Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1076904 times)

0 Members and 3 Guests are viewing this topic.

Offline marmad

  • Super Contributor
  • ***
  • Posts: 2986
  • Country: aq
    • DaysAlive
Re: Sniffing the Rigol's internal I2C bus
« Reply #375 on: July 09, 2013, 08:56:22 PM »
Tried the procedures in sequence as you mentioned....

FW initially downgraded to FW.00.01.00.05

Rebooted and flashed again (USB method) with FW.00.01.00.03, this completed fully and the scope rebooted automatically. Still
as a DS2202.

Re-installed FW 01.01.00.02 on re-boot (help button method)   

Scope is still a DS2202.

Well clearly the firmware upgrade bug was not invoked - the update didn't freeze. No reason to use the boot loader process after this since it wouldn't have done anything - and this doesn't answer the question of whether your model number is changed in both copies of memory or not.

It's a pity there isn't a copy of FW 00.01.00.02 around.
« Last Edit: July 09, 2013, 08:58:47 PM by marmad »
 

Offline orbiter

  • Frequent Contributor
  • **
  • Posts: 601
  • Country: gb
  • -0 Resistance is Futile
Re: Sniffing the Rigol's internal I2C bus
« Reply #376 on: July 09, 2013, 09:13:21 PM »
< agreed mate.

I think something maybe happening in memory before the FW has loaded up fully (see yellow screen previous page) this yellow screen shows on almost every
cold boot for me (although not temperature related.) I get no beeps and the relays don't click either. Only started following FW switching :)

Anyway.. Sometimes (after 20 secs) the relays will click & the screen will show as normal, other times the scope will need a second boot to start normally.

Perhaps for the guys including me that can't go back, a damaged or corrupt piece of left over FW code is trying to load at a boot, before correct FW?
« Last Edit: July 09, 2013, 09:27:06 PM by orbiter »
 

Offline orbiter

  • Frequent Contributor
  • **
  • Posts: 601
  • Country: gb
  • -0 Resistance is Futile
Re: Sniffing the Rigol's internal I2C bus
« Reply #377 on: July 09, 2013, 10:17:09 PM »
I've given up trying for the moment mate.. I need to use the scope. I may try later.

I could really do with some more help getting it back to a DS2702 though, as I'd like to see if that would clear the error (I believe) regarding my yellow screen on cold boot..
http://www.eevblog.com/forum/testgear/sniffing-the-rigol%27s-internal-i2c-bus/420/.

Cheers
 

Offline orbiter

  • Frequent Contributor
  • **
  • Posts: 601
  • Country: gb
  • -0 Resistance is Futile
Re: Sniffing the Rigol's internal I2C bus
« Reply #378 on: July 09, 2013, 10:24:52 PM »
Also, have you tried the default settings option?  I think if you press/hold one of the side menu buttons (6th one down?  not sure) it reverts the scope to factory settings.  This might also be worth trying.

Yes tried that a few times mate at various stages with different FW's. That button just resets the scope settings to default. 
 

Offline adcajo

  • Newbie
  • Posts: 3
Re: Sniffing the Rigol's internal I2C bus
« Reply #379 on: July 10, 2013, 05:50:42 PM »
But - the procedure described above is exactly what made my DS2072 turned into to a DS2202 in the first place...
 

Offline Orange

  • Frequent Contributor
  • **
  • Posts: 252
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #380 on: July 10, 2013, 07:22:11 PM »
:system:option:install LLLLLLLRLGLLDSDSARLLLLLLLLLL   ( makes 2102 )
:system:option:install LLLLLLLRLGLLDSDSAZLLLLLLLLLL   ( makes 2202)


Code tabel:

DSAx, 2202, 2102,  mem56, Decode, Trigger

2072

A   none
B   ==   ==   ==   ==   on
C   ==   ==   ==   on   ==
D   ==   ==   ==   on   on
E   ==   ==   on   ==   ==
F   ==   ==   on   ==   on
G   ==   ==   on   on   ==
H   ==   ==   on   on   on

2102

J   ==   on   ==   ==   ==   
K   ==   on   ==   ==   on
L   ==   on   ==   on   ==
M   ==   on   ==   on   on
N   ==   on   on   ==   ==
P   ==   on   on   ==   on
Q   ==   on   on   on   ==
R   ==   on   on   on   on

