Sniffing the Rigol's internal I2C bus

[at2]

Hi zombie 28,tirulerbach and tiagobaracho,

thanks to you all for best help.
For best assistance zombie 28 and tirulerbach and excellent job done by tiagobaracho.

My 2072A  now works perfectly in DS2202A mode with all options.

Great!

at2

[johna]

My Model number is: DS2A143101119

You can try this serial: PDVPHYV-H5SQKVS-RDXABUK-AXYPZPA

Enjoy

[zombie28]

https://mega.co.nz/#!MdcEWTgL!0EEmSr-Q6TxaFSsyEmjhRrgqDvFCoXg9K49BalL5Uxc

No need for JTAG memory dumps anymore, just send *IDN? command and you'll get your license encryption keys in response (tested on my DS2072A that has just arrived).

Zombie28, may I kindly ask you to provide a md5 or sha sum of your patched firmware file?

Code: [Select]

File: DS2000Update.GEL
MD5:  8d28a810d45a9e8be3095cd312ec57ec
SHA1: 0ed14539d2b81455bb54927c4fc831fa31eccba5


[Spikee]

My Model number is: DS2A143101119

You can try this serial: PDVPHYV-H5SQKVS-RDXABUK-AXYPZPA

Enjoy

Thanks!
I have full option Rigol Ds2072 now =)

[hari]

Code: [Select]

File: DS2000Update.GEL
MD5:  8d28a810d45a9e8be3095cd312ec57ec
SHA1: 0ed14539d2b81455bb54927c4fc831fa31eccba5


Thank you very much!

[excapealex]

The new method can also work with the DS2072A-S (with 2 channel function generator  )? Has anyone tested on it? 

That you know.. there are codes that add functions to the signal generation? (I did a stupid question?  )

Thanks as always and lots of compliments!

[johna]

Guys, can someone tell me where to find stock firmware. Is it uploaded somewhere? I want to feel a bit safe before I flash to the modified version. I know about request page on rigol, but my scope already has latest version. I can't request firmware upgrade without a reason. My firmware version is 00.02.01.00.03 (DS2072A)

[zombie28]

Guys, can someone tell me where to find stock firmware. Is it uploaded somewhere? I want to feel a bit safe before I flash to the modified version. I know about request page on rigol, but my scope already has latest version. I can't request firmware upgrade without a reason. My firmware version is 00.02.01.00.03 (DS2072A)

https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg342994/#msg342994

[johna]

Thanks!

I searched a lot, but I guess there were no words like "stock, original, unmodified"

And if someone points out the post where someone explains how to uninstall features I would be greatful. I see a lot of people mentioning some commands but I don't know how you specify what option to uninstall. I guess the commands are sent to via ultra sigma software.

edit: because it's easy to mix the firmwares here is the sha1 of the original/stock for DS2072A (if I downloaded the correct one) ddf1d511823eaf31f1d05af2ba845543d97c6d3a  DS2000Update.GEL

[corax]

One thing I've noticed on a DS2072A with all features unlocked (using the recent rigup license generator on zombie's 00.02.01.00.03 keydump firmware):
Although the CAN decoder becomes available, it appears not to work correctly.

Watching known good CAN traffic, the decoder attempts to decode, but gets things wrong (the ID, the data length, etc).
Looking a bit closer, it appears to be neglecting to account for CAN stuff bits.

I notice that Rigol doesn't offer the CAN decoder option for purchase for this scope series (as far as I can tell).  This might be why- it's broken.

Has anyone else actually tried out the CAN decoder?

[johna]

I haven't tried CAN, but even RS232/SPI doesn't work as expected. Sometimes it doesn't read correct values even though signal on screen is visible and there are multiple points per bit. Also mine doesn't work on recorded data. Can someone confirm that?

And .... BIG THANKS to everyone involved in the keygen. Another success here- my poor DS2072A is now fully upgraded DS2202A. I Installed the 200 MHz option - I was too afraid to install the 300Mz one before I learn how to uninstall options.

Thanks again.

[mrflibble]

I haven't tried CAN, but even RS232/SPI doesn't work as expected. Sometimes it doesn't read correct values even though signal on screen is visible and there are multiple points per bit. Also mine doesn't work on recorded data. Can someone confirm that?

How often does this failure to decode occur? Do you have a screenshot of an example waveform where it doesn't work? And also one where you are using the same settings but it does happen to decode it correctly.

If it really fails to decode that would be bad. So far all the complaint I've read about decoding boiled down to user error. Not that I'm implying (okay yes I am but not the point ) that this is user error, but if Rigol really stuffed up rs232 decoding that would be a bit sad.

[Spikee]

....
. Can someone confirm that?

How often does this failure to decode occur? Do you have a screenshot of an example waveform where it doesn't work? And also one where you are using the same settings but it does happen to decode it correctly.

If it really fails to decode that would be bad. So far all the complaint I've read about decoding boiled down to user error. Not that I'm implying (okay yes I am but not the point ) that this is user error, but if Rigol really stuffed up rs232 decoding that would be a bit sad.

I used it a couple of hours ago (1Mbps SPI) and i can confirm that it won't work sometimes when the traces are clearly visible.
After some fiddling it works again but still there is some kind of bug there.

The decoding was setup correctly.

I use the Rigol Ds2072 using zombie's 00.02.01.00.03 firmware

[stuartk]

Slightly off topic;

I noticed that Ultra Sigma stopped being able to print my DS2102's screen a few weeks ago when my model number got corrupted to 2022.

I was eventually able to get the model to stick with 2202 after System:option:uninstall, instead of reverting back to 2022. It's now is at 2302 after the generously supplied keys.

I realize that most of you are using RUU for screen captures, but this error led me to find the following behavior in Ultra Sigma:

DS2022 -- Unable to print screen
DS2202 -- Able to print screen
DS2302 -- Unable to print screen

I believe that it didn't work as DS2302 is not an actual valid model number.

I was able to get it to work by editing the Ultra Sigma Init file in the following manner:

1. Open the Ultra Sigma Folder
2. Make a backup copy of the Init file
3. Open the Init file with word pad
4. Edit the following line to add DS2302 under 'series and model', (or any other model that you have I would expect)

DS2000 = "DS2072,DS2102,DS2202,DS2202-S,DS2102-S,DS2072-S,DS2302"

5. add under [PrintScreenSCPI]

DS2302 = ":DISPlay:DATA?"

You should now be able to print from Ultra Sigma, if before you got a communication error

6. I also added a 'DS2302.rscpi' file in the 'Instrument_Common_RIGOL_SCPI ControlPanel' folder by duplicating a DS2202 file and renaming it. This step seemed to have no effect one way or another.

Cheers to all,

Stuart

[tiagobaracho]

Thanks zombie28 for the IDA plugin

I comfirm, 0x1C0C7 is the good option for permanent 300Mhz + all options (screenshot) Timebase : 1ns


Congratulations for all the team members as done that possible

HI...
In which model you were able to install the 300mhz?

How did you do to get the NS8H ? when i try rigup license keys.txt 0x1C0C7, windows asks to close..

[awh4992]

Thanks zombie28 for the IDA plugin

I comfirm, 0x1C0C7 is the good option for permanent 300Mhz + all options (screenshot) Timebase : 1ns


Congratulations for all the team members as done that possible

HI...
In which model you were able to install the 300mhz?

How did you do to get the NS8H ? when i try rigup license keys.txt 0x1C0C7, windows asks to close..

rigup spits out a keyfile (saves it to a text file) if you have a memory dump of your scope using the following command: 

Code: [Select]

rigup scan keyfile.txt ds2k_00_sdram.binOnce you have the keyfile, do: 

Code: [Select]

rigup license keyfile.txt 0x1C0C7and that spits out the license key.

I'm pretty sure the stuff spit out by zombie28's firmware via ultra sigma has that keyfile information there too, but ordered differently and whatnot.  I didn't bother to figure it out since I have a dump of my scope.

- Andy

[idpromnut]

Confirmed that the NS8H "works" on my scope.  I see the options and timebase, but I am not a believer until I can test it

[tiagobaracho]

do you know if the hardware is able to do 300mhz ? is it only software limited ?

[tiagobaracho]

I just installed the 300mhz... But it now shows two lines...
BANDWIDTH 200M BadnWidth Official Version
                    300M BadnWidth Official Version

Is that all right ? Or do I need to uninstall first  to put the NS8H serial ?

[Mark_O]

...but even RS232/SPI doesn't work as expected. Sometimes it doesn't read correct values even though signal on screen is visible and there are multiple points per bit.

If it really fails to decode that would be bad. So far all the complaint I've read about decoding boiled down to user error. Not that I'm implying (okay yes I am but not the point ) that this is user error, but if Rigol really stuffed up rs232 decoding that would be a bit sad.

As far as RS232 is concerned, initially there was one specific baud rate that failed.  That's been fixed.  Also, a few bytes when decoded to ASCII didn't map to the proper characters.  That was also fixed.  So as far as RS232 is concerned, that's been reported to be working properly for quite some time now.

Of course, that was on unhacked units.  Also, "doesn't work as expected" doesn't necessarily mean the Rigol isn't working properly, though that's often the inference drawn.

[johna]

Of course, that was on unhacked units.  Also, "doesn't work as expected" doesn't necessarily mean the Rigol isn't working properly, though that's often the inference drawn.

My test was on unhacked unit. And you are right - "doesn't work as expected" is not a bug, but if you do not have decode on recorded data the decoding option is not worth the money. And I was about to buy the decoding option before I try to hack it ... because well if they did a great job, they deserve the money. But I tried the trial option and I was not quite happy with it. Decoding seams to be there for the marketing - just an answer to Agilent's decoding option.

[Fagear]

Thank you very much, zombie28 and tirulerbach!
It took some time for me to figure out the right sequence.
So I've managed to write it down.

Code: [Select]

Device: DS2xxxA. No need to open it and buy any other stuff.

1) Flash DS2xxxA with patched FW (license key dumping, from zombie28: https://mega.co.nz/#!FFk10SCY!UuWPXyqZwmca00pa2clOth1ryh1Z-AAgJg2yibfoUw0).
2) Connect DS2xxxA to a PC.
3) In "Rigol Ultra Sigma" open "SCPI Control Panel" and "Send&Read" string "*IDN?"
4) Copy answer to text file.
5) Copy string from comma after serial # of your DS2xxxA to the end ("02008400...").
6) Open HEX editor and paste string as HEX (not ASCII).
7) Copy serial # of your DS2xxxA.
8) Append serial # as ASCII to the data in HEX editor.
9) Append "00" as HEX.
10) Save file as "keyfile.bin" to folder with "rigup" (from tirulerbach: https://mega.co.nz/#!qAkUkTZB!XG12bUKhIz4CmQt6DbBnGRMvEe5AvUjEaBxi4R03tw8).
11) Open command line and navigate to folder with "rigup".
12) Execute "rigup scan keyfile.bin" and get some keys:

RC5KEY1:        88359067012Exxxxxxxxxxxxxxxxxxx
RC5KEY2:        3D44CD4EC48Fxxxxxxxxxxxxxxxxxxx
XXTEAKEY:       95F6CC12864Axxxxxxxxxxxxxxxxxxx
PUBKEY:         006CE7F7xxxxxxxx
PRIVKEY:        008ABBC4xxxxxxxx
SERIAL:         DS2D154xxxxxx

13) Copy them to another text file "keyfile.txt" in "rigup" folder.
14) Execute "rigup license keyfile.txt NSxx", where:

NSEH (0x1C087) - All options
NSER (0x1C08F) - 100 MHz + all options
NSEQ (0x1C097) - 200 MHz + all options
NS8H (0x1C0C7) - 300 MHz + all options

15) Copy license key.
16) In "Rigol Ultra Sigma" "Send&Read" ":SYSTem:OPTion:INSTall YOUR-LICENSE-KEY-WITHOUT-DASHES".
Everything worked fine and now my DS2072A became DS2302A with all options!

After that I reflashed to last original FW (non-modified 00.02.01.00.03) and all options stayed in place.

[EV]

If you are using AUTO trigger change it to NORMAL and try again.

My test was on unhacked unit. And you are right - "doesn't work as expected" is not a bug, but if you do not have decode on recorded data the decoding option is not worth the money. And I was about to buy the decoding option before I try to hack it ... because well if they did a great job, they deserve the money. But I tried the trial option and I was not quite happy with it. Decoding seams to be there for the marketing - just an answer to Agilent's decoding option.

[excapealex]

The new method can also work with the DS2072A-S (with 2 channel function generator)? Has anyone tested on it?

That you know.. updating a DS2000A-S with the patched FW there is a risk of losing access to the signal generator?

Having not yet made the purchase..  Do you know how the function generator is managed?
As example: When pressing the source button it switches to a separate management (as a second instrument) or is a more integrated management?

[Spikee]

If you are using AUTO trigger change it to NORMAL and try again.

...
 But I tried the trial option and I was not quite happy with it. Decoding seams to be there for the marketing - just an answer to Agilent's decoding option.

The normal trigger and spi decoding works quite good , the auto trigger just loses its mind.