Author Topic: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...  (Read 147132 times)

0 Members and 2 Guests are viewing this topic.

Offline rudinietz

  • Newbie
  • Posts: 1
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #50 on: December 11, 2010, 04:10:11 pm »
Hi,

I have a RIGOL DS1052D with LA-Module. After the hack to the DS1102 the noise  (<200ns/Div) is very high.
There can I find the original Firmware 00.02.04.01.00 for the HW58 DS1000D?

Please help me!
Thanks
 

Offline driegTopic starter

  • Regular Contributor
  • *
  • Posts: 85
  • Country: cz
    • Silcon Electronics
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #51 on: December 11, 2010, 10:36:17 pm »
@msh959
If you have the possiblitily to read/write the flash, you can send me only the dump file, otherwise you have to send me the mainboard or the flash chip.

@rudinietz
Try to ask Rigol for the fresh FW file for your unit.
Bricked Rigol? This thread might be of any help.
 

Offline darrylp

  • Regular Contributor
  • *
  • Posts: 127
  • Country: gb
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #52 on: December 14, 2010, 10:37:58 pm »
so Drieg, do you have a copy of the 02.05 firmware yet ?

can i ask how you are recovering most of the failed flash attempts ?  does the JTAG connect to the flash chip ?


 

Offline driegTopic starter

  • Regular Contributor
  • *
  • Posts: 85
  • Country: cz
    • Silcon Electronics
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #53 on: December 17, 2010, 08:57:55 am »
No, I don't have 02.05 FW yet. If anyone has it, I'd be interesing to look at it...

Check my 1st post in this thread for your question. Usually the flash desolder/read/write/solder cycle is needed. The JTAG connects to Blackfin only.
Bricked Rigol? This thread might be of any help.
 

Offline darrylp

  • Regular Contributor
  • *
  • Posts: 127
  • Country: gb
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #54 on: December 17, 2010, 10:36:34 am »
No, I don't have 02.05 FW yet. If anyone has it, I'd be interesing to look at it...

Check my 1st post in this thread for your question. Usually the flash desolder/read/write/solder cycle is needed. The JTAG connects to Blackfin only.



first post, had indicated the blackfin jtag was daisy chained to the flash....
"The most common problem is totally dead scope after unsuccessful firmware "downgrade/upgrade". The only way to recover it is to reprogramm the flash chip (Spansion S29GL064N90TFI04) either via BlackFins's JTAG interface or in external programmer."


i've got a circuit board with the 02.05....    i've not got the tools to de-solder the flash.... but would be willing to send the board to you, if you have the tools to do the job.  ie. remove the flash, save copy,  place a lower version,  up the model number ;) ,  and then return the 02.05 firmware ?
of course i'd cover the postage both ways, but wouldn't want to send it until the new year ( as my country ( the UK ) is very back-logged on deliveries with the bad weather and the xmas rush )

prehaps continue in email ?
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 13148
  • Country: gb
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #55 on: December 17, 2010, 11:23:23 am »
if you have the tools to do the job.  ie. remove the flash, save copy,  place a lower version,  up the model number ;) ,  and then return the 02.05 firmware ?
prehaps continue in email ?

Darrylp,

If Drieg is willing to do the work for you, I would recommend that you not return your scope to FW2.05 unless Drieg finds that the hardware requires it. As you have HW58 it is very likely that FW2.04SP1 will work perfectly with it and you will then have the ability to do further unofficial firmware updates in the future. FW2.05 would appear to be just a countermeasure release, hobbled to prevent unofficial firmware updates. From my understanding, Rigol were not intending to make any significant improvements to the 2.04 firmware. It's your decsion but given the opportunity I would prefer FW2.04SP1 to FW2.05.
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline darrylp

  • Regular Contributor
  • *
  • Posts: 127
  • Country: gb
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #56 on: December 17, 2010, 01:27:24 pm »
if you have the tools to do the job.  ie. remove the flash, save copy,  place a lower version,  up the model number ;) ,  and then return the 02.05 firmware ?
prehaps continue in email ?

Darrylp,

If Drieg is willing to do the work for you, I would recommend that you not return your scope to FW2.05 unless Drieg finds that the hardware requires it. As you have HW58 it is very likely that FW2.04SP1 will work perfectly with it and you will then have the ability to do further unofficial firmware updates in the future. FW2.05 would appear to be just a countermeasure release, hobbled to prevent unofficial firmware updates. From my understanding, Rigol were not intending to make any significant improvements to the 2.04 firmware. It's your decsion but given the opportunity I would prefer FW2.04SP1 to FW2.05.


yes, i see what you are saying, but the calibration data,  its location ( inferred by Drieg, to be easily corrupted and matched to hardware and firmware level ) would be wrong....  doing a replace of the 2.05 when done, means the scope will work.

if Drieg has ( i'm sure he does ) a DS1052e,  then he can use the board (my board ) with his screen / buttons whilst on a lower version of firmware .... even a calibration to see how it works,  and if needed can be returned to the 'snapshot copy of the firmware before calibration'

it's up to him,   hopefully from it, we will have a binary firmware 2.05 ( which can be used to flash back onto 'scopes )  i'm guessing the newer firmware is looking for a new upgrade filename,  and maybe some checksum (  once we have the file, we can see the CRC of it.  and maybe a file version inside the firmware rather than just in the header 21 bytes.)

either way, we move a step in the right direction to being able to 'unlock' the higher bandwidth in software of the DS1052e scopes. 

ps. this board in question 02.05 firmware is listed as H/W 58. so still no news of a newer hardware revision from the factory.


 

Offline driegTopic starter

  • Regular Contributor
  • *
  • Posts: 85
  • Country: cz
    • Silcon Electronics
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #57 on: December 20, 2010, 10:05:11 am »
Aurora is right, if you have HW58, you should be able to run 02.04 SP1 without problems (after Self-Cal).

Unfortunately the flash dump and the firmware file are two (more or less) different things. Most probably they changed file header and/or implemented some kind of protection/encryption or maybe changed the file structure too. To be able to create working FW file from the flash dump, you have to exactly know how.

I think the only way is to wait until somebody manages to get the oficial 2.05 FW file...
Bricked Rigol? This thread might be of any help.
 

Offline killerwhale

  • Contributor
  • Posts: 20
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #58 on: December 24, 2010, 03:33:58 am »
Hi, drieg. If we had a 2.05 FW dump file, would it not be possible by disassembling it to find out exactly how this firmware decides if the update is possible? Of course, if we could somehow find the entry point, init values, etc. Or am I missing something?
 

Offline driegTopic starter

  • Regular Contributor
  • *
  • Posts: 85
  • Country: cz
    • Silcon Electronics
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #59 on: December 25, 2010, 07:24:33 pm »
That would be definitely possible, as long as you have enough time, skills and tools to do so... ;)
Bricked Rigol? This thread might be of any help.
 

Offline scrat

  • Frequent Contributor
  • **
  • Posts: 608
  • Country: it
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #60 on: December 25, 2010, 11:31:41 pm »
Aurora is right, if you have HW58, you should be able to run 02.04 SP1 without problems (after Self-Cal).

Unfortunately the flash dump and the firmware file are two (more or less) different things. Most probably they changed file header and/or implemented some kind of protection/encryption or maybe changed the file structure too. To be able to create working FW file from the flash dump, you have to exactly know how.

I think the only way is to wait until somebody manages to get the oficial 2.05 FW file...

I don't have a clear view of the whole thing (memory inside the Rigol). Could you please explain more in detail?
Are there two programmed memories, one inside the Blackfin and one on a flash chip? Where is (more probably) the calibration data contained? How did you guess that? Did you manage to extract the calibration data among all the memory?
I know this could be part of your professional knowledge, but I'd spend some money to have your insight! ;)

Another reason why I'm asking is that, if it's like I figured it out, writing all data taken from a 2.04SP1 (or 2.X) scope onto a newer one will make the hack possible, maybe at the cost of desoldering/writing/soldering and loosing calibration data.
Am I so wrong?

Thanks,
Sandro
One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man. - Elbert Hubbard
 

Offline Fraser

  • Super Contributor
  • ***
  • Posts: 13148
  • Country: gb
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #61 on: December 27, 2010, 09:41:22 pm »
FW 2.05 appears to be hackable  :-)

See here: https://www.eevblog.com/forum/index.php?topic=553.345

Having just checked 'Killerwhales' firmware file, it appears that Rigol changed the header contents to something non ASCII except for the DS1000E identifier. I presume Killerwhale has cut the header from a copy of FW2.05 but know not where he got it from.
« Last Edit: December 27, 2010, 09:54:27 pm by Aurora »
If I have helped you please consider a donation : https://gofund.me/c86b0a2c
 

Offline msh959

  • Newbie
  • Posts: 2
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #62 on: January 16, 2011, 12:36:30 pm »
Hi everyone,
I have DS1102E.About one month ago I wanted to update the firmware.So I downloaded a firmware and when I tried to update my Rigol it crashed and it didn't show anything in the LCD, so I started to search and find a way to repair it and suddenly I found Drieg in this forum.I send an E-mail to him and I told him what happen to my oscilloscope.After some question I found that the best way is to send the main board to him because I don't have a device to demount the spansion  IC. I live in Asia so it take 8 days to arrived.After that he sent a mail to me that he get the board and fix it.
I think the best way is to send the main board to him. You can just send An E-mail to him and ask him to help.When it finish and he send it back to you, you pay him for his work.
I'm really happy.I turn my Rigol on and saw the 2.05 version on the screen. :)
 

Offline nasser32

  • Newbie
  • Posts: 1
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #63 on: February 11, 2011, 09:45:11 pm »
Hi everyone,
Youuuuuuuuuuuuuuuuuuhooooooooooooooooooo!!!
My RIGOL scope works fine again thanks to Mr. Drieg.
One year ago, I bought a RIGOL DS1052 scope and it was a good companion until I tried to hack it to a 1102.
I mistyped a character meanwhile and Yes, my scope ruined. It couldn't be used any more.
I searched to find some way to repair it. but I found that I can't do anything by myself.
when there was no hope,  I found Mr. Drieg and emailed him. after some questions about my problem, he could find a way to repeir it.
he did something for me that no one could do. he repair it "REMOTELY". he sent me a special manipulated firmware which could repair my scope even without openning its case.
He is so tallent I believe.
If you have a similar problem, ask him for help. I bet you'll never regret. this is the closest approach to repair your damaged scope.

>>>>  **** THANK YOU MR. DRIEG FOR YOUR GREAT HELP **** <<<<
 

Offline tonva

  • Newbie
  • Posts: 6
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #64 on: April 03, 2011, 07:05:46 pm »
That would be definitely possible, as long as you have enough time, skills and tools to do so... ;)
Well, as for me, time and skills enough (retired), just tools missing. May be some cooperation will be useful for all involved?
 

Offline tonva

  • Newbie
  • Posts: 6
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #65 on: April 03, 2011, 07:17:27 pm »
FW 2.05 appears to be hackable ..........
Current DS1052E's come with 02.05.02.00 firmware so the hack for 02.05.01 does not work.
The only long-term solution I see is some "nondestructive" method of firmware downgrade not based on Rigol's update tools.
(using JTAG or so). Has anyone some idea how it can be done?     
 

Offline d.giddy

  • Newbie
  • Posts: 1
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #66 on: April 06, 2011, 10:30:27 am »
Very pleased to report that Drieg has managed to get my dead DS1052 going again. Here's my story:

- Purchased a DS1052E
- "Upgraded" it to a DS1102E using the widely available USB firmware procedure - seemed to work fine.
- Further updated the firmware to 02.04.03 to get the menus back - seemed to work fine.
- Have since then had an intermittent problem where the scope didn't always boot. Often got to the splash screen and then went to a grey screen with a few wavy lines. Usually only a problem if it had been in use for a while and then was turned off and turned back on. Would fairly reliably start when it was cold, but rarely if it was hot.
- Decided to downgrade back to the 02.02 firmware that I used for the initial patch in the hope of making the start more reliable. In the process the load seemed to fail about 80% through and after power cycling, I get a screen with wavy lines only - no splash screen.
- I sent the main board to Drieg who's got it going now with firmware 02.05.

Thanks Drieg!
 

Offline DenisRU

  • Newbie
  • Posts: 1
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #67 on: April 28, 2011, 12:59:25 pm »
Sorry for my english.

     Hi everyone!  I live in Russia. I wanted to tell you my story how I killed my Oscilloscope Rigol DS1052E. He came to me with firmware 00.02.05.02., At that time upgrate in DS1102E  was impossible. Not long ago there was information about how to do it. https://www.eevblog.com/forum/index.php?topic=553.msg42404#msg42404.
     In short, I flashed it. ... .. After that it could not run. The mood has fallen. I will not tell you how I did it ...
     I turned to Drieg. He told me to read a dump from the chip Spansion S29GL064N90TFI04 and send it back to him. If you’re interested in programming, I had a Triton + V5.7T http://www.triton-prog.ru. I ordered an adapter for this chip. Not the first time but I managed to read the data correctly.  Posted the dump to Drieg. Soon he sent me a corrected dump. I flashed the chip and soldered it in place. After that, my Rigol alive.
      I would like to express my deep gratitude to Drieg. Thanks very much to him! The world is not without good people. For more of these ...



« Last Edit: April 28, 2011, 01:02:18 pm by DenisRU »
 

Offline saturation

  • Super Contributor
  • ***
  • Posts: 4787
  • Country: us
  • Doveryai, no proveryai
    • NIST
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #68 on: April 28, 2011, 01:49:53 pm »
Great story.  Drieg's icon is very well deserved, and this thread is a valuable part of the forum.



Sorry for my english.

     Hi everyone!  I live in Russia. I wanted to tell you my story how I killed my Oscilloscope Rigol DS1052E. He came to me with firmware 00.02.05.02., At that time upgrate in DS1102E  was impossible. Not long ago there was information about how to do it. https://www.eevblog.com/forum/index.php?topic=553.msg42404#msg42404.
     In short, I flashed it. ... .. After that it could not run. The mood has fallen. I will not tell you how I did it ...
     I turned to Drieg. He told me to read a dump from the chip Spansion S29GL064N90TFI04 and send it back to him. If you’re interested in programming, I had a Triton + V5.7T http://www.triton-prog.ru. I ordered an adapter for this chip. Not the first time but I managed to read the data correctly.  Posted the dump to Drieg. Soon he sent me a corrected dump. I flashed the chip and soldered it in place. After that, my Rigol alive.
      I would like to express my deep gratitude to Drieg. Thanks very much to him! The world is not without good people. For more of these ...




« Last Edit: April 28, 2011, 01:52:01 pm by saturation »
Best Wishes,

 Saturation
 

Offline HB-1905

  • Newbie
  • Posts: 1
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #69 on: May 11, 2011, 08:31:00 pm »
Just another chapter in the bricked Rigol DS1052E story:
- planning for the 1052 to 1102 hack
- during the FW downgrade it all seems fine but the reboot prompt at the end did not appear
- switched off/on (perhaps a retry would have been a better idea...)
- ... the scope was not a scope anymore

Looking the internet for other victims and indeed, there were more! Also found Drieg's contact details on this blog. Amazing: being in trouble to find such a (possible) escape! Lucky me, he was able and especially willing to help me. Sent the mainboard since I lack the skills to do the repair on my own.

After only one week the board was back again being sent from The Netherlands. I noticed he did the repair in about one hour! I know, he is professional but nevertheless. On the board there is no trace whatsoever of this repair. Even the numbered label on the chip is placed back very carefully. The (de)soldering? Simply perfect.

So, Drieg did the repair, upgraded to FW 2.05 and did the hack for me. You might call this the safest way ... His skills and service are really remarkable. Also communicating to this guy is enjoyable. I would almost advice to brick your scope on purpose ...
 

Offline Kitsyboy

  • Newbie
  • Posts: 5
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #70 on: June 09, 2011, 08:22:20 pm »
Same story here,

I have a DS1052D which was running a very old firmware version (0105). I tried to hack the scope with the serial interface. Instead of ending the strings with a Linefeed character I accidentally typed CR. followed by some backspaces. After that the initial configuration data of the scope was gone. In the hardware info screen the Hardware version was messed up and the scope was 30% off spec.
(a 10 Volt signal appeared to be 6 volt on the scope).
Drieg has succesfully helped me to restore the initial data. He truly as an awful lot of knowledge about the inner workings of this scope.

Thanks again Drieg for unbricking the scope, and to everyone I would say: Never use the serial method, use the USB method which is far more safe.
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4061
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #71 on: June 26, 2011, 09:46:54 am »
@Shafi

.... i was going to test it against my 400Mhz HP54502A scope, but when i turned on my old reliable, she is no longer reliable. It popped up with Calibration Memory checksum error. So i spent quite a few hours trying to recalibrate it and failing, it seems that the old HP is dead now  ???



Off Topic. if need continue, then other thread.

My opinion is that your HP54502A need only new NVRAM and then need do perfect recalibration just following exactly service manual.

(54502A is very sensitive in calibration prosedure and it fails very easy. Sometimes it need some small adjustment before selfcal go ok but inside scope adjustments need special knowledge and instrumets - other way it only go more bad. Also you need good perfect set of calibration cables. )

After NVRAM change it first need factory default and then do ALL steps exactly as service manual explain for calibrating - The manual does not contain any unnecessary words or sentences.

If selfcal fails in any step --> stop and start totally beginning with full factory defaults (reset all selfcal data).
If it fails all times in same step then need do service manual adjustments exactly with required instruments.
If still fails there is HW problem. (mostly littlebit bad input attenuator module.)
Selfcal cables need be perfect quality, many coaxial cables with cheap noname BNC connectors may cause problem becouse specially shield connectors are loose. Also old machine BNC connectors may be dirty. (use pure isopropyl alcohol or "dry" video cleaner. Front BNC' do not use whatever "contact spray", they may damage input attenuator module behind BNC)

BTW 54502A is good scope specially for timing measurements. It is 6 bit adc but it is not problem if use this scope for purposes for what it have designed. (extremely nice is that it have real 50 ohm inputs for rf work. This can not solve using 50 ohm terminator in normal high imbedance input scopes)

I drive a LEC (low el. consumption) BEV car. Smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the wises gone?
 

Offline dimlow

  • Frequent Contributor
  • **
  • Posts: 301
  • Country: gb
  • Likes to be thought of as
    • Dimlow Ponders
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #72 on: June 26, 2011, 11:54:50 am »
I have since fixed the scope, only needed some new NVRAM!
 

Offline rf-loop

  • Super Contributor
  • ***
  • Posts: 4061
  • Country: fi
  • Born in Finland with DLL21 in hand
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #73 on: June 26, 2011, 12:56:13 pm »
I have since fixed the scope, only needed some new NVRAM!

Oh and just I find this: "dimlow on October 09, 2010, 12:43:39 PM"

So I have write comment to very old message what I accidentally find as I use some other "Search".

But, for common info, these scopes are most common  fails are repairable.
(today there is no company who make this quality in production or specially if look littlebit more old HP's)
EOOT (end of off topic ;) )
« Last Edit: June 26, 2011, 02:39:19 pm by rf-loop »
I drive a LEC (low el. consumption) BEV car. Smoke exhaust pipes - go to museum. In Finland quite all electric power is made using nuclear, wind, solar and water.

Wises must compel the mad barbarians to stop their crimes against humanity. Where have the wises gone?
 

Offline dimlow

  • Frequent Contributor
  • **
  • Posts: 301
  • Country: gb
  • Likes to be thought of as
    • Dimlow Ponders
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #74 on: June 26, 2011, 01:47:48 pm »
I dont really see what your getting at, and im sure that last quote is not from me
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf