Rigol MSO2000 series hacking

[Slappy_g]

[EDIT: I have added a detailed step-by-step guide further down on page 5.]

I did some searching and found conflicting information on this...

I was about to order an MSO2102A-S (the 100MHz version with the built-in signal generator).

Do any of the DS2000A hacks also work for the MSO2000A series, or am I SOL on attempting to unlock some options?  I honestly care less about the bandwidth as I do the extra memory buffer and advanced triggering options.  I could survive without the rest.

Has anyone had success with applying the DS2000A hacks on the MSO2000A machines?  Many thanks...

[MarcelM]

Yes,
I have successfully "upgraded" my MSO2072A using the rigup published here.
Just be aware that the latest non-downgradeable firmware version requires that you go the JTAG memory dump route described in the megathread about sniffing...
The added piece of mind (for me at least) is that I didn't have to muck about downgrading/upgrading any firmware, potentially bricking my new MSO.
Since I only entered the generated keys, the upgrades should stay intact after future upgrades.

I am completely happy with my fully unlocked 200MHz MSO2072A
(I initially went for the 300MHz, but decided against it for signal fidelity reasons)
Also, accurately probing a real 300MHz signal isn't trivial...

YMMV,

best of luck with your new MSO

Marcel

[Slappy_g]

Yes,
I have successfully "upgraded" my MSO2072A using the rigup published here.
Just be aware that the latest non-downgradeable firmware version requires that you go the JTAG memory dump route described in the megathread about sniffing...
The added piece of mind (for me at least) is that I didn't have to muck about downgrading/upgrading any firmware, potentially bricking my new MSO.
Since I only entered the generated keys, the upgrades should stay intact after future upgrades.

I am completely happy with my fully unlocked 200MHz MSO2072A
(I initially went for the 300MHz, but decided against it for signal fidelity reasons)
Also, accurately probing a real 300MHz signal isn't trivial...

YMMV,

best of luck with your new MSO

Marcel

Marcel,

Many thanks for your response. Never messed with JTAG connections before so I guess that will be a learning process for me.

Have you seen any reports of the signal generator function having any effect on the unlocking/upgrading process? If not, then I may order the 70MHz version versus the 100MHz version I was planning to get.

Sent from my SM-N900T using Tapatalk

[benjamin125]

Yes,
I have successfully "upgraded" my MSO2072A using the rigup published here.
Just be aware that the latest non-downgradeable firmware version requires that you go the JTAG memory dump route described in the megathread about sniffing...
The added piece of mind (for me at least) is that I didn't have to muck about downgrading/upgrading any firmware, potentially bricking my new MSO.
Since I only entered the generated keys, the upgrades should stay intact after future upgrades.

I am completely happy with my fully unlocked 200MHz MSO2072A
(I initially went for the 300MHz, but decided against it for signal fidelity reasons)
Also, accurately probing a real 300MHz signal isn't trivial...

YMMV,

best of luck with your new MSO

Marcel

Hi
Can you add the link  you did successfully hack your MSO2072A?
thank you !

[mscreations]

Yes,
I have successfully "upgraded" my MSO2072A using the rigup published here.
Just be aware that the latest non-downgradeable firmware version requires that you go the JTAG memory dump route described in the megathread about sniffing...
The added piece of mind (for me at least) is that I didn't have to muck about downgrading/upgrading any firmware, potentially bricking my new MSO.
Since I only entered the generated keys, the upgrades should stay intact after future upgrades.

I am completely happy with my fully unlocked 200MHz MSO2072A
(I initially went for the 300MHz, but decided against it for signal fidelity reasons)
Also, accurately probing a real 300MHz signal isn't trivial...

YMMV,

best of luck with your new MSO

Marcel

Marcel,

After performing the JTAG memory dump, what commands and options did you use with the rigup tool? Did you have to have anyone extract the keys from your dump file or did the tool do that automatically? What were the valid option codes for the MSO2000 series? Were they the same as for the DS2000 series?

Thanks! 

Jon

[PepeK]

Hi all,

I have just bought the MSO 2072 A,   SW  00.03.00.SP1,   HW  2.2.
Can somebody confirm that the link http://www.gotroot.ca/rigol/DS2000-03_00_01_03.7z" is the exact copy of the latest official firmware  00.03.00.SP1 ?
My plan is to try unlock all features + increase bandwidth but before doing it it would be nice to have some backup file as a safe point where to return.

Thank you. Peter.

[pascal_sweden]

Do you really need to open the scope and take a memory dump using the JTAG adapter?

I have read about the riglol tool which will generate a key simply based on the serial number of your scope. Or does this riglol tool only work for the DS series and not for the MSO series?

I am looking for confirmation if riglol tool which just requires serial number, also works for the MSO1074Z and MSO2072A series of scopes.

Can anyone out there confirm that he has successfully upgraded his MSO1074Z or MSO2072A series WITHOUT opening up his scope?

[mscreations]

After reading the entire "monster" thread (yes really...), I'm pretty sure that you do have to open it up. You need to get the key for the specific unit to make it work. On the DS2000 series, they have the patched firmware that allows them to easily get the keys, but that firmware was v.2 if i remember and v.3 is when the MSO was added. Not sure whether it'd be a good idea to flash that firmware to an MSO just to get the keys.

But at this point for me, it is still theoretical (at least for a little bit). I finally saved up enough to order mine tomorrow so here's to hoping for quick shipping! And then on to some hacking.

[milek22]

After reading the entire "monster" thread (yes really...), I'm pretty sure that you do have to open it up. You need to get the key for the specific unit to make it work. On the DS2000 series, they have the patched firmware that allows them to easily get the keys, but that firmware was v.2 if i remember and v.3 is when the MSO was added. Not sure whether it'd be a good idea to flash that firmware to an MSO just to get the keys.

But at this point for me, it is still theoretical (at least for a little bit). I finally saved up enough to order mine tomorrow so here's to hoping for quick shipping! And then on to some hacking.

I need help:
1 How to update MSO2072A to the full version without opening the oscilloscope?
2 Is there a FW update?
3.How to uzysk? HEX file and the key?
4 My SW 03 and HW 2.2
5 Which patched file .GEL the DS2000 can test?
thank you very much

[PepeK]

To Milek22 :

1 How to update MSO2072A to the full version without opening the oscilloscope?
As you have SW version 3 and HW version 2.2 it is not possible. Other people tried, the scope refuses a firmware downgrade.
Maybe a solution is to change a header of the 2.0 GEL to pretend it is 3.0.

2 Is there a FW update?
You have the latest firmware, in the future you can upgrade if Rigol releases a new GEL file.

5 Which patched file .GEL the DS2000 can test?
You can try http://gotroot.ca/rigol/DS2000(DSP)update_00.02.01.00.03%20(patched).zip but do not expect it works - see point 1.

[milek22]

To Milek22 :

1 How to update MSO2072A to the full version without opening the oscilloscope?
As you have SW version 3 and HW version 2.2 it is not possible. Other people tried, the scope refuses a firmware downgrade.
Maybe a solution is to change a header of the 2.0 GEL to pretend it is 3.0.

2 Is there a FW update?
You have the latest firmware, in the future you can upgrade if Rigol releases a new GEL file.

5 Which patched file .GEL the DS2000 can test?
You can try http://gotroot.ca/rigol/DS2000(DSP)update_00.02.01.00.03%20(patched).zip but do not expect it works - see point 1.

5 I did not read it but then the file .GEL
2 posts above colleague writes about the patched version of the DS2000 but without success.
This leaves us waiting for? new .GEL
3. How to run a generator "rigup-04"
best regards and thanks

[milek22]

Yes,
I have successfully "upgraded" my MSO2072A using the rigup published here.
Just be aware that the latest non-downgradeable firmware version requires that you go the JTAG memory dump route described in the megathread about sniffing...
The added piece of mind (for me at least) is that I didn't have to muck about downgrading/upgrading any firmware, potentially bricking my new MSO.
Since I only entered the generated keys, the upgrades should stay intact after future upgrades.

I am completely happy with my fully unlocked 200MHz MSO2072A
(I initially went for the 300MHz, but decided against it for signal fidelity reasons)
Also, accurately probing a real 300MHz signal isn't trivial...

YMMV,

best of luck with your new MSO

Marcel

I ask for a link, step by step how to unlock MSO2072A by JTAG?
thanks

[pascal_sweden]

The proposal to change the header of the firmware to make it think that it is newer firmware sounds promising.

Could anyone try this out?

I am looking for hack that works without opening up the scope. This counts for both the MSO2072A and the MSO1074Z.

With a bit of effort, it should be possible to come up with such a hack, that works without opening up the scope.
The whole Rigol community will benefit from this, as the majority of the people are not keen in opening up their scopes.

[mscreations]

As soon as I get my JTAG programmer I'm going to give it a try. I'll make a step by step after getting it working.

As for modifying the firmware I'd love to tackle that bit I don't have any clue where to start.

[PepeK]

Do not be afraid of opening the scope - I have done it today. It is not a problem to remove the warranty sticker without destroying it. Simply use some small piece of a waxed / oiled paper (for example a paper for laser printer stickers) and do some "saw type" movement. There is also a video on the youtube showing how to do it. My sticker has been removed completely and waits on a waxed paper in a bag for a case of a warranty repair - see photo.

Think : what do you prefer ? Install a hacked firmware where nobody can be 100% sure if is compatible with a current release of hardware or remove one stupid sticker for using the JTAG adapter and have serials numbers which you simply enter via Ultra sigma ?

[PepeK]

It is easy to open the scope : you need a Torx 10 screwdriver and a number 14 wrench.
Opening the scope is also a good opportunity to replace that ugly noisy fan with a silent one. According the datasheet it is about 35 dB and for 5 euros you can buy a 17 dB version. When my JTAG adapter arrive from China, I will inform you about the details.

1. Remove the four screws keeping the back panel - two are visible and two are hidden under the handle (adjust it to 45 degree angle) - see photos.
2. Remove the nut of the BNC connector using a wrench number 14.
3. Remove the 8 screws (4 at the top + 4 at the bottom) holding a shielding together.
4. Congratulations, you scope is now naked as Rigol created it 

There is a four pin connector having a "strong" 3.3 Volts, be careful, the voltage is here also when the scope is off (it is maybe a stand-by voltage). All pins are marked, use the Vcc. The JTAG from Blackin chip is also clearly visible. Do not use "weak" 3.3V from the JTAG connector.

[WesleyK]

Thanks, great pictures! Will surely be of help when I upgrade mine. Can you also tell something about the hack itself? Did you use windows or linux? If you used Windows, can you tell us something about the required steps as most info is based on hacking using a Linux system.

[PepeK]

Thanks, great pictures! Will surely be of help when I upgrade mine. Can you also tell something about the hack itself? Did you use windows or linux? If you used Windows, can you tell us something about the required steps as most info is based on hacking using a Linux system.

I do not have the JTAG adapter now - I am waiting for it to be delivered from China (cheap Altera USB blaster clone for approx 6 euro - there in no reason to buy Olimex for 55 euro) ... The plan is to use Linux, it is easy to create a bootable USB key with Ubuntu. The advantage is, a new operating system is not installed physically, it only runs from RAM. A dump file can be saved to any Windows disk drive, Ubuntu maps them without any problem. This is my first Linux experience, it is not complicated, everything is GUI based and all drivers are loaded automatically.

[milek22]

Thanks gentlemen.
Of course, the whole community formum will not open the oscilloscope.
First Colleague Pepek - on your photo pcb writes DS2000?
2 Do looks the same pcb board MSO 2072? I am your scobe jescze not opened.
3 Is the JTAG as below can be taken?


4 How to do it under Linux?
5 What are the commands you need to type?
Waiting for a description of how to do it step by step through JTAG.
Thank you

1 Support 1.5V, 1.8V, 2.5V, 3.5V and 5.0V.

2nd Support all ALTERA products: CPLD (MAX3000A, MAX7000 devices, MAX9000 and MAX II); FPGA (Stratix, StratixII, Cyclone, CYCLONEII, ACEX 1K, and FLEX 10K APEX20K); Active serial configuration device (EPCS1, EPCS4, EPCS16)

---- Now we have tested chip using this tool is: Cyclone (EP1C3, EP1C6, EP1C12, EP1C20); Cyclone II (EP2C5, EP2C8, EP2C35); Stratix (EP1S10, EP1S20, EP1S25); Stratix II (EP2S60); FLEX10K (EPF10K10, EPF0K30); ACEX1K (EP1K30); MAX7000 (MAX7128SLC84, MAX7128); AETC100 (MAX3000, MAX3128); MAXII (MAXII240, MAXII570, MAXII1270); EPCS (EPCS1, EPCS4, EPCS16); EPC (EPC1, EPC4)

3 Support AS, PS and JTAG program (with Verify and Bank Check function).

---- When we tested the chip above, the use of the different program mode: JTAG (Cyclone, CYCLONEII, Stratix II, Flex10K, Acex1K, MAX7000 and MAX3000A); AS (EPCS1, EPCS4, EPCS16); PS (Stratix, Stratix GX)

4 Support embedded logic analyzer function of SignalTapII

5 Support NIOS II communication and debugger - When you use it to debug your Black Gold, it will not pop-up warning

6 Faster - about 6 times than ByteblasterII

7 USB interface! - You do not need a PC with serial port now

8 100% compatible with Official ALTERA USB Blaster

[PepeK]

My scope is MSO 2072 A, SW : 3.0.SP1 and HW 2.2. There is no difference between DS 2072 A and MSO 2072 A  from the JTAG connector and memory dump point of view.
According to older posts here, the Altera USB blaster can be used - I have ordered exactly the same. I will add detailed instructions plus photos - delivery of USB blaster is expected in 2-3 weeks.

[Mark_O]

I am looking for hack that works without opening up the scope. This counts for both the MSO2072A and the MSO1074Z.

Yes, we know that.

With a bit of effort, it should be possible to come up with such a hack, that works without opening up the scope.

That is excellent news!  Please let us all know when you have it ready.    

Oh, sorry.  You meant a bit of someone else's effort.  None for you.  Silly me.   

The whole Rigol community will benefit from this, as the majority of the people are not keen in opening up their scopes.

Sounds like an opportunity for you to be a real hero then, and make a contribution.

[Gandalf_Sr]

Guys, I too have an MSO2072A with SW 3.0.SP1 and HW 2.2.

I ordered the $6 'Altera' USB Blaster from eBay, there's a sort option that filters by distance and I found a company in Colorado selling them.  I ordered it on 8/5/14 and it
is supposed to arrive today shipping USPS.

I'm a hardware guy and have no worries about hooking the JTAG connector up but the Linux commands scare me slightly; what if I reformat the memory or something else really bad? 

I have a Dell Netbook that boots to Ubuntu so I that's going to be my first attempt to do the JTAG dump.

Won't get to this before this weekend at the earliest.  I will try to get pictures for y'all.

[AntiCat]

I ordered the scope on monday.
I have a USB Blaster but the scope is delayed 2-3 weeks

[Gandalf_Sr]

I ordered the scope on monday.
I have a USB Blaster but the scope is delayed 2-3 weeks

Not sure where you are on the planet (or even if you ARE on the planet) but Tequipment.net web site says they have 23 in stock and you can get 6% discount by using the code EEVBLOG6 giving a final price of $1,164.66 with free shipping.  I have ordered other stuff from them in the past and they are good to deal with.

Perhaps you could cancel and reorder?

[mscreations]

I ordered the scope on monday.
I have a USB Blaster but the scope is delayed 2-3 weeks

Not sure where you are on the planet (or even if you ARE on the planet) but Tequipment.net web site says they have 23 in stock and you can get 6% discount by using the code EEVBLOG6 giving a final price of $1,164.66 with free shipping.  I have ordered other stuff from them in the past and they are good to deal with.

Perhaps you could cancel and reorder?

Yep! I ordered last Weds and got it on Monday. Very fast!

[AntiCat]

Not sure where you are on the planet (or even if you ARE on the planet) but Tequipment.net web site says they have 23 in stock and you can get 6% discount by using the code EEVBLOG6 giving a final price of $1,164.66 with free shipping.  I have ordered other stuff from them in the past and they are good to deal with.

I'm from Switzerland so it is an additional 130$ for shipping and 200$ for import taxes. This is approximately the same as the local distributor. At this price range I prefer to have a point of contact nearby. However your suggestion is very tempting..

[milek22]

gentlemen,
I have a question:
1 - Now I was left with 1720 min. Trial Version.
2 .-- As time runs out Tial Version is no longer possible for a JTAG or upgrade done by the official Version
Thank you.

[PepeK]

gentlemen,
As time runs out Tial Version is no longer possible for a JTAG or upgrade done by the official Version
Thank you.

You can enter a code to have some special features any time. During a trial period or after it expires. It does not matter if code is bought officially or created with the rigol hack tool based on a data obtained via JTAG memory dump.

[Slappy_g]

OK guys - had the scope for a bit (MSO 2072A, latest SW, HW 2.02), and got it opened up today since my Olimex OCD-ARM-JTAG arrived from Sparkfun.

I'm running into an issue on Win 7 x64, even when running this from a command prompt as admin.  Any ideas?  Unplugging/replugging and reinstalling drivers does not seem to help.  I do have a functioning COM11: port for the debugger device.

Code: [Select]

GO!:>bfin-gdbproxy.exe --debug bfin --frequency=500000

Remote proxy for GDB, v0.7.2, Copyright (C) 1999 Quality Quorum Inc.
MSP430 adaption Copyright (C) 2002 Chris Liechti and Steve Underwood
Blackfin adaption Copyright (C) 2008 Analog Devices, Inc.

GDBproxy comes with ABSOLUTELY NO WARRANTY; for details
use `--warranty' option. This is Open Source software. You are
welcome to redistribute it under certain conditions. Use the
'--copying' option for details.

debug:     bfin: bfin_open ()
Found USB cable: ARM-USB-OCD
error: Couldn't connect to suitable USB device.
error:     bfin: cable initialization failed
debug:     bfin: bfin_open ()
Found USB cable: ARM-USB-OCD
error: Couldn't connect to suitable USB device.
error:     bfin: cable initialization failed
^C
GO!:>


[Slappy_g]

Replying to myself...

I am trying this option now - hope it's helpful to people:

• Download urJTAG (from http://urjtag.org/)
• Install it... (I recommend NOT running installer as admin and putting it somewhere within your user profile directory - if you don't know what that means, use Google)
• Launch the JTAG Shell icon it puts in your start menu - handy!
• type these commands:
• cable arm-usb-ocd
• frequency 5000000
• detect
• initbus bf526_ezkit
• readmem 0x00000000 0x001FFFFF output.dmp
• Hope and pray that it works - since it's midnight here, I'm hoping I didn't do something stupid so far.
• Also, I recommend pointing a nice strong fan at the device while you're dumping the RAM, as the FPGAs get HOT!

