Sniffing the Rigol's internal I2C bus

[Rigby]

People with A-models were reporting that keygen doesn't work with the new firmware, but g***! (with a non-A model) reported that it worked for him.

And now I know why - Rigol didn't bother to change the public key either. I found the old public key in the new firmware (encoded by the same bit shuffling algorithm I described earlier). The sequence of encoded bytes is as follows: 97 58 B9 DE 24 C5 11 10, which obviously translates to "8445B2BE29E5C7". I believe Rigol didn't change the keys to maintain backward compatibility with previously sold license codes.

So why isn't the keygen working, then?

Thank you for jumping in and working on this, by the way.  I love it when a community comes together.

[marmad]

And now I know why - Rigol didn't bother to change the public key either. I found the old public key in the new firmware (encoded by the same bit shuffling algorithm I described earlier). The sequence of encoded bytes is as follows: 97 58 B9 DE 24 C5 11 10, which obviously translates to "8445B2BE29E5C7". I believe Rigol didn't change the keys to maintain backward compatibility with previously sold license codes.

So the keygen only has to be modified to work with the changed A-model "DS2Dxxxxxxxxx" serial numbers?

Edit: Ahh... I just noticed you edited your post to reflect the possibility of two public keys.

It seems to me that it's likely the presence of a "D" serial number (or jumpers/pull-ups on the PCB) involves using a different public key/technique - and also the availability of the CAN option and 50 Ohm input (which non-A model Hardware v.2 owners are unable to access).

[alank2]

There has to be some other cause.  Could they have limited the seed (which has been a wide open int32) to a specific value?

[zombie28]

So why isn't the keygen working, then?

They may use two separate keys or different hashing/encoding algorithms for 'non-A' and 'A' license codes.

[cybernet]

They may use two separate keys or different hashing/encoding algorithms for 'non-A' and 'A' license codes.

that explains why the verification routines look a bit different ... i wish the stupid ida signatures would work better, kinda sick of going over the miracl lib again
given the possibility to patch firmware, it probably easier to override it now, then to update the keygen (if the private key can be found this time)

Code: [Select]

SDRAM:EE7440 ECC_8445B2BE29E5C7:   dd 0xDEB95897           # DATA XREF: sub_71C7E+24?
SDRAM:EE7444                 dd 0x1011C524


[olsenn]

I've read several reports that 300MHz has been enabled in the DS2000 (not 'A') scopes, but that it wasn't actually providing 300MHz? Can anybody confirm or deny this? Also, can the lo-z input be toggled from the menu now?

[Rigby]

I've read several reports that 300MHz has been enabled in the DS2000 (not 'A') scopes, but that it wasn't actually providing 300MHz? Can anybody confirm or deny this? Also, can the lo-z input be toggled from the menu now?

Enabled, yes.  Actually 300MHz?  I don't know.  The 50ohm impedance is present only on the A models and I believe this is a change in the actual hardware that is only present on the A models.

[mtdoc]

I've read several reports that 300MHz has been enabled in the DS2000 (not 'A') scopes, but that it wasn't actually providing 300MHz? Can anybody confirm or deny this? Also, can the lo-z input be toggled from the menu now?

If you look back a few weeks in this thread you'll see that actual 300MHz bandwidth has been confirmed by several posters by both rise time measurements and -3dB frequency testing.

Personally, I don't have the equipment to confirm the actual bandwidth on mine but I can confirm that it is >200MHz.

[marmad]

The 50ohm impedance is present only on the A models and I believe this is a change in the actual hardware that is only present on the A models.

I believe the DS2000A is HW identical to the DS2000 HW revision 2.0  - except perhaps for some jumpers or setting pull-up resistors. I think Rigol designed the new PCBs to be able to be used for filling existing DS2000 orders - while starting up production of the new A and A-S models.

I think the ONLY reason 50 Ohm impedance (and CAN trigger/decoding) is not available on non-A HW revision 2.0 models is product differentiation.

[Rigby]

I believe the DS2000A is HW identical to the DS2000 HW revision 2.0  - except perhaps for some jumpers or setting pull-up resistors.

Are you basing that on anything known?  I mean no offense.  You've been saying this for a while, so clearly you're sure.  I've not seen any proof (enable A features on hardware sold as non-A) yet.

I think Rigol designed the new PCBs to be able to be used for filling existing DS2000 orders - while starting up production of the new A and A-S models.

Backward compatibility on new hardware does not necessitate forward compatibility on old hardware.  You're probably right, and I think we'll eventually discover a serial number "line in the sand" or board revision where the inclusion of the 50-ohm option starts.

[staze]

[

I think Rigol designed the new PCBs to be able to be used for filling existing DS2000 orders - while starting up production of the new A and A-S models.

Backward compatibility on new hardware does not necessitate forward compatibility on old hardware.  You're probably right, and I think we'll eventually discover a serial number "line in the sand" or board revision where the inclusion of the 50-ohm option starts.

Yes, hardware version 2. It HAS the 50ohm terminator... and can be switched on with SPI. We just need to figure out how to enable it in the GUI.

I still have a feeling this is nothing more than the firmware checking the serial number, and enabling options based on that. It's the simplest way programmatically, and it would seem Rigol is all about simple.

[NikWing]

but the S-version has extra hardware for the waveform gen I guess? (beside the extra BNC connectors on the back side)

[staze]

but the S-version has extra hardware for the waveform gen I guess? (beside the extra BNC connectors on the back side)

Correct.

[marmad]

Are you basing that on anything known?  I mean no offense.  You've been saying this for a while, so clearly you're sure.  I've not seen any proof (enable A features on hardware sold as non-A) yet.

Well, I always write 'I believe' or 'I think' - so I'm not absolutely sure. But I'm basing it on posted photos of HW revision 2.0 boards (showing the areas for AWG module add-on) - as well as other reliable information.

Here is a photo of the input stage of DS2000 HW revision 2.0 and 1.0 compared - with the 50 Ohm input resistor and extra relay clearly visible on 2.0 board.

[Rigby]

I still have a feeling this is nothing more than the firmware checking the serial number, and enabling options based on that. It's the simplest way programmatically, and it would seem Rigol is all about simple.

It is equally simple to check the version of a Rigol ASIC or the firmware revision of some other chip, and those things won't be nearly as easy to change post-manufacture.  Sure, you can change how the firmware does the checking, or change the value the firmware looks for, but if the ASIC itself won't enable 50 ohms, changing the firmware won't do much.

edit: i'm being a debbie downer, sorry.

[staze]

I still have a feeling this is nothing more than the firmware checking the serial number, and enabling options based on that. It's the simplest way programmatically, and it would seem Rigol is all about simple.

It is equally simple to check the version of a Rigol ASIC or the firmware revision of some other chip, and those things won't be nearly as easy to change post-manufacture.  Sure, you can change how the firmware does the checking, or change the value the firmware looks for, but if the ASIC itself won't enable 50 ohms, changing the firmware won't do much.

edit: i'm being a debbie downer, sorry.

Yes, but as I mentioned, you can enable 50ohms through SPI... so clearly that's just a GUI thing. =/

But yes, it could be checking something else. I'm just being a Ollie Optimist. =P

[WVL_KsZeN]

Here is another datapoint from a ds2072 after hacking it

"DS2202"
DS2a153602xxx
softw 00.01.01.00.02
hw 1.0.1.0.0
spu 03.01.05
wpu 00.06.05
ccu 12.29.00
mc 00.05

stupid of me, I didnt check the hw version before 'upgrading' to DSAZ with rigen v2.0b1. Seeing the other DS2072's reported with HW 2.0 and considering my serial, i think it's weird that mine is reporting HW1.0. I remember reading somewhere that DS2202 will not report the correct HW version, but I cannot find it back again..

Any clues?

[AndersAnd]

Any clues?

Don't turn it on, take it apart, as Dave's motto is. Then you can probably see the HW version on the PCB.

[cybernet]

fully official CAN and 300M Bandwidth on DS2000 (non A) ;-))))) *ole*
will post right option codes in a minute ...

[marmad]

fully official CAN and 300M Bandwidth on DS2000 (non A) ;-))))) *ole*
will post right option codes in a minute ...

Wow... fast 

[AndersAnd]

fully official CAN and 300M Bandwidth on DS2000 (non A) ;-))))) *ole*
will post right option codes in a minute ...

Great work as always, so Christmas came early this year 
Is the 50 ohm option enabled too for those with a non A model with HW ver. 2 with 50 ohm input already populated?

[cybernet]

for FW 00.02.01.00.03 - on a DS2000 (NON A version only !)

Code: [Select]

0x1C080    - DSEA - PROTOCOL ANALYSIS - CAN
0x1C040    - DSCA - BANDWIDTH - 300M Bandwidth (takes a reboot to show up in System Info)
0x1C020    - DSBA - (installs option, but i dont see it ?)
0x1C010    - DSAS - BANDWIDTH - 200M Bandwidth
<known codes still work - see elsewhere>

enable 0x1C0E7 -> all but 100/200M bandwidth-> DSHH
i wonder if 0x1C020 is the 50Ohm option, which my hw probably doesnt support.

UPDATE: despite being DS2302 model, bw limit option is only NONE,20M,100M - somebody better confirm that NONE = 300M ;-)

[cybernet]

And now I know why - Rigol didn't bother to change the public key either. I found the old public key in the new firmware (encoded by the same bit shuffling algorithm I described earlier). The sequence of encoded bytes is as follows: 97 58 B9 DE 24 C5 11 10, which obviously translates to "8445B2BE29E5C7". I believe Rigol didn't change the keys to maintain backward compatibility with previously sold license codes. Alternatively they may use two separate keys for 'non-A' and 'A' license codes.

they use the same curve parameter, but another point on the curve for the DS2000A - i will see if i can find the new point - if not, patch it so it reverts to the known parameters.
a modified gel will also tell if they use signed code now or not ... thanks for finding the obsfuscation - with that info it wasnt too hard.

[nack]

Wow cybernet, you keep blowing my mind with your knowledge and firmware modification skills 

[alank2]

So are you loading these codes with 00.01.01.00.02 and then upgrading to 00.02.01.00.03 to utilize them?