Sniffing the Rigol's internal I2C bus

[Gunb]

If we where to work on DS4k ... what would we do next?
We have the GEL files, are they enough or do we need JTAG dumps?

We have indications from GEL file (text strings for printing active options) that there are options for 200Mhz, 350Mhz, 500MHz, and "power analysis" that can be opened.

the DS4K keygen is also there if you read the thread then you will see (someware at page 30 +- 20). it is the same Pub-key as the 3k but the Option code is different but all dockumented somware in this thread)

Yes but you can't change the bandwidth and add "power analysis" with the keygen for DS4k, just like cosmos mentioned.

Yes, exactly. Would be an interesting to change the bandwidth.
Only for test purposes, of course. 

[excapealex]

I have read all the posts and threads about it, if I understand it, since the modification for the DS2072 seems to work also on the DS2072A,

I've seen no confirmation of that anywhere.  Precisely the opposite, in fact.

I want an oscilloscope for small home projects, and I would also buy a simple function generator (if possible also  arbitrary), the DS2072A-S has them both.. But the thing that interests me most of all is the possibility to decode serial signals.

In that case, get the DS1074Z-S... it's a no-brainer.  Cheaper than the DS2072A-S will be, available immediately, and known to work with the keygens.  Way more than enough capability for "small home projects".  The only constraint I'd mention there would be that if CAN protocol decoding is important to you, the 1074Z-S won't have it, and the 2072A-S will.

You are right, I read it quickly and I understood what I wanted to understand .. my fault!

The DS1074Z-S might be sufficient for my needs, 1 GSa / s instead of 2GSa / s are not a problem, as the 24Mpts instead of 56Mpts.

The CAN decoding currently does not interest me at all.

The features that interest me most are instead the Real-time Waveform Record / Replay and RS232/UART, I2C, SPI Trigger and Decoding function.

The function of signal generator would allow me just to avoid the purchase of an additional device.

Another obstacle may be the occasional need to work with signals greater than 70MHz.. On rigloldot3owldotcom I do not see listed a code to bring it to 100MHz.. Should I perhaps consider directly the DS1104Z-S?

Reading the posts, however, I am not able to figure out if for the DS1104Z-S it's also possible to generate valid codes for the various optional features, or if they only work on the DS1074Z/DS1074Z-S as for the DS2072 where is not yet known whether they can operate on the DS2072A-S.

Now I do not know really what to buy. -.- '
Probably the DS1074Z-S or the DS1104Z-S if the functions were certainly unlockable otherwise the DS2072 (not A) and a separate function generator..

All suggestions are welcome!

[olsenn]

What is this "power analysis" I keep reading about in oscilloscopes? Does this just mean measuring the power through a 50-ohm load (input) or do you program in a resistance/impedance and it tells you what power 'would' be dissipated?

[Gallymimus]

What is this "power analysis" I keep reading about in oscilloscopes? Does this just mean measuring the power through a 50-ohm load (input) or do you program in a resistance/impedance and it tells you what power 'would' be dissipated?

probably similar to this:

[true]

cybernet, do you think something similar is in DSxxxx series?

Anyone dump DSxxxx yet? If something like this exists on DSxxxx I can write a downgrader...

something is, probably in the internal filesystem - but not via CEN files unfortunatly.

yes, that's what I was seeing too, but I didn't look hard, been waiting for a fulldump and working on other things beyond full time

[bandgap]

Yay... DS2302  (Randomly got it, I guess?) This is a DS2202 unit.

[cybernet]

@DS4000

i had a look at the bandwidth upgrade possiblities for the DS4k ...
1. the evaluation of the optioncode is very different from the DS2k - without initialized BSS and a real memory dump a lot of guesswork is neede to figure something out.
2. the firmware has the provision to do the bandwidth upgrade - what i cant tell is if the code that triggers it is actually reachable by a valid optioncode

i think Uuup did extensive testing on the option codes, but i think its worth a shot to repeat that with a little bruteforce given the following facts:

there are 8 different options that can be enabled (0-4 = the known ones) 5,6,7 = are bandwidth upgrades (so the bandwidth code should be the 3 bits left to the known codes ... *guessworkhere*)

i can see code that uses the 12 LSB bits of the option code, and does "something" with it - there are code references that then go on to change the model type (=bandwidth change), but without proper BSS setup its not possible to figure it out anymore.
Just probing the indvidiual 5,6,7th bits might not be enough, it could be a "combination" thats needed.