[MattSR]

Awesome work guys! I think I'll buy the MSO2702A now instead of the DSO2702A

[Gandalf_Sr]

OK, so I saw Slappy_g's post and thought I'd try his route using Windows rather than Linux.

I downloaded urJTAG vn 10 but it would't install in Windows 7, 64 bit, but then it did when I right clicked and ran as admin.

My problem is that windows can't find a driver for my el-cheapo eBay 'Altera' USB Blaster, it sees it but there's a yellow triangle in system devices and it says the driver isn't loaded.

Any ideas?

[Macman]

<snip>
Also, I recommend pointing a nice strong fan at the device while you're dumping the RAM, as the FPGAs get HOT![/li][/list]

When I did the JTAG dump I routed the JTAG cables out of the corner of the shielding and temporarily put the rear shieling back on so that it would be cooled in the normal way.

It will be interesting to see if you can get it to work in Windows with urJTAG.
Is there any reason you only dumping to 0x001FFFFF?

@Gandalf_Sr
You can download a Windows driver from the Altera website which should work OK with the clone USB blaster.

[Mark_O]

My problem is that windows can't find a driver for my el-cheapo eBay 'Altera' USB Blaster, it sees it but there's a yellow triangle in system devices and it says the driver isn't loaded.

Any ideas?

If you didn't get one of the little mini-CDs with the device, the actual Altera drivers here may work for you...

http://www.altera.com/download/drivers/dri-index.html

[Slappy_g]

It will be interesting to see if you can get it to work in Windows with urJTAG.
Is there any reason you only dumping to 0x001FFFFF?

Yeah, the reason was that I was sleep deprived. I started the proper range after I realized that and promptly fell asleep on my keyboard. I'm about to go and see if it worked.

Sent from my SM-N900T using Tapatalk

[Gandalf_Sr]

Thanks guys, the el-cheapo USB Blaster came with instructions in Chinese but no drivers.  It looks like I may have to download a free version of quartus to get the drivers 

[Gandalf_Sr]

Aside from Windows deciding to take half an hour downloading updates, I did manage to get drivers installed for the 'Altera' USB Blaster.

I installed urJTAG but when I try to run the shell I get an error window telling me that libusb0.dll is missing from my system.  Any suggestions?

[Slappy_g]

So, rigup is reporting that it can't find any keys in my memory dump...


Any ideas?

Sent from my SM-N900T using Tapatalk

[Gandalf_Sr]

I gave up on Windoze and ran up my tiny little Dell Netbook powered by an Intel Atom processor.

That netbook cane with XP but it was so slow that I wiped Windows and installed Ubuntu, mainly cos there's a version for the Dell Netbook.

Following the instructions on the MEGA thread did not appear to go completely smoothly - the install of blackfin went OK but the following issues occurred:

1. The command to set the speed to 5000000 didn't work, the system responded that the speed of the USB Blaster was locked at 12000000 (12 MHz)

2. when I did the part where you test GDB by issuing the info mem command at the (GDB) prompt, it gave me the following message...

Warning: Can not parse XML memory map; XML support was disabled at compile time
There are no memory regions defined

Anyway, I pressed on and started the 'dump binary memory and it seems to be running, the server window shows what appear to be block reads and I'm up to 02D0XXXX after 47 minutes - my simple math suggests that it will take just over 2 hours to complete.

Watch this space....

[Gandalf_Sr]

So, rigup is reporting that it can't find any keys in my memory dump...


Any ideas?

Sent from my SM-N900T using Tapatalk

Bummer 

Do you have the right dump?

[Slappy_g]

Bummer 

Do you have the right dump?

I do. Definitely has good data in it, as I checked with a hex editor. I used the model number ds2072a when running rigup, as it doesn't accept the MSO model numbers.

Is there a step I'm missing here?

Sent from my SM-N900T using Tapatalk

[Gandalf_Sr]

Bummer 

Do you have the right dump?

I do. Definitely has good data in it, as I checked with a hex editor. I used the model number ds2072a when running rigup, as it doesn't accept the MSO model numbers.

Is there a step I'm missing here?

Sent from my SM-N900T using Tapatalk

I don't think you've missed a step, Marcel has said that he used Linux cos he'd heard of people having problems in Windoze, I am up to 06A0XXXX of 07FFFFFF so I should know fairly soon if it's worked for me.  Do you have access to a Linux machine?

[PepeK]

There is a user from France, MarcelM reporting success on MSO 2072 A, SW 3.0.SP1 and HW 2.2 using JTAG. Is is a bit difficult to find here the exact post but he has done nothing special, simply connected JTAG and used rigol.exe.

[PepeK]

It is not necessary to have a Linux machine. I am waiting for my JTAG adapter to be delivered and during this time I arranged an usb key with a bootable Ubuntu (look for "universal-usb-installer" and "ubuntu 14.0.1 desktop i386" or "x64".

[Slappy_g]

Excellent idea...  Trying now.

UPDATE: So, that string does not appear to be in the dump file anywhere...  The file is exactly 128MB in size, and appears to contain lots of identifiable strings including my serial number and the entire contents of the HTML help system.

It doesn't make sense that it would be a "corrupted" dump if I'm seeing real, readable data, but I guess I'm not sure what I'm supposed to see.  Is there a different way to try the dump?  I ended up switching to the WinUSB driver and using the bfin-gdbproxy and bfin-elf-gdb approach.

Can you find the hex pattern "020084001000" in your dump file, as in the rigup utils.c file?

KeyData* ScanKeys(const void *data, size_t datasize)
{
  /*
    Offset   Data
      0      02 00 84 00 10 00
      6      <16 bytes of XXTEAKey>
     22      20 00
     24      <16 bytes of RC5Key1>
     40      <16 bytes of RC5Key2>
     56      08 00
     58      <8 bytes of bit-shuffled ECC public key>
     66      40 00
     68      <64 bytes of some ASCII-HEX data>
    132      <END>
  */

I used rigup 0.4: "rigup ds2072a ds2k_00_sdram.bin"

Peter

[Slappy_g]

Below is the advanced system information before I made the dump. Is your system information differently?

Peter

OK, so I enabled advanced info (Trigger Menu, Menu7, Menu6, Menu7, Utility all pressed in quick succession).

Now, I see the same thing you do...

SW: 00.03.00.01.03
HW: 1.1.2.2.0

[PepeK]

Below is the advanced system information

How do you access that detailed info ? I can invoke only a simplified version of that popup window.

[Slappy_g]

Below is the advanced system information

How do you access that detailed info ? I can invoke only a simplified version of that popup window.

About to edit my previous response.  Look above in 2 minutes.

[PepeK]

Thank you, Pedre, I see also the extended system info now. All versions are exactly the same as yours.
So, as there are reports about successful hacking of exactly same model of the scope, there should be some JTAG adapter / toolchain problem is hack does not work.

[Slappy_g]

OK, so I just re-ran the SDRAM dump - exactly the same way as before.  Same output file size, same gdbproxy messages, etc.

And, go figure, there's the key!  Now, the thing I did which was different than before was that I made sure the scope was in RUN mode.  Last dump I did, I had the scope in STOP mode, so not sure if that had an impact, but it sure seems to have worked!

Now, I'm going to try to use the DS2072A model name to generate the licenses...

[Slappy_g]

Success! Happily running @ 200 MHz with all options.

I'll consider bumping up to 300 if I ever feel I really need it, but I have seen conflicting reports here of decreased accuracy on all signals with that option turned on.

Sent from my SM-N900T using Tapatalk

[miguelvp]

Do the 16 Digital channels work as well after your modification?

[Gandalf_Sr]

Glad you got your working Slappy, I may have to revert to the Windoze option.

So my first attempt failed because I added an extra 'f' to the upper address '0x07fffffff' so I aborted

Then I left it running on pass 2 while I went for dinner; I came back and it seems there was an error.

Trying again but this time I didn't get the error saying that I was stuck at 12000000 for the USB blaster.

When I specify ~/xyzzy.bin for the file should I expect that file to be in the bin directory?

[milek22]

gentlemen,

I have a version of RIGOL
1 how to make a memory dump?
2 how and when to use "rigup" ??
3 how to make the file "HEX" in the photo above?
4 how to generate the keys?
Thank you

[PepeK]

When I specify ~/xyzzy.bin for the file should I expect that file to be in the bin directory?

~ means in Linux your home directory : / home / userNameOfLoggedUser

[PepeK]

1 how to make a memory dump?
2 how and when to use "rigup" ??
3 how to make the file "HEX" in the photo above?
4 how to generate the keys?

1. Open the scope, connect JTAG ... described in this thread and also other threads here. According your scope's version, it is the only working way now.
2. Rigup is used on the memory dump obtained in the step 1
3. I do not understand, do you mean hex file = the memory dump ?
4. Keys are generated via rigup-0.4 tool

[Gandalf_Sr]

OK, so far I have not generated a .bin file at all, at least I can't find a file that has the xxxxx.bin name I asked for with 'dump binary memory', I've researched Ubuntu and found how to see hidden files.

I was using blackfin-toolchain-2014R1_45-RC2.i386.tar.bz2 and now I'm going to try blackfin-toolchain-2013R1_45-RC1.i386.tar.bz2

Using the 2014 version, the dump happened but, at the end, I got a message saying 'Reply contains invalid hex digit 116 and then goes back to the (gdb) prompt

I'm also going to make sure the scope is running.  If this doesn't work, I'll switch to a different computer.

Any suggestions are welcome.

[Gandalf_Sr]

I have the Ubuntu Netbook dump running but I got the error at the stage of testing the memory using '(gdb) info dump' which replied that it could not parse XML because that feature was not included at compile time.  I'll leave that dump running but suspect it will be the same as the previous ones.

PLANB...
I'm trying to follow in Slappy's footsteps, I downloaded urJTAG, managed to install on my Windows 7-64 system (you have to run the install as Admin), but then got an error every time I tried to run it with my el-cheapo 'Altera' USB Blaster from eBay saying it couldn't find the libusb0.dll driver - I believe I've just solved that issue

I downloaded libusb-win32 from here http://sourceforge.net/projects/libusb-win32/files/libusb-win32-releases/1.2.6.0/ . I used libusb-win32-bin-1.2.6.0.zip

Next I unpacked the libusb-win32-bin-1.2.6.0 folder to C:/Temp and then opened the bin folder and installed install-filter-win.exe (I think)

Next I ran the inf-wizard.exe file while my USB Blaster was plugged in, it found and created an inf file and then offered to install it, I accepted.

Now I can run 'JTAG Shell' from start and interact with the command prompts.

This is a great resource http://sourceforge.net/p/libusb-win32/wiki/Home/

[Gandalf_Sr]

Getting frustrated 

I can't get urJTAG to see my USB Blaster so that has got nowhere so far.

And my Netbook keeps giving me the 'Reply contains invalid hex digit 116' error after a 2 hour dump.

I found a post by 0xPIT on page 232 of the MEGA thread https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/3465/ which says that he's solved this problem but I struggled to follow his instructions;

I have a weird dump running but here's what I did...
everything as per the normal instructions on P165 of the mega thread up to

# cd opt/uClinux-45/bfin-uclinux/bin
# ./bfin-uclinux-gdb
(gdb) target remote :2000
Remote debugging using :2000
0xffa0142e in ?? ()
(gdb)

Then I used his 'set debug remote 1' and 'set remotelogfile /tmp/log' commands which gave no errors and were accepted (I think) because the (gdb) prompt returned?

Then I started a dump normally using 'dump binary memory ~/myfilename.bin   0x00000000 0x07FFFFFF' and now there's zillions of characters flying across my (gdb) screen - presumably all being put into a log file somewhere!

According to 0xPIN, the dump will end with the same 116 error but all the data that's returned will be in the log file.  What I'm not clear about is how to find, open, and run the awk commands against that file so as to only keep the lines that begin with +r $ as per his instructions...

I then awk'd the logfile to include only lines starting with +r $ and then removed this string using vi (:%s/^r\ +$//g)
Now I used xxd -p -r to convert the hexdump to binary and ran rigup on it, which worked fine.

Can anyone clarify what I have to do once this dump is finished?  Is  '+r $' the actual text that starts off a line that's returned data?  and that last bit looks like Greek to me!

[Gandalf_Sr]

Now I'm getting pissed off

The latest dump using my Ubuntu Netbook finished but I can't find any log file.

My urJTAG install on my Wind 7-64 laptop can't see the USB-Blaster so that option's hasn't worked so far

Considering what to try next...

1. Run up my Raspberry PI and follow the instructions here http://sourceforge.net/p/urjtag/discussion/682993/thread/d31f1840/
2. Download a different Linux image and boot one of my PCs from it and try that
3. Solve my issues on the Netbook - e.g. find the missing log file
4. Solve the issue where urJTAG can't see the USB Blaster

Beer O'Clock 

[PepeK]

Now I'm getting pissed off

Considering what to try next...

3. Solve my issues on the Netbook - e.g. find the missing log file

Log file must be somewhere in the file system. Which linux command have you used ?

[Gandalf_Sr]

Log file must be somewhere in the file system. Which linux command have you used ?

Thanks for chipping in PepeK, I found a log file but it had 386 bytes in it.

Now I have been pursuing the urJTAG option, I fought with the driver for the 'Altera' USB Blaster and got urJTAG to connect to it, then when I asked for frequency of 5000000, it told me that the Blaster was fixed at 12000000 and detect didn't find the BF device, just timeout errors.

If I don't get a better suggestion by tomorrow morning, I think I'll order the $70 Olimex FT2xxx device and hope that works like it did for Slappy. Or are there any other FT2232-based recommendations from anyone?

[Slappy_g]

Do the 16 Digital channels work as well after your modification?

They work perfectly!

Sent from my SM-N900T using Tapatalk

[Slappy_g]

Log file must be somewhere in the file system. Which linux command have you used ?

Thanks for chipping in PepeK, I found a log file but it had 386 bytes in it.

Now I have been pursuing the urJTAG option, I fought with the driver for the 'Altera' USB Blaster and got urJTAG to connect to it, then when I asked for frequency of 5000000, it told me that the Blaster was fixed at 12000000 and detect didn't find the BF device, just timeout errors.

If I don't get a better suggestion by tomorrow morning, I think I'll order the $70 Olimex FT2xxx device and hope that works like it did for Slappy. Or are there any other FT2232-based recommendations from anyone?

I strongly recommend the olimex device from sparkfun. $70, but it works.

Also, I ended up using the winusb driver and the bfin-toolchain in win 7 x64. UrJTAG was creating "weird"  dumps.

Sent from my SM-N900T using Tapatalk

[Slappy_g]

gentlemen,

I have a version of RIGOL
1 how to make a memory dump?
2 how and when to use "rigup" ??
3 how to make the file "HEX" in the photo above?
4 how to generate the keys?
Thank you

I'm guessing from some of your phrasing that English is not your first language. I noticed that you have asked several repeated questions in this thread even though answers have been given.

I would suggest following the steps I listed, then using the forum search with the keywords: JTAG, ds2072a. This will answer your questions, I believe.

Also, it looks like you have the signal generator option, based on your picture. I'm not sure if that model works or not.

Sent from my SM-N900T using Tapatalk

[Gandalf_Sr]

...Also, I ended up using the winusb driver and the bfin-toolchain in win 7 x64. UrJTAG was creating "weird"  dumps...

Thanks, am I right in saying that bfin-toolchain runs in a command prompt under Windows?

It's interesting but this whole debacle has led me to read more about JTAG that I ever would have done unless I had a project on it.  It's interesting that all the manufacturers, Atmel, Actel, TI, etc. etc. all have different interface boards to talk JTAG.  It seems that the FTDI FT2232 device will probably end up being adopted by all as it's so well integrated with windows wrt drivers etc.

[Slappy_g]

Thanks, am I right in saying that bfin-toolchain runs in a command prompt under Windows?

It's interesting but this whole debacle has led me to read more about JTAG that I ever would have done unless I had a project on it.  It's interesting that all the manufacturers, Atmel, Actel, TI, etc. etc. all have different interface boards to talk JTAG.  It seems that the FTDI FT2232 device will probably end up being adopted by all as it's so well integrated with windows wrt drivers etc.

So, yes, I did just do it in Windows.

Sent from my SM-N900T using Tapatalk

[Gandalf_Sr]

Thanks, am I right in saying that bfin-toolchain runs in a command prompt under Windows?

So, yes, I did just do it in Windows.

Sent from my SM-N900T using Tapatalk

Hmmm, makes me wonder if I just downloaded blackfin into Windows, it would run with my 'Altera' USB Blaster?  I know you used the Sparkfun debugger based on the FT2232 - I have one on order - but I'm going to dig deeper into the bfin option.

Thanks

[Gandalf_Sr]

...I strongly recommend the olimex device from sparkfun. $70, but it works.

Also, I ended up using the winusb driver and the bfin-toolchain in win 7 x64. UrJTAG was creating "weird"  dumps.

Sent from my SM-N900T using Tapatalk

Slappy, please can you give a few more details on how you downloaded and ran bfin under Windows?  I get the idea of having a background service running, this is what I was trying  to do in Ubuntu, but:

What files did you download?
What commands did you issue?

Thanks in advance.

[Slappy_g]

OK, as requested by Gandalf_Sr, here is my detailed step-by-step guide to my *working* hack on the MSO2072A.   

I am NOT going to detail general Windows tasks.  If you don't know it, Google is your friend.  Please keep general Windows questions to other threads.

