Sniffing the Rigol's internal I2C bus

[neslekkim]

But how is the process of buying a key?, what is collected from the scope to enable the correct key to the user?
If they change keys often in the scope, that would make it harder for Rigol, no?

[AndersAnd]

But how is the process of buying a key?, what is collected from the scope to enable the correct key to the user?
If they change keys often in the scope, that would make it harder for Rigol, no?

They need your Rigol's serial number when ordering a SW option. Their computer would know what key belongs to what serial numbers. It probably all computer automated so it wouldn't make it harder for them.

The bad thing is for customers is that a SW option is tied to a specific device, so if they break their device and have to buy a replacement, they will also have to pay for all the extra option keys again.

[NikWing]

Zombie28: what "production weeks" do you have atm?

[zombie28]

Zombie28: what "production weeks" do you have atm?

DS2202A: 42
DS2072A: 43, 44, 46

[NikWing]

that's the 2 digits after the ds2d15, right?
then I also have one from week 46

[neslekkim]

my ds2202a-s is then week 46 if it is digit 7-8 in the serial

[zombie28]

that's the 2 digits after the ds2d15, right?
then I also have one from week 46

PM sent, let us know if the keys match your scope

[hammy]

I would like to help and I'm ready to open my oscilloscope to JTAG this dump, but I'm not very familiar with in windows system JTAG,Can some guidance?

See posting #2447
A excellent tutorial! 

[marmad]

I would like to help and I'm ready to open my oscilloscope to JTAG this dump, but I'm not very familiar with in windows system JTAG,Can some guidance?

See posting #2447
A excellent tutorial! 

Also now linked to in the first post of this thread - in case you forget the number

[hammy]

Also now linked to in the first post of this thread - in case you forget the number

Good idea! Just answering the obvious questions.
They all want to hack their scope, but don't take the time to read the thread. No pain, no gain!
Sometime the answer its just five messages away. 

[anson80]

Also now linked to in the first post of this thread - in case you forget the number

Good idea! Just answering the obvious questions.
They all want to hack their scope, but don't take the time to read the thread. No pain, no gain!
Sometime the answer its just five messages away. 

If I say I almost from the beginning to see in the end, you will believe that?
Please forgive me, I like serious to read all the articles, but my English is not good,I think have A JTAG method different
I have seen posting #2446 , but like Linux operation

[hammy]

If I say I almost from the beginning to see in the end, you will believe that?

I believe it.

Please forgive me, I like serious to read all the articles, but my English is not good, I think A and A through the JTAG method is different
I have seenposting #2447A , but like Linux operation

Ok. You only have windows and you want to know how to do the jtag dump with windows?
If someone provided already a dump from a scope from the same week like yours, it is not necessary to do this dump. In this case be nice to tirulerbach or zombie28 and ask for a key. Make more dumps and send the files to them!

This hacking here is an ongoing process. They all do great work. It needs time and a lot of effort!

[anson80]

If I say I almost from the beginning to see in the end, you will believe that?

I believe it.

Please forgive me, I like serious to read all the articles, but my English is not good, I think A and A through the JTAG method is different
I have seenposting #2447A , but like Linux operation

Ok. You only have windows and you want to know how to do the jtag dump with windows?
If someone provided already a dump from a scope from the same week like yours, it is not necessary to do this dump. In this case be nice to tirulerbach or zombie28 and ask for a key.

If not -> just wait patiently. Maybe someday there will be a ready-to-use keygen for your scope.
This hacking here is an ongoing process. They all do great work. It needs time and a lot of effort!

Thank you for your help
I just want to give some help, I don't care whether can get keygen. I don't want to No pain

[granz]

Quick bandwidth measurement animation of my DS2072A after the keygen (now shows as DS2202A in system info).   It's a bit course because of the file size limitation.

I'll create a graph in the next few days which is more complete, but I thought I'd post this to help motivate people to provide more memory dumps.

Setup: Signal generator used was a Tektronix SG 503 Leveled Sine Wave Generator which goes up to 250 MHz.  Output was set at 2.00 Vpp (about +/- 5%) and verified with a 500 MHz scope over the frequency range shown.  All images are at the 5ns time base setting.  I'll include data from other time base settings in the graph.  (Obviously, 50 Ohms -to- 50 Ohms w/ 50 Ohm cable--same cable used to verify signal generator output with other scope).

You might notice that I couldn't actually get to the 3 dB point (~1.41 Vpp) with my signal generator due to it's limited output.  I guess I should build myself a fast pulse generator.

[AndersAnd]

Quick bandwidth measurement animation of my DS2072A after the keygen (now shows as DS2202A in system info).

Any reason why you didn't upgrade to DS2302A instead of DS2202A?

