to disable the hack so that the software isn't confused when you want to capture at lower frequencies)
+EEVblog I get you can talk to the capturing chip without the software knowing. But the software has to get the captured data back somehow - and it will differ from what the software expects. Either there will be more data than expected (then tampering detection can be performed), the same amount of data over a shorter timescale (in which case the scale will be displayed incorrectly) or, if the data is being sent as a continuous stream with the software responsible for buffering the data, in which case you don't get extra resolution, just a bit of aliasing. It's technically possible that the software sets the time resolution and then reads it back from the chip, but in that case I would like to have a serious talk with the programmer. I also don't see how the latter would work with limiting frequencies not supported by the chip.
"No the software does not have to read back the data" - then how does it get on the LCD screen? There might be a rendering coprocessor responsible for just the oscilloscope traces - by which I mean the wavey lines that show you the voltage over time - but I find that unlikely. But it doesn't matter, it's just a matter of defining which part shall be labeled as "the software". If by data you mean the scale settings then I agree, the software will trust the chip with that. But I mean, the chip has to transfer the stream of voltages captured and the software has to get the stream of voltages captured. In any case, the chip will have different idea about the time scale captured than the logic responsible for dumping it on the screen does. It's the latter that is wrong in its thinking. It has to surface somehow, even if that somehow is just a singular number on the screen. I have also considered the option that the data transfer rate is the same for every limiting option, it's just smoothed out to a different extent, but that would be kinda wasteful in terms of memory. I would also be surprised if the software thought it a good idea to let you zoom in much closer than what the maximum sample rate _should_ be. Plus, there's still the thing that the software does apply some limiting of its own, and I can't see how reconfiguring the chip could change _that_.
+Jan Dvořák Yep, your objection is the same one I have. Software has to have some consideration of the overall data rate to set its buffers right, etc. And just visually, if it doesn't know that it's capturing at a higher rate, it won't scale time units properly. Since in this case the upgrade is actually done in software, rather than in hardware at the factory, they probably modify the code to update more than just some register value in a chip and then have the software re-read that value later and scale everything based on it. The "master control" is probably some variable in some arbitrary memory location, which you'll have a hell of a time finding unless you disassemble the firmware. Not out of the question (I did this on one of my LCD monitors once to disable the annoying 15-second power up picture, and also add a strobed backlight mode, but it took many full days of tracing around in the 8051 code). On the other hand, I've seen these modern scopes listing capture in the gigasamples/sec, even though they have only a few hundred MHz bandwidth, so merely adjusting the lowpass filter on the input might be sufficient as the scope is already oversampling many times even for twice the usual input bandwidth.
For some people it would be easier to hack the software instead of soldering a microcontroller to change the SPI communication. For Agilent InfiniiVision scopes there was even a command line switch for the main program (it uses EXE files and DLLs with a Windows CE system) to enable all licenses, if you started it from a telnet login on the scope :-) But I think they removed this for the latest firmware after it was found. So a hardware hack could be still a good idea, if you don't want to hack it again always after firmware updates.
+Frank Buss I'm one of the people that would have a much easier time hacking the hardware. I belong at a low level, being afraid of highs might explain why I don't do this high level stuff :P Though in reality it's because I get easily confused by all the text and abstraction, I can deal with bits and signals, then write my mess of a code that will do a good enough job.
You can see in the datasheet plots there is slightly more attenuation at the lower frequency setting. Since the frequency is limited elsewhere, this may have bought them a few tenths off a dB in insertion loss. This doesn't explain why they didn't use the full BW though. My only guess would be it could cause aliasing somewhere down the line
+jak p (skiguy09) - The filtering of the IC isn't perfect and changes from IC to IC and since the limit for this model line is set elsewhere in the scope there is no reason to play there. As for selecting the 750MHz instead of full (900MHz) if you look at the data sheet you can see the full setting actually has a bit of gain at the high end when setting full whereas the 750 setting is flatter. Selecting 650 instead might have been better still but not by much. Interesting stuff.