• PREREQUISITE 1: Windows 7 64-bit.  If using UAC, you MUST run the command prompt as administrator.
• PREREQUISITE 2: Download the 32-bit Blackfin toolchain 2014R1 from here: http://sourceforge.net/projects/adi-toolchain/files/2014R1/2014R1_45-RC2/blackfin-toolchain-win32-2014R1_45.exe/download
• PREQUISITE 3: This is tricky.  Get your JTAG adapter and drivers installed.  Being loaded with disposable income  , I used the Olimex from Sparkfun - $71 of goodness: https://www.sparkfun.com/products/7834.
• PREREQUISITE 4: Figure out how to hook up the circuit to the JTAG header using pull-up resistors, etc.  This is WAY beyond the scope of this post.
• Install the drivers for the JTAG adapter as attached - there are instructions on Sparkfun and Olimex's sites.  This is left as an exercise for the reader.
• I then installed the WinUSB driver for the first Olimex device in the list using the handy Zadig driver installer from here: http://zadig.akeo.ie/
• Install the Blackfin toolchain on a folder on your desktop and go to that directory, and then into the subfolder elf\bin
• Open 2 command prompts as administrator in this folder.  Yes, two.
• In command prompt 1, run the following: bfin-gdbproxy.exe --debug bfin --frequency=5000000
• [Make sure that the frequency is 5 million, not 500,000]
• If you followed so far, you should get a message stating that the gdbproxy is waiting on port 2000.  This is basically an intermediary program that will allow the special bfin version of the Gnu Debugger (GDB) to "speak JTAG" - it's like talking dirty to the chip, but better!
• Keep window 1 open, Trebek, you scurvy bastard!   (Saturday Night Live reference, there)
• In command prompt 2, run bfin-elf-gdb.exe with no parameters.  You must run THIS version of GDB.
• For the next 2 lines, type these comamnds at the (gdb) prompt:
•    target remote :2000
•    info mem
• If it worked, you should see a list of 8 regions (from 0-7).  If it didn't work, you suck, or your drivers suck.  Fix that, then CTRL-C both command prompts and relaunch the proxy then GDB until you get success.
• Now, as the two girls one cup people said, we will begin the dump.  OK, that was gross.  The command follows and will take a LONG time.  Watch the gdbproxy window for periodic messages.
• dump binary memory ds2k_00_sdram.bin 0x00000000 0x07FFFFFF
• When done, type quit to exit GDB.
• Kill both command prompts.  ...WITH FIRE!
• Your dump file will be in the same folder as the executables (the subdirectory of the Bfin-toolchain install)
• Move that file to where you have rigup.exe
• Run: rigup.exe scan ds2k_00_sdram.bin
• You should get your private keys.  If you get a keys not found message like I did, make sure your scope is in RUN mode and has an active trace then re-dump the SRAM.
• Now, prepare your champagne glass and run this:
• rigup.exe DS2072A ds2k_00_sdram.bin
• Enter your keys into the scope however the hell you want, and send a bottle of tequila my way, if you like. 

Whew!  It's late and I feel goofy, so you'll have to deal with my terrible humor in there.  To me, the toughest part was matching up the JTAG pinouts and opening the case without breaking the sticker, in that order.  The drivers part was pissy, but once figured out, no big deal.  For the record, do NOT bother with urJTAG.

[Gandalf_Sr]

Slappy, you are GOD-LIKE!  I now see that it's possible that my issue is that I missed the WinUSB driver step from zadig...  can you explain to us mere mortals what that does?

[Slappy_g]

Slappy, you are GOD-LIKE!  I now see that it's possible that my issue is that I missed the WinUSB driver step from zadig...  can you explain to us mere mortals what that does?

Thanks! The tool just does a targeted driver reinstall for a given device. Since there are so many driver models, using this to pick is much easier.

Just remember to run it as admin.

Sent from my SM-N900T using Tapatalk

[milek22]

Great job Slappy_g. Thanks.
1 Can you do ALTERA USB?
2.Na diagram Cybernet pins are: TMS / TCLK / TRST / SRST / TDI / TD0 / GND / V3.3.
3.Prosz? of counterparts OLIMEX pins for ALTERA

4 Do I need to buy OLIMEX to do it?
5 Can Win 7 32bit can be?

Is pin TCLK corresponds ALTERA pin 1?
Where to give UTST3,3V in ALTERA - pin 4 or 7?
Thank you very much.

[PepeK]

@Milek :

If you search / check the long thread "sniffing internal Rigol I2c bus", there are nice photos showing how to connect the JTAG to the scope. Approx at page 168 - try it.
I hope my JTAG adapter arrive in next two weeks and I will post here an exact info.

BTW : do you use Google translator ?

[Gandalf_Sr]

@Milek

Check out the diagram in post#2433 on this page https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/2433

I will warn you that I used an 'Altera' USB Blaster from eBay.  It connected to the JTAG using the diagram in post#2433 - it seemed to work at first but it always finished with the error 116 problem.

I haven't tried it yet but apparently, if, at the (gdb) prompt, you type 'set remotetimeout 10' just before you issue the memory dump command, it works.  I may try that tonight.

Google 'gdb commands' to see all the possible commands explained.

[Slappy_g]

@ Milek

I don't have an Altera device, so I can't help you much there. Win 7 x86 should work just as well as my x64 version, so no problem there. Plenty of people are still using that version.

My 2 cents are to use something based on an FTDI2xxx chip, as those seem to have the best driver support.

Sent from my SM-N900T using Tapatalk

[milek22]

Gentlemen. I can not move. I "ALTERA USB BLASTER".
How to install drivers without connecting the JTAG in scope?
I wanted to check ALTERA without USB JTAG cable but how to do it?
Thanks

[Gandalf_Sr]

Gentlemen. I can not move. I "ALTERA USB BLASTER".
How to install drivers without connecting the JTAG in scope?
I wanted to check ALTERA without USB JTAG cable but how to do it?
Thanks

Milek, I tried again last night using the 'set remotetimeout 10' option Ubuntu but it does not work.  If you want to try, here is my connection diagram.  I am waiting for a different JTAG programmer to arrive in the mail.

[Slappy_g]

@Gandalf_Sr

Great diagram! One of the better ones on this site.

So, I have to ask, did you throw your money in a giant fire pit and go for the Olimex adapter?

Sent from my SM-N900T using Tapatalk

[Gandalf_Sr]

@Slappy

Thanks for the kind words about my diagram.

I ordered a bus blaster V3 from seeedstudio http://www.seeedstudio.com/depot/Bus-Blaster-v3-p-1415.html - it's on the FedEx truck for delivery so I might get to try it tonight.  It's based on the FT2232H and it's set up to work as a KT-link device (JTAGkey) under urJTAG by default.

I complained on eBay and am supposed to be getting a 90% refund on the el-cheapo 'Altera' USB Blaster plus I ordered an Olimex adapter at work so I can borrow that if all else fails  O0

I don't give up easily 

[milek22]

I opened my ALTERA and a processor
  "SILABS
F321
ECLOW7
1402 "
see photo

[Gandalf_Sr]

@Milek

That is not the same as my USB Blaster.  I would make the interface cable and try it and see if it works.

[Macman]

@Milek22

I did the JTAG memory dump with a USB blaster which looks the same as yours and also uses the same chips. It worked first time for me.

I did things a bit different to  Gandalf_Sr.  I didn't connect the 3.3V supply to the scope's JTAG header and didn't connect the SRST and TRST lines to the USB blaster. Also only one of the ground pins needs to be connected. See the lower of the 2 diagrams on page 170 of the 'Sniffing the I2C bus' thread.

I used 'Universal USB Installer' (UUI) to make a boot USB pen drive. XUBUNTU 32 bit was selected for the distribution and I set a reasonable value for the persistent file size. The blackfin tool chain file I used was blackfin-toolchain-2013R1_45-RC1.i386.tar.bz2.  Note this is the 32 bit version of the toolchain.

Hope that's of help.

[Gandalf_Sr]

Thanks for the input Macman.  It's good to know that someone has done the dump using a USB Blaster like the one Milek has, mine has an ST32 micro chip inside it.  I've heard others saying that the reset pins don't need to be connected.

My Bus Blaster seems to have arrived and I've made a harness cable to connect it to the MSO2072A.  I hope to attempt the dump tonight using Windows and urJTAG as per Snappy's detailed instructions at the bottom of page 5; I have left out the pull up resistors on the RST lines because they appear to be driven by the voltage level translator on the Bus Blaster.

 

[mscreations]

I am hoping that someone can give me some help. I got my Altera USB Blaster (chinese clone) today, hooked it up and I'm getting some trouble getting bfin-gdbproxy to work. This is what I get when I run it:

Code: [Select]

# sudo ./bfin-gdbproxy --debug bfin --frequency=5000000

Remote proxy for GDB, v0.7.2, Copyright (C) 1999 Quality Quorum Inc.
MSP430 adaption Copyright (C) 2002 Chris Liechti and Steve Underwood
Blackfin adaption Copyright (C) 2008 Analog Devices, Inc.

GDBproxy comes with ABSOLUTELY NO WARRANTY; for details
use `--warranty' option. This is Open Source software. You are
welcome to redistribute it under certain conditions. Use the
'--copying' option for details.

debug:     bfin: bfin_open ()
Found USB cable: UsbBlaster
Connected to libftdi driver.
warning: USB-Blaster frequency is fixed to 12000000 Hz
warning: TDO seems to be stuck at 0
error:     bfin: detecting parts failed
debug:     bfin: bfin_open ()
Found USB cable: UsbBlaster
error: Couldn't connect to suitable USB device.
error:     bfin: cable initialization failed

My major concern is that when I first hooked it up I *might* have had the cable included in the usb blaster connected incorrectly (it is not terribly obvious which way it should have gone). Now my question is whether the scope might be damaged or if the usb blaster might be damaged (or something else entirely).

I have tried it with the TRST and SRST pins connected and not connected.

EDIT: I've tried the USB Blaster with another JTAG device and have not had any luck either. Ordered an Olimex programmer from Sparkfun and had it overnighted. I'll give it another go when it arrives...

[milek22]

Colleagues. Please check the JTAG scheme.
I drew as suggested by a colleague Marcman.
It has to be connected to VCC 3.3V with PCB SCOPE?
Please write or diagram is OK? What drew badly?
Thanks a lot.

[Gandalf_Sr]

Colleagues. Please check the JTAG scheme.
I drew as suggested by a colleague Marcman.
It has to be connected to VCC 3.3V with PCB SCOPE?
Please write or diagram is OK? What drew badly?
Thanks a lot.

Milek, it looks OK but you need 1 more wire. You need +3.3 volts from somewhere (most have used the pin marked VCC on the 4 pin header on the main board) to supply the voltage that will be used for the MSO2072A side of the JTAG signals.

If you took the diagram that I drew and took away the nSRST and nTRST wires, you would have your diagram plus the change I just mentioned.

[Gandalf_Sr]

I tried the Bus Blaster V3 last night - it didn't work; I couldn't get gdb or urJTAG talking to the Bus Blaster properly.  It's the story of my life that I end up wasting time and money chasing cheap solutions, I should have just bought the Olimex device 

Although the Bus Blaster is FT2232H-based, it also uses a Xilinx CPLD that needs to be programmed and the driver support is flaky at best.  I did find a file in the support forum (that doesn't show much activity after 2012) called BBv3.zip made up by a guy called Joe Fitzpatrick that seems to show the solution to my issues so I will try his driver files tonight.

If that fails, then I will get my hands on an Olimex JARM-USB-OCD programmer next week.

[Macman]

@Gandalf_Sr
I just hope the Olimex JTAG adapter works for you. The only other thing you could have tried is using the same build of Linux and Bluefin toolchain that I used, but I guess your patience has been tried enough already and you might as well wait for the Olimex adapter because you can be sure that it should work.

@milek22
I agree with Gandalf_Sr your diagram looks good except for needing to connect 3.3v to the wire coming from pin 4 of your USB blaster. If you want to save some wiring you only need to connect to one of the ground pins at each end.

[milek22]

I made a patch.
Just like now would we?

[PepeK]

I made a patch.
Just like now would we?

Seems to be ok now. I keep fingers crossed !

[Macman]

I made a patch.
Just like now would we?

If I remember correctly the VCC pin was the second pin on the 4 pin header, you may want to check this.

[Gandalf_Sr]

I made a patch.
Just like now would we?

If I remember correctly the VCC pin was the second pin on the 4 pin header, you may want to check this.

AND you need to connect +3.3V to pin 1 of your JTAG-SCOPE header

[Macman]

AND you need to connect +3.3V to pin 1 of your JTAG-SCOPE header

It would be best not to connect to PIN 1 of the  JTAG-SCOPE header because it is not known if the 2 3.3v supplies are derived from the same regulator. If they aren't, connecting the two together would be a bad idea. If works without connecting to pin 1, so there is no point in tempting fate.

[Gandalf_Sr]

I accept Macman's argument, leave pin 1 disconnected.

[PepeK]

The only purpose of that 3.3V is to power an internal buffer of the JTAG adapter. I mean a circuit like 74 AHC 245 or 74 LXVC 245. Those JTAG adapters are designed for a wide family of devices, so their output buffer is powered from a target device.

There is no reason to inject 3.3V to the scope's JTAG connector and this can be dangerous as we know nothing about the designer's idea behind (how many voltage regulators are there and so on).

[Slappy_g]

I tried the Bus Blaster V3 last night - it didn't work; I couldn't get gdb or urJTAG talking to the Bus Blaster properly.  It's the story of my life that I end up wasting time and money chasing cheap solutions, I should have just bought the Olimex device 

Although the Bus Blaster is FT2232H-based, it also uses a Xilinx CPLD that needs to be programmed and the driver support is flaky at best.  I did find a file in the support forum (that doesn't show much activity after 2012) called BBv3.zip made up by a guy called Joe Fitzpatrick that seems to show the solution to my issues so I will try his driver files tonight.

If that fails, then I will get my hands on an Olimex JARM-USB-OCD programmer next week.

Just a quick thought about why you may have had issues. The adapter I used was the one whose model number did not end in H. There have been reports of major driver issues with the high speed chip in Windows 7 and Windows 8.

In fact, read the comments on the sparkfun product page. You will see someone stating that exact point.

Sent from my SM-N900T using Tapatalk

[onlooker]

A J-Link v8 may work(?). It is about $13 on ebay (understandably, it will be a clone). 

[Gandalf_Sr]

Well the Bus Blaster is not working.  Despite attempts to get help from Ian at Dangerous Prototypes, I've failed.  Anyone following this thread should learn from my mistakes, just buy the Olimex ARM-USB-OCD from Sparkfun.

Bollocks! 

[PepeK]

I see there is a separate topic related to that unbelievable noisy fan in the Rigol's scopes, but why not to replace  a fan, when the scope is opened for JTAG dump ?

I have done it today. Let me share some noise level measurements done with a smartphone :
1. Scope is off, quiet room : 20 dB
2. Scope is on, smartphone located 10 cm in front of the scope : 50 db !

And now, when the new Noiseblocker 60 x 60 x 25 mm fan, model XR2 is installed (costs 6.50 euro) :
1. Scope is off, quiet room : 20 dB
2. Scope is on, smartphone located 10 cm  in front of the scope : 30 db, very nice, incomparable to the original fan.

Conclusion : highly recommended replacement, no risk of warranty loss, as the fan is plugged into a connector. If somebody is interested, photos can be attached.

[iDevice]

Did you check that the Noiseblocker is specified for equivalent air flow and (more important) pressure ?

[WesleyK]

See this post:
https://www.eevblog.com/forum/testgear/who-has-replaced-a-rigol-oscilloscope-fan-because-of-noise/msg497352/#msg497352
It moves slightly less air but that should be ok in normal operating conditions.

[PepeK]

Did you check that the Noiseblocker is specified for equivalent air flow and (more important) pressure ?

Air flow is a bit lower. I will measure the temperature inside after 1 hour of operating and share it here. I do not expect troubles, as the room temperature is max 25 degrees Celsius.

[milek22]

Gentlemen.
I need drivers for USB JTAG-BLASTER - Win7.
Can someone give a link to strowników?
Win7 does not see me cards USB-BLASTER.
I have a question: Do you need to connect the USB-Blaster JTAG-SCOPE to install drivers
Thank you very much.

[Gandalf_Sr]

Might be getting somewhere but I'm stuck again...

After much frigging around, I finally managed to get my Bus Blaster running.  Now it's connected to the MSO2072A and talking to the BF526.

The problem appears to be that the readmem command always tells me that it can't dump the contents of external memory, it seems not to matter what range I type in for the second value, I tried 0x0000FFFF, the response is still exactly the same as the dump below.  I'm trying to follow Slappy_g's instructions on page 3 of this topic but I always get the response below.  What are the missing steps 4,5 & 12?  Any ideas?

Code: [Select]

UrJTAG 0.10 #1869
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

jtag.c:518 main() Warning: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable jtagkey interface=0
Connected to libftd2xx driver.
jtag> frequency 5000000
Setting TCK frequency to 5000000 Hz
jtag> detect
IR length: 5
Chain length: 1
Device Id: 00100010011111100100000011001011 (0x227E40CB)
  Manufacturer: Analog Devices (0x0CB)
  Part(0):      BF526 (0x27E4)
  Stepping:     2
  Filename:     c:\program files (x86)\urjtag\data/analog/bf527/bf527
bfin-part-bfin.c:155 bfin_wait_ready() Warning: untested cable or frequency, set
 wait_clocks to 21
jtag> initbus bf526_ezkit
jtag> readmem 0x00000000 0x001FFFFF output.dmp
Error: blackfin.c:87 bfin_bus_area() out of bounds: reading external memory not
supported
jtag>

[PepeK]

@Gandalf :

Do you use two separate console windows ? (gdbproxy + gdb )

What is returned when you type the "info mem" as gdb command ?

The gdb command for a dump is "dump binary memory destination_file  0x00000000 0x07FFFFFF".

[Gandalf_Sr]

@PepeK

I was attempting to use urJTAG; as far as I know, urJTAG only runs with the one command window and the commands are different to (gdb).

I am doing it wrong? Anybody?

[iDevice]

Did you check that the Noiseblocker is specified for equivalent air flow and (more important) pressure ?

Air flow is a bit lower. I will measure the temperature inside after 1 hour of operating and share it here. I do not expect troubles, as the room temperature is max 25 degrees Celsius.

Yes but remember, air flow is not the whole story.
Pressure is as important because air flow is measured in open air.
As soon as you load the fan, air flow drops.
One of the reason these silent fans are low noise is because they rotate slowly and blades have a different shape.
The major drawback is that they are not capable of much pressure, which means that as soon as they are loaded with a relatively cluttered enclosure, air flow drops to almost nothing sometimes.
I experienced that in one of my analog scope and I had to go back to a relatively more noisy fan to have sufficient cooling.
Open air flow characteristics were equivalent though.
So beware...

[PepeK]

@PepeK
I was attempting to use urJTAG; as far as I know, urJTAG only runs with the one command window and the commands are different to (gdb).
I am doing it wrong? Anybody?

Sorry, I mean Linux way, I have not recognized you are using urJTAG in Win. Have you ever considered the Linux way ? It is possible to boot from an USB key and nothing is installed physically on the computer.

[Slappy_g]

@PepeK

I was attempting to use urJTAG; as far as I know, urJTAG only runs with the one command window and the commands are different to (gdb).

I am doing it wrong? Anybody?

Sorry, I had terrible luck with urJTAG, and ended up giving up after no success.

