Sniffing the Rigol's internal I2C bus

[icaro600]

Thanks Alex, your are right I meant 5ns
Thanks for your explanation, I will do it

Regards

[probez]

I just received my DP832. But they shipped it with the new firmware 00.01.09.00.01 there doesn’t support downgrade. So the key generator doesn’t work. I have a DS2072A-s there is total unlocked at 300 MHz. The DP832 may have another protection but if not, it could be nice to have a custom based firmware to reveal a possible internal unique private key like the DS2000A scopes (https://docs.google.com/file/d/0B8yFRtbwGWr5QVBGS2NoMlo2WVU/edit). I guess the interest in the DS2000A series is more intensive than the DP800 series. But I have search around in the forum and found that I am absolutely not the only one there isn’t able to use the lovely keygens.
P.S. I would possible not need the features, but it would be fantastic to have all the features. I have of cause tried to firmware downgrade anyway but I can confirm it doesn’t work.

Software information
Digital Version: 00.01.09.00.01
Analog version: 01.02.00.01.02.00
Boot version: 01.06
Keyboard version: 01.01
Calibrated the 24th of Feb. at the factory

[true]

GOOD NEWS ON THE SERIAL RESET PROCEDURE

I figured out the trick as to why it wasn't resetting. I could swear I covered this before.

The issue people are having is that they can't reset the SN even after following all the steps. The key (to which I didn't get an answer before but verified) is that there MUST be a valid key installed. Basically it won't work if there are no keys to uninstall. I made an xx0001 key for DSAZ, installed it, rebooted and then it worked

Follow these modified snmodfix instructions...

Code: [Select]

1.  Requires 00.01.01.00.02 firmware (7777543 bytes, 0xa167ef30 crc32) named
       DS2000Update.gel in same directory as executable
2.  Execute snmodfix and specify serial and model to patch firmware
3.  Flash patched ds2000update.gel using power on help button method
4.  Restart scope
  4.1 After restarted, make sure a trace is showing
5.  Enable advanced system information menu (press Trigger Menu, Menu 7,
       Menu 6, Menu 7, Utility very quickly) to enable it
6.  Show system information - serial should be fixed but NOT saved to flash
      yet - some text labels will be missing (?)
7.  Connect using scpi and issue :SYSTem:OPTion:UNINSTall command which will
      uninstall all keys and save to flash
  7.1 If the info screen disappeared and the traces flashed, success! Move to step 8
  7.2 You don't have a key installed. Install a key for DS2A0000000001 with :SYSTem:OPTion:INSTall <key> - make sure the key has no dashes
  7.3 The screen should flash and the info screen should disappear along with the License installed message.
        If this happened proceed to step 4, otherwise you have no hope
8.  Once settled and the info screen disappeared restart scope
9.  Show system information (not advanced) should now show the correct serial
      and model
10. Update to latest stock unpatched firmware version
11. Storage -> Default
12. Reinstall any key(s)

If this fails, something else I did was install the latest 3.00.xx.xx firmware - to replicate what I did, install it, at first powerup clear FRAM by holding left F6 (sixth softkey from the top on the left side) before turning on, then follow the instructions above.

[metalphreak]

DS1000ZUpdate-v00.02.03.SP5.part1.rar - https://mega.co.nz/#!6RtykAiR!abG81x_vl89xTWZ9noAsmfcTVsWcInlZDdsDwkuOQEo
DS1000ZUpdate-v00.02.03.SP5.part2.rar - https://mega.co.nz/#!bVd32RhS!TqGQmeB6_oQQwMj5OZ9FFVr6ZEy5aVY2vpD0Ip7LWz8

Found on a chinese forum (with a link back to this thread) - clearly they were smart to host it locally

Haven't tested it yet.


Rigol's website contact form is useless. I've asked twice now for firmware updates with no response.

[Circlotron]

But then, finding a 1GHz bandwidth function generator is a tall order, so the REAL way to do it is to measure the rise time on a sharp-edged signal -snip- Anyway, once you know the rise time of an edge with assumed infinite bandwidth, rule of thumb is scope bandwidth = .35/(rise time). So if the rise time off my function generator square wave, is, for example, 56ns, .35/(56ns) = 6.25MHz.

I did it like this -> https://www.eevblog.com/forum/testgear/risetime-of-hacked-ds2072/msg321568/#msg321568
By that formula I got 243MHz.

[GlassFET]

The relationship BW = 0.35/(10-to-90% rise time) only applies to a first-order system (having a single-pole filter, which makes a 6-dB-per-octave roll-off with zero overshoot). The anti-aliasing filters and intrinsic roll-offs of input components in these scopes are likely greater than first-order, rendering this formula inaccurate. The best way to measure BW is to measure it as I described in an earlier post, by using an RF signal generator into 50 ohms. Granted, not everyone has access to these instruments, and I applaud the ingenious idea of discharging a cap. But the 11.44% overshoot demonstrates that the rule of thumb is not accurate for this case. See the response curves for the TI LMH6518 variable gain amplifier, alleged to be used in the DS2000A. The higher bandwidths choices have steeper and more complex roll-offs. Ironically, the rise time formula probably is most accurate when the BW is limited to 20MHz.

[AndersAnd]

The relationship BW = 0.35/(10-to-90% rise time) only applies to a first-order system (having a single-pole filter, which makes a 6-dB-per-octave roll-off with zero overshoot). The anti-aliasing filters and intrinsic roll-offs of input components in these scopes are likely greater than first-order, rendering this formula inaccurate. The best way to measure BW is to measure it as I described in an earlier post, by using an RF signal generator into 50 ohms. Granted, not everyone has access to these instruments, and I applaud the ingenious idea of discharging a cap. But the 11.44% overshoot demonstrates that the rule of thumb is not accurate for this case. See the response curves for the TI LMH6518 variable gain amplifier, alleged to be used in the DS2000A. The higher bandwidths choices have steeper and more complex roll-offs. Ironically, the rise time formula probably is most accurate when the BW is limited to 20MHz.

HP/Agilent/Keysight has this application note about the relation between BW and rise-time:

http://cp.literature.agilent.com/litweb/pdf/5988-8008EN.pdf
Understanding Oscilloscope Frequency Response and Its Effect on Rise-Time Accuracy
Application Note 1420

Introduction

When you combine many circuit elements with similar frequency responses, you get a Gaussian response. Traditional analog oscilloscopes chain many analog amplifiers from the input to the cathode ray tube (CRT) display, and therefore exhibit a Gaussian response. The properties of a Gaussian-response oscilloscope are fairly well understood in the industry.

Less familiar, though, is the flat-response that is now more commonly exhibited by modern, high-bandwidth digital oscilloscopes. A digital oscilloscope has a shorter chain of analog amplifiers, and it can use digital signal processing techniques to optimize the response for accuracy. More importantly, a digital oscilloscope can be subject to sampling alias errors, which is not an issue with analog scopes. Compared to a Gaussian response, a flat response reduces sample alias errors, an important requirement in the design and operation of a digital oscilloscope.

This application note reviews the properties of both Gaussian- and flat-response oscilloscopes, then discusses rise-time accuracy for each response type. It shows that a flat-response oscilloscope gives more accurate rise-time measurements than a Gaussian-response oscilloscope of equal bandwidth, and how you can estimate the oscilloscope bandwidth you need.

This discussion refers to using a 1 GHz oscilloscope, but this analysis is scalable to other bandwidths with the same validity.

Properties of a Gaussian-Response Oscilloscope

Figure 1 depicts a typical Gaussian frequency response for a 1 GHz oscilloscope. A Gaussian-response offers good pulse response without overshoot, regardless of how fast the input signal is. Figure 2 shows the pulse response of a 1 GHz Gaussian-response oscilloscope to a fast step input.

