Hello Guys,
Just a message to report another MSO1074Z unlocked
Thank you to all the people contributing with their knowledge, effort, time, energy ... It's good to know that sharing is a good path to success.
Special thanks to rmd79, 0ff, Hammy, Howardlong and the guys who discovered and shared the hack in the first place sptm14, Slappy_g and for sure all the others I'm forgetting ... sorry, the thread is very long and many have contributed.
For those interested this is how I did it:
- First I tried with an Olimex JTAG header but neither Windows (7 32-bit), nor Mac OS X (Yosemite), nor Linux recognised it.
- I decided to try with the Bus Pirate V3.6 (BP) from Dangerous Prototypes and this worked at the first try (I think I got a defective Olimex).
- I did the memory dump using Linux (only because I was doing something on that machine and decided to try the BP, but I think it would have worked with the Mac as well, I didn't try).
- I used openocd and the result was a binary file of 67108863 Bytes.
- I used the updated version of the rigup tool that takes into account the MSO1074Z and got the private key
- I used the rigup tool again and generated the licenses
- I used the SCPI commands to enter the licenses and voilà!!
The only thing I can contribute with since I haven't seen it here, is the use of the BP (Bus Pirate), the rest is according to the information given in the forum, so here it goes:
If someone is interested, this guide was really helpful in putting the Bus Pirate to work with openocd (under Linux):
http://cybermashup.com/2014/05/01/jtag-debugging-made-easy-with-bus-pirate-and-openocd/
First a little disclaimer: This interface is really slow. When the guys from Dangerous Prototypes say that this is a human speed tool they are not kidding; it took several hours (25+) to get the dump done.
The cabling was pretty straightforward:
Oscilloscope BusPirate
TDO <------------> MISO (According to the label in the PCB, however when in JTAG mode it is TDO as it is supposed to be)
TCK <------------> CLK (Again in JTAG mode this is TCK)
TMS <------------> CS (Which is TMS in JTAG mode)
TDI <------------> MOSI (TDI in JTAG mode)
3.3V <-----------> 3.3V
GND <-----------> GND
I didn't use the other pins.
The openocd command line:
user@system:/home/user#openocd -f mybuspirate.cfg
File: mybuspirate.cfg
source [find interface/buspirate.cfg]
source [find target/imx28.cfg]
buspirate_mode normal
buspirate_pullup 0
buspirate_speed fast
buspirate_port /dev/ttyUSB0
/!\ The port where the Bus Pirate was detected in my computer was /dev/ttyUSB0, you must change the previous line according to whatever it is in your case!
Once the interface was reporting this:
Info : Buspirate Interface ready!
Info : This adapter does not support configurable speed
Info : JTAG tap: imx28.cpu tap/device found: 0x079264f3 (mfg: 0x279 part: 0x7926, ver: 0x0)
Info : Embedded ICE version 6
Info : imx28.cpu: hardware has two breakpoint/watchpoint units
Info : Accepting 'telnet' connection on tcp/4444
I did the telnet to TCP port 4444:
user@system:/home/user#telnet localhost 4444
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> halt
target state: halted
target halted in ARM state due to debug-request, current mode: Supervisor
cpsr: 0x40000013 pc: 0x401e1104
MMU: enabled, D-Cache: enabled, I-Cache: enabled
> dump_image mso1074z.bin 0x40000000 0x3FFFFFF
dumped 67108863 bytes in 91906.320312s (0.713 KiB/s)
target state: halted
target halted in ARM state due to debug-request, current mode: IRQ
cpsr: 0x40000092 pc: 0x001c17a0
MMU: enabled, D-Cache: enabled, I-Cache: enabled
Then I ran the rigup tool with the dump file as parameter:
user@system:/home/user#./rigup scan mso1074z.bin > mso1074z.txt
which generated the private key/public key/RC5 keys/Serial Number.
Afterwards, with the latter file, I ran the rigup tool again to generate the licenses:
user@system:/home/user#./rigup license mso1074z.txt 0x1C001
or as Sandra suggested in her post "Reply #3765" page 252 of this thread
This is a summary of the found options as far as I know:
(CSAR = 0x1C001) TRIGGER --> Applied
(CSAB = 0x1C002) DECODER --> Applied
(CSA3 = 0x1C004) MEM-DEPTH --> Applied
(CSAJ = 0x1C008) RECORDER --> Applied
(CSAS = 0x1C010) DG --> Not clear yet on what this option does
(CSRA = 0x1C020) 500uV --> Reported not to work correctly
(CSBA = 0x1C040) Power Ana. --> Not clear yet on what this option does
(CS3A = 0x1C080) Bandwidth (100MHz) --> Applied
(CSHY = 0x1C0FF) --> Kind of APPLY ALL!
And finally, to apply the generated licenses the easiest way is to use the scope's SCPI interface:
Configure the LAN interface of the MSO1074Z:
Utility —> IO Setting —> LAN Conf.
You can connect the scope through a switch or back to back to your PC; in any case this is the setup:
[Oscilloscope] --- straight Cable -----[Switch] ------ straight Cable ------- [PC]
or
[Oscilloscope] ------------- Crossed Cable ---------------- [PC]
user@system:/home/user#telnet <Oscilloscope LAN IP Address> 5555
:SYSTem:OPTion:INSTall <The Activation Code WITHOUT the dashes or spaces>
I hope this will help someone. I tried to complete it with some information that was spread across several posts; if you want to see some pictures, go to Sandra's post, which has some very useful ones (notably for the Oscilloscope JTAG interface).
Cheers,
Gus