[Gandalf_Sr]

@Slappy_g

So your multi-point bullet list is for gdb?  If yes, is it under Linux or Windows?  I think you went Windows.

I too am unimpressed with urJTAG, the Olimex ARM-USB-OCD is supposed to arrive next Wednesday.

[Bukurat]

@Slappy_g

Your post gave me some hope as I have been trying to get the Olimex ARM-USB-OCD working on Windows 7 32 bit.

Following your post I swapped out the Olimax drivers for the WinUSB ones using Zadig, now I'm seeing a warning message about TD0 being stuck at 0.

Did you encounter this in your travels?
Do you know if its possible to test communication with the Olimex ARM-USB-OCD device without attaching it to a TAG connector?



 

[navzptc]

@Slappy_g

Your post gave me some hope as I have been trying to get the Olimex ARM-USB-OCD working on Windows 7 32 bit.

Following your post I swapped out the Olimax drivers for the WinUSB ones using Zadig, now I'm seeing a warning message about TD0 being stuck at 0.

Did you encounter this in your travels?
Do you know if its possible to test communication with the Olimex ARM-USB-OCD device without attaching it to a TAG connector?

I had that problem when I installed the 'H' version on Win 7 64 bit, and it all came down to the drivers 

I stumbled across these drivers (H version) and after installing the drivers and following Slappy_g's excellent write up am now fully up and running 

If you try and run the program NOT connected to the JTAG header it will come up with an error message, but not the TDO stuck one.

Good luck, you will get there eventually!!

Andy

[mscreations]

Just a point of advice for anyone looking to do this. Don't waste your time or money with the cheap chinese USB Blaster clones... I had an Olimex adapter overnighted and it is currently dumping the memory without issue (Running Ubuntu 14.04LTS 64bit). I'll report back after getting it dumped and trying to do the key generation whether I run into any problems, but so far it has been FAR less painless then mucking about with that chinese crap I bought the first time.

AND... COMPLETE SUCCESS!! Took about 30 minutes or so to dump the memory and then used rigup on the resulting memory dump. Few seconds later I had my key. Now I've got an optioned MSO2202A!

[Bukurat]

I had that problem when I installed the 'H' version on Win 7 64 bit, and it all came down to the drivers 

I stumbled across these drivers (H version) and after installing the drivers and following Slappy_g's excellent write up am now fully up and running 

If you try and run the program NOT connected to the JTAG header it will come up with an error mmy WIN essage, but not the TDO stuck one.

Good luck, you will get there eventually!!

Andy

This morning I tried installing everything on my Win 7 64 bit laptop, following Slappy_g's post.

It doesn't find the device at all.


C:\GNU Toolchain\elf\bin>bfin-gdbproxy.exe --debug

Remote proxy for GDB, v0.7.2, Copyright (C) 1999 Quality Quorum Inc.
MSP430 adaption Copyright (C) 2002 Chris Liechti and Steve Underwood
Blackfin adaption Copyright (C) 2008 Analog Devices, Inc.

GDBproxy comes with ABSOLUTELY NO WARRANTY; for details
use `--warranty' option. This is Open Source software. You are
welcome to redistribute it under certain conditions. Use the
'--copying' option for details.

debug:     bfin: bfin_open ()
error:     bfin: cable initialization failed
debug:     bfin: bfin_open ()
error:     bfin: cable initialization failed
^C
C:\GNU Toolchain\elf\bin>


This was with the Olimex ARM-USB-OCD connected, but not the DSO.

On the 32 Bit Win 7 laptop it at least finds the Olimex adapter. and appears to connect to it as the LED changes from green to red and it tells me its using the libftdi driver!

Mine is not the H version adaptor.

I get the TDO stuck low error message irrespective of whether its connected to the DSO or not.

[Bukurat]

Just a point of advice for anyone looking to do this. Don't waste your time or money with the cheap chinese USB Blaster clones... I had an Olimex adapter overnighted and it is currently dumping the memory without issue (Running Ubuntu 14.04LTS 64bit). I'll report back after getting it dumped and trying to do the key generation whether I run into any problems, but so far it has been FAR less painless then mucking about with that chinese crap I bought the first time.

AND... COMPLETE SUCCESS!! Took about 30 minutes or so to dump the memory and then used rigup on the resulting memory dump. Few seconds later I had my key. Now I've got an optioned MSO2202A!

Are you using the blackfin toolchain?.If so, which one?

I have an old IBM laptop that has Ubuntu 32 bit installed.

[Gandalf_Sr]

Just a point of advice for anyone looking to do this. Don't waste your time or money with the cheap chinese USB Blaster clones... I had an Olimex adapter overnighted and it is currently dumping the memory without issue (Running Ubuntu 14.04LTS 64bit). I'll report back after getting it dumped and trying to do the key generation whether I run into any problems, but so far it has been FAR less painless then mucking about with that chinese crap I bought the first time.

AND... COMPLETE SUCCESS!! Took about 30 minutes or so to dump the memory and then used rigup on the resulting memory dump. Few seconds later I had my key. Now I've got an optioned MSO2202A!

I can120% definitely, positively, agree with this statement.  My new MSO2072A has been sitting on the bench, opened up, while I ordered, waited for, set up, and failed with:

1. A $7 'Altera' USB Blaster from eBay
2. A Bus Blaster from dangerousprototypes.com

I tried Ubuntu, Windows, gdb, and urJTAG.  If you want to do this, buy the Olimex device from Sparkfun.

The Olimex JTAG-USB-OCD is supposed to arrive tomorrow....

[leppie]

I tried Ubuntu, Windows, gdb, and urJTAG. 

Is using OpenOCD not possible? Has anyone tried with a JLink clone?

[mscreations]

Just a point of advice for anyone looking to do this. Don't waste your time or money with the cheap chinese USB Blaster clones... I had an Olimex adapter overnighted and it is currently dumping the memory without issue (Running Ubuntu 14.04LTS 64bit).

Are you using the blackfin toolchain?.If so, which one?

I have an old IBM laptop that has Ubuntu 32 bit installed.

I used the 64 bit 2004 r1 45 blackfin tool chain.

[Macman]

There seems to be some different versions of the Altera Clone blaster. The one I have which uses the Silabs F321 chip and works fine (although quite slowly) with the 32 bit version of the toolchain. I used the 32bit version as I seem to remember it being metioned somewhere  that there were problems trying to use the 64 bit version with the clone USB blasters.

[Gixy]

Hi guys,
First of all, congratulations for your tremendous work, very impressive!
I'm preparing the future hacking of the MSO2072A I intend to order and started to download everything to comply with the Slappy_g procedure. Problem: Avast anti-virus software is detecting a malware (win32:EVo-gen) in the Blackfin Toolchain for windows .exe. Is it a false alert and can I in your opinion download safely this file (which is not so easy with Avast running...)?
Thx in advance,
Denis

[Bukurat]

Hi guys,
First of all, congratulations for your tremendous work, very impressive!
I'm preparing the future hacking of the MSO2072A I intend to order and started to download everything to comply with the Slappy_g procedure. Problem: Avast anti-virus software is detecting a malware (win32:EVo-gen) in the Blackfin Toolchain for windows .exe. Is it a false alert and can I in your opinion download safely this file (which is not so easy with Avast running...)?
Thx in advance,
Denis

I saw that on the download to the 64 bit Win install.  I turned off the virus checker while downloading and added the program to the do not scan list while installing.   It's complaining about the uninstall program in the installer.
It you let it scan while installing it will drop that one in the chest.
 
Once I uninstall I'll run a full scan on the Laptop just to be sure. It didn't complain when I downloaded the 32 bit version on another laptop

[Slappy_g]

Might be getting somewhere but I'm stuck again...

After much frigging around, I finally managed to get my Bus Blaster running.  Now it's connected to the MSO2072A and talking to the BF526.

The problem appears to be that the readmem command always tells me that it can't dump the contents of external memory, it seems not to matter what range I type in for the second value, I tried 0x0000FFFF, the response is still exactly the same as the dump below.  I'm trying to follow Slappy_g's instructions on page 3 of this topic but I always get the response below.  What are the missing steps 4,5 & 12?  Any ideas?

I've been away a few days...  I missed this post.  There are no missing steps - I was just skipping some lines to make the formatting easier and got lazy.

[Slappy_g]

Hi guys,
First of all, congratulations for your tremendous work, very impressive!
I'm preparing the future hacking of the MSO2072A I intend to order and started to download everything to comply with the Slappy_g procedure. Problem: Avast anti-virus software is detecting a malware (win32:EVo-gen) in the Blackfin Toolchain for windows .exe. Is it a false alert and can I in your opinion download safely this file (which is not so easy with Avast running...)?
Thx in advance,
Denis

As I indicated in my post, I have used the 32-bit toolchain running under Windows 7 64-bit.  Weird, but I didn't want to take changes with the x64 toolchain.  I have not had any virus warnings from my AV tools, so I'm guessing it's a false positive, provided you got it from the original source and not some other site.

[Slappy_g]

@Slappy_g

Your post gave me some hope as I have been trying to get the Olimex ARM-USB-OCD working on Windows 7 32 bit.

Following your post I swapped out the Olimax drivers for the WinUSB ones using Zadig, now I'm seeing a warning message about TD0 being stuck at 0.

Did you encounter this in your travels?
Do you know if its possible to test communication with the Olimex ARM-USB-OCD device without attaching it to a TAG connector?

I had that problem when I installed the 'H' version on Win 7 64 bit, and it all came down to the drivers 

I stumbled across these drivers (H version) and after installing the drivers and following Slappy_g's excellent write up am now fully up and running 

If you try and run the program NOT connected to the JTAG header it will come up with an error message, but not the TDO stuck one.

Good luck, you will get there eventually!!

Andy

Glad it worked for you!  Thanks also for posting these drivers.  They will be helpful to anyone with the -H version of the product.  Out of curiosity, how long did your process take?  I'm guessing the H version is much faster.  Mine took 1-2 hours or so.

[Slappy_g]

On the 32 Bit Win 7 laptop it at least finds the Olimex adapter. and appears to connect to it as the LED changes from green to red and it tells me its using the libftdi driver!

Mine is not the H version adaptor.

I get the TDO stuck low error message irrespective of whether its connected to the DSO or not.

As much as it sounds like the default help desk answer...  try rebooting.  Failing that, check to ensure that you are running the command prompts as administrator.  If the title bar does not say "Administrator: Command Prompt" explicitly, then you are not.  That can often be a problem, as low-level port I/O can be flaky without elevation of rights.

[Bukurat]

It's dumping as I write.

I redid all the cabling from the ARM-USB-OCD adaptor, this time leaving the supplied cable off and connecting directly to the pins on the adaptor.

For anyone using Windows, turn your Virus scanner off before running the programs. Avast insists on deep scanning anything it doesn't know about and this stuffs up the timing.

Edit.

All done!

[navzptc]

Out of curiosity, how long did your process take?  I'm guessing the H version is much faster.  Mine took 1-2 hours or so.

Slappy_g, to read to 0x01FFFFFF to dump SRAM contents takes 5m 36s (Just timed it!), which works out to 22.5m approximately for a dump to 0x07FFFFFF - sounds about right for when I did that on my initial run on getting it all set up - Looks like the 'H' version is a lot quicker then 

Andy

[Gandalf_Sr]

Out of curiosity, how long did your process take?  I'm guessing the H version is much faster.  Mine took 1-2 hours or so.

Slappy_g, to read to 0x01FFFFFF to dump SRAM contents takes 5m 36s (Just timed it!), which works out to 22.5m approximately for a dump to 0x07FFFFFF - sounds about right for when I did that on my initial run on getting it all set up - Looks like the 'H' version is a lot quicker then 

Andy

So what's the actual required upper dump memory limit?  I think it's 0x07FFFFFF am I right?

[navzptc]

Out of curiosity, how long did your process take?  I'm guessing the H version is much faster.  Mine took 1-2 hours or so.

Slappy_g, to read to 0x01FFFFFF to dump SRAM contents takes 5m 36s (Just timed it!), which works out to 22.5m approximately for a dump to 0x07FFFFFF - sounds about right for when I did that on my initial run on getting it all set up - Looks like the 'H' version is a lot quicker then 

Andy

So what's the actual required upper dump memory limit?  I think it's 0x07FFFFFF am I right?

I'm using my JTAG on my DSA815-TG to try and recover my lost calibration data, and only read to 0x01FFFFFF - The DSA only has 32MB SRAM and I believe that the DSO memory map is also the same and that there is no need to go to 0x07FFFFFF.

Andy

[PepeK]

So what's the actual required upper dump memory limit?  I think it's 0x07FFFFFF am I right?

The "rigup.exe" tool is searching for some (as I remember 8 bytes long) binary pattern in the memory dump file. This signals that private key section follows. If those people who have done hack successfully post here which address is it in their dump file, we can narrow the address range for a dump (and make it faster).

[Slappy_g]

So what's the actual required upper dump memory limit?  I think it's 0x07FFFFFF am I right?

The "rigup.exe" tool is searching for some (as I remember 8 bytes long) binary pattern in the memory dump file. This signals that private key section follows. If those people who have done hack successfully post here which address is it in their dump file, we can narrow the address range for a dump (and make it faster).

Here's my contribution.  I have highlighted the semaphore bits that mark the start of the key block.  I have blacked out the rest, since I don't trust all you slackers...   

So the base address you could start the dump, would be 01B5E000, and capture through 01B5EFFF.  Boy, I wish I had known that.  Would have saved me HOURS.

[Gixy]

Thx Slappy_g,
Does that means that the item #19 of your step by step procedure should be updated?

[Macman]

If you are only doing a partial memory dump you will need to use a range that includes the serial number as well as the keys.
On my scope the serial number is at  00EBA382 and the keys are at 01B5EC08 so I would suggest a dump range of 00EBA000 to 01B60000.

[Slappy_g]

Thx Slappy_g,
Does that means that the item #19 of your step by step procedure should be updated?

Basically, yes, I could update the instructions, but I want to wait until we have confirmation from more people on their memory location.

For now, the instructions are safer as-is.

[Gandalf_Sr]

Cool!  I have the Olimex widget in my hands now, unfortunately, it's my wife's birthday and I suspect I'll be unable to creep off into my mancave tonight to do  the dump deed but I feel the end of my epic 'War and Peace' saga of trying to get this done is in sight.

[milek22]

HELP
Please urgent help.
It seems that he sees the USB BLASTER
Ponirzej see PHOTO
I plugged ALTERA USB BLASTER JTAG - SCOPE.
>> What do I do now?
>> Type "bfin-gdbproxy.exe --debug bfin --frequency = 5000000"
Then start - bfin-elf-gdb.exe
then what?
day...

[Macman]

@Milek
Open another command window in the same directory (leave the existing command window open).
Type the following in the new command window:

bfin-uclinux-gdb (you will need to replace this with the Windows GDB name)
target remote :2000
dump binary memory ds2k_00_sdram.bin   0x00EBA000  0x01B60000

[milek22]

new command window: bfin-uclinux-gdb
I run a second window "bfin-proxy?
when I type "bfin-gdbproxy.exe --debug bfin --frequency = 5000000" and what window?

[Macman]

@Milek,

I thought you had already got the proxy running because of the screen shot you posted.

You need 2 command windows open in the directory where the blackfin toolchain binary files are.
In the first window you type the proxy command line you mentioned.

Then in the second command window you type the lines in the previous post. You may need to change the name of the GDB program to match the file names you have in the bin directory. Look at a list of file mnames in the directory, it should be obvious.

<edit>
Just as a tip.
An easy way to open a command window in a specific directory is to hold down the shift key and right click on the directory then select 'Open command window here'

[milek22]

how to open a second window "bfin-gdbproxy.exe" it writes falided usb cable,
In any window, you can not write anything
What's going on?

[Macman]

Can you post a screen shot of the command windows you have open?

[Macman]

@Milek

If you have the cable connected correctly and you still can't get the bfin-gdbproxy to work it could be that the Blackfin tool chain is not compatable with the altera driver. If you can't get the bfin-gdbproxy to work there is no point in going on to start gdb in the other window.

I never tried in doing the Dump in Windows because all the sucessful reports I saw were done using Linux and I did't want the hassle of trying untested things in Windows.

If it is still not working I guess you have 2 choices, purchase the Olimex adapter or use Linux with your existing altera blaster clone.

[milek22]

I have a dump of the proxy

[Macman]

It looks like it is outputting the help screen because you have typed the parameters incorrectly.
press control C and shutdown the command window. Open the command window again and try again.

edit
I just noticed in the line in your previous post you had 'frequency = 5000000' this should be 'frequency=5000000' i.e. without the spaces.

[milek22]

You're right mate. Thanks a lot. Now I think it is ok?
See photo and text

[Macman]

OK Looks good so far. Leave this command window open and open a second command window and type the GDB line I gave a few posts back.

[milek22]

Give me an example ok? what name do I replace windows? I'm afraid a little bit and I want to type correctly.
if so i have to enter a string with a space?
bfin-uclinux-gdb target remote: 2000 binary memory dump ds2k_00_sdram.bin 0x00EBA000 0x01B60000

[Macman]

In the command window just type:
bfin-uclinux-gdb
Then type the following 2 lines:

target remote :2000
dump binary memory ds2k_00_sdram.bin   0x00EBA000  0x01B60000

Note the ':' is next to the 2000
Don't worry if it is the wrong program name it just will not work. If it rejects just tell be the directory path you opened the command window in and I will give you the correct name.

[Macman]

Once the dump starts leave the first command window will continuously output debug messages as the dump progresses. The second command window (the one you are typing the commands in to now will not show any further output until the dump is complete, which I would expect to take around 20 minutes.

[milek22]

I think I'm doing well and see photo below
"You can not connect because the computer firmly refuses to" connect "
Probably in linux I must try

[Macman]

That screen shot you've posted there is of the GDB proxy command window and looks as I would have expected it to except that you have Control C'd out of it so it is no longer running(edit: I see you have changed the screen dump now). I would suggest you reboot your PC/laptop and start again.

edit
The main reason it did not work is because you had terminated the GDB proxy by control C. Once it is running leave do not type anything else in that command window.

I've just the name of GDB for the program name you need:

After the proxy is running correctly in the first command window, in the second command window type:

bfin-elf-gdb

Then type the following 2 lines:

target remote :2000
dump binary memory ds2k_00_sdram.bin   0x00EBA000  0x01B60000

[milek22]

Colleague again you racje.Jeste? GREAT.
I threw SDRAM.bin
The catalog >> Rigup opened the command line
Rigup >> found my MEMORY SDRAM.bin
>> It displays help messages
> What should I enter?

[Macman]

you should enter: rigup ds2072a ds2k_00_sdram.bin

edit:
You need to put your dump file in the rigup directory.
Open a command window in the rigup directory and then type:

rigup ds2072a ds2k_00_sdram.bin

[milek22]

SUCCESS Colleague
I have the keys to the various options
Which do you suggest I use?

[Macman]

I used the NSEQ key for all options and 200MHz but you could use the NS8H key for 300MHz if you think it would be of benifit to you.
Unless you need 300MHz bandwith you are probably better off going with the 200MHz option.

[milek22]

OK buddy. The keys have to enter in scope? Is the command line?
When I turn off the scope? Can I make a JTAG cable off of SCOPE?
I'm buddy helped, not know how you have to repay

[Macman]

You should now power down the scope, remove the JTAG cables, put the shielding back on the scope.
turn on the scope.
Press the Utility key.
Press the Down Arrow key.
Select Options.
Select Setup.
Select Editor ON.

Now you can enter the key.

Assuming the key is accepted, turn Off the scope and reassemble and enjoy your upgraded scope.

[milek22]

I did exactly as you wrote. I already have a rich version. Thanks to you.
Thanks again and I cordially greet.
 

[Macman]

At least we know the some of the Alera blaster clones work with windows as well as Linux.

Just out of interest, do you remember how long it tool to dump the file? I guessed it should have been 20 minutes. I got you to do a partial dump because that is all that should have been needed. When I did it I did a full dump that took about 3 hours.

[milek22]

It took 15-20 min. Olimex ordered and here you are, Altera did. How to cool off a bit of a write post step by step how it was done. Of course, thanks to you.

[PepeK]

It took 15-20 min. Olimex ordered and here you are, Altera did. How to cool off a bit of a write post step by step how it was done. Of course, thanks to you.

Congratulations ! Which Altera blaster have you used ? It would be nice if you post here its photo + a photo of the PCB inside + a name of the eBay seller.
This will save another people's money, as the price difference between Olimex and Chinese clones is quite large.

[Macman]

@Pepek
Milek has already posted a picture of the internals on page 6 of this thread.
The link to the Altera blaster I used which looks the same as Milek's is http://www.ebay.com/itm/Mini-USB-Blaster-ALTERA-Cable-for-FPGA-CPLD-NIOS-JTAG-Altera-Programmer-/181379827152?ssPageName=ADME:L:OC:GB:3160

[Gandalf_Sr]

OK guys.....

Eventually, I got to run the JTAG dump with the Olimex ARM-USB-OCD, here are a couple of pointers....

1.  When you run the Zadig utility, the drop down appears to be empty, you have to go into the menus and choose Options>List All Devices and the list will fill with the available items.
2.  After the dumps, I could not find my files, they were not in the .exe directory of bfin.  I went wandering through all the system directories and eventually found them in a SysWOW64 directory.

Now I ran rigup scan <filename> against them and I have the following...

RC5KEY1:        XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RC5KEY2:        XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXTEAKEY:       XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PUBKEY:         xxxxxxxxxxxxxxxxxx
PRIVKEY:        XXXXXXXXXXXXX
SERIAL:         DS2FXXXXXXXXX

I think I'm there, how do I know which one is which?

[Slappy_g]

OK guys.....

Eventually, I got to run the JTAG dump with the Olimex ARM-USB-OCD, here are a couple of pointers....

1.  When you run the Zadig utility, the drop down appears to be empty, you have to go into the menus and choose Options>List All Devices and the list will fill with the available items.
2.  After the dumps, I could not find my files, they were not in the .exe directory of bfin.  I went wandering through all the system directories and eventually found them in a SysWOW64 directory.

Now I ran rigup scan <filename> against them and I have the following...

RC5KEY1:        XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RC5KEY2:        XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXTEAKEY:       XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PUBKEY:         xxxxxxxxxxxxxxxxxx
PRIVKEY:        XXXXXXXXXXXXX
SERIAL:         DS2FXXXXXXXXX

I think I'm there, how do I know which one is which?

I thought I had specified to use the all devices option in my instructions. Hmm...

Also, you now need to run RIGUP DS2072A FILENAME.BIN

That will give you the keys for each option type. Note that I strongly recommend avoiding the 300 MHz option. Go for 200 + all options.

Sent from my SM-N900T using Tapatalk

[Gandalf_Sr]

  SUCCESS!

The key worked perfectly, the scope is back together, it reports all options +200 MHz.

One bit that was worrying me was that you enter DS2072A even though the scope is an MS2072A but you have to enter DS2072A

Thank you so much for everybody that helped, especially Slappy_g, MarcelM, Teneyes, and 0xPIT

What are the concerns you have over applying the 300 MHz option? If I wanted to try it, do I just enter that key or do I have to uninstall the one I just entered?

[mscreations]

What are the concerns you have over applying the 300 MHz option? If I wanted to try it, do I just enter that key or do I have to uninstall the one I just entered?

Congratulations on the success!

As for skipping  the 300 MHz option, the mega thread had some posters that said they had issues with the 300MHz option (such as freezing and what not). That was the primary reason I skipped it.

The other reason is that some people have said that the scope still doesn't quite have enough "hardware" to keep up with that kind of signal.

[Slappy_g]

SUCCESS!

The key worked perfectly, the scope is back together, it reports all options +200 MHz.

One bit that was worrying me was that you enter DS2072A even though the scope is an MS2072A but you have to enter DS2072A

Thank you so much for everybody that helped, especially Slappy_g, MarcelM, Teneyes, and 0xPIT

What are the concerns you have over applying the 300 MHz option? If I wanted to try it, do I just enter that key or do I have to uninstall the one I just entered?

Glad you're up and running!

As to the 300 MHz, I follow the conservative 10x sampling rule. 2 GHz sampling rate means I don't want to go above 200 MHz for good signal reproduction.

Sent from my SM-N900T using Tapatalk

[Bukurat]

SUCCESS!

The key worked perfectly, the scope is back together, it reports all options +200 MHz.

One bit that was worrying me was that you enter DS2072A even though the scope is an MS2072A but you have to enter DS2072A

Thank you so much for everybody that helped, especially Slappy_g, MarcelM, Teneyes, and 0xPIT

What are the concerns you have over applying the 300 MHz option? If I wanted to try it, do I just enter that key or do I have to uninstall the one I just entered?

Glad you're up and running!

As to the 300 MHz, I follow the conservative 10x sampling rule. 2 GHz sampling rate means I don't want to go above 200 MHz for good signal reproduction.

Sent from my SM-N900T using Tapatalk

Just thinking aloud, early in one of the many threads so this instrument it was suggested that the bandwidth restriction was due to a filter early in the signal path.  If the bandwidth is quoted at 3db points would it not be better to open up the bandwidth to max 300Mhz to get a better response at 200Mhz?

I don't have anything that gives me a reproducible accurate signal at 200Mhz. Perhaps someone with the the necessary equipment to hand could check.

[Slappy_g]

Just thinking aloud, early in one of the many threads so this instrument it was suggested that the bandwidth restriction was due to a filter early in the signal path.  If the bandwidth is quoted at 3db points would it not be better to open up the bandwidth to max 300Mhz to get a better response at 200Mhz?

I don't have anything that gives me a reproducible accurate signal at 200Mhz. Perhaps someone with the the necessary equipment to hand could check.

Yeah, it's worth investigating. My fear was of aliasing and other artifacts, due to the sampling rate being fixed.

There was part of me screaming "UNLOCK ALL OF THE THINGS!!!111one" but I held it in check. I don't really need that kind of bandwidth.

[Gixy]

Let's assume a signal of 300MHz. At 2Gs/s, that gives a ratio of 6.67 samples per period and a theorical amplitude error of 1.1%. For 200MHz, the error is 0.5% (10 samples per period). Higher frequencies leading to artefacts are supposed to be filtered in the first stages. Nevertheless, application cases for this bandwith are not very common...

[Gandalf_Sr]

I entered the 300 MHz option key today and it now shows the 200 and 300 MHz options separately at the bottom of the options list.  Not sure what I gain by having both?  The minimum horizontal timescale is now 1 nS and everything seems to work fine.

FYI, the probes that come with the MSO2072A are 10:1 but the option 'upgrade' reset the channels to X1.

[AntiCat]

I'm from Switzerland so it is an additional 130$ for shipping and 200$ for import taxes. This is approximately the same as the local distributor. At this price range I prefer to have a point of contact nearby. However your suggestion is very tempting..

I gave up on the Swiss distributor and ordered mine from drieg (forum user). I received a super friendly forthcoming service. His online shop mixes up the VAT so if you live in Europe and are considering to order drop him an email for a price quote without TAX.

I would like to hank Slappy_g and PepeK for the great guide. It made my life very easy 

It looks like Rigol released a new Firmware last week. Did any one try it?

[Slappy_g]

@AntiCat

Thanks and glad to hear it helped!

As to firmware, say what?! There's a new one out? Hmm....

Sent from my SM-N900T using Tapatalk

[AntiCat]

@AntiCat
As to firmware, say what?! There's a new one out? Hmm....

I could be wrong.
http://beyondmeasure.rigoltech.com/acton/form/1579/0012:d-0001/1/index.htm?id=0012
Shows DS/MSO2000/A/-S: 00.03.01

Latest I saw on this Board was DS/MSO2000/A/-S: 00.03.00 SP1

[Slappy_g]

@AntiCat
As to firmware, say what?! There's a new one out? Hmm....

I could be wrong.
http://beyondmeasure.rigoltech.com/acton/form/1579/0012:d-0001/1/index.htm?id=0012
Shows DS/MSO2000/A/-S: 00.03.01

Latest I saw on this Board was DS/MSO2000/A/-S: 00.03.00 SP1

Unfortunately, I think that is the same thing. It's the difference in how it is displayed internally versus on the about screen.

Sent from my SM-N900T using Tapatalk

[navzptc]

Having had to help a friend out try to get his Olimex JTAG working, and following on from Slappy_g's excellent write up, I thought I would also post the information here on how to set up the Olimex reader with Win 7 64bit - I am sure this will also be the same for 32 bit

Drivers used are the ARM-USB-OCD-H-Drivers I posted a few pages back - Presume they would also work on non 'H' version.

Any reference to Capturexx is the screen shot that goes with the write up.

1.    Right here we go – Attach Olimex JTAG reader to USB port, hopefully you will hear the beep and 2 'other devices' will have appeared in Device Manager.
 
2.    Right click first ‘other device’ (Olimex) – update driver software – browse my computer for driver software – enter location in window (browse button to find directory) then ‘next’ – ‘Capture2
 
3.    Choose ‘Install this driver software anyway’ option – Capture3
 
4.    Success, it has installed the driver for USB serial converter A – Capture4
 
5.    Repeat steps 2~4 for remaining ‘other device’ and USB Serial converter B installed – Capture5
 
6.    You should now have 2 new ‘other devices’ (USB Serial Ports) – (If not press rescan icon on icon bar at top of device manager) AND USB Serial Converters A & B under USB Conrollers – Capture6
 
7.    Right click first ‘other device’ (USB Serial Port) – update driver software – browse my computer for driver software – enter location in window (browse button to find directory) then ‘next’ – ‘Capture7
 
8.    Once again ‘Install this driver software anyway’ – Capture8
 
9.    We now have a new USB Serial Port (Com12 in MY case) under Ports – Capture9
 
10.    Repeat above for remaining ‘other device’ (USB Serial Port) as above – Capture10
 
11.    So far, so good    - We should now have 2 new USB Serial Ports and 2 new USB Serial Converters A & B – Capture11
 
12.    Now load Zadig – Choose Olimex (Interface 0) and press replace driver button – Capture12 & 13 (See Slappy_g's post on page 5)
 
13.    Device Manager should now have changed to 1 USB Serial Port (COM13 in MY case), USB Serial Converter B and Olimex (Interface 0) – Capture14
 
14.    Now the Fun Starts!! Connect Olimex to DSO and switch DSO on - Open up your Blackin ‘bin folder’, open up 2 command windows (shift/right click) in ‘bin’ folder, and in first Command window type : ‘ bfin-gdbproxy.exe --debug bfin --frequency=5000000 ‘    - Capture15
 
15.    Hopefully it will work and show as per the image.
 
16.    If we do get this far,  in second Command window type: ‘ bfin-elf-gdb.exe  THEN target remote :2000 THEN info mem ‘ – Capture16
 
17.    By Now I hope you are cheering 

18     Then type in second Command window: dump binary memory <filename>.bin 0x00000000 0x01FFFFFF   Use a name of your choice for <filename>

Andy

[DocSnyder]

Hello Peter,

that sounds very interesting. Can you describe it a bit further? How did you copy those parts together? Maybe this is the most elegant way ever.

Thanks

[Gandalf_Sr]

@navzptc

Thanks for the write up on adding the drivers.  I used the driver set that Slappy_g linked to at the end of his big list of instructions.  I don't know why but my dump.bin file ended up in the C:\Windows\SysWOW64 directory, not in the same folder as the bfin.exe files.

This link http://www.samlogic.net/articles/32-64-bit-windows-folder-x86-syswow64.htm explains the SysWOW64 thing.

[Gandalf_Sr]

@PeDre

Interesting.  How do you connect to the DS2072A?  Is it using LAN or USB?  Where do you get the SCPI utility?  This could be a much simpler route to get the memory dump if you don't need to take the back off the scope, buy a JTAG system, and make an interface cable.

[DocSnyder]

Peter, what is name of this tool you used to get the answers of the scope saved?

Thanks

[Gandalf_Sr]

Also, Slappy_g has a much smaller memory range to dump so it's possible that a single :SYST:UTIL:READ? LLLLLLLLL,HHHHHHHHH command will grab the license key data if we come up with the right numbers.  If you google "SCPI Rigol" you'll get hits for how to do this, looks like you can connect using USB or LAN but I'm not sure what the best tool is - PeDre?

[AntiCat]

:SYST:UTIL:READ? 1,1048576

  is the only comment I can come up with. Great discovery!!! 

[DocSnyder]

Now I have to wait for my MSO2072A to arrive. If this works, the Olimex ARM USB i recently bought is useless. @Peter: Great Tool. I mean the main purpose of it.

[HiassofT]

You can read the memory of the MSO2072A with a SCPI command.
Here, each in 1 MB increments up to 32 MB:

:SYST:UTIL:READ? 1,1048576

Thanks a lot for sharing this information!

It looks like the READ? command also accepts ranges larger than 1MB, so with :SYST:UTIL:READ? 1,33554432 you can read a 32MB memory block with a single command - and don't need to merge all the chuncks.

IMO the easiest way to issue SCPI commands is to use netcat (for example "ncat" from nmap.org or the openbsd "nc" on Linux) - just connect to TCP port 5555.

With ncat from nmap.org you can get a 32MB dump with this one-liner (tested on Linux and Windows XP):

Code: [Select]

echo :SYST:UTIL:READ? 1,33554432 | ncat -i 1 IP-ADDRESS-OF-SCOPE 5555 > memory.dump
so long,

Hias

[centon1]

https://www.eevblog.com/forum/Smileys/default/icon_smile_thumbsup.gifWooHoo!

I was just about to tackle the JTAG route using a $6.00 eBay USB Blaster and was getting ready to slip the warranty seal when I read Peter's post.

Well, twenty minutes later without lifting the seal and without opening the case my mso2072a now reports as an mso2202a. Yippe!

I would just like to thank PeDre, Slappy_g, Gandalf_Sr and others for their efforts, expertise and tenacity. Your selflessness in sharing information and knowledge makes this a better forum and a better 'blue marble' in which to participate daily. https://www.eevblog.com/forum/Smileys/default/clap.gif

This not so young noob truly thanks you.

Have a great one. Cheers

[conte_vlad]

It is my program for the screenshots, but can also send SCPI commands.

http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/

For the LAN connection no driver or installation is necessary.

Peter

 

thanks,thanks,thanks,thanks,thanks,thanks,thanks,thanks,thanks,thanks,thanks,
thanks,thanks,thanks,thanks,thanks,thanks,thanks,thanks,thanks,thanks,thanks,
thanks,thanks,thanks,thanks,thanks,thanks,thanks 

all updated on MSO but no way for 200 and 300MHz, I will investigate more

[WesleyK]

Woah, great work! Just unlocked all options + 200Mhz in <30 minutes. I used these posts:

Rigol Bildschirmkopie:
https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg508936/#msg508936

Config file for SCPI
https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg508969/#msg508969
Use this file to overwrite the one in your "resources" folder in Rigol Bildschirmkopie. Thanks to Pedre for the application + config file.

SCPI command:
:SYST:UTIL:READ? 1,33554432
to get a 32MB dump without the need to merge any files.

I then used Rigup as described earlier in this thread by Slappy_G to get my serial codes. Inputting the serial key was the hardest part  with the not that great multi purpose rotary encoder.. Took me a few minutes but its now reporitng as a MSO2202A with all options installed.
Thanks again

[ulrik]

Well done Peter!    Well done to all in this thread who made really great contributions! 

:SYST:UTIL:READ?  seems to be a undocumented SCPI command, isn't it? At least I couldn't find it in rigols programmers handbook - Hmmm - I can imagine why...     
Is more known about other SYST:UTIL commands? Have some other undocumented SCPI commands been discovered yet?

Is it possible to send a batch of SCPI commands (a macro?) with Peters software?

[mscreations]

Nicely done!

I have verified that you can quickly get a dump using the SCPI method. Run the program below (it's in German? but it's easy enough to figure out what you need to do.) In the opening screen, click on select and find your device on the LAN. Then choose Device and SCPI-Command. Run the following SCPI command (tested on MSO2072A) ":SYST:UTIL:READ? 15441920, 13262848". These numbers correspond to the 0x00EBA000 and 0x01B60000 addresses from slappy_g. By shortening the memory dump, this takes a minute at most to do the dump.

After it finishes, click Save and save it in the same directory as rigup. Then just run "rigup ds2072a filename.dump.scpi" replacing filename.dump.scpi with the appropriate filename.

It is my program for the screenshots, but can also send SCPI commands.

http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/

For the LAN connection no driver or installation is necessary.

Peter

[Slappy_g]

@Pedre:

Excellent find! I'll update my instructions tonight!

Sent from my SM-N900T using Tapatalk

[conte_vlad]

 

all done, MSO2102A all option +300MHz. Great job

[HiassofT]

:SYST:UTIL:READ?  seems to be a undocumented SCPI command, isn't it? At least I couldn't find it in rigols programmers handbook - Hmmm - I can imagine why...     
Is more known about other SYST:UTIL commands? Have some other undocumented SCPI commands been discovered yet?

