Sniffing the Rigol's internal I2C bus

[alank2]

FWIW I ended up mangling my SN on the latest firmware version, so that is not guaranteed to prevent it from happening.  It was either trying to uninstall a key via SCPI that did it, or attempting to install a key based on s/n DS2A000000000 by mistake (I forgot to paste my SN in before generating it).

[Avotronics]

I've just shortened the riglol mirror slightly, you'd better update it on the other page, its: http://rigol.avotronics.co.uk/riglol

Done.
Btw I see 2 different usernames, danfloun and Avotronics, is this the same person?

Yeah I've just binned danfloun, not using it no more. Sick of all the different forum logins and am trying to keep them all the same.

Danny

[Avotronics]

So how safe is hacking ds2072 up to 100mhz or more? Any bricks?
I'm think of ordering one soon.

[AndersAnd]

I think the only time you risk bricking it is if something goes wrong while updating the firmware. But that's not directly related to entering option keys. That can happen to anyone updating firmware even if they don't enter any keys.

Entering the keys themselves hasn't bricked any devices from what I've read in this topic. I think the worst thing that has happened is resetting the serial number. But it looks like only people who haven't followed all the steps I described earlier in the right order without any typos, wrong option codes or serials has done that.
But of course it's always on your own risk.

[marmad]

I think the only time you risk bricking it is if something goes wrong while updating the firmware. But that's not directly related to entering option keys. That can happen to anyone updating firmware even if they don't enter any keys.

I think it's virtually impossible to brick these DSOs by updating the firmware (and I've never heard/read of it happening to anyone). The DS2000 has a bootloader (unlike the DS1000E), so in case of a power failure, etc. during firmware update, the unit may not initially start, but you are still able to re-initiate another FW update during the next boot process.

In addition to that, unit-specific data is backed up in another part of memory - so in case it gets corrupted or overwritten, it's restored automatically on the next bootup.

[jamesb]

Ok, I have a theory. jamesb said he used option code DSAZ. This turns on all options including 200MHz, but not 100MHz. I used DSA9 which turns on all options including both 100MHz and 200MHz. Maybe turning both of these on with option 9 instead of Z has sort of an additive effect and tells the scope to operate up to 300 MHz.

Just a theory...

So try it and let us know jamesb! You'd be a good test since your scope is identical to mine in hardware and everything.

-Clayton

I've tried the procedure again, however, I was unable to install trial keys (likely due to my recent second calibration). If this is critical to the procedure, it may not be possible to "work around" into the 300MHz BW without trial licenses installed at the time of firmware upgrade. Having said that, I would have expected to hear more people with 300MHz BW machines simply by upgrading from firmware 00.01.00.05 to 01.01.00.02

My procedure was as follows:

• remove all current keys via SCPI: :SYSTem:OPTion:UNINSTall
• downgrade to FW 00.01.00.05
• generate trial key using Rigol KeyGen v2.0b1 and VSA9 option key
  
• attempt to install trial keys via SCPI :SYSTem:OPTion:INSTall <keyhere> (tried twice, using random seed = 1 and an actual random value)
• unit reported something to indicate that the trial keys are no longer accepted
• reinstall FW 01.01.00.02
• generate permanent key using DSA9 option key and the riglol tool (i385 version and x86_64 generate the same results)
  
• install permanent key using DSA9 option key, again using SCPI
• check BW: no good
• reboot machine, check BW: no good

The outstanding variables (aside from trial keys not being accepted/used) as far as I can tell are:

• firmware: not sure we are using precisely the same firmware files - mine were both from Marmad's list
• keygens: not entirely sure we are using the same version of the key generator programs - I used a version with attributes of: 84777 Sep  5 17:59 riglol

I wonder how we can more directly probe this ... any suggestions?

edit:

If anyone has a method of allowing me to install trial keys again without having to flash a ROM, please PM me so that I can attempt to remove the trial key status as a variable.

[AndersAnd]

If anyone has a method of allowing me to install trial keys again without having to flash a ROM, please PM me so that I can attempt to remove the trial key status as a variable.

