Rigol DS10xxZ firmware re-write

[hexreader]

Question: Is it necessary to reprogram the FPGA in the initial phase? Can't you leave the FPGA as-is and just work on the main firmware?

I was thinking that I might output a square wave on each FPGA output to help me trace the wiring - since I cannot get to BGA pins.

Where is the main firmware stored?   ...  and what device is firmware run on please?

Many thanks for the help with my understanding, which is improving steadily.

By the way.....   I have no illusions of writing new scope software - I am simply learning, experimenting and having fun. Sorry to disappoint 

[Rerouter]

Out of curiosity, could you not toggle the pins through a normal jtag boundary scan? rather than trying to re flash it? it would only need to be 2-3Hz

[hexreader]

Out of curiosity, could you not toggle the pins through a normal jtag boundary scan? rather than trying to re flash it? it would only need to be 2-3Hz

No idea.....

Seems you know far more than I do 

Tell me what to do and I will give it a go...

I am just a hobby programmer with a lot of enthusiasm and spare time, but limited knowledge and skill.

Where is the main firmware stored?   ...  and what device is firmware run on please?     .... many thanks, hexreader

[Fungus]

You could start by watching this:

[hexreader]

Got it - thanks

Looks like there is another dev board to buy and a tool-chain to download.

This is a seriously big task

[dorin]

First of all, I'd like to applaud this initiative, as any ambitious open source project. 
Now, I don't know if someone mentioned this already but before embarking on such a bold journey I think it's good to understand all its aspects such as to prevent bitter disappointment.

Designing good software for an oscilloscope is more complex than designing good hardware. Listen to Siglent CEO answer to Dave's question at 03:23 :
https://youtu.be/v9M397sUkEA?t=3m23s

[mikeselectricstuff]

Out of curiosity, could you not toggle the pins through a normal jtag boundary scan? rather than trying to re flash it? it would only need to be 2-3Hz

FPGA code is held externally, so you can load a new bitstream over JTAG for reversing which only lasts until power cycle

[hexreader]

FPGA code is held externally, so you can load a new bitstream over JTAG for reversing which only lasts until power cycle

Thanks, that works great on dev board, so presumably it will work just as well on scope.

I think I will wait until I have a SPI flash image before trying it though - just to be doubly sure.

Progress is slow, but headed the right way....

[mikeselectricstuff]

FPGA code is held externally, so you can load a new bitstream over JTAG for reversing which only lasts until power cycle

Thanks, that works great on dev board, so presumably it will work just as well on scope.

I think I will wait until I have a SPI flash image before trying it though - just to be doubly sure.

Progress is slow, but headed the right way....

Doing an SRAM download won't affect anything

[theorbtwo]

Hello, folks!
I've recently got a ds1054z, and have been poking in the firmware in IDA, and researching what tidbits of useful information have been posted already.  My file full of random notes can be seen at https://github.com/theorbtwo/rigol-ds1000z-stuff/blob/master/info.  A dump of the SCPI command table, along with a bit of code to expand out the tree and attempt to find the command in the documentation, is at https://github.com/theorbtwo/rigol-ds1000z-stuff/blob/master/commands.pl, and finally the output of that script is at https://github.com/theorbtwo/rigol-ds1000z-stuff/blob/master/commands3.txt, along with a (very small) amount of notes from reverse-engineering the firmware inline.  Undocumented commands are marked with a leading "!".  Particularly intersting-looking ones include :vendor:configure (and ?), :system:udevice (and ?), :system:flash:write, :system:information?, :test:{progress,lower,upper,mode,operate}?, with non-? versions of mode and operate, :calibrate:output? and :calibrate:lfstart.

Pull requests for information I've missed *very* welcome.  Replies to this post with information I have missed are also welcome.  Information on how to share my work in IDA without putting myself out on a limb legally *very* welcome.  Ideas on what I should be looking for also welcome.

[ivi_yak]

hi, i have bricked rigol ds1302 and i am want to test your firmware. How i can upload firmware to oscill ?

[zl2wrw]

[SNIP] Information on how to share my work in IDA without putting myself out on a limb legally *very* welcome.  [SNIP]

I'll admit that I haven't used IDA (but I am aware of what it is and what it does).

I am not an IP lawyer, but what about distributing the delta between your commented, reverse engineered IDA file and a plain IDA file of the firmware that anyone can easily produce from their own 'scope? 

That way you would not be distributing Rigol's copyrighted code, merely a file which contains your comments etc and (machine readable) information on where to insert it into a locally generated file which already contains Rigol's code. Persons using your diff would of course have to obtain their own dump of the same firmware version that you used.


Another approach (which works for people without IDA licenses) is to distribute a symbol table of memory addresses and what you think they are used for (variables, subroutines, interrupt handlers, etc), which someone can then use to understand locally produced disassembly of the copyrighted code (again, you do not distribute Rigol's code, just a list of what addresses do what).

[DC1MC]

Hello everybody, I'm resurrecting this dead thread to ask for your help, I've got somehow a (semi)defective Rigol DS1104Z main board and I would like to reactivate it just for fun.
this being the most "low-level" thread that I could found, I want to ask for your help regarding the LCD connector (pinout) and eventually finding a compatible LCD, plus the same for the power-supply.
Also if there are some schematics and in the end if somebody has a bricked device and wants to part of front panel, power/supply and case, pleas ePM me.

 Thanks,
 DC1MC
 

[Datman]

This topic is about a new firmware. Please open a thread in Repair.

[RoGeorge]

Thank you all for sharing the work.

Here's a random dump of things that need to be done (and with an estimation of difficulty), non-exhaustive of course.

• S: Figure out JTAG port to Xilinx FPGA pinout (Thank you, JJalling! https://www.eevblog.com/forum/projects/rigol-ds10xxz-firmware-re-write/msg1195497/#msg1195497)
• S: document findings in more details (frontpanel, IO, ...) in a public wiki
• S: find a better serial port for debug spew than the frontpanel IO
• M: Figure out connections between FPGA and iMX
• M: figure out existing iMX<>FPGA protocotol
• M: reverse input stage (analog stage etc., similar to what has been done for other scopes) Done, thanks Dave and Ink (https://www.eevblog.com/forum/projects/rigol-ds10xxz-firmware-re-write/msg1202261/#msg1202261)
• M: figure out, and reverse, role of the Actel FPGA
• M: figure out FPGA pinout to ADC
• M: figure out FPGA to memory pinout
• M: figure out how to easily (i.e. without risk to brick the thing) run custom code without opening the case
• L: reverse full scope PCB to schematics
• L: write host demo code to interface with existing FPGA and drive basic scope functionality
• L: re-implement FPGA firmware
• XL: architect and implement a "scope application"

Awesome news:
konnor found a way for running custom code (plugins) without opening the case: https://www.eevblog.com/forum/testgear/rigol-ds1000z-firmware-patch-plugins/