The SCPI command table seems to be located at around 0x00F0EC00. You can read it with ":SYST:UTIL:READ? 15789057,20000".

:SYST:HVER? seems to report the hardware version - 2.2

WRITe might be the complement to READ?. LOCK, UNLock, ERASe and FLASh might be for accessing the flash - but as I have no intentions of bricking my scope I haven't played with them. Not sure what QSET might be for.

BTW: I did a full 128MB dump (took some 4 minutes using netcat) and it looks like there's nothing interesting above 32MB.

so long,

Hias

[Gandalf_Sr]

And I thought SCPI was a bush kangaroo! 

What would I know? They don't have kangaroos here in Somalia.

Well done PeDre for finding an awesome back door into the Rigol system.

Now I'm considering making a piece of techno-art comprising of 2 x 'Altera' USB Blasters, 1 x Bus Blaster, an Olimex ARM-USB-OCD, 2 x JTAG adapters, 3 x invoices for online purchases, and a voucher for 2 wasted weeks of my life, any ideas anyone? 

For those who think I've lost it, this was meant to be humorous.

[PepeK]

The Rigol product are unbelievable hacker friendly. I cannot image any reason for implementing a feature, which accepts commands for reading the internal RAM's content. They block something (like possibility to downgrade a firmware) but there is still a big backdoor. Why ?

[conte_vlad]

why? perhaps because a big market of low entry customer that see a great opportunity to pay less and have more, professionals anyway has the official version and the topmost are often out of hobbist budget suche if they can choose the choice goes to a free-upgradables items

Meanwhile..I am looking for a update also for my DG1032Z...if someone has anyidea  O0

[pascal_sweden]

This is the most convenient hacking approach ever! That deserves several Belgian beers

With this new finding, I really wonder why people are still opening up their Rigol scopes as of today.
There is still an active thread here on this forum where they use the conventional "open up your scope" way, with the title "Sniffing the Rigol's internal I2C bus".
Should we inform these guys about the new approach? =)

[Gandalf_Sr]

This is the most convenient hacking approach ever! That deserves several Belgian beers

With this new finding, I really wonder why people are still opening up their Rigol scopes as of today.
There is still an active thread here on this forum where they use the conventional "open up your scope" way, with the title "Sniffing the Rigol's internal I2C bus".
Should we inform these guys about the new approach? =)

I already did

[PepeK]

I can confirm, the command  ":SYST:UTIL:READ? 15441920, 13262848" works perfectly on my MSO 2072 A. The scope is connected via Lan cable.
SW 3.0.SP1
HW 2.2
The rigup.exe tool generates keys in miliseconds.

[PepeK]

The scope is unlocked now for all options and 200 MHz bandwidth. Thank to everybody.
BTW : I entered the unlock code manually via the scope's rotary encoder, it was not possible to send it as a SCPI command.

[eyteam]

The software will find the MSO1074Z at Port 617 and the screen copy works fine to.
But the ":SYST:UTIL:READ?" command will not work.
Firmware 4 Serial DS1ZC

[PepeK]

The software will find the MSO1074Z at Port 617 and the screen copy works fine to.
But the ":SYST:UTIL:READ?" command will not work.
Firmware 4 Serial DS1ZC

Have you included also the starting and ending memory range after the question mark ? Maybe there should be the starting address and block length but in all cases the "read' command should be followed by two comma separated numbers.

[eyteam]

Yes i had used ":SYST:UTIL:READ? 1,33554432" and some of the other preset in the config.ini

[kurra]

Firstly, thank you PeDre for this useful little utility. 

I have just tried it on my DS4014 (4000 series) and it does the screenshot OK, but I can't get the SCPI Read command to work 

I tried :SYST:UTIL:READ? 1,1048576 and clicked 'Send & Receive'.
I get an error (after a delay) that says 'There was an error when sending the SCPI command'.
[edit] I have realised this is what PeDre's program says when it times out, not getting a response from the scope[/edit]

The :SYSTEM:DATE? and :SYSTEM:TIME? commands work, so I guess SCPI is working, just not the memory read command.

Is there a list of valid SCPI commands anywhere?
[edit] I just found this document:  http://www.rigol.com/prodserv/DS4000/document/?act=view&itemid=490[/edit]

Ideas anyone?

[Luddi]

received my MSO2072A today
using "Bildschirmkopie" over LAN
+ rigup
+ 3min work

-> MSO2302A

BIG THANKS to all for their great work

[akshaykirti]

Just unlocked the MSO2202A using Bildschirmkopie tool. Had to dump the 32Mb file as the 12MB didn't work.
Used the rigup-0.4 tool to get the keys. Thanks everyone!

Used

Code: [Select]

:SYSTEM:OPTION:INSTALL <Key> to enter the key. Make sure you enter the key without dashes

Software: 03.01
Hardware:2.2
Scope:MS2202A (Not any more  )

 

[Ivan7enych]

My 2 cents,

:SYST:UTIL:READ? 15441920, 13262848
rigup-0.4
:SYSTEM:OPTION:INSTALL <Key>

This combination works fine, now upgrading the 2072A series scope becomes much easier than half a year ago (flashing hacked firmware to get the keys...)

Here are the pictures of a rise time before and after key installation on an MSO2072a MSO2302a. 

[lapoltba]

My 2 cents,

:SYST:UTIL:READ? 15441920, 13262848
rigup-0.4
:SYSTEM:OPTION:INSTALL <Key>

This combination works fine, now upgrading the 2072A series scope becomes much easier than half a year ago (flashing hacked firmware to get the keys...)

Here are the pictures of a rise time before and after key installation on an MSO2072a MSO2302a. 

Wow.... 1.15ns!  I'm sold.

*edit: typo  ns, not ms

[Gandalf_Sr]

My 2 cents,

:SYST:UTIL:READ? 15441920, 13262848
rigup-0.4
:SYSTEM:OPTION:INSTALL <Key>

This combination works fine, now upgrading the 2072A series scope becomes much easier than half a year ago (flashing hacked firmware to get the keys...)

Here are the pictures of a rise time before and after key installation on an MSO2072a MSO2302a. 

Wow.... 1.15ms!  I'm sold.

Not mS, not even uS, but nS

[lapoltba]

Whoops!  Typo on my part.  I did mean ns, that is fantastic.

[Ivan7enych]

To get smallest rise time, you need -
1 a very good signal source (in my case it is a test pins on an old tek tds744 scope, it's rise time I suppose < 500ps ),
2 connect probe to the source with as short as possible wires, to connect ground I use a small spring found in probe accessories. Standard 10cm ground connector makes rise time worse and produces additional ringing.

[bithead]

This is awesome.

I decided to get the DS2072a because of Dave's video comparing the DS2072a and the DS1052e.  I was previously considering the 1052 because of the price and it's ability to be hacked for 100MHz -- I figured the extra functions with the 2072 more than made up for the loss of 30MHz of bandwidth.

But here I am, after taking delivery of a DS2072a yesterday, with a scope that thinks it's a DS2202a with all the options, after typing THREE COMMANDS.

You guys are awesome.

[marmad]

-- I figured the extra functions with the 2072 more than made up for the loss of 30MHz of bandwidth.

BTW, the bandwidth of an unhacked DS2072 is something around 115MHz (the 70MHz moniker is just marketing) - so you would have had 100MHz even without the hack. The DS2202's BW is around 225MHz.

[etl17]

One more successful story here. DSO2072A-S --> DSO2302A-S + All options.

Thank you!   :-)

[thepie999]

What a wonderful thread! I should have read this before I paid $200 for the decoding...

Thanks everybody! 

[NZST205]

I have the DS2072A with SW 00.03.00.SP1 and HW 2.0 and have setup a number of Windows machines to try using DS2000A_Upgrade_Utility_1_0_0_1_Installer.exe to upgrade it. The Upgrade Utility seems to perform as described but when I boot the scope into update mode and insert the USB drive the CH1 light doesn't blink, instead all light turn on and stay on. I have tried 4 different USB drives varying in size from 1 to 32Gb.
They all behave the same.
I have therefore concluded that the combination of SW and FW is such that I must adopt an alternative method.
The next approach planned is to us the SCPI Method described elsewhere.
What I can't find is the "rigup.exe" file mentioned. I assumed it was installed from within "DS2000A_Upgrade_Utility_1_0_0_1_Installer.exe" but a search doesn't find it, I am running Win 7 Ultimate SP1.
Can someone please advise where I might find that file please so I can try the SCPI method ? 

[dogcatdog]

Thanks for the utility, worked for the DS2702A   SW 00.03.00.SP1 and HW 2.0
just activated literally 5 mins ago.

[NZST205]

I can't seem to find what format to save the SCPI file in (of the 4 options). ASCII creates a 15kb file and the three byte formats saves files all over 200 MBs. Perhaps as I am running Windows 7 Ultimate un Parallels it may be mucking things up. Can anyone please provide me with some guidance ?

[akshaykirti]

Can someone tell me what signal fidelity issues they had with 300MHz? My scope is 200 MHz by default.

I'm just wondering. The maximum I ever test is like under 20Mhz anyways. All Hail PLL's

[kqkq]

The software will find the MSO1074Z at Port 617 and the screen copy works fine to.
But the ":SYST:UTIL:READ?" command will not work.
Firmware 4 Serial DS1ZC

Just got the same problem on MSO1104Z.
Any solutions?

[boeserbaer]

Hi All,

Success with a newly received MSO2072.  Used the SCPI command.  It confused me that rigup.exe wanted ds2072a as its model number for the MSO series.  This is the command line I used:

rigup ds2072a 2072.scpi
note: 2072.scpi was the filename of my memory dump.  ds2072a is an argument used by rigup.exe to generate keys.

SW version 00.03.00.01.03
Hardware version 1.1.2.2.0
FPGA version:
spu 04.00.07
wpu 01.01.03
ccu 12.29.00
mcu 00.06
lan 01.01.03

This scope was purchased from inventory (tequipment.net), and was shipped 17Dec2014.

Best Regards

note: modified to show full  FW version

[Dave92F1]

:SYST:UTIL:READ? 15441920, 13262848
rigup-0.4
:SYSTEM:OPTION:INSTALL <Key>

That's the best summary in this thread (thanks).

But I'm getting "There was an error when sending the SCPI command." after sending ":SYST:UTIL:READ? 1,1048576" using Peter's RigolBildschirmkopie.  I can get screenshots OK, and the scope replies properly to other SCPI commands, but not :SYST:UITL:READ.

I have a DS2072A, already patched to 300 MHz and all options (see status screenshot below) - I want to update it to firmware 03.00.01.03.

* Can I update by putting DS2000Update.GEL on a USB stick and installing, or will that break the 300 MHz+options?

* How can I fix the "There was an error when sending the SCPI command." error?

And, while I'm asking questions,

* What was changed in the firmware in 3.x?

--Dave

[Eng_hassan85]

I would like also to say this is really awesome thread 

I got my DS2072A yesterday .. and now all options unlocked and B.W of 300 MHz active ..

I used the Option of rigup with the soultion from Peter (you are really a star ) and it worked like charm 

Thanks guys .. you really made my day .. Keep up !!

[remilton]

I would like also to say this is really awesome thread 

I got my DS2072A yesterday .. and now all options unlocked and B.W of 300 MHz active ..

I used the Option of rigup with the soultion from Peter (you are really a star ) and it worked like charm 

Thanks guys .. you really made my day .. Keep up !!

Congrats!  Did you use the JTAG method or SCPI commands to get your memory dump?

[TitusPullo]

Hi everybody,

I have been following the several hundred pages of discussions related to the Rigol 2000 series scopes in the past few days and have finally decided to order a DS2072A.
Well, it arrived today and besides the fan being way too noisy and the "stench" of new electronic equipment enhancing the air, my impression is quite favourable.
I have a few 20-30 year old (heavy and bulky) analog scopes here, which are slowly starting to die on me, so this will probably replace them in most situations.

Of course I tried to rig up the device and was surprised that it allows me to enhance the bandwidth to 100MHz, but no more than that (neither 200 nor 300 work).
It must have to do with the software revison  03.01.00.04, which is installed. Can anybody else confirm this experience?
Obviously the keys are still working, as all other options are available now. Or is it that the hw-rev 1.0.2.0.2 has some limitations, which are set via strappings on the board?
Well, it still triggers on 5ns pulses, so I don't expect this to be much of a limitation for my intended usage.

Btw. cudos to all the involved people, who did all the work, testing  and research, code writing/breaking etc. (too long a list to name them here, but I guess they know)

[Eng_hassan85]

Congrats!  Did you use the JTAG method or SCPI commands to get your memory dump?

Thanks hope you too to upgrade if not yet  .. I used the SCPI command .. I am going to share the steps exactly taken to help anyone need to follow this method

after connecting my Scope into LAN and used Peter Program I followed the below steps :

0- Install the software provided with your scope "Ultra Sigma " and restart your machine .
1- start Peter Program and search for the Scope (either USB connection or Lan Connection ) it will appear in the program .. copy the Address of it .. you will use it with the commands below .
2- start SCPI command window from the program itself and enter the below command after updating the Scope address into it .
echo :SYST:UTIL:READ? 15441920,13262848 | ncat -i 1 TCPIP::<IP Address here for the Scope (from peter program)>::INSTR 5555
be patient it  will take some time around 10  minutes !
3- Use the save button to save the memory dump into a file in your local drive say name it (DS2072A_sdram.bin).
4- Open CMD window and navigate to where you have the file that you created .
5- rigup scan DS2072A_sdram.bin > EC-keys.txt
6- rigup DS2072A DS2072A_sdram.bin > Options.txt , note the bold "A" here as without the A it was not working .
7- the generated file "Options.txt" will contain all the needed Keys in the below form :

NSEH:  xxxxxx-xxxxxx-xxxxxx-xxxxxx    All options, no bandwidth upgrade
NSER:  xxxxxx-xxxxxx-xxxxxx-xxxxxx    All options, bandwidth 100 MHz
NSEQ:  xxxxxx-xxxxxx-xxxxxx-xxxxxx    All options, bandwidth 200 MHz
NS8H:  xxxxxx-xxxxxx-xxxxxx-xxxxxx    All options, bandwidth 300 MHz

8- back to your Scope and use the Utility >> Editor to enter the Key you want and Bingo  you are done .

Hope this will be useful to anyone interested in this method as this method has advantage to not avoid any warranty and not taking apart your Scope

[remilton]

Congrats!  Did you use the JTAG method or SCPI commands to get your memory dump?

Thanks hope you too to upgrade if not yet  .. I used the SCPI command .. I am going to share the steps exactly taken to help anyone need to follow this method

after connecting my Scope into LAN and used Peter Program I followed the below steps :

0- Install the software provided with your scope "Ultra Sigma " and restart your machine .
1- start Peter Program and search for the Scope (either USB connection or Lan Connection ) it will appear in the program .. copy the Address of it .. you will use it with the commands below .
2- start SCPI command window from the program itself and enter the below command after updating the Scope address into it .
echo :SYST:UTIL:READ? 15441920,13262848 | ncat -i 1 TCPIP::<IP Address here for the Scope (from peter program)>::INSTR 5555
be patient it  will take some time around 10  minutes !
3- Use the save button to save the memory dump into a file in your local drive say name it (DS2072A_sdram.bin).
4- Open CMD window and navigate to where you have the file that you created .
5- rigup scan DS2072A_sdram.bin > EC-keys.txt
6- rigup DS2072A DS2072A_sdram.bin > Options.txt , note the bold "A" here as without the A it was not working .
7- the generated file "Options.txt" will contain all the needed Keys in the below form :

NSEH:  xxxxxx-xxxxxx-xxxxxx-xxxxxx    All options, no bandwidth upgrade
NSER:  xxxxxx-xxxxxx-xxxxxx-xxxxxx    All options, bandwidth 100 MHz
NSEQ:  xxxxxx-xxxxxx-xxxxxx-xxxxxx    All options, bandwidth 200 MHz
NS8H:  xxxxxx-xxxxxx-xxxxxx-xxxxxx    All options, bandwidth 300 MHz

8- back to your Scope and use the Utility >> Editor to enter the Key you want and Bingo  you are done .

Hope this will be useful to anyone interested in this method as this method has advantage to not avoid any warranty and not taking apart your Scope

Thank you for the fine detail.  The info is always on the blog but can be difficult to assemble as it is a bit piece meal.

I will be getting my DS2072a next week(my second one).  I will be wait a few days to hack though as first scope I received had a habit of locking up often and I want to make sure this one is working well before I unlock it.

[TitusPullo]

Update:

after glancing through the (huge) thread, I found this remark: All Options + 300Mhz" YOU SHOULD USE NS8N - Sure enough, that did the trick for 300MHz.
Of course this is pushing the scope, as you can see if you apply a 635MHz signal with a 1G samplingrate.
However the signal fidelity is not bad and although I was aiming for 200 MHz I think I will just leave it like this.

[Teneyes]

New Firmware for DS1000Z and MSO/DS2000 Here

[sidener]

Has anyone had any experience reading the memory and decoding the option keys from a Rigol Arbitrary Waveform Generator like the DG5072 using the same technique as on the MSO2000 series?

[infinitybit]

I just unlocked the MSO2072A-S using using Bildschirmkopie tool.  The command echo :SYST:UTIL:READ? 15441920,13262848 | ncat -i 1 TCPIP::<IP Address here for the Scope>::INSTR 5555 didn't seem to work.  Instead I used :SYST:UTIL:READ? 1,33554432.  I had to dump the whole 32 megs because rigup didn't find any keys in 12 meg chunk.

Thank you to everyone who made this possible.

[Purevector]

Update:

after glancing through the (huge) thread, I found this remark: All Options + 300Mhz" YOU SHOULD USE NS8N - Sure enough, that did the trick for 300MHz.
Of course this is pushing the scope, as you can see if you apply a 635MHz signal with a 1G samplingrate.
However the signal fidelity is not bad and although I was aiming for 200 MHz I think I will just leave it like this.

To clarify, NS8N should result in All Options -56Meg + 300Mhz.  In other words, you should not have the deep memory option installed.  To get deep memory, you also need to install NSEH.  If you got 56Meg memory using just NS8N, that would be the first reported case I believe.

[TitusPullo]

Update:

after glancing through the (huge) thread, I found this remark: All Options + 300Mhz" YOU SHOULD USE NS8N - Sure enough, that did the trick for 300MHz.
Of course this is pushing the scope, as you can see if you apply a 635MHz signal with a 1G samplingrate.
However the signal fidelity is not bad and although I was aiming for 200 MHz I think I will just leave it like this.

To clarify, HS8N should result in All Options -56Meg + 300Mhz.  In other words, you should not have the deep memory option installed.  To get deep memory, you also need to install NSEH.  If you got 56Meg memory using just NS8N, that would be the first reported case I believe.

I did not use HS8N. The suggested strings were:

NSEH:  8YTNJME-...   All options, no bandwidth upgrade
NSER:  V3MPVKL-...    All options, bandwidth 100 MHz
NSEQ:  8BYN2C7-...    All options, bandwidth 200 MHz
NS8H:  QA9VQS4-...    All options, bandwidth 300 MHz

Of the above only NSER worked. After digging a little more I used NS8N = 0x1C0C3
==> this gave me all options including 56M pts + 300MHz.

It seems that UNISTALL does not work, so I wasn't able to try HS8N.

[Purevector]

I did not use HS8N. The suggested strings were:

NSEH:  8YTNJME-...   All options, no bandwidth upgrade
NSER:  V3MPVKL-...    All options, bandwidth 100 MHz
NSEQ:  8BYN2C7-...    All options, bandwidth 200 MHz
NS8H:  QA9VQS4-...    All options, bandwidth 300 MHz

Of the above only NSER worked. After digging a little more I used NS8N = 0x1C0C3
==> this gave me all options including 56M pts + 300MHz.

It seems that UNISTALL does not work, so I wasn't able to try HS8N.

Sorry, HS8N was a typo (corrected)... I meant NS8N.  Did you uninstall NSER before using NS8N?  I am the one who initially found the NS8N work around (https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg468951/#msg468951), but on my scope, it did not enable 56Meg option.  I am just curious if it actually did on yours, or if you installed NS8N after NSER.

[TitusPullo]

I did not use HS8N. The suggested strings were:

NSEH:  8YTNJME-...   All options, no bandwidth upgrade
NSER:  V3MPVKL-...    All options, bandwidth 100 MHz
NSEQ:  8BYN2C7-...    All options, bandwidth 200 MHz
NS8H:  QA9VQS4-...    All options, bandwidth 300 MHz

Of the above only NSER worked. After digging a little more I used NS8N = 0x1C0C3
==> this gave me all options including 56M pts + 300MHz.

It seems that UNISTALL does not work, so I wasn't able to try HS8N.

Sorry, HS8N was a typo (corrected)... I meant NS8N.  Did you uninstall NSER before using NS8N?  I am the one who initially found the NS8N work around (https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg468951/#msg468951), but on my scope, it did not enable 56Meg option.  I am just curious if it actually did on yours, or if you installed NS8N after NSER.

Exactly - I did not uninstall NSER but installed NS8N on top of it. Seems to have no adverse effects. I tried to get rid of the NSER with UNINSTALL - but that does not work - so I'm stuck with it.

[peter_3425]

Hello to all,
I just unlocked my DS2072A too, I don't need the funktion or the 300Mhz band width urgent because i am a hobby user. But i was interessted if it works with the description here. Great it really works   

After i had done this i wanted to test the command ":SYSTem:OPTion:UNINSTall" and all Options goes back to the "Trial Mode". The Model description goes back from DS2302A to DS2072A. But I don't reboot the scope and made some more measurements.

Then I discover that the time base after the unsinstall didn't go back from 1ns to 5ns as it is described in the datasheet and now the Rigol scope show a timebase (picture) of 500ps. Hmm interressting... however after a reboot and take it from the power socket it goes back to the normal time base.

regards

Software Version 00.003.01   

[soft4gsm]

One more MSO2072A (SW: 00.03.01 / HW: 2.2) unlocked.
Great work guys!
Thanks.

[Shadow]

Hello,
DS2072A, can not find keys.
I have read 32 mbytes dump via network, oscilloscope was in run mode but rigup tells that no key in dump.
SW 00.03.03.SP1
Do i have to use JTAG ?
WBR,

PS: Correct myself - i used incorrect version of rigup for other scope
After using correct version i could enable 200 MHz ( i don't need more   )
Thank's people...You did fu***ing huge JOB!!!! I think Rigol's users around the world wish you happy
WBR,

[Wmacky]

Awesome! 

Just got my 2072A.   Decided I didn't need an upgrade, and to put it off for months / years. I started reading this thread and that idea last all of 30 minutes.  She's now a mighty fine 300MHZ scope!

Thanks to all the contributors!

BTW A USB connection was tried first with the mem dump program,but kept getting send errors?   Switched to a Lan cable connection and the dump proceeded. It's late and I didn't have time to read the entire thread so I just stumbled through the menus on the DSO till I found a good place to type in the key.   

Bingo 

[Gandalf_Sr]

So, I'm still here lurking.  Am I right is understanding that, even with the latest and greatest firmware, the SCPI route still works?  I ask because I'm wondering if there's a newer firmware for my upgraded MSO2072A.

[JCK]

I just received my DS2072A and successfully  upgraded all options and 300MHz.  I had to use NSEH first, followed by NS8N, got "License unavailable" using the other bandwidth options first.  Many thanks to all for the many hours and hard work spent on this!!!

John

[arabesc]

I've successfully got a code from the rigup-0.4 for ds2302a - there's only one and it's NSEH - but my MSO2302A-S didn't accept it.
Is there something special about this scope?

[DG5SAY]

I've successfully got a code from the rigup-0.4 for ds2302a - there's only one and it's NSEH - but my MSO2302A-S didn't accept it.
Is there something special about this scope?

You have to do rigup again on the MSO. The code will be another than the code from the DS-Model.

[arabesc]

You have to do rigup again on the MSO. The code will be another than the code from the DS-Model.

Am I correct that I have to run rigup one more time with the same memory dump and ds2302a as the first argument, then it will generate a new code?

[DG5SAY]

You have to do rigup again on the MSO. The code will be another than the code from the DS-Model.

Am I correct that I have to run rigup one more time with the same memory dump and ds2302a as the first argument, then it will generate a new code?

You must do a memory dump from the DS2302A and a separate memory dump from the MSO2302A-s of course! Then run rigup with each of this memory dumps and you will get two separate codes. You have two different scopes with two different serial numbers (and different hardware).

[arabesc]

You must do a memory dump from the DS2302A and a separate memory dump from the MSO2302A-s of course! Then run rigup with each of this memory dumps and you will get two separate codes. You have two different scopes with two different serial numbers (and different hardware).

I'm using a memory dump from the MSO2302A-S device.
'ds2302a' is the command line parameter for the rigup utility that I'm using to genrate an unlock code.
And the scope (MSO2302A-S) doesn't accept the code.

[george2002]

Hello all eevblog users
Is there any news for unlocking DS2072A with 00.03.03.02.06 (00.03.03 SP2) installed ? i'm asking because i buyed oscilloscope installed with that version and as for today i tried hack him it with instructions:

Step-1: Installed software "Rigol Bildschirmkopie LAN/USB"   

Step-2: Make a memory dump with SCPI Command, :SYST:UTIL:READ? 1,33554432

Step-3: Use software Rigup to extract the correct license keys options

Step-4: With software UltraSigma and use SCPI command, SYSTem:OPTion:INSTall

^- oscilloscope says that license is wrong ...

2.

via this unlock guide:  http://www.gotroot.ca/rigol/D2072A%20Unlocking%20Guide.pdf

^- no luck to downgrade firmware ... as everyone says that firmware can't be downgraded to older than 00.03.....

and have no luck to hack it and i don't want to mess with jtag for now because osciloscope has varranty ...

If someone knows something i would be very grateful for any info because i bought this equipment with think of more capabilites and  i need them for measurments ...

Best Regards
George2002

[bineteri]

http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/
For the LAN connection no driver or installation is necessary.

I used this program to get the memory dump and send the "install options" command. rigup.exe was used to generate the keys.

My Rigol is a DS2072A with software version 00.03.01, connected via LAN.

It worked like a charm

Thank you everyone.

[CustomEngineerer]

Hello all eevblog users
Is there any news for unlocking DS2072A with 00.03.03.02.06 (00.03.03 SP2) installed ? i'm asking because i buyed oscilloscope installed with that version and as for today i tried hack him it with instructions:

Yes, the hack works with the newest firmware. Keep trying and you'll get it. JTAG and Firmware downgrade are not necessary. I would strongly recommend going back and completely re-reading this thread and then try again. You will get it.

[CustomEngineerer]

Hello all eevblog users
Is there any news for unlocking DS2072A with 00.03.03.02.06 (00.03.03 SP2) installed ? i'm asking because i buyed oscilloscope installed with that version and as for today i tried hack him it with instructions:

Yes, the hack works with the newest firmware. Keep trying and you'll get it. JTAG and Firmware downgrade are not necessary. I would strongly recommend going back and completely re-reading this thread and then try again. You will get it.

I see now why so many people just getting their DS2000A keep asking about the downgrading the firmware and using JTAG.

 http://www.gotroot.ca/rigol/D2072A%20Unlocking%20Guide.pdf

This guide is an older version of the steps. Read through the thread linked below, its only 5 pages long and contains the most recent steps to unlock the DS2000A. I especially recommend getting the RigolBildschirmkopie program mentioned in that thread. You can use it to dump your scopes memory, and then to also input the unlock code once you have generated it.

https://www.eevblog.com/forum/testgear/unlockinghacking-the-rigol-ds2000a-series-scope-the-short-post/msg703044/#msg703044

[ZartPARZ]

Hi, everyone.

First, sorry to dig the old thread. I just want to contribute my experience and say thank to all people contributed in this thread.

I just got my MSO2072A scope. It come with all options except bandwidth in trial mode. The scope has 00.03.04.SP2 firmware and hardware version is 2.2. I try to hack it using information shared in this thread and susceed. All options change to never expire, including 300 MHz bandwidth. The model in system information is alsochange to MSO2302A.

This is the procedure I did:

Requirement
1. The scope, connect via LAN
2. RigolBildschirmkopie http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/
3. rigup 0.4 http://www.gotroot.ca/rigol/

Procedure
1. Start RigolBildschirmkopie and find your scope (select button)
2. Dump scope memory using   :SYST:UTIL:READ? 1,33554432  (Device SCPI-Command)
3. Save data (tick "Save only informative data")
4. run rigup:   rigup ds2072a mem.bin
where ds2072a is your scope model and mem.bin is your memory dump file name, this work for my MSO2072A
5. Note the option codes (rigup generate codes with dash)
6. Send SCPI-Command to install the option you want, romove all dashes
:SYSTem:OPTion:INSTall XXXXXXXXXXXXXXXXXXXXXXXXXXXX
7. Done. Check your option in UTILITY/OPTIONS/Installed


All credits go to those who contribute in this thread.

Thank you.

[pascal_sweden]

For those who own an MSO2000 series. Can you make some YouTube videos?
At this moment there is only one YouTube video about this MSO, and I am looking for a more thorough YouTube video review.

Does the logic analyzer in the MSO2000 operate as a timing analyzer (rely on asynchronous sampling), or a state analyzer (use the system clock for sampling)? Or can it operate both as a timing analyzer and a state analyzer?

[wange]

Hi, everyone.

First, sorry to dig the old thread. I just want to contribute my experience and say thank to all people contributed in this thread.

I just got my MSO2072A scope. It come with all options except bandwidth in trial mode. The scope has 00.03.04.SP2 firmware and hardware version is 2.2. I try to hack it using information shared in this thread and susceed. All options change to never expire, including 300 MHz bandwidth. The model in system information is alsochange to MSO2302A.

This is the procedure I did:

Requirement
1. The scope, connect via LAN
2. RigolBildschirmkopie http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/
3. rigup 0.4 http://www.gotroot.ca/rigol/

Procedure
1. Start RigolBildschirmkopie and find your scope (select button)
2. Dump scope memory using   :SYST:UTIL:READ? 1,33554432  (Device SCPI-Command)
3. Save data (tick "Save only informative data")
4. run rigup:   rigup ds2072a mem.bin
where ds2072a is your scope model and mem.bin is your memory dump file name, this work for my MSO2072A
5. Note the option codes (rigup generate codes with dash)
6. Send SCPI-Command to install the option you want, romove all dashes
:SYSTem:OPTion:INSTall XXXXXXXXXXXXXXXXXXXXXXXXXXXX
7. Done. Check your option in UTILITY/OPTIONS/Installed


All credits go to those who contribute in this thread.

Thank you.

Thousand thanks to you and of course both software providers! It was a 10 minute job to make me very happy.
Extrem helpfull, exact description!
Very happy to read in System Information
Model: MSO2202A (20 minutes ago was a MSO2072A)
Software Version: 00.03.04.SP2
Hardware Version: 2.2
all options permanent!

Power off, power on -> same reading!     

[Slappy_g]

Hi, everyone.

First, sorry to dig the old thread. I just want to contribute my experience and say thank to all people contributed in this thread.

I just got my MSO2072A scope. It come with all options except bandwidth in trial mode. The scope has 00.03.04.SP2 firmware and hardware version is 2.2. I try to hack it using information shared in this thread and susceed. All options change to never expire, including 300 MHz bandwidth. The model in system information is alsochange to MSO2302A.

This is the procedure I did:

Requirement
1. The scope, connect via LAN
2. RigolBildschirmkopie http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/
3. rigup 0.4 http://www.gotroot.ca/rigol/

Procedure
1. Start RigolBildschirmkopie and find your scope (select button)
2. Dump scope memory using   :SYST:UTIL:READ? 1,33554432  (Device SCPI-Command)
3. Save data (tick "Save only informative data")
4. run rigup:   rigup ds2072a mem.bin
where ds2072a is your scope model and mem.bin is your memory dump file name, this work for my MSO2072A
5. Note the option codes (rigup generate codes with dash)
6. Send SCPI-Command to install the option you want, romove all dashes
:SYSTem:OPTion:INSTall XXXXXXXXXXXXXXXXXXXXXXXXXXXX
7. Done. Check your option in UTILITY/OPTIONS/Installed


All credits go to those who contribute in this thread.

Thank you.

I'm rejoining the forum after being away for a couple years, but it's great to see people still getting value from the old information.

Sent from my SM-N910T3 using Tapatalk

[TurboTom]

I recently got myself a DS2072A-S to replace a "prehistoric" TDS220  in my small "basement lab". I found it on the european Rigol clearance sales page: http://www.rigol.eu/clearance/#a_DS2072A-S

The price was quite good so I gave it a go, of course having the hacking options in the back of my mind. The instrument appeared unused but clearly had been taken out of the box before, so no problem here, just as specified in the description. Yet, directly when I powered it up, the "greyed-out" sign of the logic analyzer was displayed in the bottom row of the screen. Further tests showed it was working as expected, yet, I could select the digital inputs as trigger sources.

Since I anyway intended to swap out the multi-function encoder with a detented one, I disassembled the device and guess what I found: It countains the PCB with the fully populated MSO section (one more FPGA, all the input comparators and the corresponding "chicken food"... Even the socket that accepts the digital probe is installed.

One more thing that caught me by surprise is that the installed firmware is 00.03.05.00.01, a version that isn't available for download yet. The hack worked as described in this thread before -- thanks a lot for the nice step-by-step guide by the way!

Once the instrument was completely stripped of it´s covers (back and front), I powered it up and shorted the contacts of the logic analyzer menu button that was missing from the silicone switch membrane and of course, the menu and the LA traces popped up. So I guess after a certain "shakedown period", I´ll cut out the corresponding holes in the bezel (simple thing since there are anyway reinforced guides inside) and salvage a rubber key from an obsolete telly remote or similar scrap item. The only tricky thing might be making the LA probe set. I think I remeber someone reported the prices for a spare original one from Rigol are completely beyond reason.

Does anybody know if Rigol currently sells all their DS2072A-S with a full MSO board inside or was I just lucky to receive a "one-of-a-kind"?

Cheers,
Thomas

[Orange]

One more thing that caught me by surprise is that the installed firmware is 00.03.05.00.01, a version that isn't available for download yet. The hack worked as described in this thread before -- thanks a lot for the nice step-by-step guide by the way!

Firmware 3.05 can be downloaded from here
https://www.eevblog.com/forum/testgear/first-impressions-and-review-of-the-rigol-ds2072-ds2000-series-dso/msg997548/#msg997548

[TurboTom]

Finally I decided to make use of a grinder and converted my recently acquired DS2072A-S to a full MSO2302A-S. Opening up the slot for the parallel probe connector wasn't that difficult since it anyway had the guiding sleeve molded internally. Finding, modifying and attaching the missing "LA" key to the silicone rubber membrane caused me much more headache. But finally I found an obsolete VCR remote control with silicone buttons of the proper size that could be modified to fit the oscope's front panel half-way decently. I had the choice between the "volume" symbol or "P" for program up/down, so I went for the one with the "P" for "parallel"  .

It works perfectly well with the probe set from an MSO4000 but even though I've got that set, I'll probably make another, short one to use with this modified scope in my small basement lab. I'll have to check if I can get along with just plain ribbon cable if short enough (maybe 20cm) or if I definitely need high-impedance shielded wire. First I'll have to have a connector pcb made anyway.

Cheers,
Tom

[Gazza2]

Hello there, just wanted to let you guys know that I did not have any success with my new DS2072A with software version: 00.03.05.SP1 and hardware version 2.3 using the LAN method as rigup0.4 cant find any keys in the memory dump

[Daruosha]

Hello there, just wanted to let you guys know that I did not have any success with my new DS2072A with software version: 00.03.05.SP1 and hardware version 2.3 using the LAN method as rigup0.4 cant find any keys in the memory dump

Could you take a successful memory dump with RigolBildschirmkopie tool?

[Gazza2]

Hello there, just wanted to let you guys know that I did not have any success with my new DS2072A with software version: 00.03.05.SP1 and hardware version 2.3 using the LAN method as rigup0.4 cant find any keys in the memory dump

Could you take a successful memory dump with RigolBildschirmkopie tool?

 Yes that worked no problems

[Daruosha]

Hello there, just wanted to let you guys know that I did not have any success with my new DS2072A with software version: 00.03.05.SP1 and hardware version 2.3 using the LAN method as rigup0.4 cant find any keys in the memory dump

Could you take a successful memory dump with RigolBildschirmkopie tool?

 Yes that worked no problems

And what command did you use to generate the keys? does it show any error or the generated keys cannot be accepted by scope? Give us some more troubleshooting details and perhaps I can help.

[Gazza2]

Hello there, just wanted to let you guys know that I did not have any success with my new DS2072A with software version: 00.03.05.SP1 and hardware version 2.3 using the LAN method as rigup0.4 cant find any keys in the memory dump

Could you take a successful memory dump with RigolBildschirmkopie tool?

