Sniffing the Rigol's internal I2C bus

[jonese]

That's not a correct comparison.  Linksys doesn't sell higher end routers, there was no lost sales.  The chipset, OS, and flash was changed for cost reduction.

[KuchateK]

That's not a correct comparison.  Linksys doesn't sell higher end routers, there was no lost sales.  The chipset, OS, and flash was changed for cost reduction.

From Wiki:

Linksys released the WRT54GL in 2005 to support third-party firmware based on Linux, after the original WRT54G line was switched from Linux to VxWorks, starting with version 5. The WRT54GL is technically a reissue of the version 4 WRT54G.

Demand had to be very high to justify such move.

Edit: They were acquired by Cisco in 2003, so I'm sure they lost some sales on the high end.

[BlueLaser]

So regarding these DSA9 codes, has anyone verified whether the 2nd self-cal event causes the options to be reset or any original options timer values to be zeroed?

[Harvs]

So regarding these DSA9 codes, has anyone verified whether the 2nd self-cal event causes the options to be reset or any original options timer values to be zeroed?

I don't really get what you mean about the second self-cal.  However, yes, when you stick the DSA9 code in, all the trial options are zeroed, since while it's running it believes you have the official version of all the options.  When you reboot, you now have no options at all.  That's why I posted the RPi code to upload the key on boot.

[BlueLaser]

I was referring to the known issue of FW v.01.00.00.03 (item 6 of the other major ds2072 thread) where the 2nd self-cal expires the trial options.  I did see that the timers temporarily disappear after entering the code showing "official version" but after power cycle, the original time remaining does return to the trial options installed.  (As others have noted, the 2ns time base indeed does remain!  )

[zibadun]

In case somebody uses IP to talk to the scope

found a small VXI-11 module here https://github.com/alexforencich/python-vxi11

After installing the module, a short python script:

import vxi11
rigol = vxi11.Instrument("192.168.x.x")
print(rigol.write(":SYSTem:OPTion:INSTall LLLLLLL<your favorite code>LLLLLLLLLL"))

does the magic. 


BTW, on 03 firmware with the "original" trial options looks like the clock is ticking while using the DSA9 code. After the reboot the options remaining time is down, so I expect to lose them forever eventually.

[Harvs]

Nice module I'll keep that in mind for future.

Just keep in mind like I said in an earlier post that installing the option resets the scope to the default state. Personally this would annoy me no end, so I read out the scope's setup first, install the code, then send it back to it.

[zibadun]

Nice module I'll keep that in mind for future.

Just keep in mind like I said in an earlier post that installing the option resets the scope to the default state. Personally this would annoy me no end, so I read out the scope's setup first, install the code, then send it back to it.

I saw your script Harvs which is what made me look for the tcp/ip version. Nice work.

I've  never even heard of  vxi-11 protocol until I looked at the ultra sigma scpi packets in wireshark.  What an obscure thing

[Harvs]

It may look obscure at first, but it's just a specific implementation of Remote Procedural Calls.

I've been looking for a Java implementation, but haven't really found anything great.  So I'm currently building the bare bones of the VXI11 in Java, because I'm building an Android tablet app for the scope.

[darrylp]

Okay just received a DS2072 not turned on yet, but rigols packing slip has June 4th 2013.
So in the UK they are fresh stock. Fingers crossed all features still available :-)

--
 Darryl

[marmad]

Okay just received a DS2072 not turned on yet, but rigols packing slip has June 4th 2013.
So in the UK they are fresh stock. Fingers crossed all features still available :-)

It will take awhile before any counter-measures Rigol may / may not do to prevent hacking would filter their way down to actual stock (or FW). I don't think it's anything any owner (or prospective owner) would have to even consider for a few months. This latest FW (release date: 28 June) would have been highly unlikely to change anything - since actions would have to be proposed, agreed upon, and then formally stated and passed on to coders.

[darrylp]

Okay just received a DS2072 not turned on yet, but rigols packing slip has June 4th 2013.
So in the UK they are fresh stock. Fingers crossed all features still available :-)

--
 Darryl

Its come with few.03

--
 Darryl

[gierig]

OK here my experience with the DSA9 on my ds2102.

applied with 03 firmware.  update to latest 01.01.00.02 firmware today.
I got still all the settings and functions that a 2202 should have (BW Filter, 2ns/div,)

have somebody already tested the hardware with the new Bandwith Settings ?
I there a Real Increase ? on the Analog AMP ?
Where is the real -3db point with this settings on ? My generators are only up to 20Mhz)









 

[gierig]

That looks more like a Compare between  un"modeled" Units. Or how i have to interpret it ?

