Sniffing the Rigol's internal I2C bus

[Prax]

Riglol shows individual options, but no letter code for all options.  Do you have to load the options one a a time or something?

Yes, it's individual. No bundle codes. It's also unfortunate that there are no SCPI commands for setting licenses with the DP series. Unlike the scopes where you can use SYSTem:OPTion:INSTall [LICENSE KEY]
It can be pretty tedious entering codes on Rigol products with their poor interfaces.

[ted572]

New DS4000 Firmware, Version 00.02.03.00.03, 3 MB, Released 2016-05-05:

http://int.rigol.com/File/ProductSoftWare/20160505/DS4000(DSP)update.zip

[OsiViper]

Was curious if anyone was able to get this to work with a Atmel ICE. I have the ICE and a new MSO2072A that I wanna unlock the upgrades on and I am wondering if anyone has gotten it to work with the iCE or if I am just better off getting a different tool for the JTAG. And if so, which one is good (doesn't take years to finish)?

Thanks!

[SupraWez]

Hey All,

Great info 

I see the DP832 is mentioned a lot, does anyone know if the DP811 will also work with Riglol?

Thanks

[TurboTom]

The DP811 definitely works as well. Just a week ago I tested it with a unit produced november 2015.

[SupraWez]

The DP811 definitely works as well. Just a week ago I tested it with a unit produced november 2015.

Thanks 

[OsiViper]

I got the Olimex ARM-USB-OCD JTAG Adapter and I am using Win7 64 bit. I got the Blackfin toolchain and I try running "bfin-gdbproxy.exe --debug bfin --frequency=5000000" and all it returns is "debug: bfin: bfin_open ()", "error: bfin: cable initialization failed"

I have tried different USB ports, using Zadig to use a WinUSB Driver instead, but I cannot get past the cable initialization failed.

Any help would be great since I got my scope torn apart on the desk.

Thanks!

[CustomEngineerer]

Did you try different cables? Some USB cables are just crap and can give you real problems. Try a short, quality USB cable if all else fails.

Edit: By quality I don't mean a $50 1 foot gold plated monster cable or anything like that, just a cable from a reputable company.

[OsiViper]

Yea. Tried 3 different cables, none wanna work.

Tried wiring it up using the pull-up resistors as well as wiring TRST and SRST right in instead and nothing seems to make any difference .

[OsiViper]

Well. It wasn't an adapter problem or my wiring. Was something with the drivers in Windows. Had been meaning to install Ubuntu on a external hard drive, so just did that, got Blackfin for Linux and ran it. Working just fine now, doing the dump right now.

[Macbeth]

I had a whale of a time trying to get Blackfin toolchain working with Olimex ARM-USB-OCD on Win 8/10. I gave up.

I did get it running on Ubuntu, though for some reason when using the bfin-* commands like bfin-urjtag vs the plain old urjtag found in the Ubuntu repositories, I find all my cursor keys and history turn into escape characters instead of working normally. It's really annoying!

I also have to run everything using sudo. I've seen some workarounds for this, using udev rules, but they don't seem to work with newer Ubuntu versions.

Any hints on getting it working seamlessly with Ubuntu 16.04 LTS?

[OsiViper]

I got this one "blackfin-toolchain-2014R1_45-RC2.x86_64.tar.bz2" , and I use the tools under /opt/uClinux/bfin-uclinux/bin and it seems to work just fine for me. The dumping that is.

I am having a problem though, I have done 3 dumps and when I do "sudo ./rigup scan ds2k_00_sdram.bin" it tells me that there are no keys found.

Code: [Select]

:~$ sudo ./rigup scan ds2k_00_sdram.bin
rigup scan - Version 0.4.1

        Hacked up for MSO1000Z(-S) rmd79, 0ff eevblog.com

Scanning 'ds2k_00_sdram.bin' failed: No keys

[OsiViper]

Well, I learned something.. I got it working for the MSO2072A.. Aparently Rigup 0.4.1 will not work for it, I downloaded Rigup 0.4.0 and it generated the keys just fine. Got a 200 MHz scope now with all the options.. Thanks everyone for the info here

[pvico]

Did anybody have any luck with the DS1xxxZ Plus?

I have a very recent DS1104Z Plus with SN DS1ZCxxxxxxxxx, software 00.04.03 SP2, board 2.1.1 & boot loader 0.0.1.4.

I spent more than 2 full days doing the following:
I obtained the dump file with an Olimex ARM-USB-OCD-H.
I compiled rigup-0.4.1-mso1000z (I did it both on Mac OS X and Ubuntu 14, they give the same results).
A rigup scan of the dump file gives apparently correct keys and the SN is correct, but the licenses generated with 0x1C00x are all invalid.

Looking into my dump file, the only long string that could be a character map is "ABCDEFGH234JKLMNPQR567STUVWXYZ89", so I replaced all instances of charMapDecode and charMapEncode in encode.c and decode.c with that string. The licenses are still invalid.

IMHO, the causes could be:
- Codes other than 0x1C00x are needed
- The private key is not correct. This is a bit scary: the code to transform the public key into a private key is quite complex (using of the MIRACL library) and there are a lot of 'magic' values involved (the ECC parameters in solver.c). Is there any way to verify if these values are still ok?
- A completely different encoding method has been used for this model (I hope not)

In the dump file, there are a few 28 character strings (with characters in ABCDEFGHJKLMNPQRSTUVWXYZ23456789) which are, I guess, the trial licenses.
Should they verify with rigup info (they don't)?

I played a bit with rigup-0.4.0, tried to apply the patches but that did not work either.

Many thanks to anybody who could answer some of these questions.

[arobincaron]

Here's my experience "testing" the ability to setup MSO1074z scope option capabilities:

I do not have a JTAG cable to get a memory dump. I researched alternatives (USB Blaster, Bus Pirate, etc) and I saw the following: https://github.com/synthetos/PiOCD/wiki/Using-a-Raspberry-Pi-as-a-JTAG-Dongle.  As I use Windows 10 I liked the idea of avoiding driver issues by using openocd on Linux.

I purchased a Raspberry Pi 3 (thanks Amazon for same day delivery!).  I hooked it up and followed the instructions from the article to get openocd compiled. I removed the 2 references to "--enable-ft2232_libftdi" as "configure" indicated that that driver is obsolete and I wasn't planning on using it anyway. I stopped following the instructions where downloading of the tcl script (i.e. "sudo wget https://gist.github...") is indicated as from there the instructions are for connecting the Pi to an Arduino Due.

With the Raspberry Pi and openocd ready I proceeded to open the scope as documented by others. I initially attempted to remove the warranty sticker using a plastic instrument only. After seeing some label separation I used a heat gun on low heat to soften the glue. It was much easier that way. I highly recommend using heat!

To figure out how to connect the Raspberry Pi GPIO pins to the scope JTAG port I used info from the article above, the scope JTAG information in https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg720691/#msg720691, reviewed the sysfsgpio-raspberrypi.cfg interface file and http://pinout.xyz/pinout/uart.  Here's what I came up with:

JTAG signal	Scope Header Pin	Pi GPIO Signal	Pi Header Pin
TCK	1	11	23
TMS	3	25	22
TDI	5	10	19
TDO	4	9	21
TRST	7	11	26
Gnd	8	Gnd	25

I used very short cables (~6 inches) and quadrupled checked my connections as I was a bit paranoid about wrecking the scope processor. You should verify yours too 

I started openocd using the following command line:

openocd -d2 -f interface/sysfsgpio-raspberrypi.cfg -f target/imx28.cfg

I installed telnet (sudo apt-get install telnet) and connected to openocd using:

telnet localhost 4444

Next turned the scope on. Once I saw the scope options screen I tried to halt the processor from the telnet session (i.e. "halt") but got an error saying that openocd could not communicate with the target.  I checked the scope and it was clearly not stopped.  I turned off the scope, reviewed my wiring. Everything was ok so I reviewed the openocd output and noticed an error in the openocd logging during startup indicating that it couldn't setup events. I surmised that openocd expected to be able to communicate with the target right from the get go so I decided to start the scope first and then start openocd.

That sequence worked and I was able to halt the processor. I did a small (4KB) memory dumps. The contents looked binary so I figured it was probably ok. The download rate was 6KB/s. I tried using various commands I found to turn up the speed (e.g. adapter_khz) but it appeared that those are not implemented by the Raspberry PI GPIO interface. I tried a larger dump of 1MB and found the rate consistent. That meant the required 64MB dump was going to take 3 hours.

I started the dump. As the scope case was not closed I decided to check whether anything was running hot.  The device with a heatsink was running at ~130F so I hooked up a case fan to push air towards it and it cooled to ~90F.  After ~3 hours the dump completed.

I built rigup 0.4.1 for the MSO1000Z using the content at http://gotroot.ca/rigol/rigup-0.4.1-mso1000z.zip. Note that you need to change the makefile replacing "-dead_strip" with "--gc-sections -s".  I used make clean to remove the existing/prebuild objects.  I then used rigup to scan for the various keys.  That worked! Next I generated a key for the triggers option (0x1c001). I double checked the key and input it in the scope. The scope accepted the key -- those options now showed "Official".  I generated the other keys (0x1c002, 0x1c004, 0x1c008 and 0x1c080) and input them.  I made a few mistakes inputting the keys in the scope so some were initially rejected but after correction all were accepted. I restarted after adding the last one (0x1c080 - Bandwidth) and now the scope reported itself as an MSO1104z with all options "Official".

I am thankful for all those who figured out the JTAG pin out, how to get the keys from the dump, wrote rigup.  Thank you also to all who documented their experience to make mine possible -- it's great that this community exists!

[Macbeth]

Very nice writeup on how you used a Pi to JTAG instead of the usual suspects 

However, I'm not sure your pinouts will work  That's a lot of signals all going to ground on pin 23 
 

JTAG signal	Scope Header Pin	Pi GPIO Signal	Pi Header Pin
TCK	1	11	23
TMS	3	25	23
TDI	5	10	23
TDO	4	9	23
TRST	7	11	23
Gnd	8	11	23

[arobincaron]

However, I'm not sure your pinouts will work  That's a lot of signals all going to ground on pin 23 

  I corrected the table.

BTW I'm not sure about the scope header connector numbering -- I didn't see a pin 1 designation. The picture in msg 720691 is clear though as to the correct location for each signal.

[whotopia]

Can someone help me out to restore the serial number of a DS2072A ?
I tried to do some of the hacks in the distant past and this lead me to a unit with serial number DS2A0000000001.
The MAC address on the LAN interface is also screwed up.  It's 46:46:46:46:46:46.  I assume this must be uniquely generated from the serial number somehow.
The device is currently at firmware DS2000(DSP)Update_00.03.04.01.00

I think if I could get hold of a memory dump from someone with a working unit (and what their serial number is) I could write back correct values into the scope with my own number.   Thanks!

[progfin]

Can someone help me to define options bits for DG1000Z?
Device has Arb16M option - how to enable it?
Thanks!

[Noize]

I have just bought Rigol MSO1074Z plus. It has operating system 0.4.4.

Does that mean I can't upgrade it with the JTAG method anymore?

[Prax]

I have just bought Rigol MSO1074Z plus. It has operating system 0.4.4.

Does that mean I can't upgrade it with the JTAG method anymore?

I've made several posts about not being able to unlock the later versions of the MSO1074Z-S. Riglol (gotroot.ca) hasn't been updated to reflect this; nor has there been any discussion aside from me making a fuss.
I suspect something has changed around version 04.03. Even the modified serial generator for the MSO1000 series on Riglol fails to find keys if you don't modify the offset to the new location where the keys are stored. Even after making the modification and generating the keys. I get a verification fail on the key signature.

As it stands, it will take several more new owners of the MSO1000 series before we will begin to see any action. It's unfortunate.

Previous Posts:
https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg931770/#msg931770

[qwertymodo]

Just bought a MSO1074Z-S, and unfortunately it came with firmware 4.03.SP2.  Board revision is 6.1.2, if that makes any difference.  Obviously, me asking when riglol/rigup will support the new firmware is of no use to anybody, but is there anything I can do that would be helpful at this point?  I haven't managed to grab the memory dump yet, but I do have the tools to do so, and I'll try to get that done this weekend.

[psysc0rpi0n]

What about unlocking the options for the MSO1104Z model? Is there any developments???

[psysc0rpi0n]

Is any of these devices suitable to do the memory dump of my Rigol MSO1104Z

http://www.ebay.com/itm/Bus-Blaster-v3-high-speed-JTAG-debugger-FT2232H-high-speed-USB-2-0-DIY-Maker-/302046697470?hash=item465362d7fe:g:GtUAAOSwawpXtVMX

or this:

http://www.ebay.com/itm/Bus-Pirate-v3-6-Universal-Serial-Interface-/201191425175?hash=item2ed7f18497:g:afwAAOSwWKtUr3dy

[hammy]

Compatible JTAG adapters are listed in message #2413 in this thread or do a search on the main page for "memory dump jtag" ... 
Have a look for the descriptions of the mentioned debuggers and do a comparison.
I dumped the mem in the past with this one: Olimex ARM-USB-OCD-H

Have fun!

Cheers
hammy