[granz]

Actually, I tried that first.  It took the key but nothing happened except that the decode options were unlocked.  The model # stayed the same in system info and I didn't get the 2ns time base option, so I assumed it didn't take.

[marmad]

Actually, I tried that first.  It took the key but nothing happened except that the decode options were unlocked.  The model # stayed the same in system info and I didn't get the 2ns time base option, so I assumed it didn't take.

2ns time base is already available on DS2202 models (as well as 100M BW limit). 1ns time base becomes available when 300MHz is unlocked.

[granz]

Yes, I understand that 2ns is normally available on DS2202 models, but mine started as a DS2072A with 5ns as the fastest timebase.  What I meant was that I first tried the 300MHz key, but still had only 5ns TB (no 2ns or 1ns) and no model number change (still claimed DS2072A).  When I then tried the 200MHz key it converted to a DS2202A with 2ns TB.  I didn't try the 300MHz key again after already converting it to a DS2202A, but maybe I should?

Tirulerbach can probably comment more, but he did say the 300MHz option was absolutely untested...

[AndersAnd]

Actually, I tried that first.  It took the key but nothing happened except that the decode options were unlocked.  The model # stayed the same in system info and I didn't get the 2ns time base option, so I assumed it didn't take.

So the 4 letter options you have tried are NSEQ and NSFH?

For a appetizer look at the screenshot. Total running time is about 300ms...   O0

[granz]

Exactly.  I went with NSFH first and although it didn't reject the key, nothing happened (no model# change, still stuck at 5ns, no 100 MHz BW limit).  I guess this confirms that it doesn't work at this point?

I then went with NSEQ and that worked as expected (100 MHz BW, 2ns, model# change+plus shows 200MHZ installed option).

[AndersAnd]

Exactly.  I went with NSFH first and although it didn't reject the key, nothing happened (no model# change, still stuck at 5ns, no 100 MHz BW limit).  I guess this confirms that it doesn't work at this point?

What about all the other options like CAN decoder bigger memory etc.? Were they not enabled with NSFH either?

[granz]

All trigger/decoder options including CAN were enabled with NSFH, I can't remember about the sample mem (but I think no), but there was definitely no BANDWIDTH option installed like there is now with NSEQ.  Essentially all NSFH did was remove the trial periods which hadn't yet expired.  Looking back I wish I had taken a screenshot.  I was mostly interested in seeing the 2ns and 1ns TBs and the 100 BW limit, which didn't become available until I used NSEQ (but no 1ns TB).

Hope that helps.

Is there anything known about the SMD jumpers and what they effect?  (Sorry if it's listed elsewhere)

[battlefield]

So I'm having one problem with my jtag connection. I connect all the wires as shown in the schematic, using Olimex ARM-USB-OCD and then run the command buergi ran (sudo ./bfin-gdbproxy...) and I get the following in my console:

Code: [Select]

debug:     bfin: bfin_open ()
Found USB cable: ARM-USB-OCD
Connected to libftdi driver.
warning: TDO seems to be stuck at 0
error:     bfin: detecting parts failed
debug:     bfin: bfin_open ()
Found USB cable: ARM-USB-OCD
error: Couldn't connect to suitable USB device.
error:     bfin: cable initialization failed
Also when I plug my JTAG cable in my computer the led turns green and as soon as I run the command it turns red. I'm using linux 12.04 LTS x64

[Flipp]

So I'm having one problem with my jtag connection. I connect all the wires as shown in the schematic, using Olimex ARM-USB-OCD and then run the command buergi ran (sudo ./bfin-gdbproxy...) and I get the following in my console:

Code: [Select]

debug:     bfin: bfin_open ()
Found USB cable: ARM-USB-OCD
Connected to libftdi driver.
warning: TDO seems to be stuck at 0
error:     bfin: detecting parts failed
debug:     bfin: bfin_open ()
Found USB cable: ARM-USB-OCD
error: Couldn't connect to suitable USB device.
error:     bfin: cable initialization failed
Also when I plug my JTAG cable in my computer the led turns green and as soon as I run the command it turns red. I'm using linux 12.04 LTS x64

Is there any difference, if you do not connect the jtag side of the Olimex to anything? Is it possible to create a "working" jtag chain without any devices by shorting tdi and tdo pins together? Sounds like you have a break in the jtag chain or a fried input chip on your adapter.

Flip

[battlefield]

Nope, all the same no matter what I do -.-

Edit after shorting TDI and TDO and apllying 3.3V to VREF pin I got this

Code: [Select]

debug:     bfin: bfin_open ()
Found USB cable: ARM-USB-OCD
Connected to libftdi driver.
error:     bfin: detecting parts failed
debug:     bfin: bfin_open ()
Found USB cable: ARM-USB-OCD
error: Couldn't connect to suitable USB device.
error:     bfin: cable initialization failed