Author Topic: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...  (Read 119793 times)

0 Members and 1 Guest are viewing this topic.

Offline adron

  • Contributor
  • Posts: 11
  • Country: se
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #150 on: July 06, 2020, 11:46:15 pm »
Sorry about the late reply. These were the settings I used. Same?

I'll also throw in the C# program that I used to compare the dump to the rigol firmware image and to extract sections of it as a .hex file for writing. I have not cleaned it up, so there are hard coded paths and firmware offsets, but perhaps it can be useful.

Edit: I had some trouble dumping the flash sometimes, probably because of the state the hardware was in at the time that topflash started accessing it. I found that it was safest to always start by dumping the first 32 or so bytes from the flash before doing anything else, just to ensure that nothing else in the scope was using the data bus or address bus, and if those bytes came out wrong, I restarted before trying again.
« Last Edit: July 06, 2020, 11:53:05 pm by adron »
 
The following users thanked this post: rezinj, danand

Offline rezinj

  • Contributor
  • Posts: 5
  • Country: cn
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #151 on: July 17, 2020, 06:14:12 am »
I used your setting file and started to read the dump file. i did it throuth xillinx prallel cable programmer and it took about 6 hours. once i used jlink programer the reading time was more(frequency should be very low_1khz). i read the dump file 2 times and each time it wase different. i have to say because my programer need power i turn on oscilloscope to source it throuth +3.3v pin.
 

Offline adron

  • Contributor
  • Posts: 11
  • Country: se
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #152 on: July 17, 2020, 08:39:26 am »
I used the segger programmer clocked at 1 MHz; I started at 500 kHz and it was stable so I tried increasing. At 1 MHz I had no errors that seemed to be due to the clock frequency. Dumping the entire flash took a little over one hour, but it is only relevant to dump the parts that are written by the rom, which was the first half in my case. I used 15 cm interconnection wires, it is good to keep them short. The scope has to be powered, the programmer does not power the circuitry. I had a few instances of different dump because the scope was in a bad state when the JTAG interface took control, which caused the first few hundred bytes of the dumps to come out different. Every other time the dumps were exactly the same. When there was a problem, the beginning of the dump was alternating 0x25 0x00 bytes.
 
Compare your dumps: Do they differ in a few bits? Do they differ in many places but are same in some? Is there only a particular range that is different?

Try dumping only the first kilobyte so you can test quickly?
 

Offline rezinj

  • Contributor
  • Posts: 5
  • Country: cn
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #153 on: July 17, 2020, 11:28:11 am »
are you sure about the setting that you uploaded? i used your setting and read several time. each time some different datas.
 

Offline adron

  • Contributor
  • Posts: 11
  • Country: se
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #154 on: July 17, 2020, 12:56:50 pm »
are you sure about the setting that you uploaded? i used your setting and read several time. each time some different datas.

I am fairly sure about it. At least it was the settings file that I used for reading out my dumps, and I reloaded it a few times. It is possible that your oscilloscope is a different hardware version and that it requires different parameters. I screenshotted all of the settings as well, do they match what you had set up?

If most of the data that you read is the same but some differs, I would guess that you are clocking it too fast or that your adapter is malfunctioning. Are all your connections secure? Does detecting/validating the jtag chain work? Does detecting the flash type work?
 
The following users thanked this post: rezinj

Offline patty.o.furniture

  • Newbie
  • Posts: 2
  • Country: us
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #155 on: July 18, 2020, 09:17:40 pm »
Thanks for posting the settings @adron. I've been crazy busy lately.

I can dump the ROM with your settings just fine at 4 MHz. Only a few bytes change here and there between power cycles, but it's the same one or two addresses. I went down to 1 MHz with the same behavior so I'm hoping it's normal.

My dump starts to differ very early on, at address 0xFFEB, but I find long chains of bytes from the RGL data scattered throughout the dump. They tend to be on page boundaries. It's very odd to me.

The other thing I noticed is that I can't seem to write to the low addresses. Probably need to change AWE_B to '0' for that to work.
 

Offline rezinj

  • Contributor
  • Posts: 5
  • Country: cn
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #156 on: July 19, 2020, 05:18:42 am »
i agree with you. my hardware version is different than others. for example my flash ic is on the buttom layer. how can i found out i read the flash right? i'm sure aboaut reading the chain. should i use multimeter to check the pin connection of flash and other ICs?
 

Offline rezinj

  • Contributor
  • Posts: 5
  • Country: cn
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #157 on: September 01, 2020, 07:03:48 pm »
any one know where Mr drieg is? i was in connect with him via Gmail. he told me send your dump file for me to repair it. i sent my dump file to him and now he dosen't answer me! any one know him? any one know how i can connect him? any thing bad happend to him?
 

Offline darciopp

  • Newbie
  • Posts: 3
  • Country: br
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #158 on: September 04, 2020, 03:30:04 am »
Hello Folks

Anyone here would like to get my DS1052E board to bring it back to life, since it is bricked after an original rigol firmware "upgrade"?

I can pay for that.

Please, PM me!

 

Offline MiguelAReis

  • Newbie
  • Posts: 2
  • Country: pt
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #159 on: September 09, 2020, 09:24:59 am »
Hello, I managed to dump my bricked DS1102E's Flash. Can someone fix it for me? I have no idea on how to do it.

Thanks
 

Offline darciopp

  • Newbie
  • Posts: 3
  • Country: br
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #160 on: September 09, 2020, 01:56:00 pm »
Welcome to the Happy Rigol Bricks Owners Club.

Maybe some units were counterfeit or "after hours" production from a third party manufacturer and Rigol decided that it was hurting its business.

Maybe some genius thought "Lets brick them, just like FTDI made with the counterfeit USB-UART bridge chips" and voilá: a complete set of unusable products. Very clever!

Do they have the right to do it? Sure, but this raised only anger from the community. I can't believe that there wasn't another way to get this around.
 

Offline MiguelAReis

  • Newbie
  • Posts: 2
  • Country: pt
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #161 on: September 11, 2020, 10:21:40 am »
Well I managed to unbrick my DS1102E but now the serial number is gone and it says its mode is the DS1052E. If anyone could help, I would appreciate it.
 

Offline tamamontu

  • Newbie
  • Posts: 3
  • Country: au
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #162 on: January 20, 2021, 06:07:42 am »
Hi There,

I tried to update firmware on my DS1052E and its got bricked. Original firmware was 00.02.01 SP3, i tried to upgrade to 00.04.02.01.00 firmware upgrade process went ok but after restarting the oscilloscope its not working any more, just see white screen.

I read through the forum and trying to figure out how to read the flash. At the start of the forum it  was mentioned to desolder the flash chip half way through the forum i saw a photo where in JTAG connector was connected to the pins on the board and didnt need any desoldering.
https://www.eevblog.com/forum/blog/the-dark-side-of-the-rigol-hack-bricked-scope-how-to-fix-it/msg3115944/#msg3115944

I got a Olimex ARM-USB-Tiny Jtag adapter board could that be used to read the flash contents.

Would any one have a hex dump for firmware V 00.02.01 SP3 Pls.

Thanks
 

Offline darciopp

  • Newbie
  • Posts: 3
  • Country: br
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #163 on: January 20, 2021, 12:54:30 pm »
I tried to update firmware on my DS1052E and its got bricked.

Welcome to the club!

I'm trying to get mine back to life again with no success too
 

Offline tamamontu

  • Newbie
  • Posts: 3
  • Country: au
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #164 on: January 21, 2021, 07:30:14 am »
I got a older firmware version file .RGL for this scope. Could some one please explain how to program this to the flash would help a lot to recover the scope.

thanks
 

Offline eleknam

  • Newbie
  • Posts: 2
  • Country: uz
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #165 on: January 23, 2021, 07:17:30 am »
Hi help my DS1102CD. After update bricked DS1102 )). How to extract the dump from the   DS1000EUpdate.RGL file.
« Last Edit: January 23, 2021, 07:40:38 am by eleknam »
 

Offline danand

  • Contributor
  • Posts: 6
  • Country: de
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #166 on: January 24, 2021, 11:11:09 pm »
Hi,
when I bought my DS1052E, I did the 100mhz hack (over serial) and upgraded the firmware to 02.04. It went all well and good.
Time flies and my first child was born, second child followed and all my electronics hobby dried up.

Yesterday I built up my electronics workbench again and thought it would be a good idea to update the oscilloscope, since there have been a few firmware updates.

Well, or not so well: the firmware update ran, the DS1052e restarted and after short flickering a black screen is the only thing which is coming up.

I currently have no idea how to solve it on my own, and I am afraid to kill of the calibration data by tinkering around on my own.
I sent Drieg a message, but I am not confident if he still fixes boards, since he started this 10 years ago ...



 

Offline adron

  • Contributor
  • Posts: 11
  • Country: se
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #167 on: January 27, 2021, 09:53:31 am »
Hi,
when I bought my DS1052E, I did the 100mhz hack (over serial) and upgraded the firmware to 02.04. It went all well and good.
Time flies and my first child was born, second child followed and all my electronics hobby dried up.

