Sniffing the Rigol's internal I2C bus

[Co6aka]

Well, now we know where to go to get a Rigol if we want to sniff its I2C bus.

Except, it seems some have been sniffing a little too much bus, so... Maybe let's not go there. 

Cybernet, did you see my post re accessing the Cal menu of the DSA1000-series? I'm still swamped with nonsense-work so I haven't been able to 'hack on it. (I'm trying to wring out of my cal-lab acquaintance any other Rigol cal access info.) Was also wondering why, if the basic feature bits were mostly/all low-order, why the keys for the different series instruments would be so different (unless of course there's an ID bit/bit-combination,) and if a key for, say a DS4014 and DS4054, for the same options was the same or different.

[cybernet]

the bits are different per instrument series, because rigol choose so. that way they can id a license to a instrument type probably the cause for it.
no real logical other reason imho.

Cybernet, did you see my post re accessing the Cal menu of the DSA1000-series? I'm still swamped with nonsense-work so I haven't been able to 'hack on it. (I'm trying to wring out of my cal-lab acquaintance any other Rigol cal access info.) Was also wondering why, if the basic feature bits were mostly/all low-order, why the keys for the different series instruments would be so different (unless of course there's an ID bit/bit-combination,) and if a key for, say a DS4014 and DS4054, for the same options was the same or different.

[cybernet]

back to topic on this thread:

an early xmas present for all DG4??? users ...

https://www.eevblog.com/forum/testgear/dg4000-a-firmware-investigation/msg331486/#msg331486

[Co6aka]

A dot-CEN file...  Fascinating! (Somebody's been busy... )

[Teneyes]

an early xmas present for all DG4??? users ...

          

Thanks again , Cybernet, 
another great Detective story,  well Done

       
   
now to compile and build the file.
Thanks Sparky , DG , DS  @200MHz

[tan98010]

Can anyone attached the .exe files? thanks.

[true]

cybernet, do you think something similar is in DSxxxx series?

Anyone dump DSxxxx yet? If something like this exists on DSxxxx I can write a downgrader...

[Giggy]

Hey guys,
My ds2072A arrived today, looks good, wasn't aware i was receiving 300mhz passive probes (includes compensation adjustment)

Will have to attempt to hack the device once i learn to use it, i would like the ability to downgrade i suppose, for warranty reasons. (hopefully there isn't something set once hacked that cant be undone)

Anyone interested in some information about it?

[apelly]

Will have to attempt to hack the device

Good luck with that matey

[AndersAnd]

cybernet, do you think something similar is in DSxxxx series?

Anyone dump DSxxxx yet? If something like this exists on DSxxxx I can write a downgrader...

https://www.eevblog.com/forum/testgear/dg4000-a-firmware-investigation/msg331726/#msg331726

[danoxx]

I have one question, working this combination on DSA815 (maintanance or calibration mode) ? TRACE > TG > MARKER FCTN > MEAS SETUP > SYSTEM > PRINT SETUP > STORAGE

I waiting for early xmas present too (DSA1000) 

[cybernet]

I have one question, working this combination on DSA815 (maintanance or calibration mode) ? TRACE > TG > MARKER FCTN > MEAS SETUP > SYSTEM > PRINT SETUP > STORAGE

I waiting for early xmas present too (DSA1000) 

nobody has yet posted any info about DSA1000, what key format, firmware image etc .. feel free to post it, and i'll have a look.

[cybernet]

cybernet, do you think something similar is in DSxxxx series?

Anyone dump DSxxxx yet? If something like this exists on DSxxxx I can write a downgrader...

something is, probably in the internal filesystem - but not via CEN files unfortunatly.

[danoxx]

If I knew how to help... I have only firmware : newest https://www.dropbox.com/s/bw94x4pvcyn3m9b/DSA1000A%28DSP%29update0001160001.rar or older version https://www.dropbox.com/s/zyjhluwdk6k61mr/DSA1000A%28DSP%29update.rar

[cybernet]

If I knew how to help... I have only firmware : newest https://www.dropbox.com/s/bw94x4pvcyn3m9b/DSA1000A%28DSP%29update0001160001.rar or older version https://www.dropbox.com/s/zyjhluwdk6k61mr/DSA1000A%28DSP%29update.rar

thx - looks like the same incremential update format than the DSA815 is using, so without an JTAG dump, no luck. some DSA1k users would need to do a jtag dump like it has been done for the DSA815.

