Author Topic: Sniffing the Rigol's internal I2C bus  (Read 1840825 times)


Offline whotopia

  • Contributor
  • Posts: 12
  • Country: ch
Re: Sniffing the Rigol's internal I2C bus
« Reply #4050 on: November 03, 2015, 02:06:55 pm »
Can someone advise whether it is possible to restore the serial number of a DS2072A?
I tried some of the hacks in the past and this led me to a unit with serial number DS2A0000000001. The MAC address on the LAN interface is also wrong: it's 46:46:46:46:46:46. I assume the MAC must be uniquely generated from the serial number somehow.
The device is currently at firmware DS2000(DSP)Update_00.03.04.01.00
What can I do?

 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Sniffing the Rigol's internal I2C bus
« Reply #4051 on: November 03, 2015, 02:20:43 pm »
RE: DSA815 hack
Still working on the traditional way of doing this, but I had a thought and wanted to see if anyone thought this was remotely possible.
We know that prior to boot loader 1.04 rigup could create codes that worked, and those were stored in memory on the DSA815.
After updating the boot loader you could not enter new codes, but those with existing codes still work.

So maybe a little backwards thinking, but: what if we generated licenses for boot 1.03 and wrote them directly to memory, then rebooted (may not be needed) the unit? This would of course need knowing where the licenses are stored in memory. We know an SDRAM dump isn't what's needed, and they don't appear to be stored in the FRAM chip either. So the question is: where are the licenses stored?

I know it's far fetched, but is there any merit in the thought?
Just thought I would throw this out there.
Sandra
(Yes, I am a Woman :p )
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Sniffing the Rigol's internal I2C bus
« Reply #4052 on: November 03, 2015, 09:54:27 pm »
I am one of the people looking at redoing the keygen, but I am far out of my comfort zone in doing so. I had the thought that I posted and was looking for feedback on that question, not clarification on whether the issue is the boot loader or the firmware. I only state that because it is often the pointed question of which boot loader you have, not which FW version you have, when finding out whether the user can use the keygen.

My question was around an alternative method of doing this. If it is possible then it gives us a way to get keys installed, and isn't that the point? The method doesn't matter as long as it works.

So my question is still: does anyone think that might be a viable way around the issue, or is it a waste of time to pursue?

It is NOT the BootLoader that is preventing the Riglol Keygen results from working, it is the Firmware (FW). You need to go back to a previous FW such as 00.01.06, but the BootLoader is preventing you from going back to the earlier FW.

It is possible that someone could come up with a Riglol Keygen that would work with the newer version of FW, but it seems that no one has been able to do it.

So those with the newer DSA815 FW should, at least for now, solder pins 7 and 8 together on U1105 while the Trial Options are still current. If you want to play Russian Roulette with your DSA815, then wrap a wire between these two pins as some others have suggested. I say this because you will most likely end up sooner or later with some oxidation between the connections and lose the Trial Options without any warning.
Sandra
(Yes, I am a Woman :p )
 

Offline geggi1

  • Frequent Contributor
  • **
  • Posts: 430
Re: Sniffing the Rigol's internal I2C bus
« Reply #4053 on: November 03, 2015, 09:55:15 pm »
Might it be as simple as some checksum stuff to be able to use an older FW?
Add some lines with empty code to get the correct checksum?
Has anybody compared the file sizes and other features before upgrading FW?
 

Offline ted572

  • Frequent Contributor
  • **
  • Posts: 399
  • Country: us
  • Radio Communications Equipment/System Design Engr.
Re: Sniffing the Rigol's internal I2C bus
« Reply #4054 on: November 03, 2015, 11:49:38 pm »
I think that the easiest thing to do would be to replace BootLoader .04 with .03 (not that this will necessarily be that easy to do) although it seems like it could be done, and I would think easier than figuring out how to crack the new FW.  Then you would be able to use Riglol Keygen 1.03c or 1.03d to generate the Option codes.

I previously posted in the EEVblog 'DSA815 Spectrum Analyzer' thread on how to downgrade the FW when you have BootLoader .02 or .03.  And BTW I have .14 FW installed, and because I have BootLoader .03 I can still downgrade back to .06 FW and use the Keygen successfully.  And then of course reinstall .14 FW.

Suggestion:  You may want to check who the DSA815 FW gurus are and ask them via PMs for advice on how to/what to look for/etc.  Although, now and then some new guy shows up with actual answers to things like this, but not very often.  That is why I would go to the guys here that have done these things before with the DSA815.

Good Luck and Cheers. . . 
« Last Edit: November 04, 2015, 12:00:09 pm by ted572 »
 

Offline omegat

  • Newbie
  • Posts: 6
Re: Sniffing the Rigol's internal I2C bus
« Reply #4055 on: November 04, 2015, 03:14:17 pm »
Hi guys,

I just successfully dumped and unlocked my brand new MSO1104Z-S! Thank you all for your outstanding work!!

I did some things differently, namely I did not use OpenOCD (simply because I couldn't be bothered to actually make it work with Win7 and my J-Link...). So I opted for J-Link Commander (which is nice because it auto-detects the target, and I had it installed anyway...) using the following commands:

h
speed 4800
savebin <yourfilename.bin> 0x40000000 0x3FFFFFF
g

h halts the target; speed 4800 pimps the JTAG frequency to 4.8 MHz (you can probably go even higher, but my cable was a bit long...); savebin actually dumps 64 MB of firmware, it took less than ~5 minutes; g (GO??) resumes the target.

Next thing was a problem with rigup: I kept getting segfaults. After some rigorous searching, I found that it had to do with some statically linked (??) libraries. The fix mentioned there worked (Ubuntu 15.10): remove all LDFLAGS except -O2, i.e. LDFLAGS := -O2
It then compiled nicely and successfully generated the magic letters...

Thanks again, keep up the awesome work!!
Tobi
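Added example (Python), not code from this thread, from rigup, or from Rigol: before feeding a raw savebin dump like the one above to a keygen, check that the JTAG read actually returned memory and not bus-idle values, and locate the serial-shaped and option-code-shaped strings in it, which is the kind of search Sandra's "where are the licenses stored?" question and whotopia's serial/MAC question turn on. Only the base address 0x40000000, the serial shapes (DS2A0000000001, DSA8A144xxxx) and the option-code shape (HG7ZVYU-RNH93DR-HU6E4P6-UY4FJ6M) come from the thread; the block size, the regex widths and the sample dump are my own assumptions, and the sample is constructed, not a real scope image.

```python
"""Sanity-check a raw J-Link 'savebin' dump and locate serial- and option-code-shaped strings.

Added example, not code from this thread, from rigup or from Rigol. Assumed from the
thread: the dump starts at 0x40000000, serials look like DS2A0000000001 or DSA8A144xxxx,
option codes look like HG7ZVYU-RNH93DR-HU6E4P6-UY4FJ6M. Block size, regex widths and
the sample dump are my own choices; the sample is constructed, not a real scope image.
"""
import re

BASE_ADDR = 0x40000000      # savebin start address used in the thread
BLOCK = 4096                # hypothetical block size for the coverage statistics

# Serial: 'DS', two model chars, then 8-12 more uppercase alphanumerics (widths assumed).
SERIAL_RE = re.compile(rb"DS[A-Z0-9]{2}[A-Z0-9]{8,12}")
# Option code: four dash-separated groups of seven uppercase alphanumerics, as printed by rigup.
LICENSE_RE = re.compile(rb"(?:[A-Z0-9]{7}-){3}[A-Z0-9]{7}")


def classify_blocks(dump: bytes, block: int = BLOCK) -> dict:
    """Count blocks that are all 0x00, all 0xFF, or populated.
    A dump that is entirely 0x00/0xFF usually means the debugger read bus-idle values
    (wrong base address, target not halted, or JTAG speed too high for the cable),
    and feeding it to a keygen only yields garbage codes."""
    stats = {"zero": 0, "ff": 0, "populated": 0}
    for off in range(0, len(dump), block):
        chunk = dump[off:off + block]
        if not chunk.strip(b"\x00"):
            stats["zero"] += 1
        elif not chunk.strip(b"\xff"):
            stats["ff"] += 1
        else:
            stats["populated"] += 1
    return stats


def check_dump(dump: bytes, expected_len: int) -> list:
    """Return a list of problems (empty when the dump looks usable)."""
    problems = []
    if len(dump) != expected_len:
        problems.append(f"length {len(dump):#x} != expected {expected_len:#x}")
    if classify_blocks(dump)["populated"] == 0:
        problems.append("no populated blocks: dump is all 0x00/0xFF")
    return problems


def find_strings(dump: bytes, base: int = BASE_ADDR) -> list:
    """Return (address, kind, text) for every serial- or option-code-shaped string."""
    hits = []
    for kind, rx in (("serial", SERIAL_RE), ("license", LICENSE_RE)):
        for m in rx.finditer(dump):
            hits.append((base + m.start(), kind, m.group().decode("ascii")))
    return sorted(hits)


def mac_placeholder_hint(mac: str):
    """Flag a MAC that looks like an unprogrammed placeholder rather than an assigned
    address: all six octets identical (46:46:46:46:46:46 is six ASCII 'F's), or the
    multicast bit set in the first octet. Returns None when nothing looks off."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected six octets")
    if len(set(octets)) == 1:
        b = octets[0]
        ascii_note = f" (ASCII {chr(b)!r})" if 0x20 <= b < 0x7F else ""
        return f"all octets {b:#04x}{ascii_note}"
    if octets[0] & 1:
        return "multicast bit set: not a valid unicast station address"
    return None


def build_sample_dump() -> bytes:
    """Constructed 16 KiB sample: one unread (zero) block, one 0xFF block, one populated
    block with a serial and an option code planted in it, and a trailing zero block."""
    dump = bytearray(4 * BLOCK)
    dump[BLOCK:2 * BLOCK] = b"\xff" * BLOCK
    dump[2 * BLOCK:3 * BLOCK] = bytes(range(256)) * (BLOCK // 256)
    dump[2 * BLOCK + 0x100:2 * BLOCK + 0x10E] = b"DS2A0000000001"
    code = b"HG7ZVYU-RNH93DR-HU6E4P6-UY4FJ6M"
    dump[2 * BLOCK + 0x800:2 * BLOCK + 0x800 + len(code)] = code
    return bytes(dump)


if __name__ == "__main__":
    sample = build_sample_dump()
    print("problems:", check_dump(sample, len(sample)))
    print("blocks:", classify_blocks(sample))
    for addr, kind, text in find_strings(sample):
        print(f"{addr:#010x} {kind:8s} {text}")
    print("MAC 46:46:46:46:46:46 ->", mac_placeholder_hint("46:46:46:46:46:46"))
```

On a real dump, call check_dump(open("dump.bin","rb").read(), 0x3FFFFFF) with the length you passed to savebin; a large share of all-0x00 or all-0xFF blocks, or a serial that reads as all zeros, is the signal to redo the dump (halt first, lower the JTAG speed) rather than to keep retrying the keygen.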
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Sniffing the Rigol's internal I2C bus
« Reply #4056 on: November 06, 2015, 01:50:04 am »
Zapping a memory location with a serial would seem to be easier than getting the bootloader downgraded.
The only way I can think of is to program the bootloader directly, bypassing Rigol's loader. I've actually asked that as well:
if anyone knows whether the bootloader gel file can be programmed directly using JTAG. Have not heard any reply to that either.

The original people who found the private keys have not appeared to express interest in working through this again. cybernet did post some information to help and I'm thankful for his help.




  Re: Sniffing the Rigol's internal I2C bus
« Reply #4063 on: Today at 06:54:27 PM »

I think that the easiest thing to do would be to replace BootLoader .04 with .03 (not that this will necessarily be that easy to do) although it seems like it could be done, and I would think easier than figuring out how to crack the new FW.  Then you would be able to use Riglol Keygen 1.03c or 1.03d to generate the Option codes.

I previously posted in the EEVblog 'DSA815 Spectrum Analyzer' thread on how to downgrade the FW when you have BootLoader .02 or .03.  And BTW I have .14 FW installed, and because I have BootLoader .03 I can still downgrade back to .06 FW and use the Keygen successfully.  And then of course reinstall .14 FW.

Suggestion:  You may want to check who the DSA815 FW gurus are and ask them via PMs for advice on how to/what to look for/etc.  Although, now and then some new guy shows up with actual answers to things like this, but not very often.  That is why I would go to the guys here that have done these things before with the DSA815.

Good Luck and Cheers. . .
Sandra
(Yes, I am a Woman :p )
 

Offline 9a4wy

  • Contributor
  • Posts: 37
Re: Sniffing the Rigol's internal I2C bus
« Reply #4057 on: November 06, 2015, 12:15:40 pm »
Just an update...
My DSA-815TG came with FW 01.09.

Model : DSA815
Serial Number : DSA8A144xxxx
Version of Main Board : 00.04
Version of Radio Frequency Board FPGA : 00.05
Version of Digital Board FPGA : 00.04
Version of Firmware : 00.01.09
Version of Boot : 00.01.02

I tried to downgrade to FW 00.01.08.03 and then install all keys... all keys accepted.
Then back to 00.01.09 and all keys disappear!
Installing the official key for TG restores normal operation.
Is there any other way to upgrade and keep the keys??? It's strange because I have boot 00.01.02.
Did I do something wrong??? Maybe try downgrading to 01.06 and repeat all???
Please info.. tnx
K
 

Offline McBryce

  • Super Contributor
  • ***
  • Posts: 2687
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4058 on: November 06, 2015, 12:53:20 pm »
Did you cycle the power before you upgraded back up to 1.09?

McBryce.
30 Years making cars more difficult to repair.
 

Offline 9a4wy

  • Contributor
  • Posts: 37
Re: Sniffing the Rigol's internal I2C bus
« Reply #4059 on: November 06, 2015, 01:35:52 pm »
yes.
 

Offline Neuro

  • Contributor
  • Posts: 12
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4060 on: November 06, 2015, 11:38:39 pm »
Yesterday I successfully hacked my Rigol MSO1074Z.
Thanks to the modification of the procedure there is now no need to use two OSes (Windows and Linux).
The debugger that was used is a J-Link Pro.
Details are here:
https://www.youtube.com/watch?v=zhVHj5GTOxY
« Last Edit: November 06, 2015, 11:40:32 pm by Neuro »
 

Offline MiataMuc

  • Regular Contributor
  • *
  • Posts: 52
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4061 on: November 06, 2015, 11:48:26 pm »
Yes, if anyone knows whether one can downgrade the bootloader via JTAG... I have a DG4062 with the same problem.
 

Offline 9a4wy

  • Contributor
  • Posts: 37
Re: Sniffing the Rigol's internal I2C bus
« Reply #4062 on: November 08, 2015, 07:43:45 pm »
Just an update...
My DSA-815TG came with FW 01.09.

Model : DSA815
Serial Number : DSA8A144xxxx
Version of Main Board : 00.04
Version of Radio Frequency Board FPGA : 00.05
Version of Digital Board FPGA : 00.04
Version of Firmware : 00.01.09
Version of Boot : 00.01.02

I tried to downgrade to FW 00.01.08.03 and then install all keys... all keys accepted.
Then back to 00.01.09 and all keys disappear!
Installing the official key for TG restores normal operation.
Is there any other way to upgrade and keep the keys??? It's strange because I have boot 00.01.02.
Did I do something wrong??? Maybe try downgrading to 01.06 and repeat all???
Please info.. tnx
K

Just tried to downgrade the DSA-815TG from the present 01.08 to 01.06 and all licenses still active... then upgraded to the newest 01.14 and all options disappear again! BOOT 01.02 AND LICENSES DISAPPEAR WITH UPGRADE OF FW TO 01.09 OR HIGHER!
Downgraded to 01.08 and installed all licenses again.
Stuck with FW 01.08 for now :( .
 

Offline agronaught

  • Contributor
  • Posts: 14
Re: Sniffing the Rigol's internal I2C bus
« Reply #4063 on: November 11, 2015, 02:09:05 am »
So am I right in what I've read that one of the 'new' DSA-815s will lose the presumably unpurchasable 10 Hz RBW bandwidth when the trial timers expire?

I just took delivery of a new unit and I'm not all that keen on opening it up immediately. If the 10 Hz RBW breaks then I see no alternative but to bridge the pins on the FRAM.

J.
« Last Edit: November 11, 2015, 02:13:21 am by agronaught »
 

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3756
  • Country: ca
  • Living the Dream
Re: Sniffing the Rigol's internal I2C bus
« Reply #4064 on: November 11, 2015, 02:33:17 am »
New units don't have 10 Hz RBW anyway. While the option exists it isn't official and doesn't exist according to Rigol. Unless your unit is special 100 Hz will be the minimum RBW.
VE7FM
 

Offline agronaught

  • Contributor
  • Posts: 14
Re: Sniffing the Rigol's internal I2C bus
« Reply #4065 on: November 11, 2015, 07:18:55 am »
New units don't have 10 Hz RBW anyway. While the option exists it isn't official and doesn't exist according to Rigol. Unless your unit is special 100 Hz will be the minimum RBW.

Just got home and... you're right. Ah well, it is what it is.

Thanks.
 

Offline TheSteve

  • Supporter
  • ****
  • Posts: 3756
  • Country: ca
  • Living the Dream
Re: Sniffing the Rigol's internal I2C bus
« Reply #4066 on: November 11, 2015, 09:03:57 am »
New units don't have 10 Hz RBW anyway. While the option exists it isn't official and doesn't exist according to Rigol. Unless your unit is special 100 Hz will be the minimum RBW.

Just got home and... your right.   Ah well, it is what it is.

Thanks.

Should someone figure out the new keys needed to enable features it can still likely be enabled. It's not often needed but is still nice to have.
VE7FM
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4067 on: November 15, 2015, 12:39:37 pm »
Hi...
Is there any news on how to unlock the features on Rigol MSO1104Z model?
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Sniffing the Rigol's internal I2C bus
« Reply #4068 on: November 15, 2015, 06:29:14 pm »
Hi...
Is there any news on how to unlock the features on Rigol MSO1104Z model?

I don't think anyone is looking at doing anything beyond what's been done. Open it up, JTAG dump the SDRAM and run the keygen. It works fine.
Sandra
(Yes, I am a Woman :p )
 

Offline psysc0rpi0n

  • Frequent Contributor
  • **
  • Posts: 326
  • Country: ar
Re: Sniffing the Rigol's internal I2C bus
« Reply #4069 on: November 15, 2015, 07:05:38 pm »
Hi...
Is there any news on how to unlock the features on Rigol MSO1104Z model?

I don't think anyone is looking at doing anything beyond what's been done. Open it up, JTAG dump the SDRAM and run the keygen. It works fine.

I just bought the scope. I'm still not prepared to void the warranty! :) I'll wait and maybe someone can do that for those who still have a valid warranty!
 

Offline hammy

  • Supporter
  • ****
  • Posts: 465
  • Country: 00
Re: Sniffing the Rigol's internal I2C bus
« Reply #4070 on: November 15, 2015, 10:37:37 pm »
I'll wait and maybe someone can do that for those who have yet a valid warranty!

You need your own dump for the keygen.
 

Offline zsidoz

  • Newbie
  • Posts: 3
  • Country: hu
Re: Sniffing the Rigol's internal I2C bus
« Reply #4071 on: November 20, 2015, 12:52:20 pm »
Yesterday I successfully hacked my Rigol MSO1074Z.
Thanks to the modification of the procedure there is now no need to use two OSes (Windows and Linux).
The debugger that was used is a J-Link Pro.
Details are here:
https://www.youtube.com/watch?v=zhVHj5GTOxY

Hello Neuro,
I followed the link you supplied, made the memory dump of the MSO1074Z and ran the rigup tool. I got this output:
rigup license - Version 0.4.1-mso1000z

        Hacked up for MSO1000Z(-S) rmd79, 0ff eevblog.com

Invalid Hexstring given:
Invalid Hexstring given:
Invalid Hexstring given:
HG7ZVYU-RNH93DR-HU6E4P6-UY4FJ6M    (CSAR = 0x1C001)

The code I got is invalid. When I run the tool again I always get different codes but they are also invalid.
Any idea? Thanks.
 

Offline McBryce

  • Super Contributor
  • ***
  • Posts: 2687
  • Country: de
Re: Sniffing the Rigol's internal I2C bus
« Reply #4072 on: November 20, 2015, 01:39:05 pm »
There's a special patched version of the rigup tool for the MSO, are you using this or did you use the standard rigup tool?

McBryce.
30 Years making cars more difficult to repair.
 

Offline smgvbest

  • Supporter
  • ****
  • Posts: 630
  • Country: us
    • Kilbourne Astronomics
Re: Sniffing the Rigol's internal I2C bus
« Reply #4073 on: November 20, 2015, 10:14:06 pm »
What are you using as the License code you want to enable?
The message you're getting would indicate you're using CSAR for the license code, and in the hacked version for the MSO1000Z you have to use the HEX value, such as 0x1C001.

Also, did you run it through and create the key file that has the private key in it? That's what you feed into riglol to get your license codes.

Sorry for the basic questions, but there's actually little information on what you did, to know where it went wrong.

Sandra

Hello Neuro,
I followed the link you supplied, made the memory dump of the MSO1074Z and ran the rigup tool. I got this output:
rigup license - Version 0.4.1-mso1000z

        Hacked up for MSO1000Z(-S) rmd79, 0ff eevblog.com

Invalid Hexstring given:
Invalid Hexstring given:
Invalid Hexstring given:
HG7ZVYU-RNH93DR-HU6E4P6-UY4FJ6M    (CSAR = 0x1C001)

The code I got is invalid. When I run the tool again I always get different codes but they are also invalid.
Any idea? Thanks.
Sandra
(Yes, I am a Woman :p )
 

Offline zsidoz

  • Newbie
  • Posts: 3
  • Country: hu
Re: Sniffing the Rigol's internal I2C bus
« Reply #4074 on: November 23, 2015, 06:56:00 am »
@Sandra,

I followed the video and downloaded the Windows version of rigup from here: http://tqfp.org/attachments/get/1
I called the tool with this command line: "rigup license mso1074z_dump.bin 0x1C001", where the bin file is what I saved from the scope memory.

@McBryce,
What is that "special patched version" and where can I find it?
 

