Sniffing the Rigol's internal I2C bus

[Garnet]

If i'm right the only way for the moment is to use a pic over Fram to reset time trial at each boot.
Did somebody try that with last realease ?

The "Howardlong" method of shorting the two pins together is still a viable option on the latest units. I have:

Main board: 00.08
RF board: 00.05
Digital board: 00.04
F/W Ver: 00.01.09
Boot Ver: 00.01 04

that arrived on March 4th and can attest to the validity of the above statement.

https://www.eevblog.com/forum/testgear/spectrum-analyzer-rigol-dsa815/msg584818/#msg584818

Follow the warranty sticker preservation method shown here:



G

[Dave92F1]

YET ANOTHER HACK SUMMARY

I had all options + 300 MHz on my DS2072A, then I upgraded to the latest firmware, and lost all the hacks. It took me some time to figure out how to get them back.

This is my summary (should work for a new out-of-the-box DS2072A as well):

1 - Download & unzip the latest "Rigol Bildschirmkopie LAN/USB" from http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/

2 - Connect scope to LAN.

3 - Run the RigolBildschirmkopie.exe, click Device>Select>Search>Select.

4 - Do Device>SCPI-Command, then  Send & receive ":SYST:UTIL:READ? 1,33554432".
 
     Wait a long time (~5 to 10 min) for it to complete.
     
     Click Save, save it as "memoryDump.scpi" (save this file for future use!!)

5 - Download and unzip Rigup 0.4 (or later) from http://gotroot.ca/rigol/.

6 - Open a command window where you unzipped Rigup 0.4, copy memoryDump.scpi into the same folder.

7 - In the command window do: "rigup ds2072a memoryDump.scpi"

      This will produce an output something like:

rigup ds2072a - Version 0.4

Serial number: DSxxxxx

NSEH:  JPJQLFK-G3QNRLU-WFFFZMD-xxxxxxx    All options, no bandwidth upgrade
NSER:  8NXBL2U-JE2LZL7-9NEN5XK-xxxxxxx   All options, bandwidth 100 MHz
NSEQ:  R939MMG-NR63H25-9H993PX-xxxxxxx    All options, bandwidth 200 MHz
NS8H:  G2YRFYX-D589HNR-4K8YW3H-xxxxxxx    All options, bandwidth 300 MHz

8 - rigup scan MyKeys memoryDump.scpi

This will write your keys to the file "MyKeys".

9 - rigup license MyKeys NS8N

This produces an output something like:

5P89ZX7-LYMCTCS-P4PQ792-xxxxxxx   (NS8N = 0x1C0C3)

10 - Run RigolBildschirmkopie.exe again, click Device>Select>Search>Select (again).

11 - Click Device>SCPI-Command, then send & receive:
       :SYSTem:OPTion:INSTall <key to the right of NSEQ in step 7>

       The key (from step 7) MUST have the dashes removed.

       For example:
       :SYSTem:OPTion:INSTall R939MMGNR63H259H993PXxxxxxxx
       
At this point you should have all options + 200 MHz.

12 - Click Device>SCPI-Command, then send & receive:

       :SYSTem:OPTion:INSTall <key from step 9>

       Again, the key must have all dashes removed.

       For example:
       :SYSTem:OPTion:INSTall 5P89ZX7LYMCTCSP4PQ792xxxxxxx

That's it; you should have 300 MHz + all options now.

Maybe you can skip step 11 - I haven't tried it that way.

If you mess up, no problem. Just send ":SYSTem:OPTion:UNINSTall" and start over.

[guiasse]

How does it works with DP832 power supply ?

[Blitzbirnep]

Does anyone tried the
- DS2000A_Upgrade_Utility_1_0_0_1_Portable.zip on http://gotroot.ca/rigol/ Or
- the webbased tool which was posted by norkimo on http://www.sonsivri.to/forum/index.php?topic=53230.25

and could tell me his experience with them?

[OldNeurons]

Does anyone tried the
- DS2000A_Upgrade_Utility_1_0_0_1_Portable.zip on http://gotroot.ca/rigol/ Or
- the webbased tool which was posted by norkimo on http://www.sonsivri.to/forum/index.php?topic=53230.25

and could tell me his experience with them?

I have been using "DS2000A_Upgrade_Utility_1_0_0_1_Portable.zip" to unlock all options of my DS2102A.
No pain !
I just experienced troubles finding a USB stick which was supported. Before the 'upgrade' I had been using several models for data, or screen copy export without any problem, but all these sticks did not work for the firmware flash.
I was finally successfull with an old USB 1.0 32Mo stick ..!

