Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1840503 times)

Offline zeratul42

  • Newbie
  • Posts: 2
  • Country: fr
Re: Sniffing the Rigol's internal I2C bus
« Reply #4100 on: March 21, 2016, 10:08:55 pm »
Hello,
I've a DSA815TG with boot 1.04; to get all licenses I had to solder the write pin on the FRAM.
Does anybody have a way to get the private key and generate a license?
 

Offline Neuro

  • Contributor
  • Posts: 12
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4101 on: March 26, 2016, 10:47:02 pm »
  • If the source is available that can help with trust issues (but nobody will take the time to compile it, and 80% of those that do will hassle you about where to get missing libraries)
For those who are afraid of Russian hackers, I've updated a zip-archive.  :-DD Now it consists of an exe-file and sources. You are free to use or compile it.  ;)
The link is: http://i-hobby.org/file/go/60/
« Last Edit: March 26, 2016, 10:52:06 pm by Neuro »
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2571
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #4102 on: March 26, 2016, 11:55:52 pm »
For those who are afraid of Russian hackers, I've updated a zip-archive.  :-DD Now it consists of an exe-file and sources. You are free to use or compile it.  ;)
The link is: http://i-hobby.org/file/go/60/

Yeah. But No..

??????: 404

(Error: 404 - will the forum finally allow Cyrillic characters?)
 

Offline Mosaic

  • Regular Contributor
  • *
  • Posts: 143
Re: Sniffing the Rigol's internal I2C bus
« Reply #4103 on: April 09, 2016, 08:52:43 am »
Just an FYI of the bandwidth of the 'unlocked DS2072a - DS2302A' .

With well calibrated leveled sine wave gens, SG503 and SG504 (TEK) using my custom made remote head for flatness <0.1dB I re-evaluated the Rigol bandwidth.

Figures of merit:

150MHz - Rigol is still accurate, matching the Vpp of the signal.

300MHz - Rigol is down 2dB in amplitude.

400MHz - Rigol is down 3dB in amplitude.

I'd go with using it to 175MHz max as reasonably accurate. Start factoring in losses past that.

This cross reference check matches quite well with my VNA test results on the scope.
 
The following users thanked this post: materialsguy

Offline zibadun

  • Regular Contributor
  • *
  • Posts: 112
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4104 on: April 10, 2016, 03:50:33 pm »

What's the problem with a flag and with a language?  :wtf:
Mind your Language a bit will you. Your posts with a funny URL look suspicious.
A lot of hackers come from Russia or from that region, so it is not so strange that people start asking questions. If then your language flag is set to German, your profile becomes even more strange.

This guy does not appear to be a "hacker" in a malicious context..  He is a physician from Ukraine who moved to Germany after "the revolution".  He was employed in Crimea at the time of the putsch,  when the newly formed Ukrainian government banned him from continuing work in the occupied territory.  From what I understand he is now a licensed MD in Germany.  I don't think his profile matches a 'script kiddie' who wants to crack your PC.   Just saying...
« Last Edit: April 10, 2016, 03:52:27 pm by zibadun »
 
The following users thanked this post: Neuro

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Sniffing the Rigol's internal I2C bus
« Reply #4105 on: April 12, 2016, 12:13:11 am »
It is in spec for a 300MHz scope though. The 3dB point is at 400MHz.
Just putting it out there that the behavior is not unexpected for this or any scope.

Just an FYI of the bandwidth of the 'unlocked DS2072a - DS2302A' .

With well calibrated leveled sine wave gens, SG503 and SG504 (TEK) using my custom made remote head for flatness <0.1dB I re-evaluated the Rigol bandwidth.

Figures of merit:

150MHz - Rigol is still accurate, matching the Vpp of the signal.

300MHz - Rigol is down 2dB in amplitude.

400MHz - Rigol is down 3dB in amplitude.

I'd go with using it to 175MHz max as reasonably accurate. Start factoring in losses past that.

This cross reference check matches quite well with my VNA test results on the scope.
Sandra
(Yes, I am a Woman :p )
 
The following users thanked this post: AndersAnd, materialsguy

Offline CustomEngineerer

  • Frequent Contributor
  • **
  • Posts: 464
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4106 on: April 12, 2016, 12:45:01 am »
This guy does not appear to be a "hacker" in a malicious context..  He is a physician from Ukraine who moved to Germany after "the revolution".  He was employed in Crimea at the time of the putsch,  when the newly formed Ukrainian government banned him from continuing work in the occupied territory.  From what I understand he is now a licensed MD in Germany.  I don't think his profile matches a 'script kiddie' who wants to crack your PC.   Just saying...

