
Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1346947 times)


Offline LeoIt

  • Newbie
  • Posts: 4
  • Country: it
Re: Sniffing the Rigol's internal I2C bus
« Reply #4375 on: August 21, 2017, 08:16:30 AM »
Hello everybody,

I have a question about DSA815....

I searched a lot in the forum to get information about the component U1220; it is a SOIC8 marked as MQD2C.... I didn't find what it is. Could somebody out there help? It seems connected to the 4-pin strip near the power supply connector; I suppose it is something controlled by TWI or SPI?

Maybe it is a serial flash that contains some calibration or configuration data?

Any help is much appreciated !

Many Thanks.
« Last Edit: August 21, 2017, 08:19:37 AM by LeoIt »
 

Offline TurboTom

  • Frequent Contributor
  • **
  • Posts: 276
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4376 on: August 21, 2017, 09:40:25 AM »
This chip appears to be an 8 bit microcontroller, MC9S08QD2, see the datasheet here: http://www.nxp.com/docs/en/data-sheet/MC9S08QD4.pdf.

If the 2k of memory that it contains is enough for calibration data is something I'd doubt. But it could well be involved in license management. Yet more probable is that it's used for something much more mundane, like generating a power good signal/reset circuitry as it features four A/D channels. Food for thought...

Cheers,
Thomas
 

Offline LeoIt

  • Newbie
  • Posts: 4
  • Country: it
Re: Sniffing the Rigol's internal I2C bus
« Reply #4377 on: August 22, 2017, 05:58:12 AM »
Thank you very much TurboTom !

You are right, it should be an HCS08 micro; the power supply pins are quite strange, not much used (+3 and -4), and are compatible. Also, pins 1 - Reset and 2 - BKGD are connected to the strip (probably used for programming or configuration and.... single-wire "debugging" ;-).....

I agree with you, its memory (2K Flash) is too small for DSA calibration data.....

Because its power supply seems separated from the main DSP and related chips, I think it will be used to power up the instruments....
I mean to make the fading blink of the ON/OFF button and to check its status to turn ON and OFF the entire system.

I hope, but not sure, it is not used like a sort of hardware key to identify each device.
Or used to store the MAC address and other unique information of the instrument (but for this they should use the U1105 FRAM .... ? ).

Thank you again for your help....

Bye...
 

Offline TurboTom

  • Frequent Contributor
  • **
  • Posts: 276
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4378 on: August 23, 2017, 03:10:45 AM »
You're most probably right: The HCS08 variant appears to be part of several of Rigol's designs that feature the BlackFin processor as the digital core and a soft power button, see here the DS2000 (as per Dave's teardown photos, in the lower right corner, yet here it's the 4kB variant):
https://www.flickr.com/photos/eevblog/8022098878/in/album-72157631618295437

Similar situation for the DM3068, the DG4000 series and also the DS4000, yet in the latter Rigol uses a higher pin count / memory variant of the HCS08 series, the MC9S08JM60.

On the contrary, the DS1000Z series doesn't seem to contain the HCS08 controller and this instrument features a "hard" power switch, so the usage of the controller for the soft power circuitry is very likely.

Cheers.
Thomas
« Last Edit: August 23, 2017, 03:13:03 AM by TurboTom »
 

Offline chevdor

  • Newbie
  • Posts: 1
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4379 on: August 24, 2017, 07:48:19 AM »
I have seen some questions several times (while searching myself) so I will try to provide a few facts based on my trials.

Using a Mac with an Olimex ARM-USB-OCH-H does work.
Just don't expect to see anything in /dev/cu*. This is OK so.

My scope is a MSO1104Z-S. This is a recently purchased (2017-08) scope with the latest firmware (00.04.04.SP3).
The board shows version v01.04_20141024 on the PCB.

You guys probably saw the great video at: http://www.youtube.com/watch?time_continue=7&v=OvcGn_ScG5w
This video helps a lot if you take your time. Highly recommended. Yes, you will need to open your scope.

