DG4000 - a firmware investigation

[dpenev]

Hi Teneyes,

Yes you seems to have 1ns shift in the trigger point issue in yoru scope?

Dimitar

[rf-loop]

Did you use exactly same cable lenght (and not only physical lenght but with around same travel time lenght because it matter. And images looks like there is signal travel time differencies between cables - and impedance mismatches)?

@rf-loop, Yes the DG4000 generator was set to 50ohm output  and there was a 50 ohm feed-thru termination on the DS2000. 

Reason for this my question was just there. 50ohm feed thru in oscilloscope input is not 50ohm impedance.
So, these "waves" in sweep shape level tell that there is somewhere mismatch or scope front end itself is weird. I believe more mismatch. Genrator output... it is not true 50ohm impedance, scope input is not at all 50ohm impedance when there is 50ohm feed thru. Cable... what difference come from cable qualitu itself and whhaat come from testing quality for this named purpose - classifying cables quality. For this work you need other tools or just very strong "believe".

[H.O]

Hi,

Yes the DG4000 generator was set to 50ohm output  and there was a 50 ohm feed-thru termination on the DS2000.

Just a note, may not have relevance to the current topic but anyway: On the DG4000 you can't, as far as I know, change the actual output impedence, it's always a nominal 50 ohms. What you do when you enable the "50 ohm output impedance" is telling the generator that the external load connected TO the generator is 50ohm, it then changes the displayed amplitude etc with this taken into consideration. (Cutting it in half compared to the "High Z setting").

EDIT: Actually, you can enter any load resistance you want (from 1ohm to 10k) and the DG4000 will scale the displayed amplitude and offset values accordingly. The actual output resistance/impedense is always a fixed 50ohm (nominal). More details to be found on page 10-5 in the manual.

[GonzoTheGreat]

It seems that now there is another reason to upgrade to firmware v1.09

[ytsejam]

Hi cybernet,

I own a DG4062 with latest FW 1.10. Just wondering if it is possible to revert the bootloader and firmware version to 1.08 by JTAG with mem dumps by 1.08 owners? Could you please help to shed some lights?

[ytsejam]

https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg623998/#msg623998

The above link shows how to use TopJTAG Flash Programmer to dump the flash on DSA815. (at least a portion)

I used the same method to dump DG4062's flash (with bootloader 00.06), and compared the dumped binary with DG4000 bootloader 00.06 update file.
Found that the content of dump result does contain the bootloader 00.06.

If any owner of DG4062 with previous bootloader (00.05) can give a hand, help to use the same method to dump the flash (1MB file) and share it with me privately.
I can restore that back to my DG4062 to see if bootloader can be downgrade to 00.05 by this method. Then the new DG4000 (with 00.06) owner might get a chance to downgrade the FW to previous version.

Can anyone give a hand? Much appreciated!

[fact]

Instead of J-Tagging the bootloader and/or firmware, would it be possible to just put the parameters for extending the frequency range in the correct spot in memory?

[ytsejam]

Instead of J-Tagging the bootloader and/or firmware, would it be possible to just put the parameters for extending the frequency range in the correct spot in memory?

Sounds like chickens and eggs.

For new firmware (1.09 and 1.12), though not 100% sure, but I think RIGOL has removed the function for reading the CEN file or at least change the format.
And new bootloader (ver 06) won't accept firmware prior to 1.09.

So we got two choices:

1. Hack the new firmware to find out if there's any new way. This will require JTAG dump the flash and reverse engineering.

2. Overwrite the new bootloader (ver 06) with old one  (ver 05), and that needs JTAG as well.

3. Wait for someone to compile a firmware (home brew) can be loaded by new bootloader, which provides the capability to rewrite the bootloader back to old one or provides a way to update the flash with new model key.

[MiataMuc]

maybe anoter option:

dump the flash, do manually what the cen-file used to do, and then uplaod the changed flash?

[ytsejam]

maybe anoter option:

dump the flash, do manually what the cen-file used to do, and then uplaod the changed flash?

That should work, but:

1. As I learned from the forum, the CEN file is a key file, if valid, DG4000 will store the key somewhere in the flash, however, I don't know in which form or format, nor the address.

2. JTAG is needed for dumping/uploading the flash. (which means we need to open the back cover)

[signals]

Re.  DG4000 and the Hack for Rigol's 'unreleased' DG4202 (200MHZ) version:

As of DG4000 Firmware version 00.01.09.00 the DG4000 AWG is no longer compatible with the DG4202 (200MHz), a model version that had never been released by Rigol for the DG4000.

Therefore if you upgrade to FW i00.01.09.00 or 00.01.10.00 you will loose your previously Hacked in DG4202 (200MHz), and your unit will in general be set back to DG4062 (60MHz).  And currently there is no way back.  It's gone!

If on the other hand you installed a valid Hack, such as DG4162 (160MHz), or less, prior to installing FW 00.0.09, then your unit will retain DG4162 (160MHz), etc, after you upgrade the FW to 00.01.09.00 and/or 00.01.10.00.

Well, it was fun while it lasted. I should learn to READ THE EEVBLOG FORUM before I go and do something stupid like upgrade the firmware on my hacked DG4062. Well at least it fixed the problem I was having where it would stop responding to SCPI commands over LXI when in counter mode. Think I'd rather have 200Mhz (or 160Mhz if I would have read the forum first) though.

I guess I'll keep my fingers crossed that someone figures out how to undo the damage I just did. Won't hold my breath though. 

[lunxg]

Hi all,

Just got my DG4062 today(16/6/2015) and the software and FPGA version is 00.01.11
Hard version 01.03
Keyboard version 06.02

[Sparky]

Hi folks,

A new firmware has been released for DG4000 series last month.  It is v00.01.11.00.00 (and contains bootloader 00.06, which is the same as 01.10 DSP firmware).

I have installed it on my DG4062 with "160MHz model patch" and all is well   The boot time seems a little longer than previous, and --- if I'm recalling things correctly --- the LED indication at boot is a little different (the waveform button LEDs seem to light up in sequence, though quickly).  I'm not sure what is new, fixed or broken in this release so...upgrade at your own risk

Cheers,
Sparky

[EV]

A new firmware has been released for DG4000 series last month.  It is v00.01.11.00.00 (and contains bootloader 00.06, which is the same as 01.10 DSP firmware).

Here is listed that the latest firmware is 00.01.12:
http://beyondmeasure.rigoltech.com/acton/form/1579/0012:d-0001/1/index.htm

Has someone installed it? Have you any link to load these firmwares?

[lunxg]

Hi folks,

A new firmware has been released for DG4000 series last month.  It is v00.01.11.00.00 (and contains bootloader 00.06, which is the same as 01.10 DSP firmware).

I have installed it on my DG4062 with "160MHz model patch" and all is well   The boot time seems a little longer than previous, and --- if I'm recalling things correctly --- the LED indication at boot is a little different (the waveform button LEDs seem to light up in sequence, though quickly).  I'm not sure what is new, fixed or broken in this release so...upgrade at your own risk

Cheers,
Sparky

Hi Sparky,

where can I get the "160MHz model patch"? I would like to try in my new arrived one, thanks!

[Sparky]

A new firmware has been released for DG4000 series last month.  It is v00.01.11.00.00 (and contains bootloader 00.06, which is the same as 01.10 DSP firmware).

Here is listed that the latest firmware is 00.01.12:
http://beyondmeasure.rigoltech.com/acton/form/1579/0012:d-0001/1/index.htm

Has someone installed it? Have you any link to load these firmwares?

Looks like version 01.12 just came out!  I haven't tried it yet.

[lunxg]

Re:  Where can I get the "160MHz model patch"? I would like to try in my new arrived one, thanks!

Regretfully I don't think you will be able to install the 160MHz BW software modification on units with the newer firmware.   See -> https://www.eevblog.com/forum/testgear/dg4000-a-firmware-investigation/msg581608/#msg581608   (Reply #270).  But please don't be discouraged, as this is still an awesome Function / Arbitrary Waveform Generator.  And (possibly) someone may figure out how to perform this software fix in the future.

Since I saw Sparky still can install the upgrade with v00.01.11.00.00 firmware. I think the new unit still have a chance to get a try.
But I am not sure what happens if it is failed to upgrade 160MHz.(maybe brick my DG4062?)

I read through the post and found the cengen.c but unfortunately I only have WIN PC. The online compiler seems doesn't work (can compile and execute but show no directly to save the .cen file)

I have to make more time to study on it

[lunxg]

Re:  Where can I get the "160MHz model patch"? I would like to try in my new arrived one, thanks!

Regretfully I don't think you will be able to install the 160MHz BW software modification on units with the newer firmware.   See -> https://www.eevblog.com/forum/testgear/dg4000-a-firmware-investigation/msg581608/#msg581608   (Reply #270).  But please don't be discouraged, as this is still an awesome Function / Arbitrary Waveform Generator.  And (possibly) someone may figure out how to perform this software fix in the future.

Since I saw Sparky still can install the upgrade with v00.01.11.00.00 firmware. I think the new unit still have a chance to get a try.
But I am not sure what happens if it is failed to upgrade 160MHz.(maybe brick my DG4062?)

I read through the post and found the cengen.c but unfortunately I only have WIN PC. The online compiler seems doesn't work (can compile and execute but show no directly to save the .cen file)

I have to make more time to study on it

Sparky had 160MHz installed prior to Firmware 00.01.09.  If you have firmware 00.01.09 or later it is too late for you to get 160MHz.  Please read my  DG4000 Post #270 again.

I got it.
So it is a hacked 160MHz with 1.09 -> 1.11 firmware without losing hack, right?
If 200MHz hack with 1.09 -> 1.11 firmware probably losing all the hack
Correct me if it is wrong

[EV]

ted572

Thanks for the links!

[lunxg]

OK... I still get a try to hack my new arrived DG4062 with software and FPGA  00.01.11 but it popup a message "please select a valid file type" when I press the read button with the .CEN file......

What I can do is learn how to operate the machine now, and wait for folks to hack the new version

[scalargr]

hello to all,
I have for some time my F G 4102 without any upgrade (fw  00.01.03),and I want to upgrade it at 160 MHz .
 My 1st attempts have been made with rory’s  instructions Reply #67 on: November 16, 2013, 05:44:44 PM  but It’s too complicated for me( I’m lacking knowledge of linux).
The 2nd was with  bandgap instructions on Reply #104 on: November 20, 2013, 06:40:38 PM ... I made several attempts and combinations as described , but nothing valuable came out.
( something is wrong / I’m wrong???)

1) Go to http://www.compileonline.com/compile_c_online.php
2) Replace the code in the left box with the code below.
3) Put your command line arguments in the text box at the bottom (in the form <current model> <new model> <current serial>)
4) Press "Compile and Execute" in the top left
5) Press "Download Files" in the top right (assuming everything executed properly)
6) The result tar.gz file will have the proper license.CEN file contained within it.


I don’t want to use 200MHz
Anyway, Could someone post some detailed instructions step by step on that, or could someone make any upgrade for me??
Thanks.
PS: I managed to h/k my msox2014a successfully .Thanks to the forum and the contributors 

[neki]

Free DG4062, DG4102, DG4162, DG4202 and a serial# of your choice ...

http://pastebin.com/ipkJCxPM

This link is not working anymore. Does anybody has the file or new link?

[scalargr]

Hi to all.
Can somebody tell me why it doesnt work on my serial (DG4B141xxxxxx) with FW 00.01.03
Teneyes (thanks again for sending me the cen. files) helped me about that. I tried some different usb sticks, but It's hopeless.
I get ...<invalid license file> / <Excessive number of errors. Please restart>.

I'm unlucky  ...  I have a DG4102 with a serial number starting with DG4B1. cybernet's program requires DG4D1..
Guess I have to take the JTAG route.. Anyway, thanks for your work!!

change the strcmp in the code ....

Thanks!! It worked perfect! 

By the way, I have version 01.02. I will upgrade to 01.07 now.

Could some one help me?

[Michael@de]

Hi folks!

Just bought a used DG4062 and want to upgrade it at 160 MHz .

SN      DG4D....
SW    1.04
FPGA 1.07
HV     1.03
KV     4.01

Could you pls provide a (new) link for the upgrade files?

Michael

[TheContractor]

Since I purchased my DG4062 after this hack was discovered, mine has the updated bootloader. I was wondering if there's a way to fool it into thinking an older version of firmware is actually a newer version by modifying the version in the byte code. To do this we would need to accomplish two things:

• Find the address that the version number is stored at
• Figure out which CRC algorithm is used on the firmware upload file and update the CRC

Reverse engineering is not my strong suit but I'm going to dig into this, if anyone has some insight relevant to this please share!