Sniffing the Rigol's internal I2C bus

[Buzz239]

I guess there is nothing that can be done with the DS1102E it seems like it's already a Hacked DS1052E.

[granz]

A couple things to check: do you see any clock activity on the TCK line when looking at it with a scope when you start up bfin-gdbproxy?  Also, I just looked at the image of the connected programmer in the tutorial and it looks like he has the 3.3V from the Rigol JTAG header connected directly to the 3.3V from the other header on the Rigol board.  THIS IS A BAD IDEA. These might be different 3.3V supply rails, and this connects the outputs of both regulators together.  Just leave the 3.3V pin on the JTAG header unconnected.  I didn't notice it originally, but this should be corrected in the tutorial.

With your Olimex ARM-USB-OCD you probably need to supply VREF to set the signal levels, otherwise you'll get nothing.

If you want to play it safe, set your DS2000 scope aside and first try just using a bench power supply with 3.3V connected to the VREF pin of your ARM-USB-OCD.  Start up bfin-gdbproxy and look for the TCK signal.  Also, nTRST should go high as soon as you start bfin-gdbproxy.

I took the image of the ARM-USB-OCD connector from the website and annotated it for you.  I don't have the device, so I can't verify the pinout of the connector.

I hope that helps.

[Flipp]

I guess there is nothing that can be done with the DS1102E it seems like it's already a Hacked DS1052E.

Those days the topic is not really about  the DS1kE  series anymore. It has grown in federal directions over time.

BTW. I just found out that my DS2072A is another 42nd weeks product just like tirolerbachs DS2202A is one. It would be nice to know if the private keys they used are consistent over the DS2kA series within every production week, wouldn`t it?
There are 2 possibilities how they manage their licence key generation:

1. They have a list of their Keys which are random generated by rolling dice. Their license generator chooses the right key by looking at the Build date in the Serial ##

2. They generate the private key for the ECC in their license key generator by using the serial  number and some sort of super-duper-hyperprivate key and a unknown Scramble or encryption algorithm. This would be very clever for them because all of the vulnerability is in their very secret  own piece of software. No risk of loosing a list of private keys, they simply can keep their super-duper-hyperprivate key in a safe place without the need of weekly updates. We can look if there is any simple correlation between the different private keys.

Best way for us would be to have a firmware which overrides the key verification process but this is a very hard way to go since all the reversing takes a lot of efford. Cybernet has already proven the possibility to toggle some functions like the bw. limit by firmware update.

Flip

[battlefield]

Ok as it looks like it only doesn't work using blacfin tools, it works when I'm using urjtag Now let's study some docs to get the right commands for memory dumping

Code: [Select]

jtag> cable arm-usb-ocd
Connected to libftdi driver.
jtag> frequency 5000000
Setting TCK frequency to 5000000 Hz
jtag> detect
IR length: 5
Chain length: 1
Device Id: 00100010011111100100000011001011 (0x227E40CB)
  Manufacturer: Analog Devices, Inc. (0x0CB)
  Part(0):      BF526 (0x27E4)
  Stepping:     2
  Filename:     /usr/share/urjtag/analog/bf527/bf527
warning: ARM-USB-OCD: untested cable, set wait_clocks to 30

[granz]

I've been down that road actually.  You can't get the memory dumps from the generic urjtag because it doesn't have the bus support which is added in the bfin toolchain version.  Check "help initbus" from both versions of urjtag and you'll see the difference.  I also couldn't get the bfin-jtag/bfin-gdbproxy versions to work with my adapter under 64-bit Linux.  They worked for me on a 32-bit Linux box.  Something to do with the ftdi driver I believe.

[ju1ce]

It turns out that my JLink/urjtag connection is not hanging, instead its just going really really slow 
I've set the frequency to 6 MHz, but its so slow its more like a few kHz (I would check with my scope but the CPU is halted....)

The main problem is the SDRAM - I'm currently trying to dump the full SDRAM address space (128 MB) and its only 1% through after 30 minutes - its going to take too long.... (50hrs?)

On the board it looks as though there's only a single 32 MB SDRAM chip connected to the bf526. I'm gonna assume that its address range is 0x0000 0000 to 0x01FF FFFF and limit the SDRAM dump to that instead.

Sorry for the bad news, but I'm goin to persevere and will let you know how it goes.

If anyone has a J-Link running with urjtag at a decent speed let me know!

Any progress in this Segger J-Link speed issue? I started a dump of my DS2072A (serial DS2D1542xxxxx) FW 00.02.01.00.03, and it will be ready tomorrow night at this pace...

[tirulerbach]

If someone provided already a dump from a scope from the same week like yours, it is not necessary to do this dump.

Clear and brief: Bullshit. 

We have only a few f*cking dumps. But we need 20, 30 or even more dumps to build a valuable data basis.

In this case be nice to tirulerbach or zombie28 and ask for a key.

This simply won't work. Begging for keys is wasted time. Show your support by providing dumps or some other help. That's the only way to take part of the game.

When I then tried the 200MHz key it converted to a DS2202A with 2ns TB. 

Did the scope showed the "200 MHz option" or did the scope show really a different model number? 
What is the behavior of non-A-models on bandwidth upgrades?

Tirulerbach can probably comment more, but he did say the 300MHz option was absolutely untested...

Don't know anything about the 300 MHz option, but only install one out of the four licenses. So hook up USB to your scope and use a terminal to tidy up. Beyond that, read your PM.

BTW. I just found out that my DS2072A is another 42nd weeks product just like tirolerbachs DS2202A is one. It would be nice to know if the private keys they used are consistent over the DS2kA series within every production week, wouldn`t it?

A dump will help.

[NikWing]

uah ... I'd make a memdump if I had linux (which can be downloaded, windows is not possible, if I got it right), a spare PC to install it on (which I dun have), a USB jtag (only have serial, gah)
beside that, I'm now puzzled about the way to connect after reading the posting above (about the 3V3 connection) -_-;
aaaand I'm kinda scared since I never jtagged something before and might break the DSO and risk warranty of something that costs more than I can afford over 2 months D:

but IF there's a way for me to read out a memdump and real good fool-proof instruction for complete jtag noobs who are scared to break the device, I'll try my best to get one >_>

[neslekkim]

but IF there's a way for me to read out a memdump and real good fool-proof instruction for complete jtag noobs who are scared to break the device, I'll try my best to get one >_>

this? https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg365951/#msg365951

Only thing I need, is to find out which pins on my ftdi2232h breakout (dangerousprototypes) I need to connect to jtag..
and maybe I need linux, but that can be done in an VM using virtualbox or something I guess, no need for an separate computer.

[NikWing]

maybe a linux live dvd works (though I'm no linux guy AT ALL, I dun really like it lol)
yes, I know the how-to, but recent posts were about the 3V3 connection and that it shouldn't be connected to the pin in the DSO
and I only have seen an old atmel AVR jtag at work, no idea if it's broken or compatible, beside the com/sub-d port XD
troubles XD

[PA0PBZ]

What is the behavior of non-A-models on bandwidth upgrades?

It changes both the model (DS2072->DS2302) and shows the bandwidth option (300M BandWidth), this on rev 2 hardware.

[AndersAnd]

and maybe I need linux, but that can be done in an VM using virtualbox or something I guess, no need for an separate computer.

Can't you also just use a Linux Live-CD/DVD like Knoppix or similar as an alternative? No installation required.

The LiveCD List http://www.livecdlist.com/operating-system/linux

http://en.wikipedia.org/wiki/Live_CD

A live CD, live DVD, or live disc is a complete bootable computer installation including operating system which runs in a computer's memory, rather than loading from a hard disk drive; the CD itself is read-only. It allows users to run an operating system for any purpose without installing it or making any changes to the computer's configuration. Live CDs can run on a computer without secondary storage, such as a hard disk drive, or with a corrupted hard disk drive or file system, allowing data recovery.

[Pehtoori]

Only thing I need, is to find out which pins on my ftdi2232h breakout (dangerousprototypes) I need to connect to jtag..
and maybe I need linux, but that can be done in an VM using virtualbox or something I guess, no need for an separate computer.

Might be better to use linux live CD, you can install programs to it, they will be installed to ram. And when you power down all will be gone and back to M$ land you go So save the files to usb or other media before shutting down.