2202

S   on   ==   ==   ==   ==   
T   on   ==   ==   ==   on
U   on   ==   ==   on   ==
V   on   ==   ==   on   on
W   on   ==   on   ==   ==
X   on   ==   on   ==   on
Y   on   ==   on   on   ==
Z   on   ==   on   on   on

dont use below as activates 2102 and also 2202

2   on   on   ==   ==   ==
3   on   on   ==   ==   on
4   on   on   ==   on   ==
5   on   on   ==   on   on
6   on   on   on   ==   ==
7   on   on   on   ==   on
8   on   on   on   on   ==
9   on   on   on   on   on

According to this table the  "H" should turn it into a 2072. On mine it does not do this (even after a fresh reboot of the scope).
The only way to get back to a 2072 is with the VSA9 key. (on my system at least). I don't make a big deal out of it to use it in 2072 mode. Warranty sticker is voided anyhow.
Using FW 1.1.0.2
It might very well be that there are bugs in the key algorithms  :)
 

Offline MrsR

  • Regular Contributor
  • *
  • Posts: 116
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #381 on: July 10, 2013, 08:38:37 PM »
Works for my DS2072 perfectly, firmware 00.01.00.00.03.
As I still had my trial options available, I was a little hesitant to try this, but they are back to previous values after restart so nothing is lost.

VSA9LLL enabled all options as trial (2100+ minutes were added to remaining time for trigger, 56M and decode options) but 2ns timebase wasn't available.

DSA9LLL enabled 2ns timebase and 100M BW limit.

Great work, thanks  :-+

If you have a DS2072 with 56M  loaded (not trial version) would you lose it by putting DSA9LLL in ?????

Mrs R :-+
 

Offline Orange

  • Frequent Contributor
  • **
  • Posts: 252
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #382 on: July 10, 2013, 09:29:31 PM »
Works for my DS2072 perfectly, firmware 00.01.00.00.03.
As I still had my trial options available, I was a little hesitant to try this, but they are back to previous values after restart so nothing is lost.

VSA9LLL enabled all options as trial (2100+ minutes were added to remaining time for trigger, 56M and decode options) but 2ns timebase wasn't available.

DSA9LLL enabled 2ns timebase and 100M BW limit.

Great work, thanks  :-+

If you have a DS2072 with 56M  loaded (not trial version) would you lose it by putting DSA9LLL in ?????

Mrs R :-+

I would not fiddle around with this if not absolutely needed. nobody knows exactly what happens with official keys, because nobody buys them, well at least the members from this forum  ;)
 

Offline marmad

  • Super Contributor
  • ***
  • Posts: 2986
  • Country: aq
    • DaysAlive
Re: Sniffing the Rigol's internal I2C bus
« Reply #383 on: July 10, 2013, 10:08:02 PM »
If you have a DS2072 with 56M  loaded (not trial version) would you lose it by putting DSA9LLL in ?????

Mrs R :-+

Not a problem. Official keys can be installed or uninstalled at will. If you put a code in which changes an official option to a trial, you can always re-enter the official key again to change it back to official.

nobody knows exactly what happens with official keys, because nobody buys them, well at least the members from this forum  ;)

There are a few of us members here with official keys.
 

Online darrylp

  • Regular Contributor
  • *
  • Posts: 122
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #384 on: July 10, 2013, 11:26:41 PM »
Our very own Mr Jones on here has a fully loaded DS2202 ;-)

So Dave, are you reading ?

--
 Darryl

 

Offline Chet T16

  • Frequent Contributor
  • **
  • Posts: 511
  • Country: ie
    • Retro-Renault
Re: Sniffing the Rigol's internal I2C bus
« Reply #385 on: July 11, 2013, 12:01:17 AM »
I have a code to unlock 100MHz and serial decode on mine. I thought it was interesting that it was a single code.
Chet
www.chet.ie - projects/electronics blog
BSc Engineering Science - Electronics
Studying ME Computer and Electronics
 

Offline Orange

  • Frequent Contributor
  • **
  • Posts: 252
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #386 on: July 11, 2013, 12:56:15 AM »
If you have a DS2072 with 56M  loaded (not trial version) would you lose it by putting DSA9LLL in ?????

Mrs R :-+

Not a problem. Official keys can be installed or uninstalled at will. If you put a code in which changes an official option to a trial, you can always re-enter the official key again to change it back to official.

nobody knows exactly what happens with official keys, because nobody buys them, well at least the members from this forum  ;)

There are a few of us members here with official keys.
Yes, there are always exceptions to the rule.
 

Offline Marc M.

  • Regular Contributor
  • *
  • Posts: 122
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #387 on: July 12, 2013, 05:54:58 PM »
Good News Everyone!  I found a nice little stand alone utility for Windows users that will send either the DSAZ key or the VSA9 key to your DS2072 via USB.  It will auto-detect any 2000 series scope attached to the computer and provides a button for either key.  It pulls your current configuration, sends the key, then restores your configuration.  The only files it requires on your system are the NI VISA drivers.  Tested it on my Win 7 system and it works like a charm :-+ :-+ :-+.

Marc -
Don't replace the cap, just empty the filter!
 

Offline Orange

  • Frequent Contributor
  • **
  • Posts: 252
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #388 on: July 12, 2013, 11:07:46 PM »
Good News Everyone!  I found a nice little stand alone utility for Windows users that will send either the DSAZ key or the VSA9 key to your DS2072 via USB.  It will auto-detect any 2000 series scope attached to the computer and provides a button for either key.  It pulls your current configuration, sends the key, then restores your configuration.  The only files it requires on your system are the NI VISA drivers.  Tested it on my Win 7 system and it works like a charm :-+ :-+ :-+.

Marc -
You also need to install the RIGOL DS2000 USB driver software....
 

Offline Orange

  • Frequent Contributor
  • **
  • Posts: 252
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #389 on: July 13, 2013, 02:44:06 AM »
You also need to install the RIGOL DS2000 USB driver software....

Are you sure - I just loaded only the ni visa runtime and nothing else and it worked for me on win7 x64.  The DS2072 was recognized as USB Test and Measurement Device (IVI) so either the driver came with the ni visa runtime or could have been part of windows maybe...
I deinstalled all, and tried it again. Its now OK. NI package contains a generic instrument USB driver.
 
 

Offline MrsR

  • Regular Contributor
  • *
  • Posts: 116
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #390 on: July 13, 2013, 06:43:35 AM »
The mistake I made in buying the 2072 is the very slow rise time 5ns,I need a faster rise time my cheap Siglant scope that I chucked in a cupboard has a5ns rise time and it cost $270 AU.

A couple of things I found out from RIGOL China is:
/DS2000 can only have a max of 2 trial updates then that's it
/there are at least 2 versions of 03 software.
/a new version of 03 will come out which you will not lose the trial versions when doing a Re Cal.
/I have not found away to put more than 2 Re Cals. in.
/You lose the ability to use Official Trial versions if you do the Trial reload.
RIGOL China is very helpful at first but if (good English used) if they can't solve the problem in 3 emails they start talking pigeon Chinese English. This is used to stop you asking for more Help I think
I am still going to pester them though.

Mrs R :-+
 

Offline Chalky

  • Regular Contributor
  • *
  • Posts: 86
  • Country: nz
Return to original DS2072 model
« Reply #391 on: July 13, 2013, 08:28:01 PM »
But - the procedure described above is exactly what made my DS2072 turned into to a DS2202 in the first place...
This worked for me: install the '9' code, then install the '2' code, then do uninstall (no code needed), then reboot (might not be needed).

 My DS2072 was reporting as DS2202, now it is DS2072 again, and all features are as per DS2072.
 

Offline Chalky

  • Regular Contributor
  • *
  • Posts: 86
  • Country: nz
Re: Sniffing the Rigol's internal I2C bus
« Reply #392 on: July 13, 2013, 10:29:00 PM »
Posted app in the Software for Rigol forum: http://www.eevblog.com/forum/projects/software-tips-and-tricks-for-rigol-ds200040006000-ultravision-dsos/msg261360/#msg261360

Detects Rigol scopes on your local network, or any scope on USB, and auto-sends licence codes, and any other commands to the scope.
 

Offline MrsR

  • Regular Contributor
  • *
  • Posts: 116
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #393 on: July 14, 2013, 04:14:21 AM »


[/quote]

You could know this, because Rigol tells this in the datasheets, so there is no reason to complain, i think.

The 2072 is to the book 5 nSec, but because its bandwidth is 112 Mhz at 50 ohm, you get 3.2 nSec
And thats is also users here confirm and measure,

if you lower the termination resistor you can get more.

