update: when powercycling in 2ns mode, it comes back in 2ns mode, if u leave it then it wont let u back to 2ns
so that byte should be in FRAM somewhere then ...
Did you know that you can enter the 2ns time base by loading a Settings file that has 2ns as the time base it was saved at?
nope, but guess same issue when u leave 2ns mode, you cant get back ...
Now I know the offset for the time base. More details in the source code.
for tinhead 8051
ohh don't worry, i know MCS51 (8051) very well.
My comment was to what you posted before:
The MCU 8051RNL is a USB Serial in out controller it is most likely the point where the SPI code is used.
and that was wrong because:
- chip with 8051RNL marking is chip KSZ8051RNL
- this is not MCU
- the "8051" in KSZ8051RNL name has nothing to do with MCS51 platform
- KSZ8051 is a single supply 10Base-T/100Base-TX Ethernet physical layer transceiver
- it does not have anything to do with USB or serial in/out
The USB serial in/out is made with Cypress FX2LP (CY7C68013A) which is the next part to KSZ8051RNL on PCB.
All i said was that the 8051 core in CY7C68013A is not directly accessible from and for DSO hardware.
Now I know the offset for the time base. More details in the source code.
awesome, and did you try to use even higher values for bandwidth (even if there is no string for menu) ?
No, I have neither the equipment to check this nor do I think that the hardware can do more.
Do you guys reckon a similar thing is possible with the new function generators? I wouldn't mind pairing a 60mhz function gen (unlocked to 160mhz) with a 70Mhz 2000 series scope (at 200mhz)
I've cracked open my DG4062 to have a crack at this. It's got the same FRAM as the DS2000. I haven't done a dump yet, but it only does a single large read on boot, then doesn't touch it at all. So deciphering what's in it could be a challenge, if it's even the right place to be looking.
can u share the FW file or at least 0x0 - 0x0FFF of it ? or comment on if my loader addr tool (posted earlier) gives some output.
the fw must be very similar - i see tons of code for DS4X features in my disassembly. so chances are they use the exact same FRAM mapping.
I've opened the DG4062 function gen, not the DS4xxx scope if that's what you were after?
BTW how do you actually get the firmware file? Is there a way to read it back out?
ah i misread that sorry, probably looking at assembly code for too long ;-)
for the DG i have firmware files - rigols content delivery system is not the best ;-) even if its not on the homepage you can still download stuff ... ;-) including internal vids ...
look for a 14pin header, as described earlier in my post - if its blackfin its there for sure - and get an 30$ amontec jtag key tiny - thats pretty much all u need, besides a few pullup resistors. rest is uclinux-blackfin toolchain ... bfin-jtag as gdb proxy and gdb + your fav. frontend.
alternatively check my fw loader address tool - or get ldrviewer (free tool) + some offset (check the source)
if that does something useful, you could use IDA pro + my custom GEL loader - let me know if you find a way.
im only looking after the license keys algos for the DS2k's at the moment ...
Thanks. Being a DS2072 owner I'm benefiting from all the work on that as well so I'm grateful!
The DG4k is based on the blackfin as well, and that header is there. There's a lot of similarities with the insides of the DS2k scope at first look.
I had a quick look at mine before I read this. Chip appeared to be a 24C16. Seems to read the chip at startup, then write 8 bytes to the start of each page, apparently same each startup (only 2 compared).
However I powered it up with the chip removed and it started up as normal...! Didn't check calibration or anything but serial no. was still there.
Code attached if anyone wants to compare
Thanks Mike. That's interesting about it still starting and having its serial #.
I think the firmware's got to be the next place to start.
bfin has a unique chipid and they use that + a model prefix DSA2<.....>
SORRY TINHEAD, my mistake I looked at the wrong Data sheet although I did post the correct one.
We stock about 30,000 ICs and about 50 Data Sheets came up from the search parameters.
I will make sure I am quoting the right Data Sheet next time.
REGARDS
Rachael
switching internal model type to DS2202 (0x1) allows 2ns Timebase (see attachment) - the settings are read in during boot (TWI i guess, but right sub()s still not found), and then the various strings/settings are applied - changing the model type has immediate effect ;-)
if somebody wants to check if some of those bytes are in the FRAM try to change em to something like:
RAM:E4DD1F # 0x16=DS2072
RAM:E4DD1F # 0x0= DS2102
RAM:E4DD1F # 0x1= DS2202 (2ns timebase avail)
RAM:E4DD1F # 0x2= DS?? (500ps timebase avail)
update: when powercycling in 2ns mode, it comes back in 2ns mode, if u leave it then it wont let u back to 2ns
so that byte should be in FRAM somewhere then ...
I just checked the hex file that studio25 provided in post on page 4 and the only place that I found the hex digit of 0x16 (for the ds2072) is in the position 0x43c so this is a possible area of attack
I hope this helps
Torsten
for the DG i have firmware files - rigols content delivery system is not the best ;-) even if its not on the homepage you can still download stuff ... ;-) including internal vids ...
I took a look and found all the training videos, sales tool kits and other files. However, I could only find one firmware file. It is for the DG4000 series (DG4000_FW_Update.zip).
It can be found via "113" if you know what I mean...
Can you share where the other firmware files are located?
The DG4000 firmware zip contains the file DG4000Update.GEL, dated 20/3/2012. There doesn't seem to be a readily identifiable version number in it, other than version 1.2.3a. However, it appears as though it is a generic number as it also has a serial number of 543210.
I have a DG4162 and its details are:
Software: 00.01.07 (suspect there is more to it)
Hardware: 01.03
Keyboard: 04.01
I also have a DS4024 and its details are:
Software: 00.01.00.00.07
Hardware: 0.1.2.3
SPU: 03.00.06
WPU: 00.07.04
CCU: 01.40.05
MCU: 1.3
I can dump the contents of the FRAM if it helps.
yeah, the chinese stuff is funny ;-)
- cant remember the vals, but they had multiple root folders in the cms - so its not just changing the last value ;-)
i will start playing with DG firmware once i have bought a DS4162 - still busy with their ds2XXX license key brainfuck ...
Hi all,
too bad that the license on the dsa815 is different than on the scopes as this is also something of interest.
The way I see it the serial number of the scope is in the key of the scope but in the spectrum analyzer it is not. This is backed up by the fact that when you buy a key from batronix for a scope they need the serial of the scope (as stated there) but on the keys for the dsa there is no mention of the serial number.
Just as an FYI the key format on the dsa815 is: FAQ83TF37A3Y8ST4RA**********. If you want, I can see if I can get a FRAM image from my dsa815, if needed
73 de DL5TOR
can u confirm the following features of the spectrum analyzer license key:
length ?
is it grouped in 4 chunks a 7 chars like the DS2X ? (1234567-1234567-1234567-1234567) ?
no letter I, no letter 0, no 0 (zero), no 1 (one) as input
the lic-functions that i have analyzed so far are 2 categories - kinda prepare the input license key by scrambling/cutting/shifting parts of it around,
they are depending on the length (28/0x1C). but the real deal which does recursive transformations on the key is not length dependent.
length ?
is it grouped in 4 chunks a 7 chars like the DS2X ? (1234567-1234567-1234567-1234567) ?
Length is 28
no letter I, no letter 0, no 0 (zero), no 1 (one) as input
I do not see one
If you want, I can send you the key by mail. I also have a firmware file on hand if you need it
yeah, the chinese stuff is funny ;-) - cant remember the vals, but they had multiple root folders in the cms - so its not just changing the last value ;-)
Yes, I see what you mean now... I was wondering what that was about.
I found two other firmware files with unusual file names (eg. "fileCA9NWMFE.zip") but they both contain the same version of DG4000 firmware.
Anyhow, not so interesting anymore so not going to waste anymore time there.