Can't you just uninstall all official keys with the SCPI command :SYSTem:OPTion:UNINSTall and then install the trial keys generated with http://riglol.3owl.com

To generate trial keys instead of official keys just type V as the first character instead of D.
E.g. VSAZ instead of DSAZ:

DS2000 device options:
first character: D = official, V = trial
DSAB - Advanced Triggers
DSAC - Decoders
DSAE - 56M Memory
DSAJ - 100MHz
DSAS - 200MHz
DSAZ - all options

[Avotronics]

Not sure how getroot.ca operates when it's not accessible, but timeouts and/or redirects to landing pages (i.e. what 3owl.com does) should not affect my mirror. The mirror won't follow temporary or permanent redirects and timeouts will just result in nothing being mirrored, obviously.

I think that covers most situations, but time will tell.

Danny 

[jamesb]

To generate trial keys instead of official keys just type V as the first character instead of D.
E.g. VSAZ instead of DSAZ:

As you will note, I did indicate generating a trial key using the VSA9 option key. The oscilloscope said something to the effect of "trial license unavailable"
Having said that, I tried again this morning, but I used a different keygen and was able to install a trial license using VSA9 (as attempted before).

My latest iteration was as follows:

• Start with FW version 01.01.00.02
• Generate trial license using riglol and VSA9 option key
• Install trial license via SCPI
• Downgrade to FW version 00.01.00.05
• Rebooted machine to be met with a report that trial licenses expired
• Tried to install trial license via SCPI using previously generated value
• Unit said: "Used serial number"
• Generated new trial license using Rigol Keygen v2.0b1 and VSA9 option key (riglol appears to generate the same code every time due to random seed = 1)
• Install trial license via SCPI
• Reboot machine & confirm FW 00.01.00.05 and all trial licenses running
• Install FW version 01.01.00.02
• Reboot machine trial options did not expire as Bandgap experienced, checked BW (just in case) and still 200MHz scope
• Generated new permanent key using Riglol and DSA9 option key
• Check BW and scope is still a 200MHz machine

All firmware upgrades were done via safe method (cold boot, press power, press "help" before LEDs turn off, CH1 blinks indicating FW installation) and all key installs were done via SCPI (Ultra Sigma).

So the difference this time is that I was able to install trial keys, however, they did NOT expire when upgrading from FW 00.01.00.05 to 01.01.00.02 as Bandgap experienced. I will try the whole process again, but it would be nice to know what key generating tools were used in the successful method as well as to have the exact FW copies to use.

[AndersAnd]

As you will note, I did indicate generating a trial key using the VSA9 option key. The oscilloscope said something to the effect of "trial license unavailable"

Did you uninstall the official keys first before trying to install trial keys?

[jamesb]

As you will note, I did indicate generating a trial key using the VSA9 option key. The oscilloscope said something to the effect of "trial license unavailable"

Did you uninstall the official keys first before trying to install trial keys?

Yes, I started with what could be described as a "fresh out of the box" approach. Ie. uninstalled all keys, installed new "trial" key and then started the whole procedure.

[AndersAnd]

As you will note, I did indicate generating a trial key using the VSA9 option key. The oscilloscope said something to the effect of "trial license unavailable"

Did you uninstall the official keys first before trying to install trial keys?

Yes, I started with what could be described as a "fresh out of the box" approach. Ie. uninstalled all keys, installed new "trial" key and then started the whole procedure.

I don't get it, you just said in your previous post you couldn't install the trial keys (trial license unavailable) and now you say you did install them?

[AndersAnd]

Yay... DS2302  (Randomly got it, I guess?) This is a DS2202 unit.

Do you still have the generated key you entered?

[jamesb]

I don't get it, you just said in your previous post you couldn't install the trial keys (trial license unavailable) and now you say you did install them?

That is exactly what I said.
I mentioned being given an error message to the effect of "trial key no longer accepted"
Any particular reason why are you getting caught up about this detail?

[jamesb]

I am beginning to think that getting 300MHz to work is more fluke than anything else.
I've been upgrading and downgrading FW versions, etc, trying to find the exact combination required to make this work and I stumbled onto this:



Notice the trial timers??
And I can not seem to remove the trials now .. I can however get them to reset to their ~4000 minute mark

[alank2]

I am beginning to wonder if there is any logic to it at all.  Mine can't return to a DS2072 now either.  So it has the 00001 sn and is stuck in DS2202 mode.  Won't accept any trial licenses either.  Makes me wonder if the trial extension is part of the problem, maybe no one should load V codes.

[darrylp]

I think their might be multiple slots in memory so to speak to hold the license keys. I had to use the uninstall Scpi command a couple of times to remove my trial ones I had loaded on top of already loaded trial with a different combo of options.

Worth doing 5 or 6 uninstalls in a row.

--
Darryl

[alank2]

I think their might be multiple slots in memory so to speak to hold the license keys. I had to use the uninstall Scpi command a couple of times to remove my trial ones I had loaded on top of already loaded trial with a different combo of options.
Worth doing 5 or 6 uninstalls in a row.

I wonder if loading too many keys is what will overflow their slots and perhaps this is what erases the S/N.  I'm not sure if multiple uninstalls clears the slots or just removes the features.

[olsenn]

When you people keep saying you've turned your DS2072 into a DS2302, do you mean you turned it into a DS2302A?

[AndersAnd]

When you people keep saying you've turned your DS2072 into a DS2302, do you mean you turned it into a DS2302A?

I think only one person has successfully upgraded a DS2072 to DS2302 (and not on purpose).
DS2000 and DS2000A seems to be almost the same thing except for this:

Can anybody spot any differences between the DS2000A-Series and the regular DS2000-Series, apart from the inclusion of a 300MHz model and most likely better encryption

Comparing data sheets (DS2000A from Rigol's Chinese web site), the only differences that I can see are:

1)  Added model DS2302A with 300MHz BW and 1ns/div horizontal.
2)  Switchable 50 ohm input termination
3)  Optional CAN bus trigger and decode

The odd thing is that if you look at the current product pages for the DS2000 series scopes on the various Rigol web sites, they list DS2000A as the model number in the specifications:
For example:  http://www.rigolna.com/products/digital-oscilloscopes/ds2000/ds2072/    (click on "Specifications" tab).

And DS2000A also seems to require different option keys than 2000. Nobody has successfully used the DS2000 keygen for a DS2000A.

DS2000A has HW ver. 2. but it's a HW ver. 1 that has been upgraded to DS2302.
Don't think it now has CAN decoder too, but easy to check.
Also easy to check if you can now select 50 termination and if you can if it actually works in the hardware.
Not sure if HW ver. 1 supports 50 ohm termination.

[bandgap]

Yay... DS2302  (Randomly got it, I guess?) This is a DS2202 unit.

Do you still have the generated key you entered?

Sorry, I don't (wish I had thought to save it!) I did use the riglol-x86_64-linux binary mirrored here: http://www.gotroot.ca/rigol/. I used DSA9 and I did not enter the optional private key.

I'm tempted to remove the keys via SCPI and see if I can easily get it back again, but I'm afraid it wouldn't be so easy - especially if there's no rhyme or reason to it!

-Clayton

[AndersAnd]

Yay... DS2302  (Randomly got it, I guess?) This is a DS2202 unit.

Do you still have the generated key you entered?

Sorry, I don't (wish I had thought to save it!) I did use the riglol-x86_64-linux binary mirrored here: http://www.gotroot.ca/rigol/. I used DSA9 and I did not enter the optional private key.

I'm tempted to remove the keys via SCPI and see if I can easily get it back again, but I'm afraid it wouldn't be so easy - especially if there's no rhyme or reason to it!

-Clayton

I wonder if a JTAG memory dump of your scope could be helpful in finding an option code for 300 MHz?

[Avotronics]

I'm gonna get the DS2072 but can't just at the minute, maybe after xmas.
Just wondering; If I end up with a DS2072A does that mean I'd be currently stuck at 70MHz?

[cybernet]

most likely just another screwup (same like serial reset) due to the fact that temp keys leave traces in the NV memory and shitty chinese programming.
as shown in one of the first pages in this thread, if u change the "model_type_id" (thats what i call it) to a certain value, u get 500ps time resolution (on the screen only obviously).
the actual model type string DS2 .. is generated on the fly. supported characters are 1,2,3,4,5 ... so a DS2502 is probably possible.

[AndersAnd]

I'm gonna get the DS2072 but can't just at the minute, maybe after xmas.
Just wondering; If I end up with a DS2072A does that mean I'd be currently stuck at 70MHz?

I think someone needs to upload a JTAG memory dump of JTAG DS2000A series before it can be hacked.
Noone has uploaded a dump from DS2000A yet and only very few has reported getting a DS2000A series yet.