A little surprise though, the JTAG headers are no longer part of the board. You still have the holes and traces in the PCB but no header. Surprising but not really an issue.

Newcomers will probably miss the openocd config files. They are here:
https://raw.githubusercontent.com/arduino/OpenOCD/master/tcl/target/imx28.cfg
https://raw.githubusercontent.com/arduino/OpenOCD/master/tcl/interface/ftdi/olimex-arm-usb-ocd-h.cfg

Compiling rigup on a Mac is a breeze. Follow the guides.

You may get an error when running openocd:
Error: An adapter speed is not selected in the init script. Insert a call to adapter_khz or jtag_rclk to proceed.

No panic, you can add the following line:
Code:
adapter_khz 5000
as line 34 in imx28.cfg

I did a few tests regarding the speed. Some failed, I am not sure whether it was due to the speed or the temperature.
I used a few fans during the process...

adapter_khz 1000 => works, just damn slow. Expect a dump in around 40-50 minutes. I did not wait...
adapter_khz 5000 => works. Around 10:30 minutes for the dump.
adapter_khz 8000 => failed me, the scope rebooted
adapter_khz 10000 => failed me, the scope rebooted

With adapter_khz 5000, the dump will take about 10:30 minutes. I got it to work 2/2 times with pins simply hanging around in the PCB holes... Do not shake your desk  :-DD and make sure your fan does not move things around too much.

I did not apply the 0x1C080 (100 MHz) obviously.

Respect to the team who put that together.  :-+

Rigol plays it smart on that one as I am sure they are aware that they end up selling more of their 'hackable' scopes, thus making more $$$ than selling a few software options that are anyway harder to buy on their site than it is to find this thread!

A little warning though, you do need a few tools to get this to work:
- TX10 screwdriver
- 14mm flat wrench helps
- a fan is probably recommended
- a good lamp :)
- some stickers (not for the sticker, but for the waxed paper supporting them)
- clean headers (2x 5 pins). Those won't be soldered so clean them up or use new ones. Forget those 5 years old headers you used 20 times...
- a few clean cables: if you start messy, chances of success will decrease...

Good luck

« Last Edit: August 30, 2017, 06:32:55 PM by chevdor »
 

Offline El Viking

  • Newbie
  • Posts: 1
  • Country: fr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4380 on: September 02, 2017, 11:39:33 PM »
hi,

On a MSO1074z, software version 00.04.04.SP1, board version 2.1.4 a very new scope, delivery this week. Jtag was not populated.
I use a PC on W10-64-pro.
I set up the olimex arm...h (some problems with the driver, solved with zadig).
I use rigup w64 version 0.4.2 from
I dump memory with openocd 0.10.0

The first time I used rigup-0.4.2-x86_64-win.zip ==> good txt file, with good serial number, but the license number doesn't work ==> invalid licence
I made many dumps.... same txt file, same key...
The second time I tried with rigup-0.4.2-i686-win.zip ==> same txt file, but license key accepted by the scope...
Now the MSO is full option; I have already tested the RS232 decode, it runs correctly.

Many thankssss to the working team!!!!


 

Online ironcurtain

  • Contributor
  • Posts: 11
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4381 on: November 08, 2017, 04:33:52 PM »
I'm really considering getting a Rigol since I have to diagnose some RFI issues in some projects and it will come in handy for lots of stuff down the line. I have IDA 6.X with the decompilers (did not pay for the last upgrade haha!) and can do reversing if needed.

What is the status of the hack right now? Is there a bandwidth upgrade from 70 to 100 or 100 to 200 as it used to be? How about options?
If I end up getting a Rigol I will likely buy off Batronix since I'm in Europe... so I'm limited to whatever they are shipping right now.

Luckily it seems you can downgrade FW since they don't use any sort of e-fuses...

Cheers!
 

