Author Topic: You can't unlock a MSO1000Z series scope without a memory dump and other lessons  (Read 3098 times)


Offline serendipity

  • Newbie
  • Posts: 2
  • Country: ca
So, having done a lot of research and made my fair share of mistakes, I would like to add to the collective wisdom / noise on this forum.

After I:
  • spent a great deal of time wondering why my MSO1074Z doesn't like riglol keys, even with the MSO1000Z patches
  • completely botched my warranty void sticker
  • spent 42 hours (sic) on a JTAG memory dump
  • got locked out of my scope for entering the wrong option keys (12 hours at a time) more times than I can count
  • list of mistakes keeps going. I am a terrible hacker. :-[
I finally unlocked the options on my MSO1074Z. I've decided to document my mistakes and hope no one else makes them.

So, here we go:
  • riglol does not generate correct keys, even when patched with the MSO1000Z_private_key
    From comparing this post and my own experiences, I've come to the conclusion that RC5KEY1, RC5KEY2 and XXTEAKEY are different for each scope. The public and private keys for all Rigol MSO1000Z scopes are the same. I've generated keys with Riglol (with MSO1000Z private key patch) and they don't work. rigup works, but it actually uses the RC5 and xxtea keys. The riglol tool doesn't know about this and can't possibly generate the correct codes.
  • :SYSTem:OPTion:INSTall does not take dashes
    :SYSTem:OPTion:INSTall HBHBHBH-BHBHBHB-HBHBHBH-BHBHBHB
    is incorrect.
    :SYSTem:OPTion:INSTall HBHBHBHBHBHBHBHBHBHBHBHBHBHB
    is correct.
    While we are at it, this Python code works:
    import vxi11
    # IP address of the scope on the LAN (VXI-11 over TCP, the LXI instrument protocol)
    i = vxi11.Instrument('192.168.0.100')
    # Confirm we are talking to the right instrument before sending anything else
    print(i.ask('*IDN?'))
    # No dashes in the activation number
    i.write(':SYSTem:OPTion:INSTall HBHBHBHBHBHBHBHBHBHBHBHBHBHB')

    Just remember to install python-vxi11
  • Get yourself a FTDI based JTAG programmer before doing a memory dump.
    I must have the cheapest Altera USB Blaster clone that money could buy. It took me nearly 2 days to complete the memory dump. I am not kidding:
    > dump_image mso1074z.bin 0x40000000 0x3FFFFFF
    dumped 67108863 bytes in 153915.625000s (0.426 KiB/s)

    Yes, that's 426 B/s. Uh... that's like 10% of what I got over a dialup connection. Don't do what I and this fellow did. Had I read his post before this, I would have borrowed the faster JTAG programmer from work before I left on Friday. Purportedly, OpenOCD works better with FTDI based JTAG cables.
  • You don't need to wait for the memory dump to finish to run rigup
    I was able to extract all the keys that I needed about 28MB into the memory dump. I thought I would finish the memory dump for good measure, but it surely wasn't necessary.
  • You don't need to modify rigup if you have a serial number beginning with DS1ZC
    Looking at the source code of the patched rigup tool (rigup-0.4.1-mso1000z.zip), I thought it only worked for oscilloscopes with serial numbers beginning with DS1ZD. In utils.c, there's the following line:
    if ( serialNumber[4]!='D' && serialNumber[3]!='Z' && serialNumber[2]!='1' && serialNumber[1]!='S' && serialNumber[0]!='D' )
    This got me concerned as my scope's serial number began with DS1ZC. Turns out this if statement never evaluates true (set a breakpoint, never hit during debug).
  • Don't link rigup with -Wl,-dead_strip
    As this fellow said at the end of his post, remove the -Wl,-dead_strip from the LDFLAGS parameter of the Makefile for rigup. Don't know why it seg faults on my computer, but it does. So, remove it and you'll be fine.

There's a lot of great information on this forum. The only problem is, it's really hard to find it. It would be better organized as a Wiki. But who am I to complain... I am too lazy and penny-pinching to start one myself!

EDITS: minor typos
« Last Edit: October 08, 2015, 11:27:35 AM by serendipity »
 
The following users thanked this post: ivi_yak
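The utils.c check quoted in the post above is a textbook boolean-operator bug, and it is worth seeing exactly why it never fires for a real serial number. The program below is an added example written for this thread; it is not code from rigup, and the serial numbers in it are constructed samples, not real device serials. It reproduces the check as written (five `!=` tests joined with `&&`, which only rejects a string that differs from "DS1ZD" in every one of the five positions) next to the check the condition was evidently meant to be (reject on any mismatch, i.e. the tests joined with `||`, written here with `strncmp`).

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample serial numbers (not real device serials). */
static const char *SAMPLE_OK    = "DS1ZD000000000";   /* the prefix the check intends to accept */
static const char *SAMPLE_OTHER = "DS1ZC000000000";   /* differs from DS1ZD in one position     */
static const char *SAMPLE_JUNK  = "XXXXX000000000";   /* differs from DS1ZD in every position   */

/* The condition as it appears in the patched rigup utils.c.
 * Joined with &&, it is true only when ALL five characters differ from
 * "DS1ZD", so any serial that matches at even one position passes.
 * Precondition: the string holds at least five characters. */
int rejected_by_original_check(const char *serialNumber)
{
    return serialNumber[4] != 'D' && serialNumber[3] != 'Z' && serialNumber[2] != '1'
        && serialNumber[1] != 'S' && serialNumber[0] != 'D';
}

/* The check the condition was presumably meant to express: reject when the
 * prefix is NOT "DS1ZD", i.e. when ANY character mismatches (De Morgan:
 * !(a && b && ...) == (!a || !b || ...)). Short strings are rejected too
 * rather than read past their terminator. */
int rejected_by_corrected_check(const char *serialNumber)
{
    return strlen(serialNumber) < 5 || strncmp(serialNumber, "DS1ZD", 5) != 0;
}

int main(void)
{
    const char *samples[] = { SAMPLE_OK, SAMPLE_OTHER, SAMPLE_JUNK };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-16s original rejects: %d   corrected rejects: %d\n",
               samples[k],
               rejected_by_original_check(samples[k]),
               rejected_by_corrected_check(samples[k]));
    return 0;
}
```

Only the all-mismatch sample trips the original condition; a DS1ZC serial sails through, which is consistent with the breakpoint never being hit in the post above. A negated-equality chain joined with `&&` is a pattern worth a compiler warning or a review checklist item whenever it guards a validation path.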

Offline pickle9000

  • Super Contributor
  • ***
  • Posts: 2131
  • Country: ca
That's a winner, nice job.

I have watched a fair number of your vids. You do an excellent job.
 

Offline pascal_sweden

  • Super Contributor
  • ***
  • Posts: 1368
  • Country: no
Can't you do a memory dump without opening the scope?
There is an undocumented SCPI/LXI command to perform a memory dump through network interface.

No need to open up your scope, mess around and void your warranty.
Why make things more difficult than they are?
 

Offline Orange

  • Frequent Contributor
  • **
  • Posts: 261
  • Country: nl
> Can't you do a memory dump without opening the scope?
> There is an undocumented SCPI/LXI command to perform a memory dump through network interface.
>
> No need to open up your scope, mess around and void your warranty.
> Why make things more difficult than they are?

What does this 'undocumented command' look like then?
 

Offline Luddi

  • Contributor
  • Posts: 6
  • Country: de
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 3694
  • Country: gb
 

Offline serendipity

  • Newbie
  • Posts: 2
  • Country: ca
> I have watched a fair number of your vids. You do an excellent job.

I didn't do those videos. I am just quoting someone else's work.

> Can't you do a memory dump without opening the scope?
> There is an undocumented SCPI/LXI command to perform a memory dump through network interface.
>
> No need to open up your scope, mess around and void your warranty.
> Why make things more difficult than they are?
>
> What does this 'undocumented command' look like then?

I think you are referring to the :SYST:UTIL:READ? command. I tried it on my MSO1074Z running firmware 4.00 and 4.03. The command didn't work with either firmware.
 

Offline Howardlong

  • Super Contributor
  • ***
  • Posts: 3694
  • Country: gb
There is a thread specifically on the MSO1074Z hacking here http://www.eevblog.com/forum/testgear/is-the-rigol-mso1074z-hackable/ which has links to the specific posts.

It seems as though the serial numbers have since been modified slightly.

My core dump took about 15 minutes, there's an adapter_khz setting for some JTAG adapters.

I agree that a wiki would be good... I think more than enough people have gone through the pages to justify that, are you offering? :-)

Sandra's post here in particular is probably a good one too http://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg569236/#msg569236
 

