Sniffing the Rigol's internal I2C bus

[Co6aka]

Firmwarez flashed in, and gave the scope some funky signals from my E4438C. Looks OK,  , but it's one-bloody-thirty in the AM...    Gotta climb into my coffin for a while.

[frenky]

To all of those who don't have a fast signal generator.
How about measuring some signals inside of PC, cellphone, mediaplayer...
Processor clocks go over gigahertz so there should be some really fast signals going around?

[Avotronics]

  Can I get some clarification please:

Is the upgrade valid for all models in the series?

For example; There is DS1074Z & DS1104Z, but also DS1074Z-S & DS1104Z-S.

Then we have DP832 but also the DP832A and DP831A.

The list goes on, there are 8 models in the DS400 series?

Thanks for help, I trying to make a single resource for all this info at rigol.avotronics.co.uk

[AndersAnd]

Can I get some clarification please:

Is the upgrade valid for all models in the series?

For example; There is DS1074Z & DS1104Z, but also DS1074Z-S & DS1104Z-S.

...

The list goes on, there are 8 models in the DS400 series?

For DS1000Z series I think it works for both DS1000Z and DS1000Z-S

The DS2000 hacks doesn't work for DS2000A.

For DS4000 series I think it works for all DS4000 and all MSO4000 models too.
cybernet wrote that his modified DS4000 series firmware works with both 2- and 4-channel models and DS4000 and MSO4000 models here:

any DS4k volunteers ?
this sets model type 0x4 = 500mhz
(whatever channel#, whatever MSO y/n it leaves that intact)

So it's really a MSO/DS4000 series hack. Rigol also lists MSO/DS4000 series under one at their site: http://int.rigol.com/prodserv/DS4000/
It's the same user's manual and everything.

Then we have DP832 but also the DP832A and DP831A.

There's also DP811A and DP821A models: http://int.rigol.com/prodserv/DP832/property/
But all the DP8xxA models already have the 4 options from the keygen factory enabled. That's why they keygen is for DP832 only.
So far DP832 is the only non-A model released, but if Rigol releases other non-A models these will probably come without the extra options enabled too.

[Avotronics]

Can I get some clarification please:

Is the upgrade valid for all models in the series?

For example; There is DS1074Z & DS1104Z, but also DS1074Z-S & DS1104Z-S.

...

The list goes on, there are 8 models in the DS400 series?

For DS1000Z series I think it works for both DS1000Z and DS1000Z-S

The DS2000 hacks doesn't work for DS2000A.

For DS4000 series I think it works for all DS4000 and all MSO4000 models too.
cybernet wrote that his modified DS4000 series firmware works with both 2- and 4-channel models and DS4000 and MSO4000 models here:

any DS4k volunteers ?
this sets model type 0x4 = 500mhz
(whatever channel#, whatever MSO y/n it leaves that intact)

So it's really a MSO/DS4000 series hack. Rigol also lists MSO/DS4000 series under one at their site: http://int.rigol.com/prodserv/DS4000/
It's the same user's manual and everything.

Then we have DP832 but also the DP832A and DP831A.

There's also DP811A and DP821A models: http://int.rigol.com/prodserv/DP832/property/
But all the DP8xxA models already have the 4 options from the keygen factory enabled. That's why they keygen is for DP832 only.
So far DP832 is the only non-A model released, but if Rigol releases other non-A models these will probably come without the extra options enabled too.

Great thanks.

Do we know about the DSA815-TG and compatability?

[DL5TOR]

Do we know about the DSA815-TG and compatability?

Compatible to what?
 Sorry i am missing somthing

but for info

There are only 2 typs of  DSA815:

The DSA815 9kHz - 1.5GHz no tracking gen
and
The DSA815-TG 9kHz - 1.5 GHz wiht tracking gen
Keygen works on both only it is not Confirmd or tested what is missing (harware) on the non-TG Version. If it is only the N-connector then all you need is the connector and a licens-key

73 de DL5TOR

[Avotronics]

Do we know about the DSA815-TG and compatability?

Compatible to what?
 Sorry i am missing somthing

I think they don't read the thread. They just ask until somebody answers. The search in this forum seems also be broken. 

I don't think you have read it, otherwise you'd know why I was asking 

[DL5TOR]

I don't think you have read it, otherwise you'd know why I was asking 

Ok I read your page of the DSA815.

Now the Infos that are related to the Hacks is as follow

the DSA815-TG is confirmd for the keygen by me as I have one with all opitons enabeld the non -TG model i can not confirm alltho this shuld be the same (see my last post).

there is no moded Firmware that i am Aware of

so I hope this info is all that you Need

73 de DL5TOR

[Avotronics]

I don't think you have read it, otherwise you'd know why I was asking 

Ok I read your page of the DSA815.

Now the Infos that are related to the Hacks is as follow

the DSA815-TG is confirmd for the keygen by me as I have one with all opitons enabeld the non -TG model i can not confirm alltho this shuld be the same (see my last post).

there is no moded Firmware that i am Aware of

so I hope this info is all that you Need

73 de DL5TOR

GREAT! Thank you. That is exactly what I wanted to know 

[hammy]

I think they don't read the thread. They just ask until somebody answers. The search in this forum seems also be broken. 

I don't think you have read it, otherwise you'd know why I was asking 

Yeah, ok. You make "the single resource" for the hacks, but you want a verification for the information you have on your website. I finally got it!