[ve7xen]

have somebody already tested the hardware with the new Bandwith Settings ?
I there a Real Increase ? on the Analog AMP ?
Where is the real -3db point with this settings on ? My generators are only up to 20Mhz)

Yes, I verified it on an 'optioned' DS2072 in this post as being ~230MHz, which matches Wim13's chart nicely.

The frontend on these scopes is all the same. They are using the programmable filters in the LMH6518 PGA to achieve the bandwidth limiting. Given that I'm surprised to see a difference between DS2102 and DS2072 in Wim's charts, since the PGA doesn't offer a 70MHz filter.

Anyway the code works.

[darrylp]

Given that I'm surprised to see a difference between DS2102 and DS2072 in Wim's charts, since the PGA doesn't offer a 70MHz filter.

I've asked this before with no response, but could it be that these are the bandwidth settings in the LMH6518 for each model?

DS2072 --> 100
DS2102 --> 200
DS2202 --> 350

i'd say very much so.   remember thats the gain limit not  a filter cutoff freq.

the stock 100mhz ds2102 looks to get the most benefit from the three selectable gains above.  the 200mhz option starts hitting other limits in the front end.

--
 Darryl

[Nomen luni]

Quote from: gierig on Today at 04:49:13 AM

    That looks more like a Compare between  un"modeled" Units. Or how i have to interpret it ?

Well if you look at the line for the 2202, you can see the -3 dB point is at 225 Mhz
for the 2072 the -3 dB is at about 115 Mhz..etc...

To ask the question again.. is this a measurement of the hacked or stock DS2072 bandwidth, Wim13? Ve7xen seems to be confirming that the hack 2072 offers a true 200MHz bandwidth.

[gierig]

Thanks, so make it sense in my eyes.

[CodyShaw]

Can we please get a summary of what each hack in this thread does so far.

There is the FRAM hack - what CAN it enable?

There is the special key hack - what CAN it enable?  Is it permanent in some firmware revisions?

I agree, this would be great.

I ordered a 2072 a few weeks ago from TEquipment, and I have been looking forward to getting my hands dirty hacking it to bits. I saw some hardware hacks coming along when i checked a few weeks ago, this is just fantastic what seems to have popped up in no time.

Very excited! Maybe I can help once I get my scope!

[synapsis]

I'm sure someone at Rigol is following this thread: This thread made me purchase a DS2072 this morning. Being hackable is a major selling point when I'm looking for something. (I've been known to use Linksys WRT54GL routers as microcontrollers, etc...)

I ordered from TEquipment, but unfortunately it looks like I'll be waiting awhile. I was considering an Agilent 2000 and then saving up for the SPI/I2C ability I need later (for $500?!), but it looks like my first real DSO will be a Rigol.

I learn so much from this site, and appreciate everyone willing to share the information.

[CodyShaw]

I just read a few pages back about a few people ordering their scopes on June 26th-28th from TEquipment and already receiving a shipping number...

Not fair! I ordered mine on June 12, here's my status:

To Be Shipped
Estimated Ship Date: 07/02/2013
Note: In Warehouse, Pulled for Shipping

Lousy. This was a birthday gift for myself (June 2nd). Lucky bastards got theirs shipped first!

I also checked my shipping status a hour and a half ago... It said my estimated ship date was a week ago, yet it hadn't shipped. Sent them a message asking what was going on, and now it's been updated to a ship date of today..

[ve7xen]

Ve7xen seems to be confirming that the hack 2072 offers a true 200MHz bandwidth.

I did some slightly more rigorous measurement tonight. I unfortunately don't have a decent 50R thru to use with this scope, so I am using a cheap T and cheap 50R termination - they are dodgy and probably responsible for some of the rolloff. The signal is 100mV RMS per the generator.

[Bitstream]

I spent about an hour last night reading through the DS2000 hacks -very interesting and superb work by several people. 