 Yes that worked no problems

And what command did you use to generate the keys? does it show any error or the generated keys cannot be accepted by scope? Give us some more troubleshooting details and perhaps I can help.

 I used rigup ds2073A memoryDump.scpi It comes up with Scanning 'memoryDump.scpi' failed: No keys

[Gazza2]

Just to help I used zor01's instructions from https://www.eevblog.com/forum/testgear/unlockinghacking-the-rigol-ds2000a-series-scope-the-short-post/100/

[Daruosha]

My suggestion is to upload your memory dump and send me link to download, I can investigate and check it out and see where the problem is, perhaps

[jps379]

I would like to say thank you to all the great people who worked to make this possible! My MSO2072A is now reporting to be a MSO2302A.

The MSO2702A came with the free options (using Rigol webpage to obtain a key) and
Software version 00.03.04.SP2
Hardware version 2.3

The steps i used were as below
1) Initially installed the key for all the options as provided by Rigol website (this is optional but i did it first anyway)
2) Connected to scope via LAN using RigolBildschirmkopie
3) Used RigolBildschirmkopie to dump the memory and saved to file
4) Used rigup 0.4 with the following command "rigup ds2072a memorydumpfile"

this resulted in 4 keys for:

a) all options, no bandwidth upgrade
b) all options, bandwidth 100MHz
c) all options, bandwidth 200MHz
d) all options, bandwidth 300MHz

5) I entered key d manually using the onscreen keyboard
6) Success !!!!

Thanks!

[AlphaRomeo]

Hi, everyone.

First, sorry to dig the old thread. I just want to contribute my experience and say thank to all people contributed in this thread.

I just got my MSO2072A scope. It come with all options except bandwidth in trial mode. The scope has 00.03.04.SP2 firmware and hardware version is 2.2. I try to hack it using information shared in this thread and susceed. All options change to never expire, including 300 MHz bandwidth. The model in system information is alsochange to MSO2302A.

This is the procedure I did:

Requirement
1. The scope, connect via LAN
2. RigolBildschirmkopie http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/
3. rigup 0.4 http://www.gotroot.ca/rigol/

Procedure
1. Start RigolBildschirmkopie and find your scope (select button)
2. Dump scope memory using   :SYST:UTIL:READ? 1,33554432  (Device SCPI-Command)
3. Save data (tick "Save only informative data")
4. run rigup:   rigup ds2072a mem.bin
where ds2072a is your scope model and mem.bin is your memory dump file name, this work for my MSO2072A
5. Note the option codes (rigup generate codes with dash)
6. Send SCPI-Command to install the option you want, romove all dashes
:SYSTem:OPTion:INSTall XXXXXXXXXXXXXXXXXXXXXXXXXXXX
7. Done. Check your option in UTILITY/OPTIONS/Installed


All credits go to those who contribute in this thread.

Thank you.

Indeed, it works like a champ!  My brand new DS2072A now it says: DS2308A, all options installed, never expires. This is sweet. Thanks a million!  I'll buy the beers.  My only question is: will the scope hack survive a firmware update? 

[MrFox]

Indeed, it works like a champ!  My brand new DS2072A now it says: DS2308A, all options installed, never expires. This is sweet. Thanks a million!  I'll buy the beers.  My only question is: will the scope hack survive a firmware update?

Updating after the hack worked for me:
DS2072A
Software 03.04.SP2
Hardware 2.3

Used rigolbildschirmkopie to get the memory dump across LAN.
Then I used rigup 0.4 to get the keys (0.4.2 doesn't work), and I entered the 300MHz key manually.

After that I updated to 03.05.00.01 without losing anything.

[AlphaRomeo]

Updating after the hack worked for me:
DS2072A
Software 03.04.SP2
Hardware 2.3

Used rigolbildschirmkopie to get the memory dump across LAN.
Then I used rigup 0.4 to get the keys (0.4.2 doesn't work), and I entered the 300MHz key manually.

After that I updated to 03.05.00.01 without losing anything.

It survived, thanks a lot for your time.

[Cariad61]

Hi, everyone.

First, sorry to dig the old thread. I just want to contribute my experience and say thank to all people contributed in this thread.

I just got my MSO2072A scope. It come with all options except bandwidth in trial mode. The scope has 00.03.04.SP2 firmware and hardware version is 2.2. I try to hack it using information shared in this thread and susceed. All options change to never expire, including 300 MHz bandwidth. The model in system information is alsochange to MSO2302A.

This is the procedure I did:

Requirement
1. The scope, connect via LAN
2. RigolBildschirmkopie http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/
3. rigup 0.4 http://www.gotroot.ca/rigol/

Procedure
1. Start RigolBildschirmkopie and find your scope (select button)
2. Dump scope memory using   :SYST:UTIL:READ? 1,33554432  (Device SCPI-Command)
3. Save data (tick "Save only informative data")
4. run rigup:   rigup ds2072a mem.bin
where ds2072a is your scope model and mem.bin is your memory dump file name, this work for my MSO2072A
5. Note the option codes (rigup generate codes with dash)
6. Send SCPI-Command to install the option you want, romove all dashes
:SYSTem:OPTion:INSTall XXXXXXXXXXXXXXXXXXXXXXXXXXXX
7. Done. Check your option in UTILITY/OPTIONS/Installed


All credits go to those who contribute in this thread.

Thank you.

I just cant get this to unlock the 300MHz bandwidth  with my DS2202A.  I have successfully achieved all options.

I have tried the NS8H code and the NS8N code generation, but all return licence not available.

I am on Current Software Version is 00.03.04.SP2

I have also tried entering the codes manually.

Any help much appreciated.

Paul

[window69]

hello,
i have just updated my new DS2072A with success using the next procedure:
software version: 00.03.05
hardware version: 2.3

    Connect your oscilloscope to your LAN
    Find out its IP address:
     Utility button, IO Setting, LAN Set.
    Download and install Rigol Bildschirmkopie LAN/USB
    Go in the Device/Select... menu and connect to your scope.
    Use the program to perform a memory dump.
     This is done through the Device/SCPI-Command... menu
    Do not forget to press "save" to write the memory dump file
     (name it DS2072A_sdram.bin)
    Install the DS2000A Upgrade utility.
     I got it from http://gotroot.ca/rigol/DS2000A_Upgrade_Utility_1_0_0_1_Installer.exe
    Copy the memory dump file to the upgrade utility install folder
    (usually C:\Program Files (x86)\DS2000A Upgrade Utility)
    In a windows command prompt, cd to the upgrade utility folder.
    Run the rigup command to extract your scope's private keys:
    rigup scan DS2072A_sdram.bin > EC-keys.txt
    Run the rigup command again to generate your option keys:
    rigup DS2072A DS2072A_sdram.bin > Options.txt
    Open the Options.txt file and choose a key that you want to use. You can either use your scope's interface to enter the key or use Rigol Bildschirmkopie LAN/USB to  send an SCPI command to install the options. I used the program to save time as the Rigol's onscreen keyboard is slow. If you opt to use the SCPI command, remove the dashes from the chosen key.
    Return to Rigol Bildschirmkopie LAN/USB and create a new SCPI command:
    :SYST:OPT:INSTALL A_KEY_FROM_OPTIONS_WITHOUT_DASHES

it was a big task to surge for the right procedure, because there are a lot of different ways witch will work or not.
so you know this worked for me!
now i have to test if everything is working fine!
if i run into some trouble, i will let you know.
thanks everyone for providing the necessary tools to do this.

[Blisk]

Is it still possible to upgrade MSO2072A to all options and 300MHz??
As I read somewhere it is some new hardware in it.

[dawid_m]

Another MSO2072A hacked!.
I can confirm - it is still possible. I have just hacked new MSO2072A purchased yesterday from authorized distributor to MSO2302A (all options unblocked)!
Software version: 00.03.05.SP1
Hardware version: 2.3

Thank you all for contribution to this thread and for providing necessary tools to upgrade scope so easily. 

[Blisk]

After buying Siglent I see now I should buy rigol and hack it.

[colorado.rob]

After buying Siglent I see now I should buy rigol and hack it.

If your needs are met with 2 analog channels, it's not a bad option.  Just remember, part of the cost difference between the 100MHz version and 200MHz version is in the more expensive 350MHz probes.  If you hack your scope and intend to use if for signals above 100MHz, you still need to buy probes designed of operating at that frequency.

[Blisk]

yes, but with rigol I get logic probes with oscilloscope and all can be unlocked.
With siglent I need to pay about half of price of oscilloscope.

[nctnico]

yes, but with rigol I get logic probes with oscilloscope and all can be unlocked.
With siglent I need to pay about half of price of oscilloscope.

That is because Siglent has been lowering the prices of their oscilloscopes to get some sales but it seems the price of the options went up. A couple of years ago the oscilloscopes where much more expensive.

[Genie]

 Hi all,

It seems that I am the only one stuck with a DS2072A unable to get to 300MHZ...
Bought it August 24, 2017, Serial DS2D184850XXX soft 03.05.SP3

It accepts all the license but not the 300MHZ. I used the Ultra Sigma way, The RigolBildschirmkopie,
Both methods through rigup0-4 and I obtain the same licenses code.

Any more Idea guy's?

[CustomEngineerer]

It sounds like you might be trying to install multiple licenses at the same time (or really one after another). If so, this is not the correct way to do it. I would recommend uninstalling the options with :SYSTem:OPTion:UNINSTall, then install a single key that includes both the 300MHz bandwidth and all options together. I think its the 'DSHH' one, though could be wrong on that. But to be clear, on the DS2000A scopes (as well as all Rigol scopes that I'm aware of), you only enter a single license key (that enables all options). And it doesn't matter if you send the license key over Ultra Sigma or RigolBildschirmkopie, both are doing the same exact thing.

Edit2: Interesting, I just checked the documentation from when I liberated my DS2000A and the code I used was 'NS8H', which was labelled 'All options, bandwidth 300MHz'. This was with rigup-0.4. Maybe try that if the other doesn't work.

[CustomEngineerer]

Just realized I told you the same thing in the other thread last week. So assuming you have already been through the steps I listed in the last post with the DSHH option. Looks like I might have been wrong, please try removing all options then using the NS8H key and see if that gives you the desired results. Sorry for the confusion.

[jeanguypataterub]

I tried to unlock but mine says license unavailable. I used the http://gotroot.ca/rigol/riglol/ generator.

Frustrated.

Pierre

[Sparky]

I tried to unlock but mine says license unavailable. I used the http://gotroot.ca/rigol/riglol/ generator.

Frustrated.

Pierre

Hi all,

It seems that I am the only one stuck with a DS2072A unable to get to 300MHZ...
Bought it August 24, 2017, Serial DS2D184850XXX soft 03.05.SP3

It accepts all the license but not the 300MHZ. I used the Ultra Sigma way, The RigolBildschirmkopie,
Both methods through rigup0-4 and I obtain the same licenses code.

Any more Idea guy's?

@ jeanguypataterub, Genie

Try 'NS8N' as the key. Read here for my experience and details on this.

[jeanguypataterub]

Just tried it again with NS8N and still got license is unavailable. 

Pierre

[tonylam]

Many thanks for the hack! I have done from upgrade my recent DS2072A to 300M with All Options!

I can only upgrade to 200M and can't upgrade to 300M before that until I do the steps below.

Purchased at December 2017
Model : DS2072A
Software Version : 00.03.05.SP3
Hardware Version : 2.3

1. Use rigup1.0 : >rigup ds2072a mem.bin
2. Write down NSEQ (200M All Options) Key
3. Enter it to scope and restart
4. Use rigup4.0 :
    >rigup scan mem.bin > keys.txt
    >rigup license keys.txt NS8N
5. Enter it to scope and restart
6. Done

Have a nice day!

[mmaseda]

Did you ever get it working?

[ddoocc]

Hi, i am not sure if this is too late or not, but i met the same problem and eventually solved it .
the point is the newest rigup version did not work on me, so i tried several older versions of rigup, finally a x86 version of rigup 0.4 saved me(and I am using an win64 os).
wish this may help

[Dmitriy_CBILIMON]

Hello, tell me on the firmware RIGOL DS2072A. Answer the mail skorobogatov1995@mail.ru, or throw off the program

[chg]

Many thanks, I was able to upgrade my DS2072A to 300 MHz with all options by this method!

Just to summarize, here's what I did:

You just need a Linux computer (I used a Raspberry Pi :-), netcat (nc) and rigup-0.4 (which comes with sources and can be compiled on Raspberry Pi by running "make").

1. Connect to the scope via LAN and dump memory into file "ds2072a.bin":
echo ':SYST:UTIL:READ? 1,33554432' | nc -w1 <Scope IP Address> 5555 | dd bs=1 of=ds2072a.bin

2. Then use rigup-0.4 to obtain NSEQ license (NSEQ = all options, bandwidth 200 MHz)
rigup ds2072a ds2072a.bin

3. Apply the NSEQ key on the scope:
echo ':SYST:OPT:INST <NSEQ license key without dashes>' | nc -w 1 <Scope IP Adress> 5555

4. Though rigup also generates an NS8H key for 300 MHz bandwith, I was unable to apply it. Obviously, the NS8N key is needed. To generate it, run:
rigup scan ds2072a.bin > keys.txt
rigup license keys.txt NS8N

5. Then apply this key:
echo ':SYST:OPT:INST <NS8N license key without dashes>' | nc -w 1 <Scope IP Adress> 5555

Scope details:

Model: DS2072A
Software Version: 00.03.05.SP4
Hardware Version: 2.0

Thanks again,
Christian

[eric80]

hello
I try with this method but unfornatly
 this method not work for me
perhaps this is the firmware was too recent  00.03.05.SP4

Eric

[robca]

I just got a used DS2072A, with firmware version 00.02.01 and HW version 2.0. It's in mint condition, and still even has 1564 minutes left in the options trials

I tried using RigolBildschirmkopie both via USB and ethernet, but I keep getting the "There was an error when sending the SCPI command." message.

I know communication with the scope works, because I can read the date and serial number. I start suspecting that the version of the firmware is too old to have that command implemented

I also tried using the Linux version echo ':SYST:UTIL:READ? 1,33554432' | nc -w1 <Scope IP Address> 5555 | dd bs=1 of=ds2072a.bin, with the same problems (cna get date and serial, the memory read doesn't work)

What would be my best bet? Update the firmware to a newer version (if so, which one), or use the original method in this thread https://www.eevblog.com/forum/testgear/unlockinghacking-the-rigol-ds2000a-series-scope-the-short-post/?

[stafil]

use the original method in this thread https://www.eevblog.com/forum/testgear/unlockinghacking-the-rigol-ds2000a-series-scope-the-short-post/?

I used that and worked without any problems. Only caveat, I had to use rigup4.0 (http://www.gotroot.ca/rigol/rigup-0.4.zip) as 4.2 didn't work.

[tv84]

1 - Download & unzip the latest "Rigol Bildschirmkopie LAN/USB" from http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/
2 - Connect scope to LAN.
3 - Run the RigolBildschirmkopie.exe, click Device>Select>Search>Select.
4 - Do Device>SCPI-Command, then  Send & receive ":SYST:UTIL:READ? 1,33554432".
    Wait a long time (~5 to 10 min) for it to complete.
    Click Save, save it as "memoryDump.scpi" (save this file for future use!!)

[robca]

1 - Download & unzip the latest "Rigol Bildschirmkopie LAN/USB" from http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/
2 - Connect scope to LAN.
3 - Run the RigolBildschirmkopie.exe, click Device>Select>Search>Select.
4 - Do Device>SCPI-Command, then  Send & receive ":SYST:UTIL:READ? 1,33554432".
    Wait a long time (~5 to 10 min) for it to complete.
    Click Save, save it as "memoryDump.scpi" (save this file for future use!!)

I downloaded the latest (2020-01-25) from here https://peter.dreisiebner.at/rigol-bildschirmkopie/index.htm (your link doesn't work anymore)
I connected thru LAN
I sent the *IDN? command, which works
I tried the :SYST:UTIL:READ? 1,33554432, and after 20 seconds or so I get a "There was an error when sending the SCPI command.".
Every other SCPI command works. Including screenshots, so I'm not sure what's wrong with the specific SYST command to dump the memory

Do I need to wait after that error message?

[tv84]

Do I need to wait after that error message?

You did "send & receive"?

[robca]

Do I need to wait after that error message?

You did "send & receive"?

Yes, I did. Same as for all other commands I tried. As I also mentioned, the same problem when sending the same command via the Linux shell (from another PC). Other commands work, the system memory dump doesn't seem to work

I'm not sure what else I can do, outside of trying a different firmware (and a factory reset)

[robca]

Replying to my own question for anyone else running into the same problem

I installed the DS2000A upgrade utility, and after flashing the temporary firmware (which I assume sends keys to the utility) everything now works. https://www.eevblog.com/forum/testgear/ds2000a-upgrade-utility/

Thanks for the help

P.S. after updating the firmware to 03.05.04 I can now get a memory dump. It looks like it was not enabled in my original firmware

[aterren]

Hi, everyone.

First, sorry to dig the old thread. I just want to contribute my experience and say thank to all people contributed in this thread.

I just got my MSO2072A scope. It come with all options except bandwidth in trial mode. The scope has 00.03.04.SP2 firmware and hardware version is 2.2. I try to hack it using information shared in this thread and susceed. All options change to never expire, including 300 MHz bandwidth. The model in system information is alsochange to MSO2302A.

This is the procedure I did:

Requirement
1. The scope, connect via LAN
2. RigolBildschirmkopie
    http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/
    https://peter.dreisiebner.at/rigol-bildschirmkopie/index.htm 
3. rigup 0.4 http://www.gotroot.ca/rigol/

Procedure
1. Start RigolBildschirmkopie and find your scope (select button)
2. Dump scope memory using   :SYST:UTIL:READ? 1,33554432  (Device SCPI-Command)
3. Save data (tick "Save only informative data")
4. run rigup:   rigup ds2072a mem.bin
where ds2072a is your scope model and mem.bin is your memory dump file name, this work for my MSO2072A
5. Note the option codes (rigup generate codes with dash)
6. Send SCPI-Command to install the option you want, romove all dashes
:SYSTem:OPTion:INSTall XXXXXXXXXXXXXXXXXXXXXXXXXXXX
7. Done. Check your option in UTILITY/OPTIONS/Installed

All credits go to those who contribute in this thread.

Thank you.

After having my scope for many years, I finally did the upgrade using the process above (edited with new site).  It worked perfectly.  Thank you everyone.

[savageautomate]

Can someone send me the "RigolBildschirmkopie" software or post a valid link? 
The links in the thread above are no longer available.

Thank You!

[tv84]

Contact PeDre here. He's the author.