I've done some playing around with my DP712. Slurped the main firmware image off the SPI flash chip inside before and after the trial ran out. Unfortunately the license data is actually stored on an FRAM chip that I missed the first time I took it apart.
For anyone searching, I posted earlier in the year on the wrong thread about dumping the firmware of the DP711/DP712, and have had a few attempts at reverse engineering it to figure out how to generate license keys to unlock options without the intrusive FRAM hack.
I'm currently stuck on figuring out the memory layout in order to relate addresses in the code to actual data. I haven't worked a whole lot with assembly, and never with 8051 / MCS-51 before. In case anyone wants to take a look at this, here's everything I know so far. DM me if you want a copy of the dump.
Target
The manual for the DP711 states that the following serial command can be used to unlock the device instead of the keypad/UI:
LIC:SET <keyWithoutDashes>
This seems like the most promising lead to find the licence key algorithm without needing to go through all of the UI related code.
Hardware info
The digital board in the DP711 has a CME-M5 FPGA + 8051 combo chip, an IS42/45S81600F 128Mbit DRAM, and stores its firmware on a Winbond W25Q128FVSG 128Mbit SPI flash.
- CME-M5 datasheet: http://www.capital-micro.com/PDF/CME-M5_Family_FPGA_Data_Sheet_EN060418.pdf
- 128Mbit DRAM datasheet: http://www.issi.com/WW/pdf/42-45S81600F-16800F.pdf
- 128Mbit SPI Flash datasheet: https://www.pjrc.com/teensy/W25Q128FV.pdf
The full FPGA/8051 chip model is CME-M5C06N0. It only supports the Keil C51 compiler for the 8051 side of the processor. This variant of the chip has no internal flash, which is why the SPI flash is (conveniently) present.
The 8051 side of the FPGA is documented as a R8051XC2 IP core. This uses a "MCS-51 compatible" instruction set, but has many more peripherals than a generic 8051.
- IP Core: https://ip.cadence.com/uploads/450/cdn-dsd-sys-r8051xc2-ip-pdf
Notes from datasheets
The CME-M5 has 128K of SRAM accessible by the 8051 MCU. The MCU can use an extended memory mode, accessing the FPGA fabric. I'm unsure if this is used:
--- 0x07FFFFF
|
| FP "Fabric" Expand
|
--- 0x020000
--- 0x01FFFF
|
| 128K SRAM
|
--- 0x0
The datasheet suggests that FPGA images are about 0x30000 bytes.
Observations
The flash chip is read from address 0x0 at power on after a few flash configuration commands, then at 0x091000 a short while later. The latter address appears to be 8051 assembly. This lines up with what the datasheet suggests.
The FPGA bitstream is likely encrypted, but it does not appear relevant to reversing a license key. The datasheet does not indicate that the MCU code can be encrypted like the bitstream can be.
There are two copies of system settings at 0xCE000 and 0xCE800. About 690 bytes are read from here when entering and exiting the System menu, and when hitting the Timer key. The two strings at the start of this settings data are the calibration date and calibration screen password.
Addresses of interest
Visualization of the flash dump attached. One of the FPGA bitstreams is probably the IP core for the MCU, with the other one being Rigol's own bitstream, assuming they're actually using the FPGA portion of the chip rather than using it purely as a microcontroller.
Bootloader / FPGA core: 0x0
Firmware: 0x091000
The 8051 firmware appears to be split into 4 x 32K sections, identifiable by blocks of NOPs padding at 32K boundaries. This aligns with the 128K of code/data SRAM stated in the datasheet. The sections are:
- 0x91000 to 0x98FFF
- 0x99000 to 0xA0FFF
- 0xA1000 to 0xA8FFF
- 0xA9000 to 0xB0FFF
From 0xB1000 there are about 1582 bytes that look like instructions (visually similar to the other 4 sections above, but they don't fit into the above blocks).
After this, the SPI flash appears to be used for persistent storage of settings. This has been verified using a logic analyzer with the DP711 turned on and using the System and Memory functions to change/save settings.
Two copies of system settings at:
- 0xCE000
- 0xCE800
Some user settings (Memory button) at: 0x100000
- These appear to be 33 bytes long
- Start with 0x01 when set, otherwise 0x0
- Appears to reference the blocks below (quite spaced out)
Interesting data addresses:
- Device serial number at 0x0ca000
- Serial command strings near 0x0cf000
- Help text near 0x0d2000
- Licensing related text near 0x0d6000
The LIC:SET serial command might lead quickly to the key. "LIC" appears near other serial command strings at 0x0d025e.
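Added example (my own helper, not from the post or from Rigol): a small Python script that applies the layout above to a raw SPI flash dump. It walks the 32K boundaries from 0x91000 looking for the NOP padding that marks the end of each code section, maps a flash offset to the MCU's 128K SRAM address, and diffs the two settings copies at 0xCE000/0xCE800. The dump it runs on is a constructed stand-in; the 16-byte minimum padding run is an assumption, and the 690-byte settings length is taken from the post.

```python
FIRMWARE_BASE = 0x91000   # flash offset of the first 8051 code byte (from the post)
SECTION = 0x8000          # 32K code sections
SRAM_SIZE = 0x20000       # 128K code/data SRAM per the CME-M5 datasheet
SETTINGS_A, SETTINGS_B, SETTINGS_LEN = 0xCE000, 0xCE800, 690
NOP = 0x00                # MCS-51 NOP opcode used as padding


def code_sections(image, base=FIRMWARE_BASE, min_pad=16):
    """Walk 32K boundaries from `base`; a section counts only if it ends in a NOP run.
    Returns (start, end, padding_length) per section, inclusive end like the post."""
    sections = []
    for k in range(SRAM_SIZE // SECTION):
        start, end = base + k * SECTION, base + (k + 1) * SECTION
        if end > len(image):
            break
        pad = 0
        while pad < SECTION and image[end - 1 - pad] == NOP:
            pad += 1
        if pad < min_pad:          # no padding block: past the last real section
            break
        sections.append((start, end - 1, pad))
    return sections


def flash_to_sram(offset):
    """Map a flash offset inside the firmware window to the 8051's SRAM address."""
    rel = offset - FIRMWARE_BASE
    if not 0 <= rel < SRAM_SIZE:
        raise ValueError(f"0x{offset:X} is outside the 128K firmware window")
    return rel


def settings_diff(image):
    """Offsets (relative to block start) where the two settings copies differ."""
    a = image[SETTINGS_A:SETTINGS_A + SETTINGS_LEN]
    b = image[SETTINGS_B:SETTINGS_B + SETTINGS_LEN]
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def build_sample_image():
    """Constructed stand-in for a real dump: erased flash (0xFF) plus the regions above."""
    img = bytearray(b"\xff" * 0xD0000)
    for k in range(4):                      # four 32K sections, each NOP-padded at the end
        start = FIRMWARE_BASE + k * SECTION
        body = SECTION - 0x100 * (k + 1)    # different padding length per section
        img[start:start + body] = bytes([0x02, 0x12, 0x34] * (body // 3 + 1))[:body]
        img[start + body:start + SECTION] = bytes(SECTION - body)
    cfg = (bytes(range(256)) * 3)[:SETTINGS_LEN]
    img[SETTINGS_A:SETTINGS_A + SETTINGS_LEN] = cfg
    img[SETTINGS_B:SETTINGS_B + SETTINGS_LEN] = cfg
    img[SETTINGS_B + 5] ^= 0xFF             # simulate two bytes changed in the second copy
    img[SETTINGS_B + 400] ^= 0x01
    return bytes(img)
```

On a real dump, replace build_sample_image() with the bytes read from the W25Q128FV image and check that code_sections() reports the same four ranges listed above.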