I'd look in the firmware around the licensing code. Probably a firmware mod. Or of course search the net for anyone who has done that, but it may be too rare. Not that I do things like that... I guess maybe you could sort of time warp it so it seems to work like half as fast at twice the sampling rate and then software correct it.
+Joost B I believe that the bus is zero-dominant so the only altering you could make is to switch it from your limit to unlimited bandwidth mode and I would not recommend that. Rather than altering the bus it would be better to cut the traces and put your micro between the programmable amplifier and the rest of the bus so it logically completely replaces it. The microcontroller will be able to receive the packet from the rest of the scope and then construct and send a new one to the amplifier with no danger of messing any other communication. This would be a much cleaner hack.
+Кирилл Рагузин Yes. That is exactly what I meant. That would be a simple solution. But I wonder if the license also changes some settings like the minimum div/s you can select. Some scopes I had did that as well.
+Martynas Mirauskas My thought exactly. Intercept CS line, wait for CS IN to be active, Bitbang it in, AND mask it, flip CS OUT active, bitbang it out, turn off again. Easy peasy lemon squeezy. That would make for a nice project. My thought is that if there are 3 other SPI devices that are being written to when bandwidth limit is selected, they might also have something to do with the model dependent speed limit too.
+bobdring - Yes, each channel would have its own attenuator/amplifier circuit. And those additional SPI signals we saw would likely be for the other channels. Good point.
It is, you learnt how to hack the base model and make it like the high end model. Learning how to hack something is still learning and learning is a form of education.
+kulgan96 What does it have to do with safety or security? It's just the bandwidth selection, nothing life threatening going on here. And I doubt many people will be able to override those settings, so not really any danger to value either.
I find this kind of hardware-crippling software shenanigans to be objectionable. Why put out intentionally crippled versions except to squeeze a few more pennies out of users who want to use the full capabilities of your hardware? make one version, sell that at cost, everyone's happy, no? good on ya dave! fight the powah ;-)
It's the other way around. You make the expensive version as your main product, that's what you rely on to make you back all the money you put into R&D. You only release the limited, cheaper version to make extra money.
+EEVblog Never tried, but I think it's possible to separate those pins from the line, by de-soldering the chip, putting a piece of kapton tape on those pads, and then re-soldering the chip so that the hack only affects that chip, without interrupting the line...
RPBCACUEAIIBH I'm fully aware of that, but usually only the people who are subscribed (and therefore enjoy the content) see the video in the first two minutes
"Hoy!"
I also say this at the start of every video. :) Please never stop this tradition.
I bet R&S are very grateful for your insights :-)
Geeess, it boggles the mind. Somebody had to sit there and think all this stuff up when designing a scope like that. Well, there'd be a team I bet but still. Amazing engineering.
Great video Dave! At last not a review, not a mailbag but real stuff :) It's not that I don't like reviews or teardowns but there are so many of those on your blog... Please make more videos like this one + design/build video :) it's been a while I wait and wait for you to start new build/design or finish some old ones that you have started in the past like PSU.
P.S. in this type of probing situation I use even thinner enameled wire (magnet wire), less likely to tear off PCB trace with them.
Thumb up to that, I share your opinion :)
14:20 EEVBlog PSA: Never probe your own clacker, always get outside assistance
When it comes to solder little wires to probe chips, I often apply a little solder blob on the end of an insulated copper wire, put this next to the pin I want to probe and use a bigger soldering tip to heat up the whole wire and make a connection to the pin like that. This proved to work reasonably well down to 0.5 mm pitch QFPs
I really hate it when companies deliberately limit features. If the manufacturing and developing costs are the same, why not make only better version!?
And if companies would still argue that the cost of limited products is identical to full blown, I have a good antiargument: How much does it cost to make special limiting software+hardware!?
!!! Such decisions are only slowing down development and progress of electronics !!!
+ZiGa:S Ikr, technically if they sell the exact same hardware for less, by limiting it in software then they would either lose money (I doubt that) or they are just ripping people that buy anything higher than the base model (very likely).
Basically they are selling 300MHz scopes for the price of 100MHz.
I'd have more respect and I suspect that they would sell so many more scopes if they didn't limit it like that.
This would allow them to build even higher end scopes 650-750 (1000MHz) for people that could afford that "fake" 300MHz.
I wouldn't mind paying 1798€ for that scope, but now that I know it's software I'd rather pay the 1098€ and get the full 300MHz... 700€ for the exact same hardware is not an option it's almost 50% more for 2 bits of data!
Like Dave said the 300MHz limit is just in the front end, but that chip could do 650, 750 or full (900MHz-1000MHz)
instead of selling us 2 bits for 700€ how about they build the best of the best and price it appropriately.
@@svampebob007 What you are ignoring is the important fact that some customers cannot afford the price of the 300 MHz scope. They would either lose those low-end customers or lose margin on the 300 MHz version. It's no doubt annoying, but less so than airlines selling the exact same seat at widely different prices depending on a whole slew of artificial criteria.
But what about the sampling rate? Would they not decrease that for the lower bandwidth scopes? I sure would.
Perhaps this analog attenuation is needed for noise considerations, to start with, but the limit could be anywhere else on the application FW of the scope. They are processing all the data digitally, so a digital filter is likely to happen apart from the analog one.
Lovely - that solder-blob mirror ~ 9:00 .
I am not convinced that only hacking that chip would do. So if you feed a 300MHz signal into a scope which "thinks" it will only get 100MHz signals it will still only sample with an appropriate sample rate of xx Gsamples/s. So if you hack the input it will get a 300MHz signal through but with the same sample rate which may be undersampling?
Yep, not to mention the limits imposed by the time per division selection - may not be able to see or analyze the signal in detail (just a compressed band on the screen.) There may also be further filtering for antialiasing. If not, you could use the aliasing to your advantage to see a cyclic signal, but the usefulness would be limited. Good snooping anyway.
+Carstens RasPi, Arduino und 3D Druck Experimente The sample rate on all models is the same. It's only a matter of not having a faster timebase setting.
The price range is certainly "reasonable".
"... probe its own clacker" hahahha!
+Heath Wells You gotta see the extended video for the clacker probing!
When you use both channels on this scope, are they both 300MHz? The brochure mentions something about 2x1GS/s or 1x2GS/s.
Nice, your hand is going crazy at 9:40
Really enjoyed this one, thanks for sharing.
Probably the easiest way to hack a lower end license is to cut the traces to the tri state bus at three pins and tie those three pins low- that way you will get the full bandwidth every time the chip select goes low to write to the SPI
+Barrett P But then the attenuation won't work.
+EEVblog ahh yes. For some reason I'm thinking parallel. I guess a kludge would be to hook in your microcontroller and read what the bus writes when chip select is low, then wait a few hundred clock cycles to make sure nothing else is writing, and spit the bits back out after modifying the ones of interest. Just don't turn the knob too quickly!
Making friends with R&S?
Maybe. The hackability is, in my opinion, the success of the Rigol DS range among hobbyists. Rigol would not be that popular if they weren't hackable. And I think mainly hobbyists do those hacks. I wouldn't hack my boss's scope because there is a risk involved and you wouldn't be able to send it round Rigol again for warranty, maintenance and calibration.
Does it fail to trigger because the LMH6518 is not outputting anything during an SPI access? Should hook a probe up to the OUT aux and see if it doesn't trigger when it is switching bandwidth.
Isn't there some sort of solvent or acid you could use (@ 11:40) to dissolve the solder mask but not harm the traces or PCB? Just a tiny drop on that via would probably be immensely easier than trying to melt / scrape it away.
+John Drachenberg Solder mask is pretty impervious stuff. Anything that could dissolve it is likely to do more damage.
You misread table 6... bits are backwards (D8, D7, D6) you must look in table for 1 0 0 if you read from left to the right 👉
I think hacking only the amplifier via that SPI (chip in the middle) may not be enough, because even if you can get rid of that filter most likely you have to unlock the software too (the software has to know the available bandwidth to list and use the controls and settings accordingly)
+Zoltán-Csaba Nyiró Yes, I was thinking the same thing. At the very least, the software will be running under the assumption of a lower bandwidth, which means other settings of the other chips may be all out of whack, as well as the software having bugs. But even if that is not the case, more than likely, the bandwidth is both hardware AND software limited, to make such modifications more difficult than a single fix.
Now put in a tiny 6 pin attiny and done :) BTW. Does this scope have JTAG or something like that accessible? If it has then maybe it can be just soft modded.
I wish there was a hack to get one of their 4 channel handheld models for 100 bucks.
Totally cool! Thanks Dave :)
I've been thinking about getting a scope for a while now. Not sure if this is a good first scope... maybe the Rigol DS1052E might be a better entry into the world of scoping things.
+John Ioannou the 1054Z is a lot more bang for your buck though... it is a bit more expensive, but not by much considering what you get!
+John Ioannou - ya like Tyler said, get the 1054Z. The 1052E is the older model and there is no reason to buy it. I mean unless you found a new unused 1052E for $25 (not missing a zero) you would be best served spending that money on the 1054Z.
+ElmerFuddGun Yeah, I would not buy the 1052E unless it was like $100 or something.
+EEVblog I think it's worth a bit more than that, up to 1/3 of what a new 1054Z is worth wouldn't be unreasonable. My first scope was a 1052E and now (4 years later) I have a 1054Z. It was only the 4 channels that made me upgrade in the end - the extra functionality is nice but not needed. The usability of the 1054Z is worse in some aspects and a steeper learning curve. The market value of a second hand 1052E is still at least half of a new 1054Z so it's not a problem to move them on if you outgrow the feature set.
Thanks for your input, guys. Greatly appreciated. I guess it's unanimous, I'll go for the 1054Z instead. Well, unless I can get the 1052E for real cheap.
Can you hack another oscilloscope, for educational purposes ;)
+zerpBot
For free bandwidth
If they don't have any model going higher than 300MHz bandwidth, why put in a 900MHz chip? Couldn't you save cost here?
+TheTruthSentMe Maybe they could save.. or not... but a lot of factors here: maybe they are not Chinese and they don't think about how to put the cheapest crappiest shittiest chips in their products to save 1$ per unit or maybe they are using this chip elsewhere in other products and they order large quantities and have a big stock of them which is cheaper than ordering a small quantity of a specific chip for one product. Also maybe there is no other good chip which satisfies them. Or maybe their engineers are familiar with this chip and don't want to change anything and start mucking with a new chip if it's not necessary. There could be thousands of maybe's :)
can explain what is going on? I iz confuzed. how do you edit the chip's settings?
You can either change the scope's firmware to send the command you want (that's the cleaner solution) or you could solder a microcontroller there to watch the line and when it sees a command going to the amplifier, resend the same command, only this time with a higher bandwidth limit.
Like this kind of investigation. Thumbs up!!!
Interesting. How would you go about the actual 'man in the middle' hack physically? Would you lift the chip select pin or something?
+pkplex You can't lift pins on a LCC (Leadless Chip Carrier) package. You'd have to cut the track, not hard, but not pretty. You'd only have to cut the CS track though.
Hmm, would it be semi possible to lift the chip off, and then shove some kapton tape over the CS pad and then chuck the chip back on?
You will make another enemy apart from Rigol.
Your logic is right. But they do not think this way. He said so a long time ago.
Nice mate! Love it!
Do you think the software could have issues with the higher bandwidth signals? For example it could be that the software doesn't expect to see 300MHz signals at full gain when it has set the limit to 100MHz. Could this mess up triggering, averaging or cause jitter?
+superdau No, because they would have to store the setting somewhere else. If you store a setting twice then you risk the setting falling out of sync. If there is confusion then the hardware setting would take precedence
R&S now may think of some "board level SSL SPI"?
It may need a non-volatile encryption key put in such a device like the VGA, unlikely to be available soon.
Maybe they just lower the price for the higher bandwidth licenses so no "bandwidth pirate" kit becomes popular? At least you have to open the scope and install it which is more work and risk than installing a key.
And you also would need to install new bandwidth selector switches on the outside to change to all your wanted bandwidths.
But 700-1000EUR price difference at a 800EUR base price can justify some hacking, bodging and even losing warranty.
Don't forget the emerging markets in Asia and eastern Europe. They don't care about losing the warranty to get a 300MHz scope for half the price, it just does not make economic sense.
In the very rare case they might need warranty they can just try to fix it themselves or buy a new one because the warranty is simply not worth 800EUR more for a 800EUR scope.
I guess having no warranty issues will likely be more than 95% of the cases.
+Raymund Hofmann The companies that do this don't care if people hack them. Rigol don't care, in fact they are likely happy at the extra sales. Fact is a very small percentage of the market actually know about hacks or would bother to do it.
EEVblog
Is someone buying a Scope only because he knows he can hack the bandwidth?
I don't think this translates to extra sales, but rather to a little more advertisement with maybe a slight loss on total sales because less high bandwidth licenses.
Someone should do an Arduino educational project called "bandwidth pirate".
All these people with their Arduinos want to employ them in some way ...
+Raymund Hofmann
I definitely like stuff more that I can hack in some way, even if I don't need it. So for me it definitely is something I take into consideration when buying a product. I would never buy (and never have) an Apple product for example for the same reason (also I like to repair everything I can and they are on the more annoying end for that).
Ooow how cunning :-D
I suppose you would have to use a switchable tristate buffer to allow a PIC chip or similar to isolate the chip for a split second, then spit out a new frame of serial data to the isolated chip.
+zx8401ztv Either that or break into the data line as well as CS. It doesn't seem to read anything back out of the chip, so that makes it easier.
+EEVblog Rather than act as a man in the middle, which would require you to forward all the other packets, could you maybe just sit a controller on the bus and program it to send the 750MHz signal to the chip straight after it hears the 100MHz or 200MHz command? That would ensure you didn't interfere with the other signals.
+Wobblycogs Workshop
That sounds great, as long as the data/CS lines that you would have to use do not get back to the other chips connected.
Perhaps a tracing of that bus would be in order, know the creature better lol :-D
+zx8401ztv I'm new to ee but I'd assumed that setting the CS flag was how you picked which chip read the packet. I suppose one danger is that you could accidentally talk at the same time as another chip and I don't suppose such a simple data bus has anything like CDMA.
+Wobblycogs Workshop
Hey, I'm only a basic repairer so I'm likely not as clever as you are.
But I've constructed old computer interfaces that were directly connected to the CPU, so I had to make sure the ti......ming was correct ha ha :-D, and no conflicting data Boom!!.
The thing is Dave has got us thinking about it, that's good :-)
No link to data sheet?
One thing I would worry about: once you do hack the registers, how does the software react? Worst case is that it detects a tampering attempt and willingly bricks itself. Likely case is that the software will apply the correct limit _anyways_. Best case - but unlikely IMO - is that the software gets data async and it gets higher resolution data than it thinks it gets (in which case you still want a way to disable the hack so that the software isn't confused when you want to capture at lower frequencies).
+Jan Dvořák The software does not know. It simply sends out the command, you intercept it and modify it.
