Sniffing the Rigol's internal I2C bus

[pascal_sweden]

Hey All,

I am ready to pull the trigger on a DS2102A. Has anyone confirmed that the innards of the 2072A to the 2202A are identical? Would I be able to view 200MHz signals without issue with the 2102A - assuming the appropriate "patches" have been applied? I would be more than willing to dump the memory to help the cause.


Cheers!

Actually would like to know if the DS2072A is identical to DS2302A. But nobody has bought a DS2302A yet to confirm. Who has some money to spare and go buy one? =)

[neslekkim]

To bad the distributor here is so secret about pricing, if I had know that the price difference was so low between 2202 and 2302, I would probably go for that instead of the 2202 that I bought, but i had to ask for prices as I found which products was available, was not able to get an complete list, because "dollar could change", yuck...

[pascal_sweden]

About 340 euro difference on Batronix.

[neslekkim]

Well, you listed some swedish company with other prices, like 2k in difference..  i think.

[gbot]

I'd be happy to know if the 2202A hardware is identical to the 2072A hardware.

Thanks!

Actually would like to know if the DS2072A is identical to DS2302A. But nobody has bought a DS2302A yet to confirm. Who has some money to spare and go buy one? =)

[AndersAnd]

I'd be happy to know if the 2202A hardware is identical to the 2072A hardware.

It is.

[gbot]

Thank you!

I'd be happy to know if the 2202A hardware is identical to the 2072A hardware.

It is.

[sled]

Watch out, here comes the dump: https://mega.co.nz/#!wwVi2YSZ!3o7nhjAZQ4RGAE4dks3HVjABZuFwiETEr78_JH2w-7s

Scope: DS2072A, fresh out of the box, produced in week 42.
JTAG Adapter: Altera USB Byteblaster Rev. C
Time to dump the whole memory in one piece: ~2 hours

Interestingly it was much quicker to dump the memory in pieces of 32M (took about 20minutes)

[AndersAnd]

Is this the JTAG that would work? I just got my 2072A and would just love to open it and play

http://www.ebay.com/itm/150943500360

Yes, that's the one.  In the JTAG connection diagram posted a little while back I used the second setup (pull-ups on TRST and SRST lines -- don't connect these to the programmer at all), but either way should work for you.

Good luck!

Altera USB-Blaster plug pinout (update)
http://hackingbtbusinesshub.wordpress.com/2011/09/12/usb-blaster-plug-connection/

[sled]

here are some pics from my setup with the usb blaster,

Color Coding:

The TRST and SRST (white and violet) are NOT connected to the JTAG cable, they're only pulled high on the breadboard with the pull up resistors)

Gray: TCK
Green: TMS
Blue: TDO
Brown: TDI
Orange & Black: GND
Red: VCC (+3.3V)

(The wire on the breadboard that looks gray, is actually white!)

[Flipp]

What jtag  speed is possible with the fake altera blaster?

[zombie28]

Watch out, here comes the dump: https://mega.co.nz/#!wwVi2YSZ!3o7nhjAZQ4RGAE4dks3HVjABZuFwiETEr78_JH2w-7s

Scope: DS2072A, fresh out of the box, produced in week 42.

Thank you for your dump - finally we have two dumps from different DS2072A scopes produced in the same week. The keys in these dumps are different, so it seems highly probable that every unit has its own keys. Consequently, it won't be possible to use the new keygen without extracting keys from the scope's memory (either flash or DRAM).

[diyaudio]

Is this the JTAG that would work? I just got my 2072A and would just love to open it and play

http://www.ebay.com/itm/150943500360

Yes, that's the one.  In the JTAG connection diagram posted a little while back I used the second setup (pull-ups on TRST and SRST lines -- don't connect these to the programmer at all), but either way should work for you.

Good luck!

Altera USB-Blaster plug pinout (update)
http://hackingbtbusinesshub.wordpress.com/2011/09/12/usb-blaster-plug-connection/

bought one.

[granz]

here are some pics from my setup with the usb blaster,

Color Coding:

The TRST and SRST (white and violet) are NOT connected to the JTAG cable, they're only pulled high on the breadboard with the pull up resistors)

Gray: TCK
Green: TMS
Blue: TDO
Brown: TDI
Orange & Black: GND
Red: VCC (+3.3V)

(The wire on the breadboard that looks gray, is actually white!)

Nicely done!  That is great that you posted pictures.  I tried to explain many times that you don't need to (shouldn't!) connect TRST and SRST to the JTAG cable if you have pull-ups on those, so I'm glad you have validated this--there seemed to be a lot of confusion.

[granz]

What jtag  speed is possible with the fake altera blaster?

Hardware-wise I believe it's fixed at 12 MHz, but the blackfin UrJTAG stuff says something about inserting wait-states if I remember right...

[AndersAnd]

Is there any reason why one pull-up resistor is 3k9 and the other 10k, why two different values? Or is this just what cybernet had at hand when he hooked it up?

[Co6aka]

The keys in these dumps are different, so it seems highly probable that every unit has its own keys.

Generated from the serial number perhaps? Anyway... How does it look patching the firmware to dump the key on the screen? Or out via some other path? Also, wondering how and at what point they load the key (and sernum) because maybe there's some hidden factory function just for that purpose. (Also, as a service issue, how might they deal with a corrupted sernum and/or key?)

[granz]

Is there any reason why one pull-up resistor is 3k9 and the other 10k, why two different values? Or is this just what cybernet had at hand when he hooked it up?

I don't remember what I used for pull-ups, might have been two 10k.  It would only matter if that line had a pull-down on it already of something like 10k (think voltage divider etc.) because it is meant to be driven high by the jtag cable.

[zombie28]

The keys in these dumps are different, so it seems highly probable that every unit has its own keys.

Generated from the serial number perhaps?

I think so, but only Rigol knows the algorithm.

Anyway... How does it look patching the firmware to dump the key on the screen? Or out via some other path?

Yes, I'm thinking about it and cybernet was coughing recently about something like that too...

Also, wondering how and at what point they load the key (and sernum) because maybe there's some hidden factory function just for that purpose. (Also, as a service issue, how might they deal with a corrupted sernum and/or key?)

IIRC the keys are stored in two flash locations - if one fails, then the second copy is used. The keys are stored in encrypted form (using RC5 algorithm) and protected by ECDSA with quite a long key (256 bits or so).

[Co6aka]

Also, wondering how and at what point they load the key (and sernum) because maybe there's some hidden factory function just for that purpose. (Also, as a service issue, how might they deal with a corrupted sernum and/or key?)

IIRC the keys are stored in two flash locations - if one fails, then the second copy is used. The keys are stored in encrypted form (using RC5 algorithm) and protected by ECDSA with quite a long key (256 bits or so).

I meant, when are they first programmed to the scope during the manufacturing process, and how might they be restored/replaced during servicing... Let's think about this as if we're a manufacturer building them and servicing them. Would we pre-program the SN and KEY into the chips before they're soldered, or after the scope comes out of assembly? If after, how would we program them? Also, if servicing a scope, if we had to do a board swap how would we program the instrument's SN and KEY to the new board? Seems logical that we'd want some straightforward time-efficient way to enter SN and KEY into an instrument, so...

[poida_pie]

What chances are there to patch a firmware so that it outputs the key and serial when you send it
"*IDN?". That would be good.

[chebeba]

The keys in these dumps are different, so it seems highly probable that every unit has its own keys.

Generated from the serial number perhaps?

I think so, but only Rigol knows the algorithm.

Does http://www.rigol.com/account/user.php?act=license have anything to do with this?

[NikWing]

Thank you for your dump - finally we have two dumps from different DS2072A scopes produced in the same week. The keys in these dumps are different, so it seems highly probable that every unit has its own keys. Consequently, it won't be possible to use the new keygen without extracting keys from the scope's memory (either flash or DRAM).

I expected that, it proves why it didn't work with mine

btw, sorry if this was explained already, but the 300 MHz (untested) option doesn't seem to work
does it mean that it's not implemented with an option?

somehow 12 MHz JTAG speed feels like the 5 MHz in the how-to, 8 MHz seem faster than 12 (and 5)

[Pehtoori]

Got TIAO JTAG adapter now. I hope I have time to dump at weekend. One more week 42 dump in making

42, 42, 42, something is hidden here ...

[nmz787]

Hi, using a site like this, is it possible to disable 500uV mode? I didn't know about the uncalibrated offset.
http://riglol.3owl.com/