And you can for the time being ( unitl Rigol fixed it in the new FW ), try the test keys from this topic, to try 1.5 nSec

And as here before the latest FW is 00.01.01.00.02
[/quote]

Thanks,
Actually I had a DS2202, I had just hooked it up and it got fried, it lived for about 5 hours.
I didn't have enough money to buy another 200Meg version so got the 72 Meg one.
I didn't read the Spec. Sheet fully so the 5ns mistake.
Yep!!! my fault.
Mrs R
:-+
 

Offline Chalky

  • Regular Contributor
  • *
  • Posts: 86
  • Country: nz
Re: Sniffing the Rigol's internal I2C bus
« Reply #394 on: July 14, 2013, 08:10:16 AM »
Hi,

From your code, what do these codes do:

                        <string>:SYSTem:OPTion:INSTall EEEEEEEBEBEEBBBBN5EEEEEEEEEE</string>
                        <string>:SYSTem:OPTion:INSTall EEEEEEEBEBEEBBBBN6EEEEEEEEEE</string>
Hi there alank2, they are just examples, you need to replace them with your own codes.
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 240
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #395 on: July 16, 2013, 08:11:07 AM »
"small" update from the key department - i have a fully working (forward) implementation of the license key check.
inputs are serial + license key - out comes valid or not and what features (i already explained that part) ;-) ... was a heavy ride, especially emulating the Blackfin ALU (its behaviour is integral part of their keys) - i almost bet they run the official keygen in an emulator for bfin ;-)

anyhow its now time to analyse input vs. output - and then figure out some shortcuts to a valid key in reverse. bruteforce will probably not work - most values are 2^64 - and if u ever wondered why it takes some time to "process" the input of a key - yes its doing a shitload of stuff with the input ...
if anyone is willing to invest time into reversing parts of their functions let me know, i will post some parts that need work  and some documentation later on. (its quite a brainfuck ;-)

also i only checked it with trial keys for now - no reason to believe that a offical key works otherwise but if someone could share an offical key + serial that would help.

« Last Edit: July 16, 2013, 10:28:22 AM by cybernet »
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline synapsis

  • Regular Contributor
  • *
  • Posts: 139
  • Country: us
    • Blackcow
Re: Sniffing the Rigol's internal I2C bus
« Reply #396 on: July 16, 2013, 10:25:52 AM »
Just got my DS2072 from Tequipment today. It's running SW 00.01.00 which was a little surprising to me, because I believe that's the SW that was running on Dave's unit in his review a year ago.

I just want to clarify the Self-cal procedure (my scope is a couple divs off at 500uV.) Does the Self-cal clear the hacked keys? I.e., should I self cal first, then enter the keys?
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 240
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #397 on: July 16, 2013, 10:54:32 AM »
https://github.com/CertiVox/MIRACL/tree/master/source

have fun. thats what rigol is using as their crypto engine - mrcore.c is basically what i reversed ...
« Last Edit: July 17, 2013, 01:03:09 AM by cybernet »
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline zibadun

  • Regular Contributor
  • *
  • Posts: 111
  • Country: us
Sniffing the Rigol's internal I2C bus
« Reply #398 on: July 17, 2013, 01:40:35 PM »
https://github.com/CertiVox/MIRACL/tree/master/source

have fun. thats what rigol is using as their crypto engine - mrcore.c is basically what i reversed ...

It looks like a very efficient public key encryption method (elliptic curve?).

"The primary benefit promised by ECC is a smaller key size, reducing storage and transmission requirements—i.e., that an elliptic curve group could provide the same level of security afforded by an RSA-based system with a large modulus and correspondingly larger key—e.g., a 256-bit ECC public key should provide comparable security to a 3072-bit RSA public key (see key sizes below)."



And what you did was key validation (I.e. checking the signature).  Do you think this can be taken further and private keys recovered?  That seems like a huge leap in difficulty. On the wikipeadia they talk about successfully using a network of a computers (2600 for 17 months) to recover a moderately sized key. Ouch!

http://en.m.wikipedia.org/wiki/Elliptic_curve_cryptography
 

Offline frenky

  • Supporter
  • ****
  • Posts: 733
  • Country: si
    • Frenki.net
Re: Sniffing the Rigol's internal I2C bus
« Reply #399 on: July 17, 2013, 04:50:18 PM »
On the wikipeadia they talk about successfully using a network of a computers (2600 for 17 months) to recover a moderately sized key. Ouch!
That was almost 10 years ago (2004). Perhaps with up-to date computers and with joint efforts from forum members we could recover some keys?
The idea is like searching for bitcoins. Every EEV user could download small piece of software, pick a range of input keys and let the computer do the magic for a few hours/days/months. ;)
Or could it be more efficient to use some microprocessors alike atmel or PIC to do the hard work?
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf