Sniffing the Rigol's internal I2C bus

[pascal_sweden]

MrKrabs
You have got 500MHz DSO with this FW, but SysInfo show DS4014? Do you already have frequency response tests?

Is it possible to upgrade MSO4014 to MSO4054? Is the HW 100% identical? Has hack confirmed to be working not only in GUI, but also in actual frequency response test?

[johna]

You can test it with any digital signal that's lower. On 100 MHz scope if you watch 100 MHz square wave it'll look like 2 summed sines:

although maybe you can't capture much of the second harmonic.
I think even 40-50 MHz square wave will look that way on 100MHz scope. Maybe the clock output from a microcontroller...

[Altemir]

MrKrabs
Thank you very much! As soon as free time, I will try to do tests on the job's MSO4024 up to 2GHz. Can you make a patch to 350MHz test?

[AndersAnd]

Should I reset the options by putting the code for the trial options for the DS2102 back in and redo it?

You can't uninstall options by installing other options instead. You need to use the SCPI command :SYSTem:OPTion:UNINSTall command to uninstall keys. This has already been mentioned several times in this topic.

If you're not familiar with SCPI commands, read your scope's user's manual + programming guide, both documents has info about SCPI commands.

You can search this topic for :SYSTem:OPTion:UNINSTall for more info.

SCPI = Standard Commands for Programmable Instruments https://en.wikipedia.org/wiki/Standard_Commands_for_Programmable_Instruments

[ve7xen]

It's been a while since I've monitored this thread and it appears plenty of progress has been made. Excellent work everyone!

Took the opportunity to mirror a bunch more useful files permanently at http://www.gotroot.ca/rigol as well as setting up a cron job to pull down the complete thread every day as well. If there's anything else that should be there, send me files or PMs and I will make it so.

[eliocor]

Took the opportunity to mirror a bunch more useful files permanently at http://www.gotroot.ca/rigol as well as setting up a cron job to pull down the complete thread every day as well. If there's anything else that should be there, send me files or PMs and I will make it so.

Suggestion: it would be better if you can add date/time file was added to your repository.
Thanks for your work!

[Altemir]

MrKrabs
I wrote your fw to my MSO4024 for 500MHz and got interesting results. All is good. See my own topic today: many pictures requre processing.

[stuartk]

Posted by: AndersAnd
« on: Yesterday at 08:46:08 PM »


Quote from: stuartk on Yesterday at 03:11:33 PM

    Should I reset the options by putting the code for the trial options for the DS2102 back in and redo it?

You can't uninstall options by installing other options instead. You need to use the SCPI command :SYSTem:OPTion:UNINSTall command to uninstall keys. This has already been mentioned several times in this topic.

If you're not familiar with SCPI commands, read your scope's user's manual + programming guide, both documents has info about SCPI commands.

You can search this topic for :SYSTem:OPTion:UNINSTall for more info.

SCPI = Standard Commands for Programmable Instruments https://en.wikipedia.org/wiki/Standard_Commands_for_Programmable_Instruments

AndersAnd Thanks for pointing me in the right direction. I performed the following proceedure to reset it:

To erase options:

In Ultra Sigma:
Right click on the Scope USB Line
Select SCPI Control Panel
Paste:  SYSTEM:OPTION:UNINSTALL over the *IDN?
Send the command

It erased the options
The scope was back to the trial version even remembering the original number of minutes I had left.

I reapplied the code I used before and all the options vanished with the exception that the scope was now a DS2202 instead of a DS2102. 
(Windows even reinstalled the scope as a DS2202) 

I should have checked that the S/N was reset to DS2A0000000001

I reran the KeyGen using the mangled serial number and now it seems to work fine with all options with the exception of the loss of the serial number

The minimum timebase flipped from 5ns to 2ns

I appreciate your help, S.

[AndersAnd]

I should have checked that the S/N was reset to DS2A0000000001

I reran the KeyGen using the mangled serial number and now it seems to work fine with all options with the exception of the loss of the serial number

You can restore your DS2000's original serial number following this procedure: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg369122/#msg369122


Btw. What FW version do you have and what 4 letter code did you use to generate your key? I don't see CAN decoder listed?

With the latest FW installed:
Use DSEZ for 200 MHz with all other options enabled including CAN but without 50 ohm option from the A-series. [not listed here: http://riglol.3owl.com but still works]

Read about DSEZ and other codes here: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg356379/?topicseen#msg356379

[AndersAnd]

Took the opportunity to mirror a bunch more useful files permanently at http://www.gotroot.ca/rigol as well as setting up a cron job to pull down the complete thread every day as well. If there's anything else that should be there, send me files or PMs and I will make it so.