Yesterday I built up my electronics workbench again and thought it would be a good idea to update the oscilloscope, since there have been a few firmware updates.

Well, or not so well: the firmware update ran, the DS1052e restarted and after short flickering a black screen is the only thing which is coming up.

I currently have no idea how to solve it on my own, and I am afraid to kill of the calibration data by tinkering around on my own.
I sent Drieg a message, but I am not confident if he still fixes boards, since he started this 10 years ago ...

I did just about exactly the same thing: Back to electronics after having kids, then stupidly assuming that it would be a good idea to start off by updating the firmwares to the latest versions on all my equipment, and ending up with a bricked scope. But it can all be rescued with a couple hours of work if you have (or buy) a JTAG interface that works with the topflash jtag programmer, and hook that up to the scope.
 
The following users thanked this post: danand

Offline danand

  • Contributor
  • Posts: 6
  • Country: de
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #168 on: January 31, 2021, 02:09:26 pm »
My dump starts to differ very early on, at address 0xFFEB, but I find long chains of bytes from the RGL data scattered throughout the dump. They tend to be on page boundaries. It's very odd to me.

Same on my side:
comparing with HxD the first different block starts are 0xFFEB

The output of Program.cs is somehow differnt from i.e. FlexHEX binary compare.  I am currently in the situation that I don't want to overwrite important data inside the lower 4MB of the flash with the DS1000EUpdate.RGL file.

However, Programming via Topjtag results in Erase Timeouts. I checked out the static pins, but I have no idea what else I could do to get past the write timeouts. :-(

Cheers
Daniel
« Last Edit: January 31, 2021, 03:14:34 pm by danand »
 

Offline adron

  • Contributor
  • Posts: 11
  • Country: se
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #169 on: January 31, 2021, 03:02:02 pm »
My Program.cs expects there to be a header on the RGL file. That might explain your differences if you removed the header.
 
The following users thanked this post: danand

Offline danand

  • Contributor
  • Posts: 6
  • Country: de
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #170 on: January 31, 2021, 03:17:06 pm »
My Program.cs expects there to be a header on the RGL file. That might explain your differences if you removed the header.

Aha! That explains it.

PS C:\Users\daniel\Downloads> .\Program.exe
Diff at 0000FFEB len 00142E7E
Diff at 00190000 len 00006670
Diff at 00198000 len 00006775
Diff at 0019FFEB len 00030000
Diff at 001D2F03 len 0000000C  flash: 13:20:04:00:60:15:20:02:00:C0:17:20   rgl:00:00:00:00:00:00:00:00:00:00:00:00
Diff at 001D3000 len 0001CFEB
Diff at 001F8000 len 00208000

 

Offline danand

  • Contributor
  • Posts: 6
  • Country: de
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #171 on: January 31, 2021, 05:16:13 pm »
I still struggle with programming the flash via TopJTAG. I always get Timeout while erasing 000000h to 001FFFh. 

All the rest of the flash can be erased without problems.

Also reading works reliable at 1Mhz.

Could anyone point me to a path what I could do to get around the timeouts?
« Last Edit: January 31, 2021, 09:58:52 pm by danand »
 

Offline danand

  • Contributor
  • Posts: 6
  • Country: de
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #172 on: February 01, 2021, 10:58:09 am »
Somehow the flash worked so far. I have a mostly working screen again.
Firmware is flashed to 00.04.02 SP1 , but I only have asian fonts in the side menu.  At least I am a step forward.
 

Offline danand

  • Contributor
  • Posts: 6
  • Country: de
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #173 on: February 01, 2021, 12:19:54 pm »
I got it!

I just created another USB Stick FAT32 formatted with the DS1000EUpdate.RGL File. Even without the right font, I did the update procedure again.

Then after powering off and on, the DS1052E came back to life :-)

So as long as you have the Segger J-Link-Mini, an adapter for 2.54 connector, a 1k Ohm resistore, a few jumpwires and a breadboard, you can revive the the Rigol DS1052E :-)

Thanks for all the great support :)

« Last Edit: February 01, 2021, 01:18:11 pm by danand »
 
The following users thanked this post: Andrew McNamara, eleknam

Offline eleknam

  • Newbie
  • Posts: 2
  • Country: uz
Re: The Dark Side of the Rigol Hack -- Bricked Scope & How to Fix it...
« Reply #174 on: February 02, 2021, 05:01:12 am »
Good afternoon, you can bring the wiring diagram of the wiring JTAG  DS1102CD
« Last Edit: February 06, 2021, 12:37:53 pm by eleknam »
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf