Rigol MSO2000 series hacking

[Eng_hassan85]

Congrats!  Did you use the JTAG method or SCPI commands to get your memory dump?

Thanks hope you too to upgrade if not yet  .. I used the SCPI command .. I am going to share the steps exactly taken to help anyone need to follow this method

after connecting my Scope into LAN and used Peter Program I followed the below steps :

0- Install the software provided with your scope "Ultra Sigma " and restart your machine .
1- start Peter Program and search for the Scope (either USB connection or Lan Connection ) it will appear in the program .. copy the Address of it .. you will use it with the commands below .
2- start SCPI command window from the program itself and enter the below command after updating the Scope address into it .
echo :SYST:UTIL:READ? 15441920,13262848 | ncat -i 1 TCPIP::<IP Address here for the Scope (from peter program)>::INSTR 5555
be patient it  will take some time around 10  minutes !
3- Use the save button to save the memory dump into a file in your local drive say name it (DS2072A_sdram.bin).
4- Open CMD window and navigate to where you have the file that you created .
5- rigup scan DS2072A_sdram.bin > EC-keys.txt
6- rigup DS2072A DS2072A_sdram.bin > Options.txt , note the bold "A" here as without the A it was not working .
7- the generated file "Options.txt" will contain all the needed Keys in the below form :

NSEH:  xxxxxx-xxxxxx-xxxxxx-xxxxxx    All options, no bandwidth upgrade
NSER:  xxxxxx-xxxxxx-xxxxxx-xxxxxx    All options, bandwidth 100 MHz
NSEQ:  xxxxxx-xxxxxx-xxxxxx-xxxxxx    All options, bandwidth 200 MHz
NS8H:  xxxxxx-xxxxxx-xxxxxx-xxxxxx    All options, bandwidth 300 MHz

8- back to your Scope and use the Utility >> Editor to enter the Key you want and Bingo  you are done .

Hope this will be useful to anyone interested in this method as this method has advantage to not avoid any warranty and not taking apart your Scope

[remilton]

Congrats!  Did you use the JTAG method or SCPI commands to get your memory dump?

Thanks hope you too to upgrade if not yet  .. I used the SCPI command .. I am going to share the steps exactly taken to help anyone need to follow this method

after connecting my Scope into LAN and used Peter Program I followed the below steps :

0- Install the software provided with your scope "Ultra Sigma " and restart your machine .
1- start Peter Program and search for the Scope (either USB connection or Lan Connection ) it will appear in the program .. copy the Address of it .. you will use it with the commands below .
2- start SCPI command window from the program itself and enter the below command after updating the Scope address into it .
echo :SYST:UTIL:READ? 15441920,13262848 | ncat -i 1 TCPIP::<IP Address here for the Scope (from peter program)>::INSTR 5555
be patient it  will take some time around 10  minutes !
3- Use the save button to save the memory dump into a file in your local drive say name it (DS2072A_sdram.bin).
4- Open CMD window and navigate to where you have the file that you created .
5- rigup scan DS2072A_sdram.bin > EC-keys.txt
6- rigup DS2072A DS2072A_sdram.bin > Options.txt , note the bold "A" here as without the A it was not working .
7- the generated file "Options.txt" will contain all the needed Keys in the below form :

NSEH:  xxxxxx-xxxxxx-xxxxxx-xxxxxx    All options, no bandwidth upgrade
NSER:  xxxxxx-xxxxxx-xxxxxx-xxxxxx    All options, bandwidth 100 MHz
NSEQ:  xxxxxx-xxxxxx-xxxxxx-xxxxxx    All options, bandwidth 200 MHz
NS8H:  xxxxxx-xxxxxx-xxxxxx-xxxxxx    All options, bandwidth 300 MHz

8- back to your Scope and use the Utility >> Editor to enter the Key you want and Bingo  you are done .

Hope this will be useful to anyone interested in this method as this method has advantage to not avoid any warranty and not taking apart your Scope

Thank you for the fine detail.  The info is always on the blog but can be difficult to assemble as it is a bit piece meal.

I will be getting my DS2072a next week(my second one).  I will be wait a few days to hack though as first scope I received had a habit of locking up often and I want to make sure this one is working well before I unlock it.

[TitusPullo]

Update:

after glancing through the (huge) thread, I found this remark: All Options + 300Mhz" YOU SHOULD USE NS8N - Sure enough, that did the trick for 300MHz.
Of course this is pushing the scope, as you can see if you apply a 635MHz signal with a 1G samplingrate.
However the signal fidelity is not bad and although I was aiming for 200 MHz I think I will just leave it like this.

[Teneyes]

New Firmware for DS1000Z and MSO/DS2000 Here

[sidener]

Has anyone had any experience reading the memory and decoding the option keys from a Rigol Arbitrary Waveform Generator like the DG5072 using the same technique as on the MSO2000 series?

[infinitybit]

I just unlocked the MSO2072A-S using using Bildschirmkopie tool.  The command echo :SYST:UTIL:READ? 15441920,13262848 | ncat -i 1 TCPIP::<IP Address here for the Scope>::INSTR 5555 didn't seem to work.  Instead I used :SYST:UTIL:READ? 1,33554432.  I had to dump the whole 32 megs because rigup didn't find any keys in 12 meg chunk.

Thank you to everyone who made this possible.

[Purevector]

Update:

after glancing through the (huge) thread, I found this remark: All Options + 300Mhz" YOU SHOULD USE NS8N - Sure enough, that did the trick for 300MHz.
Of course this is pushing the scope, as you can see if you apply a 635MHz signal with a 1G samplingrate.
However the signal fidelity is not bad and although I was aiming for 200 MHz I think I will just leave it like this.

To clarify, NS8N should result in All Options -56Meg + 300Mhz.  In other words, you should not have the deep memory option installed.  To get deep memory, you also need to install NSEH.  If you got 56Meg memory using just NS8N, that would be the first reported case I believe.

[TitusPullo]

Update:

after glancing through the (huge) thread, I found this remark: All Options + 300Mhz" YOU SHOULD USE NS8N - Sure enough, that did the trick for 300MHz.
Of course this is pushing the scope, as you can see if you apply a 635MHz signal with a 1G samplingrate.
However the signal fidelity is not bad and although I was aiming for 200 MHz I think I will just leave it like this.

To clarify, HS8N should result in All Options -56Meg + 300Mhz.  In other words, you should not have the deep memory option installed.  To get deep memory, you also need to install NSEH.  If you got 56Meg memory using just NS8N, that would be the first reported case I believe.

I did not use HS8N. The suggested strings were:

NSEH:  8YTNJME-...   All options, no bandwidth upgrade
NSER:  V3MPVKL-...    All options, bandwidth 100 MHz
NSEQ:  8BYN2C7-...    All options, bandwidth 200 MHz
NS8H:  QA9VQS4-...    All options, bandwidth 300 MHz

Of the above only NSER worked. After digging a little more I used NS8N = 0x1C0C3
==> this gave me all options including 56M pts + 300MHz.

It seems that UNISTALL does not work, so I wasn't able to try HS8N.

[Purevector]

I did not use HS8N. The suggested strings were:

NSEH:  8YTNJME-...   All options, no bandwidth upgrade
NSER:  V3MPVKL-...    All options, bandwidth 100 MHz
NSEQ:  8BYN2C7-...    All options, bandwidth 200 MHz
NS8H:  QA9VQS4-...    All options, bandwidth 300 MHz

Of the above only NSER worked. After digging a little more I used NS8N = 0x1C0C3
==> this gave me all options including 56M pts + 300MHz.

It seems that UNISTALL does not work, so I wasn't able to try HS8N.

Sorry, HS8N was a typo (corrected)... I meant NS8N.  Did you uninstall NSER before using NS8N?  I am the one who initially found the NS8N work around (https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg468951/#msg468951), but on my scope, it did not enable 56Meg option.  I am just curious if it actually did on yours, or if you installed NS8N after NSER.

[TitusPullo]

I did not use HS8N. The suggested strings were:

NSEH:  8YTNJME-...   All options, no bandwidth upgrade
NSER:  V3MPVKL-...    All options, bandwidth 100 MHz
NSEQ:  8BYN2C7-...    All options, bandwidth 200 MHz
NS8H:  QA9VQS4-...    All options, bandwidth 300 MHz

Of the above only NSER worked. After digging a little more I used NS8N = 0x1C0C3
==> this gave me all options including 56M pts + 300MHz.

It seems that UNISTALL does not work, so I wasn't able to try HS8N.

Sorry, HS8N was a typo (corrected)... I meant NS8N.  Did you uninstall NSER before using NS8N?  I am the one who initially found the NS8N work around (https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg468951/#msg468951), but on my scope, it did not enable 56Meg option.  I am just curious if it actually did on yours, or if you installed NS8N after NSER.

Exactly - I did not uninstall NSER but installed NS8N on top of it. Seems to have no adverse effects. I tried to get rid of the NSER with UNINSTALL - but that does not work - so I'm stuck with it.

[peter_3425]

Hello to all,
I just unlocked my DS2072A too, I don't need the funktion or the 300Mhz band width urgent because i am a hobby user. But i was interessted if it works with the description here. Great it really works   

After i had done this i wanted to test the command ":SYSTem:OPTion:UNINSTall" and all Options goes back to the "Trial Mode". The Model description goes back from DS2302A to DS2072A. But I don't reboot the scope and made some more measurements.

Then I discover that the time base after the unsinstall didn't go back from 1ns to 5ns as it is described in the datasheet and now the Rigol scope show a timebase (picture) of 500ps. Hmm interressting... however after a reboot and take it from the power socket it goes back to the normal time base.

regards

Software Version 00.003.01   

[soft4gsm]

One more MSO2072A (SW: 00.03.01 / HW: 2.2) unlocked.
Great work guys!
Thanks.

[Shadow]

Hello,
DS2072A, can not find keys.
I have read 32 mbytes dump via network, oscilloscope was in run mode but rigup tells that no key in dump.
SW 00.03.03.SP1
Do i have to use JTAG ?
WBR,

PS: Correct myself - i used incorrect version of rigup for other scope
After using correct version i could enable 200 MHz ( i don't need more   )
Thank's people...You did fu***ing huge JOB!!!! I think Rigol's users around the world wish you happy
WBR,

[Wmacky]

Awesome! 

Just got my 2072A.   Decided I didn't need an upgrade, and to put it off for months / years. I started reading this thread and that idea last all of 30 minutes.  She's now a mighty fine 300MHZ scope!

Thanks to all the contributors!

BTW A USB connection was tried first with the mem dump program,but kept getting send errors?   Switched to a Lan cable connection and the dump proceeded. It's late and I didn't have time to read the entire thread so I just stumbled through the menus on the DSO till I found a good place to type in the key.   

Bingo 

[Gandalf_Sr]

So, I'm still here lurking.  Am I right is understanding that, even with the latest and greatest firmware, the SCPI route still works?  I ask because I'm wondering if there's a newer firmware for my upgraded MSO2072A.

[JCK]

I just received my DS2072A and successfully  upgraded all options and 300MHz.  I had to use NSEH first, followed by NS8N, got "License unavailable" using the other bandwidth options first.  Many thanks to all for the many hours and hard work spent on this!!!

John

[arabesc]

I've successfully got a code from the rigup-0.4 for ds2302a - there's only one and it's NSEH - but my MSO2302A-S didn't accept it.
Is there something special about this scope?

[DG5SAY]

I've successfully got a code from the rigup-0.4 for ds2302a - there's only one and it's NSEH - but my MSO2302A-S didn't accept it.
Is there something special about this scope?

You have to do rigup again on the MSO. The code will be another than the code from the DS-Model.

[arabesc]

You have to do rigup again on the MSO. The code will be another than the code from the DS-Model.

Am I correct that I have to run rigup one more time with the same memory dump and ds2302a as the first argument, then it will generate a new code?

[DG5SAY]

You have to do rigup again on the MSO. The code will be another than the code from the DS-Model.

Am I correct that I have to run rigup one more time with the same memory dump and ds2302a as the first argument, then it will generate a new code?

You must do a memory dump from the DS2302A and a separate memory dump from the MSO2302A-s of course! Then run rigup with each of this memory dumps and you will get two separate codes. You have two different scopes with two different serial numbers (and different hardware).

[arabesc]

You must do a memory dump from the DS2302A and a separate memory dump from the MSO2302A-s of course! Then run rigup with each of this memory dumps and you will get two separate codes. You have two different scopes with two different serial numbers (and different hardware).

I'm using a memory dump from the MSO2302A-S device.
'ds2302a' is the command line parameter for the rigup utility that I'm using to genrate an unlock code.
And the scope (MSO2302A-S) doesn't accept the code.

[george2002]

Hello all eevblog users
Is there any news for unlocking DS2072A with 00.03.03.02.06 (00.03.03 SP2) installed ? i'm asking because i buyed oscilloscope installed with that version and as for today i tried hack him it with instructions:

Step-1: Installed software "Rigol Bildschirmkopie LAN/USB"   

Step-2: Make a memory dump with SCPI Command, :SYST:UTIL:READ? 1,33554432

Step-3: Use software Rigup to extract the correct license keys options

Step-4: With software UltraSigma and use SCPI command, SYSTem:OPTion:INSTall

^- oscilloscope says that license is wrong ...

2.

via this unlock guide:  http://www.gotroot.ca/rigol/D2072A%20Unlocking%20Guide.pdf

^- no luck to downgrade firmware ... as everyone says that firmware can't be downgraded to older than 00.03.....

and have no luck to hack it and i don't want to mess with jtag for now because osciloscope has varranty ...

If someone knows something i would be very grateful for any info because i bought this equipment with think of more capabilites and  i need them for measurments ...

Best Regards
George2002

[bineteri]

http://peter.dreisiebner.at/rigol-bildschirmkopie-lan/
For the LAN connection no driver or installation is necessary.

I used this program to get the memory dump and send the "install options" command. rigup.exe was used to generate the keys.

My Rigol is a DS2072A with software version 00.03.01, connected via LAN.

It worked like a charm

Thank you everyone.

[CustomEngineerer]

Hello all eevblog users
Is there any news for unlocking DS2072A with 00.03.03.02.06 (00.03.03 SP2) installed ? i'm asking because i buyed oscilloscope installed with that version and as for today i tried hack him it with instructions:

Yes, the hack works with the newest firmware. Keep trying and you'll get it. JTAG and Firmware downgrade are not necessary. I would strongly recommend going back and completely re-reading this thread and then try again. You will get it.

[CustomEngineerer]

Hello all eevblog users
Is there any news for unlocking DS2072A with 00.03.03.02.06 (00.03.03 SP2) installed ? i'm asking because i buyed oscilloscope installed with that version and as for today i tried hack him it with instructions:

Yes, the hack works with the newest firmware. Keep trying and you'll get it. JTAG and Firmware downgrade are not necessary. I would strongly recommend going back and completely re-reading this thread and then try again. You will get it.

I see now why so many people just getting their DS2000A keep asking about the downgrading the firmware and using JTAG.

 http://www.gotroot.ca/rigol/D2072A%20Unlocking%20Guide.pdf

This guide is an older version of the steps. Read through the thread linked below, its only 5 pages long and contains the most recent steps to unlock the DS2000A. I especially recommend getting the RigolBildschirmkopie program mentioned in that thread. You can use it to dump your scopes memory, and then to also input the unlock code once you have generated it.

https://www.eevblog.com/forum/testgear/unlockinghacking-the-rigol-ds2000a-series-scope-the-short-post/msg703044/#msg703044