Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1090682 times)


Offline ted572

  • Frequent Contributor
  • Posts: 297
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #4325 on: February 24, 2017, 05:15:26 AM »
Now the later firmware for the DSA815 includes 10 Hz resolution, rendering the most useful hack obsolete. Did anyone work out how to remove licence keys from an 815?
No, we still do not know how to remove any previously installed option license. But it is not necessary to remove the license key. The 10 Hz RBW will work fine now with or without the license (option 3) activated.
« Last Edit: February 24, 2017, 05:17:07 AM by ted572 »
 

Offline Solder_Junkie

  • Regular Contributor
  • Posts: 66
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #4326 on: February 24, 2017, 06:06:51 AM »
It would be nice to remove the licence keys in case it ever needs repair; the only hack that is useful to me is the 10 Hz b/w one, and that's now included.

No worries, I'll cross my fingers that it keeps working.
 

Offline Mike_H

  • Contributor
  • Posts: 6
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #4327 on: March 09, 2017, 02:13:11 AM »
A quick post to say thank you to all the hard work that this thread represents.

After 3 days of reading and playing, I was able to enable the options I wanted on my new-to-me 2302A.
For the record my firmware is 3.05

Thanks again!  :-+
 

Offline cybernet

  • Regular Contributor
  • Posts: 240
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #4328 on: March 10, 2017, 12:02:01 PM »
fun to see that this rigol hacking is still going on ;-) :-DD
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline Gennady

  • Newbie
  • Posts: 1
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4329 on: March 11, 2017, 10:48:04 PM »
Hi all,
Whoever used a J-Link (J-Link V8 ARM USB-JTAG) to download a memory dump from an MSO1074Z, please tell me the pinout connections. TCK, TMS, TDI and TDO are clear. But where do I connect TRST, VREF and SRST (which pins of the J-Link)?

Thanks for any help!
 

Offline Co6aka

  • Supporter
  • Posts: 214
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4330 on: March 12, 2017, 02:23:25 AM »
fun to see that this rigol hacking is still going on ;-) :-DD

Reminds me of "i aM eLiTe!!!! gIvE mE wArEz D00dZ!!!!!!!!!!"  :-DD

Co6aka says, "BARK! and you have no idea how humans will respond."
 

Offline mightyzen

  • Contributor
  • Posts: 36
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #4331 on: April 01, 2017, 08:26:04 PM »
I've been doing that for about a week or so, but the TWI functions discovered so far are slave mode, not master mode; a lot of stuff is happening via DMA transfers to/from the FPGA (assumption). They use VDK and threads, which makes reversing a pain in the ass: 8k subs, thousands of pointers... I'm slowly approaching the right subs. If anyone has IDA with the Blackfin CPU from Rigol homebrew, I'm happy to share my custom GEL loader and IDA DB.

I've been looking into the firmware for the past few weeks to try to enable the 50 ohm option on a non-A DS2k model with v2 hardware. I would expect this to be a simple enough patch as long as I could find the handling of the SCPI "CHAN1:IMP FIFTY" command.

I'm just lost in those 8k subs and simply fail to find the references to the "FIFTY" and "OMEG" strings. Could someone please point me in the right direction?
 

Offline DoMaLo

  • Newbie
  • Posts: 2
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4332 on: April 03, 2017, 08:32:49 PM »
Hello everybody. I have an MSO1104Z, board version 2.1.4, SV 00.04.04.SP1. I took a dump using a J-Link Ultra+ in J-Link Commander and OpenOCD. Rigup 0.4.1 (MSO1000Z) and 0.4.2 print "No keys" for both dumps. What can I do to unlock my oscilloscope?
 

Offline Gluk

  • Contributor
  • Posts: 9
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4333 on: April 06, 2017, 08:24:39 AM »
What do you think about the resistors of about 3 kΩ near the FPGA and the JTAG header in the :-BROKE MSO1074Z? Maybe it is a config divider?
« Last Edit: April 07, 2017, 07:19:56 AM by Gluk »
 

Offline DoMaLo

  • Newbie
  • Posts: 2
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4334 on: April 07, 2017, 06:22:14 PM »
I think these are pull-up and pull-down resistors for the JTAG chain, because I have worked with Actel FPGAs and the typical JTAG chain for the ProASIC3E Flash family with FlashPro has such resistors. The circuit I used for my project is in the attachment.
« Last Edit: April 07, 2017, 06:59:50 PM by DoMaLo »
 

Offline Gluk

  • Contributor
  • Posts: 9
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4335 on: April 07, 2017, 10:39:43 PM »
Friends, yes! The resistors near the JTAG header set the config. They are labelled "hardware version" and "sp version". The upper resistor line is pull-up, the lower one is pull-down.

Does somebody want to play with these pull-ups/pull-downs? $)
 

Offline Gluk

  • Contributor
  • Posts: 9
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4336 on: April 07, 2017, 11:48:05 PM »
Quote
the JTAG pullup/down resistors are there purely to enable robust JTAG data transfer.

These resistors are not connected to the JTAG pins!

They are connected to the pins near the JTAG header. And they are labelled!
 

Online ebastler

  • Frequent Contributor
  • Posts: 718
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4337 on: April 08, 2017, 12:03:42 AM »
These resistors are not connected to the JTAG pins!
They are connected to the pins near the JTAG header. And they are labelled!

Yes, I realized that and pulled my earlier post in the meantime. But I am afraid the "version" resistors are there simply to let the software know about different historical board revisions, which may require slightly different software control. I don't think these will enable any options.

After all, one can buy software upgrade codes for the MSO scopes, right? As these upgrades do not require the user to re-solder any internal resistors, I believe that the options are enabled and disabled purely based on keys stored in EEPROM.
 

Online ebastler

  • Frequent Contributor
  • Posts: 718
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4338 on: April 08, 2017, 12:05:42 AM »
On a more general note, I must admit that I have lost track of this thread. Is there a proven method for enabling options on the MSO1000Z and DS1000Z-plus scopes? If so, could someone post a summary or a link please? Many thanks!
 

Offline Gluk

  • Contributor
  • Posts: 9
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4339 on: April 08, 2017, 01:20:05 AM »
ebastler, yes! I'm doing it now. Later I can post a summary.
Or just see page #150, post by smgvbest.
 

Online ebastler

  • Frequent Contributor
  • Posts: 718
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4340 on: April 08, 2017, 03:32:43 AM »
ebastler, yes! I'm doing it now. Later I can post a summary.
Or just see page #150, post by smgvbest.

Ahhh, that indeed looks like step-by-step instructions, and nicely illustrated too!
Wow, how did you find that post in the 174-page thread?  :-+

Once you have confirmed that this works, maybe we can ask andyturk (who started this thread) to include a link in the first post.
 

Offline McBryce

  • Frequent Contributor
  • Posts: 909
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4341 on: April 09, 2017, 09:23:31 PM »
ebastler, yes! I'm doing it now. Later I can post a summary.
Or just see page #150, post by smgvbest.

Ahhh, that indeed looks like step-by-step instructions, and nicely illustrated too!
Wow, how did you find that post in the 174-page thread?  :-+

Once you have confirmed that this works, maybe we can ask andyturk (who started this thread) to include a link in the first post.

I used the method on page 150 from smgvbest to "liberate" my MSO1104z-s and can confirm that it works.

McBryce.
 

Offline edgelog

  • Newbie
  • Posts: 4
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4342 on: April 21, 2017, 02:58:50 AM »
I have the exact same version as DoMaLo (v00.04.04.SP1, board 2.1.4). Tried with an Olimex, dumping the memory during the boot-up logo and afterwards at various intervals. All the dump files look good, as judged by all the strings in there looking reasonable (there are a lot of them: HTML pages, CSS files, a lot of help strings), but rigup 0.4.1 for MSO1000Z says "no keys".

I also looked through the dump file for anything similar to the pattern given in rigup's utils.c, in the ScanKeys function, and I can find nothing that matches the length of the keys or the hex prefix of the block.

It looks to me as if the keys simply aren't there anymore.  :palm:
 

Offline Gluk

  • Contributor
  • Posts: 9
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4343 on: April 21, 2017, 07:25:18 PM »
I have the exact same version as DoMaLo (v00.04.04.SP1, board 2.1.4). Tried with an Olimex, dumping the memory during the boot-up logo and afterwards at various intervals. All the dump files look good, as judged by all the strings in there looking reasonable (there are a lot of them: HTML pages, CSS files, a lot of help strings), but rigup 0.4.1 for MSO1000Z says "no keys".

Make the dump after boot completes! An early dump doesn't have the keys. I used rigup-0.4.2-x86_64-win, got the keys, and hacked it completely.
 

Offline edgelog

  • Newbie
  • Posts: 4
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4344 on: April 22, 2017, 03:59:44 AM »
Make the dump after boot completes! An early dump doesn't have the keys. I used rigup-0.4.2-x86_64-win, got the keys, and hacked it completely.

I have tried rigup-0.4.2-x86_64-win.exe with 6 different file dumps taken at varying points in time, all the way from during the logo to more than five minutes after the boot completed, and nothing but "no keys". What version of firmware do you have? Same as mine (00.04.04.SP1)?
 

Offline edgelog

  • Newbie
  • Posts: 4
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4345 on: April 22, 2017, 05:29:09 AM »
OK, found the problem. Rigup was modified to work with the MSO1000Z series by looking for a block of bytes beginning with the sequence 01 00 84 00 10 00, while the DS1000Z (and other models?) use 02 00 84 00 10 00. By poking around in the dump files with a hex editor, I found that for my scope at least the sequence is 02 00 84 00 10 00, which you're not supposed to see in an MSO. So not all MSOs are alike.

Just for clarity, this MSO1104Z with firmware 00.04.04.SP1 uses the sequence 0x02 0x00 0x84 0x00 0x10 0x00.

Fix: if you download rigup-0.4.1-mso1000z.zip from gotroot.ca, open utils.c; in the function ScanKeys(), uncomment the first static const and comment out the second, so it looks like this afterwards:

Code:
/* utils.c, ScanKeys(): total length of one key block (6-byte prefix + the fields that follow it) */
const unsigned int sequenceSize = 6 + 16 + 2 + 2*16 + 2 + 8 + 2 + 64;
/* prefix found in this MSO1104Z (firmware 00.04.04.SP1), the same one the DS1000Z uses */
static const uint8_t seq_1_ref[] = {0x02, 0x00, 0x84, 0x00, 0x10, 0x00};
/* original MSO1000Z prefix, disabled */
//static const uint8_t seq_1_ref[] = {0x01, 0x00, 0x84, 0x00, 0x10, 0x00};

Then recompile:

Code:
make clean
make all

After this, I got all the keys, could generate all licenses, and all of them were accepted. Yay!
« Last Edit: April 22, 2017, 05:54:54 AM by edgelog »
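The scan edgelog describes, and the suggestion later in the thread that rigup should simply accept either 0x01 or 0x02 as the first byte, as an added example (this is not rigup's code and not from any post on the page). It takes only the 6-byte prefix and the block length from the sequenceSize expression quoted above; the meaning of the individual fields after the prefix is not stated on the page and is not assumed here. The dump it scans is constructed inline, and the candidate placed too close to the end of the buffer exists to show that a truncated block is rejected rather than reported.

```c
/* Added example, not rigup's own code: find candidate key blocks in a
 * memory dump by their 6-byte prefix, accepting 0x01 (MSO1000Z build of
 * rigup) or 0x02 (DS1000Z, and edgelog's MSO1104Z) as the first byte. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Block length taken from the sequenceSize expression in the post:
 * 6-byte prefix + 16 + 2 + 2*16 + 2 + 8 + 2 + 64 = 132 bytes. */
#define SEQ_SIZE (6 + 16 + 2 + 2*16 + 2 + 8 + 2 + 64)

/* Bytes 1..5 of the prefix; byte 0 is checked separately. */
static const uint8_t seq_tail[] = {0x00, 0x84, 0x00, 0x10, 0x00};

/* 1 if a complete candidate block starts at buf[off], else 0.
 * A prefix with fewer than SEQ_SIZE bytes left is a truncated block. */
static int is_key_block(const uint8_t *buf, size_t len, size_t off)
{
    if (off + SEQ_SIZE > len)
        return 0;
    if (buf[off] != 0x01 && buf[off] != 0x02)
        return 0;
    return memcmp(buf + off + 1, seq_tail, sizeof seq_tail) == 0;
}

/* Scan buf; store up to max block offsets; return the number found.
 * Blocks are assumed not to overlap, so the scan resumes past each hit. */
size_t scan_key_blocks(const uint8_t *buf, size_t len,
                       size_t *offsets, size_t max)
{
    size_t found = 0;
    for (size_t off = 0; off + SEQ_SIZE <= len; off++) {
        if (is_key_block(buf, len, off)) {
            if (found < max)
                offsets[found] = off;
            found++;
            off += SEQ_SIZE - 1;
        }
    }
    return found;
}

/* Constructed test dump (not a real scope dump): 0xff filler, a 0x02-prefixed
 * block at offset 40, a 0x01-prefixed block at offset 300, and a prefix with
 * only 10 bytes left at the end, which must be ignored as truncated. */
#define DUMP_LEN 512
static uint8_t dump[DUMP_LEN];
size_t found_offsets[8];

static void build_test_dump(void)
{
    static const uint8_t p2[] = {0x02, 0x00, 0x84, 0x00, 0x10, 0x00};
    static const uint8_t p1[] = {0x01, 0x00, 0x84, 0x00, 0x10, 0x00};
    memset(dump, 0xff, DUMP_LEN);
    memcpy(dump + 40, p2, sizeof p2);
    memcpy(dump + 300, p1, sizeof p1);
    memcpy(dump + DUMP_LEN - 10, p2, sizeof p2);
}

/* Build the test dump, scan it, and return the number of blocks found;
 * their offsets are left in found_offsets[]. */
size_t run_scan(void)
{
    build_test_dump();
    return scan_key_blocks(dump, DUMP_LEN, found_offsets, 8);
}

int main(void)
{
    size_t n = run_scan();
    printf("%zu candidate key block(s)\n", n);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("  block %zu at offset 0x%zx, first byte 0x%02x\n",
               i, found_offsets[i], dump[found_offsets[i]]);
    return 0;
}
```

To run this over a real dump, replace build_test_dump() with a read of the dump file into a buffer and pass that buffer and its length to scan_key_blocks(); the offsets it returns are the positions rigup would then parse. Remember Gluk's point above: a dump taken before the scope has finished booting may contain no block at all, which is a different failure from a mismatched prefix byte.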
 

Offline Gluk

  • Contributor
  • Posts: 9
  • Country: ru
Re: Sniffing the Rigol's internal I2C bus
« Reply #4346 on: April 22, 2017, 07:17:58 AM »
edgelog, is it a joke from Rigol with the latest firmware?  :phew:
 

Offline edgelog

  • Newbie
  • Posts: 4
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4347 on: April 22, 2017, 07:28:38 AM »
Maybe, but it did have me worried for a while.
I think maybe the solution would be for rigup to accept 0x01 and 0x02 in that sequence. It's unique anyway.
 

Offline mightyzen

  • Contributor
  • Posts: 36
  • Country: nl
Re: Sniffing the Rigol's internal I2C bus
« Reply #4348 on: April 22, 2017, 10:36:36 PM »
I've been doing that for about a week or so, but the TWI functions discovered so far are slave mode, not master mode; a lot of stuff is happening via DMA transfers to/from the FPGA (assumption). They use VDK and threads, which makes reversing a pain in the ass: 8k subs, thousands of pointers... I'm slowly approaching the right subs. If anyone has IDA with the Blackfin CPU from Rigol homebrew, I'm happy to share my custom GEL loader and IDA DB.

Has anyone got that IDA DB (*.idb) from cybernet back in 2013?
 

