Author Topic: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...  (Read 105013 times)

0 Members and 1 Guest are viewing this topic.

Offline Bruzzel

  • Newbie
  • Posts: 2
  • Country: de
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #125 on: February 23, 2019, 05:29:08 pm »
I have fix my Rigol DS1042C.
I have unsolder the flash and read it. I found the first part of the firmware file identical at the flash, only the first 20 byte was cut off and the last bytes were different.

I suspect the following: 

The ds1000 firmware starts after 20 byte at the firmware USB file and ends at address 0x1FFFFF.
The ds1000D/E firmware file starts after 21 bytes at the firmware USB file and have double length up to 0x3FFFFF.
 
The DS1042C firmware update is a very stupid program. If it finds a file with the name “DS1000DUpdate.RGL” at the USB stick it cut off the first 20 bytes an write it 1:1 to the flash without any check.
 
Only the bytes after address 0x1FFF00 are not changed because there are individual data about the scope (model, serial no. etc.) and after 0x200000 there are some other calibration data.

The A21 = address input and WE# = Write Enable input are not connected at my Rigol DS1042C with flash S29GL032A.

After cut off the first 20 bytes of the firmware file and program the bytes 0x000000 to 0x1FFF00 to the flash and solder it back to the board the rigol works correct.  :-+

It is not easy to solder a TS048 device!  :--

I have made a firmware update to 3.7.1 and change it to a CA1102C 100Mhz model, see Andreas Schuler's homepage:
http://codenaschen.de/tichyblog/index.php?action=blog&entry=17_Hacking%20Rigol%20DS1022C%20DS1042C%20DS1062C%20DS1102C]
[url]http://codenaschen.de/tichyblog/index.php?action=blog&entry=17_Hacking%20Rigol%20DS1022C%20DS1042C%20DS1062C%20DS1102C
[/url]

Thank you drieg for help!   :-+
 

Offline giov

  • Newbie
  • Posts: 3
  • Country: fr
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #126 on: March 06, 2019, 01:46:04 pm »
Hi,
I was trying to upgrade my DS1102D to last firmware, and after few minutes stuck a 50% I decided to reboot it :bad idea  |O
Now I only got white screen and random keyboard status after each reboot.
I have no idea how to get it alive again : I have no programmer, and I don't know how to use JTAG interface  :-[ .
Can someone help me out ?
 

Offline ivi_yak

  • Regular Contributor
  • *
  • Posts: 70
  • Country: 00
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #127 on: March 06, 2019, 04:11:00 pm »
Hi, in this case only reflash memory help
eevblog
 

Offline giov

  • Newbie
  • Posts: 3
  • Country: fr
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #128 on: March 06, 2019, 04:24:58 pm »
OK, How can I reflash ? Do I need a programmer of is it possible via jtag ?
 

Offline ivi_yak

  • Regular Contributor
  • *
  • Posts: 70
  • Country: 00
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #129 on: March 06, 2019, 05:03:28 pm »
You need to build jtag chain, basically it's BlackFin and altera and using wiggler cable or j-link get your dump.
eevblog
 

Offline giov

  • Newbie
  • Posts: 3
  • Country: fr
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #130 on: March 06, 2019, 09:07:23 pm »
I have got a pirate's v3 card, and I installed openocd : can I reflash with it ?
 

Offline reza chavoshi

  • Newbie
  • Posts: 1
  • Country: ir
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #131 on: September 30, 2019, 11:47:43 am »
Dear all,
I have faced unsuccessful firmware upgrade (to version:00.04.02.01.00) issue with my rigol DS1052E (My oscilloscope display remains white after booting up and some keys lit up randomly)
As I checked this topic it can be solved by reprogramming the flash IC (part no is: S29GL064N90TF104) with a copy of a healthy dump file.
I have a universal programmer with TSOP48 socket and all I need now is the dump file (copy of hex file stored in the flash chip). :-BROKE
I would be really thankful if any one can send me the file so that I can fix my oscilloscope. |O |O
Many Thanks.
 

Offline Dimas77

  • Newbie
  • Posts: 3
  • Country: ua
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #132 on: October 21, 2019, 09:29:33 pm »
Help me. My Rigol 1102E freezes after firmware upgrade (to version 00.04.02 sp1) and shows the shifted lines. I read the dump file, but cannot edit it.
« Last Edit: October 22, 2019, 06:06:01 am by Dimas77 »
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 11118
  • Country: 00
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #133 on: October 22, 2019, 11:47:29 am »
Help me.

