Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1840701 times)


Offline motocoder

  • Supporter
  • ****
  • Posts: 769
  • Country: us
  • Electrical Engineer
Re: Sniffing the Rigol's internal I2C bus
« Reply #3400 on: July 09, 2014, 07:55:44 am »
Thank you, Teneyes. From the link you provided, it looks like FW#00.03.00.01.03 is the latest version. Is this version compatible with the keys generated by Riglol, or do I need to use an older version of the firmware for that?
For me, FW#00.03.00.01.03 installed and keeps the options that were installed before, and allows 'CAN'

Ok, so sounds like a safe method would be to uninstall the option keys, generate new keys using the correct option code, install those keys, upgrade the firmware, and do the post-update settings reset mentioned in the post you linked?
 

Offline motocoder

  • Supporter
  • ****
  • Posts: 769
  • Country: us
  • Electrical Engineer
Re: Sniffing the Rigol's internal I2C bus
« Reply #3401 on: July 09, 2014, 08:30:49 am »
Thank you, Teneyes. From the link you provided, it looks like FW#00.03.00.01.03 is the latest version. Is this version compatible with the keys generated by Riglol, or do I need to use an older version of the firmware for that?
For me, FW#00.03.00.01.03 installed and keeps the options that were installed before, and allows 'CAN'

Ok, so sounds like a safe method would be to uninstall the option keys, generate new keys using the correct option code, install those keys, upgrade the firmware, and do the post-update settings reset mentioned in the post you linked?

Disregard my last question - I did exactly what I said there, and it is running the latest firmware with the options enabled. Unfortunately, I noticed that it locked up already once (in the System/Info screen, it locked up and wouldn't exit this). I am now wondering if there is some actual hardware issue with my scope...

In any event, thank you for your help.
 

Offline ted572

  • Frequent Contributor
  • **
  • Posts: 399
  • Country: us
  • Radio Communications Equipment/System Design Engr.
Re: Sniffing the Rigol's internal I2C bus
« Reply #3402 on: July 09, 2014, 10:58:49 am »
Re. Post #3442 by 'motocoder':

Disregard my last question - I did exactly what I said there, and it is running the latest firmware with the options enabled. Unfortunately, I noticed that it locked up already once (in the System/Info screen, it locked up and wouldn't exit this). I am now wondering if there is some actual hardware issue with my scope...

In any event, thank you for your help.
---------------------------------------------------------------------------------------------------------------------
Reply from 'Ted572' for 'motocoder'

My recommendation....

1. Your DS2000 settings should be set for Power = 'Default', NOT 'Last'.  This way when you have a lockup, etc. and you reboot (Power cycle Off/On) your issue will be cleared.  Otherwise you can end up in an endless loop of unsuccessful reboots.
2. Clear the DS2000's FRAM to be sure this isn't an issue.  To do this:  Press and hold down the left-hand side F6 key during a reboot.
3. Do Not use the 300MHz BW Option!  If you have it selected for a DS2000 non A (it is OK for the DS2000A) get rid of it.  Uninstall All Options with UltraSigma and then add them back in without 300MHz BW.  If you are not sure how to do this please feel free to ask me for a procedure.

      Regards, Ted572.

Edit: Changed from F7 (wrong) to F6 (correct) in item 2. above.
« Last Edit: July 10, 2014, 11:24:01 am by ted572 »
 

Offline motocoder

  • Supporter
  • ****
  • Posts: 769
  • Country: us
  • Electrical Engineer
Re: Sniffing the Rigol's internal I2C bus
« Reply #3403 on: July 10, 2014, 02:02:01 am »
Re. Post #3442 by 'motocoder':

Disregard my last question - I did exactly what I said there, and it is running the latest firmware with the options enabled. Unfortunately, I noticed that it locked up already once (in the System/Info screen, it locked up and wouldn't exit this). I am now wondering if there is some actual hardware issue with my scope...

In any event, thank you for your help.
---------------------------------------------------------------------------------------------------------------------
Reply from 'Ted572' for 'motocoder'

My recommendation....

1. Your DS2000 settings should be set for Power = 'Default', NOT 'Last'.  This way when you have a lockup, etc. and you reboot (Power cycle Off/On) your issue will be cleared.  Otherwise you can end up in an endless loop of unsuccessful reboots.
2. Clear the DS2000's FRAM to be sure this isn't an issue.  To do this:  Press and hold down the left-hand side F7 key during a reboot.
3. Do Not use the 300MHz BW Option!  If you have it selected for a DS2000 non A (it is OK for the DS2000A) get rid of it.  Uninstall All Options with UltraSigma and then add them back in without 300MHz BW.  If you are not sure how to do this please feel free to ask me for a procedure.

      Regards, Ted572.

Thanks, Ted. Did you mean to say clear FRAM by holding the F6 key during boot, or is it actually F7? The instructions that Teneyes linked to above say F6. I didn't notice any messages about clearing FRAM - does it do anything to indicate that's actually happened?

Regarding the 300MHz BW option, I do indeed have that enabled. I even forked over some money for the 300MHz probes, so it is very disappointing to learn that it causes issues...
 

Offline motocoder

  • Supporter
  • ****
  • Posts: 769
  • Country: us
  • Electrical Engineer
Re: Sniffing the Rigol's internal I2C bus
« Reply #3404 on: July 10, 2014, 02:09:27 am »
Re. Post #3442 by 'motocoder':

Disregard my last question - I did exactly what I said there, and it is running the latest firmware with the options enabled. Unfortunately, I noticed that it locked up already once (in the System/Info screen, it locked up and wouldn't exit this). I am now wondering if there is some actual hardware issue with my scope...

In any event, thank you for your help.
---------------------------------------------------------------------------------------------------------------------
Reply from 'Ted572' for 'motocoder'

My recommendation....

1. Your DS2000 settings should be set for Power = 'Default', NOT 'Last'.  This way when you have a lockup, etc. and you reboot (Power cycle Off/On) your issue will be cleared.  Otherwise you can end up in an endless loop of unsuccessful reboots.
2. Clear the DS2000's FRAM to be sure this isn't an issue.  To do this:  Press and hold down the left-hand side F7 key during a reboot.
3. Do Not use the 300MHz BW Option!  If you have it selected for a DS2000 non A (it is OK for the DS2000A) get rid of it.  Uninstall All Options with UltraSigma and then add them back in without 300MHz BW.  If you are not sure how to do this please feel free to ask me for a procedure.

      Regards, Ted572.

Also, what is the option code for all options except 300MHz? I used "DSHH" last time, which is all options AND 300 MHz.
 

Offline motocoder

  • Supporter
  • ****
  • Posts: 769
  • Country: us
  • Electrical Engineer
Re: Sniffing the Rigol's internal I2C bus
« Reply #3405 on: July 10, 2014, 02:12:31 am »
I uninstalled all options, and was re-entering a code. It locked up while entering the code! So seems my lock-ups are not related to the 300 MHz option...
 

Offline Sparky

  • Frequent Contributor
  • **
  • Posts: 450
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3406 on: July 10, 2014, 04:33:59 am »
Is the DP832 firmware 00.09.01 still un-hackable at this stage?

Sort of correct; the latest firmware is actually 00.01.09.00.01 (date 12/27/2013) and bootloader 01.06 (date 12/27/2013).

Yes, still un-hackable. (No further investigation that I'm aware of since the original hack.)
 

Offline josem

  • Regular Contributor
  • *
  • Posts: 63
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #3407 on: July 10, 2014, 06:36:37 am »
Is the DP832 firmware 00.09.01 still un-hackable at this stage?

Sort of correct; the latest firmware is actually 00.01.09.00.01 (date 12/27/2013) and bootloader 01.06 (date 12/27/2013).

Telonic in the UK are already listing 00.01.10 as the latest firmware for the DP832.

http://www.rigol-uk.co.uk/ProductDetails.asp?ProductCode=FIRMTEST#.U74xXq5QZ3s

Not sure if this is 100% accurate and what changes it would include...
 

Offline ted572

  • Frequent Contributor
  • **
  • Posts: 399
  • Country: us
  • Radio Communications Equipment/System Design Engr.
Re: Sniffing the Rigol's internal I2C bus
« Reply #3408 on: July 10, 2014, 11:30:34 am »
Re. Post #3442 by 'motocoder':

Thanks, Ted. Did you mean to say clear FRAM by holding the F6 key during boot, or is it actually F7? The instructions that Teneyes linked to above say F6. I didn't notice any messages about clearing FRAM - does it do anything to indicate that's actually happened?

Regarding the 300MHz BW option, I do indeed have that enabled. I even forked over some money for the 300MHz probes, so it is very disappointing to learn that it causes issues...

Yes, you are correct the Clear FRAM key is F6 (not F7).  I'm sorry for the error, and thank you for catching it.  I also edited my information above with the correct key reference.
 

Offline Rigby

  • Super Contributor
  • ***
  • Posts: 1476
  • Country: us
  • Learning, very new at this. Righteous Asshole, too
Re: Sniffing the Rigol's internal I2C bus
« Reply #3409 on: July 10, 2014, 01:15:26 pm »
Is the DP832 firmware 00.09.01 still un-hackable at this stage?

Sort of correct; the latest firmware is actually 00.01.09.00.01 (date 12/27/2013) and bootloader 01.06 (date 12/27/2013).

Telonic in the UK are already listing 00.01.10 as the latest firmware for the DP832.

http://www.rigol-uk.co.uk/ProductDetails.asp?ProductCode=FIRMTEST#.U74xXq5QZ3s

Not sure if this is 100% accurate and what changes it would include...

Until there is a very good reason to upgrade, I don't think upgrading would be a great idea.
 

Offline marmad

  • Super Contributor
  • ***
  • Posts: 2979
  • Country: aq
    • DaysAlive
Re: Sniffing the Rigol's internal I2C bus
« Reply #3410 on: July 10, 2014, 01:49:03 pm »
3. Do Not use the 300MHz BW Option!  If you have it selected for a DS2000 non A (it is OK for the DS2000A) get rid of it.  Uninstall All Options with UltraSigma and then add them back in without 300MHz BW.  If you are not sure how to do this please feel free to ask me for a procedure.

To clarify some things:

First of all - in respect to using the "300MHz" BW option - it makes NO difference if you have a DS2000 or DS/MSO2000A - other than you have the 50 ohm input impedance choice. Aside from that, as far as I've seen, Rigol did not make any major changes to the front-end.

Secondly, to all the people who believe they are magically getting a perfectly-capable "300MHz" DSO just because they put in some option codes: look at all the DSO models from highly-respected test-equipment manufacturers (Agilent, Hameg, Tektronix, etc) - do you see any 2GSa/s DSOs with a higher than 200MHz BW? No, you don't - because there are mathematical reasons why it doesn't really work well. Rigol (and the other Chinese companies) have not invented some new wonderful method for squeezing more BW out of less sample rate - they are, in fact, delivering DSOs that will have problems reproducing those kind of BW waveforms accurately at certain settings (i.e. both channels on) - period.

As long as you understand these problems, fine. But again: they are identical for both DS2000 and DS2000A - it doesn't matter which model you have.
« Last Edit: July 10, 2014, 02:35:08 pm by marmad »
 

Offline ted572

  • Frequent Contributor
  • **
  • Posts: 399
  • Country: us
  • Radio Communications Equipment/System Design Engr.
Re: Sniffing the Rigol's internal I2C bus
« Reply #3411 on: July 10, 2014, 02:54:17 pm »
Re. Post #3442 by 'motocoder':

Disregard my last question - I did exactly what I said there, and it is running the latest firmware with the options enabled. Unfortunately, I noticed that it locked up already once (in the System/Info screen, it locked up and wouldn't exit this). I am now wondering if there is some actual hardware issue with my scope...

In any event, thank you for your help.
---------------------------------------------------------------------------------------------------------------------
Reply from 'Ted572' for 'motocoder'

My recommendation....

1. Your DS2000 settings should be set for Power = 'Default', NOT 'Last'.  This way when you have a lockup, etc. and you reboot (Power cycle Off/On) your issue will be cleared.  Otherwise you can end up in an endless loop of unsuccessful reboots.
2. Clear the DS2000's FRAM to be sure this isn't an issue.  To do this:  Press and hold down the left-hand side F7 key during a reboot.
3. Do Not use the 300MHz BW Option!  If you have it selected for a DS2000 non A (it is OK for the DS2000A) get rid of it.  Uninstall All Options with UltraSigma and then add them back in without 300MHz BW.  If you are not sure how to do this please feel free to ask me for a procedure.

      Regards, Ted572.

Thanks, Ted. Did you mean to say clear FRAM by holding the F6 key during boot, or is it actually F7? The instructions that Teneyes linked to above say F6. I didn't notice any messages about clearing FRAM - does it do anything to indicate that's actually happened?

Regarding the 300MHz BW option, I do indeed have that enabled. I even forked over some money for the 300MHz probes, so it is very disappointing to learn that it causes issues...

Reply from Ted572:

Apparently 300MHz BW Option MAY NOT (?) be a problem for the DS2000 as was previously reported.  Anyway I'm going to reinstall the 300MHz BW Option in my unit, as I didn't have any issues with it before, other than the technical BW/2GHz Sampling limitations 'marmad' had previously brought to all of our attention.

DS2000, DS2000A Device BW Options:  DSAJ - 100MHz BW,  DSAS - 200MHz BW,  DSEZ - 200MHz BW and all Options,  DSCA - 300MHz BW.
 

Offline Teneyes

  • Frequent Contributor
  • **
  • Posts: 498
  • Country: ca
Re: Sniffing the Rigol's internal I2C bus
« Reply #3412 on: July 10, 2014, 03:29:29 pm »
So at this point, it's unknown if it's just a bug that exists in v.3 with certain settings - or is linked to 300MHz option being installed. But I have to say, before I ever used the 300MHz option, I rarely had the DS2000 crash - but it's happened many more times with it installed. But more info is definitely needed to pinpoint the source of the problem.
I agree with Marmad that the accuracy of 300MHz is questionable with only 1GSa/s,

I have installed the 300MHz option.  ( I do like 1nsec/div)
Unlike Marmad, I do not use my DSO very much (retired) and it is not required to be 100% available.
I am willing to use 300MHz in order to isolate the conditions that cause the DSO to HANG.

I have seen in FW 00.03.00.00.00 where the Math function 'lg(' would HANG the DSO, but that does not occur (Fixed) in FW 00.03.00.01.03. This does indicate that often Rigol has not tested new firmware changes thoroughly.

PS, my DSO is back to S/N= DS2A000000001 with DS2302, but easy to reset
« Last Edit: July 10, 2014, 07:47:13 pm by Teneyes »
IiIiIiIiIi  --  curiosity killed the cat but, satisfaction brought it back
 

Offline ted572

  • Frequent Contributor
  • **
  • Posts: 399
  • Country: us
  • Radio Communications Equipment/System Design Engr.
Re: Sniffing the Rigol's internal I2C bus
« Reply #3413 on: July 10, 2014, 07:39:20 pm »
Install - Uninstall Rigol's Options using UltraSigma
 

Offline motocoder

  • Supporter
  • ****
  • Posts: 769
  • Country: us
  • Electrical Engineer
Re: Sniffing the Rigol's internal I2C bus
« Reply #3414 on: July 11, 2014, 06:04:06 am »
Install - Uninstall Rigol's Options using UltraSigma

Thanks, Ted
 

Offline aurel

  • Contributor
  • Posts: 16
  • Country: fr
Re: Sniffing the Rigol's internal I2C bus
« Reply #3415 on: July 17, 2014, 06:52:47 pm »
Like many of you, I received a brand new DP832 power supply a few weeks ago, with firmware 1.09 installed. Which means no working keygen and no possibility to downgrade...

Well... Not anymore !

I've spent quite some time reverse engineering the new firmware, and I discovered that they didn't change the signing algorithm, and not even the private key. Overall, they only added some bit shuffling (i.e. obfuscation) on the final license string and they changed the options coding.

So I took the latest riglol version I found (from http://gotroot.ca/rigol/), and added support for generating licenses for this new DP832 firmware. It works exactly the same as before. You just need to specify a different options string depending on your DP832 firmware version. Executing riglol without parameters will list the valid options depending on firmware version.

I also found other valid option strings but they do not seem to have any effect. And as it seems there is no way to uninstall options on the DP832 (am I wrong ?), I can't check if those unknown options actually activate the same features as some other options. Anyway, here is the list of unknown options, if somebody wants to play with them: FPLT, FTLT, F2PT, F4PT.

I compiled this new riglol version for linux, osx and windows, as well as the web version. It would be nice if the persons handling http://gotroot.ca/rigol/riglol/ and http://riglol.3owl.com/ could update their online version.

Enough talk ? You want some action ? Here you go: riglol-20140717.zip
SHA1 of this file: 662b9f460eb618856567587e39827104f22049ca

And last but not least, huge thanks to everybody involved in this riglol hack, and especially to cybernet and zombie28 !
 

Offline mcinque

  • Supporter
  • ****
  • Posts: 1129
  • Country: it
  • I know that I know nothing
Re: Sniffing the Rigol's internal I2C bus
« Reply #3416 on: July 17, 2014, 07:56:04 pm »
I've spent quite some time reverse engineering the new firmware, and I discovered that they didn't change the signing algorithm, and not even the private key.

Nice work!

But by revealing details you're just suggesting to them how to improve the next version ;)
 

Offline sotos

  • Frequent Contributor
  • **
  • Posts: 257
  • Country: gr
Re: Sniffing the Rigol's internal I2C bus
« Reply #3417 on: July 17, 2014, 10:06:46 pm »
I've spent quite some time reverse engineering the new firmware, and I discovered that they didn't change the signing algorithm, and not even the private key.

Nice work!

But by revealing details you're just suggesting to them how to improve the next version ;)

Maybe he's working for them. ;)
 

Offline hematose

  • Newbie
  • Posts: 8
Re: Sniffing the Rigol's internal I2C bus
« Reply #3418 on: July 18, 2014, 01:56:05 pm »
Does anyone here know if the same upgrade codes are used for DS1000Z and MSO1000Z units? Would Riglol work for MSO1000Z?
 

studio25

  • Guest
Re: Sniffing the Rigol's internal I2C bus
« Reply #3419 on: July 18, 2014, 05:22:11 pm »
It would be nice if the persons handling http://gotroot.ca/rigol/riglol/ and http://riglol.3owl.com/ could update their online version.

I have updated http://riglol.3owl.com/. Thank you for your work.
« Last Edit: July 18, 2014, 05:23:47 pm by studio25 »
 

Offline probez

  • Newbie
  • Posts: 4
Re: Sniffing the Rigol's internal I2C bus
« Reply #3420 on: July 18, 2014, 10:37:11 pm »
Thanks a lot Aurel, it rocks :-+

Like many of you, I received a brand new DP832 power supply a few weeks ago, with firmware 1.09 installed. Which means no working keygen and no possibility to downgrade...

Well... Not anymore !

 

Offline anson80

  • Contributor
  • Posts: 10
Re: Sniffing the Rigol's internal I2C bus
« Reply #3421 on: July 21, 2014, 09:49:54 am »
Like many of you, I received a brand new DP832 power supply a few weeks ago, with firmware 1.09 installed. Which means no working keygen and no possibility to downgrade...

Well... Not anymore !

I've spent quite some time reverse engineering the new firmware, and I discovered that they didn't change the signing algorithm, and not even the private key. Overall, they only added some bit shuffling (i.e. obfuscation) on the final license string and they changed the options coding.

So I took the latest riglol version I found (from http://gotroot.ca/rigol/), and added support for generating licenses for this new DP832 firmware. It works exactly the same as before. You just need to specify a different options string depending on your DP832 firmware version. Executing riglol without parameters will list the valid options depending on firmware version.

I also found other valid option strings but they do not seem to have any effect. And as it seems there is no way to uninstall options on the DP832 (am I wrong ?), I can't check if those unknown options actually activate the same features as some other options. Anyway, here is the list of unknown options, if somebody wants to play with them: FPLT, FTLT, F2PT, F4PT.

I compiled this new riglol version for linux, osx and windows, as well as the web version. It would be nice if the persons handling http://gotroot.ca/rigol/riglol/ and http://riglol.3owl.com/ could update their online version.

Enough talk ? You want some action ? Here you go: riglol-20140717.zip
SHA1 of this file: 662b9f460eb618856567587e39827104f22049ca

And last but not least, huge thanks to everybody involved in this riglol hack, and especially to cybernet and zombie28 !

Thanks Aurel, this is great :-+
 

Offline rodpp

  • Frequent Contributor
  • **
  • Posts: 307
Re: Sniffing the Rigol's internal I2C bus
« Reply #3422 on: July 21, 2014, 05:27:11 pm »
First, congratulations to all involved in this work, it's amazing!

Knowing the hack method for Rigol DS1000Z, DS2000, DG4000, DSA800 could this help in hacking the DG1000Z series?

Has anyone tried to hack the Rigol DG1000Z Arbitrary Waveform Function Generators?

EDIT: AWF model number correction DG100Z -> DG1000Z.
« Last Edit: July 22, 2014, 06:43:05 am by rodpp »
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1193
  • Country: ca
    • VE7XEN Blog
Re: Sniffing the Rigol's internal I2C bus
« Reply #3423 on: July 22, 2014, 04:30:57 am »
Enough talk ? You want some action ? Here you go: riglol-20140717.zip
SHA1 of this file: 662b9f460eb618856567587e39827104f22049ca

And last but not least, huge thanks to everybody involved in this riglol hack, and especially to cybernet and zombie28 !

Great work! I have updated my mirror at http://gotroot.ca/rigol/ . The old version also remains for posterity.
73 de VE7XEN
He/Him
 

Offline Weisserrabe

  • Newbie
  • Posts: 4
  • Country: at
Re: Sniffing the Rigol's internal I2C bus
« Reply #3424 on: July 22, 2014, 07:15:42 pm »
I've spent quite some time reverse engineering the new firmware...


 :-+ great thanks to you  :clap:
 