Suggestion: it would be better if you can add date/time file was added to your repository.
Thanks for your work!

Another suggestion: Ad folder for all the different Rigol series DS1000E/D, DS1000Z, DS2000, MS0/DS40000, DS6000, DSA8000, DP8000, DG4000 etc. and put the various files in the correct folders. It would make it much easier to navigate and find the relevant files for a specific Rigol product series.

[stuartk]

Hi Anders,

Two questions:

1. Is there any benefit to resetting the serial number to the actual number of the unit? Scope works fine now.

2. I would have to downgrade my FW from 00.00.01.00.05 down to the .02 FW for the patch to work.

Should I leave the FW at the 1.00.02 or upgrade it to the latest 00.02.01.00.03? Does one put the Keygen key in before or after the FW upgrade?

Thanks again, Stuart

[granz]

Thanks a lot, granz! Your tool made it much easier to recalculate the CRC and get the segment lengths & locations!

Glad it was useful.  Do you (or anyone else) happen to know what's missing from my understanding of the GEL file format?  I've only had limited time to spend poking around with a hex editor, but I'd like to fill in the last few gaps.  If I knew what's missing I could create (and post) a pair of tools, one to de-GEL and one to re-GEL with the correct CRCs after any code hacks.

Here's what I have for the segment info blocks currently:

typedef struct
{
    UInt32 Length;
    UInt32 Offset;
    UInt32 Check; // CRC32
    UInt32 UnknownA;
    UInt32 Address;
    UInt32 UnknownB;
    UInt32 UnknownC;
} SectionInfo;


Unknowns A, B, and C seem to be mostly zeroes.

[AndersAnd]

1. Is there any benefit to resetting the serial number to the actual number of the unit? Scope works fine now.

Probably not, but I would still do it in case you later have to send it in for a warranty repair or something.

Should I leave the FW at the 1.00.02 or upgrade it to the latest 00.02.01.00.03? Does one put the Keygen key in before or after the FW upgrade?

You should definitely upgrade to the latest FW, som fixes and improvements have been made + support for CAN decoding.
Uninstall all keys before upgrading. First apply new keys after upgrading to the latest FW.

[stuartk]

Hi Anders,

I used the windows KeyGen v.2.0b1 by synapsis
which was the most recent one I could find.
the code used was: DSAZ

[alank2]

You can restore your DS2000's original serial number following this procedure: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg369122/#msg369122

Excellent; I got my serial number fixed using this!!!

[AndersAnd]

Hi Anders,

I used the windows KeyGen v.2.0b1 by synapsis
which was the most recent one I could find.
the code used was: DSAZ

Use this web-based RigLol keygen made by EEVblog member studio25: http://riglol.3owl.com
UK mirror: http://rigol.avotronics.co.uk/mirrors/riglol/
Canadian mirror: http://www.gotroot.ca/rigol/riglol/

RigLol is the only keygen still maintained it seems, and it works on any operating system without installing anything. So there's no need to maintin different versions for Windows, Linux etc. RigLol is also very easy to use. Some have problems accesing the original site http://riglol.3owl.com, so if you do, try one of the two mirror sites instead.

1) Uninstall all options.

2) Restore serial# using procedure described here.

3) Upgrade to the latest FW 00.02.01.00.03.

4) Install DSEZ instead of DSAZ for 200 MHz with all options except for the 50 ohm option from the A-series.
Or instead install DSGH for 300 MHz with all options except for for the 50 ohm option from the A-series.
There's some debate whether 300 MHz works properly. Read marmad's and other's comments on this earlier in this in this topic and in the DS2000 review topic.
DSEZ = DSAZ + CAN decoder option, but only works with the latest FW.
DSGH = same as DSEZ but with 300 MHz instead of 200 MHZ.
Read about DSEZ and how to build other letter combinations here: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg356379/?topicseen#msg356379

Code: [Select]

y  CAN, 300, 50ohm   |   x  200, 100, Mem, Dec, Trig
E   on   ==   ==     |   Z   on   ==   on   on   on   <-  All 2202
G   on   on   ==     |   H   ==   ==   on   on   on   <-  All 2302

Where y = 3rd letter and x = 4th letter:
DSyx = DSEZ for 200 MHz with all options except 50 ohm
DSyx = DSGH for 300 MHz with all options except 50 ohm

Read about and download the different DS2000 FW versions in this topic: https://www.eevblog.com/forum/testgear/first-impressions-and-review-of-the-rigol-ds2072-ds2000-series-dso/

[Avotronics]

rigol.avotronics.co.uk is still down. I just have to transfer the backend database and it will be live again. Will be up Saturday.

[stuartk]

Hi Anders

I followed the procedure exactly to reset my S/N

wiped the keys
I entered my actual S/N
Selected my actual model # DS2102
Applied the patched FW

Now apparently I now own a DS2022 scope, whatever that is, with the S/N unchanged on the basic screen

On the detailed screen the S/N is correct however the model is still DS2022

I'm now unable to print screen from Ultra Sigma to show you, ouch!

Thanks, Stuart

[AndersAnd]

I followed the procedure exactly to reset my S/N

wiped the keys
I entered my actual S/N
Selected my actual model # DS2102
Applied the patched FW

Now apparently I now own a DS2022 scope, whatever that is, with the S/N unchanged on the basic screen

That's not following the procedure exactly, that's only the first 3 steps out of 12. Follow all 12 steps from start to finish to the letter, or at least to step 9 to be able to check correct serial number and model. Where's the steps from 4 and onwards?
"true" only did half the procedure too and had the same problem.
Read his posts: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg369783/#msg369783
And the reply: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg369833/#msg369833

1.  Requires 00.01.01.00.02 firmware (7777543 bytes, 0xa167ef30 crc32) named
       DS2000Update.gel in same directory as executable
2.  Execute snmodfix and specify serial and model to patch firmware
3.  Flash patched ds2000update.gel using power on help button method
4.  Restart scope
5.  Enable advanced system information menu (press Trigger Menu, Menu 7,
       Menu 6, Menu 7, Utility very quickly) to enable it
6.  Show system information - serial should be fixed but NOT saved to flash
      yet - some text labels will be missing
7.  Connect using scpi and issue :SYSTem:OPTion:UNINSTall command which will
      uninstall all keys and save to flash
8.  Once settled restart scope
9.  Show system information (not advanced) should now show the correct serial
      and model
10. Update to latest stock unpatched firmware version
11. Storage -> Default
12. Reinstall any key(s)

[stuartk]

Hi Anders,

I followed all the steps I just didn't write then out to save space.

I did the following:

I did not downgrade my firmware from 00.00.01.00.05, to the stock 00.01.01.00.02 firmware before applying the patched 00.01.01.00.02 firmware. I assumed that it would be redundant.

1.  Requires 00.01.01.00.02 firmware (7777543 bytes, 0xa167ef30 crc32) named
       DS2000Update.gel in same directory as executable

Done

2.  Execute snmodfix and specify serial and model to patch firmware

Done. I used my actual S/N not the DS2A000001
I used my actual Model number DS2102 (option 0)

3.  Flash patched ds2000update.gel using power on help button method

done

4.  Restart scope

done

5.  Enable advanced system information menu (press Trigger Menu, Menu 7,
       Menu 6, Menu 7, Utility very quickly) to enable it

done

6.  Show system information - serial should be fixed but NOT saved to flash
      yet - some text labels will be missing

done

7.  Connect using scpi and issue :SYSTem:OPTion:UNINSTall command which will
      uninstall all keys and save to flash

done

8.  Once settled restart scope

done

9.  Show system information (not advanced) should now show the correct serial
      and model

Everything worked up to step #9.

I stopped there as the serial number and model number were not correct.

True got model # 2202, I have 2022

[alank2]

7.  Connect using scpi and issue :SYSTem:OPTion:UNINSTall command which will
      uninstall all keys and save to flash

When you did this, did your scope respond with a message on the screen, something like:

Options of official version have deleted.

I mention this because for a long time I thought I was issuing the ":SYSTem:OPTion:UNINSTall" command, but I was doing it wrong and nothing was happening...

[stuartk]

Yep it did.

[AndersAnd]

What happens if you follow the last 3 steps and use DSEZ as option? Does the model name change to 2202?

[alank2]

I stopped there as the serial number and model number were not correct.
True got model # 2202, I have 2022

Odd.  I sure don't get the 2022 thing.  Did the serial stay the common mangled 14 digit 0001 type one?

On my unit when I tried this step 5 fixed the serial, but the model was still wrong until I did a restart and then they were both right in the basic system info menu...

I have a theory that it gets corrupted (maybe this is how the s/n gets mangled in the first place) when you try to do more than one key operation without power cycling.  In other words, to keep a s/n from getting messed up, I would always power cycle after doing a key uninstall, or installing a key.  One operation per reboot.

[AndersAnd]

Odd.  I sure don't get the 2022 thing.  Did the serial stay the common mangled 14 digit 0001 type one?

What model# did you select for the custom FW? 2072, 2102, 2202 or 2302? Maybe there's a bug in the FW modification tool that only occurs when selecting 2102?