[cosmos]

If we where to work on DS4k ... what would we do next?
We have the GEL files, are they enough or do we need JTAG dumps?

We have indications from GEL file (text strings for printing active options) that there are options for 200Mhz, 350Mhz, 500MHz, and "power analysis" that can be opened.

[cybernet]

If we where to work on DS4k ... what would we do next?
We have the GEL files, are they enough or do we need JTAG dumps?

We have indications from GEL file (text strings for printing active options) that there are options for 200Mhz, 350Mhz, 500MHz, and "power analysis" that can be opened.

can u indicate some of those strings ?
what u would need is a jtag adapter, see the DG thread for details and plenty of time.

[cosmos]

strings are here
https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg319892/#msg319892

[AndersAnd]

http://riglol.3owl.com is online again. Not sure why it was down.

DDOS attack (IP Nullrouted)

http://riglol.3owl.com is down again.

[cybernet]

this routine seems to build the model type ... DS40XY ....

[N2tl]

Device:  DS2072 (not the A version)
As delivered:
S/n: DS2A1537nnnnn
h/w: 1.0.2.0.0 (2.0)
S/w: 00.01.01.00.02
FPGA version:
 SPU 03.01.05
 WPU 00.06.05
 CCU 12.29.00
 MCU 00.05
model: DS2072
All options: trial versions.

Narrative:
The unit was supplied with current firmware and the 2.0 hardware board, but the model number is shown as a straight DS2072. So it is one of the few with the 2.0 hardware, but not the new private key.
After checking the above data, I acquired the license key using the web facility (http://riglolDOT3owlDOTcom/), and entered it as documented in the manual. The unit displayed that the license was accepted. Rebooted.
The list of options now has "Official Version" after each feature; the bandwidth is shown as 200 MHz, and the Model field says DS2202. The other "System Information" fields remained unchanged; the serial number remained correct.
Life is good.

[cybernet]

here is a little IDC script, that will try to convert anything that starts with "LINK" statement to a sub in IDA.
saves hours of stupid sub creation ...

Code: [Select]

///////////////////////////////////
// Blackfin LINK finder
// (c) cybernet, 2013
///////////////////////////////////

#include <idc.idc>
static main()
{
    auto addr,start,code;
   
    start=0x1;
    addr=FindBinary(start, SEARCH_DOWN, "00 E8");
    Message("checking for function header at %x\n", addr);
    while (addr > -1)
    {
    if (strlen(Name(addr))==0)  // not yet a known location ? (sub_)
      {
    if (MakeCode(addr))  // try to make code out of it
    {
      code=GetDisasm(addr);
      if (strstr(code, "LINK")>-1)   // mnemonic is a LINK ?
              { 
        MakeFunction(addr,-1);
        Message("created function at %x\n", addr);
              }
    }
    }
    addr=addr+4;
    addr=FindBinary(addr, SEARCH_DOWN, "00 E8");
    Message("checking for function header at %x\n", addr);
    }
}


[DL5TOR]

If we where to work on DS4k ... what would we do next?
We have the GEL files, are they enough or do we need JTAG dumps?

We have indications from GEL file (text strings for printing active options) that there are options for 200Mhz, 350Mhz, 500MHz, and "power analysis" that can be opened.

the DS4K keygen is also there if you read the thread then you will see (someware at page 30 +- 20). it is the same Pub-key as the 3k but the Option code is different but all dockumented somware in this thread)

[AndersAnd]

If we where to work on DS4k ... what would we do next?
We have the GEL files, are they enough or do we need JTAG dumps?

We have indications from GEL file (text strings for printing active options) that there are options for 200Mhz, 350Mhz, 500MHz, and "power analysis" that can be opened.

the DS4K keygen is also there if you read the thread then you will see (someware at page 30 +- 20). it is the same Pub-key as the 3k but the Option code is different but all dockumented somware in this thread)

Yes but you can't change the bandwidth and add "power analysis" with the keygen for DS4k, just like cosmos mentioned.

[Co6aka]

this routine seems to build the model type...

Sure does!  From the serial number? Or...where (originally) in NV memory? 

(Reminds me of the good 'ol days hacking Motorola radio programming software...   Wish I had time to invest right now.)