[Co6aka]

Yeah, ok. You make "the single resource" for the hacks, but you want a verification for the information you have on your website.

Measure thrice, cut once; to err is human...   (And to make it utterly FUBAR requires government intervention.)

I finally got it!

Whew!  Now we can get back to sniffing bus!  O0 (Werd.)

[Avotronics]

Yeah, ok. You make "the single resource" for the hacks, but you want a verification for the information you have on your website.

Measure thrice, cut once; to err is human...   (And to make it utterly FUBAR requires government intervention.)

I finally got it!

Whew!  Now we can get back to sniffing bus!  O0 (Werd.)

lol  Sniff what you like!

[Tasman]

Unfreezing DS2000.

The method in attached pdf has been proved to unfreeze a locked-up unresponsive scope.  Might be handy if an upgrade goes wrong.

[apelly]

Ordered a bus blaster tonight. Will be here in a week or so. Plan is to extract the 2072A firmware.

[clifford]

if i temper with the file, i temper with the website that displays the md5/sha/<otherhash> too -> e.g. useless

that's why it is important to post the md5/sha/etc. somewhere else (such as this forum).

for example if you have an ftp site with many mirrors, then a user would download the checksum from the primary site and the actual file from the nearest mirror.

[cybernet]

means u trust information in a public non peer reviewed forum when it comes to authenticity of a file ? - i hope u dont end up in a "bad forum" one day, could be surprising ..

[Carrington]

Ordered a bus blaster tonight. Will be here in a week or so. Plan is to extract the 2072A firmware.

If you use a BusBlaster (as JTAGkey) and TopJTAG also you'll need the datasheet for blackfin and NAND (to define the connection pin to pin blackfin-NAND). And another vital thing is the blackfin's bsdl file.

[Gunb]

@cybernet: many thanks for your efforts! Really an outstanding job you've done!

Do you think that 500MHz bandwidh limit is only an firmware issue or that hardware might also be different within the DS4000 series regarding the bandwidth?

Thx again.


Kind rgds
Gunb

[AndersAnd]

Ordered a bus blaster tonight. Will be here in a week or so. Plan is to extract the 2072A firmware.

If you use a BusBlaster (as JTAGkey) and TopJTAG also you'll need the datasheet for blackfin and NAND (to define the connection pin to pin blackfin-NAND). And another vital thing is the blackfin's bsdl file.

Isn't this cyberCAD® DS2k JTAG pinout schematic enough?

https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg241335/#msg241335

https://www.eevblog.com/forum/testgear/dg4000-a-firmware-investigation/

[cosmos]

@ Gunb  The DS4014 is already confirmed (by me, using cybernets excelent firmware mod) to have rise and fall times in the area of a DS4054 so I think it is a safe bet that it does have the same HW.

Looking at the specs of DS4000 vs DS6000 it is even tempting to think that they share HW platform, just a small 25% clock increase for frontend and a 1" larger display.

DS6k vs DS4k
5Gs/s vs 4Gs/s
600 and 1000MHz vs up to 500MHz
Same sample memory size (140M)
180k records/s vs 110k (could be partly from 25% clock increase to support 5Gs/s).
The sensitivity specs are also very similar making me think they share frontend and ADC too.
There are references in the DS4k GEL file to DS6k related text strings.
The BW limiting amplifier of the DS4k should on paper be able to reach 1GHz.

Would have been very nice with a DS6k teardown from some brave soul.

[Gunb]

@ Gunb  The DS4014 is already confirmed (by me, using cybernets excelent firmware mod) to have rise and fall times in the area of a DS4054 so I think it is a safe bet that it does have the same HW.

...

OK, thank you!


Kind rgds
Gunb

[Carrington]

Isn't this cyberCAD® DS2k JTAG pinout schematic enough?
https://www.eevblog.com/forum/testgear/dg4000-a-firmware-investigation/

No with TOPJTAG.



Maybe someone can post how is this pin-to-pin connection, because there are alternative pin for nand in blackfin.

It, is also necessary (so read the datasheet is mandatory):



Fortunately the DS2000's NAND is CFI compliant.

[clifford]

means u trust information in a public non peer reviewed forum when it comes to authenticity of a file ? - i hope u dont end up in a "bad forum" one day, could be surprising ..

Well... If your files are malicious in the first place then we are all screwed anyways.

So I guess the question is if I have trust in the security of this forum, and the answer is of course no (the session cookies are all transferred over http, not https, to start with). But I guess this is as good as it gets..

If you'd post checksums here it would be as secure or insecure as if you'd posted the file itself here. Which is, I expect, all I can ask for.

Besides the security concerns, checksums would also provide an easy unique way of referring to a version of a file.

That all being said: If it's all the same for you I'd prefer checksums, and cryptographic signatures, and ..., otherwise I would prefer if you'd spend your time on awesome hacks rather than creating a cryptographically secure distribution chain.

Thanks for all the amazing work! 

[Carrington]

@ clifford: Strongly agree.

[cybernet]

@cybernet: many thanks for your efforts! Really an outstanding job you've done!

Do you think that 500MHz bandwidh limit is only an firmware issue or that hardware might also be different within the DS4000 series regarding the bandwidth?

Thx again.
Kind rgds
Gunb

impossible to say for me because i dont even own a DS4k - but the hardware experts in that forum say its all the same.