Offline H.O

  • Frequent Contributor
  • **
  • Posts: 528
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4382 on: November 11, 2017, 03:28:39 AM »
"A Rigol" is pretty vague since they have at least 4 different series of scopes and DSO/MSO models in each series (except possibly the DS6000 series). If I'm not mistaken the unlock process is a bit different on different models. For some you might need to dump the firmware while on others all you need to do is generate an option key and install it.

I'm not up to speed on it all but if you specify which model you're considering someone might give you a better answer.

With that said, their Ultra Vision platform is >5 years old now and depending on your needs there might be other suitable options.
 

Online wldshy

  • Newbie
  • Posts: 4
  • Country: cn
Re: Sniffing the Rigol's internal I2C bus
« Reply #4383 on: November 14, 2017, 01:00:36 AM »
hi,
I really wanna know whether the new Rigol DS2000E/4000E series can be hacked. Especially the DS4014E is a very affordable choice, only if it can be hacked to 500MHz BW.
 

Online ironcurtain

  • Contributor
  • Posts: 11
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4384 on: November 18, 2017, 02:02:11 PM »
Quote from: H.O
"A Rigol" is pretty vague since they have at least 4 different series of scopes and DSO/MSO models in each series (except possibly the DS6000 series). If I'm not mistaken the unlock process is a bit different on different models. For some you might need to dump the firmware while on others all you need to do is generate an option key and install it.

I'm not up to speed on it all but if you specify which model you're considering someone might give you a better answer.

With that said, their Ultra Vision platform is >5 years old now and depending on your needs there might be other suitable options.

Thanks a lot for responding. I should have been more specific:

- I would like at least 200MHz achievable bandwidth either thru hacks or off the shelf. If I can score a DSO going higher than that through hacks, that would be great.
- Use will be debugging, looking at unknown signals from MCUs, diagnosing issues with resonators and some RF work, mostly repairs and such.
- I would love to have the ability to get FFTs and other math transformations. If it has a built-in decoder for signals... that would even be better!

I was looking at this Siglent unit:
https://www.batronix.com/shop/oscilloscopes/Siglent-SDS1202X+.html

But Rigol seems a lot more geared towards hobbyists, so I will definitely appreciate your suggestions.  Either way I have reverse engineering experience and got the necessary tools at hand including a (legitimate) pro licensed IDA with decompilers :)
 

Offline H.O

  • Frequent Contributor
  • **
  • Posts: 528
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4385 on: November 18, 2017, 11:50:03 PM »
FFT is not something I personally use but from what I understand Rigol isn't doing very well in that department (you can always export the data and perform the FFT on the PC if needed).

Since you're considering the Siglent SDS1202X I'm guessing 2 channels is "all you need"? If that's the case and 200MHz is "enough" then there's a lot to choose from but I'd personally put 4 channels way above good FFT functionality and I would not spend money on a built in function gen, I think it's better to have a separate unit. But that's me.

Take a look at the Siglent SDS1202X-E, and if you need four channels wait for the four channel version in that series (I hear Dave has one for teardown/review so it'll probably show up sooner than later).

I don't know about hacks on anything except Rigol and I don't know if the new DS2000E and DS4000E series are hackable and if so to what extent. All I can really say from personal experience is that the DS4000 series ARE (closed case) hackable to enable full bandwidth (500MHz) and all the options (which you now get for free anyway).

There are SO many considerations to make (which is shown again and again and again in all the "which scope is right for me" threads) but, as was said in another thread, if you want 4 channels and a lot of bandwidth then a DS4014 probably STILL is a good option despite it being 5-6 years old now.

For a general purpose scope, today, I'd want the R&S RTB2000 and I probably would've gotten one if the bastards would have offered the introductory deal in Europe and not only in the US.

And at the lower end the upcoming 4 channel Siglent is going to be interesting, since you mention 200MHz that might just be the unit for you.

But comparing a $400-500 Siglent SDS1202X-E to a $2000 Rigol DS4000 or a $3000 RTB2004 (200MHz) isn't really "fair" from any perspective.
 

