Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1349317 times)


Offline cybernet

  • Regular Contributor
  • *
  • Posts: 246
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #625 on: July 24, 2013, 07:27:38 AM »
hi mickpah,

check http://urjtag.org/book/_system_requirements.html - as the uClinux JTAG proxy is using urjtag I would believe all of them are supported.

a dump from the bfin-jtag tool lists:

Code: [Select]
List of supported cables:
ARCOM           Arcom JTAG Cable
ByteBlaster     Altera ByteBlaster/ByteBlaster II/ByteBlasterMV Parallel Port Download Cable
DLC5            Xilinx DLC5 JTAG Parallel Cable III
EA253           ETC EA253 JTAG Cable
EI012           ETC EI012 JTAG Cable
FT2232          Generic FTDI FT2232 Cable
ARM-USB-OCD     Olimex ARM-USB-OCD[-TINY] (FT2232) Cable
ARM-USB-OCD-H   Olimex ARM-USB-TINY-H (FT2232H) Cable
Flyswatter      TinCanTools Flyswatter (FT2232) Cable
gnICE           Analog Devices Blackfin gnICE (FT2232) Cable (EXPERIMENTAL)
gnICE+          Analog Devices Blackfin gnICE+ (FT2232H) Cable (EXPERIMENTAL)
JTAGkey         Amontec JTAGkey (FT2232) Cable
KT-LINK         KrisTech KT-LINK (FT2232H based) Cable
milkymist       Milkymist JTAG/serial (FT2232) Cable
OOCDLink-s      OOCDLink-s (FT2232) Cable (EXPERIMENTAL)
Signalyzer      Xverve DT-USB-ST Signalyzer Tool (FT2232) Cable (EXPERIMENTAL)
Turtelizer2     Turtelizer 2 Rev. B (FT2232) Cable (EXPERIMENTAL)
USB-JTAG-RS232  USB<=>JTAG&RS232 (FT2232) Cable (EXPERIMENTAL)
usbScarab2      KrisTech usbScarabeus2 (FT2232) Cable
USB-to-JTAG-IF  USB to JTAG Interface (FT2232) Cable (EXPERIMENTAL)
gpio            GPIO JTAG Chain
ICE-100B        Analog Devices ICE-X Cable (0x064B)
IGLOO           Excelpoint IGLOO JTAG Cable
jlink           Segger/IAR J-Link, Atmel SAM-ICE and others.
KeithKoep       Keith & Koep JTAG cable
Lattice         Lattice Parallel Port JTAG Cable
Minimal         Minimal Parallel Port JTAG Cable
MPCBDM          Mpcbdm JTAG cable
TRITON          Ka-Ro TRITON Starterkit II (PXA255/250) JTAG Cable
UsbBlaster      Altera USB-Blaster Cable
vsllink         Versaloon Link -- http://www.versaloon.com.
WIGGLER         Macraigor Wiggler JTAG Cable
WIGGLER2        Modified (with CPU Reset) WIGGLER JTAG Cable
xpc_ext         Xilinx Platform Cable USB external chain
xpc_int         Xilinx Platform Cable USB internal chain

maybe you'll find a cheaper option; for me it was the Amontec ...
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline zombie28

  • Regular Contributor
  • *
  • Posts: 69
Re: Sniffing the Rigol's internal I2C bus
« Reply #626 on: July 24, 2013, 07:29:38 AM »
I also looked at the DSA file for a couple of hours, not much luck - so far I didn't spot any hidden packed formats

There is clear text in the DSA file: "The length of license key must be less than 20 characters", so they may be using a different encoding method than in the DS2k.
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 246
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #627 on: July 24, 2013, 07:32:01 AM »
I also looked at the DSA file for a couple of hours, not much luck - so far I didn't spot any hidden packed formats

There is clear text in the DSA file: "The length of license key must be less than 20 characters", so they may be using a different encoding method than in the DS2k.

yes, but no code segments, only data stuff - and the magic bytes for the Xilinx FPGA bitstreams appear twice (as in DS2000 files)

Code: [Select]
xilinx fpga offsets - magic bytes: 0xAA 0x99 0x55 0x66

0x76DBB
0x13AD32
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline M. András

  • Super Contributor
  • ***
  • Posts: 1018
  • Country: hu
Re: Sniffing the Rigol's internal I2C bus
« Reply #628 on: July 24, 2013, 07:48:24 AM »
hahh according to that pdf file it has 3 damn 32MB DDR2 memories for acquisition, is it sooo expensive to stick a simple PC memory card in the scope for this purpose? and it costs hundreds of dollars premium? :palm:

32MB x 16 bits - so 3x 64MB x 8 bits.
thanks for the correction but the modules themselves are still cheap, looking at random chips at Digikey with the same sizes, 6-9/chip at 1k quantity; that still doesn't qualify for me not including more memory as standard on every scope unless it's already hit the upper limit of that FPGA inside this Rigol scope,
sorry for the off topic but I can tear out my hair when I see things like this, asking 300 bucks for the remaining memory size from that max 30 bucks worth of memory
 

Offline mickpah

  • Regular Contributor
  • *
  • Posts: 148
  • Country: au
    • Yeti Hacks
Re: Sniffing the Rigol's internal I2C bus
« Reply #629 on: July 24, 2013, 07:56:39 AM »

maybe you'll find a cheaper option; for me it was the Amontec ...

thanks, I did in total cost.
It's a bit of a sore point here. The media here call it the Australian tax. Companies like MS, Apple, Adobe and others add 15%-20% for no other reason than that we are an isolated market and they can. The polite term I think is being rogered.
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 246
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #630 on: July 24, 2013, 07:58:01 AM »
good point is you can use it for other stuff as well ;-) reversed a few other things by now with it, so worth every $ ;)
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline synapsis

  • Regular Contributor
  • *
  • Posts: 139
  • Country: us
    • Blackcow
Re: Sniffing the Rigol's internal I2C bus
« Reply #631 on: July 24, 2013, 07:59:50 AM »
sorry for the off topic but I can tear out my hair when I see things like this, asking 300 bucks for the remaining memory size from that max 30 bucks worth of memory

This is why I waited to buy my scope, and partially why I got involved in making an app.

But it did lead to another sale from them, my DG4062 should be here within the week.
 

Offline M. András

  • Super Contributor
  • ***
  • Posts: 1018
  • Country: hu
Re: Sniffing the Rigol's internal I2C bus
« Reply #632 on: July 24, 2013, 08:03:09 AM »
sorry for the off topic but I can tear out my hair when I see things like this, asking 300 bucks for the remaining memory size from that max 30 bucks worth of memory

This is why I waited to buy my scope, and partially why I got involved in making an app.

But it did lead to another sale from them, my DG4062 should be here within the week.
yeah that's a driving force, I hope I can get enough money to buy the little DS2k in less than 3 months cos I'm in need of a scope anyway and the Agilent 3k 200MHz MSO is way out of my pay grade atm (1.5 years of salary)
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 246
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #633 on: July 24, 2013, 08:14:07 AM »
Blessed google LOL:

*.pdf site:www.tequipment.net/ProductImages/Rigol/

*Declassification*.pdf site:www.tequipment.net/ProductImages/

http://lmgtfy.com/?q=you+know+how+to+use+google%2C+we+are+impressed+!
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1138
  • Country: es
Re: Sniffing the Rigol's internal I2C bus
« Reply #634 on: July 24, 2013, 08:17:13 AM »
I deleted my previous message; I consider it inappropriate and it does not contribute anything. Sorry.  :-[

http://www.tequipment.net/ProductImages/Rigol/DSA815/media/DSA815_doc_3.pdf
« Last Edit: July 24, 2013, 09:42:11 AM by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline marmad

  • Super Contributor
  • ***
  • Posts: 2986
  • Country: aq
    • DaysAlive
Re: Sniffing the Rigol's internal I2C bus
« Reply #635 on: July 24, 2013, 09:01:33 AM »
thanks for the correction but the modules themselves are still cheap, looking at random chips at Digikey with the same sizes, 6-9/chip at 1k quantity; that still doesn't qualify for me not including more memory as standard on every scope unless it's already hit the upper limit of that FPGA inside this Rigol scope,
sorry for the off topic but I can tear out my hair when I see things like this, asking 300 bucks for the remaining memory size from that max 30 bucks worth of memory

This is a discussion that has happened dozens of times already on this forum regarding development costs versus option costs. If you tear your hair out about this, what do you do for the cost of software only options (triggers, decodes, etc) which are just unlocked portions of FW code?  :)

BTW, the memory is connected via matched impedance traces to the two FPGAs, so I doubt just sticking a PC memory card in would provide the same performance.
« Last Edit: July 24, 2013, 09:13:13 AM by marmad »
 

Offline true

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: us
  • INTERNET
Re: Sniffing the Rigol's internal I2C bus
« Reply #636 on: July 24, 2013, 10:48:50 AM »
Updated code with zombie28's ecssign, removed seed.

I can confirm that doing a Security Erase does not revert the model, fix the serial, nor change license options.

EDIT: see my post slightly further ahead for updated code
« Last Edit: July 25, 2013, 10:59:02 AM by true »
 

Offline jonese

  • Contributor
  • Posts: 21
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #637 on: July 24, 2013, 12:17:18 PM »
One thing to consider that most here won't have noticed because they have a 2072.

I have a 2102.  I, like a lot of people, played originally with the LLLL VSA/DSA keys before the actual algo was discovered.  When I uninstalled those trials before installing the correct key for a 2202, my unit reverted to a 2072 and not its true 2102 model.  Applying the proper key did push it to 2202; my serial number is still valid.

It would seem the steps I took before installing the proper key removed the type of model branding that my unit had from the factory and it looks like it defaulted to the base model of 2072 instead of 2102.  My concern is that if/when the next firmware comes out that changes things around, I will be left with a 2072 base model.

There must be another piece of data that is stored in the unit to tell it what model it actually is.  It would be nice to put that back (even via JTAG if need be).
 

Offline alank2

  • Super Contributor
  • ***
  • Posts: 1710
Re: Sniffing the Rigol's internal I2C bus
« Reply #638 on: July 24, 2013, 02:43:21 PM »
One thing to consider that most here won't have noticed because they have a 2072.

I have a 2102.  I, like a lot of people, played originally with the LLLL VSA/DSA keys before the actual algo was discovered.  When I uninstalled those trials before installing the correct key for a 2202, my unit reverted to a 2072 and not its true 2102 model.  Applying the proper key did push it to 2202; my serial number is still valid.

What if what we've been calling the test keys are really configuration keys?  Maybe it isn't a bug that the model number STAYS across reboots, but the other options do not.  Maybe this is how they make a 2102 a 2102 at the factory.

I still wonder if there is a risk associated with older firmware (FW05) and setting both the 2102 and 2202 bits at the same time that causes the S/N to get mangled to a 14 digit ending in 00001.  But maybe the factory could set one bit or the other safely even with FW 05.

jonese:  If your unit is back to thinking it is a DS2072, just load the key that will turn it into a DS2102 again:

LLLLLLL-RLGLLDS-DSAJLLL-LLLLLLL
« Last Edit: July 24, 2013, 11:45:02 PM by alank2 »
 

Offline bleckers

  • Contributor
  • Posts: 10
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #639 on: July 24, 2013, 07:10:44 PM »
Updated code with zombie28's ecssign, removed seed.

I can confirm that doing a Security Erase does not revert the model, fix the serial, nor change license options.

You need to change your argument check to be the following:
Code: [Select]
/* Accept either 3 args with a compiled-in private_key, or 4 args with the key on the command line */
if (!((argc == 3 && strlen(private_key)) || argc == 4)) {
    show_help(argv[0]);
    exit(-1);
}

serial = strtoupper((unsigned char*)argv[1]);
options = strtoupper((unsigned char*)argv[2]);

if (argc == 4) {
    /* key given explicitly as the 4th argument */
    priv_key = strtoupper((unsigned char*)argv[3]);
} else {
    /* fall back to the compiled-in key */
    priv_key = strtoupper((unsigned char*)private_key);
}
Otherwise it doesn't accept the private key correctly and won't run if you don't put the private key in the command line options.
 

Offline Chalky

  • Regular Contributor
  • *
  • Posts: 91
  • Country: nz
Re: Sniffing the Rigol's internal I2C bus
« Reply #640 on: July 24, 2013, 07:52:14 PM »
:SYSTem:OPTion:INSTall LLLLLLLRLGLLDSDSA9LLLLLLLLLL
:SYSTem:OPTion:UNINSTall

:system:option:install LLLLLLLRLGLLDSVSA9LLLLLLLLLL
:SYSTem:OPTion:UNINSTall

Still DS2202  |O
Try without the uninstall, worked for me.
 

Offline olsenn

  • Frequent Contributor
  • **
  • Posts: 997
Re: Sniffing the Rigol's internal I2C bus
« Reply #641 on: July 25, 2013, 01:15:01 AM »
Going back to the .sys file for updating the DSA815: this file appears to contain the updates for all board components, including the FPGAs as well as the MCU. Perhaps this file is merely a container for individual firmwares?

Does having a serial number and a licence key allow the encryption keys to be reverse engineered, assuming some of the keys/primes from the DS2000 are similar across all Rigol lines?
« Last Edit: July 25, 2013, 01:46:35 AM by olsenn »
 

Offline Majorstrain

  • Contributor
  • Posts: 38
Re: Sniffing the Rigol's internal I2C bus
« Reply #642 on: July 25, 2013, 07:03:27 AM »
 

Offline Maalobs

  • Contributor
  • Posts: 16
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #643 on: July 25, 2013, 07:06:42 AM »
Going back to the .sys file for updating the DSA815: this file appears to contain the updates for all board components, including the FPGAs as well as the MCU. Perhaps this file is merely a container for individual firmwares?

I know nothing of it, but I got the impression that the DS2000 GEL-file also contains data for several firmwares in the oscilloscope, because both the software version and SPU/WPU/CCU/MCU version-numbers are changed when the scope is flashed.
« Last Edit: July 25, 2013, 07:35:47 AM by Maalobs »
 

Offline IanJ

  • Frequent Contributor
  • **
  • Posts: 716
  • Country: scotland
  • Pro EE guy many years ago, now it's a hobby.
    • IanJohnston.com
Re: Sniffing the Rigol's internal I2C bus
« Reply #644 on: July 25, 2013, 07:18:16 AM »
You're famous now 8)
http://hackaday.com/2013/07/24/a-keygen-for-the-rigol-2000-series-scopes/
Can I have your autograph?
;)

Don't forget Dave will be lapping this up also......the traffic through eevblog.com will surely increase as a result!

Ian.
 

Offline cybernet

  • Regular Contributor
  • *
  • Posts: 246
  • Country: 00
  • pm deactivated, use the search function ...
Re: Sniffing the Rigol's internal I2C bus
« Reply #645 on: July 25, 2013, 07:31:00 AM »
Going back to the .sys file for updating the DSA815: this file appears to contain the updates for all board components, including the FPGAs as well as the MCU. Perhaps this file is merely a container for individual firmwares?

I know nothing of it, but I got the impression that the DS2000 GEL-file also contains data for several firmwares in the oscilloscope, because both the software version and SPU/WPU/CCU/MCU version-numbers are changed when the scope is flashed.

DS2k file contains Xilinx FPGA streams too - as there are 2, I would suspect one for the display FPGA and one for the sampling FPGA
___________________
"all rights reversed :-)"
R0=-0x18;
UNLINK;
RTS;
 

Offline benemorius

  • Regular Contributor
  • *
  • Posts: 173
Re: Sniffing the Rigol's internal I2C bus
« Reply #646 on: July 25, 2013, 08:05:39 AM »
You're famous now 8)
http://hackaday.com/2013/07/24/a-keygen-for-the-rigol-2000-series-scopes/
Can I have your autograph?
;)

Don't forget Dave will be lapping this up also......the traffic through eevblog.com will surely increase as a result!

Ian.

Don't forget about Rigol either. Sales are going to go through the roof! Hopefully they notice and are able to figure out why. My money says either they will, or they have already. :-+
 

Offline Carrington

  • Super Contributor
  • ***
  • Posts: 1138
  • Country: es
Re: Sniffing the Rigol's internal I2C bus
« Reply #647 on: July 25, 2013, 10:21:36 AM »
I am sure the sales will continue going up, RIGOL have done good work and made a good machine.  :-+
I hope that in the future RIGOL continues doing so.  ^-^

P. S.: I also want an autograph, in a DS2202 sticker.
« Last Edit: July 25, 2013, 10:23:38 AM by Carrington »
My English can be pretty bad, so suggestions are welcome. ;)
Space Weather.
Lightning & Thunderstorms in Real Time.
 

Offline true

  • Frequent Contributor
  • **
  • Posts: 290
  • Country: us
  • INTERNET
Re: Sniffing the Rigol's internal I2C bus
« Reply #648 on: July 25, 2013, 10:26:52 AM »
Updated code with zombie28's ecssign, removed seed.

I can confirm that doing a Security Erase does not revert the model, fix the serial, nor change license options.

You need to change your argument check to be the following:
Code: [Select]
/* Accept either 3 args with a compiled-in private_key, or 4 args with the key on the command line */
if (!((argc == 3 && strlen(private_key)) || argc == 4)) {
    show_help(argv[0]);
    exit(-1);
}

serial = strtoupper((unsigned char*)argv[1]);
options = strtoupper((unsigned char*)argv[2]);

if (argc == 4) {
    /* key given explicitly as the 4th argument */
    priv_key = strtoupper((unsigned char*)argv[3]);
} else {
    /* fall back to the compiled-in key */
    priv_key = strtoupper((unsigned char*)private_key);
}
Otherwise it doesn't accept the private key correctly and won't run if you don't put the private key in the command line options.

I should have caught that, feel like an idiot, thanks! Fixed version attached.

EDIT: I shouldn't do this when tired. To the 3 who downloaded, please re-download, it was still bugged :(
« Last Edit: July 25, 2013, 10:56:06 AM by true »
 

Offline zombie28

  • Regular Contributor
  • *
  • Posts: 69
Re: Sniffing the Rigol's internal I2C bus
« Reply #649 on: July 25, 2013, 11:06:26 AM »
Going back to the .sys file for updating the DSA815: this file appears to contain the updates for all board components, including the FPGAs as well as the MCU. Perhaps this file is merely a container for individual firmwares?

I think that I have just discovered the structure of this file. It doesn't contain the full firmware; it's a patch for the NOR flash containing only the blocks of bytes that have been modified. The structure is as follows:

- NULL terminated signature 'DSA800'
- string '000000000' - could be internal version of patched firmware
- 4 bytes, maybe dword (= 0x00000001)
- dword containing number of patching blocks (= 14)
- table of block descriptors (in this case there are 14 descriptors)

each block descriptor contains 3 dwords:
- position of patching block in the file
- length of patching block
- destination address of this block in NOR flash

position of each block in the file is aligned on 4-byte boundary

Quote
Does having a serial number and a licence key allow the encryption keys to be reverse engineered, assuming some of the keys/primes from the DS2000 are similar across all Rigol lines?

I've sent you a PM
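Added example, not code from the thread or from Rigol: a parser for the DSA800 patch container as zombie28 lays it out above, which applies the blocks onto a simulated NOR image and also scans the file for the Xilinx bitstream sync word cybernet mentions (0xAA 0x99 0x55 0x66). Little-endian dwords, a NUL after the version string, and the constructed sample file are assumptions.

```python
import struct

# Layout as described in the post: NUL-terminated 'DSA800' signature, a
# '000000000' version string, a dword (= 1), a dword block count, then a table
# of descriptors (file offset, length, NOR destination); blocks are 4-byte
# aligned. Little-endian dwords and a NUL after the version are assumptions.
XILINX_SYNC = bytes([0xAA, 0x99, 0x55, 0x66])


def _cstring(buf, pos):
    """Read a NUL-terminated ASCII string starting at pos."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("ascii"), end + 1


def parse_dsa800(data):
    """Return header fields and the block descriptor table, bounds-checked."""
    sig, pos = _cstring(data, 0)
    if sig != "DSA800":
        raise ValueError("bad signature %r" % sig)
    version, pos = _cstring(data, pos)
    flag, count = struct.unpack_from("<II", data, pos)
    pos += 8
    blocks = []
    for i in range(count):
        off, length, dest = struct.unpack_from("<III", data, pos)
        pos += 12
        if off % 4:
            raise ValueError("block %d not 4-byte aligned" % i)
        if off + length > len(data):
            raise ValueError("block %d runs past end of file" % i)
        blocks.append((off, length, dest))
    return {"version": version, "flag": flag, "blocks": blocks}


def apply_patch(flash, data, info):
    """Copy each patch block into a copy of the flash image at its destination."""
    out = bytearray(flash)
    for off, length, dest in info["blocks"]:
        if dest + length > len(out):
            raise ValueError("block would write outside flash")
        out[dest:dest + length] = data[off:off + length]
    return bytes(out)


def find_xilinx_bitstreams(data):
    """File offsets of every Xilinx sync word (0xAA995566) in the container."""
    hits, pos = [], data.find(XILINX_SYNC)
    while pos != -1:
        hits.append(pos)
        pos = data.find(XILINX_SYNC, pos + 1)
    return hits


def build_sample():
    """Constructed sample file: two blocks, the second holding a sync word."""
    blocks = [(b"\x11\x22\x33", 0x10), (XILINX_SYNC + b"\xDE\xAD", 0x100)]
    header_len = 7 + 10 + 8 + 12 * len(blocks)
    table, body = b"", b""
    for payload, dest in blocks:
        pos = header_len + len(body)
        pad = (-pos) % 4                      # align block start to 4 bytes
        body += b"\x00" * pad
        table += struct.pack("<III", pos + pad, len(payload), dest)
        body += payload
    return (b"DSA800\x00" + b"000000000\x00"
            + struct.pack("<II", 1, len(blocks)) + table + body)
```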
 

