EEVblog Electronics Community Forum

Products => Test Equipment => Topic started by: spaceshipdev on February 14, 2018, 09:44:12 pm

Title: MSO1104Z LAN Hack
Post by: spaceshipdev on February 14, 2018, 09:44:12 pm
After much research I have pretty much given up on trying to achieve an unlocked MSO.

I did go so far as to use the tips from the "How To Remove Warranty Void Security Stickers" (that works a treat by the way, in like Flynn, Errol that is) and actually open her up. Sure enough, no header pins and I'm fairly certain I'll really mess things up if I get my clog iron in there. Interesting thing I did note by the way. Did anyone notice an orange marker pen near every torx screw internally?

I did check out the link here: http://peter.dreisiebner.at/rigol-forum.htm#mso1000z but only get linked to the video that has the JTAG pins on the board. My MSO1104Z does not have these pins, well headers that is.

I found hope in the idea that I might be able to dump the memory and gain access to an unlock key that way; though the SCPI commands
Code:
:SYST:UTIL:READ? 15441920,13262848
is failing for me. I just get an error message
Code:
"There was an error when sending the SCPI command."
Bar any new ideas, and I'm fairly tuned to the fact that I don't think anyone's managed to unlock an MSO1104 as yet, I reached out to Rigol for a real quote. Originally $510 today reduced to $300.

Someone knock me out of my misery and tell me there's a way to get more goodies out of the hardware I already own. (that is without soldering my board ahem)

Much appreciated   :popcorn:
Title: Re: MSO1104Z LAN Hack
Post by: edgelog on February 15, 2018, 08:24:55 pm
After much research I have pretty much given up on trying to achieve an unlocked MSO.

Well, you didn't research enough :) I certainly have an MSO1104Z that was unlocked using rigup. See:

https://www.eevblog.com/forum/testgear/sniffing-the-rigol's-internal-i2c-bus/msg1191044/#msg1191044

In that same thread, earlier on, you'll find a number of tips on how to dump out the firmware. You don't need to solder pins to the main board, you can just jam in some pins and weight them down a bit.

Don't despair.
Title: Re: MSO1104Z LAN Hack
Post by: spaceshipdev on April 15, 2018, 01:09:34 am
Just noticed this response, many many sincere thanks. I will take a look at this link and give this another look. Not sure of the term 'jam in some pins'. I'll be honest with you, I'm scared to death of bricking it. I should just pay the $300, but SO much money for something I have already; frustrating.
Title: Re: MSO1104Z LAN Hack
Post by: Daruosha on April 15, 2018, 01:20:49 am
Tonight I managed to unlock an MSO1104Z even without tearing it apart. The method relies on a patched firmware developed by a bunch of brilliant guys in the forum. Follow this thread and you will find the solution. If you have any problems, let me know and I'll write a step-by-step guide.
Title: Re: MSO1104Z LAN Hack
Post by: spaceshipdev on April 15, 2018, 02:47:48 am
I had hoped to achieve this without opening my unit, and if you have any instructions on how this could happen I would very much appreciate it. I already previously opened mine up; there is no place to plug in a JTAG, it's just solder pads with no headers. I also tried the LAN method but I continually got an error when trying to get a memory dump using the SCPI commands. The MSO1104Z seems particularly difficult so any and all help would be appreciated. While I understand the SCPI LAN method worked for others, I'm not sure I have seen much with regard to this model being a success.
Title: Re: MSO1104Z LAN Hack
Post by: Daruosha on April 15, 2018, 06:08:31 am
I posted the guide into this thread: https://www.eevblog.com/forum/testgear/sniffing-the-rigol_s-internal-i2c-bus/msg1479265/#msg1479265

Take a look and I hope it helps.
Title: Re: MSO1104Z LAN Hack
Post by: spaceshipdev on April 15, 2018, 04:19:59 pm
Thanks for this, though getting this initial memory dump is what I first came to the forum about in the first place. This is the step I am unable to complete. I am still yet to try edgelog's advice so will report back when I have results on this.
I have to say, patched firmware with ignoring errors from Windows builds throws me right off and is not something I'd be happy with at all. I'd pay the fee and have done with it before running unknown unsigned firmware. Extracting keys and performing math on them is far more organic and less invasive and this is the route I'm after; if I could only get this initial memory dump (:

I've had another look around and so far it seems I'm crap out of luck and the only option being to open this sucker up. All I see is that the MSOs are an exception to the SCPI rule, specifically serendipity's post:
So, having done a lot of research and made my fair share of mistakes, I would like to add to the collective wisdom / noise on this forum.

After I:
  • spent a great deal of time wondering why my MSO1074Z doesn't like riglol keys, even with the MSO1000Z patches
  • completely botched my warranty void sticker
  • spent 42 hours (sic) on a JTAG memory dump
  • got locked out of my scope for entering the wrong option keys (12 hours at a time) for more than I can count
  • list of mistakes keeps going. I am a terrible hacker. :-[
I finally unlocked the options on my MSO1074Z. I've decided to document my mistakes and hope no one else makes them.

So, here we go:
  • riglol does not generate correct keys, even when patched with the MSO1000Z_private_key

If anyone around Ontario wants to make a few bucks, I'd rather pay you than Rigol!
Title: Re: MSO1104Z LAN Hack
Post by: Daruosha on April 15, 2018, 06:22:39 pm
After extracting the keys, you can install the stock firmware and it will be as official as it gets.