[dadler]

How does it works with DP832 power supply ?

Just use the website.

[OldNeurons]

How does it works with DP832 power supply ?

Just use the website.

I tried for my DP832, firmware rev. 00.01.13, with no luck.
I send the command :SYSTem:OPTion:INSTall MxxxxxxxxxxxxxxxxxxxxxxT, but no message on the DP832 screen, no error from Ultra Sigma...
Anybody successfull with 00.01.13 ?

Thanks for your feedback.

[dadler]

How does it works with DP832 power supply ?

Just use the website.

I tried for my DP832, firmware rev. 00.01.13, with no luck.
I send the command :SYSTem:OPTion:INSTall MxxxxxxxxxxxxxxxxxxxxxxT, but no message on the DP832 screen, no error from Ultra Sigma...
Anybody successfull with 00.01.13 ?

Thanks for your feedback.

Try entering the code via the UI. I've had bad luck installing options on the DP832 via SCPI. Took a while, but I was able to unlock all options on my DP832, latest hardware and firmware.

Also note there is a 12 hour (run-time) lock out period if an invalid code is entered too many times. Also, no dashes. Your code doesn't look long enough either, mine on the DP832 were 28 characters long.

[OldNeurons]

How does it works with DP832 power supply ?

Just use the website.

I tried for my DP832, firmware rev. 00.01.13, with no luck.
I send the command :SYSTem:OPTion:INSTall MxxxxxxxxxxxxxxxxxxxxxxT, but no message on the DP832 screen, no error from Ultra Sigma...
Anybody successfull with 00.01.13 ?

Thanks for your feedback.

Try entering the code via the UI. I've had bad luck installing options on the DP832 via SCPI. Took a while, but I was able to unlock all options on my DP832, latest hardware and firmware.

Also note there is a 12 hour (run-time) lock out period if an invalid code is entered too many times.

Thank you very much !!! 
I just unlocked the High Res option by manually entering the code.

[guiasse]

You just have to copy SN on label and copy Key given by the tool.
This is incredible how easy it is. I will buy a ds812 to try it.
Many thanks !
Gui

[Blitzbirnep]

Does anyone tried the
- DS2000A_Upgrade_Utility_1_0_0_1_Portable.zip on http://gotroot.ca/rigol/ Or
- the webbased tool which was posted by norkimo on http://www.sonsivri.to/forum/index.php?topic=53230.25

and could tell me his experience with them?

I have been using "DS2000A_Upgrade_Utility_1_0_0_1_Portable.zip" to unlock all options of my DS2102A.
No pain !
I just experienced troubles finding a USB stick which was supported. Before the 'upgrade' I had been using several models for data, or screen copy export without any problem, but all these sticks did not work for the firmware flash.
I was finally successfull with an old USB 1.0 32Mo stick ..!

thanks for your feedback i will buy a ds2072 in a few days and than i will report my tries.

[remilton]

Does anyone tried the
- DS2000A_Upgrade_Utility_1_0_0_1_Portable.zip on http://gotroot.ca/rigol/ Or
- the webbased tool which was posted by norkimo on http://www.sonsivri.to/forum/index.php?topic=53230.25

and could tell me his experience with them?

I have been using "DS2000A_Upgrade_Utility_1_0_0_1_Portable.zip" to unlock all options of my DS2102A.
No pain !
I just experienced troubles finding a USB stick which was supported. Before the 'upgrade' I had been using several models for data, or screen copy export without any problem, but all these sticks did not work for the firmware flash.
I was finally successfull with an old USB 1.0 32Mo stick ..!

thanks for your feedback i will buy a ds2072 in a few days and than i will report my tries.

I'll be interested to know if you succeed as I think that is the method of flashing back to an older firmware and as far as I know that does not work with the last few versions of firmware.

[OldNeurons]

Does anyone tried the
- DS2000A_Upgrade_Utility_1_0_0_1_Portable.zip on http://gotroot.ca/rigol/ Or
- the webbased tool which was posted by norkimo on http://www.sonsivri.to/forum/index.php?topic=53230.25

and could tell me his experience with them?

I have been using "DS2000A_Upgrade_Utility_1_0_0_1_Portable.zip" to unlock all options of my DS2102A.
No pain !
I just experienced troubles finding a USB stick which was supported. Before the 'upgrade' I had been using several models for data, or screen copy export without any problem, but all these sticks did not work for the firmware flash.
I was finally successfull with an old USB 1.0 32Mo stick ..!

thanks for your feedback i will buy a ds2072 in a few days and than i will report my tries.

I'll be interested to know if you succeed as I think that is the method of flashing back to an older firmware and as far as I know that does not work with the last few versions of firmware.

That's correct. I am afraid that "DS2000A_Upgrade_Utility_1_0_0_1_Portable.zip" will not work with the latest FW revisions. Have a look in that forum for further details.

Edit: Have a look here:
https://www.eevblog.com/forum/testgear/2072a-question-oddity/msg632955/#msg632955
Seems Wmacky recently unlocked a DS2072A.

[JBR48]

Error: no device found
Error: unable to open ftdi device with vid 15ba, pid 002b, description 'Olimex OpenOCD JTAG ARM-USB-OCD-H' and serial '*'
in procedure 'init'

Any suggestion on what to try next ?

Gus

Hello Gus,

Did you resolve this problem? I saw no further replies.

I have the same issue. I run Win7 64 bit.

[ciborgue]

Dave92F1 excellent post. Confirmed for 00.03.03.01 (latest FW for 03/25/15).

I had to use LAN connection; USB didn't work for me.

[jmccorison]

Dave92F1, Thanks for a great post on unlocking the DS2072A.

Some observations about it. I first performed the unlock on firmware 00.03.00.SP1 and it worked like a champ. I missed step 11 as it was so similar to step 12, so you are correct that step 11 doesn't need to be performed. I then upgraded to firmware 00.03.03.01 and the previous unlock was still in effect.

When I check installed options all options show as "official version" except for the MEM_DEPTH which stills shows as trial. I can live with that.

When I installed the new key the RigolBildschirmkopie.exe tool displayed an error "There was an error when sending the SCPI command." However it still performed the desired action.

[Pacif13r]

Hi all,

I recently got myself a DS2072A over the 1000Z with the plan of doing the hack to add bandwidth and features. I chose to go down the route of a JTAG memory dump to minimize my chances of doing damage. To this end I got myself a Olimex ARM-USB-OCD-H and made up a cable. As everyone has acknowledged this topic is a monster and a half to follow with myriad sub topics having sprung up. Luckily I chanced upon beurgi's #2431 summary of what had been learned. Following those instructions I've got as far as trying to get a memdump...

This has been problematic as rigup is unable to find keys so I've looked at the dump files and I'm certainly not getting anything like what I would have expected (without knowing what to expect in this scopes ram). I've confirmed my results are odd by locating some dumps for the DS2072A which people have uploaded and having a look at these.

Everything appears to work but the resulting dump is around 130MB looks to be 98% full of long runs of FF bytes and then long runs of 00 bytes with the very occasional and sporadic exceptions which tend to be limited to repeated and limited selection of bytes

First image is that it seems to start off ok for a couple of dozen bytes and then...
Second image is a randomly selected island of non FF/00 bytes.

I'm using Ubuntu x64 in a VMware host on my Win7 x64 laptop but I guess I'd think that if that were a factor I wouldn't be able to get as far as I do.
Model: DS2072A
Serial: DS2D16535XXXX
SW Ver: 00.03.03.SP1
HW Ver: 2.0

Code: [Select]

GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "--host=x86_64-unknown-linux-gnu --target=bfin-uclinux".
(gdb) target remote :2000
Remote debugging using :2000
0x00000000 in ?? ()
(gdb) info mem
Using memory regions provided by the target.
Num Enb Low Addr   High Addr  Attrs
0   y  0x20000000 0x20400000 rw nocache
1   y  0xef000000 0xef008000 ro nocache
2   y  0xff800000 0xff804000 rw nocache
3   y  0xff804000 0xff808000 rw nocache
4   y  0xff900000 0xff904000 rw nocache
5   y  0xff904000 0xff908000 rw nocache
6   y  0xffa00000 0xffa0c000 rw nocache
7   y  0xffa10000 0xffa14000 rw nocache
8   y  0xffb00000 0xffb01000 rw nocache
9   y  0xffc00000 0xffe00000 rw nocache
10  y  0xffe00000 0x100000000 rw nocache
(gdb) dump binary memory ~/electronics/ds2k_00_sdram.bin   0x00000000 0x07FFFFFF
Any thoughts gratefully appreciated if anyone has come across this before? 

Thanks,
Justin

[CustomEngineerer]

While opening up your scope so you can hook up JTAG shouldn't be too terribly risky, its still far more risky than just hooking up a network or usb cable to the ports on the outside of the case. There should be no reason to need to open up the scope at all. When I first tried the hack I was having a hard time getting a full dump, I can't remember which SPCI program I was using at the time (probably UltraSigma) but once I switched over to using Bildschirmkopie to get the dump it worked first time. And it has also worked several times since when I lost the original memory dump and generated keys and wanted to try playing around with other options.

[Pacif13r]

While opening up your scope so you can hook up JTAG shouldn't be too terribly risky, its still far more risky than just hooking up a network or usb cable to the ports on the outside of the case. There should be no reason to need to open up the scope at all. When I first tried the hack I was having a hard time getting a full dump, I can't remember which SPCI program I was using at the time (probably UltraSigma) but once I switched over to using Bildschirmkopie to get the dump it worked first time. And it has also worked several times since when I lost the original memory dump and generated keys and wanted to try playing around with other options.

Thanks, I was under the impression, that this required a custom firmware flash? I've enjoyed a couple of bricking experiences over the years so I'm super wary with high ticket items... 
Still if there are no horror stories with the technique on here perhaps I should reconsider given my lack of JTAG success unless someone has some insight to share on my problem.

[CustomEngineerer]

There is no longer a need for the custom firmware flash. The current way works with the latests firmware. I believe it was first reported around Aug - Sept 2014. Sorry I dont remember exactly where the steps are in this thread (they are also listed in plenty of other threads, there was a much more recent thread on hacking the rigol scopes from I think Feb 2015). I would go back in this thread to Aug 2014 and go forward from there, or try to find one of the more recently created threads.

1) Use RigolBildschirmkopie program to issue SCPI command to have scope dump memory. My memory dump was only the first 32MB.
2) Use rigup program on dump from step 1 to generate the key codes.
3) Use RigolBildschirmkopie/UltraSigma or any SCPI program to send the key code to the scope. You can also manually add the key code through the scopes interface just like you would if you had purchased an upgrade from Rigol.

Thats it, no opening scope, no flashing custom firmware, no need to downgrade firmware. Once you get it the whole process takes less than 5 minutes.

[CustomEngineerer]

I found one of the shorter to the point threads on hacking the DS2000A series. This link goes straight to reply #44, the replies before that are talking about the older ways to do the hack so you shouldn't need to look back any further.
https://www.eevblog.com/forum/testgear/unlockinghacking-the-rigol-ds2000a-series-scope-the-short-post/msg559767/#msg559767

[jmccorison]

Or, for a slightly more detailed description you can go back one page in this thread to Dave92F1's excellent write up:
https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg633003/#msg633003

In that post he comments that step 11 might not be needed which my recent experience confirms, at least for version 00.03.00.SP1.

[Pacif13r]

I found one of the shorter to the point threads on hacking the DS2000A series. This link goes straight to reply #44, the replies before that are talking about the older ways to do the hack so you shouldn't need to look back any further.
https://www.eevblog.com/forum/testgear/unlockinghacking-the-rigol-ds2000a-series-scope-the-short-post/msg559767/#msg559767

Arrghhh. What  a waste of time on a day trying different combinations of jtag / bluefin drivers / memory ranges / speeds / checking and rechecking my cable 

This did the trick wonderfully, thanks so much. I will put in here as a warning for others that I did then waste about 2 hours trying different combo's of memory dump via the USB & LAN cable because rigup would not find keys in my dump. It turns out that rigup 1.4.1 despite the sequence indicating a later version of 1.4 might be an entirely different branch which caters only for 1000Z's I went back and got 1.4(.0) and it worked straight away on my (ex)DS2072A.

Thanks again for your help! and Thanks for your link too jmccorison it was useful to see the unabridged version when it came to figuring out how to get the code in without manually entering it.

[dagg]

Dave92F1, Thanks for a great post on unlocking the DS2072A.

Some observations about it. I first performed the unlock on firmware 00.03.00.SP1 and it worked like a champ. I missed step 11 as it was so similar to step 12, so you are correct that step 11 doesn't need to be performed. I then upgraded to firmware 00.03.03.01 and the previous unlock was still in effect.

When I check installed options all options show as "official version" except for the MEM_DEPTH which stills shows as trial. I can live with that.

When I installed the new key the RigolBildschirmkopie.exe tool displayed an error "There was an error when sending the SCPI command." However it still performed the desired action.

Forgetting step 11 is exactly causing the mem-depth option to stay on trial, please redo step 11 (only) and it will be ok too, so even after the omission.

Cheers, Jan.

[dadler]

Wow the non-intrusive nature of the latest DS2000 upgrades almost has me convinced I "need" a DS2000 series scope in addition to my 1054z. The DS2000 series has been out for a few years though, kinda concerned that a new model will be released in the not-too-distant future.

Does Rigol have an average/typical release cadence for new/replacement products?