The 3rd party plugin should help, despite its age.
...but how? alas the ADSP-BF526 did not even exist then. Anyway the IDA v7 is not even compatible with this plugin because the API changed between v6 and v7.
If you have any particular block you are sure you would like to analyse, I can dump it for you in a way you don't need to rely on the plugin.
I would not even know the block at this stage of investigation.
I would like to analyze the code that controls the Burst Mode parameters. See this bug report.
If you want to reverse engineer the DG4000 in order to "fix bugs" for yourself, that will be highly unlikely, especially since what is described there as bugs is, in fact, in-spec DC offset or expected behavior from a DDS type of generator.
A DDS is different from an analog generator: it first lays down a waveform in memory, then it samples that waveform. Waveform frequency is achieved by sampling memory at different increments of addresses, so it can get into apparently weird behavior when slowly changing the frequency of a given waveform, especially for square waves or pulses.
I admit I didn't read the bugs topic very carefully, but they all looked to be expected behavior coming from a DDS architecture.
...but how? alas the ADSP-BF526 did not even exist then. Anyway the IDA v7 is not even compatible with this plugin because the API changed between v6 and v7.
...
I would not even know the block at this stage of investigation.
They are very similar. You can try one of the methods of the plugin. Of course, you must use IDA <7 or adapt the plugin to the v7.
Based on what RoGeorde said and your level of knowledge about the BF, I think this is beyond your capabilities. It's beyond mine for sure!
I've checked my code. You have the CRC16 parameters wrong.
I was not wrong
Due to the way in which I process the CRC, the bits of the polynomial are stored in reverse order. This makes the polynomial 0x8408 in my code.
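The relationship between the two polynomial notations in the exchange above, as an added example that is not code from any poster in this thread: 0x8408 is 0x1021 with its 16 bits reversed, and a right-shifting CRC using 0x8408 gives the bit-mirrored result of a left-shifting CRC using 0x1021 over bit-mirrored input. The zero initial value, the absence of a final XOR and the function names are assumptions; the thread does not state the other parameters.

```python
def reflect(value, width):
    """Reverse the order of the lowest `width` bits of value."""
    return int(f"{value:0{width}b}"[::-1], 2)


def crc16_lsb_first(data, poly=0x8408, init=0x0000):
    """Right-shifting CRC16; the polynomial is stored bit-reversed."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
    return crc


def crc16_msb_first(data, poly=0x1021, init=0x0000):
    """Left-shifting CRC16; the polynomial is stored in normal order."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ poly if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc


def same_polynomial(normal, reversed_form):
    """True when both constants describe the same generator polynomial."""
    return reflect(normal, 16) == reversed_form


def lsb_via_msb(data):
    """Reproduce the right-shifting result with the left-shifting routine
    by mirroring every input byte and then mirroring the final CRC."""
    mirrored = bytes(reflect(b, 8) for b in data)
    return reflect(crc16_msb_first(mirrored), 16)


if __name__ == "__main__":
    sample = b"123456789"  # conventional CRC check string
    print(hex(crc16_lsb_first(sample)), hex(crc16_msb_first(sample)))
    print(same_polynomial(0x1021, 0x8408), hex(lsb_via_msb(sample)))
```

Two tools that report 0x1021 and 0x8408 can therefore agree on the polynomial and still disagree on the checksum if they process bits in a different order.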
Based on what RoGeorde said and your level of knowledge about the BF, I think this is beyond your capabilities. It's beyond mine for sure!
Yes, it is beyond now, but I have built and learned undocumented CPU architectures before... and the BlackFin is documented, isn't it?
The attached image is inside the official DG4000Update.GEL. (I think colors are now correct: 800x480 Format16bppRgb565)
Can anyone explain to me when it appears in the DG?
Wow, cool picture! It must be associated with some sort of Easter egg.
A reversed image search shows that pic listed as wallpaper hosted on many Russian and Chinese websites.
Would the v1.08 F/W possibly re-open the door to the old BW hacking approach with the Cengen tool by @Cybernet? Skimming over the old posts didn't make it completely clear to me if the Cengen Hack was only possible up to F/V 1.06 or if it worked up to 1.08 (which all required bootloader 4.01 / 5.01). I would actually give it a try on my machine, no risk, no fun, you know...
P.S. All for the sake of science, of course
Given how similar the DG4000 UI is to the DG1022Z, I wonder if the 'magic' USB drive with SCPI upgrade approach would work?
In this regard, they are different. Work in progress...
I've finally reversed the new format (since v1.09) of .GEL files for the DG4000. (This has never been done before and gives hope to those who can't downgrade their FW due to the bootloader v06.xx...)
As a teaser, I show here the parsing of the v00.01.14.00.01 GEL:
00000000 - File Type: RIGOL:DG4:UPDATE FILE ALL
Deobfuscating...
Header_LDR_block / CRC2 Validation OK
Header_LDR_block / CRC3 Validation OK
FW Signature: 0x51 OK
Offset Flags CRC1 CRC2 CRC3 LoadAdd Size LED1 LED2
00000040 - 01001000(48) 59D8 322E 241A 20040000 0026210C 0004 000004 [00000054-0026215F] 256 Bytes + .LDR block CRC3 OK CRC2 OK CRC1 OK
00262160 - 01000000(40) 790A 5373 0000 20300000 000C3DF6 0008 000008 [00262174-00325F69] FPGA bitstream CRC2 OK CRC1 OK
00325F6A - 01000000(40) 8C44 3FF2 0000 20400000 00001661 0008 000008 [00325F7E-003275DE] Definitions (???) CRC2 OK CRC1 OK
003275DF - 01000000(40) 34ED 168D 0000 20440000 0000027E 0010 000010 [003275F3-00327870] Strings Indexes CRC2 OK CRC1 OK
00327871 - 01000000(40) CA34 4303 0000 20440400 00002C18 0010 000010 [00327885-0032A49C] Strings CRC2 OK CRC1 OK
0032A49D - 01000000(40) 632B 5C22 0000 20443400 0000027E 0010 000010 [0032A4B1-0032A72E] Strings Indexes CRC2 OK CRC1 OK
0032A72F - 01000000(40) 51F6 6093 0000 20443800 00001C36 0010 000010 [0032A743-0032C378] Strings CRC2 OK CRC1 OK
0032C379 - 01000000(40) A7BA 33FC 0000 20460000 00000232 0010 000010 [0032C38D-0032C5BE] Strings Indexes CRC2 OK CRC1 OK
0032C5BF - 01000000(40) D041 F062 0000 20460400 0000FFCF 0010 000010 [0032C5D3-0033C5A1] Strings CRC2 OK CRC1 OK
0033C5A2 - 01000000(40) C82A 3A1C 0000 20470400 00000232 0010 000010 [0033C5B6-0033C7E7] Strings Indexes CRC2 OK CRC1 OK
0033C7E8 - 01000000(40) 83E8 4CD7 0000 20470800 00009C1C 0010 000010 [0033C7FC-00346417] Strings CRC2 OK CRC1 OK
00346418 - 01000000(40) 219D 17FA 0000 205B0000 00169DE8 0020 000020 [0034642C-004B0213] Graphics, Images CRC2 OK CRC1 OK
004B0214 - 01000000(40) A299 B63B 0000 207B0000 0003D6C4 0040 000040 [004B0228-004ED8EB] Data (0x00) CRC2 OK CRC1 OK
004ED8EC - 01000000(40) FBF1 3E18 0000 20830000 0004BBEC 0040 000040 [004ED900-005394EB] Data (0x00) CRC2 OK CRC1 OK
005394EC - 00000000(00) 0000 0000 0000 208B0000 000126F4 0040 000040 [00539500-0054BBF3] Data (0x48) CRC: 7E9A
0054BBF4 - 00000000(00) 0000 0000 0000 208F0000 00008F2C 0040 000040 [0054BC08-00554B33] Data (0x48) CRC: F392
00554B34 - 10000000(80) 0000 0000 0000 209B0000 00480000 0080 000080 [00554B48-009D4B47] CPLD (???) CRC: BD1E
│││││
││││└─ 256-bytes header block (before app)
│││└── 64-bytes footer block (after bootloader)
││└─── FRAM(?) write select (default: 0 -> FLASH write select)
│└──── CRC validation required
└───── Last block
In the coming days I'll do some tests to (re)create some "custom" GELs. Let's see where this will end...
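A consistency check over the listing above, as an added example that is not the poster's parser: it decodes the flag byte using the legend and verifies that each block's data range follows from its offset and size and that blocks are contiguous. The 0x14-byte gap between a block's offset and its data start, and the reading of the legend as bits 7 down to 3, are inferred from the printed rows; all names are hypothetical.

```python
import re

HEADER_LEN = 0x14  # offset-to-data gap seen in every printed row (inferred)

# Legend under the listing, read with the leftmost printed digit as bit 7.
FLAG_BITS = {0x80: "last block", 0x40: "CRC validation required",
             0x20: "FRAM(?) write select", 0x10: "64-byte footer block",
             0x08: "256-byte header block"}

ROW = re.compile(
    r"(?P<off>[0-9A-F]{8}) - (?P<bits>[01]{8})\((?P<hex>[0-9A-F]{2})\) "
    r"(?:[0-9A-F]{4} ){3}(?P<load>[0-9A-F]{8}) (?P<size>[0-9A-F]{8}) "
    r"[0-9A-F]{4} [0-9A-F]{6} \[(?P<start>[0-9A-F]{8})-(?P<end>[0-9A-F]{8})\]")

# First three rows copied from the listing, description column trimmed.
LISTING = """\
00000040 - 01001000(48) 59D8 322E 241A 20040000 0026210C 0004 000004 [00000054-0026215F]
00262160 - 01000000(40) 790A 5373 0000 20300000 000C3DF6 0008 000008 [00262174-00325F69]
00325F6A - 01000000(40) 8C44 3FF2 0000 20400000 00001661 0008 000008 [00325F7E-003275DE]
"""


def decode_flags(value):
    return [name for bit, name in FLAG_BITS.items() if value & bit]


def parse_listing(text):
    blocks = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            b = {k: int(v, 16) for k, v in m.groupdict().items() if k != "bits"}
            b["bits"] = int(m["bits"], 2)
            blocks.append(b)
    return blocks


def check_blocks(blocks):
    """Return a list of inconsistencies; an empty list means the map adds up."""
    problems = []
    for i, b in enumerate(blocks):
        if b["bits"] != b["hex"]:
            problems.append(f"{b['off']:08X}: binary and hex flags differ")
        if b["start"] != b["off"] + HEADER_LEN:
            problems.append(f"{b['off']:08X}: data start is not offset+0x14")
        if b["end"] != b["start"] + b["size"] - 1:
            problems.append(f"{b['off']:08X}: data range does not match size")
        if i + 1 < len(blocks) and blocks[i + 1]["off"] != b["end"] + 1:
            problems.append(f"{b['off']:08X}: next block is not contiguous")
    return problems
```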
F/W 01.14 was available for download from Rigol's Chinese firmware archive -- before they "updated" their web site. Now, unfortunately, a log-in is required to access the files, but with an on-line translator and a lot of patience, it's still possible to access the files, even for individuals not capable of reading Mandarin (though I'm not sure if really everything's still available that was before).
It's really a shame that Rigol isn't keeping all their web sites' (international ones and also distributor's) download sections consistent, so regardless where their customers are located and whatever language they speak, they have access to the same soft- and firmware pool.
The way they handle this situation currently is really everything but professional.
Where did you find FW 00.01.14.00.01 (GEL File) for the DS4000...
Rename it from .tar to .rar before unpacking. Version v00.01.14.00.01 2017-12-23 downloaded from rigol.com in 2018.
[Model Supported] DG4062,DG4102,DG4162,DG4202
[Latest Revision Date] 2017-12-23
[Updated Contents]
v00.01.14.00.01 2017-12-23
- Solve the abnormal output of part of the machine CH1 at normal temperature or low temperature
- Solve the keyboard board encoder causing crashes.
[Previous Versions and Updated Contents]
v00.01.13.00.00 2015-11-05
- Added Traditional Chinese in the Menu.
- The EdgeTime is too slow when the 5MHz square wave is modified to sweep frequency,
- Output can not be changed in real time when editing any wave point.
Why do you need it?
Hi all,
A few years ago, when Rigol introduced DG4000 FW v1.09 supported on bootloader v06.xx some of the guys (that had experimented the 200MHz BW) lost their BW settings, downgrading to 60 MHz BW.
For those ones that lost their official 100MHz/160MHz BWs, please find attached a handcrafted FW v1.08 GEL file that can be flashed with bootloaders v06.xx.
And, to finish up what member cybernet (kudos to him) started a few years ago, I attach here an "updated and cleaned" compiled version of his famous license generator "cengen", for Windows machines. I called it v0.2 because it has some corrections/optimizations.
For those interested, I think you know what steps you need to do next.
PS: As always, flashing involves a certain risk. So, although this has already been tested by a knowledgeable forum member, it's your responsibility.
My DG4102 from Q4/2015 that was supplied with F/W 1.09 (and somehow lost its 200MHz capabilities...) didn't even require a recalibration (obviously) -- a sweep of +3dBm level from 1MHz to 200MHz is accurate within +-0.5dB despite an 80cm RG178 DIY interconnection cable.
A big thanks to @tv84
Perfect! I was just too late buying the DG4062 and got 1.09 with it, so the license file trick didn't work. I studied cybernet's work but this processor just gives me headaches
Anyway, liberated after all
So can we now safely update to 1.13/1.14?
Yes, after correcting what needs to be corrected you can go directly to v1.14
tv84, 1 000 000 THANK YOU!!!
My DG4102 has had from factory a FW version bigger than 1.08, so until today it could never use 'license.CEN' files generated by the 'cengen' tool. The message was Unknown format file.
Now, using your modified firmware to downgrade to FW1.08, then generate a license file to turn DG4102 into DG4202 using your cengen.exe, then upgrade to the latest FW1.14.01 from Rigol, it worked!
Former DG4102 (max. 100MHz) is now upgraded to a DG4202 (max. 200MHz)!
Reminder of the main steps to do the upgrade
==================================
1. Upgrade normally to latest FW1.14.01 from Rigol
2. Downgrade to modified by TV84 FW1.08
3. Use cengen.exe in Windows to generate a license file for DG4202
4. Read the CEN file with DG4102 FW1.08 modified
5. Upgrade to latest unmodified FW1.14.01 from Rigol
DG 4102 should now be seen as DG4202 and the max allowed sinus frequency should be 200MHz.
-------------------------
-The USB drive should be formatted FAT32
-DG4000Update.GEL should be copied alone on the clean formatted USB drive
-To update FW
- insert USB with desired GEL file
- power down the DG4102
- keep the 'Help' button pressed while pressing the 'Power ON' button
- release the 'Help' button when 'Utility' button starts to flash
- from there, leave the unit running, the buttons will start to blink one by one, starting with 'Ramp'
- after about 10 minutes, the DG4000 will restart itself, firmware update is now done
-To see FW version press 'Utility' -> 'System' -> 'System Info'
-To see detailed version press 'Utility' -> 'System' -> 'System Info' -> 'G1' ->'G3' -> 'G5'
where G1...G5 are the grey buttons on the right of the screen
--------------------------
I bought a DG4062 base model as a Black Friday deal from their clearance/demo section.
It came with v1.12 if I recall.
So tv84's hacked firmware would allow me to reverse flash to an earlier version ... hack the firmware, and then upgrade back to v1.14?
Is there something I can do now to back up my machine before the flashing without opening the machine? There is still a 90day warranty on this clearance unit (I think).
Without opening it, no.
Are you aware of any procedure / walk thru on how to do this?
I'm thinking maybe I'll do this when the warranty expires in a couple of months.
I feel like I may have seen some references earlier in the thread; but not 100% sure.
Am I being overly paranoid?
Yes, you are.
Just load the modified by tv84 firmware 1.08, then load the license file for 200 MHz, then load the latest 1.14.00.01 firmware from Rigol. To generate the license.CEN file I used the tv84 cengen.exe in a virtual Windows XP machine (because I have Linux). Ask about any details if in doubt.
Nothing to backup, and nothing bad will happen anyway. Even if you manage to brick your DG4000, you can still claim the warranty, and even if they refuse to service it, people here could still guide you to un-brick it yourself.
Good luck with the 200 MHz upgrade.
Thanks for the message and great work.
I'll give it a try after Xmas
Wish you a great holiday and New Year.
Yes, you are.
Agreed. I took the challenge last night. Couple of issues I had:
1) Tried a 32GB stick. Wouldn't work. Utility button never began flashing. Using an old 1GB stick I had worked perfectly.
2) Couldn't figure out how to "read" the license file. I had assumed I needed to find the license entry screen. I later learned all I had to do was "read" the license.cen file from the utility menu.
3) V1.14 upgrade was dirt simple using the same process as the back flash.
Now my only goal is to figure out how to calibrate for above 60MHz. Looking over the document; I lack a "calibrated" DVM and Frequency Counter. I'm actually disappointed I can't use my 1GHz OSCOPE.
Didn't read thru the whole document.
zitt -
did you check the level accuracy of your DG4000 after the "liberation"? I found mine to be spot on up to 200MHz (DS4102 from Q4/2015). Maybe yours also doesn't need to be calibrated at all.
P.S. If you haven't got a spectrum analyzer or a calibrated level meter, you may DIY a detector type level tester with a 50R terminator resistor (preferably 2*100R 1% 805 in parallel), a small signal, low capacitance schottky diode, a 10n smoothing capacitor and maybe a 10k load resistor, coupled to a multimeter. All this has to be assembled just at the back of a BNC connector to keep the impedance low. This "bodge" should give you a good idea of your generator's level accuracy.