In a Gaussian-response oscilloscope, the oscilloscope's rise time is related to the oscilloscope's bandwidth using
the familiar formula:

Rise time = 0.35/bandwidth

Another common property of Gaussian systems is that the overall system bandwidth of the oscilloscope and its probe is the inverse root mean square (RMS) value of their individual bandwidths. The system bandwidth can be calculated using the familiar relationship:

System bandwidth = 1/(1/BW_probe² + 1/BW_oscilloscope²)^0.5

Often oscilloscope probes are designed to have sufficiently higher bandwidth than the oscilloscope bandwidth, so you do not need the above formula for derating the system bandwidth. Inversely, the measured rise time is commonly related to the system rise time and signal rise time using the formula:

Measured rise time = (RT_signal² + RT_system²)^0.5

Sometimes this relationship is used to estimate the actual signal rise time when the oscilloscope's system rise time is not sufficiently faster than the signal's rise time to make an accurate measurement.

Properties of a Flat-Response Oscilloscope

Figure 1 compares a flat response to a Gaussian response. Note that the frequency response is much flatter below the –3 dB bandwidth, but then drops off very rapidly above the –3 dB bandwidth. This response shape is sometimes referred to as a maximally flat or brick wall response.

There are a couple of advantages to a flat-response. First, the frequency content of the signal below the –3 dB bandwidth is less attenuated, and thus measured more accurately. Secondly, the steeper roll helps reduce sampling alias errors in digital oscilloscopes (more on this later).

In the time domain, a flat response results in a pulse response with overshoot and ringing when the oscilloscope input is driven with a fast step input, as depicted in Figure 2. Such overshoot and ringing is often perceived as an undesirable effect in an oscilloscope. However, this ringing only occurs if the signal rise time is significantly faster than the oscilloscope can measure accurately, in which case you should use a higher-bandwidth oscilloscope.

Unlike Gaussian systems, the system bandwidth of a flat-response oscilloscope is not determined by the inverse RMS value of the sub-system parts. The commonly used bandwidth and rise-time formulas for Gaussian-response oscilloscope systems do not apply to flat-response oscilloscope systems! Instead, you should rely on the oscilloscope vendor to specify the system bandwidth of an oscilloscope/probe combination.

In the case of a flat-response oscilloscope, the rise time is related to the bandwidth, as described in the formula:

Rise time = N/bandwidth
(where N = 0.4 to 0.5)

The larger N is, the steeper the frequency response is, or the more it approaches the "brick wall" configuration shown in Figure 1. The above relationship will sometimes be included in an oscilloscope's specifications, which can give you an indication of what type of response the oscilloscope has...

[GlassFET]

...The commonly used bandwidth and rise-time formulas for Gaussian-response oscilloscope systems do not apply to flat-response oscilloscope systems! Instead, you should rely on the oscilloscope vendor to specify the system bandwidth of an oscilloscope/probe combination.

In the case of a flat-response oscilloscope, the rise time is related to the bandwidth, as described in the formula:

Rise time = N/bandwidth
(where N = 0.4 to 0.5)

The larger N is, the steeper the frequency response is, or the more it approaches the "brick wall" configuration shown in Figure 1. The above relationship will sometimes be included in an oscilloscope's specifications, which can give you an indication of what type of response the oscilloscope has...

Thanks AndersAnd for the further discussion on this topic. For these scopes, I think that a value of 0.4 to 0.5 should be a better approximation for the coefficient relating BW to rise time than the 0.35 value. Using the higher values with Circlotron's rise time pushes the estimated BW to over 300 MHz, as expected.

[Boris]

Just applied it to my scope, works perfectly!! thank you very much!

[Malama]

Oscilloscope Rigol Basic Model : DS2102 (non A version)
SW : 00.02.01.00.03
HW : 1.0.1.0.0

Hi All,

I install all options including 56M Memory and upgrade successively to 200, 300MHz.
I introduced Keys generated by Riglol1.03c. All have been accepted by the scope.

The scope is became DS2302 and operates fine (1 nS time base).

But, how to remove from the scope, one or all options, including Memory or frequency upgrade  ?

I try to use Rigol UltraSigma Sw, but UlraSigma does not recognize the scope, probably due to that DS2302 (non A version)
does not exist.

Is there a specific Key for options removal ?

Do you have an idea ?

Thank you,
JC

[neslekkim]

Is there a specific Key for options removal ?

Last paragraph in first post here:
https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/3105/

[Malama]

I did not used any cable and windows SW to send the Keys to the scope.

Just written Keys directly in the scope generated from Riglol keygen with corresponding Code DSxx.

I search THE code DSxx to generate (via Riglol Keygen) a specific Key to be written in the scope which could be clear partly or all of the options.

Thanks,JC

[Malama]

Hi,

Yes of course, I tried to use Ultra Sigma and USB cable connect at the rear of scope.

The scope is recognize by W7, not by Ultra Sigma, this is the problem.
Nothing in Rigol online devices, perhaps due to that DS2302 does not exist (vs DS2302A that exist) , I don't known ?

Impossible to issue SCPI command.

[Malama]

Hi All,

Problem solved !
Just a value to be setup at scope level : in Utility / IO setting / USB Device => Computer instead of Pictbridge.

Ultra Sigma recognizes the scope as DS2302 and then Options removed without problem using corresponding SCPI command.

Thank you all ! 

[Zone1]

5. When you are done enter the Option Code manually in the DS1000z using a single string without using any 'dash' (-) using Rigol's Procedure for activating the Trial Options in the D1000z.  As I recall the procedure is available on Rigol's Web Site under DS1000z.

I had some difficulty finding the procedures on Rigol's web site for a  DS1074Z can someone help? I could not find that specific model.

[true]

5. When you are done enter the Option Code manually in the DS1000z using a single string without using any 'dash' (-) using Rigol's Procedure for activating the Trial Options in the D1000z.  As I recall the procedure is available on Rigol's Web Site under DS1000z.

I had some difficulty finding the procedures on Rigol's web site for a  DS1074Z can someone help? I could not find that specific model.

It's also been documented a lot in this thread. Two ways:

1. On-screen input, it's pretty self-explanitory.

2. SCPI with :SYStem:OPTion:INSTall <key-without-dashes>

[Zone1]

I had some difficulty finding the procedures on Rigol's web site for a  DS1074Z can someone help? I could not find that specific model.

It's also been documented a lot in this thread. Two ways:

1. On-screen input, it's pretty self-explanitory.

2. SCPI with :SYStem:OPTion:INSTall <key-without-dashes>
[/quote]

This is what I found for the On-screen process.   Is this everything?
There is much discussion about finding files, downgrading firmware, copying to usb, loading etc when it appears to be a  simple procedure of going to the riglol.3owl site getting a key and using the procedure below to enter 28 digits .  Am I missing something?

Now that you have your System information handy...
You'll need to know how to input the Unlock key, when the time comes.

Here is how you get to the menu to input the unlock key..

in your scope Press the "UTILITY" Button that is located at the top of the scope
Now.. Select the "OPTIONS" option by pressing the button to the right of the word "OPTIONS" (if you can't see "OPTIONS" find the very bottom blue arrow buttons and scroll down to get the option "OPTIONS")

at this stage you have the option to select "INSTALLED" (if you do, this will show you What options are Trial version and how much time is remaining on them.
this is the section that you want to come back to you , later, to confirm that the upgrade worked
FOR NOW
Select "SETUP"
NOW.. on this screen the top option will be called "EDITOR" if Editor is OFF (Switch it on, by Pressing the button to the right of EDITOR)

NOTE: if at any point the Menu Bar dissappears, You can make it re appear by Pressing the BLUE "MENU" Button at the top of all the other buttons on the right side of the screen

and just a quickie (if the menu thing gets annoying, you can set the time at which the menu will dissapear by  selecting..
"DISPLAY" Button at the top
"MENU DISPLAY"
Select the Amount of "S" (Seconds you wish) or "Infinite"

NOW, back to the point

Under Utility/Options/Setup

Use the "Intensity" Knob, that is located at the very top of the Scope, next to the Blue "MENU" button
turn it to select your character that you need to input
Push the knob in until you get a click, this will select your character

THIS IS THE AREA WHERE YOU INSERT YOUR UNLOCK KEY

[ted572]

I had some difficulty finding the procedures on Rigol's web site for a  DS1074Z can someone help? I could not find that specific model.

