Author Topic: DG4000 - a firmware investigation  (Read 207430 times)


cybernet (Topic starter)
DG4000 - a firmware investigation
« on: July 30, 2013, 09:15:44 pm »
Started dumping memory via JTAG on the DG4000 - no problems at all, exact same layout as the DS2000's JTAG - aux 3.3V can be stolen from the header next to it if needed for the JTAG adapter.
« Last Edit: July 30, 2013, 09:39:12 pm by cybernet »
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

cybernet (Topic starter)
Re: DG4000 - a firmware investigation
« Reply #1 on: August 06, 2013, 07:14:56 pm »
 

synapsis
Re: DG4000 - a firmware investigation
« Reply #2 on: August 06, 2013, 08:50:53 pm »
 :-+

Now that I'm finished working on my truck (10 days in the Arizona summer), maybe I can finally play with the DG4000.
 

cybernet (Topic starter)
Re: DG4000 - a firmware investigation
« Reply #3 on: August 17, 2013, 11:55:22 pm »
Unless this is already public knowledge: while looking for a way to change the model type, I stumbled over the secure code, which is "2010" - this will enable the Test/Cal submenu on the DG4062/FW 00.01.04.
 

Sparky
Re: DG4000 - a firmware investigation
« Reply #4 on: August 18, 2013, 12:30:38 am »
Here are links to DG4062 firmware (.GEL files), in case it is helpful to this effort :)

00.01.04.00.02 (date: 6/13/2012)

00.01.06.00.02 (date: 5/9/2013)

 

Corporate666
Re: DG4000 - a firmware investigation
« Reply #5 on: August 18, 2013, 12:59:59 am »
I'm getting excited!  :scared: :-/O
It's not always the most popular person who gets the job done.
 

jasonbrent
Re: DG4000 - a firmware investigation
« Reply #6 on: August 18, 2013, 01:17:59 am »
cybernet; thank you. Just in general, thank you. I appreciate you sharing the benefits of your curiosity.

-jbl
 

cybernet (Topic starter)
Re: DG4000 - a firmware investigation
« Reply #7 on: August 18, 2013, 01:26:56 am »
Quote from: Sparky on August 18, 2013, 12:30:38 am
Here are links to DG4062 firmware (.GEL files), in case it is helpful to this effort :)

00.01.04.00.02 (date: 6/13/2012)

00.01.06.00.02 (date: 5/9/2013)

thx
 

KedasProbe
Re: DG4000 - a firmware investigation
« Reply #8 on: August 18, 2013, 08:54:23 am »
No, I didn't know that, thanks! Good to know in case it's needed. :)
It works on my DG4102. (I have the same version, 00.01.06.00.02.)

The only extra thing I know so far (from this forum) was the extra version number info shown by pressing the first, third and fifth side buttons in the version screen.
« Last Edit: August 18, 2013, 10:02:22 am by KedasProbe »
Not everything that counts can be measured. Not everything that can be measured counts.
[W. Bruce Cameron]
 

cybernet (Topic starter)
Re: DG4000 - a firmware investigation
« Reply #9 on: August 27, 2013, 04:24:12 pm »
Anyone with a 200MHz DG4062?

This has been done with JTAG hackery, because I'm too lazy to reverse yet another piece of their crypto BS.
The way it works is that you place a file <something>.CEN which needs to contain a special header, and then some encrypted bits and pieces, which will then update the model type.
The message says it updated model type & serial - but I don't see that happening atm; it only gets passed the new model type - by forging the right jump and tweaking the arguments of the sub (e.g. string to new model type) a bit you can enable whatever you like - and yes, it sticks - I went for a DG4202 ;-) ... also tried a DG4162 - and there are more.

You need to have a JTAG adapter to do this, and you need to open the device.

Calibration is obviously off above 60MHz (Vpp; freq is fine) - time to play with the cal menu.

FW 0.4 models:
Code:
ROM:CB1924 aDg4052_0:      ascii "DG4052",0
ROM:CB192C aDg4062_5:      ascii "DG4062",0
ROM:CB1934 aDg4072_1:      ascii "DG4072",0
ROM:CB193C aDg4102_0:      ascii "DG4102",0
ROM:CB1944 aDg4162_0:      ascii "DG4162",0
ROM:CB194C aDg4072e_0:     ascii "DG4072E",0
ROM:CB1954 aDg4202_0:      ascii "DG4202",0
ROM:CB195C aDg4072a_0:     ascii "DG4072A",0
ROM:CB1964 aDg4102a_0:     ascii "DG4102A",0
ROM:CB196C aDg4162a_0:     ascii "DG4162A",0
ROM:CB1974 aDg4202a_0:     ascii "DG4202A",0
ROM:CB197C aDg4102e_0:     ascii "DG4102E",0

Did a FW upgrade to 0.6 afterwards; model type sticks :-+
« Last Edit: August 27, 2013, 08:36:47 pm by cybernet »
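As an added example (not code from the thread or from the Rigol firmware), here is the kind of scan used to recover a model-name table like the FW 0.4 listing above from a raw dump and to compare it against the stock names. The ROM image is constructed to mirror that listing; the base address 0xCB1924 is taken from its first line and the 8-byte slot layout is an assumption inferred from the listed addresses.

```python
import re

# Assumed ROM address of the first table entry, taken from the listing in the post above.
ROM_BASE = 0xCB1924

# Model names exactly as they appear in the FW 0.4 listing quoted above.
MODEL_NAMES = ["DG4052", "DG4062", "DG4072", "DG4102", "DG4162", "DG4072E",
               "DG4202", "DG4072A", "DG4102A", "DG4162A", "DG4202A", "DG4102E"]

# Offset of the table inside the constructed image (filler bytes placed before it).
TABLE_OFFSET = 0x40


def build_sample_rom() -> bytes:
    """Constructed stand-in for a firmware dump (not a real DG4000 image):
    filler bytes, then the model strings in fixed 8-byte NUL-padded slots."""
    blob = bytearray(b"\xff" * TABLE_OFFSET)
    for name in MODEL_NAMES:
        blob += name.encode("ascii").ljust(8, b"\x00")
    blob += b"\xff" * 0x20
    return bytes(blob)


def find_model_table(image: bytes, load_base: int = 0) -> list:
    """Return (address, name) for every NUL-terminated DG4xxx[suffix] string,
    mapping file offsets to ROM addresses via load_base."""
    pattern = re.compile(rb"DG4\d{3}[A-Z]?\x00")
    return [(load_base + m.start(), m.group()[:-1].decode("ascii"))
            for m in pattern.finditer(image)]


def table_stride(entries: list) -> list:
    """Distinct distances between consecutive entries; a single value means
    the strings sit in a fixed-width table rather than loose in .rodata."""
    return sorted({b[0] - a[0] for a, b in zip(entries, entries[1:])})


def diff_against_known(entries: list) -> list:
    """Names present in the dump that are not in the reference list, which is
    a quick check of whether a dump's table still matches the stock firmware."""
    known = set(MODEL_NAMES)
    return [name for _, name in entries if name not in known]


if __name__ == "__main__":
    rom = build_sample_rom()
    # The load base is recovered from one known address: ROM_BASE minus file offset.
    base = ROM_BASE - TABLE_OFFSET
    for addr, name in find_model_table(rom, base):
        print(f"ROM:{addr:X} {name}")
    print("stride:", table_stride(find_model_table(rom, base)))
```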
 

KedasProbe
Re: DG4000 - a firmware investigation
« Reply #10 on: August 27, 2013, 05:16:33 pm »
Were you also able to measure if the rise/fall time changed after you changed your 60MHz to 160/200MHz?
 

synapsis
Re: DG4000 - a firmware investigation
« Reply #11 on: August 27, 2013, 06:00:59 pm »
If it takes the information from a file you provide, it sounds like it could be possible to update the model through a hidden menu with a crypto-signed file on a USB stick. (I don't know, I haven't looked through the firmware.)
 

cybernet (Topic starter)
Re: DG4000 - a firmware investigation
« Reply #12 on: August 27, 2013, 06:01:29 pm »
Quote from: KedasProbe on August 27, 2013, 05:16:33 pm
Were you also able to measure if the rise/fall time changed after you changed your 60MHz to 160/200MHz?

Only got my DS2062, erm, 2202 ;-) - sine wave looks good, but amplitude drops after 60MHz. I played with the cal thingy, and probably need some true RMS voltmeter to correct it.
The way it works is that you go over the items one by one and input the measured values, then save the results ... "LOAD" is the one that's for the output regulation.

For me it's not super important, because I'm more after quick arb and rect than sine stuff ..
 

cybernet (Topic starter)
Re: DG4000 - a firmware investigation
« Reply #13 on: August 27, 2013, 06:02:16 pm »
Quote from: synapsis on August 27, 2013, 06:00:59 pm
If it takes the information from a file you provide, it sounds like it could be possible to update the model through a hidden menu with a crypto-signed file on a USB stick. (I don't know, I haven't looked through the firmware.)

True, you can do that - and you can add calibrations, and it seems you can even replace the built-in arb tables ;-)
 

synapsis
Re: DG4000 - a firmware investigation
« Reply #14 on: August 27, 2013, 06:25:01 pm »
Once I get time to play with my DG4000, I can put it on my HP 5335A 200MHz counter (with rubidium reference) to check rise/fall/amplitude.
 

cybernet (Topic starter)
Re: DG4000 - a firmware investigation
« Reply #15 on: August 27, 2013, 07:30:20 pm »
Quote from: synapsis on August 27, 2013, 06:25:01 pm
Once I get time to play with my DG4000, I can put it on my HP 5335A 200MHz counter (with rubidium reference) to check rise/fall/amplitude.

PM3082 (CRO) and DS2 show slightly below 5ns rise time/fall time for a 50MHz square wave.
 

JuanPC (Guest)
Re: DG4000 - a firmware investigation
« Reply #16 on: August 28, 2013, 01:43:20 am »
I'm not a Rigol fan, but couldn't help noticing that the FW is 9.7MB?

the Instek GDS-3352 is 18MB.

Bananas vs. Apples jajajaja  :-DD
 

jsykes
Re: DG4000 - a firmware investigation
« Reply #17 on: August 28, 2013, 01:55:09 am »
Quote from: cybernet on August 27, 2013, 07:30:20 pm
Quote from: synapsis on August 27, 2013, 06:25:01 pm
Once I get time to play with my DG4000, I can put it on my HP 5335A 200MHz counter (with rubidium reference) to check rise/fall/amplitude.

PM3082 (CRO) and DS2 show slightly below 5ns rise time/fall time for a 50MHz square wave.

Will your "DG4202" go a bit higher in frequency limit than the 4162 in the square (50MHz), ramp (4MHz), pulse (40MHz) and harmonic (80MHz) modes?
 

cybernet (Topic starter)
Re: DG4000 - a firmware investigation
« Reply #18 on: August 28, 2013, 02:02:21 am »
Quote from: jsykes on August 28, 2013, 01:55:09 am
Will your "DG4202" go a bit higher in frequency limit than the 4162 in the square (50MHz), ramp (4MHz), pulse (40MHz) and harmonic (80MHz) modes?

My DG4202:

sine: 200M
square: 50M
ramp: 5M
pulse: 50M
harmonic: 100M
arb: 50M

vs DG4162 (acc. Batronix homepage):

sine: 160M
square: 50M
pulse: 40M
ramp: 4M
harmonic: 80M
arb: 40M

So it's an improvement, I'd say >:D

The model set routine copies a ton of values to non-volatile memory; that determines the limits. Manual tweaking is probably doable to increase it even further, but I lack the equipment to judge what's then output in terms of quality :-//
« Last Edit: August 28, 2013, 02:45:05 pm by cybernet »
 

Rigby
Re: DG4000 - a firmware investigation
« Reply #19 on: August 28, 2013, 02:19:24 pm »
Gee whiz, that's amazing. Nicely done.
 

Uup
Re: DG4000 - a firmware investigation
« Reply #20 on: August 29, 2013, 07:36:16 am »
Nice work Cybernet!   :-+

Attached is the latest firmware (00.01.07.00.03)
 

cybernet (Topic starter)
Re: DG4000 - a firmware investigation
« Reply #21 on: August 29, 2013, 09:51:47 am »
Quote from: Uup on August 29, 2013, 07:36:16 am
Nice work Cybernet!   :-+

Attached is the latest firmware (00.01.07.00.03)

Thx (yet another update, wow) - if someone is willing to look into the algo and how to reverse it, let me know via PM. My holidays are over, so I've got to do some real work the next weeks ;/
 

KedasProbe
Re: DG4000 - a firmware investigation
« Reply #22 on: August 29, 2013, 04:05:20 pm »
Quote from: Uup on August 29, 2013, 07:36:16 am
Nice work Cybernet!   :-+

Attached is the latest firmware (00.01.07.00.03)

This file gives an error when trying to extract? (Only empty folders.)
Edit: it does work with 7-Zip, not with WinRAR or the Windows 7 zip. Thanks for sharing.
« Last Edit: August 29, 2013, 06:11:58 pm by KedasProbe »
 

echen1024
Hacking Rigol 4000
« Reply #23 on: September 02, 2013, 02:34:59 am »
So, I have decided to purchase the Rigol DG4062, and would like to know if it is hackable up to the 4102/4162.

Thanks.
I'm not saying we should kill all stupid people. I'm just saying that we should remove all product safety labels and let natural selection do its work.

https://www.youtube.com/user/echen1024
 

BravoV
Re: Hacking Rigol 4000
« Reply #24 on: September 02, 2013, 02:48:55 am »
I guess it would be much better if you joined the huge thread Sniffing the Rigol's internal I2C bus; be prepared to crack open your scope, dump the firmware and post it there too. Hopefully it will get "fixed" sooner that way rather than by posting another new thread solely for you.

Just a suggestion.  :-//
