Sniffing the Rigol's internal I2C bus

[Howardlong]

Just bought a MSO1074Z-S, and unfortunately it came with firmware 4.03.SP2.  Board revision is 6.1.2, if that makes any difference.  Obviously, me asking when riglol/rigup will support the new firmware is of no use to anybody, but is there anything I can do that would be helpful at this point?  I haven't managed to grab the memory dump yet, but I do have the tools to do so, and I'll try to get that done this weekend.

It's definitely worth doing, I have the same model, it's my go-to field scope. It just takes a little patience, and care with the warranty sticker.

My main negatives are the screen-only serial decodes, cluttered screen and slow UI, but for the money I'm certainly not going to complain, it gets the job done in a very compact and usable package

[qwertymodo]

I have my memory dumps if they are of any use to anybody with the know-how to work toward updating rigup. There was a message somewhere earlier in this thread where somebody claimed to have gotten working licenses on 4.03.SP1 by dumping the memory while the Rigol logo was on-screen, so I took one then too.

I'm willing to do anything else that might be useful. I already have a DS1054Z fully unlocked, so I'm not in any huge rush (though I would like to sell the '54 once I get the MSO unlocked).

Sent from my m8wl using Tapatalk

[psysc0rpi0n]

Just bought a MSO1074Z-S, and unfortunately it came with firmware 4.03.SP2.  Board revision is 6.1.2, if that makes any difference.  Obviously, me asking when riglol/rigup will support the new firmware is of no use to anybody, but is there anything I can do that would be helpful at this point?  I haven't managed to grab the memory dump yet, but I do have the tools to do so, and I'll try to get that done this weekend.

It's definitely worth doing, I have the same model, it's my go-to field scope. It just takes a little patience, and care with the warranty sticker.

My main negatives are the screen-only serial decodes, cluttered screen and slow UI, but for the money I'm certainly not going to complain, it gets the job done in a very compact and usable package

Are you sure the list of compatible JTAG adapters are in message #2413??? On page 97??? I found that message but it has no list of JTAG adapters. Anyway, I'm trying to find something cheaper than the Olimex LTD ARM-USB-OCD-H . This is quite expensive!

I was thinking about this one which is a lot cheaper:
http://dangerousprototypes.com/docs/Bus_Pirate_v3.6

Is this one suitable for this job?

[hammy]

Are you sure the list of compatible JTAG adapters are in message #2413??? On page 97??? I found that message but it has no list of JTAG adapters.

Yes, I'm sure, it was the first message from buergi: "Reply #2413 on: 11-01-2014, 18:59:55"
There are also several other messages in this thread from various people with various jtag adapters. Just do a search inside this thread.
Or do it the other way around. You found a cheap adapter? Search the forum if someone used this model before.

Cheers
hammy

[psysc0rpi0n]

Are you sure the list of compatible JTAG adapters are in message #2413??? On page 97??? I found that message but it has no list of JTAG adapters.

Yes, I'm sure, it was the first message from buergi: "Reply #2413 on: 11-01-2014, 18:59:55"
There are also several other messages in this thread from various people with various jtag adapters. Just do a search inside this thread.
Or do it the other way around. You found a cheap adapter? Search the forum if someone used this model before.

Cheers
hammy

This is what I find in this thread at pos #2413. But I'll search by the date!
See attachment

[hammy]

That's strange!  I'm sorry.  The message from your screenshot is #2414 for me.

BTW there was someone in this thread using a BusPirate - if I remember correct - and it took him hours to extract the dump. But I'm not sure.

[psysc0rpi0n]

That's strange!  I'm sorry.  The message from your screenshot is #2414 for me.

Yes quite weird... Though, you have nothing to sorry... It's not your fault!

Anyway, I think I get the post you mentioned!

I suppose you mean this one:
https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg365951/#msg365951

[hammy]

Yes! 
There are some adapters mentioned, used by member of this forum.
And there is a link inside this message for a general list: http://urjtag.org/book/_system_requirements.html#_supported_jtag_adapters_cables
And there was this guy, using a raspi: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg955873/?topicseen#msg955873
Here we are, a BusPirate: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg585831/?topicseen#msg585831

It's all inside this thread ...

Have fun! Good luck!

[McBryce]

The cheapest I've found that works are these Chinese J-Link knock-offs: http://www.ebay.de/itm/ARM7-ARM9-ARM11-J-link-V8-ARM-Emulator-Cortex-M3-ADS-IAR-STM32-JTAG-Interface-/272345346913
Work fine, just remember to click "no" if the J-Link software offers to upgrade the firmware.

McBryce.

[psysc0rpi0n]

Looks like Bus Pirate is really slow! And all the devices stated around here are quite expensive!

I would like some help to try to figure out if some other devices are likely to work. For instance, would any of this work:

http://www.ebay.com/itm/FPU1-FTDI-FT2232-USB-JTAG-XILINX-FPGA-CPLD-programmer-cable-/181635528314?hash=item2a4a52367a:g:tJMAAOSwygJXgP4d

http://www.ebay.com/itm/FT2232-USB-DIP-module-for-FTDI-FT2232D-dual-UART-FIFO-JTAG-SPI-/162159976456?hash=item25c17ce008:g:JesAAOSwwpdW4SrL

[psysc0rpi0n]

The cheapest I've found that works are these Chinese J-Link knock-offs: http://www.ebay.de/itm/ARM7-ARM9-ARM11-J-link-V8-ARM-Emulator-Cortex-M3-ADS-IAR-STM32-JTAG-Interface-/272345346913
Work fine, just remember to click "no" if the J-Link software offers to upgrade the firmware.

McBryce.

Well, that is an affordable one indeed!!! If I find no one else, I'll purchase that one!

[McBryce]

Yup (I assume you meant to quote my post?). I've been using it quite a bit since I bought it about 2 years ago and it's never given problems yet.

McBryce.

[psysc0rpi0n]

Yup (I assume you meant to quote my post?). I've been using it quite a bit since I bought it about 2 years ago and it's never given problems yet.

McBryce.

Yes I meant to quote your post! :p

That's good news...

And is there any way of knowing how much time these devices takes to perform the memory dump?

[McBryce]

It's been a while since I dumped the memory from my MSO1104Z-S, but I think it took about 6 minutes. I used the "Speed 6000" command first of course, otherwise it uses some snail-paced default that takes forever.

Here's a post where someone else used exactly the same method, with full instructions on what to do: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg599846/#msg599846

McBryce.

[psysc0rpi0n]

It's been a while since I dumped the memory from my MSO1104Z-S, but I think it took about 6 minutes. I used the "Speed 6000" command first of course, otherwise it uses some snail-paced default that takes forever.

Here's a post where someone else used exactly the same method, with full instructions on what to do: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg599846/#msg599846

McBryce.

Nice... I'm going to order one of those and when I get it, I'll ask for help here if I need!
Also need to save these links that will be of great help when I'm about to perform the memory dump!

[psysc0rpi0n]

I just bought the named device (ARM7 ARM9 ARM11 J link V8 ARM Emulator Cortex-M3 ADS IAR STM32 JTAG Interface)! Now, it's a desperation wait!

[qwertymodo]

I used a Raspberry Pi, as described a few pages back.  However, I used the native config, which is a lot faster on the GPIO's than the generic config.  Still took 45 minutes, but that's better than 3 hours.

Edit: I just successfully generated a license for my MS01074S on firmware 4.03.SP2 using rigup 0.4.1-mso1000z.  Based on a previous comment earlier in this thread that I can't seem to find now, it might make a difference when you start the memory dump relative to the boot time.  The dump that I used that worked was halted almost immediately upon the options dialog appearing (immediately after the Rigol logo disappears).  I used option CSGY = 0x1C0DF to generate the license for everything except the 5uV, and that worked.

[psysc0rpi0n]

Has anyone managed to unlock the features of any MSO using the latest firmware?

[qwertymodo]

I'm not sure what the latest firmware version is, but I just did on the 1074 I bought just a week ago, which came from the factory with 4.0.3.SP2.

Sent from my m8wl using Tapatalk

[psysc0rpi0n]

I'm not sure what the latest firmware version is, but I just did on the 1074 I bought just a week ago, which came from the factory with 4.0.3.SP2.

Sent from my m8wl using Tapatalk

I also have that same version of firmware and this last week I requested the latest firmware update and that version was the one they sent me!

[qwertymodo]

Ok, then yes, fully unlocked MSO1074Z-S on the latest firmware.

Sent from my m8wl using Tapatalk

[hammy]

@qwertymodo
@psysc0rpi0n
It doesn't make a difference, but the latest firmware version is "00.04.04.00.07" from July 26, 2016.
The official download page for the MSO/DS1000z is http://int.rigol.com/Product/Index/4
The mentioned firmware shows up in system info with "00.04.04.SP1"

Cheers
hammy

[psysc0rpi0n]

@qwertymodo
@psysc0rpi0n
It doesn't make a difference, but the latest firmware version is "00.04.04.00.07" from July 26, 2016.
The official download page for the MSO/DS1000z is http://int.rigol.com/Product/Index/4
The mentioned firmware shows up in system info with "00.04.04.SP1"

Cheers
hammy

Ok, I misread the version they sent me in 17/09/2016 which in fact was DS1000Z(ARM)Update_00_04_04_00_07.
So this means that an update already came out after my request, I suppose!

[qwertymodo]

Well, in that case, I have no idea if you can dump the keys on 4.04.SP1.  However, I CAN confirm that licenses installed on 4.03.SP2 survive the upgrade to 4.04.SP1 just fine.

[psysc0rpi0n]

Well, in that case, I have no idea if you can dump the keys on 4.04.SP1.  However, I CAN confirm that licenses installed on 4.03.SP2 survive the upgrade to 4.04.SP1 just fine.

The version firmware version I actually have is 4.03.SP2 because when I received the last update I requested (which was 00.04.04.00.07), I thought it was the same as the one in the scope so I didn't upgrade it!

But once more, I didn't know another piece of information. 00.04.04.00.07 shows up in System Info as 00.04.04.SP1. So, I still don't have the latest firmware!

And is it possible to downgrade firmware???