Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1355950 times)


Offline mightyzen

  • Contributor
  • Posts: 36
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #4325 on: April 01, 2017, 08:26:04 PM »
I've been doing that for about a week or so, but the TWI functions discovered so far are slave mode, not master mode; a lot of stuff is happening via DMA transfers to/from the FPGA (assumption). They use VDK and threads, which makes reversing a pain in the ass: 8k subs, thousands of pointers... I'm slowly approaching the right subs. If anyone has IDA with the Blackfin CPU from the Rigol homebrew, I'm happy to share my custom GEL loader and IDA DB.

I've been looking into the firmware for the past few weeks to try and enable the 50 ohm option on a non-A DS2k model with v2 hardware. I would expect this to be a simple enough patch as long as I could find the handling of the SCPI "CHAN1:IMP FIFTY" command.

I'm just lost in those 8k of subs and simply fail to find the references to the "FIFTY" and "OMEG" strings. Could someone please point me in the right direction?
 

Offline DoMaLo

  • Newbie
  • Posts: 2
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4326 on: April 03, 2017, 08:32:49 PM »
Hello everybody. I have an MSO1104Z, board version 2.1.4, SV 00.04.04.SP1. I took a dump using a JLink Ultra+ in JLink Commander and with OpenOCD. Rigup 0.4.1 (MSO1000z) and 0.4.2 print "No keys" for both dumps. What can I do to unlock my oscilloscope?
 

Offline Gluk

  • Contributor
  • Posts: 9
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4327 on: April 06, 2017, 08:24:39 AM »
What do you think about the resistors of around 3 kΩ near the FPGA and the JTAG header in the MSO1074Z? Maybe it is a config divider?
« Last Edit: April 07, 2017, 07:19:56 AM by Gluk »
 

Offline DoMaLo

  • Newbie
  • Posts: 2
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4328 on: April 07, 2017, 06:22:14 PM »
I think these are pull-up and pull-down resistors for the JTAG chain, because I have worked with Actel FPGAs and the typical JTAG chain for the ProASIC3E Flash Family with FlashPro has such resistors. The circuit I used for my project is in the attachment.
« Last Edit: April 07, 2017, 06:59:50 PM by DoMaLo »
 

Offline Gluk

  • Contributor
  • Posts: 9
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4329 on: April 07, 2017, 10:39:43 PM »
Friends, yes! The resistors near the JTAG header set the config. They are labelled "hardware version" and "sp version". The upper resistor row is pull-up, the lower one is pull-down.

Does somebody want to play with these pull-ups/pull-downs? :)
 

Offline Gluk

  • Contributor
  • Posts: 9
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4330 on: April 07, 2017, 11:48:05 PM »
Quote
the JTAG pullup/down resistors are there purely to enable robust JTAG data transfer.

These resistors are not connected to the JTAG pins!

They are connected to pins near the JTAG header, and they are labelled!
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 1208
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4331 on: April 08, 2017, 12:03:42 AM »
These resistors are not connected to the JTAG pins!
They are connected to pins near the JTAG header, and they are labelled!

Yes, I realized that and pulled my earlier post in the meantime. But I am afraid the "version" resistors are there simply to let the software know about different historical board revisions, which may require slightly different software control. I don't think these will enable any options.

After all, one can buy software upgrade codes for the MSO scopes, right? As these upgrades do not require the user to re-solder any internal resistors, I believe that the options are enabled and disabled purely based on keys stored in EEPROM.
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 1208
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4332 on: April 08, 2017, 12:05:42 AM »
On a more general note, I must admit that I have lost track of this thread. Is there a proven method for enabling options on the MSO1000Z and DS1000Z-plus scopes? If so, could someone post a summary or a link please? Many thanks!
 

Offline Gluk

  • Contributor
  • Posts: 9
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4333 on: April 08, 2017, 01:20:05 AM »
ebastler, yes! I'm doing it now. Later I can post a summary.
Or just see page #150, post by smgvbest
 

Offline ebastler

  • Super Contributor
  • ***
  • Posts: 1208
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4334 on: April 08, 2017, 03:32:43 AM »
ebastler, yes! I'm doing it now. Later I can post a summary.
Or just see page #150, post by smgvbest

Ahhh, that indeed looks like step-by-step instructions, and nicely illustrated too!
Wow, how did you find that post in the 174-page thread?  :-+

Once you have confirmed that this works, maybe we can ask andyturk (who started this thread) to include a link in the first post.
 

Offline McBryce

  • Super Contributor
  • ***
  • Posts: 1029
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4335 on: April 09, 2017, 09:23:31 PM »
ebastler, yes! I'm doing it now. Later I can post a summary.
Or just see page #150, post by smgvbest

Ahhh, that indeed looks like step-by-step instructions, and nicely illustrated too!
Wow, how did you find that post in the 174-page thread?  :-+

Once you have confirmed that this works, maybe we can ask andyturk (who started this thread) to include a link in the first post.

I used the method on page 150 from smgvbest to "liberate" my MSO1104z-s and can confirm that it works.

McBryce.
 

Offline edgelog

  • Contributor
  • Posts: 38
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4336 on: April 21, 2017, 02:58:50 AM »
I have the exact same version as DoMaLo (v00.04.04.SP1, board 2.1.4). I tried with an Olimex, dumping the memory during the boot-up logo and afterwards at various intervals. All the dump files look good, judging by all the strings in there looking reasonable (there are a lot of them: HTML pages, CSS files, a lot of help strings), but rigup 0.4.1 for MSO1000z says "no keys".

I also looked through the dump file for anything similar to the pattern given in rigup utils.c, in the ScanKeys function, and I can find nothing that matches the length of the keys or the hex prefix of the block.

It looks to me as if the keys simply aren't there anymore.  :palm:
 

Offline Gluk

  • Contributor
  • Posts: 9
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4337 on: April 21, 2017, 07:25:18 PM »
I have the exact same version as DoMaLo (v00.04.04.SP1, board 2.1.4). I tried with an Olimex, dumping the memory during the boot-up logo and afterwards at various intervals. All the dump files look good, judging by all the strings in there looking reasonable (there are a lot of them: HTML pages, CSS files, a lot of help strings), but rigup 0.4.1 for MSO1000z says "no keys".

Make the dump after boot completes! An early dump doesn't have the keys. I used rigup-0.4.2-x86_64-win, got the keys, and hacked it completely.
 

Offline edgelog

  • Contributor
  • Posts: 38
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4338 on: April 22, 2017, 03:59:44 AM »
Make the dump after boot completes! An early dump doesn't have the keys. I used rigup-0.4.2-x86_64-win, got the keys, and hacked it completely.

I have tried rigup-0.4.2-x86_64-win.exe with 6 different file dumps taken at varying points in time, all the way from during the logo to more than five minutes after the boot completed, and nothing but "no keys". What version of firmware do you have? Same as mine (00.04.04.SP1)?
 

Offline edgelog

  • Contributor
  • Posts: 38
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4339 on: April 22, 2017, 05:29:09 AM »
Ok, found the problem. Rigup was modified to work with the MSO1000z series by looking for a block of bytes beginning with the sequence 01 00 84 00 10 00, while the DS1000z (and other models?) use 02 00 84 00 10 00. By poking around with a hex editor in the dump files, I found that for my scope at least, that sequence is 02 00 84 00 10 00, which you're not supposed to see in an MSO. So not all MSOs are alike.

Just for clarity, this MSO1104Z with firmware 00.04.04.SP1 uses the sequence 0x02 0x00 0x84 0x00 0x10 0x00.

Fix: if you download the rigup-0.4.1-mso1000z.zip from gotroot.ca, open utils.c, in the function ScanKeys() uncomment the first static const and comment out the second, so it looks like this afterwards:

Code:
/* total length of one key block: marker + fields, 132 bytes */
const unsigned int sequenceSize = 6 + 16 + 2 + 2*16 + 2 + 8 + 2 + 64;
/* marker for DS1000Z and this MSO1104Z (00.04.04.SP1) */
static const uint8_t seq_1_ref[] = {0x02, 0x00, 0x84, 0x00, 0x10, 0x00};
/* marker the MSO1000Z build of rigup looked for by default */
//static const uint8_t seq_1_ref[] = {0x01, 0x00, 0x84, 0x00, 0x10, 0x00};

Then recompile:

Code:
make clean
make all

After this, I got all the keys, could generate all licenses, and all of them were accepted. Yay!
« Last Edit: April 22, 2017, 05:54:54 AM by edgelog »
 

Offline Gluk

  • Contributor
  • Posts: 9
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4340 on: April 22, 2017, 07:17:58 AM »
edgelog, is it a joke from Rigol with the latest firmware?  :phew:
 

Offline edgelog

  • Contributor
  • Posts: 38
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4341 on: April 22, 2017, 07:28:38 AM »
Maybe, but it did have me worried for a while.
I think maybe the solution would be for rigup to accept 0x01 and 0x02 in that sequence. It's unique anyway.
 
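The scanner edgelog describes in the two posts above (rigup's ScanKeys() matching a 6-byte marker, and the suggestion that it should accept both 0x01 and 0x02 as the first byte) as an added, self-contained example in C. This is not rigup's own code: the marker bytes and the block length (the sequenceSize expression, 132 bytes) are taken from the posts, everything else (function names, the requirement that a whole block fits in the dump, the constructed sample dump) is an assumption made here for illustration.

```c
/* Added example, not rigup's code: scan a memory dump for the key-block
 * marker that ScanKeys() looks for, accepting either 0x01 or 0x02 as the
 * first byte so DS1000Z dumps and both MSO1000Z flavours are found in one
 * pass. Block length follows the sequenceSize expression from the post. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes 1..5 of the marker are fixed; byte 0 is 0x01 or 0x02. */
static const uint8_t MARKER_TAIL[5] = {0x00, 0x84, 0x00, 0x10, 0x00};
#define MARKER_LEN 6

/* One key block as rigup sizes it: 6 + 16 + 2 + 2*16 + 2 + 8 + 2 + 64 = 132. */
#define KEY_BLOCK_LEN (6 + 16 + 2 + 2 * 16 + 2 + 8 + 2 + 64)

/* Non-zero if a marker starts at p (caller guarantees MARKER_LEN bytes). */
static int is_marker(const uint8_t *p)
{
    return (p[0] == 0x01 || p[0] == 0x02) &&
           memcmp(p + 1, MARKER_TAIL, sizeof MARKER_TAIL) == 0;
}

/* Scan `dump` for complete key blocks (assumption: a marker only counts when a
 * full KEY_BLOCK_LEN bytes follow it). Writes up to `max` block offsets into
 * `offsets`; returns the number of blocks found, which may exceed `max`.
 * After a hit the scan resumes at the end of that block. */
size_t scan_keys(const uint8_t *dump, size_t len, size_t *offsets, size_t max)
{
    size_t found = 0;
    if (len < KEY_BLOCK_LEN)
        return 0;
    for (size_t i = 0; i + KEY_BLOCK_LEN <= len;) {
        if (is_marker(dump + i)) {
            if (found < max)
                offsets[found] = i;
            found++;
            i += KEY_BLOCK_LEN;
        } else {
            i++;
        }
    }
    return found;
}

/* Marker variant (0x01 or 0x02) of the block at `off`, so a caller can report
 * which flavour a dump uses instead of finding it by hand in a hex editor. */
uint8_t key_block_variant(const uint8_t *dump, size_t off)
{
    return dump[off];
}

/* Constructed sample dump (not a real scope dump): 0xFF filler, one
 * 0x02-style block at offset 40, one 0x01-style block at offset 300, and a
 * truncated marker in the last 4 bytes that must NOT be counted. */
#define SAMPLE_LEN 512
uint8_t sample[SAMPLE_LEN];

size_t build_sample(void)
{
    const uint8_t m2[MARKER_LEN] = {0x02, 0x00, 0x84, 0x00, 0x10, 0x00};
    const uint8_t m1[MARKER_LEN] = {0x01, 0x00, 0x84, 0x00, 0x10, 0x00};
    memset(sample, 0xFF, sizeof sample);
    memcpy(sample + 40, m2, MARKER_LEN);
    memcpy(sample + 300, m1, MARKER_LEN);
    memcpy(sample + SAMPLE_LEN - 4, m2, 4); /* too short for a whole block */
    return SAMPLE_LEN;
}

int main(void)
{
    size_t offs[8];
    build_sample();
    size_t n = scan_keys(sample, SAMPLE_LEN, offs, 8);
    printf("%zu key block(s)\n", n);
    for (size_t k = 0; k < n; k++)
        printf("  offset 0x%zx, marker byte 0x%02x\n",
               offs[k], key_block_variant(sample, offs[k]));
    return 0;
}
```

Run against a real dump by reading the file into a buffer and calling scan_keys() on it; the variant byte tells you whether the unit is one of the 0x01 or 0x02 flavours without patching and recompiling the tool for each.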

Offline mightyzen

  • Contributor
  • Posts: 36
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #4342 on: April 22, 2017, 10:36:36 PM »
I've been doing that for about a week or so, but the TWI functions discovered so far are slave mode, not master mode; a lot of stuff is happening via DMA transfers to/from the FPGA (assumption). They use VDK and threads, which makes reversing a pain in the ass: 8k subs, thousands of pointers... I'm slowly approaching the right subs. If anyone has IDA with the Blackfin CPU from the Rigol homebrew, I'm happy to share my custom GEL loader and IDA DB.

Anyone got that IDA DB (*.idb) from Cybernet back in 2013?
 

Offline Blisk

  • Contributor
  • Posts: 40
  • Country: si
Re: Sniffing the Rigol's internal I2C bus
« Reply #4343 on: April 25, 2017, 05:55:46 PM »
Is there a list of which oscilloscopes are hackable and can be upgraded?
 

Offline lifeclock

  • Newbie
  • Posts: 2
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4344 on: April 29, 2017, 05:47:20 AM »
Just want to confirm the hack still works on the scope below with a raspberry pi as the JTAG probe.

DS1074z-Plus
Software Version: 00.04.04.SP1
Board Version: 6.1.4

The JTAG connector was missing on my board so I had to solder a connector in.
The memory dump took 4-5 hours, but that beats spending money and waiting on shipping for a proper JTAG probe.

Steps Followed


Good luck! And thanks to everyone that made this possible!
« Last Edit: April 29, 2017, 08:07:22 AM by lifeclock »
 

Offline kattyil

  • Newbie
  • Posts: 2
  • Country: sg
Re: Sniffing the Rigol's internal I2C bus
« Reply #4345 on: April 29, 2017, 07:30:56 PM »
Good day everyone,

My DSA-815TG runs the current firmware 1.18 on hardware 0.04 with boot loader 1.03. Generating keys with RIGLOL and activating them under 1.18 works perfectly fine; the 10 Hz RBW option was accepted but obviously has no effect as this option is available by default these days. All other options except for the last one are active as expected.

The new option SSC-DSA is shown as inactive and has no trial license. Experimenting with code AAAG in Riglol has no effect.

Any thoughts? Where does the code sequence (AAAE or SAAE) come from?

Raj
 

Offline ted572

  • Frequent Contributor
  • **
  • Posts: 312
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #4346 on: May 08, 2017, 08:01:20 AM »
Good day everyone,
My DSA-815TG runs with the current Firmware 1.18 under Hardware 0.04 and boot loader 1.03. Generating keys with RIGLOL and activating the same under 1.18 works perfectly fine, the 10Hz RBW option was accepted but obviously has no effect as this option is available per default these days. All other options except for the last one are active as expected.
Raj
Hello Raj: I understand from reading your post that you installed the Rigol options with firmware 00.01.18 installed.
This is the first time I have heard of anyone being able to use the Riglol key generator to install option license codes on a DSA815 with firmware 00.01.09 or above, on any hardware (old/new) version.
To follow this, go to -> http://www.eevblog.com/forum/testgear/spectrum-analyzer-rigol-dsa815/msg1203247/#msg1203247
« Last Edit: May 09, 2017, 11:23:01 AM by ted572 »
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 348
  • Country: us
    • Kilbourne Astronomics
Re: Sniffing the Rigol's internal I2C bus
« Reply #4347 on: May 11, 2017, 08:36:54 PM »
Good day everyone,
My DSA-815TG runs with the current Firmware 1.18 under Hardware 0.04 and boot loader 1.03. Generating keys with RIGLOL and activating the same under 1.18 works perfectly fine, the 10Hz RBW option was accepted but obviously has no effect as this option is available per default these days. All other options except for the last one are active as expected.
Raj
Hello Raj: I understand from reading your post that you installed the Rigol options with firmware 00.01.18 installed.
This is the first time I have heard of anyone being able to use the Riglol key generator to install option license codes on a DSA815 with firmware 00.01.09 or above, on any hardware (old/new) version.
To follow this, go to -> http://www.eevblog.com/forum/testgear/spectrum-analyzer-rigol-dsa815/msg1203247/#msg1203247

Ted,
I firmly believe the bootloader is the key here, not the FW version or the combination of bootloader and firmware. Note his bootloader is
Quote
my DSA-815TG runs with the current Firmware 1.18 under Hardware 0.04 and boot loader 1.03
All of those having problems are using boot loader 1.04, such as myself. I do not know what the interaction with the boot loader is, but having followed this endless thread FOREVER, it is more in common than anything else.

Has anyone looked at re-flashing bootloader 1.03 onto a DSA815?
does anyone know which bootloader they are using?

also note the new key format
old keys looked like
RUZ9H-5RUJKS-USSAW-23VUTY  (made up)
new look like
4f5RbEMlOl93wo5IOyoLWiYGR6jjUo (again made up)

and FWIW, those new keys don't work on Boot1.04, HW08,FW.18 even when supplied by rigol. :-// 
« Last Edit: May 11, 2017, 08:42:04 PM by smgvbest »
Sandra
(Yes, I am a Woman :p )
 

Offline ted572

  • Frequent Contributor
  • **
  • Posts: 312
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #4348 on: May 11, 2017, 10:22:16 PM »
Ted, I firmly believe the bootloader is the key here, not the FW version or the combination of bootloader and firmware. Note his bootloader is
Quote
my DSA-815TG runs with the current Firmware 1.18 under Hardware 0.04 and boot loader 1.03
All of those having problems are using boot loader 1.04, such as myself. I do not know what the interaction with the boot loader is, but having followed this endless thread FOREVER, it is more in common than anything else.

Has anyone looked at re-flashing bootloader 1.03 onto a DSA815?
does anyone know which bootloader they are using?

also note the new key format
old keys looked like
RUZ9H-5RUJKS-USSAW-23VUTY  (made up)
new look like
4f5RbEMlOl93wo5IOyoLWiYGR6jjUo (again made up)

and FWIW, those new keys don't work on Boot1.04, HW08,FW.18 even when supplied by rigol. :-//

1. No one currently has been able to install or flash in a old/new/replacement/etc BootLoader.
2. I have a older DSA815 with Main Board 4 and BootLoader 3.  So I'm not having any issue here, just trying to aid others.
3. When Rigol released firmware (FW) 00.01.09, all of us, with either the older or the newer DSA815 hardware, were NO LONGER able to install previous/older FW.
4. Although, those of us with BootLoader 2 or 3 can still revert to the older/previous firmware and consequently activate the FW-embedded options using the RigLoL key generator. And it doesn't matter if the trials are still there or not, the options will be activated. After all they are still there in the FW, and then we can re-install the newest FW update. And all is still there.
5. Re. your -> RUZ9H-5RUJKS-USSAW-23VUTY (made up), where new look like -> 4f5RbEMlOl93wo5IOyoLWiYGR6jjUo (again made up). This is not actually the case; you have to enter the code without any 'dashes' (hyphens) when you activate an option in either an old or newer DSA815. This has always been true (no change here whatsoever).
6. I don't think that the version 4 BootLoader has anything to do with not being able to Activate the Option (hey, I could be wrong).
7. Although if you could get BootLoader 2 or 3 in your Newer DSA815, then you also would be able to downgrade to FW00.01.08, or earlier (with the FW Install Boot Method) and Activate the Options, and then install the very latest FW again.
8. If you are not familiar with the DSA815 'FW Install Boot Method' I posted it below (Reply #4355).
« Last Edit: May 11, 2017, 10:55:48 PM by ted572 »
 

Offline ted572

  • Frequent Contributor
  • **
  • Posts: 312
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #4349 on: May 11, 2017, 10:50:46 PM »
The DSA815 'FW Install Boot Method'
 