+EEVblog I get that you can talk to the capturing chip without the software knowing. But the software has to get the captured data back somehow - and it will differ from what the software expects. Either there will be more data than expected (then tampering detection can be performed), the same amount of data over a shorter timescale (in which case the scale will be displayed incorrectly) or, if the data is being sent as a continuous stream with the software responsible for buffering the data, you don't get extra resolution, just a bit of aliasing. It's technically possible that the software sets the time resolution and then reads it back from the chip, but in that case I would like to have a serious talk with the programmer. I also don't see how the latter would work with limiting frequencies not supported by the chip.
+Jan Dvořák No the software does not have to read back the data. No need to do that if your hardware is reliable.
"No the software does not have to read back the data" - then how does it get on the LCD screen? There might be a rendering coprocessor responsible for just the oscilloscope traces - by which I mean the wavey lines that show you the voltage over time - but I find that unlikely. But it doesn't matter, it's just a matter of defining which part shall be labeled as "the software".
If by data you mean the scale settings then I agree, the software will trust the chip with that. But I mean, the chip has to transfer the stream of voltages captured and the software has to get the stream of voltages captured.
In any case, the chip will have different idea about the time scale captured than the logic responsible for dumping it on the screen does. It's the latter that is wrong in its thinking. It has to surface somehow, even if that somehow is just a singular number on the screen.
I have also considered the option that the data transfer rate is the same for every limiting option, it's just smoothed out to a different extent, but that would be kinda wasteful in terms of memory. I would also be surprised if the software thought it a good idea to let you zoom in much closer than what the maximum sample rate _should_ be. Plus, there's still the thing that the software does apply some limiting of its own, and I can't see how reconfiguring the chip could change _that_.
+Jan Dvořák Yep, your objection is the same one I have. Software has to have some consideration of the overall data rate to set its buffers right, etc. And just visually, if it doesn't know that it's capturing at a higher rate, it won't scale time units properly.
Since in this case the upgrade is actually done in software, rather than in hardware at the factory, they probably modify the code to update more than just some register value in a chip and then have the software re-read that value later and scale everything based on it. The "master control" is probably some variable in some arbitrary memory location, which you'll have a hell of a time finding unless you disassemble the firmware. Not out of the question (I did this on one of my LCD monitors once to disable the annoying 15-second power up picture, and also add a strobed backlight mode, but it took many full days of tracing around in the 8051 code).
On the other hand, I've seen these modern scopes listing capture in the gigasamples/sec, even though they have only a few hundred MHz bandwidth, so merely adjusting the lowpass filter on the input might be sufficient as the scope is already oversampling many times even for twice the usual input bandwidth.
For some people it would be easier to hack the software instead of soldering a microcontroller to change the SPI communication. For Agilent InfiniiVision scopes there was even a command line switch for the main program (it uses EXE files and DLLs with a Windows CE system) to enable all licenses, if you started it from a telnet login on the scope :-) But I think they removed this for the latest firmware after it was found. So a hardware hack could still be a good idea, if you don't want to hack it again after every firmware update.
+Frank Buss
I'm one of the people that would have a much easier time hacking the hardware.
I belong at a low level, being afraid of highs might explain why I don't do this high level stuff :P
Though in reality it's because I get easily confused by all the text and abstraction, I can deal with bits and signals, then write my mess of a code that will do a good enough job.
What's the little bit of crud right off of pin 10's test point or via at around 9:05?
Wow, might just be a little bit of flux. Looked a lot more substantial at high magnification.
Why did they set 750 for the 300MHz license rather than set 350MHz?
You can see in the datasheet plots there is slightly more attenuation at the lower frequency setting. Since the frequency is limited elsewhere, this may have bought them a few tenths of a dB in insertion loss. This doesn't explain why they didn't use the full BW though. My only guess would be it could cause aliasing somewhere down the line.
+jak p (skiguy09) - The filtering of the IC isn't perfect and changes from IC to IC and since the limit for this model line is set elsewhere in the scope there is no reason to play there. As for selecting the 750MHz instead of full (900MHz) if you look at the data sheet you can see the full setting actually has a bit of gain at the high end when setting full whereas the 750 setting is flatter. Selecting 650 instead might have been better still but not by much. Interesting stuff.
I'd look in the firmware around the licensing code. Probably a firmware mod. Or of course search the net for anyone who has done that, but it may be too rare. Not that I do things like that... I guess maybe you could sort of time warp it so it seems to work like half as fast at twice the sampling rate and then software correct it.
25:15 isn't the bandwidth limit changing as you change the timebase as well?
Will it be possible to put some PIC/AVR chip in between which detects that setting and alters the data?
+Joost B I believe that the bus is zero-dominant so the only altering you could make is to switch it from your limit to unlimited bandwidth mode and I would not recommend that. Rather than altering the bus it would be better to cut the traces and put your micro between the programmable amplifier and the rest of the bus so it logically completely replaces it. The microcontroller will be able to receive the packet from the rest of the scope and then construct and send a new one to the amplifier with no danger of messing up any other communication. This would be a much cleaner hack.
+Кирилл Рагузин Yes. That is exactly what I meant. That would be a simple solution. But I wonder if the license also changes some settings like the minimum div/s you can select. Some scopes I had did that as well.
Have you done a review on those mini pocket sized scopes? Probably crap but still like your opinion.
Cut traces in between that chip. Solder dead bug ATtiny as "filter" for registers. Simple.
+Martynas Mirauskas My thought exactly. Intercept CS line, wait for CS IN to be active, Bitbang it in, AND mask it, flip CS OUT active, bitbang it out, turn off again. Easy peasy lemon squeezy. That would make for a nice project. My thought is that if there are 3 other SPI devices that are being written to when bandwidth limit is selected, they might also have something to do with the model dependent speed limit too.
wouldn't you have to do the hack for each channel chip?
+bobdring - Yes, each channel would have its own attenuator/amplifier circuit. And those additional SPI signals we saw would likely be for the other channels. Good point.
Hello. In 20:33 what is he doing and the states changed?
At 10:20 Dave mentions 30 AWG wire. And what does AWG stand for? AMERICAN WIRE GAUGE! USA - USA - USA!
I hate knowing that I must pay for all the hardware and get limited in software on a scope.
Are you still doing teardown Tuesdays?
flip some bits charge $100's, marketeers in control, crooks...
"just for educational purposes" haha sure xd
It is, you learnt how to hack the base model and make it like the high end model.
Learning how to hack something is still learning and learning is a form of education.
Yep
That is cool and kinda bad safety security settings
+kulgan96
What does it have to do with safety or security? It's just the bandwidth selection, nothing life threatening going on here. And I doubt many people will be able to override those settings, so not really any danger to value either.
I find this kind of hardware-crippling software shenanigans to be objectionable. Why put out intentionally crippled versions except to squeeze a few more pennies out of users who want to use the full capabilities of your hardware? Make one version, sell that at cost, everyone's happy, no? Good on ya Dave! Fight the powah ;-)
It's the other way around. You make the expensive version as your main product, that's what you rely on to make you back all the money you put into R&D. You only release the limited, cheaper version to make extra money.
2 dislikes in the first 20 minutes? u wot m8
+LeiserGeist They came in the first 2 minutes. The usual serial haters.
+EEVblog probably not the only time they came in the first 2 minutes
had to
+LeiserGeist There are always some people who dislike something... you can't make anything that everyone likes...
+EEVblog Never tried, but I think it's possible to separate those pins from the line, by de-soldering the chip, putting a piece of kapton tape on those pads, and then re-soldering the chip so that the hack only affects that chip, without interrupting the line...
RPBCACUEAIIBH
I'm fully aware of that, but usually only the people who are subscribed (and therefore enjoy the content) see the video in the first two minutes
deleted my first comment.. didn't read the title of the video lol
ENOUGH ABOUT OSCILLOSCOPES !!!!!