Zone1:   Please go to >  https://www.eevblog.com/forum/testgear/sniffing-the-rigol%27s-internal-i2c-bus/msg425534/#msg425534

If you are still having trouble this should help you.  It is for the DS1074Z and will give you (Sorry - Not 200 MHz - my Error, corrected 5/19/2014) "100 MHz BW", etc., and should get you going.  If not please let me know.   Cheers, Ted

[linux-works]

confirmed that the web-based unlock procedure works fine for the latest shipping (from tequipment.net) 1074z.

thanks to everyone's good work on this; its what pushed me into this specific model/brand purchase ;-)

[AndersAnd]

I had some difficulty finding the procedures on Rigol's web site for a  DS1074Z can someone help? I could not find that specific model.

Zone1:   Please go to >  https://www.eevblog.com/forum/testgear/sniffing-the-rigol%27s-internal-i2c-bus/msg425534/#msg425534

If you are still having trouble this should help you.  It is for the DS1074Z and will give you 200 MHz BW, etc., and should get you going.  If not please let me know.   Cheers, Ted

200 MHz? Doesn't DS1000Z only support 70 and 100 MHz options?

[AndersAnd]

5. When you are done enter the Option Code manually in the DS1000z using a single string without using any 'dash' (-) using Rigol's Procedure for activating the Trial Options in the D1000z.  As I recall the procedure is available on Rigol's Web Site under DS1000z.

I don't think it's available at Rigol's website.
But it's available at the North American distributor Rigol NA has documented the update procedure here:

Option license activation process for the DS1000Z, DS2000/A, DS4000, and DS6000 Oscilloscopes
Here are instructions for activating licenses for the DS1000Z, DS2000/A, DS4000, and DS6000 series of oscilloscopes.
http://beyondmeasure.rigoltech.com/acton/attachment/1579/f-01c0/1/-/-/-/-/file.pdf

I think you should update your guide to include the link for this document.

[Zone1]

I had some difficulty finding the procedures on Rigol's web site for a  DS1074Z can someone help? I could not find that specific model.

Zone1:   Please go to >  https://www.eevblog.com/forum/testgear/sniffing-the-rigol%27s-internal-i2c-bus/msg425534/#msg425534

If you are still having trouble this should help you.  It is for the DS1074Z and will give you 200 MHz BW, etc., and should get you going.  If not please let me know.   Cheers, Ted

Keyed in code for DSER key and all options are official!   It now says Model DS1104Z instead of DS1074Z.   Yes procedure was easy and straight forward  .  Thanks Again.  Haven't confirmed that I have 200MHz yet

[Orange]

Haven't confirmed that I have 200MHz yet

No, its not possible on a DS1104Z or DS1074Z model :-(

[linux-works]

sad to report, there is no new bandwidth in my 'upgrade'.  I did an informal test before the upgrade using a tektronix sg503 signal generator.  I started at 5mhz then went to 10, 25, 50, 100 and 250.   just a bit beyond the 50 point (low 60's) the signal started to attenuate and was no longer flat.  I'm not talking about 3db point, but the very first point where you can see the signal level drop as you increase freq.

the same basic point before the upgrade was there after the upgrade.  I did not see any increase in where that falloff point came.

the good news is that the signal was easily viewable at 100mhz and even up thru 250mhz (my siggen's max limit).  it was attenuated, sure, but very visible and clear (at least as a sine wave).

so, the decode features will unlock, but I'm not convinced any new speed exists with the unlock and its not really a different model number.

[AndersAnd]

but I'm not convinced any new speed exists with the unlock and its not really a different model number.

The model number changes from DS1074Z [70 MHz] to DS1104Z [100 MHz] with the upgrade.