Live CD tools that mess around with HDD will make changes to you windows system, so just don't use them. U can't do it by accident.

<dam I'm slow>

[neslekkim]

Probably, the OS is least of my problems, I can use an raspberry, or my olimex a20 for that if an vm is not usable.

this on the other hand:

http://www.seeedstudio.com/depot/ft2232h-usb-20-hispeed-breakout-board-p-737.html?cPath=19_88

I have it lying here, but not sure what of the connections are for jtag, maybe I will find it on the ftdi datasheet though, but many have used it for jtag, so I don't understand why it's so difficult to find the pinout, my google-foo is expiring..
If the card at all is compatible with urjtag though..

[NikWing]

I can't tell for sure yet since I don't know enough about it: I just tried some keys of a DSO that has the same production week as mine
and I got "license unavailable"
so it seems a memdump IS needed for every a-series DSO

[pascal_sweden]

The distributor in Sweden offers both the DS2072 and DS2072A model at this point in time.

In fact they throw in a discount for the old DS2072 version.
But there is no confirmation if it is HW version 2 or not. I could ask them though.

For my understanding, is DS2072A much improved or only improvement on internal impedance switch?
Or is the overall design improved?

I would like to see summary table with difference between DS2072 HW1, DS2072 HW2 and DS2072A to get overall picture all at once.

Can DS2072 HW version 1 be upgraded to 200 MHz only or up to 300MHz? Verified with actual measurements on scope to double check if it really works and not only in GUI?
Which decoding/memory options can be added?

Can DS2072 HW version 2 be upgraded to 200 MHz only or up to 300MHz? Verified with actual measurements on scope to double check if it really works and not only in GUI?
Which decoding/memory options can be added?

Can DS2072A be upgraded to 200 MHz only or up to 300MHz? Verified with actual measurements on scope to double check if it really works and not only in GUI?
Which decoding/memory options can be added?
I understand that DS2072A might require individual memory dump to do actual upgrade for time being, but still I like to know if HW is capable of the upgrade. Then I can wait until the generic hack is in place, as I dont want to open my scope. But I need to know if DS2072A can be made 100% same as DS2302A.

Did anyone do visual inspection of actual PCB boards between DS2072 and DS2302?

Did anyone do visual inspection of actual PCB boards between DS2072A and DS2302A?

Given that people open up their scope for making memory dumps, visual inspection might be done at same time as well Of course I realize maybe nobody with a real DS2302 or DS2302A wants to open their big investment

[battlefield]

So after making two memory dumps I'd like to add that if you have 64bit linux stuff has a chance of not wroking. I fixed all of my problems just by putting in live usb with Ubuntu 12.04 32bit and downloaded bfin toolchain, and did the memory dump from ther (with Olimex ARM-USB-OCD it took me about 30 to 45 minutes per dump).

[Mark_O]

Q1) For my understanding, is DS2072A much improved or only improvement on internal impedance switch?
Q2) Or is the overall design improved?

Q3) I would like to see summary table with difference between DS2072 HW1, DS2072 HW2 and DS2072A to get overall picture all at once.

Q4) Can DS2072 HW version 1 be upgraded to 200 MHz only or up to 300MHz?
Q5) Verified with actual measurements on scope to double check if it really works and not only in GUI?
Q6) Which decoding/memory options can be added?

Q7) Can DS2072 HW version 2 be upgraded to 200 MHz only or up to 300MHz?
Q8) Verified with actual measurements on scope to double check if it really works and not only in GUI?
Q9) Which decoding/memory options can be added?

Q10) Can DS2072A be upgraded to 200 MHz only or up to 300MHz?
Q11) Verified with actual measurements on scope to double check if it really works and not only in GUI?
Q12) Which decoding/memory options can be added?

Q13) I need to know if DS2072A can be made 100% same as DS2302A.

Q14) Did anyone do visual inspection of actual PCB boards between DS2072 and DS2302?
Q15) Did anyone do visual inspection of actual PCB boards between DS2072A and DS2302A?

 

[marmad]

Given that people open up their scope for making memory dumps, visual inspection might be done at same time as well Of course I realize maybe nobody with a real DS2302 or DS2302A wants to open their big investment

There are NO DS2302s - of any kind. Neither Rigol - nor any of their distributors - are, at this point in time, selling DS2302As - nor are they selling upgrades to that BW. So we have no way of knowing whether the current hardware revision that ANYONE owns correctly supports (or will EVER correctly support) that BW. You can currently "turn it on" on any non-A model (but it's buggy) and that's about the state of it. Perhaps Rigol is working on a new revision of the hardware right now for future DS2302s - or perhaps they will NEVER sell them.

IMO it's not a good reason to hold off - or make purchasing decisions - since the current DS2000s (v.1 or v.2) have a ~250MHz BW - and the sampling hardware doesn't really support 300MHz well anyway.

[pascal_sweden]

The Swedish distributor sells the DS2302A:
http://www.instrumentcenter.se/sv/200-500-mhz-bandbredd/rigol-ds2302a-bandbredd-300mhz-2-kanaler-2gsas-minnesdjup-14mpts%28standard%29-56mpts%28option%29-50000-wfmss..php

Or did I misunderstood your remark about not selling 300MHz version? =)

Note that my questions were just trying to get an overall summary in place on current status of hacks/verifications, as this information is spreaded throughout the forum
No need for a hotline

[marmad]

The Swedish distributor sells the DS2302A:
http://www.instrumentcenter.se/sv/200-500-mhz-bandbredd/rigol-ds2302a-bandbredd-300mhz-2-kanaler-2gsas-minnesdjup-14mpts%28standard%29-56mpts%28option%29-50000-wfmss..php

  No - you mean he "advertises" the DS2302A. He'll take your money for one, to be sure! But when will he deliver it? Since none of Rigol's BIG distributors (Tequipment in the US or Batronix here in the EU) - or even Rigol's OWN North American website - are offering them for sale yet, I somehow doubt your Swedish distributor has them in stock. I could be wrong - but if not, you're unlikely to find anyone who has bought one on this board.

[pascal_sweden]

I have written an email to the distributor to confirm availability =) Will keep you updated!

[AndersAnd]

  No - you mean he "advertises" the DS2302A. He'll take your money for one, to be sure! But when will he deliver it? Since none of Rigol's BIG distributors (Tequipment in the US or Batronix here in the EU) - or even Rigol's OWN North American website - are offering them for sale yet, I somehow doubt your Swedish distributor has them in stock. I could be wrong - but if not, you're unlikely to find anyone who has bought one on this board.

Batronix has already sold DS2000A models, even though they still only list DS2000 models at their website. I wonder when they will get it updated to say DS2000A.

There's also one in this topic who has already bought a DS2000A-S at a Norwegian distributor, even though this is not listed at Batronix website, let alone the DS2000A models.

So I wouldn't count on Batronix website for info on what available and not available from them, they seem very slow to update their website.

And the Rigol North America website is alo very slow to update info, they don't list andy DS2000A models yet either: http://www.rigolna.com/products/digital-oscilloscopes/ds2000/
So I wouldn't trust that website for what's available and what's not available either.

And from what I can tell Tequipment is already offering DS2302A even tough they just write "call us" for price. But their website say they have 3 in stock: http://www.tequipment.net/Rigol/DS2302A/

[Flipp]

A dump will help.

Im waiting now for my JTAG dongle. Says it has shipped today.

Any other things to do meanwhile?

We´ll have to collect as much keys from mem dumps  as we can. Thats the only chance to find out what scheme is behind the different keys. Uh and we have to give a hell of a lot BRAIN to it. (courageous hero cybernet pronounced many times)

Flip

[marmad]

I have written an email to the distributor to confirm availability =) Will keep you updated!

But you ignored the rest of my point: as mentioned over and over again on these boards, the 2GSa/s rate does not necessarily support 300MHz well - unless Rigol has created a very good Gaussian filter - and there's no evidence that Rigol can do (or has done) this.

People just see "FREE" bandwidth and they think, "Shit, it's free so it has to be good!" But that's not the case - the extra BW can actually cause problems for the fidelity of your instrument. You have to believe that the representation of the waveform that the DSO is presenting is fairly accurate, otherwise what good is it? If the added BW is actually causing interpolation errors at smaller time bases, it's not a help - it's a hindrance.