what i would do if i had a DS4k:

use the RLGLLDS keyformat - and bruteforce the remaining possible bits <B>

Code: [Select]

     A       B       C       D
   54321   54321   54321   54321

   10000   000BB   BBBBB   x0000   FlexRay Decode or alternate option
   10000   000BB   BBBBB   0x000   CAN Decode or alternate option
   10000   000BB   BBBBB   00x00   I2C Decode or alternate option
   10000   000BB   BBBBB   000x0   SPI Decode or alternate option
   10000   000BB   BBBBB   0000x   RS232 Decode or alternate option
i guess you could do it with python via LXI easily within a resonable timeframe

[AndersAnd]

Yay... DS2302  (Randomly got it, I guess?) This is a DS2202 unit.

Did it say DS2302 when you received it, or what did you do to change it from DS2202 to DS2302?

[Carrington]

here is a little IDC script, that will try to convert anything that starts with "LINK" statement to a sub in IDA.
saves hours of stupid sub creation ...

In the latest firmware version (for DS2K) it found a total of 93:

Code: [Select]

Function at 4f276
Function at 4f298
Function at 4f2ba
Function at 4f34a
Function at 4f752
Function at 5007e
Function at 5048a
Function at 50bba
Function at 50c6c
Function at 50c96
Function at 50cbe
Function at 5134e
Function at 5d2f0
Function at ec5ea
Function at ec684
Function at ec694
Function at ec6e2
Function at ec732
Function at ec780
Function at ec8ca
Function at ec8fa
Function at ec92a
Function at ec968
Function at ec97a
Function at ec9b0
Function at ec9ca
Function at ec9dc
Function at ec9ee
Function at eca00
Function at eca12
Function at eca24
Function at eca34
Function at eca6c
Function at ecabc
Function at ecace
Function at ecae2
Function at ecb08
Function at ecb4e
Function at ecbee
Function at ecf02
Function at ecf26
Function at ecfb6
Function at ecfec
Function at ed002
Function at ed058
Function at ed070
Function at ed080
Function at ed090
Function at ed0ae
Function at ed0c2
Function at ed0d8
Function at ed10c
Function at ed280
Function at edf1e
Function at edf30
Function at edf42
Function at edf5e
Function at edf76
Function at edf8a
Function at edf9e
Function at edfb2
Function at edfc6
Function at edfd8
Function at edfea
Function at ee598
Function at ee5aa
Function at ee5be
Function at ee5ce
Function at ee5e0
Function at ee5f2
Function at ee604
Function at ee7e4
Function at ee7fa
Function at ee81a
Function at ee83c
Function at ee84c
Function at ee872
Function at ee88e
Function at f045e
Function at f04e8
Function at f0cb4
Function at f131c
Function at f26ba
Function at f26e6
Function at f2712
Function at f30d2
Function at f33be
Function at f3422
Function at f343a
Function at f3450
Function at 10c562
Function at 10c7b4
Function at 10cb0c
Function at 10d2ec
Function at 10d974
Function at 10d98e
Function at 10dede
Function at 10dfce
Function at 10dfea
Function at 10dffa
Function at 10e0d2
Function at 10e166
Function at 10e2dc
Function at 10e316
Function at 10e3d2
Function at 10ebd4
Function at 10ebea
Function at 22db4e
Function at 22df00
Function at 22f6f6
Function at 22f75c
Function at 22f7fc
Function at 22f81e
Function at 22f88e
Function at 22fc4e
Function at 23006a
Function at 230144
Function at 230476
Function at 2304f4
Function at 230564
Function at 230cde
Function at 230f94
Function at 2362ca
Function at 23919e
Function at 2391f8
Function at 2392e0
Function at 23aeb0
Function at 23aee6
Function at 23b0b6
Function at 23b16e
Function at 23b358
Function at 23b36e
Function at 23b75c
Function at 23d78a
Function at 23d882
Function at 24b8de
Function at 24bd8c
Function at 24beec
Function at 24c6ee
Function at 24c91a
Function at 24ca4e
Function at 24cc0a
Function at 24ccc6
Function at 251852
Function at 251890
Function at 2518be
Function at fd1bf0

I don't understand how you handle all this assembly code so easy. Is amazing...

[Carrington]

Yay... DS2302  (Randomly got it, I guess?) This is a DS2202 unit.

Did it say DS2302 when you received it, or what did you do to change it from DS2202 to DS2302?

I'm beginning to think that is not necessary to change any trt to reach 300 MHz, i.e. only is necessary send the SPI command (350MHz or 6xxMHz I don't remember exactly) to the LMH6518.
Frequency BW is sent even when you only change the scale for V/DIV.

[bandgap]

Yay... DS2302  (Randomly got it, I guess?) This is a DS2202 unit.

Did it say DS2302 when you received it, or what did you do to change it from DS2202 to DS2302?

No, it definitely said DS2202 when I got it. Here are steps that I performed that resulted in this:

1) "Upgraded" to FW#00.00.01.00.05 thinking it was most recent version (already had 0.02, but failed to read properly.)
2) Used RiGen-2b1 in windows to play around with resetting the trial options (worked.)
3) Read more in this thread and realized 0.02 was the most recent FW and re-applied it.
4) Trial options disappeared so used the riglol-x86_64-linux in linux and generated a permanent key (just happened to have a linux machine nearby when I did it this time.)
5) DS2202 became a DS2302 with new BW limit option of 200MHz and new time scale of 1ns/div.

-Clayton

[AndersAnd]

http://riglol.3owl.com is online again. Not sure why it was down.

DDOS attack (IP Nullrouted)

http://riglol.3owl.com is down again.

And http://riglol.3owl.com is down again again.

I have set up some storage on my server for files related to this "investigation", including SPI traffic captures and an I2C dump.

http://gotroot.ca/rigol/

I can host too if a mirror is needed

Maybe you guys should mirror studio25's RigLOL web app. http://riglol.3owl.com seems to be down half the time.

I can see http://gotroot.ca/rigol/ already has some of studio25's earlier work (Rigol_DS2000_patch.zip and Rigol DS2000 trial hack.rar) but not his latest Riglol web app.

Riglol 1.03c (studio25's latest version) attached in zip folder.

[BitBucket]

Hi, I'm new here.


I recently bought a DS2102 (HW 1.0, FW 00.00.01). DS2A........

A Rigol distri techy made me loose my option evaluation times  .
While trying to improve acuracy he advised to start Self Calibration.
Afterwards, option evaluation times were set to 'Expired'.
He admitted that he forgot to warn me about this FW-flaw.
This leaves me no choice than to hack the options back on.

I read related threads partly but quit, they are way too big.

Questions
1. Should I first update to FW 00.01.01.00.02 and then hack the options or the other way around?
2. What is the best option hack tool to use (RiGen 1v/v2, RigLol, dstool, other)?
    I use Windows but we have a MAC too. I do not want the serial# set to ....00000001
3. In case I ever need to return the DSO for repair, how to set all options to 'Expired'?


Thank you,
BitBucket

[AndersAnd]

Questions
1. Should I first update to FW 00.01.01.00.02 and then hack the options or the other way around?
2. What is the best option hack tool to use (RiGen 1v/v2, RigLol, dstool, other)?
    I use Windows but we have a MAC too. I do not want the serial# set too ....00000001

Use http://riglol.3owl.com, I think it's the only tool still maintianed. Read and follow the steps in my post here: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg324768/?topicseen#msg324768

3. In case I ever need to return the DSO for repair, how to set all options to 'Expired'?

Use the SCPI command ":SYSTem:OPTion:UNINSTall". Search the topic for :SYSTem:OPTion:UNINSTall for more info.

[BitBucket]

@AndersAnd


Thank for replying so quickly. OK, I will use http://riglol.3owl.com.
Weird, that site had an adbanner from the provider today, later content was back.

I'm not familiar with the SCPI-tool. Where can I find it?

I read somewhere that some tools cause a serial# ....00000001. Is the tool at that site safe to use?


Greetz,
BitBucket.

[AndersAnd]

I read somewhere that some tools cause a serial# ....00000001. Is the tool at that site safe to use?

Only if you have one of the earliest firmware versions installed while entering the option keys. So update to the latest firmware before entering any option keys top avoid clearing the serial#.

I'm not familiar with the SCPI-tool. Where can I find it?

As I already wrote search the topic for :SYSTem:OPTion:UNINSTall for more info.

And read your scope's user's manual + programming guide, info about SCPI is in both documents.

SCPI = Standard Commands for Programmable Instruments https://en.wikipedia.org/wiki/Standard_Commands_for_Programmable_Instruments

I think you have been spoon fed enough by now.

[jamesb]

I have a feeling that the >200MHz BW is a hardware version limited upgrade.

