Sniffing the Rigol's internal I2C bus

[AndersAnd]

Just a thought but since theres so much information around and mostly spread across this forum thread i think its time a lot of the facts are consolidated in same way.

Unless someones already done it i can host a wiki on one of my jap based VPS's,...

The member "Avotronics" is already working on somthing like this here http://rigol.avotronics.co.uk

I can also mirror the keygen since its mostly javascript correct? Then eventually setup a firmware archive of sorts...

Avotronics has already mirrored the http://riglol.3owl.com keygen here http://rigol.avotronics.co.uk/mirrors/riglol/
But of course you could always set up another mirror.

[alank2]

thx cosmos - will see if i find code for it.

Can somebody with JTAG query this data to see what is there - that might be pretty enlightening.

[cosmos]

thx cosmos - will see if i find code for it.

Can somebody with JTAG query this data to see what is there - that might be pretty enlightening.

Keep in mind that this will be accessed trough the FPGA fabric, this means it can easily be obfuscated so it might not be a nice contiguous memory area.

[apelly]

and as far as I know, no A-model owner has attempted to just downgrade to a v.1 firmware, run the keygen, and then upgrade back to v.2 (not sure why).

Busy with life. Maybe today.

[apelly]

Just a thought but since theres so much information around and mostly spread across this forum thread i think its time a lot of the facts are consolidated in same way.

Unless someones already done it i can host a wiki

There is already a wiki at http://www.eevblog.com/wiki/

I'll help if you like.

[AndersAnd]

and as far as I know, no A-model owner has attempted to just downgrade to a v.1 firmware, run the keygen, and then upgrade back to v.2 (not sure why).

Busy with life. Maybe today.

Ordered a bus blaster tonight. Will be here in a week or so. Plan is to extract the 2072A firmware.

Have you received your Dangerous Prototypes Bus Blaster yet? Maybe it would be best to do a JTAG memory dump on your DS2000A scope before modding it?
Noone has posted a JTAG memory dump from DS2000A yet.

Which Bus Blaster version did you order, v3 or v4?
Bus Blaster v3 http://www.seeedstudio.com/depot/bus-blaster-v3-p-1415.html
Bus Blaster v4 http://www.seeedstudio.com/depot/bus-blaster-v4-p-1416.html

[alank2]

Noone has posted a JTAG memory dump from DS2000A yet.

Is there a JTAG memory dump from the DS2000 somewhere?  Where?

[alank2]

Dave's teardown talks about a Lattice Mach IO PLD - any idea what would be the likely way the Blackfin would communicate with this?

[AndersAnd]

Noone has posted a JTAG memory dump from DS2000A yet.

Is there a JTAG memory dump from the DS2000 somewhere?  Where?

I think cybernet has done a JTAG dump: https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg241335/#msg241335
But I'm not sure he has uploaded it, but you could try to ask him for it.

[apelly]

Have you received your Dangerous Prototypes Bus Blaster yet? Maybe it would be best to do a JTAG memory dump on your DS2000A scope before modding it?
Noone has posted a JTAG memory dump from DS2000A yet.

Hasn't arrived yet. Did get a shipping note a few days ago. Will check the post box this afternoon.

You raise a good point. I will get what I can with JTAG before I dick around with the firmware.

Which Bus Blaster version did you order, v3 or v4?
Bus Blaster v3 http://www.seeedstudio.com/depot/bus-blaster-v3-p-1415.html
Bus Blaster v4 http://www.seeedstudio.com/depot/bus-blaster-v4-p-1416.html

v4

Carrington has given me his notes and data for emulating a JTAGkey, but that might still take a while to set up.

[cybernet]

Dave's teardown talks about a Lattice Mach IO PLD - any idea what would be the likely way the Blackfin would communicate with this?

via SPORT

[alank2]

via SPORT

I've decoded the LDR streams and then loaded them into IDA.  I can see about a dozen subs that contain SPORT registers, but no SPORT0_RX or SPORT1_RX...

[cybernet]

study the bfin manual with regards to DMA

[cosmos]

Dave's teardown talks about a Lattice Mach IO PLD - any idea what would be the likely way the Blackfin would communicate with this?

Maybe I am blind but I don't see any candidates for a Lattice PLD (except maybe the small clock generation device next to the ADC and sample FPGA).
When in the teardown was this? and was he talking about the DS2k?

[cybernet]

Dave's teardown talks about a Lattice Mach IO PLD - any idea what would be the likely way the Blackfin would communicate with this?

Maybe I am blind but I don't see any candidates for a Lattice PLD (except maybe the small clock generation device next to the ADC and sample FPGA).
When in the teardown was this? and was he talking about the DS2k?

keyboard/leds on the frontpanel

[cosmos]

Dave's teardown talks about a Lattice Mach IO PLD - any idea what would be the likely way the Blackfin would communicate with this?

Maybe I am blind but I don't see any candidates for a Lattice PLD (except maybe the small clock generation device next to the ADC and sample FPGA).
When in the teardown was this? and was he talking about the DS2k?

keyboard/leds on the frontpanel

Duh... That makes sense yes.
Not so interested in that I guess, must have been absent minded watching that part.

[Carrington]

Is this correct?
IMHO would be interesting know the entire table, and thus activate the desired options with a single key.

Code: [Select]

Code table: Use DSYX for a official key, and use VSYX for a trial key.

Y  CAN, 300, 50ohm

A   none
B   ==   ==   on
C   ==   on   ==
D   ??   ??   ??
E   on   ==   ==
F   ??   ??   ??
G   ??   ??   ??
H   on   on   on
J   ??   ??   ??
K   ??   ??   ??
L   ??   ??   ??
M   ??   ??   ??
N   ??   ??   ??
P   ??   ??   ??
Q   ??   ??   ??
R   ??   ??   ??
S   ??   ??   ??
T   ??   ??   ??
U   ??   ??   ??
V   ??   ??   ??
W   ??   ??   ??
X   ??   ??   ??
Y   ??   ??   ??
Z   ??   ??   ??

[fcab100]

DSA9 through DSH9
=====================================================
D S * 9    AT   DC  CAN  MD  100  200  300   unknown

      A       ON  ON    =    ON   ON   ON    =        =

      B       ON  ON    =    ON   ON   ON    =        *

      C       ON  ON    =    ON   ON   ON   ON       =
     
      D       ON  ON    =    ON   ON   ON   ON       *
                           
      E       ON  ON   ON   ON    ON   ON   =        =

      F       ON  ON   ON   ON    ON   ON   =        *

      G       ON  ON   ON   ON    ON   ON  ON      =

      H       ON  ON   ON   ON    ON   ON   ON     *


--------------------------------------------------------------------------------------------------
I have not found what * dose yet.
The "*" unknown option dose not turn on 50ohm for my DS2072 HW 2. 
-------------------------------------------------------------------------------------
Also tried DSI9 through DSZ9. Got license unavailability.  I'm guessing its not a good idea to use DS*9 option same as before.
-----------------------------------------------------------------------------------------------------------

[eV1Te]

New firmware is out for DS1000Z, version 00.02.01.SP1

It has quite a lot of bug fixes and seems to have faster GUI as well. 

Now its possible to export the full memory of points as wfm files, but I have not found any software that supports these files, either to open or convert them... Does Rigol have any software for this?

[AndersAnd]

New firmware is out for DS1000Z, version 00.02.01.SP1

Nice, can you please share the file?

[Carrington]

@fcab100 I believe that you are mixing tables. X variable was defined in the nex table, so DSY9 enable (200, 100, Men, Dec and Trig).
The table to which I refer is only for Y. If I'm not mistaken Y variable directly affects only to the new features.

Cheers. 

Code: [Select]

Code table: Use DSYX for a official key, and use VSYX for a trial key.

X  200, 100, Mem, Dec, Trig

A   none
B   ==   ==   ==   ==   on
C   ==   ==   ==   on   ==
D   ==   ==   ==   on   on
E   ==   ==   on   ==   ==
F   ==   ==   on   ==   on
G   ==   ==   on   on   ==
H   ==   ==   on   on   on

Note: keys A..H wont change the model, only ADD an option.

2102:

J   ==   on   ==   ==   ==   
K   ==   on   ==   ==   on
L   ==   on   ==   on   ==
M   ==   on   ==   on   on
N   ==   on   on   ==   ==
P   ==   on   on   ==   on
Q   ==   on   on   on   ==
R   ==   on   on   on   on   <-  All 2102

2202:

S   on   ==   ==   ==   ==   
T   on   ==   ==   ==   on
U   on   ==   ==   on   ==
V   on   ==   ==   on   on
W   on   ==   on   ==   ==
X   on   ==   on   ==   on
Y   on   ==   on   on   ==
Z   on   ==   on   on   on   <-  All 2202

DONT USE BELOW Not recommended, as activates 2102 and also 2202:

2   on   on   ==   ==   ==
3   on   on   ==   ==   on
4   on   on   ==   on   ==
5   on   on   ==   on   on
6   on   on   on   ==   ==
7   on   on   on   ==   on
8   on   on   on   on   ==
9   on   on   on   on   on

[Git]

New firmware is out for DS1000Z, version 00.02.01.SP1

Has the key and/or serial number format changed?

Git

[NikWing]

does the shop where you bought the DSO send you the updates?

I wonder if the waveform gen in the S version is limited, too
I found little to no information about this new DSO yet ...
and it seems I have to wait until January until I can obtain one :/


btw, just want to say this: I really repect what you people did here ... I wish I would know how cybernet (for example) did all this reverse engineering stuff ... wow

[marmad]

I wonder if the waveform gen in the S version is limited, too

No.

I found little to no information about this new DSO yet ...

I'm not sure exactly which DSO you mean, but Rigol has published fairly detailed datasheets for both the DS2000A-S series, as well as the DS1000Z-S series.

Just look for the specs of the waveform generator down near the bottom in the "Signal Source (DSXXXXX-S)" section.

[eV1Te]

New firmware is out for DS1000Z, version 00.02.01.SP1

Nice, can you please share the file?

Here is the new firmware for the DS1000Z and DS1000Z-S

Version 00.02.01.SP1

Too large to attach as a single file, so here is link to my FTP:
ftp://eevblog:555@ev1te.myftp.org/DS1000Z(ARM)update00.02.01.rar