Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1840969 times)


Offline elebot

  • Contributor
  • Posts: 18
Re: Sniffing the Rigol's internal I2C bus
« Reply #3450 on: August 11, 2014, 09:02:07 pm »
If both the HW and firmware of the DP832A and DP832 are basically the same, what actually distinguishes the two models?
Serial number range? Or some license key? Is it obvious from the firmware disassembly?

I am curious how feasible it would be to do the full conversion into a DP832A, as I would love to see multicolor classic mode with a normal font (not the 7-segment display simulation) on my DP832.
 

Offline PepeK

  • Regular Contributor
  • *
  • Posts: 62
  • Country: sk
Re: Sniffing the Rigol's internal I2C bus
« Reply #3451 on: August 12, 2014, 09:40:47 am »
As the latest DS / MSO 2072 having SW 3.0 SP1 and HW 2.2 refuses patched firmware gel file ver 2, what about modifying the gel file to pretend it is ver 3 ?
Is there something like header / data structure in the first block of the gel file which defines version ?
I am asking because if I open any (2.0 or 3.0) gel file in hex editor, there is a version string at the beginning.
 

Offline hematose

  • Newbie
  • Posts: 8
Re: Sniffing the Rigol's internal I2C bus
« Reply #3452 on: August 12, 2014, 03:32:13 pm »
I can also confirm:

I tried it with a DS1104Z-S, serial no. starting with "DS1ZB" -> works.
MSO1104Z-S, serial no. starting with "DS1ZD" -> doesn't work.

Maybe they have changed the algorithm or at least the private key and provided downward compatibility for the first DS1000Z scopes with "DS1ZB" serials.

Michael


I tried: http://riglol.3owl.com/ with options DSFR, MSAJ, DSAE on MSO1074Z-S, serial no. starting with "DS1ZD" -> doesn't work. I'd love it if anyone else had any thoughts. Could the fact that the scope still has the trial options enabled have an impact?
 

Offline AintBigAintClever

  • Regular Contributor
  • *
  • Posts: 56
Re: Sniffing the Rigol's internal I2C bus
« Reply #3453 on: August 12, 2014, 10:36:33 pm »
As the latest DS / MSO 2072 having SW 3.0 SP1 and HW 2.2 refuses patched firmware gel file ver 2, what about modifying the gel file to pretend it is ver 3 ?
Is there something like header / data structure in the first block of the gel file which defines version ?
I am asking because if I open any (2.0 or 3.0) gel file in hex editor, there is a version string at the beginning.
There'll be more to it than that. Version 2.x will know nothing about the MSO features, could end up bricking the scope.
 

Offline houly

  • Contributor
  • Posts: 17
Re: Sniffing the Rigol's internal I2C bus
« Reply #3454 on: August 17, 2014, 09:44:57 am »
Hello all,
I'm planning to buy an MSO4000 series and I would want to know if the hack could work on it (in order to choose the 100 MHz one and hope to hack it to have more bandwidth).
Is it possible? And how?

regards
 

Offline salvix

  • Newbie
  • Posts: 9
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3455 on: August 17, 2014, 11:27:49 am »
Hello all,
I'm planning to buy an MSO4000 series and I would want to know if the hack could work on it (in order to choose the 100 MHz one and hope to hack it to have more bandwidth).
Is it possible? And how?

regards

Yes. Install MrKrabs firmware from http://gotroot.ca/rigol/.
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1729
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3456 on: August 17, 2014, 12:54:00 pm »
@0xPIT

I'm having exactly the same issues you described in your reply #3478. 

I'm trying to dump the memory from my MSO2072A using Ubuntu on a Dell netbook; it always finishes with 'Reply contains invalid hex digit 116'.

For us non-Linux literate folks, would you mind expanding on where to find the log file and the exact lines for using the AWK instructions?

Thanks

[Edit] My latest attempt finished as 0xPIT said, again with the 116 error and then I closed the terminal but I can't find the tmp/log file on the drive anywhere.  Any idea where it's supposed to be or how I can find it?

[Edit2] I am thinking of getting a different USB-JTAG debugger.  The Olimex vn seems expensive at $70 given the chip is <$3, any suggestions for a good FT2232-based programmer that is supported by urJTAG?
« Last Edit: August 17, 2014, 10:38:52 pm by Gandalf_Sr »
If at first you don't succeed, get a bigger hammer
 

Offline 0xPIT

  • Regular Contributor
  • *
  • Posts: 65
Re: Sniffing the Rigol's internal I2C bus
« Reply #3457 on: August 19, 2014, 08:09:43 pm »
@Gandalf_Sr

I described the procedure in my post.

You need to specify the location of the log file in gdb using e.g.
    set remotelogfile /tmp/log
It will save the log to the file named "log" in the folder /tmp.

Then you need to clean the log file.
First, you want only lines received, which start with "+r $":
    awk '/^\+r \$/' /tmp/log > /tmp/filtered.log

Second, we strip all the "+r $":
    sed 's/^+r \$//' /tmp/filtered.log > /tmp/cleaned.log

Then convert to binary using
    xxd -p -r /tmp/cleaned.log /tmp/dump.bin

If in doubt, consult the man pages (man <command>) or google for it.
Be aware that I'm on the road, you need to double-check escaping of the commands I suggested.
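As an added example (not 0xPIT's commands, not gdb's code and not from any Rigol tool), here is the same three-step clean-up written in Python, with one check the awk/sed/xxd pipeline does not make: each received packet is a GDB remote-serial-protocol packet of the form `$payload#cc`, where `cc` is the sum of the payload's ASCII bytes modulo 256, so the script verifies that checksum and refuses to append packets that were corrupted on the wire. It assumes the log line shape the post describes ("+r $" prefix on received packets) and uses a heuristic, labelled in the code, to tell memory-read replies (an even-length run of hex digits) from "OK", "E01" and stop replies. The sample log is constructed, not a real capture.

```python
import re

# Assumed log line shape, following the post: each received packet is
# logged as "+r $<payload>#<checksum>" (the leading "+" is the RSP ack).
PACKET_RE = re.compile(r"^\+r \$(?P<payload>[^#]*)#(?P<cksum>[0-9a-fA-F]{2})$")

HEX_DIGITS = set("0123456789abcdefABCDEF")


def rsp_checksum(payload: str) -> int:
    """RSP packet checksum: sum of the payload's ASCII bytes modulo 256."""
    return sum(payload.encode("ascii")) % 256


def parse_received_packets(lines):
    """Yield (payload, checksum_ok) for every '+r $...#cc' line; other lines are ignored."""
    for line in lines:
        m = PACKET_RE.match(line.rstrip("\r\n"))
        if m is None:
            continue
        payload = m.group("payload")
        yield payload, rsp_checksum(payload) == int(m.group("cksum"), 16)


def looks_like_memory_data(payload: str) -> bool:
    """Heuristic (assumption): a reply to an 'm' (read memory) request is a
    non-empty, even-length run of hex digits. 'OK', 'Exx' error replies
    (three characters, odd length) and 'T05...' stop replies fail this test."""
    return bool(payload) and len(payload) % 2 == 0 and set(payload) <= HEX_DIGITS


def rebuild_image(lines):
    """Return (image_bytes, stats) built from the received packets in `lines`."""
    image = bytearray()
    stats = {"packets": 0, "bad_checksum": 0, "skipped": 0}
    for payload, ok in parse_received_packets(lines):
        stats["packets"] += 1
        if not ok:
            stats["bad_checksum"] += 1  # corrupted on the wire: do not trust it
            continue
        if not looks_like_memory_data(payload):
            stats["skipped"] += 1  # OK / error / stop reply, not memory contents
            continue
        image += bytes.fromhex(payload)
    return bytes(image), stats


# Constructed sample log (not a real capture); checksums follow the RSP rule,
# except the last line, which carries a deliberately wrong checksum.
SAMPLE_LOG = """\
+w $m1000,4#8e
+r $OK#9a
+r $deadbeef#20
+r $E01#a6
+r $cafe#8f
+r $0102#00
"""


def demo():
    """Run the rebuild over the constructed sample log."""
    return rebuild_image(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    image, stats = demo()
    print(image.hex(), stats)  # deadbeefcafe {'packets': 5, 'bad_checksum': 1, 'skipped': 2}
```

On a real log, replace `SAMPLE_LOG.splitlines()` with the lines of /tmp/log; a non-zero `bad_checksum` count is the signal to recapture rather than to keep the dump, which the plain xxd conversion would silently accept.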
 

Offline Gandalf_Sr

  • Super Contributor
  • ***
  • Posts: 1729
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3458 on: August 21, 2014, 09:35:04 am »
@0xPIT

Thanks for the clarifications. I'm now pretty sure that the reason I've failed so far to dump successfully from my MSO2072A is that the cheap $7 'Altera' USB Blaster from eBay only supports a frequency of 12 MHz; (gdb) tells me that after I execute the command that's supposed to set the frequency.

Now I'm waiting for the Sparkfun FT2232-based device to arrive.
If at first you don't succeed, get a bigger hammer
 

Offline xd1217

  • Newbie
  • Posts: 1
Re: Sniffing the Rigol's internal I2C bus
« Reply #3459 on: August 23, 2014, 07:17:20 pm »
As the latest DS / MSO 2072 having SW 3.0 SP1 and HW 2.2 refuses patched firmware gel file ver 2, what about modifying the gel file to pretend it is ver 3 ?
Is there something like header / data structure in the first block of the gel file which defines version ?
I am asking because if I open any (2.0 or 3.0) gel file in hex editor, there is a version string at the beginning.

Did you sort it out??
 

Offline DocSnyder

  • Contributor
  • Posts: 10
Re: Sniffing the Rigol's internal I2C bus
« Reply #3460 on: August 23, 2014, 10:30:47 pm »
Hello,

I own a MSO1074Z-S since a few hours. It has software Version 04.00 but the existing license gen doesn't seem to work. Any suggestions? I don't want to brick it.

Thank you
 

Offline 1.21gigawatts

  • Newbie
  • Posts: 7
Re: Sniffing the Rigol's internal I2C bus
« Reply #3461 on: August 24, 2014, 08:54:59 pm »
OK, So I've read (pretty much) every post in this topic and I'm confused. In recent posts it appears that some people are having problems applying licenses to newer 2000 series scopes. Others say that riglol works straight out of the box to generate licenses while still others are busy doing hex dumps through jtag.

I'm seriously considering (actually more like planning, if I get a good answer to this) buying (tomorrow) an MSO2072A-S. It's been over 30 years since I bought a new scope for myself, and I figure this one will last until (my) doomsday. But I don't want to make a mistake and be stuck at 70MHz.

I have an Altera USB Blaster Rev C and an assortment of computers running whatever OS one could possibly need, but I don't have a clear path to the upgrade procedure. Don't get me wrong - I have read several procedures and they are pretty clear step-by-step instructions. I'm just concerned about whether they will work on current Rigol production scopes. I know that last time I looked into this (a couple of months ago) there were none of these scopes to be found at US dealers, so I'm assuming that what I buy tomorrow will be from a new production run.

Sooo, is this a purchase I should make, or should I wait a while?

BTW, thanks to all of you who do the work that benefits the rest of us. I just joined eevblog, and I intend to contribute my share of design experience.
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3462 on: August 24, 2014, 11:58:32 pm »
OK, So I've read (pretty much) every post in this topic and I'm confused. In recent posts it appears that some people are having problems applying licenses to newer 2000 series scopes. Others say that riglol works straight out of the box to generate licenses while still others are busy doing hex dumps through jtag.

I'm seriously considering (actually more like planning, if I get a good answer to this) buying (tomorrow) an MSO2072A-S. It's been over 30 years since I bought a new scope for myself, and I figure this one will last until (my) doomsday. But I don't want to make a mistake and be stuck at 70MHz.

I have an Altera USB Blaster Rev C and an assortment of computers running whatever OS one could possibly need, but I don't have a clear path to the upgrade procedure. Don't get me wrong - I have read several procedures and they are pretty clear step-by-step instructions. I'm just concerned about whether they will work on current Rigol production scopes. I know that last time I looked into this (a couple of months ago) there were none of these scopes to be found at US dealers, so I'm assuming that what I buy tomorrow will be from a new production run.

Sooo, is this a purchase I should make, or should I wait a while?

BTW, thanks to all of you who do the work that benefits the rest of us. I just joined eevblog, and I intend to contribute my share of design experience.
You should be fine, but you'll have to go the JTAG route with the newer devices. ROM downgrade is risky. JTAG is guaranteed.

You may need a new device, though, as that Altera device is locked at 12 MHz. I used the Olimex device from Sparkfun. See my thread about the MSO2000 series for detailed instructions.
Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 


Offline DocSnyder

  • Contributor
  • Posts: 10
Re: Sniffing the Rigol's internal I2C bus
« Reply #3464 on: August 25, 2014, 10:57:44 am »
Will I have to do the same procedure for the MSO1074Z-S? As far as I understood, the private key of the Ds1k has been read out of the firmware. Now it seems that the MSO does not behave the same. Will the JTAG method work in the same way as it does for the DS2000? Or do I simply have to use other option keys? Thank you for your support.
 

Offline 1.21gigawatts

  • Newbie
  • Posts: 7
Re: Sniffing the Rigol's internal I2C bus
« Reply #3465 on: August 25, 2014, 09:03:43 pm »
@Slappy_g: Thanks. I've ordered the scope and it will be here Wednesday. I'm like a kid on (the day before) Christmas eve.
 

Offline Bukurat

  • Regular Contributor
  • *
  • Posts: 65
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3466 on: August 26, 2014, 05:33:53 am »
Well, I followed the instructions in post #2433, downloaded blackfin-toolchain-2013R1_45-RC1.x86_64.tar.bz2 and unpacked it into the /opt directory on my Ubuntu-powered laptop, plugged in the Olimex ARM-USB-OCD adaptor and ran
    sudo ./bfin-gdbproxy --debug bfin --frequency=5000000
while in the appropriate bin directory.

The result:
    ./bfin-gdbproxy: 3: ./bfin-gdbproxy: Syntax error: Unterminated quoted string
I see the same error message with no arguments.

excuse me while I  |O
 

Offline Macman

  • Regular Contributor
  • *
  • Posts: 77
  • Country: gb
Re: Sniffing the Rigol's internal I2C bus
« Reply #3467 on: August 26, 2014, 08:15:44 am »
The result:
    ./bfin-gdbproxy: 3: ./bfin-gdbproxy: Syntax error: Unterminated quoted string
I see the same error message with no arguments.

You are probably using 32-bit Linux with the 64-bit version of the toolchain. Try the 32-bit version of the toolchain, blackfin-toolchain-2013R1_45-RC1.i386.tar.
 

Offline Bukurat

  • Regular Contributor
  • *
  • Posts: 65
  • Country: au
Re: Sniffing the Rigol's internal I2C bus
« Reply #3468 on: August 26, 2014, 10:41:44 am »
You are probably using 32-bit Linux with the 64-bit version of the toolchain. Try the 32-bit version of the toolchain, blackfin-toolchain-2013R1_45-RC1.i386.tar.

That was it, thanks.
Now it's found the USB cable and has connected to the libftdi driver.
I don't have it connected to the DSO yet, so it's telling me that TDO seems to be stuck at 0. That's the same message I had with the Win 7 setup and the ARM-USB-OCD connected to the DSO.

I'll plug it into the DSO tomorrow and see how far I get.
 

Offline hematose

  • Newbie
  • Posts: 8
Re: Sniffing the Rigol's internal I2C bus
« Reply #3469 on: August 26, 2014, 02:29:23 pm »
Will I have to do the same procedure for the MSO1074Z-S? As far as I understood, the private key of the Ds1k has been read out of the firmware. Now it seems that the MSO does not behave the same. Will the JTAG method work in the same way as it does for the DS2000? Or do I simply have to use other option keys? Thank you for your support.

If you manage to do this and get the private key, you will have a lot of grateful people here!
 

Offline DocSnyder

  • Contributor
  • Posts: 10
Re: Sniffing the Rigol's internal I2C bus
« Reply #3470 on: August 26, 2014, 04:26:47 pm »
Will I have to do the same procedure for the MSO1074Z-S? As far as I understood, the private key of the Ds1k has been read out of the firmware. Now it seems that the MSO does not behave the same. Will the JTAG method work in the same way as it does for the DS2000? Or do I simply have to use other option keys? Thank you for your support.

If you manage to do this and get the private key, you will have a lot of grateful people here!

I am new to that topic, but I am not afraid to go that way. I would, however, like to get a quote or a hint as to what the best way to do it would be. I am aware of the procedure for the DS2000, but I have no clue if this is the same for the MSO1074Z-S. How did they find the key for the DS1000? And how are the option keys to be found? The same way and toolchain as on the DS2000?
Maybe they have only changed the option keys. Too many questions.
It would be extremely helpful to get any hints from the pros here.
Thank you in advance.
« Last Edit: August 26, 2014, 04:37:58 pm by DocSnyder »
 

Offline hematose

  • Newbie
  • Posts: 8
Re: Sniffing the Rigol's internal I2C bus
« Reply #3471 on: August 27, 2014, 09:52:43 pm »
k=40228745953163121  (0x8EEBD4D04C3771)

Wow! :clap: Thanks for sharing! How did you find it?

I will answer myself: ECDLP Solver 0.2a found valid solution in 156ms on my computer!
Rigol engineers did really bad job with license keys protection...

I'm trying to read back in the thread to find out how the private keys for the DS1000Z were first found. I'm not sure if we need hardware access or to purchase a genuine key to test it against.

If only Cybernet were still in this thread.
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3472 on: August 27, 2014, 11:23:59 pm »
You are probably using 32-bit Linux with the 64-bit version of the toolchain. Try the 32-bit version of the toolchain, blackfin-toolchain-2013R1_45-RC1.i386.tar.

That was it, thanks.
Now it's found the USB cable and has connected to the libftdi driver.
I don't have it connected to the DSO yet, so it's telling me that TDO seems to be stuck at 0. That's the same message I had with the Win 7 setup and the ARM-USB-OCD connected to the DSO.

I'll plug it into the DSO tomorrow and see how far I get.

By the way, the stuck pin message is typically from people misinterpreting the USB device pin-outs and flipping it left-to-right.

Sent from my SM-N900T using Tapatalk

Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 

Offline Slappy_g

  • Regular Contributor
  • *
  • Posts: 53
  • Country: us
Re: Sniffing the Rigol's internal I2C bus
« Reply #3473 on: August 27, 2014, 11:28:02 pm »
As requested, here's the step by step instructions for people like me who are not fans of Linux.

https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454

Sent from my SM-N900T using Tapatalk

« Last Edit: August 28, 2014, 02:59:28 am by Slappy_g »
Unlocked the Rigol MSO2072A to a MSO2302A via JTAG.  Read about how here: https://www.eevblog.com/forum/testgear/rigol-mso2000-series-hacking/msg498454/#msg498454
 

Offline DocSnyder

  • Contributor
  • Posts: 10
Re: Sniffing the Rigol's internal I2C bus
« Reply #3474 on: August 28, 2014, 08:36:23 pm »
Any news on the MSO1074Z-S? I am considering changing it into a DS2000. But there is a new firmware out there: 00.03.01. Will the known JTAG method work on this firmware?
 