Ie. I am unable to replicate the results with the following variables:

Base (real) model: DS2202
SW: 00.01.01.00.02
HW: 1.0.1.0.0
FPGA:
 SPU: 03.01.05
 WPU: 00.06.05
 CCU: 12.29.00
 MCU: 00.05

Private key used: 8EEBD4D04C3771
Option code: DSAZ

[AndersAnd]

I have a feeling that the >200MHz BW is a hardware version limited upgrade.

Ie. I am unable to replicate the results with the following variables:

Base (real) model: DS2202
SW: 00.01.01.00.02
HW: 1.0.1.0.0
FPGA:
 SPU: 03.01.05
 WPU: 00.06.05
 CCU: 12.29.00
 MCU: 00.05

Private key used: 8EEBD4D04C3771
Option code: DSAZ

But that's the same hardware and software versions Bandgap has:

[jamesb]

Good point 

I am not sure where I am going wrong then .. I am following the "instructions" to the T and I have yet to achieve the same results.
Perhaps it is just a lucky key?

Has anyone else had any promising results?

[bandgap]

Good point 

I am not sure where I am going wrong then .. I am following the "instructions" to the T and I have yet to achieve the same results.
Perhaps it is just a lucky key?

Has anyone else had any promising results?

Ok, I have a theory. jamesb said he used option code DSAZ. This turns on all options including 200MHz, but not 100MHz. I used DSA9 which turns on all options including both 100MHz and 200MHz. Maybe turning both of these on with option 9 instead of Z has sort of an additive effect and tells the scope to operate up to 300 MHz.

Just a theory...

So try it and let us know jamesb! You'd be a good test since your scope is identical to mine in hardware and everything.

-Clayton

[danfloun]

I've set a mirror up for both sites above.

Mirrors are updated twice a day but only adding/updating new files so no worry about server impact.

http://rigol.avotronics.co.uk

If site owners have issue with this I'll gladly take them down. Just pm me your woes.

Cheers
Danny

[AndersAnd]

I've set a mirror up for both sites above.

Mirrors are updated twice a day but only adding/updating new files so no worry about server impact.

http://rigol.avotronics.co.uk

If site owners have issue with this I'll gladly take them down. Just pm me your woes.

Cheers
Danny

Just added your RigLOL mirror site to my step-by-step guide here: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg324768/#msg324768

Btw. what happens if it mirrors http://riglol.3owl.com while it's down at redirects to this 3owl landing page:

We at 3owl.com offer 100% Free Php Web Hosting. Unlimited Disk and Bandwidth.
Click Signup Now to Get Started!

Will it mirror the landing page or keep the original while it's down?

[Avotronics]

I've set a mirror up for both sites above.

Mirrors are updated twice a day but only adding/updating new files so no worry about server impact.

http://rigol.avotronics.co.uk

If site owners have issue with this I'll gladly take them down. Just pm me your woes.

Cheers
Danny

Just added your RigLOL mirror site to my step-by-step guide here: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg324768/#msg324768

Btw. what happens if it mirrors http://riglol.3owl.com while it's down at redirects to this 3owl landing page:

We at 3owl.com offer 100% Free Php Web Hosting. Unlimited Disk and Bandwidth.
Click Signup Now to Get Started!

Will it mirror the landing page or keep the original while it's down?

That's a good point. I'll have to add a bit of conditional code somewhere.
Glad you're think straight! :-/

[Avotronics]

I've set a mirror up for both sites above.

Mirrors are updated twice a day but only adding/updating new files so no worry about server impact.

http://rigol.avotronics.co.uk

If site owners have issue with this I'll gladly take them down. Just pm me your woes.

Cheers
Danny

Just added your RigLOL mirror site to my step-by-step guide here: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg324768/#msg324768

Btw. what happens if it mirrors http://riglol.3owl.com while it's down at redirects to this 3owl landing page:

We at 3owl.com offer 100% Free Php Web Hosting. Unlimited Disk and Bandwidth.
Click Signup Now to Get Started!

Will it mirror the landing page or keep the original while it's down?

I've just shortened the riglol mirror slightly, you'd better update it on the other page, its: http://rigol.avotronics.co.uk/riglol

[AndersAnd]

I've just shortened the riglol mirror slightly, you'd better update it on the other page, its: http://rigol.avotronics.co.uk/riglol

Done.
Btw I see 2 different usernames, danfloun and Avotronics, is this the same person?