Read the messages right above yours in this thread, especially this one.

No, it's not good news.
« Last Edit: October 22, 2019, 11:49:58 am by Fungus »
 

Offline Dimas77

  • Newbie
  • Posts: 3
  • Country: ua
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #134 on: October 22, 2019, 01:14:47 pm »
Today changed and rewritten a memory dump.  From the official update, Rigol 4.02.01 cut off the beginning of x21, and copied from the address x000000 to x400000 + information about the serial number.  The oscilloscope came to life, but shows overestimated values.  did auto-calibration - thought it would help.  restarted the oscilloscope, now it shows a white screen.  :-BROKE
« Last Edit: October 22, 2019, 07:16:03 pm by Dimas77 »
 

Offline Dimas77

  • Newbie
  • Posts: 3
  • Country: ua
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #135 on: October 26, 2019, 03:04:18 pm »
Does anyone have a dump of S29GL064N90TF104 Rigol 1102/1052? Please share for me.
 
The following users thanked this post: ur4mui

Offline ur4mui

  • Newbie
  • Posts: 1
  • Country: ua
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #136 on: November 05, 2019, 08:51:56 pm »
have oscilloscope DS1052E how to connect WIGGLER cable .please draw.photo below.Thanks
 

Offline ivi_yak

  • Regular Contributor
  • *
  • Posts: 70
  • Country: 00
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #137 on: April 30, 2020, 10:24:03 pm »
Hi every one if you need more details pls reply
eevblog
 

Offline adron

  • Contributor
  • Posts: 9
  • Country: se
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #138 on: May 11, 2020, 06:40:53 am »
I managed to brick my DS1052E by trying to upgrade to the latest firmware, https://beyondmeasure.rigoltech.com/acton/attachment/1579/f-0724/1/-/-/-/-/DS1000EUpdate.zip?sid=TV2:Q2jKaGpUj and now I am trying to recover. What software are you using to dump/rewrite the flash through the jtag connection?
 

Offline ivi_yak

  • Regular Contributor
  • *
  • Posts: 70
  • Country: 00
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #139 on: May 13, 2020, 09:48:07 am »
hxd hex editor :popcorn:
eevblog
 

Offline adron

  • Contributor
  • Posts: 9
  • Country: se
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #140 on: May 13, 2020, 10:52:56 am »
hxd hex editor :popcorn:
I have hxd, for changing the flash file contents, what I meant was software for the actual communication through jtag. Are you perhaps using openocd or some custom software?
 

Offline ivi_yak

  • Regular Contributor
  • *
  • Posts: 70
  • Country: 00
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #141 on: May 13, 2020, 06:21:25 pm »
topjtag
eevblog
 

Offline adron

  • Contributor
  • Posts: 9
  • Country: se
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #142 on: May 31, 2020, 08:45:15 pm »
topjtag
Thanks!
I had some issues because I run 64-bit Windows 10 but finally managed to install topjtag flash programmer in a virtual machine. The JTAG chain seems to be working, and it detects the Analog Devices 627A50CBh and the Lattice Semi. 01281043h. Could you advise me on the right configuration to use to read and write the flash memory?
 

Offline adron

  • Contributor
  • Posts: 9
  • Country: se
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #143 on: June 01, 2020, 10:59:00 am »
I read the flash memory twice just to be sure it was not getting random errors, and I get some rather strange differences between the flash contents and the RGL file I tried to update the firmware with. Other posts in this thread indicated that there was configuration data at high offsets in the flash, but I have only FF at those locations, and I have several differences at lower offsets. At the lower offsets, all differences seem to be one bit that is set in the rgl and not set in flash, mask 0x04. And then at the higher offsets, areas of FF where the RGL has data. Any ideas for what to do?

Diff at 00102F87 len 00000001  flash: A9   rgl:AD
Diff at 00105787 len 00000001  flash: 49   rgl:4D
Diff at 00107B87 len 00000001  flash: 08   rgl:0C
Diff at 00107F87 len 00000001  flash: 69   rgl:6D
Diff at 0010E787 len 00000001  flash: 08   rgl:0C
Diff at 00114787 len 00000001  flash: CB   rgl:CF
Diff at 00118787 len 00000001  flash: E2   rgl:E6
Diff at 0011D387 len 00000001  flash: 68   rgl:6C
Diff at 00121B87 len 00000001  flash: C2   rgl:C6
Diff at 00128387 len 00000001  flash: 29   rgl:2D
Diff at 0012A387 len 00000001  flash: 50   rgl:54
Diff at 0012EF87 len 00000001  flash: 01   rgl:05
Diff at 00131F87 len 00000001  flash: B1   rgl:B5
Diff at 00132387 len 00000001  flash: 28   rgl:2C
Diff at 00132F87 len 00000001  flash: B0   rgl:B4
Diff at 00133B87 len 00000001  flash: 62   rgl:66
Diff at 00134F87 len 00000001  flash: C0   rgl:C4
Diff at 00135387 len 00000001  flash: D1   rgl:D5
Diff at 00137387 len 00000001  flash: 10   rgl:14
Diff at 00137787 len 00000001  flash: 2A   rgl:2E
Diff at 00138F87 len 00000001  flash: 42   rgl:46
Diff at 00144787 len 00000001  flash: 71   rgl:75
Diff at 00145387 len 00000001  flash: 93   rgl:97
Diff at 00148F87 len 00000001  flash: B9   rgl:BD
Diff at 0014E787 len 00000001  flash: 5A   rgl:5E
Diff at 00152387 len 00000001  flash: 08   rgl:0C

Turned out I was wrong about the rest of the diffs too, I had a small error in my comparison script that only showed the last of a range of errors. Anything after 0x1ff800 in the update file has not been written to flash at all.

« Last Edit: June 05, 2020, 04:06:40 pm by adron »
 

Offline adron

  • Contributor
  • Posts: 9
  • Country: se
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #144 on: June 05, 2020, 07:27:53 pm »
I rewrote the single bit errors with data from the RGL file and the scope seems to be working again. I then tried running the firmware update from USB again, and got the exact same single bit errors once more. Something seems to be reproducibly wrong. However, I have now settled for fixing the single bit errors and hopefully that is all that is required. I am unsure why so much of the RGL file is not written to flash?
 

Offline rezinj

  • Contributor
  • Posts: 5
  • Country: cn
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #145 on: June 30, 2020, 10:41:04 am »
hi. i need to know what kin of programer i need. which software have to use to program flash via jtag. and do you have the file that i have to program in my oscilloscope?
 

Offline ivi_yak

  • Regular Contributor
  • *
  • Posts: 70
  • Country: 00
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #146 on: July 01, 2020, 11:42:08 am »
I rewrote the single bit errors with data from the RGL file and the scope seems to be working again. I then tried running the firmware update from USB again, and got the exact same single bit errors once more. Something seems to be reproducibly wrong. However, I have now settled for fixing the single bit errors and hopefully that is all that is required. I am unsure why so much of the RGL file is not written to flash?

if you have a working dump I'll recommend flash it via MiniPro XGecu TL866II Plus programmer to be sure all fine
eevblog
 

Offline ivi_yak

  • Regular Contributor
  • *
  • Posts: 70
  • Country: 00
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #147 on: July 01, 2020, 11:45:02 am »
hi. i need to know what kin of programer i need. which software have to use to program flash via jtag. and do you have the file that i have to program in my oscilloscope?
:scared: don't hesitate take a read 6 pages of this thread and you got all what you need to know
eevblog
 

Offline adron

  • Contributor
  • Posts: 9
  • Country: se
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #148 on: July 02, 2020, 01:05:33 pm »
rezinj tried to contact me, but his/her inbox was full when I tried to reply. I connected everything to the jtag connections on the scope and used topjtag to read/write the flash memory. I used a https://www.segger.com/products/debug-probes/j-link/models/j-link-edu-mini/ Segger J-Link Edu Mini interface, with a SWD to JTAG adapter https://www.electrokit.com/produkt/adapterkort-jtag-2x10-2-54mm-till-swd-2x5-1-27mm/ and a bunch of wires and a resistor:
[attach=1]
 

Offline patty.o.furniture

  • Newbie
  • Posts: 2
  • Country: us
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #149 on: July 03, 2020, 09:12:11 pm »
Could you advise me on the right configuration to use to read and write the flash memory?

Hey adron, it seems you figured it out. Can you provide us the settings you used? I can properly scan the chain but only read 0xFF's from my flash.
« Last Edit: July 07, 2020, 03:19:24 am by patty.o.furniture »
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf