Author Topic: Sniffing the Rigol's internal I2C bus (Read 1840629 times)

ted572 · « **Reply #4350 on:** May 13, 2017, 02:13:48 pm »

DSA800 Boot Loader: It is customary for electronic equipment manufacturers to store their Boot Loader in ROM, EROM, ERAM, etc; in a form of Protected Memory. Not necessarily to prevent hacking, but to safe guard it from corruption. Because once corrupted (and it has to be retained for the Life Of The Equipment) the unit is dead in its tracks, and re-installation of firmware isn’t generally possible. So then, > Back To The Factory. That’s why I said the changing the firmware will probably be tricky. The task of the Boot Loader is primarily to just boot up the system firmware upon equipment power up, to check and control firmware updates, changes, and installation methods. Not to prevent alterations of installed firmware. The firmware, its checksum(s), etc, do that job. So the Boot Loader doesn’t itself prevent someone from hacking the Rigol Options.

We know that the Rigol DP800 Series is an exception to using protected memory for the Boot Loader. Because Rigol provided a new Boot Loader along with at least one of its firmware updates.

Hopefully someone can figure out how to go back to a earlier Boot Loader in the DSA815. Although if its protected, and very likely it is, especially in the newer hardware Main Boards, then it may not be easy at all. It would have been very easy for Rigol to add a Boot ROM in the newer boards (v. 7 and above), and then it would be much more difficult to change, But Not Impossible.

smgvbest · « **Reply #4351 on:** May 13, 2017, 03:37:22 pm »

Quote from: ted572 on May 13, 2017, 02:13:48 pm

DSA800 Boot Loader: It is customary for electronic equipment manufacturers to store their Boot Loader in ROM, EROM, ERAM, etc; in a form of Protected Memory. Not necessarily to prevent hacking, but to safe guard it from corruption. Because once corrupted (and it has to be retained for the Life Of The Equipment) the unit is dead in its tracks, and re-installation of firmware isn’t generally possible. So then, > Back To The Factory. That’s why I said the changing the firmware will probably be tricky. The task of the Boot Loader is primarily to just boot up the system firmware upon equipment power up, to check and control firmware updates, changes, and installation methods. Not to prevent alterations of installed firmware. The firmware, its checksum(s), etc, do that job. So the Boot Loader doesn’t itself prevent someone from hacking the Rigol Options.

We know that the Rigol DP800 Series is an exception to using protected memory for the Boot Loader. Because Rigol provided a new Boot Loader along with at least one of its firmware updates.

Hopefully someone can figure out how to go back to a earlier Boot Loader in the DSA815. Although if its protected, and very likely it is, especially in the newer hardware Main Boards, then it may not be easy at all. It would have been very easy for Rigol to add a Boot ROM in the newer boards (v. 7 and above), and then it would be much more difficult to change, But Not Impossible.

granted, however the DSA815 support boot from USB and the blackfin supports uart boot. so if we have the boot code in LDR format and put that on a USB drive or load via uart to get 1.03 in then could we not backload FW1.0x then?

ted572 · « **Reply #4352 on:** May 13, 2017, 09:13:28 pm »

Quote from: smgvbest on May 13, 2017, 03:37:22 pm

granted, however the DSA815 support boot from USB and the blackfin supports uart boot. so if we have the boot code in LDR format and put that on a USB drive or load via uart to get 1.03 in then could we not backload FW1.0x then?

Hi Sandra: The Blackfin's interface capability can be limited/overridden by the instructions from the Boot Loader. Or purposely left out by the hardware designer for expediency because it wasn't required for the task. I think that the current .04 Boot Loader most likely preempts doing this, so I think someone will have to directly force a .03 Boot Loader (or equivalent) in place of the .04.
I don't have any vested interest here, because I have the original hardware with all of the permanent Options (so far anyway). If I had the newer unit I would be charging into this relentlessly with a DSA815 open on my bench, to try to at least understand high level system architecture used. I did this for my units Front End, LOs, Mixers, and IFs through to the DSP. https://www.eevblog.com/forum/testgear/spectrum-analyzer-rigol-dsa815/msg1059060/#msg1059060
You may want to consider sketching out your units digital control logic surrounding the firmware and its management. This should help shed more light on all this. I believe that all of the involved ICs have vendor P/Ns, and a few may have SMT Codes. Doing this with Peter's info may help pull it together.
EOT and Cheers, Ted

Edit: I think that this discussion should moved back here -> 'Re: Spectrum Analyzer - Rigol DSA815' to get all the interested and knowledgeable parties in this matter involved.

Please go to 'Re: Spectrum Analyzer - Rigol DSA815' to follow this subject: https://www.eevblog.com/forum/testgear/spectrum-analyzer-rigol-dsa815/msg1207904/#msg1207904

cybernet · « **Reply #4353 on:** May 17, 2017, 09:41:46 pm »

some ppl asked for it, finally found that stuff again:

DS2000 stuff:

IDA Pro Signatures: http://www.filedropper.com/showdownload.php/ds2000cybernet23072013
LDR Tool: http://www.filedropper.com/geltoolsrctar
Custom LDR binary: http://www.filedropper.com/rigolds2000customlcdtar
UBOOT Custom: http://www.filedropper.com/uboot-201404ds2000tar

DG4000 stuff:

Firmwares, CEN, IDB files: http://www.filedropper.com/dg4000tar_1

DS815 stuff:

DSA815 Dump + IDA: http://www.filedropper.com/dsa815

have fun

RoGeorge · « **Reply #4354 on:** May 18, 2017, 06:37:59 am »

Quote from: cybernet on May 17, 2017, 09:41:46 pm

...
DG4000 stuff:
Firmwares, CEN, IDB files: http://www.filedropper.com/dg4000tar
...

Thank you, but this download didn't worked for me. I tried with 2 different computers, and they both say "unexpected end of archive", "file is broken".

Could you check, please?

cybernet · « **Reply #4355 on:** May 19, 2017, 12:47:52 am »

reup'ed and updated the link, try that one.

RoGeorge · « **Reply #4356 on:** May 19, 2017, 07:52:34 am »

Thank you for re-uploading, but still not working for me.

In Win10 the 7zip gives "unexpected end of archive" then hang.
In Debian 8, the same:

Code: [Select]

rogeorge@debian80:~$ cd Downloads/
rogeorge@debian80:~/Downloads$ gunzip -t DG4000.tar.gz 

gzip: DG4000.tar.gz: not in gzip format
rogeorge@debian80:~/Downloads$ tar -xvzf DG4000.tar.gz -O > /dev/null

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
rogeorge@debian80:~/Downloads$ md5sum DG4000.tar.gz 
74fa6a60981025eee721ae1bc76d8054  DG4000.tar.gz
rogeorge@debian80:~/Downloads$ sha1sum DG4000.tar.gz 
30aa545b6339e51e03db70b29b91ada9dea60cf1  DG4000.tar.gz
rogeorge@debian80:~/Downloads$ file DG4000.tar.gz 
DG4000.tar.gz: POSIX tar archive (GNU)
rogeorge@debian80:~/Downloads$ cp DG4000.tar.gz DG4000.tar
rogeorge@debian80:~/Downloads$ tar xvf DG4000.tar
DG4000/
DG4000/license_gen/
DG4000/license_gen/cengen
DG4000/license_gen/cengen.zip
DG4000/license_gen/cengen.c
DG4000/license_gen/license.zip
DG4000/license_gen/.DS_Store
DG4000/license_gen/build.sh
DG4000/license_gen/license.CEN
DG4000/license_gen/diff
DG4000/license_gen/._.DS_Store
DG4000/license_gen/work1/
DG4000/license_gen/work1/main.c
DG4000/license_gen/ix
DG4000/lxi_test/
DG4000/lxi_test/dbgcmd.bin
DG4000/lxi_test/._dbgcmd.bin
DG4000/lxi_test/my_lxi_command.bin
DG4000/mem_dump/
DG4000/mem_dump/dg4000_async0.bin
DG4000/mem_dump/._dg4000_lo1.bin
DG4000/mem_dump/dg4000_memdump.tar.gz
DG4000/mem_dump/dg4000_scratch.bin
DG4000/mem_dump/ivt.bin
DG4000/mem_dump/dg4000_data_a.bin
DG4000/mem_dump/kkkkk.bin
DG4000/mem_dump/dg4000_lo1.bin
tar: Unexpected EOF in archive
tar: rmtlseek not stopped at a record boundary
tar: Error is not recoverable: exiting now
rogeorge@debian80:~/Downloads$ gunzip DG4000.tar.gz 

gzip: DG4000.tar.gz: not in gzip format
rogeorge@debian80:~/Downloads$ gunzip DG4000.tar
gzip: DG4000.tar: unknown suffix -- ignored
rogeorge@debian80:~/Downloads$

Do you have the same md5 or sha1 checksum on your PC, please?
Am I doing something wrong?

McBryce · « **Reply #4357 on:** May 19, 2017, 08:02:18 am »

I tried downloading it (windows 7). I get the same "unexpected end of archive", but it still allows me to extract all the files and they seem to be ok.

McBryce.

cybernet · « **Reply #4358 on:** May 19, 2017, 11:49:25 pm »

Code: [Select]

sha1sum DG4000.tar.gz 
ea51691d00365fe47bc3cf081667c47f8699526d  DG4000.tar.gz

Code: [Select]

gzip -dc DG4000.tar.gz |tar -vxf -
DG4000/
DG4000/license_gen/
DG4000/license_gen/cengen
DG4000/license_gen/cengen.zip
DG4000/license_gen/cengen.c
DG4000/license_gen/license.zip
DG4000/license_gen/.DS_Store
DG4000/license_gen/build.sh
DG4000/license_gen/license.CEN
DG4000/license_gen/diff
DG4000/license_gen/._.DS_Store
DG4000/license_gen/work1/
DG4000/license_gen/work1/main.c
DG4000/license_gen/ix
DG4000/lxi_test/
DG4000/lxi_test/dbgcmd.bin
DG4000/lxi_test/._dbgcmd.bin
DG4000/lxi_test/my_lxi_command.bin
DG4000/mem_dump/
DG4000/mem_dump/dg4000_async0.bin
DG4000/mem_dump/._dg4000_lo1.bin
DG4000/mem_dump/dg4000_memdump.tar.gz
DG4000/mem_dump/dg4000_scratch.bin
DG4000/mem_dump/ivt.bin
DG4000/mem_dump/dg4000_data_a.bin
DG4000/mem_dump/kkkkk.bin
DG4000/mem_dump/dg4000_lo1.bin
DG4000/mem_dump/dg4062.idb
DG4000/mem_dump/dg4000_async2.bin
DG4000/mem_dump/dg4062.map
DG4000/mem_dump/dg4000_data_b.bin
DG4000/mem_dump/iar
DG4000/mem_dump/dg4000_async1.bin
DG4000/mem_dump/secure_code.txt
DG4000/mem_dump/dg4000_sysmmr.bin
DG4000/mem_dump/dg4000_inst_ab.bin
DG4000/mem_dump/dg4000_inst_c.bin
DG4000/mem_dump/license.CEN
DG4000/mem_dump/dg4000_async3.bin
DG4000/mem_dump/dg4000_coremmr.bin
DG4000/mem_dump/facts.txt
DG4000/mem_dump/aaaaa.bin
DG4000/mem_dump/dg4062.rar
DG4000/dumpeth.txt
DG4000/model_sub/
DG4000/model_sub/dg4162.asm
DG4000/model_sub/dg4102.clean
DG4000/model_sub/dg4102.asm
DG4000/model_sub/dg4162.clean
DG4000/.DS_Store
DG4000/._DG4000Update.GEL
DG4000/FW0.7/
DG4000/FW0.7/._DG4000Update.GEL
DG4000/FW0.7/DG4000Update.GEL-FW0.7.zip
DG4000/FW0.7/DG4000Update.GEL
DG4000/gelfile/
DG4000/gelfile/dump_20400000.bin
DG4000/gelfile/dump_20470000.bin
DG4000/gelfile/dump_20300000.bin
DG4000/gelfile/crc_table.h
DG4000/gelfile/dump_2046fc00.bin
DG4000/gelfile/dump_209b0000.bin
DG4000/gelfile/dump_20440000.bin
DG4000/gelfile/dump_20440400.bin
DG4000/gelfile/dump_20460000.bin
DG4000/gelfile/dump_20460400.bin
DG4000/gelfile/dump_20db0000.bin
DG4000/gelfile/dump_20830000.bin
DG4000/gelfile/dump_205b0000.bin
DG4000/gelfile/dump_20040000.bin
DG4000/gelfile/dump_20443800.bin
DG4000/gelfile/gelfile.c
DG4000/gelfile/build.sh
DG4000/gelfile/dump_20443400.bin
DG4000/gelfile/gelfile
DG4000/gelfile/dump_20bb0000.bin
DG4000/gelfile/DG4000Update.GEL
DG4000/gelfile/dump_207b0000.bin
DG4000/license.CEN
DG4000/lxi.py
DG4000/test.RAF
DG4000/bootld/
DG4000/bootld/dg4062_boot_async3.bin
DG4000/bootld/dg4062_boot_ram.bin
DG4000/bootld/dg4062_boot_async2.bin
DG4000/bootld/dg4062_boot_srama.bin
DG4000/bootld/dg4062_boot_smmr.bin
DG4000/bootld/dump.txt
DG4000/bootld/dg4062_boot_cmmr.bin
DG4000/bootld/dg4062_boot_ram.idb
DG4000/bootld/dg4062_boot_dump.zip
DG4000/bootld/dg4062_boot_instab.bin
DG4000/bootld/dg4062_boot_instc.bin
DG4000/bootld/dg4062_boot_async1.bin
DG4000/bootld/dg4062_boot_async0.bin
DG4000/bootld/dg4062_boot_sramb.bin
DG4000/addr_0.3.txt
DG4000/._.DS_Store
DG4000/newoffset
DG4000/._license.CEN
DG4000/DG4000Update.GEL
DG4000/FW0.6/
DG4000/FW0.6/DG4000Update.GEL-FW0.6.zip
DG4000/FW0.6/._DG4000Update.GEL
DG4000/FW0.6/DG4000Update.GEL
DG4000/test.ldr

RoGeorge · « **Reply #4359 on:** May 20, 2017, 05:42:27 am »

My download doesn't have the same checksum as your file. I tried also resetting my router, getting a new IP, fire up a clean Debian VMware machine, download without any addblockers, and I still get the same wrong checksum:

Code: [Select]

sha1sum DG4000.tar.gz
30aa545b6339e51e03db70b29b91ada9dea60cf1  DG4000.tar.gz

Thank you for your patience cybernet, but please don't waste any more time with this. I give up.

I guess something is wrong with that file sharing site.

neslekkim · « **Reply #4360 on:** May 21, 2017, 12:25:35 pm »

Quote from: cybernet on May 17, 2017, 09:41:46 pm

...
DG4000 stuff:
Firmwares, CEN, IDB files: http://www.filedropper.com/dg4000tar
...

Same for me, this file is corrupt.

Quote from: cybernet on May 17, 2017, 09:41:46 pm

DG4000 stuff:

Firmwares, CEN, IDB files: http://www.filedropper.com/dg4000tar_1

And this one doesn't even start to download on chrome, but with IE I got an corrupt file, smaller than from the previous link.

PA0PBZ · « **Reply #4361 on:** May 21, 2017, 01:05:12 pm »

Same here, 153MB first file, 113MB the second one.
Also, if I can trust the catalog the contents of the mem_dump folder are different, the 2nd one has more bin files but the idb is missing.

phy14 · « **Reply #4362 on:** June 12, 2017, 06:05:23 pm »

thanks!!

cybernet · « **Reply #4363 on:** June 26, 2017, 09:20:23 pm »

some stuff that had issues:

https://workupload.com/file/tqpFggS
https://workupload.com/file/ffShyMm
https://workupload.com/file/XAuFL37

psysc0rpi0n · « **Reply #4364 on:** July 08, 2017, 12:32:02 pm »

Guys, I can't find the link to generate Serial Keys for the MSO1074Z scope... That rigup tool online site!

sokoloff · « **Reply #4365 on:** July 08, 2017, 01:07:18 pm »

Quote from: psysc0rpi0n on July 08, 2017, 12:32:02 pm

Guys, I can't find the link to generate Serial Keys for the MSO1074Z scope... That rigup tool online site!

google for "riglol" (yes, with the extra "l")

psysc0rpi0n · « **Reply #4366 on:** July 08, 2017, 01:29:07 pm »

Quote from: sokoloff on July 08, 2017, 01:07:18 pm

Quote from: psysc0rpi0n on July 08, 2017, 12:32:02 pm
Guys, I can't find the link to generate Serial Keys for the MSO1074Z scope... That rigup tool online site!
google for "riglol" (yes, with the extra "l")

I found the site. Thanks!

But where do I see my Private Key in order to be able to generate the keys?

sokoloff · « **Reply #4367 on:** July 08, 2017, 02:27:46 pm »

Quote from: psysc0rpi0n on July 08, 2017, 01:29:07 pm

I found the site. Thanks!

But where do I see my Private Key in order to be able to generate the keys?

The site generates the private key. You enter your serial number and the 4 alpha code of the options you want to enable and you get a private key out. (Yeah, the web UI makes it look like you need to enter something there. You don't.)

Also note: I found it way easier to hook the Rigol up to my network and telnet into it and do the upgrade via the command line (where I could easily copy/paste the serial number and the private key). When you do that, do not enter the dashes.

Code: [Select]

:SYST:OPT:INST <private key without dashes>

is the command you need.

ebastler · « **Reply #4368 on:** July 08, 2017, 02:32:01 pm »

Quote from: psysc0rpi0n on July 08, 2017, 01:29:07 pm

I found the site. Thanks!
But where do I see my Private Key in order to be able to generate the keys?

Not sure whether you are "1337" enough for this...

psysc0rpi0n · « **Reply #4369 on:** July 08, 2017, 06:49:28 pm »

Quote from: ebastler on July 08, 2017, 02:32:01 pm

Quote from: psysc0rpi0n on July 08, 2017, 01:29:07 pm
I found the site. Thanks!
But where do I see my Private Key in order to be able to generate the keys?

Not sure whether you are "1337" enough for this...

What you mean?
I have already dumped my Rigol memory and generated the Serial Keys to my model. And I could not use that site because the tool was buggy and some member from here fixed that bug somehow and generated the keys to my model. But I'm helping a friend of mine has just bought an MSO1074Z.

ebastler · « **Reply #4370 on:** July 08, 2017, 07:54:38 pm »

Quote from: psysc0rpi0n on July 08, 2017, 06:49:28 pm

What you mean?

Just kidding, since you asked several questions about the most simple step in this "hacking" process.
No offense was intended!

psysc0rpi0n · « **Reply #4371 on:** July 14, 2017, 10:02:28 pm »

Quote from: ebastler on July 08, 2017, 07:54:38 pm

Quote from: psysc0rpi0n on July 08, 2017, 06:49:28 pm
What you mean?

Just kidding, since you asked several questions about the most simple step in this "hacking" process.
No offense was intended!

I couldn't even understood it so no offence could be taken! Just that I'm still in ignorance!

SkyMaster · « **Reply #4372 on:** July 14, 2017, 11:50:36 pm »

Quote from: psysc0rpi0n on July 14, 2017, 10:02:28 pm

I couldn't even understood it so no offence could be taken! Just that I'm still in ignorance!

ebastler was pulling your leg when making reference to "1337"

https://en.wikipedia.org/wiki/Leet

He was not serious

ivi_yak · « **Reply #4373 on:** July 27, 2017, 11:57:06 pm »

hi, what kind of software you use?

LeoIt · « **Reply #4374 on:** August 20, 2017, 10:16:30 pm »

Hello everybody,

I have a question about DSA815....

I searched a lot in the forum to get information about the component U1220 it is a SOIC8 marked as MQD2C.... I didn't find what is it, somebody out there could help, it seems connected to the 4 pins strip near to the power supply connector, I suppose it it something controlled by TWI or SPI ?

May be it is a serial flash that contains some calibration or configuration data ?

Any help is much appreciated !

Many Thanks.


EEVblog Main Site	EEVblog on Youtube	EEVblog on Twitter	EEVblog on Facebook	EEVblog on Odysee

Author Topic: Sniffing the Rigol's internal I2C bus (Read 1840629 times)

Share me