I was going to update the software on my scope and try the license key hacks.  My current firmware is 00.00.01.00.02.  However, when I read the other version information, I noticed that my hardware is newer than what's been reported by others:

Model DS2072
Software =00.00.01.00.02
Hdw =1.1.0.0     <======================
FPGA version:
   SPU 03.01.02
   WPU 00.06.00
   CCU 12.29.00
   MCU 00.05

Others have reported V1.0.1.0 hardware.  Has anybody tried the firmware updates on the version 1.1.0.0 hardware?  Should I be worred it could brick my scope?  I did try all the license key hacks with th 00.00.01.00.02 software but none of them worked.  I'm hoping it's just due to the downlevel software but I'm a bit apprehensive of bricking the scope if the 00.00.01.00.05 and 00.01.00.00.03 firmware levels aren't compatible with the 1.1.0.0 hardware.

[cybernet]

sry, but its not that simple ;-)
try something like this but reversed.

Code: [Select]


unsigned char codemap_ee00d0[]={ 0x0, 0x0, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
                                 0x0, 0x0, 0x0,  0x0,  0x0,  0x0,  0x0,  0x0,  0x1,  0x2,
                                 0x3, 0x4, 0x5,  0x6,  0x7,  0x0,  0x8,  0x9,  0xa,  0xb,
                                 0xc, 0x0, 0xd,  0xe,  0xf,  0x10, 0x11, 0x12, 0x13, 0x14,
                                 0x15,0x16, 0x17 };

unsigned char codemap_20688e[]={ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,  /* 0-9 = 0x30 */
                                 0x37, 0x37, 0x37, 0x37, 0x37, 0x37 };                                                             /* A-F = 0x37 */

/*
** Encryption Routine 1
*/
unsigned char *lic_code_map(unsigned char *lic_skipped)
{
 unsigned char lv1,lv2;
 unsigned char b1_mapped, b1_shifted, b1_remapped;
 unsigned char b2_mapped, b2_shifted, b2_remapped;
 unsigned char b3_mapped, b3_shifted, b3_remapped;
 unsigned char b4_mapped, b4_shifted, b4_remapped;
 unsigned char b5_shifted, b5_remapped;
 unsigned char *lic_mapbytes;

 lic_mapbytes=calloc(28, 1);
 if (!lic_mapbytes) return(0);

 lv1=lv2=0;
 while(lv1 < strlen((unsigned char*)lic_skipped))
 {
    b1_mapped =  codemap_ee00d0[ *(lic_skipped+lv1) - 0x30 ];
    b1_shifted = (b1_mapped / 2) & 0xf;
    b1_remapped = b1_shifted + codemap_20688e[b1_shifted];
    lic_mapbytes[lv2++]=b1_remapped;
    b1_mapped = b1_mapped & 0x1;

    b2_mapped =  codemap_ee00d0[ *(lic_skipped+lv1+1) - 0x30 ];
    b2_shifted =  ((b1_mapped << 0x3) | (b2_mapped / 4)) & 0xF;
    b2_remapped = b2_shifted + codemap_20688e[b2_shifted];
    lic_mapbytes[lv2++]=b2_remapped;

    b3_mapped = codemap_ee00d0[ *(lic_skipped+lv1+2) - 0x30 ];
    b3_shifted = ((b3_mapped / 8) | ( (b2_mapped & 0x3) << 2 )) & 0xF;
    b3_remapped = b3_shifted + codemap_20688e[b3_shifted];
    lic_mapbytes[lv2++]=b3_remapped;

    b4_mapped = codemap_ee00d0[ *(lic_skipped+lv1+3) - 0x30 ];
    b4_shifted = ((b4_mapped / 16 ) |((b3_mapped & 0x7) << 0x1)) & 0xf;
    b4_remapped = b4_shifted + codemap_20688e[b4_shifted];
    lic_mapbytes[lv2++]=b4_remapped;

    b5_shifted = b4_mapped & 0xF;
    b5_remapped = b5_shifted + codemap_20688e[b5_shifted];
    lic_mapbytes[lv2++]=b5_remapped;

    lv1 = lv1 + 4;
  }
  return(lic_mapbytes);
}

anyway, all possible option codes have been tried by now, there no more hidden stuff thats reachable via this method.

[cybernet]

well if u say so ;-)

PDUY9N9-QTS9PQS-WPLAETR-D3UJHYA is a DSAH code,  permanently enabling first 3 options. - if it matches the right serial