That's exactly what I'd expect a Ukrainian hacker's German accomplice to say.

Sorry, couldn't resist.
 

Offline zibadun

  • Regular Contributor
  • *
  • Posts: 112
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4107 on: April 12, 2016, 12:53:41 am »
That's exactly what I'd expect a Ukrainian hacker's German accomplice to say.

Sorry, couldn't resist.

Bad joke pal.  I spent some time on Neuro's web site, looked at the content, watched some of his YouTube videos, translated his story for you so that *you* can sleep well and not be afraid.  And you thanked me by calling me a hacker's accomplice?  GFY
« Last Edit: April 12, 2016, 12:56:04 am by zibadun »
 
The following users thanked this post: Co6aka, What_NZ, Neuro

Offline Neuro

  • Contributor
  • Posts: 12
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4108 on: April 12, 2016, 03:11:56 pm »
For those who are afraid of Russian hackers, I've updated a zip-archive.  :-DD Now it consists of an exe-file and sources. You are free to use or compile it.  ;)
The link is: http://i-hobby.org/file/go/60/

Yeah. But No..

??????: 404

I've fixed that problem. Now the sources are available.
 
The following users thanked this post: What_NZ

Offline timofonic

  • Frequent Contributor
  • **
  • Posts: 904
  • Country: es
  • Eternal Wannabe Geek
Re: Sniffing the Rigol's internal I2C bus
« Reply #4109 on: April 12, 2016, 10:56:14 pm »
That's exactly what I'd expect a Ukrainian hacker's German accomplice to say.

Sorry, couldn't resist.

Bad joke pal.  I spent some time on Neuro's web site, looked at the content, watched some of his YouTube videos, translated his story for you so that *you* can sleep well and not be afraid.  And you thanked me by calling me a hacker's accomplice?  GFY
Hey, please check your notes about acid humor! There's a risk of Asperger issues here, I think.

I just see it as joking about stereotypes. It's true some homebrew attitudes make it suspicious too, but sometimes people lived to joke about it.

What can be funnier than being someone like...

Linus Torovoldos: A technology genius since very early age (he learnt C++ and assembly at 5yo) and physician from ex-USSR that lived in Crimea (even the name is cool, it sounds s crime in English).

- He got involved in a very highly experimental cyberpunk project, it seems he applied it to his own brain in order to augment his cognitive skills (he's fluent in six human languages at least).

- He escaped to Germany and is hidden as a MD.


This could be the next James Bond movie! Please make it happen! :D
 

Offline DaBone_206

  • Newbie
  • Posts: 4
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4110 on: April 29, 2016, 12:49:56 pm »
Hello everybody,
I have a problem with my Rigol MSO1074zs. I want to unlock all functions but it doesn't work.
I run the load dump with a SEGGER ARM Flasher and I use this Rigup software http://gotroot.ca/rigol/rigup-0.4.1-mso1000z.zip to unlock. But my generated keys go wrong.  :-\

What can I do?
 

Offline hammy

  • Supporter
  • ****
  • Posts: 465
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4111 on: April 29, 2016, 03:35:46 pm »
I run the load dump with a SEGGER ARM Flasher and I use this Rigup software ...

How big is the dump file and how long did you dump it? My dump file had a size of roundabout 65MB.

The first command was:
"./rigup scan mso1074z-s_RAM.bin > mso1074s.txt"

After that I generated the keys with these commands:
"./rigup license mso1074s.txt 0x1C001"
"./rigup license mso1074s.txt 0x1C002"
"./rigup license mso1074s.txt 0x1C004"
"./rigup license mso1074s.txt 0x1C008"
"./rigup license mso1074s.txt 0x1C080"

After that I entered the licenses.

HTH!

Cheers
hammy


List of hex values:
(CSAR = 0x1C001) Triggers
(CSAB = 0x1C002) Decoders
(CSA3 = 0x1C004) Mem-depth
(CSAJ = 0x1C008) Recorder
(CSAS = 0x1C010) DG
(CSRA = 0x1C020) 500uV
(CSBA = 0x1C040) Power Ana.
(CS3A = 0x1C080) Bandwidth (100MHz)
(CSHY = 0x1C0FF) All

« Last Edit: April 29, 2016, 03:37:36 pm by hammy »
 

Offline DaBone_206

  • Newbie
  • Posts: 4
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4112 on: April 29, 2016, 09:04:53 pm »

How big is the dump file and how long did you dump it? My dump file had a size of roundabout 65MB.


The dump file had a size of 65.536KB and I loaded it from 0x40000000 to 0x3FFFFFF with 4800 kHz.
I have already tried the hex values 0x1C001, 0x1C002, 0x1C0FF but unfortunately without success.

Perhaps it may be a problem with the current firmware?
 

Offline Prax

  • Newbie
  • Posts: 8
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4113 on: May 02, 2016, 09:49:27 am »

How big is the dump file and how long did you dump it? My dump file had a size of roundabout 65MB.


The dump file had a size of 65.536KB and I loaded it from 0x40000000 to 0x3FFFFFF with 4800 kHz.
I have already tried the hex values 0x1C001, 0x1C002, 0x1C0FF but unfortunately without success.

Perhaps it may be a problem with the current firmware?

I am having similar issues as well. Firmware 04.03 SP2 (and on SP1) Rigup 0.41 (MSO1000Z Edition) no longer seems to generate valid option keys. I continue to get "Invalid License" on the unit.

On a slightly different note: In this firmware revision, it seems they moved the offset for the keys back to "02 00 84 00 10 00". Rigup 0.41 is currently looking for keys at "01 00 84 00 10 00", which is no longer the case for the MSO1074Z-S. Anyone attempting to use a previously compiled rigup for Windows or compile without modifying "utils.c" will likely get "Scanning 'mso1074z.bin' failed: No keys".

Attempting to use rigup info mso1074z.txt [LICENSE KEY] generates a "--- FAILED ---" on verify. It does seem to know which option it is from the license key.

Example (Rigup 0.41 MSO1000Z Edition): ./rigup info mso1074z.txt XXXXXXX-XXXXXXX-XXXXXXX-XXXXXXX
XXXXXXX-XXXXXXX-XXXXXXX-XXXXXXX    (CSA3 = 0x1C004)
Signature 1:    000000008599XXXX
Signature 2:    00000000877dXXXX
Padding 1:      0000000000000000
Padding 2:      0000000000000000
Verify:         --- FAILED ---
« Last Edit: May 02, 2016, 09:57:36 am by Prax »
 

Offline Prax

  • Newbie
  • Posts: 8
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4114 on: May 02, 2016, 10:12:16 am »
I run the load dump with a SEGGER ARM Flasher and I use this Rigup software ...

How big is the dump file and how long did you dump it? My dump file had a size of roundabout 65MB.

The first command was:
"./rigup scan mso1074z-s_RAM.bin > mso1074s.txt"

After that I generated the keys with these commands:
"./rigup license mso1074s.txt 0x1C001"
"./rigup license mso1074s.txt 0x1C002"
"./rigup license mso1074s.txt 0x1C004"
"./rigup license mso1074s.txt 0x1C008"
"./rigup license mso1074s.txt 0x1C080"

After that I entered the licenses.

HTH!

Cheers
hammy


List of hex values:
(CSAR = 0x1C001) Triggers
(CSAB = 0x1C002) Decoders
(CSA3 = 0x1C004) Mem-depth
(CSAJ = 0x1C008) Recorder
(CSAS = 0x1C010) DG
(CSRA = 0x1C020) 500uV
(CSBA = 0x1C040) Power Ana.
(CS3A = 0x1C080) Bandwidth (100MHz)
(CSHY = 0x1C0FF) All

What is your firmware version? A few of us are not getting any success on the new firmware. Unfortunately, my unit was new and had 04.03 from factory. If you didn't modify utils.c on rigup 0.41 to change offset, I surmise that it is below that.
 

Offline Macbeth

  • Super Contributor
  • ***
  • Posts: 2571
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #4115 on: May 02, 2016, 10:19:57 am »
Can you not flash an old firmware then activate the keys on that before upgrading back to the latest?
 

Offline Prax

  • Newbie
  • Posts: 8
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4116 on: May 02, 2016, 10:38:34 am »
Can you not flash an old firmware then activate the keys on that before upgrading back to the latest?
I didn't think downgrading was possible.
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Sniffing the Rigol's internal I2C bus
« Reply #4117 on: May 02, 2016, 11:31:35 am »
Can you not flash an old firmware then activate the keys on that before upgrading back to the latest?
I didn't think downgrading was possible.

If your dump is 16Kb it's too small.
0x3FFFFFF is 67108863 bytes.
The openocd command is
dump_image mso1074zs.bin 0x40000000 0x3FFFFFF
That starts at address 0x40000000 and dumps 0x3FFFFFF bytes, so if you have a 16Kb dump it's not going to work.
If that is a typo and even if you meant Mb it's still too small to be sure you got everything.

If you do have a 64MB dump please ignore this, otherwise if you truly have a 16Kb dump, please try it again and be sure you get the full 64Mb+ dump.

What boot loader do you have?  Has it been upgraded to a newer boot?
If not, try downgrading as Macbeth stated.

Downgrading isn't possible with the DSA815; I've not heard anyone say the MSO1074 wasn't downgradeable.
Sandra
(Yes, I am a Woman :p )
 

Offline Prax

  • Newbie
  • Posts: 8
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4118 on: May 02, 2016, 12:15:22 pm »
Can you not flash an old firmware then activate the keys on that before upgrading back to the latest?
I didn't think downgrading was possible.

If your dump is 16Kb it's too small.
0x3FFFFFF is 67108863 bytes.
The openocd command is
dump_image mso1074zs.bin 0x40000000 0x3FFFFFF
That starts at address 0x40000000 and dumps 0x3FFFFFF bytes, so if you have a 16Kb dump it's not going to work.
If that is a typo and even if you meant Mb it's still too small to be sure you got everything.

If you do have a 64MB dump please ignore this, otherwise if you truly have a 16Kb dump, please try it again and be sure you get the full 64Mb+ dump.

What boot loader do you have?  Has it been upgraded to a newer boot?
If not, try downgrading as Macbeth stated.

Downgrading isn't possible with the DSA815; I've not heard anyone say the MSO1074 wasn't downgradeable.
The memdump was 64MB. I never said anything about a 16Kb dump, plus I have isolated where the keys are in the memdump, it is in a different location than what rigup 0.41 is scanning for with the new firmware. (See the top of this page)

According to this thread https://www.eevblog.com/forum/testgear/rigol-ds1000z-series-firmware-downgrade-*is*-possible-and-here-is-how/ downgrading only works on a very old bootloader version. My Boot version is 0.0.1.3. Only versions 0.0.0.11 and 0.0.0.13 allowed downgrading it would seem.

*EDIT* Okay. I tried the downgrade process doing the press help 3 times method and it just beeped and blinked at me until I turned the unit off. Trying to downgrade the traditional way also ended in failure.
« Last Edit: May 02, 2016, 12:47:59 pm by Prax »
 

Offline hammy

  • Supporter
  • ****
  • Posts: 465
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4119 on: May 02, 2016, 07:15:44 pm »
What is your firmware version?

It was a previous firmware version, more than a year ago.

Cheers
hammy
 

Offline alank2

  • Super Contributor
  • ***
  • Posts: 2185
Re: Sniffing the Rigol's internal I2C bus
« Reply #4120 on: May 05, 2016, 07:06:03 pm »
Are current version DP832's hackable?  If so, where is the keygen for them?  How long do they take to power on in seconds?
 

Offline Prax

  • Newbie
  • Posts: 8
  • Country: se
Re: Sniffing the Rigol's internal I2C bus
« Reply #4121 on: May 05, 2016, 07:44:11 pm »
Are current version DP832's hackable?  If so, where is the keygen for them?  How long do they take to power on in seconds?
Yes, the DP832 is hackable (up to the latest firmware). Do a search on Google for "Riglol". Power up time is about 4-5 seconds.
 

Offline alank2

  • Super Contributor
  • ***
  • Posts: 2185
Re: Sniffing the Rigol's internal I2C bus
« Reply #4122 on: May 05, 2016, 08:15:30 pm »
Thank you Prax - I appreciate it.
 

Offline alank2

  • Super Contributor
  • ***
  • Posts: 2185
Re: Sniffing the Rigol's internal I2C bus
« Reply #4123 on: May 05, 2016, 09:51:32 pm »
Riglol shows individual options, but no letter code for all options.  Do you have to load the options one at a time or something?
 

Offline CustomEngineerer

  • Frequent Contributor
  • **
  • Posts: 464
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #4124 on: May 06, 2016, 12:22:03 am »
Yes, you have to enter each option's code individually. As far as I know there are no combination codes like you find for the Rigol scopes.
 

